Update state file for import of an already imported resource

I am importing the existing permission sets along with their managed/inline policies. It works okay the first time. However, if I want to redo the import with some change (in case I have missed something the first time), I get the error "Resource already managed by Terraform". I then have to delete the resource from the state file and import again.

Error: Resource already managed by Terraform

Terraform is already managing a remote object for
aws_ssoadmin_permission_set.AWSAdministratorAccess. To import to this address
you must first remove the existing object from the state

Is there some way to update an existing state file for an imported resource? Or do I always need to delete and then run the import again with the correct changes?

I’m a bit confused here… what kind of changes are you making, that you believe require re-doing the import of a resource?

Having done the import once, why don’t you just leave it imported, and continue making further changes as required?

If you do want to redo the import for whatever reason, then yes, you do need to first remove the resource. Considering there is a dedicated command for this (terraform state rm) this should not be a big deal.

Hi @devang.sanghani,

There should be no change that you could make which would affect the import, so there’s no reason to try and import it again. Any changes made to the config file will be taken into account in the next normal plan operation. Is there a problem preventing you from running plan?

Thanks for your replies @jbardin and @maxb. Trying to explain with an example here:

In my first iteration, I do the below import. Then, say I want to add more account numbers, or a different group (attribute_value), then I would update the config and have to redo the import. But then, since the account assignment is already managed by the state file, it will give the error.

data "aws_identitystore_group" "AWSAdministratorAccess" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.AWSAdministratorAccess.identity_store_ids)[0]
  filter {
    attribute_path  = "DisplayName"
    attribute_value = "AZGP-GLOBAL-SSO-AWS-CloudDevOpsSupportAccess"
  }
}

resource "aws_ssoadmin_account_assignment" "AWSAdministratorAccess" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.AWSAdministratorAccess.arns)[0]
  permission_set_arn = data.aws_ssoadmin_permission_set.AWSAdministratorAccess.arn

  principal_id   = data.aws_identitystore_group.AWSAdministratorAccess.group_id
  principal_type = "GROUP"

  for_each = {
    "354840xxxxx" = "AWS_ACCOUNT"
  }

  target_id   = each.key
  target_type = each.value
}

@devang.sanghani I am still really confused what you are trying to achieve.

Where? Within the for_each in your example? Since each element of a for_each is separately imported, that doesn’t make sense with the rest of your messages.

If you do that, then you are telling Terraform to change your existing aws_ssoadmin_account_assignments to use the new group.


Perhaps you are continuing to make changes to your AWS infrastructure manually, outside of Terraform, after importing it? If so, you need to stop doing this, it’s not how Terraform is intended to be used.

However, at this point, it’s difficult to give useful advice, because I have no idea what you’re trying to use Terraform to accomplish.

Could you please have another go at explaining, and give much more detail about why you are doing what you are doing?

Sure, let me try my hand at it a couple of times. Maybe things will get clear to me in those attempts itself. Thanks!
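
Added example, not part of any post in this thread: because each element of a for_each is imported separately, an account key added to the map needs an import only for its own instance address (and only if that assignment already exists in AWS), while instances already in state are left alone. The sketch below compares `terraform state list` output with the desired keys and prints the import commands that are still missing; the group ID, ARNs and account numbers are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). All IDs and ARNs are constructed placeholders.
RESOURCE='aws_ssoadmin_account_assignment.AWSAdministratorAccess'

# in_state STATE_LIST ADDRESS
# STATE_LIST is the text printed by `terraform state list`.
in_state() {
  # -F: fixed string, -x: whole line, so brackets and quotes match literally
  printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# import_commands STATE_LIST PRINCIPAL_ID PERMISSION_SET_ARN INSTANCE_ARN KEY...
# Prints one `terraform import` line per for_each key that is not yet in state.
# Import ID layout per the AWS provider docs for this resource:
#   principal_id,principal_type,target_id,target_type,permission_set_arn,instance_arn
import_commands() {
  ic_state=$1 ic_principal=$2 ic_ps=$3 ic_inst=$4
  shift 4
  for ic_key in "$@"; do
    ic_addr="${RESOURCE}[\"${ic_key}\"]"
    # Already managed: importing again would raise
    # "Resource already managed by Terraform", so skip it.
    in_state "$ic_state" "$ic_addr" && continue
    printf "terraform import '%s' '%s,GROUP,%s,AWS_ACCOUNT,%s,%s'\n" \
      "$ic_addr" "$ic_principal" "$ic_key" "$ic_ps" "$ic_inst"
  done
}

# Constructed sample of `terraform state list` output: one account already imported.
SAMPLE_STATE='data.aws_identitystore_group.AWSAdministratorAccess
aws_ssoadmin_account_assignment.AWSAdministratorAccess["111111111111"]'

# Desired for_each keys: the existing account plus one newly added to the map.
import_commands "$SAMPLE_STATE" \
  'g-EXAMPLE' \
  'arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE' \
  'arn:aws:sso:::instance/ssoins-EXAMPLE' \
  111111111111 222222222222
```

In a real workspace, pass "$(terraform state list)" as the first argument and review the printed commands before running them.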