kubernetes_* resources (namespace and service_account) are being recreated even if the state already exists during cluster upgrades

[nickjj]

This was originally opened at https://github.com/terraform-aws-modules/terraform-aws-eks/issues/3313 but got closed.

Versions

• Terraform version: 1.9.3
• Provider version(s): 2.32.0 for hashicorp/kubernetes

Reproduction Code

• Upgrade control plane or worker nodes from 1.30 to 1.31 (or 1.31 to 1.32)

Expected behavior

Apply only shows changes related to the control plane or the node group being upgraded

Actual behavior

Every kubenernetes_* resource is getting added again, such as namespaces and service accounts even when they already exist in the state file correctly and with the same name.

The apply finishes with N number of failures saying those resources exist but the upgrade was successful.

Additional context

It's like those resources are being ignored from the state file when the plan or apply occurs when something is being updated. If I keep both the control plane and worker nodes to 1.30 and plan or apply then it shows no changes.

This hasn't happened before Kubernetes 1.30 so I'm not sure what's up. I've done about a dozen upgrades prior to this but it happened when upgrading both the control plane and worker nodes from 1.30 to 1.31 and 1.31 to 1.32 in steps.

For the Kubernetes provider, I am setting the host, token and CA cluster certificate based on what's in the official documentation. It reads these values from data attributes that reach in and get the cluster by name with module.eks.cluster_name. Then the host, token and CA cluster certificate use various attributes to set their respective properties in the provider.