Hi Ned!
Not an issue but compliment!
First of all: Thanks a lot for cool example and video!

We can go down to Plan: 0 to add, 0 to change, 0 to destroy. if

• ownership_controls and acl will be also included into moved

moved {
  from = aws_s3_bucket_ownership_controls.bucket
  to = module.s3_bucket.aws_s3_bucket_ownership_controls.this[0]
}

moved {
  from = aws_s3_bucket_acl.bucket_acl
  to = module.s3_bucket.aws_s3_bucket_acl.this[0]
}

• import is allowed

terraform import module.s3_bucket.aws_s3_bucket_public_access_block.this[0] my-bucket-aaaaaaaa

Additionally, we can use data provider in module to avoid introducing extra variable vpc_id:

data "aws_subnet" "selected" {
  id = var.subnet_id
}

then just lookup VPC ID in security group resource:

vpc_id = data.aws_subnet.selected.vpc_id

Probably a bit of extension to your solution.

Thanks for your very detailed explanation! It was really fun to play with "zero changes" goal!