hashicorp / terraform-provider-aws


[Docs]: Import existing trail using ARN doesn't work, but it does if the trail name is used #37179

Open chrisdleech-pol opened 5 months ago

chrisdleech-pol commented 5 months ago

Documentation Link

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#import

Description

The documentation states to use the CloudTrail ARN when doing a terraform import; however, this results in an error that the resource does not exist.

Using the trail name, however, does result in a successful import.

For context, my trail is in a different AWS account from my state file, and the configuration block I am importing the existing trail into is set with an assume role provider - not sure if that makes any difference.

This looks to be a mistake in the docs to me.

References

No response

Would you like to implement a fix?

No


stefanfreitag commented 5 months ago

If there is no objection, I would like to look into this one.

stefanfreitag commented 5 months ago

I tried to reproduce the described issue using Terraform version 1.8.2 in combination with AWS provider version 5.47.0.

❯ terraform version
Terraform v1.8.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v5.47.0

The issue itself is described as

It was mentioned that the CloudTrail to import was in another AWS account, so I did these tests:

All of these imports are working with the software versions mentioned above. In the code snippets below, the AWS account IDs I used for testing have been replaced.

CloudTrail in same account

Import CloudTrail by ARN

❯ terraform import aws_cloudtrail.this arn:aws:cloudtrail:eu-central-1:012345678901:trail/SpokeTrail
aws_cloudtrail.this: Importing from ID "arn:aws:cloudtrail:eu-central-1:012345678901:trail/SpokeTrail"...
aws_cloudtrail.this: Import prepared!
  Prepared aws_cloudtrail for import
aws_cloudtrail.this: Refreshing state... [id=arn:aws:cloudtrail:eu-central-1:012345678901:trail/SpokeTrail]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Import CloudTrail by Name

❯ terraform import aws_cloudtrail.this  SpokeTrail
aws_cloudtrail.this: Importing from ID "SpokeTrail"...
aws_cloudtrail.this: Import prepared!
  Prepared aws_cloudtrail for import
aws_cloudtrail.this: Refreshing state... [id=SpokeTrail]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

CloudTrail Cross Account

The provider configuration was modified so that now a role in a remote account is assumed.

provider "aws" {
  alias  = "central"
  region = "eu-central-1"
  assume_role {
    role_arn = "arn:aws:iam::23456789012:role/CICD_Cross_Deployment"
  }
}

Import CloudTrail by ARN

❯ terraform import aws_cloudtrail.this arn:aws:cloudtrail:eu-central-1:23456789012:trail/SpokeTrail
aws_cloudtrail.this: Importing from ID "arn:aws:cloudtrail:eu-central-1:23456789012:trail/SpokeTrail"...
aws_cloudtrail.this: Import prepared!
  Prepared aws_cloudtrail for import
aws_cloudtrail.this: Refreshing state... [id=arn:aws:cloudtrail:eu-central-1:23456789012:trail/SpokeTrail]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Import CloudTrail by Name

❯ terraform import aws_cloudtrail.this  SpokeTrail
aws_cloudtrail.this: Importing from ID "SpokeTrail"...
aws_cloudtrail.this: Import prepared!
  Prepared aws_cloudtrail for import
aws_cloudtrail.this: Refreshing state... [id=SpokeTrail]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

When checking the resource in the Terraform state, one can verify that it belongs to the remote account.

Could you please provide more details (e.g. Terraform and provider versions used, error message and/or logs)?

acwwat commented 4 months ago

@chrisdleech-pol What version of the Terraform AWS Provider are you using?

Since v5.25.0, there was a change that requires the trail ARN instead of the trail name for import.
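As an added example (not code from the thread or the provider), this is how the cross-account import discussed above looks with a Terraform 1.5+ `import` block, pinning the provider to the version range in which the ARN is the expected import ID; the account IDs, role name and bucket name are placeholders, the first two reused from the redacted output above.

```hcl
# Added example, not from the thread: import an existing trail by ARN through
# the cross-account assume-role provider. Account IDs, role name and bucket
# name are placeholders.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.25.0" # ARN-based import applies from this version onward
    }
  }
}

provider "aws" {
  alias  = "central"
  region = "eu-central-1"
  assume_role {
    role_arn = "arn:aws:iam::23456789012:role/CICD_Cross_Deployment"
  }
}

# The import ID is the trail ARN in the remote account, not the bare trail name.
import {
  to       = aws_cloudtrail.this
  provider = aws.central
  id       = "arn:aws:cloudtrail:eu-central-1:23456789012:trail/SpokeTrail"
}

resource "aws_cloudtrail" "this" {
  provider       = aws.central
  name           = "SpokeTrail"
  s3_bucket_name = "PLACEHOLDER-trail-bucket" # set to the trail's existing bucket
}
```

`terraform plan` lists the trail as an import with no changes if the resource block matches the live trail, and `terraform apply` records it in state. Alternatively, omit the `resource` block and run `terraform plan -generate-config-out=cloudtrail.tf` so Terraform writes the block from the trail's current attributes.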