Refine terraform aws buckets logic to avoid benign changes

[consideRatio]

When a new bucket is added with our terraform AWS infra where there already is other buckets, terraform reports additional changes to existing buckets like below (parts from #3628).

  # data.aws_iam_policy_document.bucket_access["dask-staging.scratch-dask-staging"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "bucket_access" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::2i2c-aws-us-scratch-dask-staging",
              + "arn:aws:s3:::2i2c-aws-us-scratch-dask-staging/*",
            ]

          + principals {
              + identifiers = [
                  + "arn:aws:iam::790657130469:role/2i2c-aws-us-dask-staging",
                ]
              + type        = "AWS"
            }
        }
    }

  # aws_s3_bucket_policy.user_bucket_access["staging.scratch-staging"] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "user_bucket_access" {
        id     = "2i2c-aws-us-scratch-staging"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::790657130469:role/2i2c-aws-us-staging"
                        }
                      - Resource  = [
                          - "arn:aws:s3:::2i2c-aws-us-scratch-staging/*",
                          - "arn:aws:s3:::2i2c-aws-us-scratch-staging",
                        ]
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (1 unchanged attribute hidden)
    }

Ideas on why

I think this is a consequence of referencing computed data fields that isn't expected to change by us, but terraform must assume could change.

infrastructure/terraform/aws/buckets.tf

Lines 33 to 50 in 7c66a3e

	data "aws_iam_policy_document" "bucket_access" {
	for_each = { for bp in local.bucket_permissions : "${bp.hub_name}.${bp.bucket_name}" => bp }
	statement {
	effect = "Allow"
	actions = ["s3:*"]
	principals {
	type = "AWS"
	identifiers = [
	aws_iam_role.irsa_role[each.value.hub_name].arn
	]
	}
	resources = [
	# Grant access only to the bucket and its contents
	aws_s3_bucket.user_buckets[each.value.bucket_name].arn,
	"${aws_s3_bucket.user_buckets[each.value.bucket_name].arn}/*"
	]
	}
	}

Also note how the resource bucket_access being updated (via the data fields), which in turn influences the "maybe changed" resources.

infrastructure/terraform/aws/buckets.tf

Lines 52 to 57 in 7c66a3e

	resource "aws_s3_bucket_policy" "user_bucket_access" {
	for_each = { for bp in local.bucket_permissions : "${bp.hub_name}.${bp.bucket_name}" => bp }
	bucket = aws_s3_bucket.user_buckets[each.value.bucket_name].id
	policy = data.aws_iam_policy_document.bucket_access[each.key].json
	}

Is it possible for us to write this terraform logic robustly while also avoiding getting these presumably benign changes?