🤖 refactor: upgrade terraform EKS versions and backend docs (#36)

## Summary
Upgrade the Terraform EKS sandbox configuration to current versions,
keep CI aligned with the new Terraform requirement, and record shared
backend details for agent workflows without hardcoding backend values in
Terraform source.

## Background
The Terraform and EKS defaults in this branch were outdated. We also
needed a durable shared reference for the remote state S3 bucket/key so
agents can run plans quickly, while keeping backend values out of
committed Terraform configuration.

## Implementation
- Upgraded Terraform CLI minimum in `terraform/versions.tf` from `>=
1.11` to `>= 1.14`.
- Upgraded AWS provider constraint from `~> 5.0` to `~> 6.0`.
- Refreshed `terraform/.terraform.lock.hcl` to `hashicorp/aws` `6.31.0`
via `terraform init -upgrade`.
- Upgraded default EKS cluster version in `terraform/variables.tf` from
`1.31` to `1.35`.
- Updated `terraform/README.md` to match new Kubernetes and Terraform
version requirements.
- Added a new **Terraform Backend Reference (Agents)** section to
`AGENTS.md` with:
  - bucket `coder-k8s-tfstate-112158171837`
  - key `terraform-ncp3/sandbox-eks/terraform.tfstate`
  - nix-shell-based init example and AWS CLI usage guidance.
- Updated Terraform CI setup in `.github/workflows/ci.yaml` to
`terraform_version: 1.14.4` so CI uses a version compatible with the new
required Terraform constraint.

## Validation
- `make verify-vendor`
- `make test`
- `make build`
- `make lint`
- `go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.10`
- `nix develop -c terraform -chdir=terraform fmt -check`
- `nix develop -c terraform -chdir=terraform validate`
- `nix develop -c terraform -chdir=terraform init -backend=false
-lockfile=readonly -input=false`
- `nix develop -c terraform -chdir=terraform init -reconfigure
-backend-config="bucket=coder-k8s-tfstate-112158171837"
-backend-config="key=terraform-ncp3/sandbox-eks/terraform.tfstate"
-no-color`
- `nix develop -c terraform -chdir=terraform plan -input=false
-no-color`
- Plan summary: `0 to add, 2 to change, 0 to destroy` (EKS version bump
+ NAT gateway in-place provider schema update)

## Risks
- AWS provider major version upgrade (`5.x` -> `6.x`) can surface
behavior differences at apply time; validated current plan output and
kept changes scoped.
- EKS version bump to `1.35` is an in-place control-plane upgrade and
should be coordinated with expected maintenance windows if applied to
existing environments.
- Terraform CI version bump is scoped to the Terraform job and intended
to keep CI in lockstep with repo constraints.

---
_Generated with [`mux`](https://github.com/coder/mux) • Model:
`openai:gpt-5.3-codex` • Thinking: `xhigh` • Cost: `$0.45`_

<!-- mux-attribution: model=openai:gpt-5.3-codex thinking=xhigh
costs=0.45 -->

Author: ThomasK33

.github/workflows/ci.yaml

@@ -232,7 +232,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
-          terraform_version: 1.11.4
+          terraform_version: 1.14.4
 
       - name: terraform fmt (check)
         working-directory: terraform

AGENTS.md

@@ -44,6 +44,15 @@ You are an experienced, pragmatic software engineering AI agent. Do not over-eng
 - `vendor/`: checked-in module dependencies (required by project workflow).
 - `.mux/skills/coder-docs/`: Mux agent skill with offline coder/coder docs snapshot (update: `make update-coder-docs-skill`).
 
+### Terraform Backend Reference (Agents)
+- Keep Terraform backend values out of committed `.tf` code beyond shared backend settings in `terraform/versions.tf`.
+- Shared sandbox EKS state location:
+  - S3 bucket: `coder-k8s-tfstate-112158171837`
+  - State key: `terraform-ncp3/sandbox-eks/terraform.tfstate`
+- Initialize Terraform against that backend with explicit config flags (example):
+  - `nix develop -c terraform -chdir=terraform init -reconfigure -backend-config="bucket=coder-k8s-tfstate-112158171837" -backend-config="key=terraform-ncp3/sandbox-eks/terraform.tfstate"`
+- When AWS CLI access is needed, run commands through the Nix dev shell (`nix develop -c ...`).
+
 ### Architecture notes
 - `main` delegates to `run(...)`, which requires `--app=<controller|aggregated-apiserver>`.
 - `controller` mode registers core Kubernetes + `coder.com/v1alpha1` schemes, starts the controller-runtime manager, and wires health/readiness probes.

terraform/.terraform.lock.hcl

@@ -10,7 +10,7 @@ This directory provisions a cost-optimized Amazon EKS sandbox cluster in region
   - Internet Gateway
   - Single NAT Gateway (lower cost than one per AZ)
 - IAM roles for EKS control plane and worker nodes
-- EKS cluster (`sandbox-eks`, Kubernetes `1.31`) with public and private API endpoint access
+- EKS cluster (`sandbox-eks`, Kubernetes `1.35`) with public and private API endpoint access
 - One managed node group:
   - Instance type: `t3.medium`
   - Desired/min/max size: `2/1/3`
@@ -21,7 +21,7 @@ This directory provisions a cost-optimized Amazon EKS sandbox cluster in region
 
 ## Prerequisites
 
-- Terraform `>= 1.11`
+- Terraform `>= 1.14`
 - AWS CLI v2 installed
 - AWS identity with permissions to create VPC, IAM, EKS, and EC2 resources in your target account
 

terraform/README.md

@@ -19,7 +19,7 @@ variable "cluster_name" {
 variable "cluster_version" {
   description = "Kubernetes version for the EKS control plane."
   type        = string
-  default     = "1.31"
+  default     = "1.35"
 }
 
 variable "vpc_cidr" {

terraform/variables.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.11"
+  required_version = ">= 1.14"
 
   backend "s3" {
     region       = "eu-central-1"
@@ -11,7 +11,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = "~> 6.0"
     }
   }
 }