hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Terraform should initialize only required providers on `terraform import` #30589

Open mkjmdski opened 2 years ago

mkjmdski commented 2 years ago

Current Terraform Version

1.1.4

Use-cases

I'm running terraform import on terraform cloud with a multi-provider setup. And by multi I mean really multi. It combines github with aws, gcp, a dns provider and many more. This is super convenient because it does not require any more provisioners than terraform. However there is one issue with this. When I run terraform import, terraform tries to connect to every provider and parse every variable that is not provided to start the import, even if these variables and providers are not required to run the import itself. For security reasons, when running terraform plan, terraform takes creds from terraform cloud, which is great! And I understand why for import it is using local credentials (so nobody uses remote credentials to import some stuff they are not supposed to see).

Attempted Solutions

Just configuring EVERY provider or removing the other providers' code for the time of the import. Both very hacky.

Proposal

Maybe terraform could use the same dependency cycle resolving that it uses for `terraform plan -target=<resource>` for the resource that is being imported? That way only the required providers and variables would be read.

I understand how deep this might go into the way that terraform works, so this is probably a very hard issue to address, but I thought it would be great to just give you feedback about this particular use case :)

crw commented 2 years ago

Thanks for the enhancement request! If you want to really dig in, I think some of the conversation from this issue may be relevant here: https://github.com/hashicorp/terraform/issues/2430 -- I'm thinking having the capability to defer part of the plan might be relevant in this case but I could be wrong. In any case, thanks again.

kmoe commented 2 years ago

In order to run terraform import, the configuration needs to be complete and valid - even the parts of it that aren't being used for that import - which means that Terraform needs to know the values of all variables.

Could you show us an example of what output you're seeing, and what you mean by "terraform tries to connect to every provider"?

balonik commented 1 year ago

@kmoe A simple example would be a setup with 2 providers configured, aws and azuread. Let's say that I as a user have access to our AWS account, hence I can use my local credentials for the aws provider during terraform import. But for whatever reason I don't have personal access to the Azure subscription or tenant and those credentials are only set in TF Cloud.

Let's say I need to import an existing AWS EC2 instance into the state. But I am stuck with errors like:

```
│ Error: Error building AzureAD Client: Error retrieving the Profile from the Azure CLI: Subscription "1-2-3-4" was not found in your Azure CLI credentials. Please verify it exists in `az account list`. Please re-authenticate using `az login`.
│ 
│   with provider["registry.terraform.io/hashicorp/azuread"],
│   on /home/user/terraform/main.tf line 96, in provider "azuread":
│   96: provider "azuread" {
```

I don't know if by "the configuration needs to be complete and valid" you mean anything special, but terraform validate passes and if I trigger a run in TF Cloud everything works as expected.

Another option would be to have options to manipulate state (import/rm) in TF Cloud/TFE directly, using the variables configured on the workspace.

kmoe commented 5 months ago

@balonik You can use the new import block (https://developer.hashicorp.com/terraform/language/import) in TFC to take advantage of the variables already configured on the workspace. Does this work for you?
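The following configuration is an added example (not from the issue thread or from the Terraform project) illustrating both balonik's two-provider setup and kmoe's suggested fix: instead of running `terraform import` locally, where the azuread provider would try to use the operator's own Azure CLI session, the import is declared in an `import` block and executed by a run in the TFC workspace, so the credentials for both providers come from the workspace's environment variables. The AMI and instance id are placeholders, and the `aws_region` default is assumed.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

variable "aws_region" {
  type    = string
  default = "eu-west-1" # assumed default for the example
}

# Both providers are configured without credentials in code. In the TFC
# workspace they are supplied as environment variables (AWS_ACCESS_KEY_ID /
# AWS_SECRET_ACCESS_KEY for aws; ARM_TENANT_ID / ARM_CLIENT_ID /
# ARM_CLIENT_SECRET for azuread), so the run never depends on what is
# logged in on the operator's machine.
provider "aws" {
  region = var.aws_region
}

provider "azuread" {}

# The EC2 instance that already exists and should be adopted into state.
resource "aws_instance" "web" {
  ami           = "ami-00000000000000000" # placeholder; set to the real AMI
  instance_type = "t3.micro"
}

# Declarative import (Terraform 1.5+): on the next plan/apply Terraform reads
# the instance with this id and records it as aws_instance.web. No local
# `terraform import` command, and therefore no local Azure credentials, needed.
import {
  to = aws_instance.web
  id = "i-0123456789abcdef0" # placeholder instance id
}
```

Triggering a plan in the workspace shows the instance as "will be imported"; applying it writes the resource into the remote state. If the `aws_instance.web` block does not exist yet, `terraform plan -generate-config-out=generated.tf` can write a resource block matching the imported instance, which is then reviewed and committed like any other change.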