From 3019ff2cf979424bb5f613e805eb6d7c0c4af0e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johannes=20W=C3=BCrbach?= <johannes.wuerbach@googlemail.com>
Date: Thu, 8 Feb 2024 19:43:35 +0100
Subject: [PATCH] fix: role without policies

---
 .../iam-role/service-account/main.tf             | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/humanitec-resource-defs/iam-role/service-account/main.tf b/humanitec-resource-defs/iam-role/service-account/main.tf
index 27eed49..0ed7a46 100644
--- a/humanitec-resource-defs/iam-role/service-account/main.tf
+++ b/humanitec-resource-defs/iam-role/service-account/main.tf
@@ -1,15 +1,19 @@
+locals {
+  co_provisioned = {
+    for s in var.policy_classes : "aws-policy.${s}" => {
+      match_dependents = true
+      is_dependent     = false
+    }
+  }
+}
+
 resource "humanitec_resource_definition" "main" {
   driver_type = "humanitec/terraform"
   id          = "${var.prefix}aws-workload-role"
   name        = "${var.prefix}aws-workload-role"
   type        = "aws-role"
 
-  provision = {
-    for s in var.policy_classes : "aws-policy.${s}" => {
-      match_dependents = true
-      is_dependent     = false
-    }
-  }
+  provision = length(var.policy_classes) > 0 ? local.co_provisioned : null
 
   driver_inputs = {
     secrets_string = jsonencode({