How do I import existing security group rules using terragrunt

[sewmiuraj]

Hello,

I am currently attempting to import existing security group rules using terragrunt import command. This worked without an issue when I did the same for a cloudwatch log group.

However, with security group rules I am not able to do this. Can you please let me know what I am doing wrong here.

OUTPUT OF TERRAGRUNT PLAN:

module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0] must be replaced
-/+ resource "aws_security_group_rule" "allow_connections_from_cidr_blocks" {
      ~ cidr_blocks              = [ # forces replacement
            # (2 unchanged elements hidden)
            "10.2.96.0/21",
          + "10.8.80.0/21",
          + "10.8.88.0/21",
          + "10.8.96.0/21",
        ]
      ~ id                       = "sgrule-3614096971" -> (known after apply)
      - ipv6_cidr_blocks         = [] -> null
      - prefix_list_ids          = [] -> null
      + source_security_group_id = (known after apply)
        # (6 unchanged attributes hidden)
    }

The IPs "10.8.80.0/21", "10.8.88.0/21", "10.8.96.0/21" are already added manually from the console. When I applied, the security group lost all the ingress rules. When I planned next time it showed the ingress rules ready to be applied. Running apply one more time recreated the rules properly, but I don't want to do that in my production environment - therefore trying the import option.

COMMAND:

aws-vault exec stage -- terragrunt import aws_security_group_rule.ingress sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.80.0/21

---

ERROR:

Error: resource address "aws_security_group_rule.ingress" does not exist in the configuration.

Before importing this resource, please create its configuration in the root module. For example:

resource "aws_security_group_rule" "ingress" {
   (resource arguments)
}

ERRO[0025] 1 error occurred:
	* exit status 1

---

Tracked in ticket #109192

[zackproser]

Hi @sewmiuraj,

First of all - thank you for the outstanding bug report. We really appreciate your taking the time to fill in all this helpful information.

I think we know what might be going on here:

Your import command is very close - but I'm guessing you went to these docs like me and saw the examples mentioning the ingress - which in the case of the terraform example is the name of the security group rule to import.

However, in your case the correct address is module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0]. , because the name of the security group rule you're trying to import is allow_connections_from_cidr_blocks[0].

This means your command should be:

aws-vault exec stage -- terragrunt import aws_security_group_rule.allow_connections_from_cidr_blocks[0] sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.80.0/21

Hope this helps!

[sewmiuraj]

Hi @zackproser ,

Thank you for your response.

As you've suggested, I did refer to the documentation that you've mentioned. I did try the solution you provided as well, however it still returns an error:

aws-vault exec stage -- terragrunt import aws_security_group_rule.allow_connections_from_cidr_blocks[0] sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.80.0/21 

zsh: no matches found: aws_security_group_rule.allow_connections_from_cidr_blocks[0]

Could this be because it's unable to find the source_securtiy_group_id?
I could see in the plan that the source_security_group_id is set to (known after apply).

On another note, I also tried
aws-vault exec stage -- terragrunt import module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0] sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.80.0/21
since i got it to work for cloudwatch log groups. It too fails with the same error:

zsh: no matches found: module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0]

[zackproser]

Hi @sewmiuraj

Could you please try running the terragrunt state list command, and paste the addresses that come back?

aws-vault exec stage -- terragrunt state list should do the trick.

This should output the correct addresses for resources that we can use with the import command.

[sewmiuraj]

Hi @zackproser,

I was able to use terragrunt state list to find the address. It returned:
module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0], but the command only worked without [0].

PLAN BEFORE IMPORT

  # module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0] must be replaced
-/+ resource "aws_security_group_rule" "allow_connections_from_cidr_blocks" {
      ~ cidr_blocks              = [ # forces replacement
            # (2 unchanged elements hidden)
            "10.2.96.0/21",
          + "10.8.80.0/21",
          + "10.8.88.0/21",
          + "10.8.96.0/21",
        ]
      ~ id                       = "sgrule-3614096971" -> (known after apply)
      - ipv6_cidr_blocks         = [] -> null
      - prefix_list_ids          = [] -> null
      + source_security_group_id = (known after apply)
        # (6 unchanged attributes hidden)
    }

IMPORT COMMAND THAT WORKED
aws-vault exec stage -- terragrunt import module.database.aws_security_group_rule.allow_connections_from_cidr_blocks sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.80.0/21

module.database.aws_security_group_rule.allow_connections_from_cidr_blocks: Importing from ID "sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.80.0/21"...
module.database.aws_security_group_rule.allow_connections_from_cidr_blocks: Import prepared!
  Prepared aws_security_group_rule for import
module.database.aws_security_group_rule.allow_connections_from_cidr_blocks: Refreshing state... [id=sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.80.0/21]

Import successful!

PLAN AFTER IMPORT
From the looks of it, it is trying to delete my import.

# module.database.aws_security_group_rule.allow_connections_from_cidr_blocks will be destroyed
  # (because resource uses count or for_each)
  - resource "aws_security_group_rule" "allow_connections_from_cidr_blocks" {
      - cidr_blocks       = [
          - "10.8.80.0/21",
        ] -> null
      - from_port         = 5432 -> null
      - id                = "sgrule-3185997217" -> null
      - ipv6_cidr_blocks  = [] -> null
      - prefix_list_ids   = [] -> null
      - protocol          = "tcp" -> null
      - security_group_id = "sg-01e69230e5c0f1169" -> null
      - self              = false -> null
      - to_port           = 5432 -> null
      - type              = "ingress" -> null
    }

  # module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0] must be replaced
-/+ resource "aws_security_group_rule" "allow_connections_from_cidr_blocks" {
      ~ cidr_blocks              = [ # forces replacement
            # (2 unchanged elements hidden)
            "10.2.96.0/21",
          + "10.8.80.0/21",
          + "10.8.88.0/21",
          + "10.8.96.0/21",
        ]
      ~ id                       = "sgrule-3614096971" -> (known after apply)
      - ipv6_cidr_blocks         = [] -> null
      - prefix_list_ids          = [] -> null
      + source_security_group_id = (known after apply)
        # (6 unchanged attributes hidden)
    }

[sewmiuraj]

Small Update - I was able to get the import command to work with [0] by adding '' around the address. But the import fails with error.

aws-vault exec stage -- terragrunt import 'module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0]' sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.88.0/21
╷
│ Warning: Version constraints inside provider configuration blocks are deprecated
│ 
│   on provider.tf line 4, in provider "aws":
│    4:   version = "~> 3.0" //temp fix for: https://github.com/gruntwork-io/knowledge-base/discussions/187
│ 
│ Terraform 0.13 and earlier allowed provider version constraints inside the
│ provider configuration block, but that is now deprecated and will be
│ removed in a future version of Terraform. To silence this warning, move the
│ provider version constraint into the required_providers block.
╵

module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0]: Importing from ID "sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.88.0/21"...
module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0]: Import prepared!
  Prepared aws_security_group_rule for import
╷
│ Warning: Version constraints inside provider configuration blocks are deprecated
│ 
│   on provider.tf line 4, in provider "aws":
│    4:   version = "~> 3.0" //temp fix for: https://github.com/gruntwork-io/knowledge-base/discussions/187
│ 
│ Terraform 0.13 and earlier allowed provider version constraints inside the
│ provider configuration block, but that is now deprecated and will be
│ removed in a future version of Terraform. To silence this warning, move the
│ provider version constraint into the required_providers block.
│ 
│ (and one more similar warning elsewhere)
╵

╷
│ Error: Resource already managed by Terraform
│ 
│ Terraform is already managing a remote object for
│ module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0].
│ To import to this address you must first remove the existing object from
│ the state.
╵

ERRO[0026] 1 error occurred:
	* exit status 1

Import does work if I use [3] instead, but then it would prompt to destroy it in the next plan - as explained in my last reply.

aws-vault exec stage -- terragrunt import 'module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[3]' sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.88.0/21
╷
│ Warning: Version constraints inside provider configuration blocks are deprecated
│ 
│   on provider.tf line 4, in provider "aws":
│    4:   version = "~> 3.0" //temp fix for: https://github.com/gruntwork-io/knowledge-base/discussions/187
│ 
│ Terraform 0.13 and earlier allowed provider version constraints inside the
│ provider configuration block, but that is now deprecated and will be
│ removed in a future version of Terraform. To silence this warning, move the
│ provider version constraint into the required_providers block.
╵

module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[3]: Importing from ID "sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.88.0/21"...
module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[3]: Import prepared!
  Prepared aws_security_group_rule for import
module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[3]: Refreshing state... [id=sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.88.0/21]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

[denis256]

Hi,
looks like the resource is already in the state and import fails with the respective message:

╷
│ Error: Resource already managed by Terraform
│ 
│ Terraform is already managing a remote object for
│ module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0]

import in [3] works since resource is added as a new element in list, but later is proposed for removal since it is not defined in terraform files...

Can be attempted to remove from state reference to aws_security_group_rule:

terragrunt state rm module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0]

and attempted to re-import it back

https://www.terraform.io/cli/commands/state/rm

[sewmiuraj]

Thank you @zackproser and @denis256. I was able to import with the command:

aws-vault exec stage -- terragrunt import 'module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0]' sg-01e69230e5c0f1169_ingress_tcp_5432_5432_10.8.80.0/21

I had to add '' when adding module.database.aws_security_group_rule.allow_connections_from_cidr_blocks[0].

[zackproser]

@sewmiuraj Awesome! Thanks so much for letting us know. Glad you were able to get that working.