Introduction
This document explains how to import an existing, unmanaged resource into Terraform under an alias provider. It also covers how to generate resource configuration automatically if needed.
Expected Outcome
Once completed, you will have unmanaged cloud resources (for example, AWS resources) brought under Terraform management under an alias provider setup. Optionally, you will also be able to auto-generate Terraform configuration files for the imported resources.
Prerequisites
-
Terraform CLI 1.5.0 or newer (for native import block and -generate-config-out support)
-
Access to the necessary cloud accounts (e.g., multiple AWS accounts)
Use Case
When managing resources across multiple cloud accounts or regions, Terraform aliases allow you to handle multiple credentials or environments. Importing a resource under an aliased provider ensures the resource is managed correctly under required environment.
This process is useful when you have existing infrastructure that was not originally deployed via Terraform but now needs to be managed via Terraform.
Procedure
Step 1: Define Multiple Providers with Alias
Set up the default and aliased providers:
# Default AWS provider (Account A)
provider "aws" {
region = "us-east-1"
}
# Aliased AWS provider (Account B)
provider "aws" {
alias = "account_b"
region = "us-east-1"
}Step 2: Configure Resources and Data Sources
Reference the alias in the resources or data sources associated with the second account:
# Default VPC in Account A
data "aws_vpc" "default_a" {
default = true
}
# Default VPC in Account B (using alias)
data "aws_vpc" "default_b" {
provider = aws.account_b
default = true
}
# Resource example in Account A
resource "aws_security_group" "sg_account_a" {
name = "sec-sg-account-a"
description = "Security Group in Account A"
vpc_id = data.aws_vpc.default_a.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}Step 3: Write Resource Configuration for the Resource to Import
When preparing to import an existing resource:
-
Manually write the resource block.
-
Attach the alias provider in the resource block using the provider argument.
Example:
resource "aws_security_group" "sg_account_b" {
provider = aws.account_b
#Add the required attributes
# After import, run terraform plan to fill in missing attributes
}Note: While writing the import block itself, you do not specify the provider unless you intend to auto-generate the resource configuration (explained in Step 5).
Step 4: Perform Import (Without Provider in Import Block)
Run the import command traditionally, mapping the existing resource to the Terraform resource:
terraform import aws_security_group.sg_account_b sg-xxxxThis attaches the existing resource (sg-xxxx) to the Terraform state under the aws.account_b provider context based on your resource definition.
Step 5: (Optional) Auto-Generate Resource Configuration
If you want to automatically generate the Terraform configuration for the imported resource:
-
Write an import block including the provider attribute:
import {
to = aws_security_group.sg_account_b
id = "sg-097f00ed5db88ae7a"
provider = aws.account_b
}-
Run:
terraform plan -generate-config-out="generated_resources.tf"This will create a file generated_resources.tf containing the complete resource configuration detected from the imported state.
This method is highly useful when importing multiple resources or when you want to minimize manual typing.
Step 6: Validate the Import
After the import:
terraform plan-
Review the plan to ensure Terraform recognizes the imported resource.
-
Adjust the resource configuration manually if Terraform reports any differences.
Step 7: Applying the Changes
Apply the changes using :
terraform apply