
fix: Prevent perpetual drift on OIDC thumbprint when root CA thumbprint is disabled#3673

Open
raman1236 wants to merge 2 commits into terraform-aws-modules:master from raman1236:fix/oidc-thumbprint-perpetual-drift

Conversation

@raman1236

Description

When include_oidc_root_ca_thumbprint is set to false and no custom_oidc_thumbprints are provided, thumbprint_list resolves to an empty list []. On apply, Terraform sets the empty list on the OIDC provider, but AWS auto-provisions a thumbprint for the provider. On the next terraform plan, Terraform detects the AWS-managed thumbprint and proposes to remove it — causing a perpetual diff:

  ~ resource "aws_iam_openid_connect_provider" "oidc_provider" {
      ~ thumbprint_list = [
          - "06b25927c42a721631c1efd9431e648fa62e1e39",
        ]
    }

Fix

Set thumbprint_list to null when both oidc_root_ca_thumbprint and custom_oidc_thumbprints are empty. Per the AWS provider docs, when thumbprint_list is not set, the OIDC provider thumbprint is auto-managed by AWS and Terraform won't attempt to reconcile it.

When either source provides thumbprints, the existing concat() behavior is preserved.

Reproduction

module "eks" {
  source = "terraform-aws-modules/eks/aws"

  include_oidc_root_ca_thumbprint = false
  enable_irsa                     = true
  # ...
}

  1. terraform apply — creates OIDC provider with empty thumbprint list
  2. terraform plan — shows removal of AWS-managed thumbprint (perpetual drift)

Breaking Changes

None. When include_oidc_root_ca_thumbprint = true (the default) or custom_oidc_thumbprints are provided, behavior is unchanged.

How Has This Been Tested?

  • I have executed pre-commit run -a on my pull request

Fixes #3607
Related to #3586 (prior fix attempt, closed for lack of reproduction)
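The conditional the description outlines, as an added HCL illustration rather than this PR's own diff (the diff is not shown on this page); the local names, the tls_certificate data source and the resource arguments other than thumbprint_list are assumptions about how the module derives and uses the root CA thumbprint:

```hcl
# Added illustration, not the module's code. Variable names come from the PR
# description; local names and the data source are assumed.
data "tls_certificate" "oidc" {
  url = aws_eks_cluster.this.identity[0].oidc[0].issuer
}

locals {
  # Root CA thumbprint only when the user asked for it (default true).
  oidc_root_ca_thumbprint = var.include_oidc_root_ca_thumbprint ? [
    data.tls_certificate.oidc.certificates[0].sha1_fingerprint
  ] : []

  # Existing concat() behaviour when either source supplies thumbprints.
  oidc_thumbprints = concat(local.oidc_root_ca_thumbprint, var.custom_oidc_thumbprints)
}

resource "aws_iam_openid_connect_provider" "oidc_provider" {
  client_id_list = ["sts.amazonaws.com"]
  url            = aws_eks_cluster.this.identity[0].oidc[0].issuer

  # null leaves the attribute unset so AWS manages the thumbprint and
  # Terraform does not try to reconcile an empty list against it;
  # a literal [] would reproduce the perpetual diff described above.
  thumbprint_list = length(local.oidc_thumbprints) > 0 ? local.oidc_thumbprints : null
}
```

A second `terraform plan` after apply should report no changes to thumbprint_list in either configuration; with `include_oidc_root_ca_thumbprint = false` and no custom thumbprints, the AWS-provisioned value is simply left in place.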

…nt is disabled

When `include_oidc_root_ca_thumbprint` is set to `false` and no
`custom_oidc_thumbprints` are provided, `thumbprint_list` resolves
to an empty list `[]`. On apply, Terraform sets the empty list, but
AWS auto-provisions a thumbprint for the OIDC provider. On the next
plan, Terraform detects the AWS-managed thumbprint and proposes to
remove it, causing a perpetual diff.

Fix by setting `thumbprint_list` to `null` when both sources are
empty. Per the AWS provider docs, when `thumbprint_list` is not set,
the OIDC provider thumbprint is auto-managed by AWS and Terraform
won't attempt to reconcile it.

Fixes terraform-aws-modules#3607
@raman1236
Author

Friendly ping — this PR prevents perpetual drift on the OIDC thumbprint when root CA thumbprint is disabled. Would appreciate a review when you have a moment. Thanks!

@raman1236 raman1236 changed the title fix: prevent perpetual drift on OIDC thumbprint when root CA thumbprint is disabled fix: Prevent perpetual drift on OIDC thumbprint when root CA thumbprint is disabled May 1, 2026


Successfully merging this pull request may close these issues.

Perpetual drift when including OIDC root CA thumbprint is disabled (v2)
