
AWS maintains a secret versioning system: a new version is created if the secret value is updated or if the secret is rotated.

I am in the process of getting existing secrets in AWS under the purview of Terraform. As step 1 I declared all the Terraform resources I needed:

```hcl
resource "aws_secretsmanager_secret" "secret" {
  name                    = var.secret_name
  description             = var.secret_description
  kms_key_id              = aws_kms_key.main.id
  recovery_window_in_days = var.recovery_window_in_days
  tags                    = var.secret_tags
  policy                  = data.aws_iam_policy_document.secret_access_policy.json
}

// AWS secrets manager secret version
resource "aws_secretsmanager_secret_version" "secret" {
  secret_id     = aws_secretsmanager_secret.secret.id
  secret_string = jsonencode(var.secret_name_in_secrets_file)
}
```

Next I imported:

1. Import secret to state:

   ```shell
   terraform import module.<module_name>.aws_secretsmanager_secret.secret \
     arn:aws:secretsmanager:<region>:<account_id>:secret:<secret_name>-<hash_value>
   ```

2. Import secret version to state (the `|` must be quoted so the shell does not treat it as a pipe):

   ```shell
   terraform import module.<module_name>.aws_secretsmanager_secret_version.secret \
     'arn:aws:secretsmanager:<region>:<account_id>:secret:<secret_name>-<hash_value>|<unique_secret_id aka AWSCURRENT>'
   ```

Post this I expected the Terraform plan to only involve changes to the resource policy. But Terraform tried to destroy and recreate the secret version, which did not make sense to me.

After going ahead with the plan, the secret version that was initially associated with the AWSCURRENT staging label (the one I used above in the import) became the AWSPREVIOUS staging label id, and a new AWSCURRENT was created.

Before terraform import:

```json
{
    "Versions": [
        {
            "VersionId": "initial-current",
            "VersionStages": [
                "AWSCURRENT"
            ],
            "LastAccessedDate": "xxxx",
            "CreatedDate": "xxx"
        },
        {
            "VersionId": "initial-previous",
            "VersionStages": [
                "AWSPREVIOUS"
            ],
            "LastAccessedDate": "xxxx",
            "CreatedDate": "xxxx"
        }
    ],
    "ARN": "xxxx",
    "Name": "xxxx"
}
```

After TF import and apply:

```json
{
    "Versions": [
        {
            "VersionId": "post-import-current",
            "VersionStages": [
                "AWSCURRENT"
            ],
            "LastAccessedDate": "xxxx",
            "CreatedDate": "xxx"
        },
        {
            "VersionId": "initial-current",
            "VersionStages": [
                "AWSPREVIOUS"
            ],
            "LastAccessedDate": "xxxx",
            "CreatedDate": "xxxx"
        }
    ],
    "ARN": "xxxx",
    "Name": "xxxx"
}
```

I was expecting initial-current to remain in the AWSCURRENT stage. Why did AWS move the initial AWSCURRENT secret ID that I imported using TF into AWSPREVIOUS and create a new one, since nothing changed in terms of value or rotation? I expected no changes on that front since TF imported the version.

Abhishek Malik
  • Where is your module definition? I only see the resource config. Does the secret policy applied to the secret match the policy in data.aws_iam_policy_document.secret_access_policy.json? – Michael Quale Sep 02 '22 at 18:38
  • Currently the resources on Secrets Manager have no resource-based access policy; this module will update the resource policy. Does updating the resource policy affect the version for secrets? – Abhishek Malik Sep 02 '22 at 18:46
  • Are you importing the secret using the secret ID? Or using AWSCURRENT? – jonnybinthemix Sep 06 '22 at 04:55
  • I imported it using the secret ARN + secret version number in my first try and using only the secret ARN in my second try. Both times I saw the same result as above. – Abhishek Malik Sep 06 '22 at 18:18
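An added check, not code from the question or from the AWS provider: the two `list-secret-version-ids` listings above are embedded as constructed samples, and the script reports which staging labels moved between them and whether the string Terraform's `jsonencode()` would write (compact, keys sorted) matches a stored `SecretString` byte for byte. In the provider, a changed `secret_string` forces the version resource to be replaced, which is a PutSecretValue and therefore a new AWSCURRENT, so any formatting drift in the imported value shows up as exactly the destroy/recreate seen in the plan.

```python
import json

# Constructed samples: the two listings from the question, trimmed to the
# fields that matter for staging labels.
BEFORE = {"Versions": [
    {"VersionId": "initial-current", "VersionStages": ["AWSCURRENT"]},
    {"VersionId": "initial-previous", "VersionStages": ["AWSPREVIOUS"]},
]}
AFTER = {"Versions": [
    {"VersionId": "post-import-current", "VersionStages": ["AWSCURRENT"]},
    {"VersionId": "initial-current", "VersionStages": ["AWSPREVIOUS"]},
]}


def stage_map(listing):
    """Map each staging label (AWSCURRENT, AWSPREVIOUS, ...) to the version id carrying it."""
    return {stage: v["VersionId"]
            for v in listing["Versions"] for stage in v["VersionStages"]}


def stage_moves(before, after):
    """Return {label: (old_version_id, new_version_id)} for every label that moved."""
    b, a = stage_map(before), stage_map(after)
    return {s: (b.get(s), a.get(s)) for s in sorted(set(b) | set(a)) if b.get(s) != a.get(s)}


def terraform_jsonencode(value):
    """Reproduce the string Terraform's jsonencode() emits: no whitespace, keys sorted."""
    return json.dumps(value, separators=(",", ":"), sort_keys=True)


def secret_string_drift(desired_map, stored_secret_string):
    """True if Terraform's secret_string differs from what AWS holds.

    The provider compares the raw string, so key order or whitespace alone
    is enough to plan a replacement. stored_secret_string is the SecretString
    field from `aws secretsmanager get-secret-value` (assumed input here)."""
    return terraform_jsonencode(desired_map) != stored_secret_string


if __name__ == "__main__":
    for label, (old, new) in stage_moves(BEFORE, AFTER).items():
        print(f"{label}: {old} -> {new}")
    # Same data, different formatting: this alone would force a new version.
    print("drift:", secret_string_drift({"user": "a", "pass": "b"},
                                        '{"user": "a", "pass": "b"}'))
```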
