Terraform cloud : Import existing resource

Question

I am using terraform cloud to manage the state of the infrastructure provisioned in AWS.

I am trying to use terraform import to import an existing resource that is currently not managed by terraform.

I understand terraform import is a local only command. I have set up a workspace reference as follows:

terraform {
  required_version = "~> 0.12.0"

  backend "remote" {
    hostname = "app.terraform.io"
    organization = "foo"

    workspaces {
      name = "bar"
    }
  }
}

The AWS credentials are configured in the remote cloud workspace but terraform does not appear to be referencing the AWS credentials from the workspace but instead falls back trying to using the local credentials which points to a different AWS account. I would like Terraform to use the credentials by referencing the variables in the workspace when I run terraform import.

When I comment out the locally configured credentials, I get the error:

Error: No valid credential sources found for AWS Provider.

I would have expected terraform to use the credentials configured in the workspace.

Note that terraform is able to use the credentials correctly, when I run the plan/apply command directly from the cloud console.

Answer 1

Since Terraform v1.5.0 you can use an import block:

import {
  to = some_resource_type.some_name
  id = "external_id_to_be_imported"
}

resource "some_resource_type" "some_name" {
  name = "foo"
  # (other resource arguments...)
}

Beginning in v1.6.0 you can use variable interpolation within import but the values must be literals in earlier 1.5.x versions.

Once the resource has been imported, the relevant import block is subsequently ignored and can be removed.

Answer 2

Per the backends section of the import docs, plan and apply run in Terraform Cloud whereas import runs locally. Therefore, the import command will not have access to workspace credentials set in Terraform Cloud. From the docs:

In order to use Terraform import with a remote state backend, you may need to set local variables equivalent to the remote workspace variables.

So instead of running the following locally (assuming you've provided access keys to Terraform Cloud):

terraform import aws_instance.myserver i-12345

we should run for example:

export AWS_ACCESS_KEY_ID=abc
export AWS_SECRET_ACCESS_KEY=1234
terraform import aws_instance.myserver i-12345

where the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY have the same permissions as those configured in Terraform Cloud.

Note for AWS SSO users

If you are using AWS SSO and CLI v2, functionality for terraform to be able to use the credential cache for sso was added per this AWS provider issue. The steps for importing with an SSO profile are:

• Ensure you've performed a login and have an active session with e.g. aws sso login --profile my-profile
• Make the profile name available to terraform as an environment variable with e.g. AWS_PROFILE=my-profile terraform import aws_instance.myserver i-12345

If the following error is displayed, ensure you are using a version of the cli > 2.1.23:

Error: SSOProviderInvalidToken: the SSO session has expired or is invalid
│ caused by: expected RFC3339 timestamp: parsing time "2021-07-18T23:10:46UTC" as "2006-01-02T15:04:05Z07:00": cannot parse "UTC" as "Z07:00"

Answer 3

Use the data provider, for Example:-

data "terraform_remote_state" "test" {
  backend = "s3"
  config = {
    bucket = "BUCKET_NAME"
    key    = "BUCKET_KEY WHERE YOUR TERRAFORM.TFSTATE FILE IS PRESENT"
    region = "CLOUD REGION"
  }
}

Now you can call your provisioned resources Example :-

For getting the VPC ID:-

data.terraform_remote_state.test.*.outputs.vpc_id

Just make the cloud resource property you want to refer should be in exported as output and stored in terraform.tfstate file