Use Terraform moved blocks and the terraform state mv command together to safely refactor a root module that splits into child modules without destroying resources

Verified steps

1. Run terraform state list to capture the current addresses of all resources that will move into the new child module structure
2. Add moved blocks in the root module mapping each old address to the new address under the module path, for example moved { from = aws_s3_bucket.logs to = module.logging.aws_s3_bucket.logs }
3. Run terraform plan and verify the output shows zero resource replacements and only in-place renames; any replacement indicates a resource attribute changed alongside the move, which must be resolved first
4. For resources that cannot be expressed as moved blocks (such as those whose provider changed), use terraform state mv commands instead, then add import blocks if the resource needs re-importing under a new provider configuration
5. After applying the moved configuration, remove the moved blocks in a follow-up commit; moved blocks left in place for more than one release cycle cause confusion but do not cause errors
6. Tag the pre-move and post-move state in the remote backend by taking a manual state snapshot or using the backend's versioning feature so a rollback path exists if the apply reveals unexpected plan differences