From 8fbb0acdf06a5dcb6040450b8bf73bd0a27ebb31 Mon Sep 17 00:00:00 2001
From: Christopher Russell
Date: Tue, 12 Aug 2025 08:52:19 +1000
Subject: [PATCH] fix: only create origin_shield block when explicitly enabled

Previously the dynamic block was created whenever origin_shield config existed, even with enabled=false. Now only creates the block when enabled=true, preventing unnecessary resource updates.
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index f773d7e..939c13e 100644
--- a/main.tf
+++ b/main.tf
@@ -119,7 +119,7 @@ resource "aws_cloudfront_distribution" "this" {
 }
 dynamic "origin_shield" {
- for_each = length(keys(lookup(origin.value, "origin_shield", {}))) == 0 ? [] : [lookup(origin.value, "origin_shield", {})]
+ for_each = lookup(lookup(origin.value, "origin_shield", {}), "enabled", false) ? [lookup(origin.value, "origin_shield", {})] : []
 content {
 enabled = origin_shield.value.enabled
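Review bot: The `false` default in `lookup(..., "enabled", false)` on the new `for_each` line means an `origin_shield` map that omits or misspells `enabled` now silently yields no block. Under the old expression any non-empty map produced the block, and a missing key would presumably have failed at `enabled = origin_shield.value.enabled` instead of being treated as disabled. If that fallback is intended, state it next to the expression, e.g. `# emitted only when origin_shield.enabled is true; a missing "enabled" key counts as disabled`, and repeat it in the variable's description so callers know the block is no longer driven by the map's presence. The `content` block continues past the end of the hunk, so the remaining arguments are not visible here.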