OIDC authentication for CI/CD in Terraform - Time & Space Complexity
We want to understand how the time needed to set up OIDC authentication in CI/CD changes as we add more resources.
How does the work grow when we add more roles or policies in Terraform?
Analyze the time complexity of the following code snippet.
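```hcl
# One OIDC identity provider, shared by every role below.
resource "aws_iam_openid_connect_provider" "oidc_provider" {
  url             = var.oidc_url
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [var.thumbprint]
}

# var.role_count IAM roles, each trusting the provider above.
resource "aws_iam_role" "ci_cd_role" {
  count = var.role_count
  name  = "ci-cd-role-${count.index}"

  # The statement has no Condition block, so any token the provider
  # issues for this audience is allowed to assume the role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = aws_iam_openid_connect_provider.oidc_provider.arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
    }]
  })
}
```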
This code creates one OIDC provider and multiple IAM roles for CI/CD, each trusting the provider.
Identify the loops, recursion, and array traversals that repeat.
- Primary operation: Creating multiple IAM roles using `count` to repeat the resource block.
- How many times: The number of roles equals `var.role_count`, so the role creation repeats that many times.
As you increase the number of roles, Terraform has one more resource to create for each role.
| Input Size (n) | Approx. Operations |
|---|---|
| 10 | 10 role creations |
| 100 | 100 role creations |
| 1000 | 1000 role creations |
Pattern observation: The work grows directly with the number of roles you add.
Time Complexity: O(n)
This means the time to create roles grows linearly as you add more roles.
[X] Wrong: "Adding more roles won't affect the time much because Terraform handles it fast."
[OK] Correct: Each role is a separate resource, so more roles mean more work and longer apply times.
Understanding how resource count affects deployment time helps you plan scalable infrastructure and explain your design choices clearly.
"What if we replaced count with for_each using a map of roles? How would the time complexity change?"
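
The `for_each` form that question refers to, as an added example that is not part of the original page: each map entry becomes one role, and each role's trust policy is pinned to a single token subject and audience. The variable `ci_roles`, the local `oidc_host`, and the sample `sub` strings (written in GitHub Actions' claim format) are assumptions for illustration.

```hcl
variable "oidc_url" {
  type        = string
  description = "Issuer URL of the CI/CD OIDC provider"
}

variable "thumbprint" {
  type = string
}

# Assumed input: role name suffix => exact `sub` claim allowed to assume it.
# Both subject strings are constructed sample values.
variable "ci_roles" {
  type = map(string)
  default = {
    build  = "repo:example-org/example-app:ref:refs/heads/main"
    deploy = "repo:example-org/example-app:environment:production"
  }
}

locals {
  # IAM condition keys for OIDC use the issuer URL without the scheme.
  oidc_host = trimprefix(var.oidc_url, "https://")
}

resource "aws_iam_openid_connect_provider" "oidc_provider" {
  url             = var.oidc_url
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [var.thumbprint]
}

resource "aws_iam_role" "ci_cd_role" {
  for_each = var.ci_roles # one role per map entry
  name     = "ci-cd-role-${each.key}"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = aws_iam_openid_connect_provider.oidc_provider.arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          "${local.oidc_host}:aud" = "sts.amazonaws.com"
          "${local.oidc_host}:sub" = each.value
        }
      }
    }]
  })
}
```

Because roles are keyed by name rather than by index, removing one entry from the map destroys only that role instead of renumbering the ones after it.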