Cannot import aws_opensearch_domain_policy resources

[gmyers-aiq]

Description

Currently the aws_opensearch_domain_policy resource does not support importing. This seems like a huge oversight. It makes it extremely difficult to work with Terraform that includes this resource, particularly when refactoring into modular structures, as you are either forced to delete and recreate the whole OpenSearch cluster or do manual state hacking.

Affected Resource(s) or Data Source(s)

• aws_opensearch_domain_policy

Potential Terraform Configuration

References

No response

Would you like to implement the enhancement?

No

[github-actions]

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

• Please vote on this Issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
• Please see our prioritization guide for additional information on how the maintainers handle prioritization.
• Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Issue and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.

[gmyers-aiq]

Related: it seems the aws_elasticsearch_domain_policy resource also suffers from the same issue of not being importable.

[justinretzolk]

Hey @gmyers-aiq 👋 Thank you for taking the time to raise this! While my initial thought is that there probably should be a method for importing these resources, I did want to touch on a couple of things that may help while this awaits prioritization.

The first thing that comes to mind is that rather than importing the resource(s) to the new location, you could utilize either terraform state mv or a moved block (more information on the latter in the Refactoring documentation) to move the resource(s) within the Terraform state. That would mean that support for import was unnecessary, since you're essentially just telling Terraform that the existing state file should be updated to match the new configuration.

I also noticed that the create/update function for the aws_opensearch_domain_policy resource is named "upsert". With that in mind, I created a sample configuration where I initially created an aws_opensearch_domain and aws_opensearch_domain_policy. Once the initial creation was complete, I moved the resources into a module and imported the aws_opensearch_domain. After import, I ran an apply and noted that the aws_opensearch_domain_policy resource was created again, but since the domain already had the policy applied in AWS prior to this new creation of the aws_opensearch_domain_policy, it didn't seem to have any impact on the domain -- the apply went through just fine, and further applied yielded no changes. Unless I've missed something, I'm not sure I'm following why you would need to destroy and recreate the domain itself as you mentioned in your initial report. Are you seeing behavior that differs from what I saw?