Terraform & Azure : Importing an existing infrastructure

Hey everyone, I hope you are doing well.

It’s been a while since I last talked about Infra-As-Code (IaC), so I decided to write a post about it. Today’s topic is Terraform Import.

Let’s get into the heart of the topic. Let’s suppose that I already have an amazing infrastructure deployed with terraform :

(Yes, it is an amazing infrastructure that contains an App Service). The terraform code that deploys the App Service is pushed in my git repo.

We also have a design that we should respect: each deployed resource may have some tags (such as source : terraform).

Let’s assume that a new OPS guy named “Marouane” joined the team. He has no idea about Terraform, so we asked him to add a Key Vault to our infrastructure. Instead of using Terraform, he created it using an Az CLI command (or an ARM Template, Azure PowerShell, manually, whatever!) :

Well, this respects neither the way we work nor our design, and it does not contain the tags :

Now, we have to correct this, and without impacting the infrastructure, we should bring the Key Vault under the Terraform management.

  • Terraform import : The definition

The documentation says that Terraform Import is :

Terraform is able to import existing infrastructure. This allows you take resources you’ve created by some other means and bring it under Terraform management.

This is a great way to slowly transition infrastructure to Terraform, or to be able to be confident that you can use Terraform in the future if it potentially doesn’t support every feature you need today.

  • How to use it :

The command is :

terraform import Config ID

Where “Config” is the configuration of the resource, like module.keyvault, and “ID” is the identifier of the resource (Resource ID) :

ResourceId : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/vault1

  • How to solve Marouane’s problem :

First, we have to adapt our Terraform code. Let’s add a Key Vault module :

Let’s run a Terraform plan

terraform plan -out infra.tfplan

As you can see, we got a new resource, which is the Key Vault. But we don’t want to add it since it already exists; we just want to import it and modify it to respect our design.

The idea is to write a script that gets the ResourceId of a wanted resource (Key Vault in our case) and runs terraform import so we can import the Key Vault :

How did I get the moduleConfig? Well, a quick tip: running terraform plan gives you the module config that will be created, you just have to take that one!
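One way to write such a script, as an added example that is not the script from the original post. It assumes the Azure CLI is already logged in and that the resource group, vault name and Terraform address are passed as arguments; the address in the usage comment is a hypothetical name.

```shell
#!/bin/sh
# Added example (not the post's script): import an existing Key Vault into Terraform state.
# Usage: ./import-keyvault.sh <resource-group> <vault-name> <terraform-address>
# The address is the one `terraform plan` prints for the resource it wants to create,
# e.g. module.keyvault.azurerm_key_vault.keyvault (hypothetical name).
set -eu

# Accept only IDs shaped like the Key Vault ResourceId shown in the post.
is_keyvault_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+$'
}

# True when the address is already tracked in the state file.
in_state() {
  terraform state list 2>/dev/null | grep -Fxq "$1"
}

import_keyvault() {
  rg=$1 vault=$2 addr=$3

  # Ask Azure for the vault's ResourceId instead of typing it by hand.
  kv_id=$(az keyvault show --resource-group "$rg" --name "$vault" \
            --query id --output tsv) || return 1

  # Stop before touching the state if the lookup did not return a Key Vault ID.
  if ! is_keyvault_id "$kv_id"; then
    echo "unexpected resource id: $kv_id" >&2
    return 1
  fi

  # Re-running the script must neither fail nor import twice.
  if in_state "$addr"; then
    echo "$addr is already managed by Terraform, nothing to import"
    return 0
  fi

  terraform import "$addr" "$kv_id"
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then
  import_keyvault "$@"
fi
```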

Let’s run the script :

As you can see, Terraform has imported the Key Vault into the state file.

Now let’s run the plan once again :

terraform plan -out infra.tfplan

Instead of creating it (0 to add), Terraform will only modify the Key Vault to line up with our design (1 to change).

Let’s run the apply !

terraform apply

The resource is now changed and also contains the tags :

To ensure that our resource exists in our state file, just run :

terraform state list

  • Another case !

Let’s assume that you already have an infrastructure and then decide to use Terraform. Instead of destroying everything and recreating your infrastructure from scratch, you may use the famous Terraform Import to construct your state file, and move on!

For now, we just need to onboard Marouane on Terraform !