fix: Canonicalize OpenSearch IAM policy using sort

Author: asri-badlah

main.tf

@@ -223,14 +223,14 @@ data "aws_iam_policy_document" "default" {
 
     actions = distinct(compact(var.iam_actions))
 
-    resources = [
-      join("", aws_elasticsearch_domain.default.*.arn),
-      "${join("", aws_elasticsearch_domain.default.*.arn)}/*"
-    ]
+    resources = sort(flatten([
+      aws_elasticsearch_domain.default.*.arn,
+      [for arn in aws_elasticsearch_domain.default.*.arn : "${arn}/*"]
+    ]))
 
     principals {
       type        = "AWS"
-      identifiers = distinct(compact(concat(var.iam_role_arns, aws_iam_role.elasticsearch_user.*.arn)))
+      identifiers = sort(distinct(compact(concat(var.iam_role_arns, aws_iam_role.elasticsearch_user.*.arn))))
     }
   }
 
@@ -244,10 +244,10 @@ data "aws_iam_policy_document" "default" {
 
       actions = distinct(compact(var.iam_actions))
 
-      resources = [
-        join("", aws_elasticsearch_domain.default.*.arn),
-        "${join("", aws_elasticsearch_domain.default.*.arn)}/*"
-      ]
+      resources = sort(flatten([
+        aws_elasticsearch_domain.default.*.arn,
+        [for arn in aws_elasticsearch_domain.default.*.arn : "${arn}/*"]
+      ]))
 
       principals {
         type        = "AWS"