I am trying to import some resources (created by EKS outside Terraform), specifically the cluster creator access entry.
The documentation provides this usage to create a new access entry:
locals {
  access_entries = {
    iam_identity_center_admin_role = {
      kubernetes_groups = []
      principal_arn     = data.external.get_sso_admin_role.result.Arn
      policy_associations = {
        iam_identity_center_admin_role = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
          access_scope = {
            type = "cluster"
          }
        }
      }
    }
  }
}
According to the terraform import command docs:
Before you run terraform import you must manually write a resource configuration block for the resource. The resource block describes where Terraform should map the imported object.
Based on the above understanding, I tried to use the following import command, which throws an error:
terraform import module.base.module.eks.aws_eks_access_entry.iam_identity_center_admin_role mycluster:principal arn
Before importing this resource, please create its configuration in module.base.module.eks. For example:
resource "aws_eks_access_entry" "iam_identity_center_admin_role" {
  # (resource arguments)
}
The same works if I add the Terraform resource for the EKS access entry. Of course, when I use a resource definition I don't use the locals of the access entries map. So it's not an incorrect-resource problem.
resource "aws_eks_access_entry" "imported_cluster_creator_eks_access_entry" {
  cluster_name  = local.eks_name
  principal_arn = data.external.get_sso_admin_role.result.Arn
}
But if I use the following import command, with the locals and no explicit resource definition, it works. I want to know why this usage works. Why is this used? To my understanding it is implicitly used.
terraform import 'module.base.module.eks.aws_eks_access_entry.this["iam_identity_center_admin_role"]' my-cluster:principal arn
Based on the Terraform module code, the merged_access_entries local variable is used with the aws_eks_access_entry resource. Since the resource you have created manually needs to be imported into the module, you have to follow the convention specified by the said module. In this case, the resource you want to import is using the logical name of this:
resource "aws_eks_access_entry" "this" {
  for_each = { for k, v in local.merged_access_entries : k => v if local.create }

  cluster_name      = aws_eks_cluster.this[0].name
  kubernetes_groups = try(each.value.kubernetes_groups, null)
  principal_arn     = each.value.principal_arn
  type              = try(each.value.type, "STANDARD")
  user_name         = try(each.value.user_name, null)

  tags = merge(var.tags, try(each.value.tags, {}))
}
As you can see, the EKS module is also using for_each to create the resource aws_eks_access_entry, hence the need for the key when specifying the import command, as the key-value pairs are decided from the merged_access_entries local variable. Based on everything outlined here and in your question, you are calling the EKS module from the base module.
When using modules, you need to know which resource and which resource logical name are used in the module you want to import into in order to successfully import it. Since the resource in question is "aws_eks_access_entry" "this", the entire import command needs to be:
terraform import 'module.base.module.eks.aws_eks_access_entry.this["iam_identity_center_admin_role"]' <cluster:principal arn>
because one of the keys in the local access_entries variable which you have defined is iam_identity_center_admin_role.
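The same import expressed declaratively, as an added example that is not part of the question or the answer. It assumes Terraform 1.5 or later (which introduced import blocks), the same module wiring as above (module.base calls module.eks, which owns aws_eks_access_entry.this), and a constructed cluster name and placeholder principal ARN in place of the real values.

```hcl
# Added example, not code from the question, the answer or the EKS module.
# Assumes Terraform >= 1.5 and the module chain module.base -> module.eks.

locals {
  # The map key is what the module turns into the for_each key of
  # aws_eks_access_entry.this, so it must match the key in the import
  # address below character for character.
  access_entries = {
    iam_identity_center_admin_role = {
      kubernetes_groups = []
      principal_arn     = data.external.get_sso_admin_role.result.Arn
      policy_associations = {
        iam_identity_center_admin_role = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
          access_scope = {
            type = "cluster"
          }
        }
      }
    }
  }
}

# Declarative equivalent of:
#   terraform import 'module.base.module.eks.aws_eks_access_entry.this["iam_identity_center_admin_role"]' <cluster>:<principal arn>
#
# The import ID format for aws_eks_access_entry is "<cluster_name>:<principal_arn>".
# The id must be known at plan time, so a data source result (such as the
# data.external lookup above) cannot be used here; the ARN is written out
# literally. Both values below are constructed placeholders.
import {
  to = module.base.module.eks.aws_eks_access_entry.this["iam_identity_center_admin_role"]
  id = "my-cluster:arn:aws:iam::123456789012:role/PLACEHOLDER-sso-admin-role"
}
```

Running terraform plan then shows the entry as "will be imported" rather than created, which lets the import be reviewed alongside the rest of the change before any state is written; if the `to` key is absent from the module's access_entries map, plan reports that the target instance does not exist in configuration, which is the same mismatch the error in the question describes.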