diff --git a/cloudtrail-key/main.tf b/cloudtrail-key/main.tf
index dc888d7..00f070a 100644
--- a/cloudtrail-key/main.tf
+++ b/cloudtrail-key/main.tf
@@ -204,14 +204,17 @@ data "aws_iam_policy_document" "key_orig" {
 }
 data "aws_iam_policy_document" "key_admin" {
- statement {
- sid = "BuiltinKMSAdminRoles"
- effect = "Allow"
- actions = ["kms:*"]
- resources = ["*"]
- principals {
- type = "AWS"
- identifiers = local.kms_admin_roles
+ dynamic "statement" {
+ for_each = length(local.kms_admin_roles) > 0 ? [1] : []
+ content {
+ sid = "BuiltinKMSAdminRoles"
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = local.kms_admin_roles
+ }
 }
 }
 }
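Review bot: The `actions = ["kms:*"]` line carried into the new `content` block still gives every role in `local.kms_admin_roles` the cryptographic operations (`kms:Decrypt`, `kms:GenerateDataKey*`) as well as key administration, so on a CloudTrail key the administrators can also read the logs the key protects. Consider narrowing the list to administrative actions only (the `kms:Create*`, `kms:Describe*`, `kms:Put*`, `kms:ScheduleKeyDeletion` family that AWS uses for its default key-administrator statement) and leaving decrypt to the log-reader principals. Separately, when `local.kms_admin_roles` is empty the statement now disappears without any signal. Whether the key stays administrable then depends on `key_orig` and on how the two documents are merged, both outside this hunk. A comment above `for_each` such as `# no admin roles configured: skip the statement; key_orig must still grant key administration` would record that assumption.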