In my initial post on setting up my tweaks on Vicky Lai’s ephemeral, I made a manky shell script to do the deployment. I mainly did it because I was still a bit dubious about terraform.
However for the past year I’ve gotten way more comfortable with it and used it in anger loads of times. It works rather well and seems to be improving at a good clip. Think of it as make but for infrastructure.
There is a problem though for this task.
The problem is that I normally deploy terraformed resources in a green field. Nothing exists. But in this case, everything existed.
The solution terraform has for this scenario is importing. However you need to import each resource piece by piece because it won’t write the terraform configs for you. You have to describe your deployment and then import them one resource at a time.
I’ll post later with the full terraform configs, but since I’d avoided the importing part of terraform for a long time I thought I’d write up the process. It’s tedious, but it isn’t hard.
Basically you identify a defined thing in AWS you want to import. Generally it’s pretty easy to figure out the corresponding resource(s) in the terraform AWS provider, but there can be different ways to define certain things like security groups or how policies attach to roles. If you’re struggling, keep that in mind - and the terraform AWS provider docs usually highlight that issue.
Since I had the manky shell script I could usually line up CLI options with the appropriate terraform resource attributes and make a stub. In the simple case of a role, you might have this:
```
resource "aws_iam_role" "twitter-ephemeral" {
  name               = "twitter-ephemeral"
  assume_role_policy = "${file("policy/twitter-ephemeral.json")}"
}
```
Note at this point you haven’t done an import yet. First you can do a plan to make sure terraform’s happy with the config. If you’ve defined it correctly, terraform plan will want to create aws_iam_role.twitter-ephemeral but obviously you don’t want that.
At this point you need to look at the docs for the resource you’re importing - in this case aws_iam_role - and scroll down to the bottom. The import instructions are always at the bottom. In this case you’d run:
Now when you run terraform plan it should say that aws_iam_role.twitter-ephemeral exists and doesn’t need to be changed.
If it doesn’t, you need to review what it wants to change. It might be benign - maybe the original json file for the policy had a trailing space and this one does not. But it might mean that the resource isn’t correctly defined in terraform and you’ll need to fix it.
If you’ve defined the wrong thing and you have done an import, you can undo that by using terraform state rm to take it out of the state file.
It’s important to note that until you do terraform apply nothing changes in your AWS deployment. Removing things from the state file only removes them from the terraform state file.
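The plan, import, plan loop described above can be wrapped in a small shell helper. This is an added example, not the deployment script from the original post; the function names plan_status and import_and_check are made up for illustration, and it relies on the -detailed-exitcode and -target options of terraform plan.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Nothing here runs "terraform apply", so the AWS deployment is never modified.

# plan_status ADDR: print "clean", "drift" or "error" for one resource.
# "terraform plan -detailed-exitcode" exits 0 for no changes, 1 on error,
# and 2 when changes are pending.
plan_status() {
    rc=0
    terraform plan -detailed-exitcode -input=false -target="$1" \
        >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo clean ;;
        2) echo drift ;;
        *) echo error ;;
    esac
}

# import_and_check ADDR ID
#   ADDR  address of the stub, e.g. aws_iam_role.twitter-ephemeral
#   ID    import ID from the bottom of the resource's doc page
#         (for aws_iam_role that is the role name)
# Returns 0 only when the imported resource plans with no changes.
import_and_check() {
    addr=$1
    id=$2
    # A correct stub that is not yet in state plans as a pending create.
    if [ "$(plan_status "$addr")" != drift ]; then
        echo "$addr: does not plan as a new resource; check config and state" >&2
        return 1
    fi
    terraform import "$addr" "$id" >/dev/null || return 1
    if [ "$(plan_status "$addr")" = clean ]; then
        echo "$addr: imported, no changes planned"
        return 0
    fi
    # Not clean: print the diff for review before anyone considers an apply.
    terraform plan -input=false -target="$addr" || true
    echo "$addr: review the diff; to back out: terraform state rm $addr" >&2
    return 1
}
```

Sourced into a shell in the directory holding the config, the role above would be handled with import_and_check aws_iam_role.twitter-ephemeral twitter-ephemeral.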
One thing to note is that AWS things and terraform resources do not always line up. I haven’t hit one yet, but there can be things that only exist in terraform and are just used as a glue in terraform for some AWS bits.
Anyway, still at it, one resource at a time. I’ll put up a post with a link to a gist when I have it working.