Terraform-provider-aws: import does not set name_prefix correctly

Created on 30 Jan 2018  ·  10 Comments  ·  Source: hashicorp/terraform-provider-aws

I noticed this when I tried to import some aws_security_group resources that were created by another terraform repo, which were using name_prefix to set their name. The import works, but a plan shows that terraform thinks the name_prefix is changing, which will cause the resource to be destroyed/created again.

Terraform Version

0.11.2

Affected Resource(s)

  • aws_security_group
  • probably anything with a name_prefix attribute.

Terraform Configuration Files

variable "vpc_id" { }

resource "aws_security_group" "foo" {
  vpc_id      = "${var.vpc_id}"
  name_prefix = "foo-"
}

output "sg_id" {
  value = "${aws_security_group.foo.id}"
}

Expected Behavior

The security group can be imported, and then the terraform plan will show no pending changes.

Actual Behavior

The import works, but the plan shows that the name_prefix is changing from "" to "foo-".

Here's the output from the plan:

-/+ aws_security_group.foo (new resource required)
      id:                     "sg-12345" => <computed> (forces new resource)
      description:            "Managed by Terraform" => "Managed by Terraform"
      egress.#:               "0" => <computed>
      ingress.#:              "0" => <computed>
      name:                   "foo-20180130221122509800000001" => <computed>
      name_prefix:            "" => "foo-" (forces new resource)
      owner_id:               "12345" => <computed>
      revoke_rules_on_delete: "" => "false"
      vpc_id:                 "vpc-12345" => "vpc-12345"

Steps to Reproduce

terraform init
terraform apply
sg_id=$(terraform output -json | jq -r .sg_id.value)
terraform state rm aws_security_group.foo
terraform import aws_security_group.foo $sg_id
terraform plan

Important Factoids

This may be a problem with terraform core and how it does imports of resources using read. It can't tell the difference between a read for terraform import vs terraform refresh, where the attributes from things like name_prefix shouldn't change in the state.

enhancement provider

All 10 comments

I also hit this issue. Quite annoying.

I was able to work around it by editing the state and adding the name_prefix attribute manually. If you are using remote state (e.g. s3), you can run terraform state pull > state.json, then edit the state file to add the attribute, e.g. add a line like "name_prefix": "my-fancy-prefix-",, then push the state back with terraform state push state.json.

@max-rocket-internet 's solution works.

This not only affects aws_security_group but seemingly anything that uses name_prefix. In my case, aws_autoscaling_group and aws_launch_configuration.

Why is this marked as an enhancement? This is a plain-as-day bug.

Just hit this also with a whole range of resources and did @max-rocket-internet's workaround for now. Worth noting: make sure you update the serial at the top of the state file before you push it back, or else terraform will complain.
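
The state edit described in the comments above (add name_prefix, bump the serial), as an added example that is not part of the original thread or the provider's code. The function names and the sample state are constructed; the version 3 and version 4 state layouts are assumed from Terraform 0.11 and 0.12+ respectively, and only root-module resources are handled.

```python
import copy
import json

def _attributes(state, address):
    """Return the attributes dict of a root-module managed resource."""
    rtype, _, rname = address.partition(".")
    if state.get("version") == 3:      # Terraform 0.11 layout (assumed)
        for module in state["modules"]:
            if module["path"] == ["root"] and address in module["resources"]:
                return module["resources"][address]["primary"]["attributes"]
    elif state.get("version") == 4:    # Terraform 0.12+ layout (assumed)
        for res in state["resources"]:
            if (res.get("mode"), res["type"], res["name"]) == ("managed", rtype, rname) \
                    and "module" not in res:
                return res["instances"][0]["attributes"]
    raise KeyError(f"{address} not found in state version {state.get('version')}")

def add_name_prefix(state, address, prefix):
    """Return a copy of state with name_prefix set and the serial bumped."""
    patched = copy.deepcopy(state)
    attrs = _attributes(patched, address)
    name = str(attrs.get("name") or "")
    # A prefix that does not match the real name would mask drift, not fix it.
    if not name.startswith(prefix):
        raise ValueError(f"{name!r} does not start with {prefix!r}")
    attrs["name_prefix"] = prefix
    # Per the thread, terraform complains on push unless the serial is updated.
    patched["serial"] = state["serial"] + 1
    return patched

# Constructed sample: trimmed v3 state as left by `terraform import` in the report.
SAMPLE_STATE = {
    "version": 3, "terraform_version": "0.11.2", "serial": 4,
    "modules": [{"path": ["root"], "outputs": {}, "resources": {
        "aws_security_group.foo": {"type": "aws_security_group", "primary": {
            "id": "sg-12345",
            "attributes": {"id": "sg-12345", "vpc_id": "vpc-12345",
                           "name": "foo-20180130221122509800000001"}}}}}],
}

if __name__ == "__main__":
    fixed = add_name_prefix(SAMPLE_STATE, "aws_security_group.foo", "foo-")
    print(json.dumps(fixed, indent=2))
```

Feed it the JSON from terraform state pull, write the result to a file for terraform state push, then run terraform plan and confirm the security group is no longer marked "forces new resource" before applying anything.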

I agree with @cdaniluk that this definitely feels more like a bug than an "enhancement". If it is working as intended for now then maybe the documentation should reflect this gotcha. Though I can't see any reason why this would be the intended behavior.

If this was changed from enhancement to bug would it get more attention?

Any workaround that avoids having to edit state? I have lots of these to import.

@bflad can you change the labels to bug?

Any workaround that avoids having to edit state?

I don't think so.

Hi folks 👋 This was previously marked as an enhancement because we never advertised the ability to support importing name prefixed resources. It was certainly a miss, however, that this limitation was not documented in resources that supported these types of arguments. Apologies for that.

The good news here is that support for importing the aws_security_group resource name_prefix argument can be found in this pull request (https://github.com/terraform-providers/terraform-provider-aws/pull/12052) via some shared logic we can use to make this easy across any resources implementing this functionality. I have set that pull request to close this issue since a fuller listing of resources that need this implementation can be found in https://github.com/terraform-providers/terraform-provider-aws/issues/9574.

Support for aws_security_group resource name_prefix argument import has been merged and will release with version 2.50.0 of the Terraform AWS Provider, tomorrow. Please follow #9574 for updates on other resources.

This has been released in version 2.50.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
