Data aws_iam_policy_document and for_each showing changes on every plan and nothing on apply

So, I have some IAM policies I am building with for_each, which are then used as assume_role_policy and aws_iam_policy, but on every plan:

Plan: 0 to add, 20 to change, 0 to destroy.

and then apply:

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Some details:

$ tf version
Terraform v0.13.3
+ provider instaclustr/instaclustr/instaclustr v1.4.1
+ provider registry.terraform.io/hashicorp/aws v3.7.0
+ provider registry.terraform.io/hashicorp/helm v1.3.0
+ provider registry.terraform.io/hashicorp/kubernetes v1.13.2
+ provider registry.terraform.io/hashicorp/local v1.4.0
+ provider registry.terraform.io/hashicorp/null v2.1.2
+ provider registry.terraform.io/hashicorp/random v2.3.0
+ provider registry.terraform.io/hashicorp/template v2.1.2
+ provider registry.terraform.io/hashicorp/tfe v0.21.0

I will just focus on one resource, the roles:

resource "aws_iam_role" "this" {
  for_each = local.k8s_sa_to_iam_roles_indexed

  name = "${each.value.name}-${var.cluster_name}"

  max_session_duration = 43200
  # Trust policy comes from the matching for_each instance of the data source
  assume_role_policy = data.aws_iam_policy_document.this[each.key].json

  tags = merge(local.tags, { "app" = each.value.name })
}

and the aws_iam_policy_document data source:

data "aws_iam_policy_document" "this" {
  for_each = local.k8s_sa_to_iam_roles_indexed

  statement {
    # Trust the cluster's OIDC identity provider
    principals {
      type        = "Federated"
      identifiers = [var.oidc_arn]
    }

    actions = [
      "sts:AssumeRoleWithWebIdentity",
    ]

    # Restrict the role to one Kubernetes service account via the token's sub claim
    condition {
      test     = "StringEquals"
      variable = "${var.oidc_url}:sub"
      values = [
        "system:serviceaccount:namespace:${each.value.name}"
      ]
    }
  }
}

but on every plan:

# module.applications["0"].data.aws_iam_policy_document.this["0"] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "this"  {
      ~ id      = "2618924450" -> (known after apply)
      ~ json    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRoleWithWebIdentity"
                      - Condition = {
                          - StringEquals = {
                              - oidc.eks.ap-southeast-2.amazonaws.com/id/XXXX:sub = "system:serviceaccount:namespace:app"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Federated = "arn:aws:iam::XXXX:oidc-provider/oidc.eks.ap-southeast-2.amazonaws.com/id/XXXX"
                        }
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
      - version = "2012-10-17" -> null

      ~ statement {
            actions       = [
                "sts:AssumeRoleWithWebIdentity",
            ]
          - effect        = "Allow" -> null
          - not_actions   = [] -> null
          - not_resources = [] -> null
          - resources     = [] -> null

            condition {
                test     = "StringEquals"
                values   = [
                    "system:serviceaccount:namespace:app",
                ]
                variable = "oidc.eks.ap-southeast-2.amazonaws.com/id/XXXX:sub"
            }

            principals {
                identifiers = [
                    "arn:aws:iam::XXXX:oidc-provider/oidc.eks.ap-southeast-2.amazonaws.com/id/XXXX",
                ]
                type        = "Federated"
            }
        }
    }

I assume it is something I am doing wrong; I can find others doing this without issue, but I don’t see it. Any thoughts?

This now seems to be resolved in 0.13.4… maybe this? https://github.com/hashicorp/terraform/pull/26375