fix: allow empty kms and ssm arns

I'd like the option to remove access to KMS and SSM permissions on my IRSA roles while still providing the ability to use this module with the default encryption key provided by AWS.  When I attempt to provide an empty list, the IAM policy is invalid because a resource definition is required.

Author: brycelowe

modules/iam-role-for-service-accounts-eks/policies.tf

@@ -539,12 +539,16 @@ data "aws_iam_policy_document" "external_secrets" {
     resources = ["*"]
   }
 
-  statement {
-    actions = [
-      "ssm:GetParameter",
-      "ssm:GetParameters",
-    ]
-    resources = var.external_secrets_ssm_parameter_arns
+  dynamic "statement" {
+    for_each = length(var.external_secrets_ssm_parameter_arns) > 0 ? [1] : []
+    content {
+      actions = [
+        "ssm:GetParameter",
+        "ssm:GetParameters",
+      ]
+      
+      resources = var.external_secrets_ssm_parameter_arns
+    }
   }
 
   statement {
@@ -562,9 +566,12 @@ data "aws_iam_policy_document" "external_secrets" {
     resources = var.external_secrets_secrets_manager_arns
   }
 
-  statement {
-    actions   = ["kms:Decrypt"]
-    resources = var.external_secrets_kms_key_arns
+  dynamic "statement" {
+    for_each = length(var.external_secrets_kms_key_arns) > 0 ? [1] : []
+    content {
+      actions   = ["kms:Decrypt"]
+      resources = var.external_secrets_kms_key_arns
+    }
   }
 
   dynamic "statement" {