Importing routes & ACL rules #704

Closed
hashibot opened this issue Jun 13, 2017 · 12 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@hashibot

This issue was originally opened by @AMMullan as hashicorp/terraform#13779. It was migrated here as part of the provider split. The original body of the issue is below.


I'm trying to import existing infrastructure but am not sure how to import ACL Rules and Routes for AWS.

Terraform Version

v0.8.8

Affected Resource(s)

  • aws_route
  • aws_network_acl_rule

Would just like to know if you can import these or you just have to apply and force it to overwrite the existing items?

@hashibot hashibot added the enhancement Requests to existing resources that expand the functionality or scope. label Jun 13, 2017
@frittentheke

I am wondering if importing an AWS route (table entry) is even necessary in case it already exists.
It's clearly defined by "destination -> target" as a combined "primary key". If that matches, the route exists and only the additional fields could be different (which then is an update in-place). If everything matches, simply skip this route.

@radeksimko radeksimko added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 27, 2018
@vkatsikaros
Contributor

If the aws_route already exists and it was not created by terraform, it needs to be imported, otherwise apply fails.

I tried it with both

Terraform v0.11.5
+ provider.aws v1.11.0

and

Terraform v0.11.7
+ provider.aws v1.11.0

Plan and failure:

  + module.core.aws_route.lala
      id:                         <computed>
      destination_cidr_block:     "10.242.2.0/24"
      destination_prefix_list_id: <computed>
      egress_only_gateway_id:     <computed>
      gateway_id:                 <computed>
      instance_id:                <computed>
      instance_owner_id:          <computed>
      nat_gateway_id:             <computed>
      network_interface_id:       <computed>
      origin:                     <computed>
      route_table_id:             "rtb-123456"
      state:                      <computed>
      vpc_peering_connection_id:  "pcx-123456"

module.core.aws_route.lala: Creating...
  destination_cidr_block:     "" => "10.242.2.0/24"
  destination_prefix_list_id: "" => "<computed>"
  egress_only_gateway_id:     "" => "<computed>"
  gateway_id:                 "" => "<computed>"
  instance_id:                "" => "<computed>"
  instance_owner_id:          "" => "<computed>"
  nat_gateway_id:             "" => "<computed>"
  network_interface_id:       "" => "<computed>"
  origin:                     "" => "<computed>"
  route_table_id:             "" => "rtb-123456"
  state:                      "" => "<computed>"
  vpc_peering_connection_id:  "" => "pcx-123456"

Error: Error applying plan:

* module.core.aws_route.lala: 1 error(s) occurred:

* aws_route.lala: Error creating route: RouteAlreadyExists: The route identified by 10.242.2.0/24 already exists.
	status code: 400, request id: abcdefg-123456

The solution is:

  • either import the aws_route. But as far as I understand, it is not possible right now
  • or delete the route on the aws side

So a workaround exists, but an import would be ideal.

@YakDriver
Member

YakDriver commented Aug 24, 2018

@vkatsikaros and @AMMullan and @frittentheke This enhancement for aws_route is pending in PR #5687.

YakDriver referenced this issue in YakDriver/terraform-provider-aws Aug 29, 2018
Enable use of standard import mechanism to import aws_route
resources. The enhancement was complicated by AWS not assigning
route table routes (aws_route) an ID. However, a route can be
uniquely identified with a route table ID and CIDR destination.
Thus, creating a pseudo ID defined by
r-ROUTETABLEID_CIDRDESTINATION allows routes to be identified and
imported.

Related hashicorp#5631, #704, hashicorp/terraform#13779
@bflad
Contributor

bflad commented Aug 30, 2018

Support for importing aws_route resources has been merged into master and will release with version 1.34.0 of the AWS provider, likely later today.

@flickerfly

Could someone provide an example of what the import would look like? I don't understand what the ID should be or where to find it.

@lorengordon
Contributor

@flickerfly It's the <route-table-id>_<destination_cidr>. Examples are in the import section of the aws_route doc...
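
An added example, not part of the thread or the provider's code: it builds `terraform import` lines in the `<route-table-id>_<destination_cidr>` format from route table data. The sample JSON is constructed in the shape of `aws ec2 describe-route-tables` output, and the `aws_route.<prefix>_<n>` resource addresses are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Constructed sample shaped like `aws ec2 describe-route-tables` output.
const sampleJSON = `{"RouteTables":[{"RouteTableId":"rtb-123456","Routes":[
 {"DestinationCidrBlock":"10.0.0.0/16","GatewayId":"local","Origin":"CreateRouteTable"},
 {"DestinationCidrBlock":"10.242.2.0/24","VpcPeeringConnectionId":"pcx-123456","Origin":"CreateRoute"},
 {"DestinationCidrBlock":"192.168.0.0/24","GatewayId":"vgw-123456","Origin":"EnableVgwRoutePropagation"}]}]}`

type describeOutput struct {
	RouteTables []struct {
		RouteTableId string
		Routes       []struct{ DestinationCidrBlock, Origin string }
	}
}

// ImportCommands builds `terraform import` lines; the resource addresses are hypothetical.
func ImportCommands(raw []byte, prefix string) ([]string, error) {
	var out describeOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, err
	}
	var cmds []string
	for _, rt := range out.RouteTables {
		for _, r := range rt.Routes {
			// Skip the implicit local route and VGW-propagated routes.
			if r.Origin != "CreateRoute" || r.DestinationCidrBlock == "" {
				continue
			}
			if _, _, err := net.ParseCIDR(r.DestinationCidrBlock); err != nil {
				return nil, fmt.Errorf("route table %s: %v", rt.RouteTableId, err)
			}
			// Import ID format from this thread: <route-table-id>_<destination_cidr>.
			cmds = append(cmds, fmt.Sprintf("terraform import aws_route.%s_%d %s_%s",
				prefix, len(cmds), rt.RouteTableId, r.DestinationCidrBlock))
		}
	}
	return cmds, nil
}

func main() {
	cmds, err := ImportCommands([]byte(sampleJSON), "imported")
	fmt.Println(cmds, err)
}
```

Each generated address needs a matching `aws_route` resource block in the configuration before the import is run.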

@flickerfly

@lorengordon, Thanks!

@flickerfly

flickerfly commented Sep 20, 2018

@YakDriver Should this work if the route table is from a remote state?

$ terraform import aws_route.stable_to_mail_temp_route[2] rtb-09e9b7df22051b1d1_192.168.0.0/24
aws_route.stable_to_mail_temp_route: Importing from ID "rtb-09e9b7df22051b1d1_192.168.0.0/24"...
aws_route.stable_to_mail_temp_route: Import complete!
  Imported aws_route (ID: r-rtb-09e9b7df22051b1d14165679356)
aws_route.stable_to_mail_temp_route: Refreshing state... (ID: r-rtb-09e9b7df22051b1d14165679356)

Error: aws_route.stable_to_mail_temp_route[2] (import id: rtb-09e9b7df22051b1d1_192.168.0.0/24): 1 error(s) occurred:

* import aws_route.stable_to_mail_temp_route[2] result: r-rtb-09e9b7df22051b1d14165679356: import aws_route.stable_to_mail_temp_route (id: r-rtb-09e9b7df22051b1d14165679356): Terraform detected a resource with this ID doesn't
exist. Please verify the ID is correct. You cannot import non-existent
resources using Terraform import.

@lorengordon
Contributor

lorengordon commented Sep 20, 2018

I don't think it should matter where the route table exists, as long as the import is executed with a provider that has credentials to the account. If your tf config uses multiple providers, pass -provider X to the import command, where X is the provider alias.

-provider=provider      Specific provider to use for import. This is used for
                        specifying aliases, such as "aws.eu". Defaults to the
                        normal provider prefix of the resource being imported.

But, I haven't yet used the remote state data source, so maybe I'm wrong. 🤷‍♂️

@pmacdougall

Any update/progress on importing aws_network_acl_rule resources?

@bflad
Contributor

bflad commented Mar 31, 2020

Hi folks 👋 Let's track aws_network_acl_rule resource import support in #10983 -- aws_route resource import support has been possible for a while now. 👍

@bflad bflad closed this as completed Mar 31, 2020
@ghost

ghost commented Apr 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 30, 2020