With full understanding (and taking the responsibility) of the warning from Manipulating State - Terraform CLI - Terraform by HashiCorp
Important: Modifying state data outside a normal plan or apply can cause Terraform to lose track of managed resources, which might waste money, annoy your colleagues, or even compromise the security of your operations. Make sure to keep backups of your state data when modifying state out-of-band.
and in relation to `terraform import` does not respect `ignore_changes` · Issue #20375 · hashicorp/terraform-provider-aws · GitHub,
I’ve got some resources I want to import, but those resources contain an ignorable element.
During the import, the ignorable element is imported, and so it now exists in the .tfstate file.
With full understanding that manipulation of the .tfstate file can lead to all sorts of issues, is it “safe” to CAREFULLY remove the values from the .tfstate file and put it back into the backend store?
Are there checksums or any sort of tfstate file integrity checks that would reveal that the file is inconsistent in some way?
The change really would be changing from (example matching the GitHub issue):
```json
{
  "mode": "managed",
  "type": "aws_ssm_parameter",
  "name": "parameter",
  "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
  "instances": [
    {
      "index_key": "/PRIVATE/KEY",
      "schema_version": 0,
      "attributes": {
        "allowed_pattern": "",
        "arn": "arn:aws:ssm:eu-west-1:123456789012:parameter/PRIVATE/KEY",
        "data_type": "text",
        "description": "A private key whose value should not be present in the repo or TFstate.",
        "id": "/PRIVATE/KEY",
        "key_id": "",
        "name": "/PRIVATE/KEY",
        "overwrite": null,
        "tags": {},
        "tags_all": {},
        "tier": "Standard",
        "type": "String",
        "value": "dummy",
        "version": 1
      },
      "sensitive_attributes": [],
      "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjAifQ=="
    }
  ]
},
```
to
```json
{
  "mode": "managed",
  "type": "aws_ssm_parameter",
  "name": "parameter",
  "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
  "instances": [
    {
      "index_key": "/PRIVATE/KEY",
      "schema_version": 0,
      "attributes": {
        "allowed_pattern": "",
        "arn": "arn:aws:ssm:eu-west-1:123456789012:parameter/PRIVATE/KEY",
        "data_type": "text",
        "description": "A private key whose value should not be present in the repo or TFstate.",
        "id": "/PRIVATE/KEY",
        "key_id": "",
        "name": "/PRIVATE/KEY",
        "overwrite": null,
        "tags": {},
        "tags_all": {},
        "tier": "Standard",
        "type": "String",
        "value": "",
        "version": 1
      },
      "sensitive_attributes": [],
      "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjAifQ=="
    }
  ]
},
```
That is, just removing the dummy value (which is what I am using for this example).
An additional complexity is that the tfstate file is in a versioning backend (S3).
To truly hide the recording of the values, I think I’d need to change the backend to a local file, run the terraform import to import the manually created resources, edit the now local .tfstate file, and then migrate to a backend on S3.
Which does, in itself, seem as potentially fraught with issues as editing the .tfstate file in the first place!
Are there any other, “saner” ways to not get the sensitive data into the .tfstate file for a pre-existing resource when importing?
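As an added example (not from the post above or from HashiCorp), the edit the post describes can be done on the JSON that `terraform state pull` emits rather than on the file in the S3 bucket, and the result handed back with `terraform state push`. That route matters for the "integrity check" question: `state push` keeps the backend's own bookkeeping consistent, and it refuses a state whose `lineage` differs from the remote one or whose `serial` is not higher, so the script below leaves `lineage` alone and increments `serial` only when it actually changed something. The sample state, the placeholder lineage and the `terraform_version` value are constructed for the example; the resource type and attribute name are the post's own. The `changed_attributes` helper is there so the edit can be reviewed before pushing: it should report exactly the one attribute you meant to blank and nothing else.

```python
"""Blank one attribute of a resource type in a Terraform state document
(state format version 4, as produced by `terraform state pull`).

Example code, not part of the original post. Usage:
    terraform state pull > pulled.tfstate.json
    python scrub_state.py < pulled.tfstate.json > scrubbed.tfstate.json
    terraform state push scrubbed.tfstate.json
"""
import json
import sys
from copy import deepcopy

# Constructed sample state, trimmed to the fields this script relies on.
# The managed instance mirrors the post's aws_ssm_parameter; the data
# instance is there to show that only the requested mode is touched.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "1.3.0",             # constructed value
    "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000",  # placeholder lineage
    "outputs": {},
    "resources": [
        {
            "mode": "managed",
            "type": "aws_ssm_parameter",
            "name": "parameter",
            "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
            "instances": [{
                "index_key": "/PRIVATE/KEY",
                "schema_version": 0,
                "attributes": {"id": "/PRIVATE/KEY", "name": "/PRIVATE/KEY",
                               "type": "String", "value": "dummy", "version": 1},
                "sensitive_attributes": [],
            }],
        },
        {
            "mode": "data",
            "type": "aws_ssm_parameter",
            "name": "lookup",
            "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
            "instances": [{
                "schema_version": 0,
                "attributes": {"id": "/OTHER/KEY", "name": "/OTHER/KEY",
                               "type": "String", "value": "constructed-sample"},
                "sensitive_attributes": [],
            }],
        },
    ],
}


def resource_address(resource, instance):
    """Build the Terraform-style address, e.g. aws_ssm_parameter.parameter["/PRIVATE/KEY"]."""
    addr = f'{resource["type"]}.{resource["name"]}'
    if resource.get("mode") == "data":
        addr = "data." + addr
    key = instance.get("index_key")
    if key is not None:
        addr += f"[{json.dumps(key)}]"
    return addr


def scrub_attribute(state, resource_type, attribute, replacement="", mode="managed"):
    """Return (new_state, touched_addresses).

    The input is not modified. `lineage` is kept and `serial` is bumped by one
    only when at least one instance changed, so an unchanged state is not
    pushed with a new serial for nothing.
    """
    new_state = deepcopy(state)
    touched = []
    for resource in new_state.get("resources", []):
        if resource.get("type") != resource_type or resource.get("mode", "managed") != mode:
            continue
        for instance in resource.get("instances", []):
            attrs = instance.get("attributes") or {}
            if attribute in attrs and attrs[attribute] != replacement:
                attrs[attribute] = replacement
                touched.append(resource_address(resource, instance))
    if touched:
        new_state["serial"] = state["serial"] + 1
    return new_state, touched


def changed_attributes(before, after):
    """Sorted (address, attribute) pairs whose value differs between two states."""
    def flatten(state):
        out = {}
        for resource in state.get("resources", []):
            for instance in resource.get("instances", []):
                addr = resource_address(resource, instance)
                for name, value in (instance.get("attributes") or {}).items():
                    out[(addr, name)] = value
        return out
    a, b = flatten(before), flatten(after)
    return sorted(key for key in a.keys() | b.keys() if a.get(key) != b.get(key))


if __name__ == "__main__":
    # Read a pulled state from stdin if one is piped in, else use the sample.
    state = SAMPLE_STATE if sys.stdin.isatty() else json.load(sys.stdin)
    scrubbed, touched = scrub_attribute(state, "aws_ssm_parameter", "value")
    print("blanked:", touched, file=sys.stderr)
    print("diff:", changed_attributes(state, scrubbed), file=sys.stderr)
    json.dump(scrubbed, sys.stdout, indent=2)
```

Two caveats that follow from the post's own setup: the previous S3 object versions still contain the imported value, so blanking the current state does nothing for them, and the blanked attribute will reappear on the next refresh unless the configuration's `ignore_changes` covers it, which is the behaviour the linked issue is about.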