4
votes

How do I import an existing AWS resource into Terraform state, where that resource exists within a different account?

terraform import module.mymodule.aws_iam_policy.policy arn:aws:iam::123456789012:policy/mypolicy

gives the following error:

Error: Cannot import non-existent remote object

While attempting to import an existing object to aws_iam_policy.policy, the
provider detected that no object exists with the given id. Only pre-existing
objects can be imported; check that the id is correct and that it is
associated with the provider's configured region or endpoint, or use
"terraform apply" to create a new remote object for this resource.

The resource was created in one account using a different provisioner defined within a module called mymodule:

module "mymodule" {
    source = "./mymodule" // assumed local path; the original omits it
    // ... define variables for the module
}

// within the module
provider "aws" {
  alias = "cross-account"
  region = "eu-west-2"
  assume_role {
    role_arn = var.provider_role_arn
  }
}

resource "aws_iam_policy" "policy" {
  // unquoted reference to the aliased provider; the quoted form is deprecated in 0.12
  provider    = aws.cross-account
  name        = var.policy-name
  path        = var.policy-path
  description = var.policy-description

  policy = var.policy-document
}

How do I import cross-account resources?

Update: using the -provider flag, I get a different error:

Error: Provider configuration not present

To work with module.mymodule.aws_iam_policy.policy (import
id "arn:aws:iam::123456789012:policy/somepolicytoimport") its original provider
configuration at provider.aws.cross-account is required, but it has been
removed. This occurs when a provider configuration is removed while objects
created by that provider still exist in the state. Re-add the provider
configuration to destroy
module.mymodule.aws_iam_policy.policy (import id
"arn:aws:iam::123456789012:policy/somepolicytoimport"), after which you can remove
the provider configuration again.
Comments:

ydaetskcoR: What version of Terraform are you using?
John: Latest version (0.12.12)
ydaetskcoR: You shouldn't need to use -provider=aws.cross-account since 0.12.10 but it might be worth trying to see if that helps things.
John: @ydaetskcoR that gives a different error, see edit above.

2 Answers

0
votes

I think you have to assume the role of the second account as follows.

provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"
  }
}

[1]: https://www.terraform.io/docs/providers/aws/index.html

0
votes

I've got the same error while trying to import an AWS ACM certificate.

As the first step, before importing the resource, you need to create its configuration in the root module (or another relevant module):

resource "aws_acm_certificate" "cert" {
  # (resource arguments)
}

Or you'll get the following error:

Error: resource address "aws_acm_certificate.cert" does not exist in the configuration.

Then you can import the resource by providing its relevant ARN:

$ terraform import aws_acm_certificate.cert <certificate-arn>

Like @ydaetskcoR mentioned in the comments - you don't need to assume the role of the second account if you're using v0.12.10+.

But Terraform does need access credentials to the second account, so please make sure you provide the relevant account's credentials (and not the source account credentials) or you'll be stuck with the

Error: Cannot import non-existent remote object

for a few hours like me (:
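The layout both answers point at, written out as an added example (this is not code from the question or from either answer): the assume-role provider is declared once in the root module and handed to the module through a `providers` map, so that `terraform import module.mymodule.aws_iam_policy.policy <arn>` resolves the resource's provider to the cross-account credentials instead of the root account's defaults. The role ARN, module path, variable values and policy body are placeholders I have assumed.

```hcl
# Root module (main.tf). Added example; ARN, path and values are assumed placeholders.

provider "aws" {
  region = "eu-west-2"
}

# Credentials for the target account: the role must exist in 123456789012 and
# trust the identity Terraform itself runs as.
provider "aws" {
  alias  = "cross_account"
  region = "eu-west-2"

  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/TerraformCrossAccount" # assumed
    session_name = "terraform-import"
  }
}

module "mymodule" {
  source = "./modules/mymodule" # assumed path

  # Bind the module's aliased provider to the root-level assumed-role provider.
  providers = {
    aws.cross-account = aws.cross_account
  }

  policy-name        = "mypolicy"
  policy-path        = "/"
  policy-description = "Policy imported from the target account"
  policy-document = jsonencode({ # assumed body; must match the remote policy
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject"]
      Resource = "arn:aws:s3:::example-bucket/*"
    }]
  })
}

# Child module (modules/mymodule/main.tf).
# Proxy configuration only: no region or credentials here, the caller supplies them.
provider "aws" {
  alias = "cross-account"
}

variable "policy-name" {}
variable "policy-path" {}
variable "policy-description" {}
variable "policy-document" {}

resource "aws_iam_policy" "policy" {
  provider    = aws.cross-account
  name        = var.policy-name
  path        = var.policy-path
  description = var.policy-description
  policy      = var.policy-document
}
```

With this in place, `terraform import module.mymodule.aws_iam_policy.policy arn:aws:iam::123456789012:policy/mypolicy` is run against the target account without any `-provider` flag. Before importing, it is worth confirming that the role actually resolves to the account in the ARN, for example with `aws sts get-caller-identity` using the same assumed role; a mismatch there is exactly what produces "Cannot import non-existent remote object". After the import, `terraform plan` should report no changes; any diff means the configuration does not match the remote object. On Terraform 0.13 and later, the empty proxy `provider` block in the child module is replaced by `configuration_aliases` in the module's `required_providers` block.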