aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(cli) cdk import gives "unsupported resource type" errors for resource types which should be supported #28715

Open anentropic opened 9 months ago

anentropic commented 9 months ago

Describe the bug

I am trying to import pre-created resources into my stack via cdk import cli

The docs say:

See the list of resources that can be imported here

...and that page has a table of importable resource types (which seems pretty comprehensive)

But when I try to import the resources I get errors like "unsupported resource type ___, skipping import" ...for resource types which are found in the importable list linked in the docs

Expected Behavior

the resources are imported, or I get an error explaining why not

Current Behavior

I get these errors:

my-stack/Web Lambda/Invoke2UTWxhlfyqbT5FTn--5jvgbLgj+FfJwzswGk55DU1H--Y=: unsupported resource type AWS::Lambda::Permission, skipping import.
my-stack/ALB/Resource: unsupported resource type AWS::ElasticLoadBalancingV2::LoadBalancer, skipping import.
my-stack/ALB/SecurityGroup/Resource: unsupported resource type AWS::EC2::SecurityGroup, skipping import.
my-stack/ALB/ALB-http-listener/Resource: unsupported resource type AWS::ElasticLoadBalancingV2::Listener, skipping import.
my-stack/ALB/ALB-http-listener/ALB-targetsGroup/Resource: unsupported resource type AWS::ElasticLoadBalancingV2::TargetGroup, skipping import.
No resources selected for import.

so there are five resources identified for import, of the following types:

all of these resource types are found in the table of importable resource types linked in the docs

Reproduction Steps

at the moment I am unable to provide a minimal repro

but basically:

Possible Solution

I am guessing that maybe, rather than the docs being totally wrong, my resources are non-importable for some other reason and the error message is wrong, obscuring the real problem?

Additional Information/Context

No response

CDK CLI Version

2.121.1 (build d86bb1a)

Framework Version

No response

Node.js Version

v18.18.0

OS

macOS 14.1

Language

Python

Language Version

3.11.5

Other information

No response

pahud commented 9 months ago

- write code in the cdk stack to mimic the manually created ALB
- run cdk import cli

Can you share your code snippets and full CLI command for the two steps?

anentropic commented 9 months ago

the code I've added looks like:

        load_balancer = elb.ApplicationLoadBalancer(
            self,
            "ALB",
            vpc=vpc,
            vpc_subnets=ec2.SubnetSelection(
                subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS,
            ),
            internet_facing=False,
        )
        load_balancer.connections.allow_from(
            other=ec2.Peer.ipv4(gateway_cidr),
            port_range=ec2.Port.all_icmp(),
        )
        load_balancer.connections.allow_from(
            other=ec2.Peer.ipv4(gateway_cidr),
            port_range=ec2.Port.tcp(80),
        )
        alb_listener = load_balancer.add_listener(
            "ALB-http-listener",
            port=80,
            open=True,
        )
        alb_listener.add_targets(
            "ALB-targets",
            targets=[
                elb_targets.LambdaTarget(
                    cast(lambda_.IFunction, django_lambdas.web_lambda)
                ),
            ],
        )

and then I do like cdk import my-stack

qrsor commented 8 months ago

I'm getting a similar error with the following message: "unsupported resource type AWS::ApiGateway::BasePathMapping, skipping import." Also running cdk diff does not output anything but the resource that is to be imported, but when running cdk import it stops due to lambda resources requiring an update. cdk import -fv prints out:

Ignoring updated/deleted resources (--force): ...

EDIT: I've tried importing the resource using AWS Console but that failed as well reporting no resources to update.

anentropic commented 7 months ago

@qrsor part of that sounds like a different issue

I have a result from cdk diff

but cdk import says "No resources selected for import." and names several resources as "unsupported resource type" even though they are shown as supported types in the docs

I now have cdk 2.131.0 and the problem persists, no clue what is actually wrong

am wishing I had used Terraform instead at this point

would love if there was any kind of workaround, besides what I currently have which is just comment out these items from the stack and carry on with the manually deployed resources

e.g. now I want to deploy the stack in a new env, so I have to conditionally define those resources in the stack so they can at least be cdk deployed for one of the envs, but not for the other ... it's just a frustrating mess

qrsor commented 7 months ago

@anentropic make sure you have explicitly set DeletionPolicy on imported resources. Without it the resources will not be recognized.

anentropic commented 7 months ago

thanks... is this documented somewhere? which deletion policy do they need to have?

anentropic commented 7 months ago

the primary resource I am trying to import is an aws_elasticloadbalancingv2.ApplicationLoadBalancer

the closest thing to a deletion policy arg I can see on that is a deletion_protection: bool which apparently defaults to false - do I have to set that true?

anentropic commented 7 months ago

ah I see, it's a method, not all resources have it as an arg like S3 Bucket does

adding load_balancer.apply_removal_policy(RemovalPolicy.RETAIN) did not seem to have an effect, I get the same messages about "unsupported resource type AWS::ElasticLoadBalancingV2::LoadBalancer, skipping import"

qrsor commented 7 months ago

Could you maybe test the DESTROY Removal policy? Not in PROD but some test environment?

anentropic commented 7 months ago

the code for the chunk I'm trying to import looks like:

        from typing import cast

        from aws_cdk import (
            RemovalPolicy,
            aws_ec2 as ec2,
            aws_elasticloadbalancingv2 as elb,
            aws_elasticloadbalancingv2_targets as elb_targets,
            aws_lambda as lambda_,
        )

        load_balancer = elb.ApplicationLoadBalancer(
            self,
            "ALB",
            load_balancer_name=resource_name_template.format("analytics-dev-alb"),
            vpc=vpc,
            vpc_subnets=ec2.SubnetSelection(
                subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS,
            ),
            internet_facing=False,
        )
        load_balancer.apply_removal_policy(RemovalPolicy.DESTROY)
        if config.gateway_cidr:
            gateway_peer = ec2.Peer.ipv4(config.gateway_cidr)
        else:
            gateway_peer = ec2.Peer.any_ipv4()
        load_balancer.connections.allow_from(
            other=gateway_peer,
            port_range=ec2.Port.all_icmp(),
        )
        load_balancer.connections.allow_from(
            other=gateway_peer,
            port_range=ec2.Port.tcp(80),
        )
        # load_balancer.log_access_logs(logs_bucket, prefix="alb")
        alb_listener = load_balancer.add_listener(
            "ALB-http-listener",
            port=80,
            open=True,
        )
        alb_listener.add_targets(
            "ALB-targets",
            targets=[
                elb_targets.LambdaTarget(
                    cast(lambda_.IFunction, django_lambdas.web_lambda)
                ),
            ],
        )
        alb_listener.apply_removal_policy(RemovalPolicy.DESTROY)

same errors with RemovalPolicy.DESTROY though

qrsor commented 7 months ago

What does diff output? What does synth output? Is your ALB managed by another stack or created manually? Are your resources present in the list? https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-supported-resources.html mind that only ELBV2 seems to be supported.

anentropic commented 7 months ago

the ALB was created manually

Are your resources present in the list? https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-supported-resources.html mind that only ELBV2 seems to be supported.

as per my original post, all of the resource types it complains "unsupported resource type" for are listed in the table on that page as supporting import

anentropic commented 7 months ago

cdk diff looks like:

Stack my-stack
Hold on while we create a read-only change set to get a diff with accurate replacement information (use --no-change-set to use a less accurate but faster template-only diff)
IAM Statement Changes
┌───┬──────────────────────────┬────────┬───────────────────────┬────────────────────────────────────────────┬───────────┐
│   │ Resource                 │ Effect │ Action                │ Principal                                  │ Condition │
├───┼──────────────────────────┼────────┼───────────────────────┼────────────────────────────────────────────┼───────────┤
│ + │ ${Django/Web Lambda.Arn} │ Allow  │ lambda:InvokeFunction │ Service:elasticloadbalancing.amazonaws.com │           │
└───┴──────────────────────────┴────────┴───────────────────────┴────────────────────────────────────────────┴───────────┘
Security Group Changes
┌───┬──────────────────────────────┬─────┬─────────────┬────────────────────┐
│   │ Group                        │ Dir │ Protocol    │ Peer               │
├───┼──────────────────────────────┼─────┼─────────────┼────────────────────┤
│ + │ ${ALB/SecurityGroup.GroupId} │ In  │ All ICMP    │ 10.4.0.0/16        │
│ + │ ${ALB/SecurityGroup.GroupId} │ In  │ TCP 80      │ 10.4.0.0/16        │
│ + │ ${ALB/SecurityGroup.GroupId} │ In  │ TCP 80      │ Everyone (IPv4)    │
│ + │ ${ALB/SecurityGroup.GroupId} │ Out │ ICMP 252-86 │ 255.255.255.255/32 │
└───┴──────────────────────────────┴─────┴─────────────┴────────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Resources
[+] AWS::Lambda::Permission Django/Web Lambda/Invoke2UTWxhlfyqbT5FTn--5jvgbLgj+FfJwzswGk55DU1H--Y= DjangoWebLambdaInvoke2UTWxhlfyqbT5FTn5jvgbLgjFfJwzswGk55DU1HYFC50E0FF
[+] AWS::ElasticLoadBalancingV2::LoadBalancer ALB ALBAEE750D2
[+] AWS::EC2::SecurityGroup ALB/SecurityGroup ALBSecurityGroup8B8624F8
[+] AWS::ElasticLoadBalancingV2::Listener ALB/ALB-http-listener ALBALBhttplistener38A8914F
[+] AWS::ElasticLoadBalancingV2::TargetGroup ALB/ALB-http-listener/ALB-targetsGroup ALBALBhttplistenerALBtargetsGroup6742614E

Outputs
[+] Output ALB URL ALBURL: {"Description":"Load-balancer hostname","Value":{"Fn::GetAtt":["ALBAEE750D2","DNSName"]},"Export":{"Name":"ifm-ssa-loadbalancer-dns-name-dev-eu"}}

✨  Number of stacks with differences: 1

qrsor commented 7 months ago

I would suggest two possible actions:

  1. Comment out some code so that cdk diff only outputs the ALB to be imported without any other resources being created or changed and try cdk import then
  2. Try to perform the import using AWS Console in order to see if the resources are recognized as possible to be imported:
    • comment out all resources to be imported except for ALB
    • run cdk synth -j
    • copy the ALB resource definition from the generated CloudFormation template
    • Go to AWS Console > CloudFormation > my-stack > Template
    • Toggle the "generated template" toggle
    • Copy the template to a local file
    • Add the ALB resource snippet in the "Resources" section of the template and save the file
    • In AWS console stack actions select: import > upload template > select your file
    • check if the ALB is properly recognized as a resource to be imported
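
The manual import procedure above, together with the earlier DeletionPolicy advice, can be checked offline before anything is uploaded. This is an added example, not code from the thread or from the CDK project: it copies selected resources from a synthesized template into the deployed one and reports a missing DeletionPolicy attribute (CloudFormation requires one on every resource being imported) and references to logical IDs that are absent from the merged template. The names find_refs and build_import_template, the ExistingBucket resource and the property values are assumptions; the two ALB logical IDs are taken from the cdk diff output above.

```python
import copy

def find_refs(node):
    """Logical IDs reached via Ref or Fn::GetAtt (Fn::Sub strings are not parsed)."""
    refs = set()
    is_map = isinstance(node, dict)
    pairs = node.items() if is_map else enumerate(node) if isinstance(node, list) else ()
    for key, val in pairs:
        if key == "Ref" and isinstance(val, str):
            refs.add(val)
        elif key == "Fn::GetAtt":
            refs.add(val[0] if isinstance(val, list) else val.split(".")[0])
        else:
            refs |= find_refs(val)
    return refs

def build_import_template(deployed, synthesized, logical_ids):
    """Copy logical_ids from synthesized into deployed; return (merged, problems)."""
    merged = copy.deepcopy(deployed)
    resources, problems = merged.setdefault("Resources", {}), []
    for lid in logical_ids:
        resource = copy.deepcopy(synthesized["Resources"][lid])
        if "DeletionPolicy" not in resource:  # required on every imported resource
            problems.append(f"{lid}: no DeletionPolicy attribute")
        resources[lid] = resource
    known = set(resources) | set(merged.get("Parameters", {}))
    for lid in logical_ids:
        for ref in sorted(find_refs(resources[lid])):
            if ref not in known and not ref.startswith("AWS::"):  # skip pseudo parameters
                problems.append(f"{lid}: references {ref}, which is not in the template")
    return merged, problems

# Constructed sample templates: logical IDs follow the cdk diff output in the
# thread; ExistingBucket and all property values are placeholders.
DEPLOYED = {"Resources": {"ExistingBucket": {"Type": "AWS::S3::Bucket"}}}
SYNTHESIZED = {"Resources": {
    "ALBAEE750D2": {
        "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
        "Properties": {"Scheme": "internal", "SecurityGroups": [
            {"Fn::GetAtt": ["ALBSecurityGroup8B8624F8", "GroupId"]}]},
    },
    "ALBSecurityGroup8B8624F8": {
        "Type": "AWS::EC2::SecurityGroup", "DeletionPolicy": "Retain",
        "Properties": {"GroupDescription": "placeholder"},
    },
}}

if __name__ == "__main__":
    print("\n".join(build_import_template(DEPLOYED, SYNTHESIZED, ["ALBAEE750D2"])[1]))
```

With real data, load the two dictionaries with json.load from the cdk synth -j output and from the template copied out of the console.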