From c4900156bb076d95aaead68c3ffcdd179baef91a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5rten=20Svantesson?=
Date: Tue, 21 Oct 2025 16:23:31 +0200
Subject: [PATCH] fix: create irsa without iam_role_arns or iam_authorizing_role_arns
---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index a19db05..5202330 100644
--- a/main.tf
+++ b/main.tf
@@ -83,7 +83,7 @@ resource "aws_iam_service_linked_role" "default" {
 # Role that pods can assume for access to elasticsearch and kibana
 resource "aws_iam_role" "elasticsearch_user" {
- count = module.this.enabled && var.create_elasticsearch_user_role && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
+ count = module.this.enabled && var.create_elasticsearch_user_role && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0 || var.iam_irsa_openid_connect_provider_arn != "") ? 1 : 0
 name = module.user_label.id
 assume_role_policy = join("", data.aws_iam_policy_document.assume_role[*].json)
 description = "IAM Role to assume to access the Elasticsearch ${module.this.id} cluster"
@@ -95,7 +95,7 @@ resource "aws_iam_role" "elasticsearch_user" {
 }
 data "aws_iam_policy_document" "assume_role" {
- count = module.this.enabled && var.create_elasticsearch_user_role && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
+ count = module.this.enabled && var.create_elasticsearch_user_role && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0 || var.iam_irsa_openid_connect_provider_arn != "") ? 1 : 0
 statement {
 actions = [
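Review bot: The extended condition is repeated verbatim in the `count` of `aws_iam_role.elasticsearch_user` and of `data.aws_iam_policy_document.assume_role` (second hunk), while the role builds its trust policy with `join("", data.aws_iam_policy_document.assume_role[*].json)`, so if the two expressions ever drift the role would be planned with an empty `assume_role_policy`. Defining the expression once as a local such as `elasticsearch_user_role_enabled` and writing `count = local.elasticsearch_user_role_enabled ? 1 : 0` in both blocks would remove that risk. Separately, `var.iam_irsa_openid_connect_provider_arn != ""` is also true for `null`; the variable's declaration is not part of this patch, so if null is permitted the test should read `var.iam_irsa_openid_connect_provider_arn != null && var.iam_irsa_openid_connect_provider_arn != ""`. Both blocks continue outside the hunks, so the trust-policy statements are not visible here; now that the role can exist with the OIDC provider as its only principal, it is worth confirming that the web-identity statement is conditioned on the intended service account subject rather than trusting every identity the provider issues.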