Day 25 - Terraform Import for Existing AWS Resources

Today I worked on Terraform import as part of Day 25 of my AWS Terraform learning series.

In real projects, not every AWS resource starts from Terraform. Some resources are created manually from the AWS Console. Some are created by older scripts. Some are created by different teams before Infrastructure as Code is adopted.

Terraform import helps bring those existing resources into Terraform state so they can be managed going forward.

For this project, I created a few AWS resources manually first, then imported them into Terraform.

What I Built

I used three existing AWS resources:

S3 bucket
EC2 instance
Security group

These resources were created outside Terraform first. Then I wrote Terraform configuration blocks for them and used terraform import to connect those real AWS resources to Terraform state.

Architecture

The workflow is simple:

Existing AWS resources already exist in the AWS account.
Terraform configuration defines matching resource blocks.
terraform import maps those resources into Terraform state.
terraform plan checks whether the code and real infrastructure match.
Terraform manages the resources going forward.

Why Terraform Import Matters

Terraform normally manages resources from the time it creates them. But in real environments, we often inherit existing infrastructure.

Terraform import is useful when:

A company is adopting Infrastructure as Code.
Resources were created manually before Terraform was introduced.
A production resource should not be recreated.
A resource was created during troubleshooting and now needs to be managed properly.
Teams want better drift detection and consistent change control.

The important point is this: import does not create infrastructure. It only updates Terraform state so Terraform knows about the existing resource.

Terraform Configuration

I started with a normal Terraform provider and backend configuration.

terraform {
  required_version = ">= 1.6.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  backend "s3" {
    bucket       = "jay-terraformstate-bucket"
    key          = "day-25/dev/terraform.tfstate"
    region       = "us-east-1"
    encrypt      = true
    use_lockfile = true
  }
}

provider "aws" {
  region = var.aws_region
}

Then I defined the existing resources in Terraform.

resource "aws_s3_bucket" "imported_bucket" {
  bucket = var.existing_bucket_name

  tags = {
    Name        = var.existing_bucket_name
    Project     = "Day25TerraformImport"
    ManagedBy   = "Terraform"
    Environment = "dev"
  }
}

I also added resource blocks for the existing security group and EC2 instance.


This screenshot should show the Terraform files before running the import commands.

Import Commands

After initializing Terraform, I ran the import commands.

terraform init
terraform validate

Then I imported the existing S3 bucket.

terraform import aws_s3_bucket.imported_bucket day25-import-demo-xxxx

Next, I imported the security group.

terraform import aws_security_group.imported_sg sg-xxxxxxxxxxxxxxxxx

Then I imported the EC2 instance.

terraform import aws_instance.imported_ec2 i-xxxxxxxxxxxxxxxxx

State Verification

After importing, I checked the Terraform state.

terraform state list

Expected output:

aws_instance.imported_ec2
aws_s3_bucket.imported_bucket
aws_security_group.imported_sg

Before import, terraform state list returned no resources because Terraform had configuration files but no state mapping to existing AWS resources. After running import commands, the resources appeared in Terraform state, confirming that Terraform now tracks and manages them.

I also checked detailed state information.

terraform state show aws_instance.imported_ec2

This helps verify that Terraform has stored the correct resource attributes.

Drift Check

The most important step after import is running:

terraform plan

This step shows whether the Terraform configuration matches the real AWS resources.

If the plan shows changes, it means the Terraform code does not fully match the existing resource. In that case, I need to update the Terraform configuration carefully until the plan becomes clean.

A good final result is:

No changes. Your infrastructure matches the configuration.

One observation was, there's 1 resource that is destroyed as per above. 
I noticed that changing the security group description forced replacement. 
This showed me why terraform plan is critical after import. 
Imported resources should first match the real AWS configuration 
before making changes.

Test Scenario

To test that Terraform can now manage the imported resources, I added a new tag:

Owner = "Jay"

Then I ran:

terraform plan
terraform apply

This proves Terraform is not just tracking the resource, but can also manage changes going forward.

Key Learnings

Terraform import is useful for bringing existing AWS resources under Infrastructure as Code.

Import does not create resources. It connects existing resources to Terraform state.

A matching Terraform resource block is required before import.

terraform state list and terraform state show help verify the import.

terraform plan is the most important validation step because it shows drift between code and real infrastructure.

Cleanup

For this project, cleanup should be handled carefully.

If these are demo resources, they can be destroyed using:

terraform destroy


But in real environments, imported resources may already be production resources. In that case, do not destroy them unless the resource owner approves it.

Conclusion

Day 25 helped me understand how Terraform can adopt existing AWS resources. This is an important real world skill because cloud environments often already have resources before Terraform is introduced.

The main lesson is to import carefully, validate state, review the plan, and only then allow Terraform to manage future changes.

Video Reference


Jay

Comments

Post a Comment

Popular posts from this blog

ASM Integrity check failed with PRCT-1225 and PRCT-1011 errors while creating database using DBCA on Exadata 3 node RAC

Image
  Error: The error message PRCT-1225: failed to verify Oracle Automatic Storage Management (Oracle ASM) user credentials using the command 'asmcmd credverify' indicates that the asmcmd credverify command failed to verify the Oracle ASM user credentials. This can happen for a number of reasons, including: The user credentials are incorrect. The user credentials file is corrupted. The user does not have the necessary permissions to run the asmcmd credverify command. There is a problem with the Oracle ASM instance. To troubleshoot this error, you can try the following: Make sure that the user credentials are correct. You can do this by trying to log in to the Oracle ASM instance using the same credentials. Check the user credentials file for errors. You can do this by using a text editor to open the file and inspect the contents. Make sure that the user has the necessary permissions to run the asmcmd credverify command. You can do this by checking the user's permissi...
Read more

Life is beautiful

Image
Life brings unexpected tragedies that are beyond our control. It's heartbreaking to witness people facing circumstances they never chose. We react with tears and inevitably wonder, "What if that happens to me?" As humans, we naturally focus on the positive and avoid dwelling on such thoughts—and that's healthy. But this perspective has shaped how I approach life: Am I prepared for these scenarios? Are my loved ones protected if something goes wrong? If I were to die, I couldn't be there to tell them to stay strong—they'd have to face that grief alone. But I can give them financial security through proper planning, wills, and trusts. These are tangible ways to care for them even when I'm gone. Beyond that, what else can I control? I don't waste energy worrying about an uncertain past or future. Instead, I choose to spread peace, truly listen to others, and share genuine smiles. I embrace the principle of living fully while letting others do the same. ...
Read more

Lock Tables in MariaDB

Whether or not you need to lock tables while backing up MariaDB depends on a few factors, including the type of backup you are performing and the tools you are using. If you are performing a full backup , you should lock the tables to ensure that the backup is consistent. This is because a full backup copies all of the data in the database, including any data that is currently being modified by transactions. If you do not lock the tables, it is possible that the backup could contain inconsistent data. If you are performing a differential backup or an incremental backup , you may not need to lock the tables. Differential and incremental backups only copy the data that has changed since the previous backup. This means that the data is already consistent, so there is no need to lock the tables. However, some backup tools may require you to lock the tables, even if you are performing a differential or incremental backup. This is because these tools may need to modify the database in some ...
Read more