use depends_on to reduce possible race condition around routes and roles

terraform/cluster/aws/iam.tf

@@ -26,24 +26,6 @@ data "aws_iam_policy_document" "assume_eks" {
   }
 }
 
-data "aws_iam_policy_document" "assume_service" {
-  statement {
-    actions = ["sts:AssumeRoleWithWebIdentity"]
-    effect  = "Allow"
-
-    condition {
-      test     = "StringEquals"
-      variable = "${replace(aws_iam_openid_connect_provider.cluster.url, "https://", "")}:sub"
-      values   = ["system:serviceaccount:kube-system:aws-node"]
-    }
-
-    principals {
-      identifiers = ["${aws_iam_openid_connect_provider.cluster.arn}"]
-      type        = "Federated"
-    }
-  }
-}
-
 resource "aws_iam_role" "cluster" {
   assume_role_policy = data.aws_iam_policy_document.assume_eks.json
   name               = "${var.name}-cluster"

terraform/cluster/aws/main.tf

@@ -53,6 +53,11 @@ resource "aws_eks_cluster" "cluster" {
     security_group_ids      = [aws_security_group.cluster.id]
     subnet_ids              = concat(aws_subnet.public.*.id)
   }
+
+  depends_on = [
+    "aws_iam_role_policy_attachment.cluster_eks_cluster",
+    "aws_iam_role_policy_attachment.cluster_eks_service",
+  ]
 }
 
 resource "null_resource" "after_cluster" {

terraform/cluster/aws/vpc.tf

@@ -50,6 +50,11 @@ resource "aws_route" "public-default" {
   destination_cidr_block = "0.0.0.0/0"
   gateway_id             = aws_internet_gateway.nodes.id
   route_table_id         = aws_route_table.public.id
+
+  depends_on = [
+    "aws_internet_gateway.nodes",
+    "aws_route_table.public",
+  ]
 }
 
 resource "aws_route_table_association" "public" {
@@ -110,6 +115,11 @@ resource "aws_route" "private-default" {
   destination_cidr_block = "0.0.0.0/0"
   nat_gateway_id         = aws_nat_gateway.private[count.index].id
   route_table_id         = aws_route_table.private[count.index].id
+
+  depends_on = [
+    "aws_internet_gateway.nodes",
+    "aws_route_table.private",
+  ]
 }
 
 resource "aws_route_table_association" "private" {