Inconsistency with thumbprint_list during cluster update

[janavenkat]

Description

Every time when am updating the Kubernetes version, EKS module is replacing the OIDC thumbprint_list.

Versions

• Module version [Required]: 20.8.3

• Terraform version: 1.7.5

• Provider version(s): ~ 5.0

Reproduction Code [Required]

module "eks-test" {  
  source  = "terraform-aws-modules/eks/aws"  
  version = "20.8.3"  
  subnet_ids      = module.vpc.private_subnets  
  vpc_id       = module.vpc.vpc_id  
  cluster_name = var.k8s_cluster_name  
  cluster_version = "1.27"  
  
  enable_irsa  = true

.....
}

Steps to reproduce the behavior:

Expected behavior

I shouldn't see the thumbprint_list change.

Actual behavior

Terraform will perform the following actions:

  # module.eks-test.data.tls_certificate.this[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "tls_certificate" "this" {
      + certificates = (known after apply)
      + id           = (known after apply)
      + url          = "<redacted>"
    }

  # module.eks-test.aws_eks_cluster.this[0] will be updated in-place
  ~ resource "aws_eks_cluster" "this" {
        id                        = "eks-test"
        name                      = "eks-test"
        tags                      = {
            "terraform-aws-modules" = "eks"
        }
      ~ version                   = "1.27" -> "1.28"
        # (10 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

  # module.eks-test.aws_iam_openid_connect_provider.oidc_provider[0] will be updated in-place
  ~ resource "aws_iam_openid_connect_provider" "oidc_provider" {
        id              = "<redacted>"
        tags            = {
            "Name" = "eks-test-eks-irsa"
        }
      ~ thumbprint_list = [
          - "<redacted>",
        ] -> (known after apply)
        # (4 unchanged attributes hidden)
    }

Seems something with wrong the data tls_certificate while getting the thumbprint.

[github-actions[bot]]

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

[janavenkat]

@bryantbiggs It would be great to know the cause.

[hanneshofmann]

I see the same behavior using 20.8.3, even without updating the Kubernetes version.

After the initial apply, a subsequent plan without any configuration change is changing the thumbprint_list.

@bryantbiggs - please let me know if further details are required.

[github-actions[bot]]

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

[janavenkat]

@bryantbiggs let me know if you need more info.

[bryantbiggs]

there isn't anything that we plan to change for this - as far as I can tell, its just a matter of something showing up in a plan diff, but theres no actual impact to the cluster so this is a no-op

[github-actions[bot]]

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions[bot]]

This issue was automatically closed because of stale in 10 days

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.