Terraform import for multiple policies

I have created a resource stub for importing an IAM customer managed policy, as below.

resource "aws_iam_policy" "customer_managed_policy" {
  name = var.customer_managed_policy_name
  policy = "{}"
}

The import command used is:

$ terraform import -var 'customer_managed_policy_name=ec2-readonly' aws_iam_policy.customer_managed_policy arn:aws:iam::<account ID>:policy/ec2-readonly

This works fine the first time. But if I want to make it dynamic in order to import any number of policies, I don’t know how to do it.
The first import was successful, but the second and third failed with this error:

Terraform is already managing a remote object for aws_iam_policy.customer_managed_policy. To import to this address you must first remove the existing object from the state.

I have explored many ways on Google but found nothing relevant to this. Hence I’m reaching out to get help from you on how to use the import command for importing multiple policies if those are defined in a list or map or something. Seeking a quick response from you. Thank you.

I cannot figure out what you’re trying to achieve here.

Please could you explain what your goal is?

My goal is to import any number of policies using the terraform import command.

There are two problems with this.

  1. Every resource of any kind imported into Terraform needs to have a unique resource address. In your code example, it only accommodates a single resource address, aws_iam_policy.customer_managed_policy, so using this configuration file, you can only import one policy into each Terraform state file you use this code with.

  2. Even if you get these imports done, what is the point? Since your Terraform code specifies a dummy placeholder value, "{}", actually trying to do any Terraform plan/apply will want to replace the actual policy content with the dummy placeholder.

That’s why I say it’s impossible to figure out where you’re going with all of this, given what you’ve revealed so far, and therefore it’s impossible to advise you how to get there.

Is there any way to write the iam_policy resource to accommodate a number of policies for import? Please suggest. My ultimate goal is to import all the policies that are in our AWS account.

As previously stated, since you are not disclosing your end goal here, I don’t know how to usefully advise you.

I have mentioned that I need to import IAM policies with reusable code.

With the above resource code, we can import only one policy. So how to make it dynamic for multiple imports?

If you want to import multiple policies you need code which relates to that. Either multiple aws_iam_policy resource blocks, or a single block using count or for_each.

For a single block using count or for_each, I can use count or for_each on the policy name, but the import command uses an ARN argument. In this case, how do I pass the ARN value multiple times? Please provide your suggestions with an example.

I’m not quite sure what you mean?

If you are using say count you’d run something like:

terraform import aws_iam_policy.customer_managed_policy[0] arn:aws:iam::<account ID>:policy/ec2-readonly
terraform import aws_iam_policy.customer_managed_policy[1] arn:aws:iam::<account ID>:policy/ec2-readwrite

etc.

On what variable do we have to apply for_each here?

That’s up to you. If it were me I might have a map where the key is the name of the policy & the value is the policy code.
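
The map-plus-for_each layout suggested in the last reply, written out as an added example that is not part of the original thread. The variable names, the two policy names and the JSON file paths are assumptions. The import block with for_each requires Terraform 1.7 or later.

```hcl
# Added example: variable names, policy names and file paths are assumptions.

variable "account_id" {
  description = "AWS account ID that owns the customer managed policies"
  type        = string
}

variable "customer_managed_policies" {
  description = "Policy name => path to a local copy of the policy JSON"
  type        = map(string)
  default = {
    "ec2-readonly"  = "policies/ec2-readonly.json"
    "ec2-readwrite" = "policies/ec2-readwrite.json"
  }
}

# One block, one instance per map key. Each instance gets its own address,
# e.g. aws_iam_policy.customer_managed_policy["ec2-readonly"], which removes
# the "already managing a remote object" error from re-using one address.
resource "aws_iam_policy" "customer_managed_policy" {
  for_each = var.customer_managed_policies

  name = each.key
  # Load the real policy document rather than the "{}" placeholder, so the
  # first plan after import does not propose overwriting the live policy.
  # The file content must match what is attached in AWS.
  policy = file("${path.module}/${each.value}")
}

# Option 1 (any Terraform version): one CLI import per key. Quote the
# address so the shell does not interpret the brackets and double quotes.
#
#   terraform import 'aws_iam_policy.customer_managed_policy["ec2-readonly"]' \
#     arn:aws:iam::<account ID>:policy/ec2-readonly
#   terraform import 'aws_iam_policy.customer_managed_policy["ec2-readwrite"]' \
#     arn:aws:iam::<account ID>:policy/ec2-readwrite

# Option 2 (Terraform 1.7+): declarative import, ARN built from the key.
# This assumes the policies use the default IAM path "/".
import {
  for_each = var.customer_managed_policies
  to       = aws_iam_policy.customer_managed_policy[each.key]
  id       = "arn:aws:iam::${var.account_id}:policy/${each.key}"
}
```

After importing, run terraform plan and confirm it reports no changes to any policy document before applying; a diff there means a local JSON file differs from the policy in the account.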