import of aws_key_pair fails because it ignores assumed role of provider

[ghost]

Hi,

i'm trying to import two ssh key pairs that already exist in AWS, to link them to the resource entries in my .tf file (see below for the .tf file)

when i execute this:

terraform import aws_key_pair.prod_ssh_key aws_cccs_prod

then terraform is complaining that the key i'm trying to import does not exist:

Terraform detected a resource with this ID doesn't exist. Please verify the ID is correct. You cannot import non-existent resources using Terraform import.

I'm pretty sure the reason is either that the import ignores the provider attribute in the aws_key_pair resource (and therefore looks for the key in the wrong account), or it may have something to do with the fact that i don't have defined a default provider (provider without an alias) and therefore the import may be looking in the account my credentials are associated with?

My credentials (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY) are set to an AWS account that holds only user accounts and no resources of it's own. From this account we use assume role to switch to our development and production accounts that hold the actual resources, in this case the key pairs.

I assume that the import is ignoring the assume role that is defined in the two providers and therefore looks for the keys in the account that holds only our user accounts.

I can kinda get this to work if i provide a default provider (one without alias) that assumes the development role for example, then i can import the dev-keypair (and only that one). then i switch the default provider to the production role and can import the prod key. but later on, during plan and apply terraform tries to do non-plausible changes that imply it does not associate the imported keys with the right account. so it's not really a viable workaround.

I would consider this a bug.

best regards
Mario

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

terraform -v
Terraform v0.11.7

• provider.aws v1.29.0
• provider.tls v1.1.0

Affected Resource(s)

• aws_key_pair

Terraform Configuration Files

provider "aws" {
  alias   = "DevelopmentAndTest"
  version = "~> 1.28"
  region  = "${var.region}"

  assume_role {
    role_arn     = "arn:aws:iam::<redacted>:role/TerraformDevelopmentAndTestRole"
  }  
}

provider "aws" {
  alias   = "Production"
  version = "~> 1.28"
  region  = "${var.region}"

  assume_role {
    role_arn     = "arn:aws:iam::<redacted>:role/TerraformProductionRole"
  }  
}

terraform {
  backend "s3" {
    encrypt = true
  }
}

resource "aws_key_pair" "dev_ssh_key" {
  provider	 = "aws.DevelopmentAndTest"
  key_name   = "aws_cccs_dev"
  public_key = "ssh-rsa <redacted> aws_cccs_dev"
}

resource "aws_key_pair" "prod_ssh_key" {
  provider	 = "aws.Production"
  key_name   = "aws_cccs_prod"
  public_key = "ssh-rsa <redacted> aws_cccs_prod"
}

Expected Behavior

i would have expected that both key pairs can be imported, since they exist and the providers are configured correctly to point to the two different accounts where the keys are located.

Actual Behavior

see above (beginning of post)

[bflad]

Hi @maxdreamland 👋

Does importing work if you add the terraform import -provider flag? e.g.

terraform import -provider=aws.Production aws_key_pair.prod_ssh_key aws_cccs_prod

[ghost]

Hi,

and thanks for your advice!

yes that actually worked. I was able to import both key pairs with that method. and "terraform plan" looks plausible too now.

that seems to confirm that the provider attribute specified in the aws_key_pair resource is ignored, right? so maybe there's still a todo?

I noticed one more thing in the "terraform plan", it shows the public_key attribute of the imported key to be empty (which it is not in reality), but i assume thats because you probably can't query the public key via the aws cli for security reasons, right?

If that's the case, should i use lifecycle/ignore_changes on the public_key field to avoid terraform reapplying the key pair over and over again?

[bflad]

@maxdreamland hope these answer your questions:

that seems to confirm that the provider attribute specified in the aws_key_pair resource is ignored, right? so maybe there's still a todo?

If you remove the provider argument on your resources (e.g. provider = "aws.Production") you should notice that Terraform says it needs to recreate them as it should not be able to read them from AWS anymore.

should i use lifecycle/ignore_changes on the public_key field to avoid terraform reapplying the key pair over and over again

Correct! In this case, we can only retrieve the key name and fingerprint from the EC2 API: https://docs.aws.amazon.com/sdk-for-go/api/service/ec2/#KeyPairInfo

[ghost]

alright then. Thank you for your help with this. I think this can be closed now.

best regards
Mario.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!