I've tried to retrieve the existing EKS certificate thumbprint with Terraform's external data source with the following code:
thumbprint.sh
#!/bin/bash
# Usage: thumbprint.sh <aws-region>
# Fetch the certificate chain presented by the EKS OIDC endpoint, keep only the last
# (root) certificate, and print its SHA-1 fingerprint as JSON for Terraform's external data source.
# stderr is sent to /dev/null instead of being closed (2>&-), because openssl can fail when fd 2 is closed.
THUMBPRINT=$(echo | openssl s_client -servername oidc.eks.${1}.amazonaws.com -showcerts -connect oidc.eks.${1}.amazonaws.com:443 2>/dev/null | tac | sed -n '/-----END CERTIFICATE-----/,/-----BEGIN CERTIFICATE-----/p; /-----BEGIN CERTIFICATE-----/q' | tac | openssl x509 -fingerprint -noout | sed 's/://g' | awk -F= '{print tolower($2)}')
THUMBPRINT_JSON="{\"thumbprint\": \"${THUMBPRINT}\"}"
# Quote the variable so the JSON is emitted exactly as built
echo "$THUMBPRINT_JSON"
data.tf
data "external" "thumbprint" {
  program = ["${path.root}/scripts/thumbprint.sh", data.aws_region.current.name]
}
openid.tf
resource "aws_iam_openid_connect_provider" "openid" {
  depends_on      = [data.external.thumbprint]
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.external.thumbprint.result.thumbprint]
  url             = data.aws_eks_cluster.this.identity.0.oidc.0.issuer
}
And I get the thumbprint from the above data source with data.external.thumbprint.result.thumbprint.
The main problem is that sometimes I get data from the thumbprint and sometimes it comes back as a blank value, even though I've added depends_on. How can I fix this? Or is there a better approach?
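The blank value is dangerous rather than just annoying: the external data source contract is "print a JSON object on stdout, or exit non-zero with a message on stderr", and a script that prints {"thumbprint": ""} on any hiccup lets Terraform register an OIDC provider with an empty thumbprint instead of failing the plan. The script below is an added example, not the asker's script, showing how to make the same approach fail loudly: it splits the pipeline into testable functions, validates that the result is a 40-character SHA-1 hex digest, and returns a non-zero exit code otherwise. The region argument, the oidc.eks.<region>.amazonaws.com host name and the function names are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the asker's script): a thumbprint helper for Terraform's
# external data source that refuses to emit an empty or malformed thumbprint.
set -eu

# Print only the last certificate block of a PEM chain read from stdin.
# `openssl s_client -showcerts` prints the leaf first and the root/anchor last,
# and the last one is what the OIDC provider thumbprint should be taken from.
last_cert_block() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { block = ""; inblock = 1 }
    inblock { block = block $0 "\n" }
    /-----END CERTIFICATE-----/ { inblock = 0; last = block }
    END { printf "%s", last }
  '
}

# Turn an "SHA1 Fingerprint=AB:CD:..." line into lowercase hex without colons.
normalise_fingerprint() {
  sed 's/^.*=//; s/://g' | tr '[:upper:]' '[:lower:]'
}

# Succeed only if the argument is exactly 40 lowercase hex characters (SHA-1).
is_valid_thumbprint() {
  case "$1" in
    *[!0-9a-f]*|"") return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Fetch the chain from the EKS OIDC endpoint for a region (assumed host name
# pattern) and print Terraform's JSON, or exit non-zero with a reason on stderr.
fetch_thumbprint() {
  region="$1"
  host="oidc.eks.${region}.amazonaws.com"
  chain=$(echo | openssl s_client -servername "$host" -showcerts \
            -connect "${host}:443" 2>/dev/null) || {
    echo "TLS connection to ${host} failed" >&2
    return 1
  }
  fp=$(printf '%s\n' "$chain" | last_cert_block \
         | openssl x509 -fingerprint -sha1 -noout | normalise_fingerprint)
  if ! is_valid_thumbprint "$fp"; then
    echo "could not extract a SHA-1 thumbprint from ${host} (got '${fp}')" >&2
    return 1
  fi
  printf '{"thumbprint": "%s"}\n' "$fp"
}

# Only touch the network when a region argument is supplied.
if [ "$#" -gt 0 ]; then
  fetch_thumbprint "$1"
fi
```

With this in place a transient TLS failure makes `terraform plan` stop with the stderr message instead of silently producing an empty thumbprint_list, which is the behaviour you want from anything that feeds a trust anchor into IAM.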
You can get the thumbprint of any certificate by using the tls_certificate data source. The data source's resource docs helpfully show an example of how to get the thumbprint for the aws_iam_openid_connect_provider resource:
resource "aws_eks_cluster" "example" {
  name = "example"
}

data "tls_certificate" "example" {
  url = aws_eks_cluster.example.identity.0.oidc.0.issuer
}

resource "aws_iam_openid_connect_provider" "example" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.example.certificates.0.sha1_fingerprint]
  url             = aws_eks_cluster.example.identity.0.oidc.0.issuer
}