Terraform 1.5.x’s Import Block

Jun 13, 2023Terraform

Motivation

It is a common occurence for DevOps teams without rock-solid best practice usage of Terraform: A user or application has created a cloud resource through the AWS console or the gcloud CLI, and now we want to bring that resource under Terraform control.

For this article, we will assume that we have an example s3 bucket that we want to bring into Terraform control, with the matching Terraform configuration definition.

resource "aws_s3_bucket" "example" {
  bucket = "my-uncontrolled-bucket"
  ...
 
  versioning {
    enabled = true
  }
}

Importing in a pre-1.5 World — Not Fun!

There are entire other articles dedicated to this, but essentially, we need to run within directory where we have already run terraform init the following Terraform CLI command:

terraform import aws_s3_bucket.example my-uncontrolled-bucket

There are several problems with this approach, namely:

Manually updating Terraform state on the command line is not ideal
No record of imports run in the past
Risk of running a subsquent terraform apply and overwriting a remote resource with mis-specified Terraform configuration.

Introducing the Import Block

Now, with Terraform 1.5.x, we can import directly using Terraform’s new import block:

import {
  to = aws_s3_bucket.example
  id = my-uncontrolled-bucket
}

Then, in our next terraform plan and terraform apply run, we can directly import the resource into our state file. This is a big upgrade:

No updating terraform state via the CLI ✅
Should we keep the import block, we have a written record of the import ✅
We can run terraform plan to ensure that our new resource block matches what is in our cloud, and will make no changes ✅

Limitations

Of course, this new syntax helps, but by itself is no panacea to ensure that an entire cloud environement is controlled by code. To do so, we need to identify resources outside of Terraform control, generate corresponding configuration, and write the import block that includes the exact ID of the resource within the cloud environment.

Shameless plug: Tools like dragondrop will actually automate all of the above steps, with results output directly as a Pull Request into your git repository.

Conclusion

The new import block released in Terraform 1.5.x is a major improvement for bringing externally created cloud resources under Terraform control. For practitioners, once you upgrade to Terraform 1.5.x+, there is no need to ever manually run an import command on your CLI again!

–

dragondrop.cloud’s mission is to automate developer best practices while working with Infrastructure as Code. Our flagship OSS product, cloud-concierge, allows developers to codify their cloud, detect drift, estimate cloud costs and security risks, and more — while delivering the results via a Pull Request. For enterprises running cloud-concierge at scale, we provide a management platform. To learn more, schedule a demo or get started today!

Learn More About Terraform

Everything Everywhere All as Code

“Everything as Code” Definition Everything as Code is a philosophy for managing IT infrastructure where all components of infrastructure are created, managed, and deleted using code. This applies to container definitions, cloud infrastructure, on-premise server...

Open Source driftctl Alternatives

What is driftctl? driftctl is an OSS CLI tool that enables users to identify Terraform drift as well as unmanaged resources within a cloud environment. It is a quite popular tool and has collected over two thousand stars on GitHub. Why Would We Want a Replacement?...

Why We Are Not Supporting OpenTF

Background On August 10, HashiCorp changed the license to their previously “Open Source” projects to a Business Source License (BSL), making them now “source available” for all future releases. We discusssed in detail reasons and motivations for this change here. On...