Usage of "this" in terraform import command?

Question

I am trying to import some resources ( created by EKS outside terraform) specifically cluster creator access entry.

The documentation provides this usage to create new access entry

locals {
  access_entries = {
    iam_identity_center_admin_role = {
      kubernetes_groups = []
      principal_arn     = data.external.get_sso_admin_role.result.Arn
      policy_associations = {
        iam_identity_center_admin_role = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
          access_scope = {
            type = "cluster"
          }
        }
      }
    }
  }
}

According to terraform import command docs

Before you run terraform import you must manually write a resource configuration block for the resource. The resource block describes where Terraform should map the imported object.

Based on the above understanding I tried to use the following import command which throws error

terraform import  module.base.module.eks.aws_eks_access_entry.iam_identity_center_admin_role mycluster:principal arn

Before importing this resource, please create its configuration in module.base.module.eks. For example:
    resource "aws_eks_access_entry" "iam_identity_center_admin_role" {
      # (resource arguments)
    }

The same works if I add the terror resource for eks access entry. Of course when I use resource definition I don't use the locals of access entries map.　So, it's not correct resource problem

resource "aws_eks_access_entry" "imported_cluster_creator_eks_access_entry" {
  cluster_name  = local.eks_name
  principal_arn = data.external.get_sso_admin_role.result.Arn
}

But if I use the following import command with locals and not explicit resource definition having this it works . I want to know why the usage of this works? why this is used? To my understanding it is implicitly used

terraform import 'module.base.module.eks.aws_eks_access_entry.this["iam_identity_center_admin_role"]' my-cluster:pricipal arn

Answer 1

Based on the terraform module code, the merged_access_entries local variable is used with the aws_eks_access_entry resource. Since the resource you have created manually needs to be imported into the module, you have to follow the convention specified by the said module. In this case, the resource you want to import is using the logical name of this:

resource "aws_eks_access_entry" "this" {
  for_each = { for k, v in local.merged_access_entries : k => v if local.create }

  cluster_name      = aws_eks_cluster.this[0].name
  kubernetes_groups = try(each.value.kubernetes_groups, null)
  principal_arn     = each.value.principal_arn
  type              = try(each.value.type, "STANDARD")
  user_name         = try(each.value.user_name, null)

  tags = merge(var.tags, try(each.value.tags, {}))
}

As you can see, the EKS module is also using for_each to create the resource aws_eks_access_entry, hence the need for the key when specifying the import command as the key-value pairs are decided from the merged_access_entries local variable. Based on everything outlined here and in your question, you are calling the EKS module from the base module.

When using modules, you need to know which resource and resource's logical name are used in the module you want to import to in order to successfully import it. Since the resource in question is "aws_eks_access_entry" "this", the entire import command needs to be:

terraform import module.base.module.eks.aws_eks_access_entry.this["iam_identity_center_admin_role"]' <cluster:pricipal arn>

because one of the keys in the local access_entries variable which you have defined is iam_identity_center_admin.

Answer 2

The eks module defines the aws_eks_access_entry resource with a name called this. It then uses a for_each meta to loop over all the entries it needs to create

resource "aws_eks_access_entry" "this" {
  for_each = { for k, v in local.merged_access_entries : k => v if local.create }

  cluster_name      = aws_eks_cluster.this[0].name
  kubernetes_groups = try(each.value.kubernetes_groups, null)
  principal_arn     = each.value.principal_arn
  type              = try(each.value.type, "STANDARD")
  user_name         = try(each.value.user_name, null)

  tags = merge(var.tags, try(each.value.tags, {}))
}

As mentioned in the comments, this doesnt do anything special, its just a name for the aws_eks_access_entry resource. Using this is just general convention for a general purpose resource in a module.

you can read more on naming which says

Resource name should be named this if there is no more descriptive and general name available, or if the resource module creates a single resource of this type (eg, in AWS VPC module there is a single resource of type aws_nat_gateway and multiple resources of typeaws_route_table, so aws_nat_gateway should be named this and aws_route_table should have more descriptive names - like private, public, database).