
How do I import existing security group rules using terragrunt

Answer

Hello, I am currently attempting to import existing security group rules using the terragrunt import command. This worked without an issue when I did the same for a CloudWatch log group. However, with security group rules I am not able to do this. Can you please let me know what I am doing wrong here?

OUTPUT OF TERRAGRUNT PLAN:

```
module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0] must be replaced
-/+ resource "aws_security_group_rule" "allow_connections_from_cidr_blocks" {
      ~ cidr_blocks              = [ # forces replacement
            # (2 unchanged elements hidden)
            "10.2.96.0/21",
          + "10.8.80.0/21",
          + "10.8.88.0/21",
          + "10.8.96.0/21",
        ]
      ~ id                       = "sgrule-3614096971" -> (known after apply)
      - ipv6_cidr_blocks         = [] -> null
      - prefix_list_ids          = [] -> null
      + source_security_group_id = (known after apply)
        # (6 unchanged attributes hidden)
    }
```

The IPs "10.8.80.0/21", "10.8.88.0/21", "10.8.96.0/21" are already added manually from the console. When I applied, the security group lost all the ingress rules. When I planned next time it showed the ingress rules ready to be applied. Running apply one more time recreated the rules properly, but I don't want to do that in my production environment - therefore trying the import option.

COMMAND:

```
aws-vault exec stage -- terragrunt import aws_security_group_rule.ingress sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.80.0/21
```

ERROR:

```
Error: resource address "aws_security_group_rule.ingress" does not exist in the configuration.

Before importing this resource, please create its configuration in the root module. For example:

resource "aws_security_group_rule" "ingress" {
  (resource arguments)
}

ERRO[0025] 1 error occurred:
	* exit status 1
```

---

2022-08-31: [Tracked in ticket #109192](https://support.gruntwork.io/hc/requests/109192)

Hi @zackproser, I was able to use terragrunt state list to find the address. It returned: `module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0]`, but the command only worked without `[0]`.

**PLAN BEFORE IMPORT**

```
# module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0] must be replaced
-/+ resource "aws_security_group_rule" "allow_connections_from_cidr_blocks" {
      ~ cidr_blocks              = [ # forces replacement
            # (2 unchanged elements hidden)
            "10.2.96.0/21",
          + "10.8.80.0/21",
          + "10.8.88.0/21",
          + "10.8.96.0/21",
        ]
      ~ id                       = "sgrule-3614096971" -> (known after apply)
      - ipv6_cidr_blocks         = [] -> null
      - prefix_list_ids          = [] -> null
      + source_security_group_id = (known after apply)
        # (6 unchanged attributes hidden)
    }
```

**IMPORT COMMAND THAT WORKED**

```
aws-vault exec stage -- terragrunt import module.database.aws_security_group_rule.allow_connections_from_cidr_blocks sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.80.0/21
```

```
module.database.aws_security_group_rule.allow_connections_from_cidr_blocks: Importing from ID "sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.80.0/21"...
module.database.aws_security_group_rule.allow_connections_from_cidr_blocks: Import prepared!
  Prepared aws_security_group_rule for import
module.database.aws_security_group_rule.allow_connections_from_cidr_blocks: Refreshing state... [id=sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.80.0/21]

Import successful!
```

**PLAN AFTER IMPORT**

From the looks of it, it is trying to delete my import.

```
# module.database.aws_security_group_rule.allow_connections_from_cidr_blocks will be destroyed
# (because resource uses count or for_each)
  - resource "aws_security_group_rule" "allow_connections_from_cidr_blocks" {
      - cidr_blocks       = [
          - "10.8.80.0/21",
        ] -> null
      - from_port         = 5432 -> null
      - id                = "sgrule-3185997217" -> null
      - ipv6_cidr_blocks  = [] -> null
      - prefix_list_ids   = [] -> null
      - protocol          = "tcp" -> null
      - security_group_id = "sg-01e69230e5c0f1169" -> null
      - self              = false -> null
      - to_port           = 5432 -> null
      - type              = "ingress" -> null
    }

# module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0] must be replaced
-/+ resource "aws_security_group_rule" "allow_connections_from_cidr_blocks" {
      ~ cidr_blocks              = [ # forces replacement
            # (2 unchanged elements hidden)
            "10.2.96.0/21",
          + "10.8.80.0/21",
          + "10.8.88.0/21",
          + "10.8.96.0/21",
        ]
      ~ id                       = "sgrule-3614096971" -> (known after apply)
      - ipv6_cidr_blocks         = [] -> null
      - prefix_list_ids          = [] -> null
      + source_security_group_id = (known after apply)
        # (6 unchanged attributes hidden)
    }
```
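Added example, not part of either post above and not Gruntwork's code: a small POSIX shell helper that builds an `aws_security_group_rule` import ID in the format used in this thread and quotes the indexed state address. The plan after import shows the object imported at the un-indexed address being destroyed "because resource uses count or for_each", which is what happens when a `count` resource is imported without its `[0]` index: the index is part of the address, and since `[0]` is also a shell glob pattern the address has to be single-quoted on the command line. The security group ID, ports and CIDRs are the ones from the thread; joining several CIDRs with `_` follows the AWS provider's documented import ID format for this resource, and the imported object will only match the configuration when every CIDR in the rule's `cidr_blocks` appears in the ID. The helper prints the terragrunt command instead of running it, so the operator can review it before state is touched.

```shell
#!/usr/bin/env sh
# Added example (not from the thread). Values below are taken from the thread
# or constructed for illustration; nothing here calls AWS or modifies state.

# sg_rule_import_id SG_ID TYPE PROTOCOL FROM_PORT TO_PORT CIDR [CIDR...]
# Builds the importer's ID format, e.g.
#   sg-xxx_ingress_tcp_5432_5432_10.8.80.0/21_10.8.88.0/21
# Multiple CIDRs are joined with "_" so the imported object carries the whole
# cidr_blocks list rather than a single entry.
sg_rule_import_id() {
    sg_id=$1; rule_type=$2; proto=$3; from_port=$4; to_port=$5
    shift 5
    case "$sg_id" in
        sg-*) ;;
        *) echo "sg_rule_import_id: '$sg_id' is not a security group id" >&2; return 1 ;;
    esac
    case "$rule_type" in
        ingress|egress) ;;
        *) echo "sg_rule_import_id: type must be ingress or egress" >&2; return 1 ;;
    esac
    [ "$#" -ge 1 ] || { echo "sg_rule_import_id: at least one CIDR is required" >&2; return 1; }
    id="${sg_id}_${rule_type}_${proto}_${from_port}_${to_port}"
    for cidr in "$@"; do
        id="${id}_${cidr}"
    done
    printf '%s\n' "$id"
}

# quote_tf_address ADDRESS
# Instances of count/for_each resources carry an index such as [0]. Passed
# bare, the brackets are a shell glob pattern, so the address is wrapped in
# single quotes whenever it contains an index.
quote_tf_address() {
    case "$1" in
        *\[*\]*) printf "'%s'\n" "$1" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# build_import_cmd ADDRESS IMPORT_ID
# Prints the import command for review instead of executing it.
build_import_cmd() {
    printf 'terragrunt import %s %s\n' "$(quote_tf_address "$1")" "$2"
}

# Usage with the thread's values: the indexed address from `terragrunt state
# list` and the three CIDRs that were added in the console (constructed
# combination; the real rule would need every CIDR in cidr_blocks).
build_import_cmd \
    'module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0]' \
    "$(sg_rule_import_id sg-01e69230e5c0f1169 ingress tcp 5432 5432 10.8.80.0/21 10.8.88.0/21 10.8.96.0/21)"
```

Run the printed command under `aws-vault exec stage --` as in the thread; a `terragrunt plan` afterwards should show no destroy for the indexed address, and any remaining `forces replacement` line on `cidr_blocks` means the ID did not list the same CIDRs as the configuration.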