Terraform (0.12.29) import for AWS resources not working as expected; import succeeded but plan shows destroy & recreate

Some Background:
We have Terraform code to create various AWS resources. Some of these resources are created per AWS account and hence are structured to be stored in an account-scope folder in our project. This was when we had only one AWS region. Now our application has been made multi-region and hence these resources are to be created per region for each AWS account.

In order to do that we have now moved these TF scripts to a region-scope folder which will be run per region. Since these resources are no longer part of ‘account scope’ we have removed them from the account-scope Terraform state.
Now when I try to import these resources

Imported the resources by running this from xyz-region-scope directory:

terraform import -var-file=config/us-west-2/default.tfvars -var-file=variables.tfvars -var-file=../globals.tfvars -var profile=xyz-stage -var region=us-west-2 -var tfstate_bucket=ab-xyz-stage-tfstate-5b8873b8 -no-color <RESOURCE_NAME> <RESOURCE_ID>

One of the examples of a resource is:


I was expecting the imports would update the resources in the terraform state file on my local machine but the terraform state file created under xyz-region-scope/state/xyz-stage/terraform.tfstate is not updated.

Verified the Imports with:

terraform show

Run terraform plan:

terraform plan -var-file=config/us-west-2/default.tfvars -var-file=variables.tfvars -var-file=../globals.tfvars -var profile=xyz-stage -var region=us-west-2 -var tfstate_bucket=ab-xyz-stage-tfstate-5b8873b8 -no-color

But the terraform plan output shows "Plan: 6 to add, 0 to change, 5 to destroy." That is, those resources will be destroyed and recreated.

I am not clear why this is so. Am I missing something and not doing it right?

Please note we store the remote state in an S3 bucket, and I see the remote TF state file created in S3 for region scope after running the imports. One difference that I see between this new region-scope TF state file and the old account-scope one is that the new file does not have any "depends_on" block under any of the resources (resources[] > instances[]).


Local machine: macOS v10.14.6

Terraform v0.12.29
+ provider.aws v3.14.1
+ provider.null v2.1.2
+ provider.random v2.3.1
+ provider.template v2.1.2

Posted this on Stack Overflow as well: https://stackoverflow.com/q/64758624/948268

Since we were using random_id for the bucket suffix, even after importing “random_id.bucket_suffix”, the keepers were not imported, and this triggered the recreation of dependent resources.

Due to the nature of the resource being random, the import sequence for another resource did not work. So, to work around this, I had to manipulate the state manually.

  # module.buckets.module.access_logging_bucket.random_id.bucket_suffix must be replaced
-/+ resource "random_id" "bucket_suffix" {
      ~ b64         = "nY6U_w" -> (known after apply)
      ~ b64_std     = "nY6U/w==" -> (known after apply)
      ~ b64_url     = "nY6U_w" -> (known after apply)
        byte_length = 4
      ~ dec         = "2643367167" -> (known after apply)
      ~ hex         = "9d8e94ff" -> (known after apply)
      ~ id          = "nY6U_w" -> (known after apply)
      + keepers     = {
          + "aws_account_id" = "123412341234"
          + "env"            = "xyz-stage"
        } # forces replacement
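
As an added example (not part of the original post): a check over the JSON form of a saved plan (`terraform plan -out=<planfile>`, then `terraform show -json <planfile>`) that reports `random_*` resources whose planned replacement coincides with a keepers difference between the imported state and the configuration, as in the plan output above. The sample plan is constructed from the values in that output; `random_id.unchanged` and the function name are hypothetical.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# The first entry mirrors the plan output in the post; the second
# (random_id.unchanged) is a hypothetical resource with matching keepers.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.buckets.module.access_logging_bucket.random_id.bucket_suffix",
   "type": "random_id",
   "change": {"actions": ["delete", "create"],
              "before": {"byte_length": 4, "hex": "9d8e94ff", "keepers": null},
              "after": {"byte_length": 4,
                        "keepers": {"aws_account_id": "123412341234",
                                    "env": "xyz-stage"}}}},
  {"address": "random_id.unchanged",
   "type": "random_id",
   "change": {"actions": ["no-op"],
              "before": {"keepers": {"env": "xyz-stage"}},
              "after": {"keepers": {"env": "xyz-stage"}}}}
]}
""")


def keeper_replacements(plan):
    """Return (address, keeper, state_value, config_value) for each keeper
    that differs on a random_* resource planned for destroy and recreate."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if not rc.get("type", "").startswith("random_"):
            continue
        # A replacement is reported as both a delete and a create action.
        if "delete" not in actions or "create" not in actions:
            continue
        # An imported random_id carries no keepers, so treat null as empty.
        before = (change.get("before") or {}).get("keepers") or {}
        after = (change.get("after") or {}).get("keepers") or {}
        for key in sorted(set(before) | set(after)):
            if before.get(key) != after.get(key):
                findings.append((rc["address"], key,
                                 before.get(key), after.get(key)))
    return findings


if __name__ == "__main__":
    for address, key, old, new in keeper_replacements(SAMPLE_PLAN):
        print(f"{address}: keeper {key!r} state={old!r} config={new!r}")
```

A non-empty result before `terraform apply` means the imported state lacks keepers that the configuration sets, so the random value and everything derived from it would be regenerated.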