从 AWS 导入 VPC 配置答案

【问题标题】：Import VPC config from AWS从 AWS 导入 VPC 配置
【发布时间】：2021-07-09 16:21:38
【问题描述】：

我无法从 Terraform 导入现有的 VPC 配置。

创建这个网络的原始代码是：

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> v2.66"

  name = "my-vpc"
  cidr = var.vpc_cidr

  azs              = var.availability_zones
  private_subnets  = var.vpc_private_subnets
  public_subnets   = var.vpc_public_subnets
  database_subnets = var.vpc_database_subnets
  redshift_subnets = var.vpc_redshift_subnets

  enable_nat_gateway     = true
  enable_vpn_gateway     = true
  enable_public_redshift = true

  enable_dns_hostnames = true

  tags = merge(
    tomap({
      "kubernetes.io/cluster/my-production-cluster-" = "shared"
      "kubernetes.io/role/internal-elb"              = ""
      "kubernetes.io/role/elb"                       = ""
  }))
  public_subnet_tags  = merge(tomap({ "kubernetes.io/role/elb" = "1" }))
  private_subnet_tags = merge(tomap({ "kubernetes.io/role/internal-elb" = "1" }))
}

每个网络变量由两个子网组成。

现在我必须为此模块创建一个新的 terraform 配置并将其与现有 VPC 绑定。在规划完之后，Terraform 建议我重新创建所有与 VPC 相关的基础架构。

所以，我正在尝试这样导入它：

terraform import module.vpc.aws_vpc.this vpc-XXXXX

通过没有错误，所有其余命令都给了我相同的图片：

$ terraform import module.vpc.aws_vpn_gateway.this igw-XXX
module.vpc.aws_vpn_gateway.this: Importing from ID "igw-XXX"...
module.vpc.aws_vpn_gateway.this: Import prepared!
  Prepared aws_vpn_gateway for import
module.vpc.aws_vpn_gateway.this: Refreshing state... [id=igw-XXX]

Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "module.vpc.aws_vpn_gateway.this", the provider detected that no object exists with the given id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's
│ configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.

或

$ terraform import module.vpc.aws_db_subnet_group.database my-production-vpc-db-us-east-2a
module.vpc.aws_db_subnet_group.database: Importing from ID "my-production-vpc-db-us-east-2a"...
module.vpc.aws_db_subnet_group.database: Import prepared!
  Prepared aws_db_subnet_group for import
module.vpc.aws_db_subnet_group.database: Refreshing state... [id=my-production-vpc-db-us-east-2a]

Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "module.vpc.aws_db_subnet_group.database", the provider detected that no object exists with the given id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the
│ provider's configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.

我尝试过其他方法来输入类似的资源名称：

terraform import module.vpc.aws_vpn_gateway.this[0] igw-XXX
terraform import module.vpc.aws_vpn_gateway.this[\"0\"] igw-XXX
terraform import 'module.vpc.aws_vpn_gateway.this[0]' igw-XXX

terraform import module.vpc.aws_db_subnet_group.database[0] my-production-vpc-db-us-east-2a
terraform import module.vpc.aws_db_subnet_group.database[\"0\"] my-production-vpc-db-us-east-2a
terraform import 'module.vpc.aws_db_subnet_group.database[0]' my-production-vpc-db-us-east-2a

一切都没有运气。

这是地形计划的片段：

 # module.vpc.aws_db_subnet_group.database[0] will be created
  + resource "aws_db_subnet_group" "database" {
      + arn         = (known after apply)
      + description = "Database subnet group for adboost-production-vpc"
      + id          = (known after apply)
      + name        = "my-vpc"
      + name_prefix = (known after apply)
      + subnet_ids  = (known after apply)
      + tags        = {
          + "Name"                                                  = "my-vpc"
          + "kubernetes.io/cluster/my-production-cluster-"          = "shared"    
          + "kubernetes.io/role/elb"                                = ""
          + "kubernetes.io/role/internal-elb"                       = ""
        }
      + tags_all    = {
          + "Name"                                                  = "my-vpc"
          + "kubernetes.io/cluster/my-production-cluster-"          = "shared"    
          + "kubernetes.io/role/elb"                                = (known after apply)
          + "kubernetes.io/role/internal-elb"                       = (known after apply)
        }
    }

...

 # module.vpc.aws_vpn_gateway.this[0] will be created
  + resource "aws_vpn_gateway" "this" {
      + amazon_side_asn = "64512"
      + arn             = (known after apply)
      + id              = (known after apply)
      + tags            = {
          + "Name"                                                  = "my-vpc"
          + "kubernetes.io/cluster/my-production-cluster-"          = "shared"    
          + "kubernetes.io/role/elb"                                = ""
          + "kubernetes.io/role/internal-elb"                       = ""
        }
      + tags_all        = {
          + "Name"                                                  = "my-vpc"
          + "kubernetes.io/cluster/my-production-cluster-"          = "shared"    
          + "kubernetes.io/role/elb"                                = (known after apply)
          + "kubernetes.io/role/internal-elb"                       = (known after apply)
        }
      + vpc_id          = "vpc-XXX"
    }

VPC 模块的其他部分在导入时也有同样的错误

【问题讨论】：

标签： amazon-web-services terraform

【解决方案1】：

VPN 网关和 Internet 网关不是一回事，这就解释了为什么该资源无法导入。

根据the documentation，您应该在导入数据库子网组时指定它的“名称”。那么现有的数据库子网组的名称是什么？是像您在导入命令中尝试的那样是“my-production-vpc-db-us-east-2a”，还是像您在 Terraform 文件中配置的那样是“my-vpc”？

【讨论】：

> 那么现有的数据库子网组的名称是什么？我有 2 个子网组：my-production-vpc-db-us-east-2a 和 my-production-vpc-db-us-east-2b。我正在尝试在导入命令中使用其中一个（在 AWS 控制台中找到）。请注意，Terraform 配置已从 Terraform 0.14 迁移到 Terraform 1.0，并且插件已更新，因此我不确定旧配置看起来是否完全相同，但我确实记得，我没有为 DB 子网组明确设置名称.