"import" block validation is failing on false-positive "duplicates" #33390
Comments
|
This can also happen if you have the same resource in multiple providers in the same state - for instance, creating the same resource in multiple AWS accounts. I was about to file this bug with a similar example: terraform {
required_version = "~> 1.5.0"
required_providers {
aws = {
version = "~> 5.0"
source = "hashicorp/aws"
}
}
}
provider "aws" {
alias = "acc_a"
region = "us-east-1"
assume_role {
role_arn = "arn:aws:iam::${ID1}:role/OrganizationAccountAccessRole"
session_name = "import_bug_test"
}
}
provider "aws" {
alias = "acc_b"
region = "us-east-1"
assume_role {
role_arn = "arn:aws:iam::${ID2}:role/OrganizationAccountAccessRole"
session_name = "import_bug_test"
}
}
resource "aws_ebs_encryption_by_default" "ebs_encryption_a" {
provider = aws.acc_a
enabled = true
}
resource "aws_ebs_encryption_by_default" "ebs_encryption_b" {
provider = aws.acc_b
enabled = true
}
import {
to = aws_ebs_encryption_by_default.ebs_encryption_a
id = "default"
}
import {
to = aws_ebs_encryption_by_default.ebs_encryption_b
id = "default"
}But in general, import feels like it should check uniqueness across both the For now, this is breaking valid import use-cases for resource types that have static import |
|
Thanks @DanielRis and @pshuman-heb! The initial validation here assumed that The validation may need to be relaxed to check only the target address, which is the unique key as far as Terraform in concerned. |
|
@jbardin Thanks for the review! In general, it seems like maybe better to remove or significantly relax the validation for now and maybe try to put it back in later after some more review and with a more robust check? The dangers of someone double-importing feels relatively low - worst case your plans/applies do something odd and you have to do a The best minimal validation I could think of is probably validating that you're not importing |
|
It looks like individuating import blocks by id and provider in this validation will fix both the cases mentioned. The dangers of double-importing are the same as any case in which a single remote object is bound to multiple resource addresses (docs 1 2). If my assumptions are correct then we can prevent with validation what was previously always a user error.
@jbardin, do you have an example of this? Given that the |
|
@kmoe, because Terraform cannot enforce any uniqueness in resources, there is no requirement that identifiers themselves are unique. Multiple resource instances may have the exact same state, but with different addresses they are still separate unique values within a configuration. Resource also don't need to each represent real physical objects, with some being more abstract in nature, and the identifying string may the same for each of these resources. These abstract resources are frequently duplicated between modules, for instance you could not import a |
|
I see, We can relax this validation then and just check for duplicate |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Terraform Version
Terraform Configuration Files
Debug Output
N/A
Expected Behavior
Terraform should handle each import element individually.
Actual Behavior
Terraform is failing during the init stage:
because it is comparing the
idand thetypeof each import block individually instead of using the full resource identifier that would be required to support child modules.Steps to Reproduce
terraform initAdditional Context
No response
References
[No response]
https://github.com/hashicorp/terraform/blob/5ed38eb3fa6d44f167a48cea80a1bf2941011e3e/internal/configs/module.go#LL423C16-L423C16
The text was updated successfully, but these errors were encountered: