importing existing account assignment

[rfum]

Hello, I'm willing to import my existing account assignment resources by using import block as defined in https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment#import . When I check the resources section in the module I see that there's aws_ssoadmin_account_assignment.account_assignment resource is listed. My module configuration is like below:

module "aws_iam_identity_center" {
  source  = "aws-ia/iam-identity-center/aws"
  version = "0.0.5"
  providers = {
    aws = aws
  }
}

My import statement is like below:

import {
  to = module.aws_iam_identity_center.aws_ssoadmin_account_assignment.account_assignment
  id = "f81d4fae-7dec-11d0-a765-00a0c91e6bf6,GROUP,1234567890,AWS_ACCOUNT,arn:aws:sso:::permissionSet/ssoins-0123456789abcdef/ps-0123456789abcdef,arn:aws:sso:::instance/ssoins-0123456789abcdef"
}

I'm getting the following error :

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Configuration for import target does not exist
│ 
│ The configuration for the given import
│ module.aws_iam_identity_center.aws_ssoadmin_account_assignment.account_assignment
│ does not exist. All target instances must have an associated configuration
│ to be imported.

does importing possible with this module? am I doing something wrong in my configuration?

[umerbeigh]

is there a way to migrate iam users to identity center.. i am currently using i am to manage users and groups .. i want to migrate to identity center? Does this module support importing iam users .

[novekm]

Hi all, sorry for the delay. Responses below:

• @rfum We can work on some examples on importing existing resources soon which should hopefully help you and others who need to import existing resources. In the meantime, I believe referring to the Terraform Docs on using Import Blocks with for_each should help you. The module uses for_each to dynamically create/reference multiple users, groups, accounts assignments, and permission sets, and loop through them. Are you using IAM Identity Center as the Identity Provider, or are you using a 3rd party IdP such as Azure AD/Entra ID, Okta, etc. ?

• @umerbeigh no, IAM Users/Groups are completely different resources than IAM Identity Center Users/Groups. What @rfum is trying to set up is importing existing IAM Identity Center resources, which is supported. Unfortunately in your case, you will need to do one of the following:

  1. Create these users/groups in IAM Identity Center with the module, mimicking the IAM Users/Groups that already exist
  2. Use another mechanism (likely some sort of script if you have many resources) to discover and log all of the desired IAM Users/Groups and re-create these Users/Groups in IAM Identity Center. From there, you can use the module to import those resources into Terraform.
  3. Use a 3rd party Identity Provider (Azure AD/Entra ID, Google, Okta, etc.) and connect it to IAM Identity Center. From there you can reference those existing resources in the module and create account assignments/permission sets etc.

[rfum]

@novekm I'm using a 3rd party IdP so users and groups are already present. What I need to do is just to import account assignments if I understand correctly. I also considered for_each block by myself, but it's a bit confusing for me. I already have some assignments but I couldn't form up a for_each loop for them because of the error: "resource name account_assignment is not found". When I checked the source code of the module the naming matching with my code. What might be the reason behind this?