Configuration Automation - Terraform

Importing to Terraform state

Terraform maintains state: a record of the last known configuration of a product environment. This lets Terraform compare three sources: the intended configuration of the environment (declared in Terraform's configuration language, HCL), the actual configuration of the environment (which the provider reads through the service API), and the last known configuration recorded in state. From that comparison Terraform produces an action plan that corrects configuration drift in the environment while also handling configuration additions and deletions.

Terraform state is a required component of Terraform management of an environment and must be handled securely. State records resource attributes as returned by the service API, which can include sensitive values in plain text, so the storage backend you choose should provide encryption at rest, restricted access, and state locking. The storage mechanism of the Terraform state is left to the customer to decide. You can find more information and HashiCorp's own best practices for handling Terraform state in State in the HashiCorp documentation.

You should not edit Terraform state manually in a text editor. Terraform updates the state file itself in two ways:

  1. By declaring end-state configuration in Terraform HCL and running the terraform plan and terraform apply commands. This method is most common when adding net-new configuration to a product, meaning that Terraform manages the full lifecycle of a configuration item including its initial creation.

  2. By importing configuration that already exists in an environment, using an import {} block in HCL or the terraform import command. This method is most common when bringing existing product configuration under Terraform control, where Terraform did not manage the initial creation of that configuration.

Importing configuration is most suited to production environments that were previously built and managed without Terraform. Importing configuration to Terraform state is non-destructive (meaning that configuration is not expected to be removed or re-added). Import only records the resource in state, however: if the HCL you write for an imported resource does not match its live configuration, the next terraform plan shows the difference as an update or replacement that terraform apply would carry out, so review the plan and confirm it reports no changes before applying. After configuration for an environment is imported to Terraform state, Terraform can manage the lifecycle of the imported configuration in the normal way.

Using Ping CLI to generate import blocks

Terraform's out-of-the-box import capability requires the developer to import each configuration item individually by its unique ID. When working with Ping Identity products and Ping Identity Terraform providers, the ID required to import a specific configuration item can be a single ID or a compound ID (two or more IDs concatenated with a / forward slash separator). Depending on the Ping Identity product, the ID might be defined by the customer or generated by the platform as a UUID. In either case, the developer might have difficulty retrieving the required IDs for all configuration in a product environment.

The Ping CLI command-line tool has features to simplify importing configuration to Terraform state. The platform export command is designed to connect to a supported Ping Identity product, read the live configuration of the service, and generate the required Terraform HCL files with clearly labelled import {} blocks, complete with all necessary IDs. The developer can then import all configuration for an environment or choose which configuration items to include.
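The following is an added example of the import {} block mechanism described in the sections above (both the manual import method and the import blocks that Ping CLI generates). It is not code from this page, from Ping CLI output, or from the Ping Identity Terraform provider documentation. The resource type pingone_population, its attributes, the compound ID format of environment UUID and population UUID joined with /, and the two placeholder UUIDs are all assumptions made for illustration. Import blocks require Terraform 1.5 or later.

```hcl
# Added example, not from the Ping documentation or Ping CLI output.
# Assumptions: PingOne provider resource type "pingone_population" with
# "environment_id" and "name" attributes, and a compound import ID of the
# form "<environment_id>/<population_id>". Both UUIDs below are constructed
# placeholders; substitute the real IDs from your environment.

variable "environment_id" {
  description = "PingOne environment UUID that owns the imported population"
  type        = string
  default     = "00000000-0000-4000-8000-000000000001" # constructed placeholder
}

# The import block only records the existing resource in state.
# It does not create, modify, or delete anything in the environment.
import {
  # Compound ID: environment UUID and population UUID separated by "/".
  id = "00000000-0000-4000-8000-000000000001/00000000-0000-4000-8000-000000000002"
  to = pingone_population.employees
}

# The resource block must describe the live configuration exactly. Any
# mismatch shows up in "terraform plan" as an update or replacement that
# "terraform apply" would then carry out.
resource "pingone_population" "employees" {
  environment_id = var.environment_id
  name           = "Employees"
}
```

If you have the import block but no matching resource block yet, run terraform plan -generate-config-out=generated.tf and Terraform writes a draft resource block from the live configuration; review it, then run terraform plan again and confirm the summary reports the resource to import and zero changes before running terraform apply.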