Terraform Import

Terraform import is the process of mapping an existing live resource into Terraform state without recreating it. It lets teams bring pre-existing cloud assets under declarative control so future changes, reviews, and rollbacks can be managed through code rather than manual reconstruction.

Expanded Definition

Terraform import is the bridge between an existing live resource and Terraform state. It records that an asset already exists, so Terraform can begin managing its configuration and lifecycle without deleting and recreating it. In practice, import is most useful during standardisation efforts, cloud consolidation, or after teams inherit unmanaged infrastructure.

The key distinction is that import does not automatically generate a complete, accurate Terraform configuration. It only attaches state to a resource address, which means the declared code still has to be reconciled with the real-world object. That makes import different from discovery, and different from provisioning a new resource from scratch. The surrounding workflow is still guided by external governance principles such as the NIST Cybersecurity Framework 2.0, especially where asset visibility and change control are required.

Definitions vary across vendors and Terraform workflows, but the operational meaning is consistent: bring pre-existing infrastructure under code-managed control while preserving service continuity. The most common misapplication is assuming import alone creates a safe, authoritative configuration, which occurs when teams skip drift review and leave unmanaged settings outside the Terraform codebase.

Examples and Use Cases

Implementing Terraform import rigorously often introduces reconciliation overhead, requiring organisations to weigh faster governance adoption against the cost of auditing live settings before they are codified.

  • A cloud team imports an existing IAM role so future permission changes are reviewed in pull requests instead of being edited manually in the console.
  • A security team uses import to bring a pre-existing secrets vault into Terraform, then aligns access policies with lessons from the Ultimate Guide to NHIs.
  • An operations team imports legacy storage buckets after a merger, then standardises tags, encryption settings, and lifecycle rules across accounts.
  • A platform team imports API gateway resources before refactoring modules, using Terraform plan output to surface drift and unintended differences.
  • An enterprise team imports inherited service accounts so their NHI inventory can be reviewed alongside broader identity governance processes described in the Ultimate Guide to NHIs.

For resource mapping and state hygiene, teams often compare the imported object against implementation guidance in the NIST Cybersecurity Framework 2.0 to ensure the imported asset is actually governed, not merely recorded.
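The drift review the use cases above describe can be automated against the plan Terraform produces after an import. The following script is an added example, not code from the original page: it assumes the Terraform 1.5+ JSON plan layout (resource_changes[].change.actions and .importing), uses a constructed sample plan with made-up resource names, and flags imported resources whose declared configuration still differs from the live object, as well as imported IAM policies that grant wildcard actions.

```python
"""Review `terraform show -json tfplan` output after an import. Added example,
not the page's code; assumes the Terraform 1.5+ plan JSON layout
(resource_changes[].change.actions / .importing) and a constructed sample plan;
every resource name is made up. Workflow assumed:
  terraform plan -out=tfplan && terraform show -json tfplan > plan.json"""
import json

# Constructed sample: two imported IAM roles and one imported inline policy.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_iam_role.ci_deploy",
         "change": {"actions": ["no-op"], "importing": {"id": "ci-deploy"},
                    "after": {"name": "ci-deploy"}}},
        {"address": "aws_iam_role.legacy_batch",
         "change": {"actions": ["update"], "importing": {"id": "legacy-batch"},
                    "after": {"name": "legacy-batch", "tags": {"owner": "data"}}}},
        {"address": "aws_iam_role_policy.legacy_batch_admin",
         "change": {"actions": ["delete", "create"],
                    "importing": {"id": "legacy-batch:admin"},
                    "after": {"policy": json.dumps({"Statement": [
                        {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
    ]
})

def has_wildcard_action(policy_doc: str) -> bool:
    """True when any Allow statement grants Action "*" (excessive privilege)."""
    stmts = json.loads(policy_doc).get("Statement", [])
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        actions = s.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if s.get("Effect") == "Allow" and "*" in actions:
            return True
    return False

def review_import_plan(plan_json: str) -> dict:
    """Bucket each imported resource: 'clean' (declared config matches the live
    object), 'drift' (plan would update it), 'replace' (plan would destroy it)."""
    findings = {"clean": [], "drift": [], "replace": [], "wildcard_policy": []}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if not change.get("importing"):
            continue  # not imported in this plan; outside the review scope
        actions = change["actions"]
        bucket = ("clean" if actions == ["no-op"]
                  else "replace" if "delete" in actions else "drift")
        findings[bucket].append(rc["address"])
        policy = (change.get("after") or {}).get("policy")
        if policy and has_wildcard_action(policy):
            findings["wildcard_policy"].append(rc["address"])
    return findings
```

Anything in the drift or replace buckets means the code does not yet describe the live object and must be reconciled before apply; the wildcard bucket lists imported identities whose privileges should be reviewed rather than frozen into code as-is.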

Why It Matters in NHI Security

Terraform import matters in NHI security because unmanaged infrastructure often hides service accounts, tokens, and embedded credentials that were created outside any governance process. Once those assets are imported and declared, they can be reviewed for privilege, ownership, rotation, and offboarding. That is especially important when teams discover that secrets are already stored in vulnerable locations or that service identities have accumulated excessive permissions. NHI Mgmt Group reports that 97% of NHIs carry excessive privileges, which means the gap between “exists” and “properly governed” is often the real risk.

Import is therefore not a cleanup shortcut. It is a control-recovery step that exposes the difference between live infrastructure and trusted infrastructure. Used well, it supports auditability, change traceability, and eventual least privilege. Used poorly, it can freeze bad configurations into code and give teams false confidence that the environment has been secured. The broader NHI governance context is documented in the Ultimate Guide to NHIs.

Organisations typically encounter Terraform import as an urgent requirement only after a breach review, cloud acquisition, or failed audit reveals that critical resources were never under declarative control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Import helps surface unmanaged NHIs and resources that should be brought under control. |
| NIST CSF 2.0 | CM-8 | Asset management requires accurate visibility into existing infrastructure before control can be enforced. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Imported resources still need least-privilege access boundaries and continuous verification. |

Inventory live identities and bind them to declared ownership before allowing ongoing management.