terraform import for_each works only for some resources

[so0k]

I successfully imported 12 aws_subnet resources, and 1 aws_eip resource, but the 2nd aws_eip resource fails...

$ terragrunt import aws_eip.nat['"ap-southeast-1a"'] eipalloc-1c9***
[terragrunt] 2019/11/06 15:31:20 Reading Terragrunt config file...
aws_eip.nat["ap-southeast-1a"]: Importing from ID "eipalloc-1c***"...
aws_eip.nat["ap-southeast-1a"]: Import prepared!
  Prepared aws_eip for import
aws_eip.nat["ap-southeast-1a"]: Refreshing state... [id=eipalloc-1c***]

Import successful!

after import of first one, plan looks good …

Terraform will perform the following actions:

  # aws_eip.nat["ap-southeast-1a"] will be updated in-place
  ~ resource "aws_eip" "nat" {
        association_id    = "eipassoc-68f***"
        domain            = "vpc"
        id                = "eipalloc-1c***"
        network_interface = "eni-0ba***"
        private_dns       = "ip-***.ap-southeast-1.compute.internal"
        private_ip        = "10.***"
        public_dns        = "ec2-***.ap-southeast-1.compute.amazonaws.com"
        public_ip         = "***"
        public_ipv4_pool  = "amazon"
      ~ tags              = {
          ~ "Name"      = "NonProd NatAz1" -> "***"
        }
        vpc               = true

        timeouts {}
    }

  # aws_eip.nat["ap-southeast-1b"] will be created
  + resource "aws_eip" "nat" {
      + allocation_id     = (known after apply)
      + association_id    = (known after apply)
      + domain            = (known after apply)
      + id                = (known after apply)
      + instance          = (known after apply)
      + network_interface = (known after apply)
      + private_dns       = (known after apply)
      + private_ip        = (known after apply)
      + public_dns        = (known after apply)
      + public_ip         = (known after apply)
      + public_ipv4_pool  = (known after apply)
      + tags              = {
          + "Name"      = "***"
        }
      + vpc               = true
    }

but 2nd one fails 😞

$ terragrunt import aws_eip.nat['"ap-southeast-1b"'] eipalloc-a0***
[terragrunt] 2019/11/06 15:33:28 Reading Terragrunt config file ...
aws_eip.nat["ap-southeast-1b"]: Importing from ID "eipalloc-a0***"...
aws_eip.nat["ap-southeast-1b"]: Import prepared!
  Prepared aws_eip for import
aws_eip.nat["ap-southeast-1b"]: Refreshing state... [id=eipalloc-a0***]

Error: Invalid index

  on /Users/vincentdesmet/cag/tf-cag/live/management/network-mgmt/.terragrunt-cache/0eb06M84k-ujl4S9bohVD7xYWts/DfrmbCUQULBtq3gENvMnSY1TI48/main.tf line 48, in locals:
  48:       eip        = aws_eip.nat[az.zone]
    |----------------
    | aws_eip.nat is object with 1 attribute "ap-southeast-1a"
    | az.zone is "ap-southeast-1b"

The given key does not identify an element in this collection value.


Error: Invalid index

  on /Users/vincentdesmet/cag/tf-cag/live/management/network-mgmt/.terragrunt-cache/0eb06M84k-ujl4S9bohVD7xYWts/DfrmbCUQULBtq3gENvMnSY1TI48/main.tf line 48, in locals:
  48:       eip        = aws_eip.nat[az.zone]
    |----------------
    | aws_eip.nat is object with 1 attribute "ap-southeast-1a"
    | az.zone is "ap-southeast-1c"

The given key does not identify an element in this collection value.

[terragrunt] 2019/11/06 15:33:35 Hit multiple errors:
exit status 1

it’s strange because I managed to import all 12 subnets without issues

Terraform Version

$ terraform -v
Terraform v0.12.12
$ terragrunt -v
terragrunt version v0.21.2

Terraform Configuration Files

Subnets config:

variable "subnet_config_map" {
  type = map(object({
      cidr_block = string,
      eip        = object({
        # Declare an object using only the subset of attributes the module
        # needs. Terraform will allow any object that has at least these
        # attributes.
        id           = string
      })
  }))
  description = "A map of az to subnet objects (cidr_block / eip)"
}

resource "aws_subnet" "main" {
  for_each          = var.subnet_config_map
  vpc_id            = var.vpc.vpc_id
  availability_zone = each.key
  cidr_block        = each.value.cidr_block

  # use the default label.tags, but override name tag to prefix the AZ
  tags = merge(
    local.tags,
    map(
      "Name", "${local.id}-public-${each.key}"
    )
  )
}

subnets module is called with (see var.az defined below):

locals {
  tier1_subnets_config_map = {
    for az in var.az: az.zone => {
      cidr_block = cidrsubnet(module.vpc.cidr_block, 4, az.number)
      eip        = aws_eip.nat[az.zone]
    }
  }
...
}

EIPs config

# list of availability zones for subnets
variable "az" {
  type = list(object({
      zone = string
      number = number
    })
  )
}

resource "aws_eip" "nat" {
  for_each  = toset([for az in var.az: az.zone])
  vpc       = true

  # use the default label.tags, but override name tag to suffix the AZ
  tags = merge(
    local.tags,
    map(
      "Name", "${local.id}-${each.key}",
    )
  )
}

Debug Output

will provide when requested

Expected Behavior

aws_eip imports just like aws_subnets

Actual Behavior

aws_subnets import successfully while aws_eip import fails

Steps to Reproduce

1. terraform init
2. terraform plan

References

• Unable to "state mv" to a for_each resource #22301

[so0k]

[terragrunt] 2019/11/06 16:13:58 Running command: terraform state list
aws_eip.nat["ap-southeast-1a"]
module.tier1_subnets.aws_subnet.main["ap-southeast-1a"]
module.tier1_subnets.aws_subnet.main["ap-southeast-1b"]
module.tier1_subnets.aws_subnet.main["ap-southeast-1c"]
module.tier2_subnets.aws_subnet.main["ap-southeast-1a"]
module.tier2_subnets.aws_subnet.main["ap-southeast-1b"]
module.tier2_subnets.aws_subnet.main["ap-southeast-1c"]
module.tier3_subnets.aws_subnet.main["ap-southeast-1a"]
module.tier3_subnets.aws_subnet.main["ap-southeast-1b"]
module.tier3_subnets.aws_subnet.main["ap-southeast-1c"]

[pexaorj]

Same here:

terraform state list
aws_iam_user.api-users["api-test"]

terraform state rm 'aws_iam_user.api-users["test"]'
Removed aws_iam_user.api-users["test"]
Successfully removed 1 resource instance(s).

terraform import  'aws_iam_user.api-users["test"]'
The import command expects two arguments.
Usage: terraform import [options] ADDR ID

terraform import aws_iam_user.api-users["api-test"]
The import command expects two arguments.
Usage: terraform import [options] ADDR ID

Terraform file:

variable "api_user_names" {
  description = "Map api-name users"
  default = {
    api-test                 = "api-test"
  }
}

resource "aws_iam_user" "api-users" {
  for_each = var.api_user_names
  name     = each.value
}

So it is possible to create users and delete from state, but if I need to import then, it's impossible, causing a lot of problems.

[so0k]

for anyone hitting this from Google, I've been pulling state and modifying the json to fix this based on the referenced issue comments... this has been a decent work around for the last month

[pselle]

@so0k I tried to replicate this, but was unable to do so on either 0.12.12 or on master -- I focused on creating the eip resources, as that's where you had the issue. These are the steps I followed:

• Create the resources (using for_each)
• Remove them from state (or delete the state file, tried both)
• Run terraform import on the resources

And I did not run into the issue you described.

However, I do have a suspicion that the work involved in fixing #23077 (currently in master) might impact this as well (in hopefully a positive way), should you still be running into this.

As to @pexaorj, the error message you have is correct, if you are not passing two arguments to import -- terraform import 'aws_iam_user.api-users["test"]' test would be the correct way to do one of your examples. More info on the aws_iam_user import here: https://www.terraform.io/docs/providers/aws/r/iam_user.html#import

[so0k]

good point, I've updated to 0.12.12since as well so perhaps the issue is fixed, I will try again and update this ticket status

[hashibot]

Hello again!

We didn't hear back from you, so I'm going to close this in the hope that a previous response gave you the information you needed. If not, please do feel free to re-open this and leave another comment with the information my human friends requested above. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.