
Using the Import Block

Why

There are various reasons that may lead you to using the import block. For example:

  • Fixing click ops drift
  • After removing a changed resource from state and wanting to import it back in
  • Our code base did not previously support a configuration, but now it does, and you want to manage the resource via code

The import block allows you to import an existing resource into the existing state file, allowing you to manage it by code. This differs from the data block in that the data block only allows reference to the resource and not management of the resource.

Note

Import is not supported for all Terraform resources, and HashiCorp is adding support for modules with new Terraform versions.

You must confirm whether import of a specific resource is supported by reviewing the HashiCorp Terraform Registry. If it is, a section titled Import will be present at the bottom of the page.

How

Expect the unexpected

It goes without saying, but you should always run a plan to confirm your changes will not clobber existing infrastructure, or to make sure that all components you expect to import actually import.

  1. First, you will define the resource in your code. This is an important step -- the import block brings the resource into state, but you must define it in code as if you were creating it from scratch. We will use an example of importing an AWS security group.

    Warning

    If there are any differences between your code and the existing resource, your code will overwrite the existing resource.

    Tip

    Keep note of lines 2, 4, 5, and 6. They will be used in the next step.

    In this example, you will notice that Line 6 is being created in code and is not defined in the UI screenshot below. This is expected, and in the terraform plan will appear as a change.

    vpcs = {
        Epic = {
            security_groups = {
                HSWSG = {
                    ingress = {
                        Allow_SMB = {
                            from_port = 445
                            to_port = 445
                            cidr_ipv4 = "10.8.0.0/16"
                            description = "SMB Traffic from the 10.8 subnet"
                        }
                    }
                }
            }
        }
    }
    Screenshot - Correlating info in AWS

    AWS Config

  2. If it does not exist, create ./src/imports.tf. This file will contain information on the resource you are importing.

  3. Populate imports.tf with resource information for the resource(s) you wish to import.

    1. Obtain the Security Group Rule ID from the AWS console. (Screenshot: Security Group Rule ID)
    2. Confirm the path to map the resource to. You can either reference a similar resource in the output of a terraform plan or track it down in code, as shown here. You will then concatenate that path with the resource information defined in Step 1. This example results in a full name of module.vpc_security_group_rule.aws_vpc_security_group_ingress_rule_vpc_security_group_ingress_rule["Epic.HSWSG.Allow_SMB.ingress"]. (Screenshot: Resource Path)
    3. Now you can write your import block.
      import {
          to = module.vpc_security_group_rule.aws_vpc_security_group_ingress_rule_vpc_security_group_ingress_rule["Epic.HSWSG.Allow_SMB.ingress"]
          id = "sgr-0d3b3a590c2993990"
      }
      
  4. After configuring imports.tf and your .tfvars file, save your changes and run a terraform plan. The results of your plan will include the number of items to be imported or changed. Be sure to carefully review the results for the expected changes.

  5. If the results are as expected, run your terraform apply.

  6. After the apply, you must clean up your import. Either comment out or delete the contents of your imports.tf file, or delete the file in its entirety.
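
An added example (not part of the original page or the project's code base) for the plan review in step 4: it reads a plan exported with `terraform show -json` and lists, for each imported resource, the attributes your code would overwrite, plus any expected import IDs the plan did not pick up. The function name, the sample before/after values and the placeholder ID are assumptions; `importing`, `before`, `after` and `after_unknown` are fields of Terraform's JSON plan format (1.5 and later).

```python
def review_imports(plan, expected_ids):
    """Return (findings, missing) for a parsed `terraform show -json` plan."""
    findings, seen = [], set()
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        importing = change.get("importing")  # present only on imported resources
        if not importing:
            continue
        seen.add(importing.get("id"))
        before = change.get("before") or {}
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        # Attributes where the code differs from the live resource; apply overwrites them.
        overwrites = {
            key: (before.get(key), after.get(key))
            for key in sorted(set(before) | set(after))
            if before.get(key) != after.get(key) and not unknown.get(key)
        }
        findings.append({
            "address": rc["address"],
            "id": importing.get("id"),
            "destructive": "delete" in change.get("actions", []),
            "overwrites": overwrites,
        })
    # IDs listed in imports.tf that the plan did not pick up.
    return findings, sorted(set(expected_ids) - seen)


# Constructed sample: address and rule ID come from this page; the before/after
# attribute values and the placeholder ID are assumptions for illustration.
SAMPLE_PLAN = {"resource_changes": [{
    "address": 'module.vpc_security_group_rule.aws_vpc_security_group_ingress_rule_vpc_security_group_ingress_rule["Epic.HSWSG.Allow_SMB.ingress"]',
    "change": {
        "actions": ["update"],
        "importing": {"id": "sgr-0d3b3a590c2993990"},
        "before": {"from_port": 445, "to_port": 445, "cidr_ipv4": "10.8.4.0/24", "description": None},
        "after": {"from_port": 445, "to_port": 445, "cidr_ipv4": "10.8.0.0/16",
                  "description": "SMB Traffic from the 10.8 subnet"},
        "after_unknown": {},
    },
}]}

if __name__ == "__main__":
    found, missing = review_imports(SAMPLE_PLAN, ["sgr-0d3b3a590c2993990", "sgr-EXAMPLE-PLACEHOLDER"])
    for f in found:
        print(f["address"], f["id"], "destructive" if f["destructive"] else "in-place", f["overwrites"])
    print("expected but not imported:", missing)
```

In the constructed sample the code's CIDR is wider than the live rule's, so the apply would broaden the ingress rule; that is the kind of overwrite the Warning in step 1 refers to.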