hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: `import` command does not import all the state #38382

Open EugenKon opened 1 month ago

EugenKon commented 1 month ago

Terraform Core Version

v1.8.5

AWS Provider Version

v5.55.0

Affected Resource(s)

Expected Behavior

A consecutive run of terraform plan -var vpn_setup=client-ssh-only should output 'No changes' for your plan.

I do not expect terraform to update unrelated resources.

Actual Behavior

terraform plan reports adding force_destroy and tags_all -> Project tag.

Also, during the import the EC2 IP state was updated, because -var vpn_setup=client-ssh-only was not provided (see config below).

During the import terraform does not report that state of IPs for EC2 was updated:

terraform -chdir=derived-src/aws/ import -state=../../state.d/terraform.tfstate module.dns.aws_route53_zone.private-cloud[0] Z0xx
data.external.env: Reading...
data.external.env: Read complete after 0s [id=-]
data.external.get_audit_output: Reading...
module.autodraft.data.aws_ecr_authorization_token.token: Reading...
module.private-cloud.data.aws_ami.nomad: Reading...
module.private-cloud.data.aws_caller_identity.current: Reading...
module.private-cloud.data.aws_iam_policy_document.auto_discover_cluster: Reading...
module.private-cloud.data.aws_iam_policy_document.auto_discover_cluster: Read complete after 0s [id=xx]
module.autodraft.data.aws_caller_identity.current: Reading...
module.private-cloud.data.aws_iam_policy_document.ec2-assume-role-policy: Reading...
module.private-cloud.data.aws_iam_policy_document.ec2-assume-role-policy: Read complete after 0s [id=xx]
module.dns.aws_route53_zone.private-cloud[0]: Importing from ID "Z0xx"...
module.dns.aws_route53_zone.private-cloud[0]: Import prepared!
  Prepared aws_route53_zone for import
module.dns.aws_route53_zone.private-cloud[0]: Refreshing state... [id=Z0xx]
module.private-cloud.data.aws_caller_identity.current: Read complete after 0s [id=xx]
module.private-cloud.data.aws_iam_policy_document.notify-devops: Reading...
module.private-cloud.data.aws_iam_policy_document.ses-private-portal-complaints: Reading...
module.private-cloud.data.aws_iam_policy_document.ses-private-portal-delivery: Reading...
module.private-cloud.data.aws_iam_policy_document.ses-private-portal-bounces: Reading...
module.private-cloud.data.aws_iam_policy_document.notify-devops: Read complete after 0s [id=xx]
module.private-cloud.data.aws_iam_policy_document.ses-private-portal-complaints: Read complete after 0s [id=xx]
module.private-cloud.data.aws_iam_policy_document.ses-private-portal-delivery: Read complete after 0s [id=xx]
module.private-cloud.data.aws_iam_policy_document.ses-private-portal-bounces: Read complete after 0s [id=xx]
module.private-cloud.data.aws_iam_policy_document.private-cloud: Reading...
module.private-cloud.data.aws_iam_policy_document.private-cloud: Read complete after 0s [id=xx]
module.autodraft.data.aws_caller_identity.current: Read complete after 0s [id=xx]
data.external.get_audit_output: Read complete after 3s [id=-]
module.audit[0].data.aws_caller_identity.current: Reading...
module.audit[0].data.aws_caller_identity.current: Read complete after 0s [id=xx]
module.autodraft.data.aws_ecr_authorization_token.token: Read complete after 1s [id=ap-east-1]
module.autodraft.data.aws_ecr_image.autodraft: Reading...
module.private-cloud.data.aws_ami.nomad: Read complete after 1s [id=ami-xx]
module.autodraft.data.aws_ecr_image.autodraft: Read complete after 1s [id=sha256:XX]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Expected behaviour

Terraform should report any changes to the state. Terraform should not change the state of unrelated resources. Terraform import should do all the changes to the specified resource during import. There should not be any changes during a consecutive terraform plan for the imported resource.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

locals {
  server_ip = var.vpn_setup == "client-ssh-only" ? module.private-cloud.server_private_ip : module.private-cloud.server_public_ip
  client_ip = var.vpn_setup == "client-ssh-only" ? module.private-cloud.www_private_ip : module.private-cloud.www_public_ip
}

output "ConnectionInfo" {
  value = <<CONFIGURATION

Client EC2 instances: ${join(", ", local.client_ip[*])}
Server EC2 instances: ${join(", ", local.server_ip[*])}
CONFIGURATION
}

Steps to Reproduce

  1. Manually create Hosted zone
  2. terraform -chdir=derived-src/aws/ import -state=../../state.d/terraform.tfstate module.dns.aws_route53_zone.private-cloud[0] Z0XXX
  3. terraform -chdir=derived-src/aws/ plan -state=../../state.d/terraform.tfstate

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

justinretzolk commented 1 month ago

Hey @EugenKon 👋 Thank you for taking the time to raise this! As far as Terraform refreshing the state of other resources, that's not something that the AWS Provider has control over, and would need to be reported to the Terraform Core repository if you feel that the behavior is incorrect (though it looks like this was discussed in a now-closed issue).

As far as the update to the resource after import, are you able to provide a more complete configuration that can be used to reproduce the issue? Things like this are often very configuration dependent, so that information will be critical in the team's ability to look into this.

EugenKon commented 1 month ago

For the first part, regarding the fact that not everything was imported:

After a quick dig I am thinking that import did not take into account the next part:

provider "aws" {
  region = local.aws_region
  default_tags {
    tags = {
      Project = local.project_name
    }
  }
}

It was imported regardless of the globally configured default_tags. And then during plan, which sees that configuration, it reports changes to tags.

For the second part, regarding the imported change to the IP of the EC2 instance, I do not imagine how to minimize our config. I can try to do this later, but I do not know when.
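An added post-import check, not code from the issue or the AWS provider: parse the JSON of the plan that follows an import (`terraform plan -out plan.out` then `terraform show -json plan.out`) and flag any resource the plan would still modify, so a CI gate catches the tags_all/force_destroy drift described above. The plan JSON and the resource addresses below are constructed to mirror this report; the shape follows Terraform's `resource_changes` output.

```python
import json

# Constructed sample of `terraform show -json plan.out` output, shaped like the
# drift in this issue: the freshly imported Route53 zone still gets force_destroy
# and the tags_all.Project tag (from provider default_tags) on the next plan,
# while an unrelated instance is a no-op.
SAMPLE_PLAN_JSON = """
{
  "format_version": "1.2",
  "resource_changes": [
    {
      "address": "module.dns.aws_route53_zone.private-cloud[0]",
      "type": "aws_route53_zone",
      "change": {
        "actions": ["update"],
        "before": {"force_destroy": null, "tags_all": {}},
        "after": {"force_destroy": false, "tags_all": {"Project": "private-cloud"}}
      }
    },
    {
      "address": "module.private-cloud.aws_instance.server",
      "type": "aws_instance",
      "change": {"actions": ["no-op"], "before": {"ami": "ami-xx"}, "after": {"ami": "ami-xx"}}
    }
  ]
}
"""


def changed_attributes(change):
    """Sorted attribute names whose value differs between before and after."""
    before = change.get("before") or {}   # None for a create
    after = change.get("after") or {}     # None for a delete
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def post_import_drift(plan_json):
    """Map each resource the plan would still act on to its changed attributes."""
    plan = json.loads(plan_json)
    drift = {}
    for rc in plan.get("resource_changes", []):
        if rc["change"]["actions"] == ["no-op"]:
            continue
        drift[rc["address"]] = changed_attributes(rc["change"])
    return drift


def import_left_drift(plan_json, imported_address):
    """True when the next plan still changes the resource that was just imported."""
    return imported_address in post_import_drift(plan_json)
```

In a pipeline, fail the job when import_left_drift() is true, and review the returned attribute list to see whether the gap is provider-side (tags_all from default_tags, force_destroy) or a variable such as vpn_setup missing from the import run.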