Terraform plan failing after aws vpc import

I’m new to terraform and am trying to import existing resources from my aws cloud.
My plan was to import an existing vpc: vpc-07479cb59a38ce176 and then run plan to copy it into main.tf

My main.tf is as below:

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "4.21.0"

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "3.14.2"
  # insert the 23 required variables here

provider "aws" {
  # Configuration options
  region = "ap-northeast-1"
  access_key = "XXXXX"
  secret_key = "XXX"

The import appears to work fine and when I inspect the state file I see:

module.vpc.aws_vpc.this: Importing from ID "vpc-07479cb59a38ce176"...
module.vpc.aws_vpc.this: Import prepared!
  Prepared aws_vpc for import
module.vpc.aws_vpc.this: Refreshing state... [id=vpc-07479cb59a38ce176]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

  "version": 4,
  "terraform_version": "1.2.4",
  "serial": 1,
  "lineage": "ee3f721e-bed3-fdef-a90b-db31a9b34e40",
  "outputs": {},
  "resources": [
      "module": "module.vpc",
      "mode": "managed",
      "type": "aws_vpc",
      "name": "this",
      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
      "instances": [
          "schema_version": 1,
          "attributes": {
            "arn": "arn:aws:ec2:ap-northeast-1:086225920113:vpc/vpc-07479cb59a38ce176",
            "assign_generated_ipv6_cidr_block": false,
            "cidr_block": "",
            "default_network_acl_id": "acl-03fce37e63777e521",
            "default_route_table_id": "rtb-0861981bc380adfc1",
            "default_security_group_id": "sg-0b07dbb532f84f195",
            "dhcp_options_id": "dopt-ac9871ca",
            "enable_classiclink": false,
            "enable_classiclink_dns_support": false,
            "enable_dns_hostnames": false,
            "enable_dns_support": true,
            "id": "vpc-07479cb59a38ce176",
            "instance_tenancy": "default",
            "ipv4_ipam_pool_id": null,
            "ipv4_netmask_length": null,
            "ipv6_association_id": "",
            "ipv6_cidr_block": "",
            "ipv6_cidr_block_network_border_group": "",
            "ipv6_ipam_pool_id": "",
            "ipv6_netmask_length": 0,
            "main_route_table_id": "rtb-0861981bc380adfc1",
            "owner_id": "086225920113",
            "tags": {
              "Name": "vpc_test1"
            "tags_all": {
              "Name": "vpc_test1"
          "sensitive_attributes": [],
          "private": "XXXXXX=="

However once I run plan - it complains about my cidr block (even though that looks correct to me)

module.vpc.aws_vpc.this[0]: Refreshing state... [id=vpc-07479cb59a38ce176]
│ Error: expected "cidr_block" to contain a network Value with between 16 and 28 significant bits, got: 0
│   with module.vpc.aws_vpc.this[0],
│   on .terraform/modules/vpc/main.tf line 23, in resource "aws_vpc" "this":
│   23:   cidr_block                       = var.cidr

What am I doing wrong here ?

Hi @david_co888,

This error is talking about the cidr_block value set in the configuration, rather than the one already in the state. In other words, the problem here seems to be in the var.cidr value, which I don’t think you have included in your question.

From the text of the message alone, it sounds like the validator thinks that var.cidr ends with /0, declaring a zero-length network prefix which is invalid.

In case it helps with debugging, I can see in the code that the provider is relying on the following validator function to implement this rule:

(Some general context, too: Terraform does not typically validate what’s in the state, aside from some low-level checking that it’s of a suitable shape for the provider’s schema. Terraform assumes that the values in the state were created by the provider itself on a previous run and so were validated at that time. Import does make things a little more “interesting”, since the provider then needs to reconstruct hypothetical input based on what it finds in the remote system, but it’s still true that when terraform plan says that something is invalid it will be talking about the configuration rather than about the state unless it specifies otherwise in the error message.)


many thanks @apparentlymart . I got it working. Realised I had to set my cidr in:

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "3.14.2"
  # insert the 23 required variables here
  name = "vpc_test1"
  cidr = ""

So now my plan outputs:

  # module.vpc.aws_vpc.this has moved to module.vpc.aws_vpc.this[0]
    resource "aws_vpc" "this" {
        id                               = "vpc-07479cb59a38ce176"
        tags                             = {
            "Name" = "vpc_test1"
        # (16 unchanged attributes hidden)

How would I go about changing “this” to something meaningful ?

What import command do you run? I have the same issue.