Import Terraform Configuration

27min
|
Terraform

Terraform supports bringing your existing infrastructure under its management. By importing resources into Terraform, you can safely and
consistently manage your infrastruture using a predictable workflow.

When you create new infrastructure with Terraform, you usually use the following workflow:

Write Terraform configuration that defines the infrastructure you want to create.
Review the Terraform plan to ensure the configuration will result in the expected infrastructure.
Apply the configuration to have Terraform create your infrastructure.

Typical Terraform workflow: Write config, review plan, apply

Terraform stores information about your infrastructure in a state file. To update your infrastructure, you first modify your configuration, and then use Terraform to plan and apply the required changes. Terraform uses the data in your state file to determine the changes it needs to make to your infrastructure.

You can use the import command to migrate existing resources into your Terraform state file. The import command does not currently generate the configuration for the imported resource, so you must write the corresponding configuration block to map the imported resource to it.

Importing infrastructure involves five steps:

Identify the existing infrastructure you will import.
Import infrastructure into your Terraform state file.
Write Terraform configuration that matches that infrastructure.
Review the Terraform plan to ensure the configuration matches the expected state and infrastructure.
Apply the configuration to update your Terraform state.

Terraform import workflow: Identify infrastructure, import into state, write config, review plan, apply

In this tutorial, you will create a Docker container with the Docker CLI. Then, you will import the container into a new Terraform project and begin using the Terraform workflow to modify the container.

Warning

Importing infrastructure manipulates Terraform state and can corrupt the state file for existing projects. Make a backup of your terraform.tfstate file and .terraform directory before using Terraform import on a real Terraform project, and store them securely.

Prerequisites

You can complete this tutorial using the same workflow with either Terraform OSS or Terraform Cloud.

Terraform Cloud is a platform that you can use to manage and execute your Terraform projects. It includes features like remote state and execution, structured plan output, workspace resource summaries, and more.

Select the Terraform Cloud tab to complete this tutorial using Terraform Cloud.

This tutorial assumes that you are familiar with the Terraform workflow. If you are new to Terraform, complete the Get Started collection first.

In order to complete this tutorial, you will need the following:

Docker installed and running.
Terraform v1.2+ installed locally.

This tutorial uses Terraform Cloud for remote state storage and assumes that you are familiar with the Terraform and Terraform Cloud workflows. If you are new to Terraform, complete the Get Started collection first. If you are new to Terraform Cloud, complete the Terraform Cloud Get Started tutorials first.

In order to complete this tutorial, you will need the following:

Docker installed and running.
Terraform v1.2+ installed locally.
A Terraform Cloud account with Terraform Cloud locally authenticated.

Create a Docker container

Create a container named hashicorp-learn using the latest NGINX image from Docker Hub, and publish that container's port 80 (HTTP) to your local host system's port 8080. You will import this container in this tutorial.

$ docker run --name hashicorp-learn --detach --publish "0.0.0.0:8080:80" nginx:latest
Unable to find image 'nginx:latest' locally
latest: Pulling from library/nginx
afb6ec6fdc1c: Pull complete
dd3ac8106a0b: Pull complete
8de28bdda69b: Pull complete
a2c431ac2669: Pull complete
e070d03fd1b5: Pull complete
Digest: sha256:883874c218a6c71640579ae54e6952398757ec65702f4c8ba7675655156fcca6
Status: Downloaded newer image for nginx:latest
e7ba41fd94e51c501533241e4cffd307fbda81c5b402c372d989c4578518d2e5

Use docker ps to verify that the container is running.

$ docker ps --filter="name=hashicorp-learn"
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                  NAMES
e7ba41fd94e5        nginx:latest        "/docker-entrypoint.…"   About a minute ago   Up 59 seconds       0.0.0.0:8080->80/tcp   hashicorp-learn

Visit the address 0.0.0.0:8080 in your web browser to see the NGINX default index page.

Now you have a Docker image and container to import into your project and manage with Terraform.

Initialize configuration

Now, clone the example repository for this tutorial.

$ git clone https://github.com/hashicorp/learn-terraform-import.git

Change to the repository directory.

$ cd learn-terraform-import

This directory organizes Terraform configuration across three files:

terraform.tf configures the Terraform and provider versions
main.tf configures the Docker provider
docker.tf will contain the configuration for Docker container you import

Initialize this configuration.

$ terraform init
Initializing the backend...
##...
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Open your terraform.tf file and uncomment the cloud block. Replace the organization name with your own Terraform Cloud organization.

terraform.tf

terraform {
  cloud {
    organization = "organization-name"
    workspaces {
      name = "learn-terraform-import"
    }
  }

    required_providers {
     docker = {
         source  = "kreuzwerker/docker"
         version = "~> 2.17.0"
     }
    }

 required_version = "~> 1.2"
}

Initialize your configuration. Terraform will automatically create the learn-terraform-import workspace in your Terraform Cloud organization.

$ terraform init
Initializing Terraform Cloud...
Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/aws v4.4.0...
- Installed hashicorp/aws v4.4.0 (signed by HashiCorp)
Terraform Cloud has been successfully initialized!
You may now begin working with Terraform Cloud. Try running "terraform plan" to
see any changes that are required for your infrastructure.
If you ever set or change modules or Terraform Settings, run "terraform init"
again to reinitialize your working directory.

Because this tutorial uses a Docker container as the example resource to import, you must use local execution with Terraform Cloud. This workflow lets you run Terraform operations locally, letting Terraform access containers and resources on your local machine. It then stores your state file in Terraform Cloud for easy collaboration and versioning.

To enable local execution, navigate to your new learn-terraform-import workspace in Terraform Cloud. In the workspace's General settings, select Local under Execution Mode, then click Save settings.

Enable local execution for Terraform Cloud workspace

Import the container into Terraform

Next, define an empty docker_container resource in your docker.tf file, which represents a Docker container with the Terraform resource ID docker_container.web.

docker.tf

resource "docker_container" "web" {}

Next, run docker ps to find the name of the container you want to import - in this case, the container you created in the previous step.

$ docker ps --filter "name=hashicorp-learn"
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                  NAMES
d45091b71212        nginx:latest        "nginx -g 'daemon of…"   18 minutes ago      Up 18 minutes       0.0.0.0:8080->80/tcp   hashicorp-learn

Now run terraform import to attach the existing Docker container to the docker_container.web resource you just created. Terraform import requires this Terraform resource ID and the full Docker container ID. In the following example, the command docker inspect --format="{{.ID}}" hashicorp-learn returns the full SHA256 container ID.

$ terraform import docker_container.web $(docker inspect --format="{{.ID}}" hashicorp-learn)
docker_container.web: Importing from ID "d45091b7121266f0c0e69dd9985acdefd110a66bcedbd03797e3606fb0a7d7ee"...
docker_container.web: Import prepared!
  Prepared docker_container for import
docker_container.web: Refreshing state... [id=d45091b7121266f0c0e69dd9985acdefd110a66bcedbd03797e3606fb0a7d7ee]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Note

The ID terraform import requires varies by resource type. You can find the required ID in the provider documentation for the resource you wish to import. For this example, consult the Docker provider documentation.

Review the contents of your state file by running terraform show.

$ terraform show
# docker_container.web:
resource "docker_container" "web" {
    command           = [
      "nginx",
      "-g",
      "daemon off;",
    ]

    ## ...

    ports {
      external = 8080
      internal = 80
      ip       = "0.0.0.0"
      protocol = "tcp"
    }
}

Importing the container pulled all of the displayed data about the resource into your state file under the resource ID you specified (docker_container.web). However, Terraform import does not create the configuration for the resource.

Create configuration

In order to continue managing the imported container using Terraform, you must also create corresponding configuraton for it.

Run terraform plan. Terraform shows errors because your configuration does not have the required image and name arguments for the container resource. Terraform cannot generate a plan for a resource that is missing required arguments.

$ terraform plan

Error: Missing required argument

  on docker.tf line 1, in resource "docker_container" "web":
   1: resource "docker_container" "web" { }

The argument "name" is required, but no definition was found.


Error: Missing required argument

  on docker.tf line 1, in resource "docker_container" "web":
   1: resource "docker_container" "web" { }

The argument "image" is required, but no definition was found.

There are two approaches you can use to update the configuration in docker.tf to match the state you imported:

Accept entire current state as-is. This approach is often faster, but can lead to overly verbose configuration since not all attributes in state are necessary in the configuration.
Cherry-pick required attributes into configuration one at a time. This creates a more manageable configuration, but requires understanding which attributes are required.

You may find both of these methods useful in different circumstances. Try either or both of these approaches using the tabs below.

To use current state as configuration, you will:

Copy the Terraform state for the imported resource into a configuration file. You will base the configuration for the resource on its definition in state.
Run terraform plan to identify and remove read-only configuration arguments.
Re-run terraform plan to confirm the configuration is correct.
Run terraform apply to finish synchronizing your configuration, state, and infrastructure.

Use terraform show to copy your Terraform state into your docker.tf file.

$ terraform show -no-color > docker.tf

Warning

The > symbol replaces the entire contents of docker.tf with the output of the terraform show command. If your configuration already manages other resources, you must edit the output of terraform show to remove existing resources whose configuration you do not want to replace, and merge the new resources into your existing configuration.

Review the contents of docker.tf.

Now run terraform plan. Terraform will show warnings and errors about a deprecated argument (links), and several read-only arguments (ip_address, network_data, gateway, ip_prefix_length, id).

$ terraform plan
│ Error: Invalid or unknown key
│
│   with docker_container.web,
│   on docker.tf line 17, in resource "docker_container" "web":
│   17:     id                = "5cf0052f45a4c22e6b077ca476cd0f584f4e874b64c1a7c89e8a3ceb2e41bad6"
│
╵
╷
│ Error: Value for unconfigurable attribute
│
│   with docker_container.web,
│   on docker.tf line 27, in resource "docker_container" "web":
│   27:     network_data      = [
│   28:         {
│   29:             gateway                   = "172.17.0.1"
│   30:             global_ipv6_address       = ""
│   31:             global_ipv6_prefix_length = 0
│   32:             ip_address                = "172.17.0.2"
│   33:             ip_prefix_length          = 16
│   34:             ipv6_gateway              = ""
│   35:             mac_address               = "02:42:ac:11:00:02"
│   36:             network_name              = "bridge"
│   37:         },
│   38:     ]
│
│ Can't configure a value for "network_data": its value will be decided automatically based on the result of applying this configuration.

These read-only arguments are Docker container attributes that Terraform stores in state but that it cannot set through configuration because Docker manages them internally. Terraform can set the links argument with configuration, but still throws a warning because the argument is deprecated and future versions of the Docker provider may not support it.

Remove all six of these attributes from your docker.tf configuration file before continuing with the next step.

docker.tf

##...
    group_add         = []
    hostname          = "5cf0052f45a4"
-    id                = "5cf0052f45a4c22e6b077ca476cd0f584f4e874b64c1a7c89e8a3ceb2e41bad6"
    image             = "sha256:9e7e7b26c784556498f584508123ae46da82b4915e262975893be4c8ec8009a5"
    init              = false
    ipc_mode          = "private"
    log_driver        = "json-file"
    log_opts          = {}
    max_retry_count   = 0
    memory            = 0
    memory_swap       = 0
    name              = "hashicorp-learn"
-    network_data      = [
-        {
-            gateway                   = "172.17.0.1"
-            global_ipv6_address       = ""
-            global_ipv6_prefix_length = 0
-            ip_address                = "172.17.0.2"
-            ip_prefix_length          = 16
-            ipv6_gateway              = ""
-            mac_address               = "02:42:ac:11:00:02"
-            network_name              = "bridge"
-        },
-    ]
    network_mode      = "default"
    privileged        = false
    publish_all_ports = false
##...

When importing real infrastructure, consult the provider documentation to learn what each argument does. This will help you determine how to handle any errors or warnings from the plan step. For example, the documentation for the links argument is in the Docker provider documentation.

Now verify that you resolved the errors by re-running terraform plan.

$ terraform plan
docker_container.web: Refreshing state... [id=772ad3901a62667a28f4d7e6cc52a55fbadad13d544be811d4bc18bf455e1909]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # docker_container.web must be replaced
-/+ resource "docker_container" "web" {
      + attach            = false
      + bridge            = (known after apply)
      + container_logs    = (known after apply)
      - dns               = [] -> null
      - dns_opts          = [] -> null
      - dns_search        = [] -> null
      + env               = (known after apply) # forces replacement
      + exit_code         = (known after apply)
      ## ...
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Notice that Terraform plans to destroy then recreate your Docker container because your configuration does not set the env attribute..

Add env to your docker_container.web resource.

docker.tf

 resource "docker_container" "web" {
     command           = [
         "nginx",
         "-g",
         "daemon off;",
     ]
     cpu_shares        = 0
     dns               = []
     dns_opts          = []
     dns_search        = []
     entrypoint        = [
         "/docker-entrypoint.sh",
     ]
     group_add         = []
+    env               = []

     ## ...
 }

Verify that you resolved the errors by re-running terraform plan.

$ terraform plan
docker_container.web: Refreshing state... [id=5cf0052f45a4c22e6b077ca476cd0f584f4e874b64c1a7c89e8a3ceb2e41bad6]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # docker_container.web will be updated in-place
  ~ resource "docker_container" "web" {
      + attach                                      = false
      + container_read_refresh_timeout_milliseconds = 15000
        id                                          = "5cf0052f45a4c22e6b077ca476cd0f584f4e874b64c1a7c89e8a3ceb2e41bad6"
      + logs                                        = false
      + must_run                                    = true
        name                                        = "hashicorp-learn"
      + remove_volumes                              = true
      + start                                       = true
      + wait                                        = false
      + wait_timeout                                = 60
        # (33 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

The plan should now execute successfully. Notice that the plan indicates that Terraform will update the container in place to add the attach, logs, must_run, and start attributes.

Terraform uses these attributes to create Docker containers, but Docker does not store them. As a result, terraform import did not load their values into state. When you plan and apply your configuration, the Docker provider will assign the default values for these attributes and save them in state, but they will not affect the running container.

Note

Provider documentation may not indicate if a change is safe. You must understand the lifecycle of the underlying resource in order to know if a given change is safe to apply.

Apply the changes to finish syncing your Terraform configuration and state with the Docker container they represent. Remember to confirm the apply step with a yes.

$ terraform apply
docker_container.web: Refreshing state... [id=5cf0052f45a4c22e6b077ca476cd0f584f4e874b64c1a7c89e8a3ceb2e41bad6]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # docker_container.web will be updated in-place
  ~ resource "docker_container" "web" {
      + attach                                      = false
      + container_read_refresh_timeout_milliseconds = 15000
        id                                          = "5cf0052f45a4c22e6b077ca476cd0f584f4e874b64c1a7c89e8a3ceb2e41bad6"
      + logs                                        = false
      + must_run                                    = true
        name                                        = "hashicorp-learn"
      + remove_volumes                              = true
      + start                                       = true
      + wait                                        = false
      + wait_timeout                                = 60
        # (33 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

docker_container.web: Modifying... [id=5cf0052f45a4c22e6b077ca476cd0f584f4e874b64c1a7c89e8a3ceb2e41bad6]
docker_container.web: Modifications complete after 0s [id=5cf0052f45a4c22e6b077ca476cd0f584f4e874b64c1a7c89e8a3ceb2e41bad6]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Now your configuration file, Terraform state, and the container are all in sync, and you can use Terraform to manage the Terraform container as you normally would. Because this apply step changed the container's state rather than destroying and recreating it, the container ID did not change, and the container continued running during the process.

Since the approach shown here loads all of the attributes represented in Terraform state, your configuration includes optional attributes whose values are the same as their defaults. Which attributes are optional, and their default values, will vary from provider to provider, and can be found in the provider documentation.

Optionally, you can remove all of these attributes, keeping only the required attributes and any that are specific to your container. After removing these unnecessary attributes, your configuration should match the following.

docker.tf

resource "docker_container" "web" {
  image = "sha256:9e7e7b26c784556498f584508123ae46da82b4915e262975893be4c8ec8009a5"
  name  = "hashicorp-learn"
  env   = []

  ports {
    external = 8080
    internal = 80
    ip       = "0.0.0.0"
    protocol = "tcp"
  }
}

Note

Your image ID may be different from the one shown here.

At this point, running terraform plan or terraform apply will show no changes, and your configuration only includes the minimum set of attributes needed to recreate the container as-is.

To cherry-pick the configuration for your Docker container, you will add the missing required attributes which caused the errors in your plan. Terraform cannot generate a plan without all of the required attributes for your resource.

Run terraform show to find the correct values for the missing image and name attributes.

$ terraform show
# docker_container.web:
resource "docker_container" "web" {
  ## ...
  image             = "sha256:4392e5dad77dbaf6a573650b0fe1e282b57c5fba6e6cea00a27c7d4b68539b81"
  ## ...
  name              = "hashicorp-learn"
  ## ...
}

Copy these values into the "docker_container" "web" block in docker.tf. Replace the image ID with the value from the output of terraform show, not the one shown here.

docker.tf

resource "docker_container" "web" {
  name  = "hashicorp-learn"
  image = "sha256..."
}

This will resolve the errors from missing required attributes, but your configuration will not match the Terraform state or Docker container.

Run terraform plan again to see those differences. The plan will succeed, but applying it would destroy the existing container and add a new one with a different configuration, instead of bringing the existing container under Terraform's control.

$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

## ...

Terraform will perform the following actions:

  # docker_container.web must be replaced
-/+ resource "docker_container" "web" {
      + attach            = false
      + bridge            = (known after apply)
      ## ...

      + env               = (known after apply) # forces replacement

      ## ...

      - ports { # forces replacement
          - external = 8080 -> null
          - internal = 80 -> null
          - ip       = "0.0.0.0" -> null
          - protocol = "tcp" -> null
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

## ...

Your configuration is missing values for env and ports. The values loaded from state indicate that Docker exposes the container's port 80 as port 8080 in your host system. The output of Terraform plan shows that changes to the env and port attributes "forces replacement" of the container.

Resolve this by adding the env and ports attributes to the docker_container.web resource in docker.tf.

docker.tf

resource "docker_container" "web" {
  name  = "hashicorp-learn"
  image = "sha256:602e111c06b6934013578ad80554a074049c59441d9bcd963cb4a7feccede7a5"

  env  = []

  ports {
    external = 8080
    internal = 80
  }
}

You do not need to include values for ip or protocol because these attributes are optional, and the current state is the same as their default values.

Note

Which attributes are optional, and their default values, will vary from provider to provider. You can review the optional values for the docker_container resource in the Docker provider documentation.

Run terraform plan again to compare your new configuration to the state you imported earlier:

$ terraform plan
docker_container.web: Refreshing state... [id=b36a3ff77d52482b6f6833e48dd20f12272d80a1652b1ea0a8b61f493718dc75]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # docker_container.web will be updated in-place
  ~ resource "docker_container" "web" {
      + attach                                      = false
      + container_read_refresh_timeout_milliseconds = 15000
        id                                          = "b36a3ff77d52482b6f6833e48dd20f12272d80a1652b1ea0a8b61f493718dc75"
      + logs                                        = false
      + must_run                                    = true
        name                                        = "hashicorp-learn"
      + remove_volumes                              = true
      + start                                       = true
      + wait                                        = false
      + wait_timeout                                = 60
        # (33 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Notice that the plan indicates that Terraform will update the container in place to add the attach, container_read_refresh_timeout_milliseconds, logs, must_run, remove_volumes, start, wait, and wait_timeout attributes.

Note

Provider documentation may not indicate if a change is safe. You must understand the lifecycle of the underlying resource in order to know if a given change is safe to apply.

Apply the changes and finish the process of syncing your Terraform configuration and state with the Docker container they represent. Remember to confirm the apply step with a yes.

$ terraform apply
docker_container.web: Refreshing state... [id=b36a3ff77d52482b6f6833e48dd20f12272d80a1652b1ea0a8b61f493718dc75]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # docker_container.web will be updated in-place
  ~ resource "docker_container" "web" {
      + attach                                      = false
      + container_read_refresh_timeout_milliseconds = 15000
        id                                          = "b36a3ff77d52482b6f6833e48dd20f12272d80a1652b1ea0a8b61f493718dc75"
      + logs                                        = false
      + must_run                                    = true
        name                                        = "hashicorp-learn"
      + remove_volumes                              = true
      + start                                       = true
      + wait                                        = false
      + wait_timeout                                = 60
        # (33 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

docker_container.web: Modifying... [id=b36a3ff77d52482b6f6833e48dd20f12272d80a1652b1ea0a8b61f493718dc75]
docker_container.web: Modifications complete after 0s [id=b36a3ff77d52482b6f6833e48dd20f12272d80a1652b1ea0a8b61f493718dc75]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

At this point, running terraform plan or terraform apply will show no further changes, and you can now manage the container with Terraform as you would any other resource.

If you want to try the other method for generating configuration, use the following steps to revert the changes you made in the previous section, then switch to the other tab.

Remove everything inside the "docker_container" "web" block in docker.tf, so that the file only contains resource "docker_container" "web" { }.
Remove the container from your Terraform state.
```
$ terraform state rm "docker_container.web"
```

Re-import the container to Terraform state.

$ terraform import docker_container.web $(docker inspect -f {{.ID}} hashicorp-learn)

Otherwise, proceed with the next step to verify your configuration.

Verify import

Regardless of which method you used, Terraform now manages your Docker container. Use the Docker CLI to inspect the container.

$ docker ps --filter "name=hashicorp-learn"
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                  NAMES
fac6b3ddb49d        nginx:latest        "nginx -g 'daemon of…"   11 minutes ago      Up 11 minutes       0.0.0.0:8080->80/tcp   hashicorp-learn

The "Status" of the container did not change, confirming that the import process did not affect the container's operations. The ID has not changed either, confirming that this is the same container you created at the beginning of this tutorial.

Visit 0.0.0.0:8080 in your web browser to verify that the container still works as intended.

Create image resource

In some cases, you can bring resources under Terraform's control without using the terraform import command. This is often the case for resources that are defined by a single unique ID or tag, such as Docker images.

In your docker.tf file, the docker_container.web resource specifies the SHA256 hash ID of the image used to create the container. This is how Docker stores the image ID internally, and so terraform import loaded the image ID directly into your state. However the image ID is not as human readable as the image tag or name, and it may not match your intent. For example, you might want to use the latest version of the "nginx" image.

Retrieve the image's tag name by running the following command. Replace the image ID with the image ID from docker.tf.

$ docker image inspect -f {{.RepoTags}} <SHA>
[nginx:latest]

Then add the following configuration to your docker.tf file to represent this image as a resource.

docker.tf

resource "docker_image" "nginx" {
  name         = "nginx:latest"
}

Warning

Do not replace the image value in the docker_container.web resource yet, or Terraform will destroy and recreate your container. Since Terraform did not yet load the docker_image.nginx resource into state, it does not have an image ID to compare with the hardcoded one, which will force replacement. To work around this, define and create the image resource first, then update the container to reference it, as shown in this tutorial.

Run terraform apply to create an image resource in state. Remember to confirm the apply step with a yes.

$ terraform apply
docker_container.web: Refreshing state... [id=5cf0052f45a4c22e6b077ca476cd0f584f4e874b64c1a7c89e8a3ceb2e41bad6]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # docker_image.nginx will be created
  + resource "docker_image" "nginx" {
      + id          = (known after apply)
      + image_id    = (known after apply)
      + name        = "nginx:latest"
      + repo_digest = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

##...

Apply complete! Resources: 1 added, 0 changed, 0 destroyed

Now that Terraform created a resource for the image, you can reference it in your container's configuration. Change the image value for docker_container.web to reference the new image resource.

docker.tf

resource "docker_container" "web" {
  name  = "hashicorp-learn"
  image = docker_image.nginx.image_id

  ## ...
}

Since docker_image.nginx.latest will match the hardcoded image ID you replaced, terraform apply will show no changes.

$ terraform apply
docker_image.nginx: Refreshing state... [id=sha256:9e7e7b26c784556498f584508123ae46da82b4915e262975893be4c8ec8009a5nginx:latest]
docker_container.web: Refreshing state... [id=5cf0052f45a4c22e6b077ca476cd0f584f4e874b64c1a7c89e8a3ceb2e41bad6]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Note

If the image ID for the tag nginx:latest changed between the time you first created the Docker container and when you run this command, Docker will destroy the container and then recreate it with the new image.

Manage the container with Terraform

Now that Terraform manages the Docker container, use Terraform to change the its configuration.

In your docker.tf file, change the container's external port from 8080 to 8081.

docker.tf

resource "docker_container" "web" {
  name  = "hashicorp-learn"
  image = docker_image.nginx.latest

  ports {
    external = 8081
    internal = 80
  }
}

Apply the change. Terraform will destroy and recreate the container with the new port configuration. Remember to confirm the apply step with a yes.

$ terraform apply
docker_container.web: Refreshing state... [id=75278f99c53a6b39e94127d2c25f7dee13f97a4af89c52d74bff9dc783b3cce1]

## ...

Plan: 1 to add, 0 to change, 1 to destroy.

## ...

docker_container.web: Destroying... [id=75278f99c53a6b39e94127d2c25f7dee13f97a4af89c52d74bff9dc783b3cce1]
docker_container.web: Destruction complete after 1s
docker_container.web: Creating...
docker_container.web: Creation complete after 1s [id=023afc10768ab8eeaf646d6a3ac47b52a15af764367ded41702ef9cf5b91a976]

Apply complete! Resources: 1 added, 0 changed, 1 destroyed.

Now verify that Terraform replaced the container with a new one with the new configuration by running docker ps or visiting 0.0.0.0:8081 in your web browser.

$ docker ps --filter "name=hashicorp-learn"
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                  NAMES
023afc10768a        4392e5dad77d        "nginx -g 'daemon of…"   3 minutes ago       Up 3 minutes        0.0.0.0:8081->80/tcp   hashicorp-learn

Notice that the container ID has changed. Because changing the port configuration required destroying and recreating it, this is a completely new container.

Destroy infrastructure

You have now imported your Docker container and the image used to create it into Terraform.

Destroy the container and image by running terraform destroy. Respond yes to the prompt to confirm the operation.

$ terraform destroy
docker_image.nginx: Refreshing state... [id=sha256:9beeba249f3ee158d3e495a6ac25c5667ae2de8a43ac2a8bfd2bf687a58c06c9nginx:latest]
docker_container.web: Refreshing state... [id=3fe1cb2e5326c31bac9250f6d09eade77945ee07ccea025d6424d91a89f98557]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # docker_container.web will be destroyed
  - resource "docker_container" "web" {
      - attach            = false -> null

      ## ...
    }

Plan: 0 to add, 0 to change, 2 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

docker_container.web: Destroying... [id=3fe1cb2e5326c31bac9250f6d09eade77945ee07ccea025d6424d91a89f98557]
docker_container.web: Destruction complete after 1s
docker_image.nginx: Destroying... [id=sha256:9beeba249f3ee158d3e495a6ac25c5667ae2de8a43ac2a8bfd2bf687a58c06c9nginx:latest]
docker_image.nginx: Destruction complete after 0s

Destroy complete! Resources: 2 destroyed.

Finally, run docker ps to validate that the container was destroyed.

$ docker ps --filter "name=hashicorp-learn"
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

If you used Terraform Cloud for this tutorial, after destroying your resources, delete the learn-terraform-import workspace from your Terraform Cloud organization.

Tip

Since you added both the image and the container to your Terraform configuration, Terraform will remove both from Docker. If there were another container using the same image, the destroy step would fail. Remember that importing a resource into Terraform means that Terraform will manage the entire lifecycle of the resource, including destruction.

Limitations and other considerations

There are several important things to consider when importing resources into Terraform:

Terraform import uses the current state of your infrastructure reported by the Terraform provider. It cannot determine:
- the health of the infrastructure.
- the intent of the infrastructure.
- changes made to the infrastructure that are not in Terraform's control, such as the state of a Docker container's filesystem.
Importing involves manual steps which can be error prone, especially if the operator lacks context about the purpose and history of the infrastructure.
Importing manipulates the Terraform state file. You may want to create a backup before importing new infrastructure.
Terraform import does not detect or generate relationships between infrastructure.
Terraform import does not detect which default attributes you can skip setting.
Not all providers and resources support Terraform import.
Importing a resource into Terraform does not mean that Terraform can destroy and recreate it. For example, the imported infrastructure could rely on other unmanaged infrastructure or configuration.
If you store your state in a remote backend, you may need to set local variables equivalent to the remote workspace variables. The import command always runs locally and cannot access data from the remote backend, unlike commands like apply, which run inside your Terraform Cloud environment.

Following Infrastructure as Code (IaC) best practices, such as immutable infrastructure, can help prevent many of these problems.

You can use tools such as Terraformer to automate some of the manual steps required to import infrastructure. HashiCorp does not endorse or support these tools, and they are not part of Terraform.

Next step

In this tutorial, you learned how to bring existing infrastructure under Terraform management. You reviewed the different approaches for developing configuration for imported resources and considerations and limitations of the import workflow.

Review the following resources to learn more about how to use Terraform to safely and consistently manage your infrastructure:

Review the Terraform Import documentation.
Learn how to migrate configuration to Terraform Cloud.
Learn how to create reusable configuration with modules.
Learn how to manage a resource in Terraform state.

Back to Collection

38 tutorials

Associate Tutorial List
Study for the Terraform Associate exam by following these tutorials. Login to Learn and bookmark them to track your progress. Study the complete list of study materials (including docs) in the Certification Prep guides.
- Terraform
16 tutorials

Use the Command Line Interface
Use the Terraform Command Line Interface (CLI) to manage infrastructure, and interact with Terraform state, providers, configuration files, and Terraform Cloud.
- Terraform

Prerequisites

Create a Docker container

Initialize configuration

Import the container into Terraform

Create configuration

Verify import

Create image resource

Manage the container with Terraform

Destroy infrastructure

Limitations and other considerations

Next step

This tutorial also appears in: