Hi @lordbyron,
Unfortunately I’m having a little trouble following the details because of all of the redactions, so I wasn’t able to come to any specific conclusions so far, but I do have some general observations that I hope will give some hints for things to try next.
There are two typical reasons why this sort of thing might happen.
- If the configuration effectively modifies its own desired state while being applied in a way that Terraform can’t deduce, such as if it’s reading some data using a data resource but also changing that same object and there’s no dependency relationship between the two for Terraform to notice that possibility.
- If the provider is buggy in a way that causes a similar effect, such as if the provider returns an incomplete or otherwise-incorrect result from its apply step which then gets contradicted when it refreshes the object in the next plan.
It sounds like you already ruled out the first of these by noticing that there are no data resources, so my next thought would be a potentially buggy provider, but I can’t think of any hashicorp/aws bugs I know about that would cause this particular malfunction, and it seems like you’re just mapping two resources together by doing some acrobatics with their instance keys, and so the outcome doesn’t seem like it should be affected by changes to the attributes of the individual resource instances, which are what the provider controls.
You’ve only shown a tiny fragment of the plan output, so it’s hard to guess what might be going on here. If you see a section saying “Objects changed outside of Terraform” then that would be good to know since it might be an specific indicator of problem 2.
These features of the AWS provider are quite old and so are, I think, still implemented using the legacy plugin SDK, which has some quirks of its own which might be in play here. It might be interesting to do your first terraform plan and terraform apply with the environment variable TF_LOG=trace set to get Terraform’s internal logs, and search the output for the word “tolerate” where I suspect you’ll find some lines saying something like “hashicorp/aws did something odd but we’re tolerating it because it’s using the legacy SDK”.
That tolerance is there because the SDK typically does some odd things, so the mere presence of that warning is not a cause for concern, but the specific details it reports might give some insight about what’s going on if you’re able to share them here. (It’s hard for me to know ahead of time what might be useful vs. un-useful examples, so unfortunately I can’t do any better than “share it with me and I’ll see if anything sticks out as weird”. 
)