### Terraform Version

```shell
Terraform v1.13.1
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v5.**x**
+ provider registry.terraform.io/hashicorp/kubernetes v2.**x**
+ provider registry.terraform.io/hashicorp/helm v2.**x**

# Previously working on:
Terraform v0.14.x
+ provider registry.terraform.io/hashicorp/aws v3.**x**
```

### Terraform Configuration Files

```hcl
locals {
  # Your cluster name is set in module.eks as `cluster_name = var.name`.
  # Keep this exactly the same expression the module uses.
  cluster_name = var.name
}

provider "aws" {
  region = var.region

  assume_role {
    role_arn = "arn:aws:iam::${var.target_account_id}:role/terraform"
  }
}

# EKS endpoint & CA (does not create a cycle because we don't reference module outputs)
data "aws_eks_cluster" "this" {
  name = local.cluster_name
}

# Kubernetes provider: talk to EKS directly (no kubeconfig file needed)
provider "kubernetes" {
  host                   = data.aws_eks_cluster.this.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)

  # Use AWS CLI exec to fetch a token (works well in CI)
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args = [
      "eks", "get-token",
      "--cluster-name", local.cluster_name,
      "--region", var.region,
      "--role-arn", "arn:aws:iam::${var.target_account_id}:role/terraform"
    ]
  }
}

# Helm provider: piggyback on the same EKS connection
provider "helm" {
  kubernetes {
    host                   = data.aws_eks_cluster.this.endpoint
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)

    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "aws"
      args = [
        "eks", "get-token",
        "--cluster-name", local.cluster_name,
        "--region", var.region,
        "--role-arn", "arn:aws:iam::${var.target_account_id}:role/terraform"
      ]
    }
  }
}

# (Optional) remote state – make sure encrypt is boolean
data "terraform_remote_state" "state" {
  backend = "s3"

  config = {
    bucket         = var.backend_config_bucket
    region         = var.backend_config_bucket_region
    key            = "${var.name}/${var.backend_config_tfstate_file_key}"
    dynamodb_table = "terraform_locks"
    encrypt        = true
  }
}
```

vpc.tf:

```hcl
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.0"

  name = var.name
  cidr = var.vpc_cidr

  azs             = var.azs
  private_subnets = var.private_subnets
  public_subnets  = var.public_subnets

  enable_nat_gateway   = var.enable_nat_gateway
  single_nat_gateway   = var.single_nat_gateway
  enable_dns_support   = var.enable_dns_support
  enable_dns_hostnames = var.enable_dns_hostnames

  tags = merge(
    { format("kubernetes.io/cluster/%s", var.name) = "shared" },
    { "Terraform" = "true" },
  )

  public_subnet_tags = merge(
    { "kubernetes.io/role/elb" = "1" },
    { "type" = "public" },
  )

  private_subnet_tags = merge(
    { format("kubernetes.io/cluster/%s", var.name) = "shared" },
    { "kubernetes.io/role/internal-elb" = "1" },
    { "type" = "private" },
  )
}
```

### Debug Output

```
Plan: 316 to add, 0 to change, 0 to destroy.
```

### Expected Behavior

After upgrading Terraform from v0.14.x to v1.13.1, `terraform apply` should recognize the existing remote state in S3 and update the existing resources in-place (e.g., upgrade EKS from 1.29 to 1.30, adjust subnets/NAT if needed), not create duplicates.

### Actual Behavior

With Terraform v1.13.1, `terraform apply` proposes creating entirely new resources instead of updating existing ones.

Concrete symptoms:

- An existing VPC tagged/name “qa” remains, but apply creates a second VPC.
- Subnets and NAT Gateways are also duplicated (2× subnets, 2× NAT gateways, etc.).
- The state backend is S3 with DynamoDB locking. State exists and was previously used on v0.14.x.

### Steps to Reproduce

Initial (working) setup on 0.14.x

```shell
terraform init -reconfigure -backend-config="bucket=REDACTED" -backend-config="key=qa/global.tfstate" -backend-config="region=REDACTED" -backend-config="dynamodb_table=terraform_locks"
```

`terraform apply` → creates `aws_vpc.qa` (and in real config: EKS + networking).

Upgrade to 1.13.1

Upgrade to Terraform v1.13.1 and providers (AWS ~>5).

(Real-world parity) Keep `key = "${var.name}/..."` in backend; keep `var.name = "qa"` (intended to be unchanged).

```shell
terraform init -upgrade -reconfigure -backend-config="bucket=REDACTED" -backend-config="key=qa/global.tfstate" -backend-config="region=REDACTED" -backend-config="dynamodb_table=terraform_locks"
```

`terraform plan` / `terraform apply`

Observed: plan/apply attempts to create a new VPC and other resources instead of recognizing the pre-existing ones from the same S3 state.

### Additional Context

What I already tried

`rm -rf .terraform && terraform init -reconfigure` (with explicit backend-config values).

### References

_No response_

### Generative AI / LLM assisted development?

_No response_
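
A triage aid for the all-create plan reported above, added here as an example and not part of the original issue or of Terraform itself: it reads the JSON document produced by `terraform show -json <planfile>` and reports whether the prior state Terraform loaded held any managed resources, or whether creates are paired with deletes of the same resource type. The function names, verdict labels and the two sample plans are constructed for illustration.

```python
import json

def managed(module):
    """Map address -> type for managed resources in a state module tree."""
    out = {r["address"]: r["type"] for r in module.get("resources", [])
           if r.get("mode") == "managed"}
    for child in module.get("child_modules", []):
        out.update(managed(child))
    return out

def triage(plan):
    """Classify a plan document produced by `terraform show -json <planfile>`."""
    root = ((plan.get("prior_state") or {}).get("values") or {}).get("root_module") or {}
    state = managed(root)
    changes = [rc for rc in plan.get("resource_changes", []) if rc.get("mode") == "managed"]
    creates = [rc for rc in changes if rc["change"]["actions"] == ["create"]]
    deleted_types = {rc["type"] for rc in changes if rc["change"]["actions"] == ["delete"]}
    if not creates:
        verdict = "no-creates"
    elif not state:
        # No managed resources were read from the backend this plan ran against.
        verdict = "empty-prior-state"
    elif any(rc["type"] in deleted_types for rc in creates):
        # The same type is deleted at one address and created at another.
        verdict = "address-changed"
    else:
        verdict = "additive"
    return {"verdict": verdict, "in_state": len(state), "creates": len(creates)}

# Constructed sample: all-create plan, no prior state ("N to add, 0 to destroy").
SAMPLE_EMPTY = json.loads("""
{"format_version": "1.2", "resource_changes": [
  {"address": "module.vpc.aws_vpc.this[0]", "mode": "managed", "type": "aws_vpc",
   "change": {"actions": ["create"]}},
  {"address": "module.vpc.aws_subnet.private[0]", "mode": "managed", "type": "aws_subnet",
   "change": {"actions": ["create"]}}]}
""")

# Constructed sample: state holds a VPC that is deleted while another is created.
SAMPLE_MOVED = {
    "prior_state": {"values": {"root_module": {"resources": [
        {"address": "aws_vpc.qa", "mode": "managed", "type": "aws_vpc"}]}}},
    "resource_changes": [
        {"address": "aws_vpc.qa", "mode": "managed", "type": "aws_vpc",
         "change": {"actions": ["delete"]}},
        {"address": "module.vpc.aws_vpc.this[0]", "mode": "managed", "type": "aws_vpc",
         "change": {"actions": ["create"]}}]}

if __name__ == "__main__":
    print(triage(SAMPLE_EMPTY))
    print(triage(SAMPLE_MOVED))
```

An `empty-prior-state` verdict on a plan that should be updating live infrastructure is a signal to stop before `apply` and confirm which bucket, key and workspace the initialised backend actually read.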