diff --git a/docs/UPGRADE-19.0.md b/docs/UPGRADE-19.0.md
index 5bb7472..f626129 100644
--- a/docs/UPGRADE-19.0.md
+++ b/docs/UPGRADE-19.0.md
@@ -364,8 +364,12 @@ EKS managed node groups on `v18.x` by default create a security group that does
 
   # OIDC Identity provider
   cluster_identity_providers = {
-    sts = {
-      client_id = "sts.amazonaws.com"
+    cognito = {
+      client_id      = "702vqsrjicklgb7c5b7b50i1gc"
+      issuer_url     = "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_re1u6bpRA"
+      username_claim = "email"
+      groups_claim   = "cognito:groups"
+      groups_prefix  = "gid:"
     }
   }
 
diff --git a/main.tf b/main.tf
index dd638f2..211179d 100644
--- a/main.tf
+++ b/main.tf
@@ -552,6 +552,14 @@ resource "aws_eks_addon" "before_compute" {
 # Note - this is different from IRSA
 ################################################################################
 
+locals {
+  # Maintain current behavior for <= 1.29, remove default for >= 1.30
+  # `null` will return the latest Kubernetes version from the EKS API, which at time of writing is 1.30
+  # https://github.com/kubernetes/kubernetes/pull/123561
+  idpc_backwards_compat_version = contains(["1.21", "1.22", "1.23", "1.24", "1.25", "1.26", "1.27", "1.28", "1.29"], coalesce(var.cluster_version, "1.30"))
+  idpc_issuer_url               = local.idpc_backwards_compat_version ? try(aws_eks_cluster.this[0].identity[0].oidc[0].issuer, null) : null
+}
+
 resource "aws_eks_identity_provider_config" "this" {
   for_each = { for k, v in var.cluster_identity_providers : k => v if local.create && !local.create_outposts_local_cluster }
 
@@ -562,10 +570,11 @@ resource "aws_eks_identity_provider_config" "this" {
     groups_claim                  = lookup(each.value, "groups_claim", null)
     groups_prefix                 = lookup(each.value, "groups_prefix", null)
     identity_provider_config_name = try(each.value.identity_provider_config_name, each.key)
-    issuer_url                    = try(each.value.issuer_url, aws_eks_cluster.this[0].identity[0].oidc[0].issuer)
-    required_claims               = lookup(each.value, "required_claims", null)
-    username_claim                = lookup(each.value, "username_claim", null)
-    username_prefix               = lookup(each.value, "username_prefix", null)
+    # TODO - make argument explicitly required on next breaking change
+    issuer_url      = try(each.value.issuer_url, local.idpc_issuer_url)
+    required_claims = lookup(each.value, "required_claims", null)
+    username_claim  = lookup(each.value, "username_claim", null)
+    username_prefix = lookup(each.value, "username_prefix", null)
   }
 
   tags = merge(var.tags, try(each.value.tags, {}))