AWS with Terraform (Day 25)

Terraform Import in AWS: Bringing Existing Resources Under Terraform Control

In an ideal world, every AWS resource would be created by Terraform from day one. In reality, most environments contain legacy resources—VPCs, EC2 instances, security groups, IAM roles—created manually, by the console, or by older automation.

On Day 25 of my DevOps journey, I focused on a critical real-world skill:
bringing existing AWS resources under Terraform management using Terraform import.

This is an essential capability for DevOps engineers working on migrations, brownfield environments, or recovering from lost Terraform state.

Why Terraform Import Matters

Terraform works best when it owns the full lifecycle of the infrastructure it manages. Import allows you to:

  • Migrate manually created or legacy resources into Infrastructure as Code

  • Recover when terraform.tfstate is lost or corrupted

  • Onboard existing infrastructure into a new Terraform repository

  • Standardize environments without downtime or recreation

In production, this is not optional knowledge—it’s expected.

Three Ways to Bring Existing AWS Resources Under Terraform

1. terraform import (Recommended & Production-Safe)

This is the native and supported approach.

  • You write the Terraform resource block yourself

  • Terraform maps the real AWS resource into state

  • No resource recreation

Pros

  • Predictable

  • Fully supported

  • Fine-grained control

Cons

  • Manual effort required

  • Requires reconciling HCL with imported state

This is the preferred approach for production systems and interviews.

2. aws2tf

An open-source AWS-backed script that:

  • Scans AWS resources

  • Generates Terraform HCL automatically

Useful for quick scaffolding, but the generated code must be reviewed and cleaned up before use.

3. Terraformer

A multi-cloud export tool that:

  • Generates Terraform files and state

  • Supports many AWS resources

Great for large environments, but not all edge cases are covered. Generated code often needs manual correction.

Practical Import Workflow (Security Group & EC2)

Below is a safe, repeatable approach I followed.

Step 1: Identify Existing Resources

From the AWS Console, note:

  • Security Group ID: sg-0123456789abcdef0

  • EC2 Instance ID: i-0abc123def456

Step 2: Write Minimal Terraform HCL

Terraform does not generate code during import, so the resource block must already exist.

data "aws_vpc" "default" {
  default = true
}

resource "aws_security_group" "app_sg" {
  name        = "test-tf-sg"
  description = "managed-by-terraform"
  vpc_id      = data.aws_vpc.default.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Keep the configuration minimal and intentional.

Step 3: Initialize and Plan

terraform init
terraform plan

Terraform will show it intends to create the resource—this is expected because it’s not in state yet.

Step 4: Import the Resource

terraform import aws_security_group.app_sg sg-0123456789abcdef0
terraform import aws_instance.example i-0abc123def456

Syntax:

terraform import <resource_address> <resource_id>

This updates state only, not configuration.

Step 5: Inspect Imported State

terraform state list
terraform state show aws_security_group.app_sg

Now Terraform knows the resource exists.

Step 6: Reconcile Configuration

Run:

terraform plan

If Terraform shows changes:

  • Update your HCL to match the real resource

  • Aim for zero-drift plans before applying

Common Pitfalls (Real-World Lessons)

  • Import does not generate HCL
    Import updates state only. You must write the resource block yourself.

  • Attribute mismatches can force replacement
    Fields like vpc_id, name, or description can trigger recreation if mismatched.

  • Composite IDs
    Some resources require composite import IDs—always check provider docs.

  • Helper tools aren’t perfect
    aws2tf and Terraformer accelerate work but are not production-ready out of the box.

  • Always back up state
    Before large imports, protect yourself from irreversible mistakes.

Terraform Import Cheat Sheet

terraform init
terraform plan
terraform import <address> <id>
terraform state list
terraform state show <address>
terraform apply
terraform destroy

When to Use Manual Import vs Helper Tools

Use terraform import when:

  • Working in production

  • You need precision and predictability

  • Preparing for interviews or certifications

Use aws2tf / Terraformer when:

  • Migrating large environments

  • You need fast scaffolding

  • You’re prepared to review and refactor generated code

Diagram




Final Thoughts

Terraform import is not just a command—it’s a migration discipline.

The core pattern is simple:

  1. Write minimal HCL

  2. Import the existing resource

  3. Reconcile configuration and state

  4. Achieve zero-drift plans

Once mastered, importing becomes a routine and safe operation, enabling teams to bring legacy infrastructure under consistent, auditable Terraform control.

Onward to deeper infrastructure mastery 

Here is the session link:



Comments

Post a Comment

Popular posts from this blog

AWS with Terraform (Day 01)

Image
  Terraform Fundamentals – Day 01 (My Learning Notes as a DevOps Engineer) Today I wrapped up Day-01 of my Terraform with AWS series, and even with my DevOps background, this session helped me tighten my fundamentals and rethink how I approach cloud provisioning. Terraform is something I’ve used before, but today was more about understanding why IaC matters at scale and why Terraform continues to dominate in real-world DevOps ecosystems. Understanding Infrastructure as Code (IaC) As a DevOps engineer, IaC is not new to me. But today’s session broke it down in a way that clarified its real value. IaC = Infrastructure represented as code. Instead of building resources manually through AWS/Azure/GCP consoles, we define everything in .tf files. This ensures our setup is predictable, repeatable, and version-controlled. What I liked most is how clearly the contrast was shown: Cloud-Agnostic Tools (Terraform / Pulumi) Work across AWS, Azure, GCP, Kubernetes, GitHub, etc. ...
Read more

AWS with Terraform (Day 27)

Image
Automating AWS Infrastructure Using Terraform and GitHub Actions Infrastructure automation is where DevOps truly becomes real. Writing Terraform code is only half the story—the real value comes when infrastructure changes are version-controlled, reviewed, scanned, approved, and applied automatically . On Day 27 of my DevOps journey, I implemented a production-grade CI/CD pipeline to automate AWS infrastructure using Terraform and GitHub Actions , following best practices used in real-world teams. This blog walks through the architecture, workflow design, safety controls, and lessons learned . Why Automate Terraform with CI/CD? Running Terraform manually from a laptop works for learning, but it quickly breaks down in team and production environments: Local state files are risky and hard to share Credentials scattered across machines No standardized reviews or approvals No security or policy checks before apply No clear audit trail By integrating Terraform with G...
Read more

AWS with Terraform (Day 02)

Image
  AWS with Terraform – Day 02 Deep Dive into Providers, Versioning & the Real “Bridge” Between Code and Cloud Today’s session took me from simply writing Terraform code to actually understanding the engine behind it — the Provider layer . And honestly, once this clicks, Terraform stops feeling like just a tool and starts feeling like a real engineering system. Here’s what I learned and how I’ve started applying it. Providers: The Plugin That Makes Terraform Real The simplest way I now understand it: Terraform writes the story. Providers translate it into cloud actions. Before today, I treated the provider block as just two lines of mandatory code. Now I see it as the translator that turns HCL into actual AWS API calls . Example: I write: resource "aws_s3_bucket" "demo" { bucket = "my-app-demo" } The AWS provider turns that into the exact S3 API request. This layer saves us from manually hitting APIs, building payloads, or juggling ...
Read more