Migrate users from account-baseline-security to iam-users-and-groups
Trying to move users out of security/_global/account-baseline (uses account-baseline-security) and into a new module security/_global/iam/users using iam-users-and-groups.

Initially we had our users deployed using terraform-aws-service-catalog/landingzone/account-baseline because we only had a few engineers/architects. We have since added more users to our admin staff. Managing the users has become very unwieldy using account-baseline-security. And so we want to split off the users into a separate module, and iam-users-and-groups seems to be the best way.

My thought was to just move the users over and leave the groups (mostly just the CrossAccount groups). We already had the users in a separate users.yml file. What's the best way to do this?

I am trying to do a terragrunt state mv command, but when I try to do a terragrunt plan in the new folder/location it says:

```
Error: resource address "aws_iam_user.user" does not exist in the configuration.
```

But it is definitely in the users.yml file. Thinking I just imported it wrong?

---

<ins datetime="2024-03-12T20:12:06Z">
<p><a href="https://support.gruntwork.io/hc/requests/110818">Tracked in ticket #110818</a></p>
</ins>
New Steps:

1. Back up state file in account-baseline

```
cd /work/infrastructure-live/security/_global/account-baseline
aws-vault exec security-profile -- terragrunt state pull > iam-users.tfstate
```

2. Download state file in iam-users iam-users.tfstate

```
cd /work/infrastructure-live/security/_global/iam/users/
aws-vault exec security-profile -- terragrunt state pull > iam-users.tfstate
```

3. From account-baseline, terragrunt state mv user and group memberships -state-out /work/infrastructure-live/security/_global/iam/users/iam-users.tfstate

```
cd /work/infrastructure-live/security/_global/account-baseline
aws-vault exec security-profile -- terragrunt state mv -state-out /work/infrastructure-live/security/_global/iam/users/iam-users.tfstate module.iam_users.aws_iam_user_group_membership.group_memberships[\"test.user\"] module.iam_users.aws_iam_user_group_membership.group_memberships[\"test.user\"]
aws-vault exec security-profile -- terragrunt state mv -state-out /work/infrastructure-live/security/_global/iam/users/iam-users.tfstate module.iam_users.aws_iam_user.user[\"test.user\"] module.iam_users.aws_iam_user.user[\"test.user\"]
aws-vault exec security-profile -- terragrunt state mv -state-out /work/infrastructure-live/security/_global/iam/users/iam-users.tfstate module.iam_users.aws_iam_user_login_profile.web_console[\"test.user\"] module.iam_users.aws_iam_user_login_profile.web_console[\"test.user\"]
```

5. Uncomment user in iam/users/users.yml AND comment out user from account-baseline/users.yml

6. Push to remote state file in S3

```
cd /work/infrastructure-live/security/_global/iam/users/
aws-vault exec security-profile -- terragrunt state push /work/infrastructure-live/security/_global/iam/users/iam-users.tfstate
```

7. From /work/infrastructure-live/security/_global/iam/users/, run `aws-vault exec security-profile -- terragrunt plan` to verify "no changes"

8. Fix things... if needed.

9. If it is all good, delete the local state file, `rm /work/infrastructure-live/security/_global/iam/users/iam-users.tfstate`
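
A check that can be run on the two local state files before the push in step 6, as an added example that is not part of the original post or of Gruntwork's modules: it confirms that all three per-user addresses moved in step 3 are present in the destination state and gone from the source. It assumes Terraform's version 4 JSON state layout; `check_move`, `addresses` and `sample_state` are hypothetical helper names, and the sample states are constructed.

```python
import json

# Resource (type, name) pairs the steps above move for each user.
PER_USER = [
    ("aws_iam_user", "user"),
    ("aws_iam_user_group_membership", "group_memberships"),
    ("aws_iam_user_login_profile", "web_console"),
]

def addresses(state):
    """Full resource-instance addresses found in a version 4 state document."""
    found = set()
    for res in state.get("resources", []):
        if res.get("mode") != "managed":
            continue  # skip data sources
        prefix = res["module"] + "." if res.get("module") else ""
        base = f'{prefix}{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            key = inst.get("index_key")
            # for_each keys are quoted strings, count indexes are bare integers
            found.add(base if key is None else f"{base}[{json.dumps(key)}]")
    return found

def check_move(src_state, dst_state, users, module="module.iam_users"):
    """Return problems: addresses missing from dst or still present in src."""
    src, dst = addresses(src_state), addresses(dst_state)
    problems = []
    for user in users:
        for rtype, name in PER_USER:
            addr = f"{module}.{rtype}.{name}[{json.dumps(user)}]"
            if addr not in dst:
                problems.append(f"missing in destination: {addr}")
            if addr in src:
                problems.append(f"still in source: {addr}")
    return problems

def sample_state(pairs, user):
    """Constructed state fragment for the demo below, not real data."""
    return {"version": 4, "resources": [
        {"module": "module.iam_users", "mode": "managed", "type": t, "name": n,
         "instances": [{"index_key": user}]} for t, n in pairs]}

if __name__ == "__main__":
    # Constructed case: the login profile was never moved.
    src = sample_state(PER_USER[2:], "test.user")
    dst = sample_state(PER_USER[:2], "test.user")
    for problem in check_move(src, dst, ["test.user"]):
        print(problem)
```

For real files, load each pulled `iam-users.tfstate` with `json.load` and pass the two documents to `check_move` along with the list of usernames being migrated.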