Terraform Search Import

1---2name: terraform-search-import3description: Discover existing cloud resources using Terraform Search queries and bulk import them into Terraform management. Use when bringing unmanaged infrastructure under Terraform control, auditing cloud resources, or migrating to IaC.4metadata:5  copyright: Copyright IBM Corp. 20266  version: "0.1.0"7compatibility: Requires Terraform >= 1.14 and providers with list resource support (always use latest provider version)8---9 10# Terraform Search and Bulk Import11 12Discover existing cloud resources using declarative queries and generate configuration for bulk import into Terraform state.13 14**References:**15- [Terraform Search - list block](https://developer.hashicorp.com/terraform/language/block/tfquery/list)16- [Bulk Import](https://developer.hashicorp.com/terraform/language/import/bulk)17 18## When to Use19 20- Bringing unmanaged resources under Terraform control21- Auditing existing cloud infrastructure22- Migrating from manual provisioning to IaC23- Discovering resources across multiple regions/accounts24 25## IMPORTANT: Check Provider Support First26 27**BEFORE starting, you MUST verify the target resource type is supported:**28 29```bash30# Check what list resources are available31./scripts/list_resources.sh aws      # Specific provider32./scripts/list_resources.sh          # All configured providers33```34 35## Decision Tree36 371. **Identify target resource type** (e.g., aws_s3_bucket, aws_instance)382. **Check if supported**: Run `./scripts/list_resources.sh <provider>`393. **Choose workflow**:40   - ** If supported**: Check for terraform version available.41   - ** If terraform version is above 1.14.0** Use Terraform Search workflow (below)42   - ** If not supported or terraform version is below 1.14.0 **: Use Manual Discovery workflow (see [references/MANUAL-IMPORT.md](references/MANUAL-IMPORT.md))43   44   **Note**: The list of supported resources is rapidly expanding. Always verify current support before using manual import.45 46## Prerequisites47 48Before writing queries, verify the provider supports list resources for your target resource type.49 50### Discover Available List Resources51 52Run the helper script to extract supported list resources from your provider:53 54```bash55# From a directory with provider configuration (runs terraform init if needed)56./scripts/list_resources.sh aws      # Specific provider57./scripts/list_resources.sh          # All configured providers58```59 60Or manually query the provider schema:61 62```bash63terraform providers schema -json | jq '.provider_schemas | to_entries | map({key: (.key | split("/")[-1]), value: (.value.list_resource_schemas // {} | keys)})'64```65 66Terraform Search requires an initialized working directory. Ensure you have a configuration with the required provider before running queries:67 68```hcl69# terraform.tf70terraform {71  required_providers {72    aws = {73      source  = "hashicorp/aws"74      version = "~> 6.0"75    }76  }77}78```79 80Run `terraform init` to download the provider, then proceed with queries.81 82## Terraform Search Workflow (Supported Resources Only)83 841. Create `.tfquery.hcl` files with `list` blocks defining search queries852. Run `terraform query` to discover matching resources863. Generate configuration with `-generate-config-out=<file>`874. Review and refine generated `resource` and `import` blocks885. Run `terraform plan` and `terraform apply` to import89 90## Query File Structure91 92Query files use `.tfquery.hcl` extension and support:93- `provider` blocks for authentication94- `list` blocks for resource discovery95- `variable` and `locals` blocks for parameterization96 97```hcl98# discovery.tfquery.hcl99provider "aws" {100  region = "us-west-2"101}102 103list "aws_instance" "all" {104  provider = aws105}106```107 108## List Block Syntax109 110```hcl111list "<list_type>" "<symbolic_name>" {112  provider = <provider_reference>  # Required113 114  # Optional: filter configuration (provider-specific)115  # The `config` block schema is provider-specific. Discover available options using `terraform providers schema -json | jq '.provider_schemas."registry.terraform.io/hashicorp/<provider>".list_resource_schemas."<resource_type>"'`116 117  config {118    filter {119      name   = "<filter_name>"120      values = ["<value1>", "<value2>"]121    }122    region = "<region>"  # AWS-specific123  }124  # Optional: limit results125  limit = 100126}127```128 129## Supported List Resources130 131Provider support for list resources varies by version. **Always check what's available for your specific provider version using the discovery script.**132 133## Query Examples134 135### Basic Discovery136 137```hcl138# Find all EC2 instances in configured region139list "aws_instance" "all" {140  provider = aws141}142```143 144### Filtered Discovery145 146```hcl147# Find instances by tag148list "aws_instance" "production" {149  provider = aws150  151  config {152    filter {153      name   = "tag:Environment"154      values = ["production"]155    }156  }157}158 159# Find instances by type160list "aws_instance" "large" {161  provider = aws162  163  config {164    filter {165      name   = "instance-type"166      values = ["t3.large", "t3.xlarge"]167    }168  }169}170```171 172### Multi-Region Discovery173 174```hcl175provider "aws" {176  region = "us-west-2"177}178 179locals {180  regions = ["us-west-2", "us-east-1", "eu-west-1"]181}182 183list "aws_instance" "all_regions" {184  for_each = toset(local.regions)185  provider = aws186  187  config {188    region = each.value189  }190}191```192 193### Parameterized Queries194 195```hcl196variable "target_environment" {197  type    = string198  default = "staging"199}200 201list "aws_instance" "by_env" {202  provider = aws203  204  config {205    filter {206      name   = "tag:Environment"207      values = [var.target_environment]208    }209  }210}211```212 213## Running Queries214 215```bash216# Execute queries and display results217terraform query218 219# Generate configuration file220terraform query -generate-config-out=imported.tf221 222# Pass variables223terraform query -var='target_environment=production'224```225 226## Query Output Format227 228```229list.aws_instance.all   account_id=123456789012,id=i-0abc123,region=us-west-2   web-server230```231 232Columns: `<query_address>   <identity_attributes>   <name_tag>`233 234## Generated Configuration235 236The `-generate-config-out` flag creates:237 238```hcl239# __generated__ by Terraform240resource "aws_instance" "all_0" {241  ami           = "ami-0c55b159cbfafe1f0"242  instance_type = "t2.micro"243  # ... all attributes244}245 246import {247  to       = aws_instance.all_0248  provider = aws249  identity = {250    account_id = "123456789012"251    id         = "i-0abc123"252    region     = "us-west-2"253  }254}255```256 257## Post-Generation Cleanup258 259Generated configuration includes all attributes. Clean up by:260 2611. Remove computed/read-only attributes2622. Replace hardcoded values with variables2633. Add proper resource naming2644. Organize into appropriate files265 266```hcl267# Before: generated268resource "aws_instance" "all_0" {269  ami                    = "ami-0c55b159cbfafe1f0"270  instance_type          = "t2.micro"271  arn                    = "arn:aws:ec2:..."  # Remove - computed272  id                     = "i-0abc123"        # Remove - computed273  # ... many more attributes274}275 276# After: cleaned277resource "aws_instance" "web_server" {278  ami           = var.ami_id279  instance_type = var.instance_type280  subnet_id     = var.subnet_id281  282  tags = {283    Name        = "web-server"284    Environment = var.environment285  }286}287```288 289## Import by Identity290 291Generated imports use identity-based import (Terraform 1.12+):292 293```hcl294import {295  to       = aws_instance.web296  provider = aws297  identity = {298    account_id = "123456789012"299    id         = "i-0abc123"300    region     = "us-west-2"301  }302}303```304 305## Best Practices306 307### Query Design308- Start broad, then add filters to narrow results309- Use `limit` to prevent overwhelming output310- Test queries before generating configuration311 312### Configuration Management313- Review all generated code before applying314- Remove unnecessary default values315- Use consistent naming conventions316- Add proper variable abstraction317 318## Troubleshooting319 320| Issue | Solution |321|-------|----------|322| "No list resources found" | Check provider version supports list resources |323| Query returns empty | Verify region and filter values |324| Generated config has errors | Remove computed attributes, fix deprecated arguments |325| Import fails | Ensure resource not already in state |326 327## Complete Example328 329```hcl330# main.tf - Initialize provider331terraform {332  required_version = ">= 1.14"333  required_providers {334    aws = {335      source  = "hashicorp/aws"336      version = "~> 6.0"  # Always use latest version337    }338  }339}340 341# discovery.tfquery.hcl - Define queries342provider "aws" {343  region = "us-west-2"344}345 346list "aws_instance" "team_instances" {347  provider = aws348  349  config {350    filter {351      name   = "tag:Owner"352      values = ["platform"]353    }354    filter {355      name   = "instance-state-name"356      values = ["running"]357    }358  }359  360  limit = 50361}362```363 364```bash365# Execute workflow366terraform init367terraform query368terraform query -generate-config-out=generated.tf369# Review and clean generated.tf370terraform plan371terraform apply372```