
Error while running Terraform Import Command to import Azure Key Vault - Stack Overflow


I have a key vault in my Azure subscription, and now I want to put this KV in my Terraform state file, as Terraform is throwing this error during apply:

    │ Error: A resource with the ID "/subscriptions/xxxxx1-41b1-4519-xxxxxx-8c25546c0829/resourceGroups/rg-identity-prd-cus-001/providers/Microsoft.KeyVault/vaults/kv-identity-prd-cus-001" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault" for more information.
    │
    │   with module.identity_subscription[0].module.key_vault[0].azurerm_key_vault.key_vault,
    │   on ../modules/key_vault/key_vault.tf line 58, in resource "azurerm_key_vault" "key_vault":
    │   58: resource "azurerm_key_vault" "key_vault" {

So I have created a module and a module block as shown below:

    resource "azurerm_key_vault" "key_vault" {
      # required
      name                = "${var.abbreviation}-${var.workload}-${var.environment}-${var.location_short_name}-${var.instance_number}"
      location            = var.location
      resource_group_name = var.resource_group_name
      sku_name            = var.sku_name
      tenant_id           = data.azurerm_client_config.current.tenant_id # current tenant_id from azurerm provider

      # optional
      enabled_for_deployment          = var.enabled_for_deployment
      enabled_for_disk_encryption     = var.enabled_for_disk_encryption
      enabled_for_template_deployment = var.enabled_for_template_deployment
      enable_rbac_authorization       = var.enable_rbac_authorization
      purge_protection_enabled        = var.purge_protection_enabled
      soft_delete_retention_days      = var.soft_delete_retention_days
      tags                            = var.tags

      network_acls {
        bypass         = "AzureServices"
        default_action = "Deny"
      }

      # Optional if Azure policies are forced to use RBAC
      access_policy {
        tenant_id = data.azurerm_client_config.current.tenant_id
        object_id = data.azurerm_client_config.current.object_id

        key_permissions = [
          "Get", "Create", "List",
        ]

        secret_permissions = [
          "Get", "Set", "List",
        ]
      }

      lifecycle {
        ignore_changes = [
          tags["CreatedOn"],
          network_acls
        ]
      }
    }

The module is in its own modules folder with other child modules. I am calling the child module in my root module as shown below:

    module "key_vault" {
      count               = var.enable_keyvault == true ? 1 : 0
      source              = "../../../modules/key_vault"
      environment         = var.environment
      instance_number     = var.instance_number
      location_short_name = var.location_short_name
      workload            = local.application_names.workload_type
      location            = var.location
      tags                = local.tags
      resource_group_name = module.resource_group.rg_name_subs
      sku_name            = var.kv_sku_name
    }

Now when I run the import command as shown below, I get an error:

    terraform import module.key_vault.azurerm_key_vault.key_vault "/subscriptions/xxxx-41xx-4xxx9-9658-8c25546c0829/resourceGroups/rg-identity-prd-cus-001/providers/Microsoft.KeyVault/vaults/kv-identity-prd-cus-001"

Import error message:

    Error: Import to non-existent module
    │
    │ module.key_vault is not defined in the configuration. Please add configuration
    │ for this module before importing into it.

My Folder Structure is shown in the attachment

asked Jan 18 at 23:15 by Pallab

1 Answer

From what you’ve shared, the error seems to occur because Terraform cannot locate the key_vault module during the import process. The initial error shows that the key_vault module is nested within the identity_subscription module, and Terraform requires the full path to the resource being imported.

To fix it, use the full path in the import command:

    terraform import 'module.identity_subscription[0].module.key_vault[0].azurerm_key_vault.key_vault' "/subscriptions/xxxxx1-41b1-4519-xxxxxx-8c25546c0829/resourceGroups/rg-identity-prd-cus-001/providers/Microsoft.KeyVault/vaults/kv-identity-prd-cus-001"

This path matches the module hierarchy Terraform expects based on your configuration. Also make sure to:

  1. Verify that the identity_subscription module is properly configured in your root module.
  2. Confirm that identity_subscription calls the key_vault module correctly.

Finally, run terraform init and terraform plan to ensure the resource is successfully imported into the state and matches the configuration.

Hope it helps.
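The full address the answer uses is the one printed on the `with ...` line of the original apply error, so it can be extracted rather than retyped. The script below is an added example, not part of the original answer: `sample_error` and `import_commands` are hypothetical names, the sample input is constructed from the error in the question with a placeholder subscription ID, and it assumes the error layout shown there.

```shell
#!/usr/bin/env bash
# Added example: build `terraform import` commands from apply errors.

# Constructed sample input modelled on the error in the question;
# <SUBSCRIPTION_ID> is a placeholder, not a real value.
sample_error() {
cat <<'EOF'
│ Error: A resource with the ID "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/rg-identity-prd-cus-001/providers/Microsoft.KeyVault/vaults/kv-identity-prd-cus-001" already exists - to be managed via Terraform this resource needs to be imported into the State.
│
│   with module.identity_subscription[0].module.key_vault[0].azurerm_key_vault.key_vault,
│   on ../modules/key_vault/key_vault.tf line 58, in resource "azurerm_key_vault" "key_vault":
EOF
}

# Reads Terraform apply output on stdin and prints one import command per
# "already exists" error, pairing the Azure resource ID with the full
# module address taken from the "with ..." line that follows it.
import_commands() {
  awk -v q="'" '
    /A resource with the ID "/ {
      id = $0
      sub(/^.*A resource with the ID "/, "", id)  # drop text before the ID
      sub(/".*$/, "", id)                         # drop closing quote and rest
      next
    }
    id != "" && /^[^a-zA-Z]*with / {
      addr = $0
      sub(/^[^a-zA-Z]*with /, "", addr)           # drop box-drawing prefix
      sub(/,[ \t]*$/, "", addr)                   # drop trailing comma
      # Single quotes stop the shell from treating [0] as a glob pattern.
      printf "terraform import %s%s%s %s%s%s\n", q, addr, q, q, id, q
      id = ""
    }
  '
}

sample_error | import_commands
```

After running the printed command, `terraform state list` should show the same address that appeared in the error.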
