Terraform plan after import showing add/destroy for an existing resource

devang.sanghani · May 31, 2023, 9:53am

I am importing the below for an existing permissionset (with the respective parameters, of course):

terraform import aws_ssoadmin_permission_set
terraform import aws_ssoadmin_account_assignment
terraform import aws_ssoadmin_managed_policy_attachment
terraform import aws_ssoadmin_permission_set_inline_policy

The import is successful. I then ran terraform plan to verify that there are no deviations from the already existing resources.

The plan output shows below:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
  - destroy

Terraform will perform the following actions:

  # aws_ssoadmin_account_assignment.AWSAdministratorAccess will be destroyed
  - resource "aws_ssoadmin_account_assignment" "AWSAdministratorAccess" {
      - id                 = "xxxxx-3654xxxx-4209-a440-Xxxxxxx-xxxx9,GROUP,3548406xxxxx,AWS_ACCOUNT,arn:aws:sso:::permissionSet/ssoins-xxxxxxxxxx/ps-xxxxxxxx,arn:aws:sso:::instance/ssoins-xxxxxxxx" -> null
      - instance_arn       = "arn:aws:sso:::instance/ssoins-xxxxxxxx" -> null
      - permission_set_arn = "arn:aws:sso:::permissionSet/ssoins-6804xxxxxxx/ps-xxxxxxxxxxxx" -> null
      - principal_id       = "xxxxx-3654xxxx-4209-a440-Xxxxxxx" -> null
      - principal_type     = "GROUP" -> null
      - target_id          = "354840xxxxx" -> null
      - target_type        = "AWS_ACCOUNT" -> null
    }

  # aws_ssoadmin_account_assignment.AWSAdministratorAccess["354840xxxxx"] will be created
  + resource "aws_ssoadmin_account_assignment" "AWSAdministratorAccess" {
      + id                 = (known after apply)
      + instance_arn       = "arn:aws:sso:::instance/ssoins-xxxxxxxx"
      + permission_set_arn = "arn:aws:sso:::permissionSet/ssoins-xxxxxxxxxx/ps-xxxxxxxx"
      + principal_id       = "xxxxx-3654xxxx-4209-a440-Xxxxxxx"
      + principal_type     = "GROUP"
      + target_id          = "354840xxxx
      + target_type        = "AWS_ACCOUNT"
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Since this relationship is already available, it should not have shown anything to add/destroy. Am I missing something here?

My code for reference:

data "aws_identitystore_group" "AWSAdministratorAccess" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.AWSAdministratorAccess.identity_store_ids)[0]
  filter {
    attribute_path  = "DisplayName"
    attribute_value = "AZGP-GLOBAL-SSO-AWS-CloudDevOpsAdminAccess"
  }
}

resource "aws_ssoadmin_account_assignment" "AWSAdministratorAccess" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.AWSAdministratorAccess.arns)[0]
  permission_set_arn = data.aws_ssoadmin_permission_set.AWSAdministratorAccess.arn

  principal_id   = data.aws_identitystore_group.AWSAdministratorAccess.group_id
  principal_type = "GROUP"

  for_each = {
    "354840xxxxx" = "AWS_ACCOUNT"    
  } 

  target_id   = each.key
  target_type = each.value
}

Screenshot of the account detail in IAM Identity Center:

maxb · May 31, 2023, 10:05am

The resource address that you imported:

The resource address that your Terraform configuration defines:

See how they are different?

Since the resource you imported, doesn’t exist in your Terraform configuration, Terraform plans to destroy it.
Since the resource you defined in your Terraform configuration is not in its state, Terraform plans to create it.

When importing a resource that makes use of for_each, you must include the square-bracketed for_each key when importing an instance.

maxb · May 31, 2023, 10:31am

I’m not quite sure how you managed to import aws_ssoadmin_account_assignment.AWSAdministratorAccess in the first place, unless you imported it, and then changed your configuration before executing the plan.

I attempted to replicate this scenario, and Terraform would not perform the import.

However, it did give misleading messages when doing so, so I opened a bug report about that at `terraform import` claims to succeed, but doesn't import anything, when used on a resource with `for_each`, and an incorrect index · Issue #33292 · hashicorp/terraform · GitHub.

devang.sanghani · May 31, 2023, 12:33pm

@maxb The import ran fine and I did not change anything between import and plan.
My TF version is 0.12 and AWS provider version is 3.37.0 - if that could explain this different behaviour.

I’m sorry, I didn’t understand the square-bracket reference. Can you please give an example, perhaps?

maxb · May 31, 2023, 12:36pm

But I already did…

apparentlymart · May 31, 2023, 2:34pm

Based on the shape of the plan output included in the question I think this is a slightly older version of Terraform than current; current Terraform would include a brief reason for why it is proposing to destroy the first object.

Given that, my guess is that this older version of Terraform doesn’t yet have the plan-based import mechanism that allows Terraform to evaluate the for_each expression during the import process, whereas recent Terraform releases treat terraform import essentially as a funny kind of plan, with that culminating in the forthcoming v1.5 release where importing is literally integrated into the normal plan and apply flow. But the intermediate step did at least allow the separate import command to detect and report some more error cases, which I think explains the difference in behavior here

devang.sanghani · May 31, 2023, 3:09pm

Yes, I’ve mentioned above that my TF version is 0.12 and AWS provider version is 3.37.0. Thanks for the info on the v1.5 - I see that it also creates the config files. Gotta check it out.

devang.sanghani · May 31, 2023, 3:09pm

Ah yes! Let me try it that way .

devang.sanghani · June 9, 2023, 11:59am

@maxb , The indexing bit worked! Now, if I have to assign the same permissionset for the same account to another group AZGP-GLOBAL-SSO-AWS-CloudDevOpsSupportAccess is seen in the above screenshot, how do I do that?

If I redo it by just changing the the group name to AZGP-GLOBAL-SSO-AWS-CloudDevOpsSupportAccess, then I get the error :

Error: Resource already managed by Terraform

Terraform is already managing a remote object for
aws_ssoadmin_account_assignment.AWSAdministratorAccess. To import to this
address you must first remove the existing object from the state.

maxb · June 9, 2023, 12:07pm

Hi @devang.sanghani,

I think you are misunderstanding a core principal of how Terraform works: Every thing that is managed must be represented in the Terraform configuration.

You are apparently trying to manage at least two different things:

An assigment of (account 354840xxxxx, group AdminAccess)
An assignment of (account 354840xxxxx, group SupportAccess)

By changing the existing configuration that you just imported into, you are instructing Terraform to MODIFY OR DELETE WHAT YOU JUST IMPORTED!

It may be useful to you to spend some time practicing creating, updating, and deleting some simple AWS objects using Terraform to get used to how this works, before trying to master importing existing objects.