terraform-aws-control_tower_account_factory
Allowing `terraform import` for account/global customizations
Describe the outcome you'd like
Has there been any consideration for being able to `terraform import` resources into account-specific Terraform state?
Is your feature request related to a problem you are currently experiencing? If so, please describe.
We have a number of accounts that we are "importing" into AFT - these accounts come with preexisting resources (e.g. S3 buckets that hold a lot of regularly used objects) that, if possible, we'd like to avoid re-creating, but we plan to create these resources in other accounts using account/global customizations. Due to the autogenerated nature of Terraform resources in the account-specific pipelines this doesn't seem possible. This forces us to use a model of recreating resources and redirecting references to them, which is a lot more effort for us than if we could simply import them.
If it's significant, we are using Terraform Cloud, so the state of our resources isn't editable either (otherwise I would have attempted to manually update the state).
Hey Thomas, thanks for reaching out; I've made a feature request for us to track internally. In the meantime, we've recently bundled the pre-API and post-API helper stages in with the Terraform stage during account/global customizations. This improves performance, but it also allows context established during the pre-API helper stage to persist into the Terraform application. Would this help your use case at all?
Thanks Adam! I'm not sure whether having context will be useful - I can imagine maybe importing state through that, but it might be very fiddly. Maybe it would need a way to specify a single execution of a pre-API stage? (which seems it would run counter to the idea of committing those changes to git, so maybe not)
Either way, I haven't had much time since opening this issue to experiment with this specifically but if I do I'll let you know
I am facing the same issue. I have some existing accounts that I enrolled in CT, but the global pipeline is failing since there is a Terraform IAM role in the global customizations repo that is named the same in those accounts. I need a way to import those resources into state. I hope that makes sense.
I have another use case for GuardDuty. Currently I am trying to automate setup for delegated admin to the Audit account using AFT. After using the aws_guardduty_organization_admin_account resource to configure delegated admin from the management account customization, it would create a GuardDuty detector in the Audit account which blocks the use of the aws_guardduty_detector resource. I am thus forced to use data, which does not allow me to enable the data sources for the Audit account! So I am kind of stuck with configuring using AWS CLI in pre-api-helpers. Ideally I would want to manage everything in Terraform if I can import.
If possible I'd also like to bring AWS Organizations into management customer account customization, so that I can enable service integration in TF after importing the Organization resource. I am currently using AWS CLI in pre-api-helpers.
This would be a great feature. Here's my use case. I've got 2 S3 buckets that are managed by the aft-global-customizations. When I import an existing Control Tower account to use AFT, it fails since they already exist and I don't have a way to import them. Sometimes I can back up the objects to another bucket, delete the bucket, recreate the bucket, and copy the objects back in, but this isn't always simple to do.
*Edited for clarification.
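For the preexisting S3 bucket and same-named IAM role cases raised in this thread, one way to adopt the resources into the customization's state without editing Terraform Cloud state by hand is a declarative `import` block. The following is an added example, not code from the AFT project; it assumes the pipeline runs Terraform 1.5 or later (where `import` blocks exist) and the bucket and role names are placeholders to be replaced with the real ones.

```hcl
# Added example (not from AFT): Terraform 1.5+ "import" blocks that adopt
# resources already present in an enrolled account instead of recreating them.
# Assumes the customization pipeline's Terraform version is >= 1.5.0.
# "example-existing-bucket-name" and "example-existing-role-name" are placeholders.

terraform {
  required_version = ">= 1.5.0"
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Existing bucket holding regularly used objects (the S3 use case above).
# The import ID for aws_s3_bucket is the bucket name.
import {
  to = aws_s3_bucket.shared_objects
  id = "example-existing-bucket-name"
}

resource "aws_s3_bucket" "shared_objects" {
  bucket = "example-existing-bucket-name"

  lifecycle {
    # Guard against an accidental destroy/replace of a bucket full of data
    # if the configuration later drifts from what was imported.
    prevent_destroy = true
  }
}

# Existing IAM role that the global customizations already declare under the
# same name. The import ID for aws_iam_role is the role name.
import {
  to = aws_iam_role.customization_role
  id = "example-existing-role-name"
}

resource "aws_iam_role" "customization_role" {
  name = "example-existing-role-name"

  # Trust policy here is a placeholder; it must match the role's real trust
  # policy or the first plan will show an in-place update to it.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}
```

Running `terraform plan` in the pipeline shows each resource as an import plus any attribute differences between the live resource and the configuration; review that diff before the apply, because import only records the resource in state and any mismatch (for example a different bucket policy or trust policy) becomes a real change on apply. Once the resources are in state, the `import` blocks are no-ops on later runs, so they can stay committed in the customizations repo.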