diff --git a/patch-aws-auth/kubeconfig.tf b/patch-aws-auth/kubeconfig.tf
index df93dc3..89e5212 100644
--- a/patch-aws-auth/kubeconfig.tf
+++ b/patch-aws-auth/kubeconfig.tf
@@ -1,9 +1,12 @@
 # establish kubeconfig file needed for kubectl patch command
 # requires kubectl command in the path
 
+# run only if we have to make changes via patch
+
 resource "null_resource" "kubeconfig" {
   triggers = {
-    always_run = timestamp()
+    users = join(",", sort(keys(local.merged_users)))
+    roles = join(",", sort(keys(local.merged_roles)))
   }
   provisioner "local-exec" {
     command = "which kubectl > /dev/null 2>&1; if [ $? != 0 ]; then 'echo missing kubectl'; exit 1; else exit 0; fi"