github.com/GoogleCloudPlatform/terraformer@v0.8.18/docs/aws.md

### Use with AWS

Example:

```
terraformer import aws --resources=vpc,subnet --connect=true --regions=eu-west-1 --profile=prod
terraformer import aws --resources=vpc,subnet --filter=vpc=vpc_id1:vpc_id2:vpc_id3 --regions=eu-west-1
```

#### Profiles support

By default the tool loads AWS configuration from environment variables, the shared credentials file (`~/.aws/credentials`), and the shared config file (`~/.aws/config`). To use a specific profile, run:

```
terraformer import aws --resources=vpc,subnet --regions=eu-west-1 --profile=prod
```

You can also import resources without providing any regions:
```
terraformer import aws --resources=cloudfront --profile=prod
```
In that case Terraformer does not know which region the resources are associated with and does not assume any region. This is useful for global resources (e.g. CloudFront distributions or Route 53 records) and when the region is passed implicitly through environment variables or the metadata service.

#### Supported services

*   `accessanalyzer`
    * `aws_accessanalyzer_analyzer`
*   `acm`
    * `aws_acm_certificate`
*   `alb` (supports ALB and NLB)
    * `aws_lb`
    * `aws_lb_listener`
    * `aws_lb_listener_rule`
    * `aws_lb_listener_certificate`
    * `aws_lb_target_group`
    * `aws_lb_target_group_attachment`
*   `api_gateway`
    * `aws_api_gateway_authorizer`
    * `aws_api_gateway_documentation_part`
    * `aws_api_gateway_gateway_response`
    * `aws_api_gateway_integration`
    * `aws_api_gateway_integration_response`
    * `aws_api_gateway_method`
    * `aws_api_gateway_method_response`
    * `aws_api_gateway_model`
    * `aws_api_gateway_resource`
    * `aws_api_gateway_rest_api`
    * `aws_api_gateway_stage`
    * `aws_api_gateway_usage_plan`
    * `aws_api_gateway_vpc_link`
*   `appsync`
    * `aws_appsync_graphql_api`
*   `auto_scaling`
    * `aws_autoscaling_group`
    * `aws_launch_configuration`
    * `aws_launch_template`
*   `batch`
    * `aws_batch_compute_environment`
    * `aws_batch_job_definition`
    * `aws_batch_job_queue`
*   `budgets`
    * `aws_budgets_budget`
*   `cloud9`
    * `aws_cloud9_environment_ec2`
*   `cloudformation`
    * `aws_cloudformation_stack`
    * `aws_cloudformation_stack_set`
    * `aws_cloudformation_stack_set_instance`
*   `cloudfront`
    * `aws_cloudfront_distribution`
*   `cloudhsm`
    * `aws_cloudhsm_v2_cluster`
    * `aws_cloudhsm_v2_hsm`
*   `cloudtrail`
    * `aws_cloudtrail`
*   `cloudwatch`
    * `aws_cloudwatch_dashboard`
    * `aws_cloudwatch_event_rule`
    * `aws_cloudwatch_event_target`
    * `aws_cloudwatch_metric_alarm`
*   `codebuild`
    * `aws_codebuild_project`
*   `codecommit`
    * `aws_codecommit_repository`
*   `codedeploy`
    * `aws_codedeploy_app`
*   `codepipeline`
    * `aws_codepipeline`
    * `aws_codepipeline_webhook`
*   `cognito`
    * `aws_cognito_identity_pool`
    * `aws_cognito_user_pool`
*   `config`
    * `aws_config_config_rule`
    * `aws_config_configuration_recorder`
    * `aws_config_delivery_channel`
*   `customer_gateway`
    * `aws_customer_gateway`
*   `datapipeline`
    * `aws_datapipeline_pipeline`
*   `devicefarm`
    * `aws_devicefarm_project`
*   `docdb`
    * `aws_docdb_cluster`
    * `aws_docdb_cluster_instance`
    * `aws_docdb_cluster_parameter_group`
    * `aws_docdb_subnet_group`
*   `dynamodb`
    * `aws_dynamodb_table`
*   `ebs`
    * `aws_ebs_volume`
    * `aws_volume_attachment`
*   `ec2_instance`
    * `aws_instance`
*   `ecr`
    * `aws_ecr_lifecycle_policy`
    * `aws_ecr_repository`
    * `aws_ecr_repository_policy`
*   `ecrpublic`
    * `aws_ecrpublic_repository`
*   `ecs`
    * `aws_ecs_cluster`
    * `aws_ecs_service`
    * `aws_ecs_task_definition`
*   `efs`
    * `aws_efs_access_point`
    * `aws_efs_file_system`
    * `aws_efs_file_system_policy`
    * `aws_efs_mount_target`
*   `eip`
    * `aws_eip`
*   `eks`
    * `aws_eks_cluster`
*   `elasticache`
    * `aws_elasticache_cluster`
    * `aws_elasticache_parameter_group`
    * `aws_elasticache_subnet_group`
    * `aws_elasticache_replication_group`
*   `elastic_beanstalk`
    * `aws_elastic_beanstalk_application`
    * `aws_elastic_beanstalk_environment`
*   `elb`
    * `aws_elb`
*   `emr`
    * `aws_emr_cluster`
    * `aws_emr_security_configuration`
*   `eni`
    * `aws_network_interface`
*   `es`
    * `aws_elasticsearch_domain`
*   `firehose`
    * `aws_kinesis_firehose_delivery_stream`
*   `glue`
    * `glue_crawler`
    * `aws_glue_catalog_database`
    * `aws_glue_catalog_table`
    * `aws_glue_job`
    * `aws_glue_trigger`
*   `iam`
    * `aws_iam_group`
    * `aws_iam_group_policy`
    * `aws_iam_group_policy_attachment`
    * `aws_iam_instance_profile`
    * `aws_iam_policy`
    * `aws_iam_role`
    * `aws_iam_role_policy`
    * `aws_iam_role_policy_attachment`
    * `aws_iam_user`
    * `aws_iam_user_group_membership`
    * `aws_iam_user_policy`
    * `aws_iam_user_policy_attachment`
*   `igw`
    * `aws_internet_gateway`
*   `iot`
    * `aws_iot_thing`
    * `aws_iot_thing_type`
    * `aws_iot_topic_rule`
    * `aws_iot_role_alias`
*   `kinesis`
    * `aws_kinesis_stream`
*   `kms`
    * `aws_kms_key`
    * `aws_kms_alias`
    * `aws_kms_grant`
*   `lambda`
    * `aws_lambda_event_source_mapping`
    * `aws_lambda_function`
    * `aws_lambda_function_event_invoke_config`
    * `aws_lambda_layer_version`
*   `logs`
    * `aws_cloudwatch_log_group`
*   `media_package`
    * `aws_media_package_channel`
*   `media_store`
    * `aws_media_store_container`
*   `msk`
    * `aws_msk_cluster`
*   `nacl`
    * `aws_network_acl`
*   `nat`
    * `aws_nat_gateway`
*   `opsworks`
    * `aws_opsworks_application`
    * `aws_opsworks_custom_layer`
    * `aws_opsworks_instance`
    * `aws_opsworks_java_app_layer`
    * `aws_opsworks_php_app_layer`
    * `aws_opsworks_rds_db_instance`
    * `aws_opsworks_stack`
    * `aws_opsworks_static_web_layer`
    * `aws_opsworks_user_profile`
*   `organization`
    * `aws_organizations_account`
    * `aws_organizations_organization`
    * `aws_organizations_organizational_unit`
    * `aws_organizations_policy`
    * `aws_organizations_policy_attachment`
*   `qldb`
    * `aws_qldb_ledger`
*   `rds`
    * `aws_db_instance`
    * `aws_db_parameter_group`
    * `aws_db_subnet_group`
    * `aws_db_option_group`
    * `aws_db_event_subscription`
*   `resourcegroups`
    * `aws_resourcegroups_group`
*   `route53`
    * `aws_route53_zone`
    * `aws_route53_record`
*   `route_table`
    * `aws_route_table`
    * `aws_main_route_table_association`
    * `aws_route_table_association`
*   `s3`
    * `aws_s3_bucket`
*   `secretsmanager`
    * `aws_secretsmanager_secret`
*   `securityhub`
    * `aws_securityhub_account`
    * `aws_securityhub_member`
    * `aws_securityhub_standards_subscription`
*   `servicecatalog`
    * `aws_servicecatalog_portfolio`
*   `ses`
    * `aws_ses_configuration_set`
    * `aws_ses_domain_identity`
    * `aws_ses_email_identity`
    * `aws_ses_receipt_rule`
    * `aws_ses_receipt_rule_set`
    * `aws_ses_template`
*   `sfn`
    * `aws_sfn_activity`
    * `aws_sfn_state_machine`
*   `sg`
    * `aws_security_group`
    * `aws_security_group_rule` (if a rule cannot be inlined)
*   `sns`
    * `aws_sns_topic`
    * `aws_sns_topic_subscription`
*   `sqs`
    * `aws_sqs_queue`
*   `ssm`
    * `aws_ssm_parameter`
*   `subnet`
    * `aws_subnet`
*   `swf`
    * `aws_swf_domain`
*   `transit_gateway`
    * `aws_ec2_transit_gateway_route_table`
    * `aws_ec2_transit_gateway_vpc_attachment`
*   `waf`
    * `aws_waf_byte_match_set`
    * `aws_waf_geo_match_set`
    * `aws_waf_ipset`
    * `aws_waf_rate_based_rule`
    * `aws_waf_regex_match_set`
    * `aws_waf_regex_pattern_set`
    * `aws_waf_rule`
    * `aws_waf_rule_group`
    * `aws_waf_size_constraint_set`
    * `aws_waf_sql_injection_match_set`
    * `aws_waf_web_acl`
    * `aws_waf_xss_match_set`
*   `waf_regional`
    * `aws_wafregional_byte_match_set`
    * `aws_wafregional_geo_match_set`
    * `aws_wafregional_ipset`
    * `aws_wafregional_rate_based_rule`
    * `aws_wafregional_regex_match_set`
    * `aws_wafregional_regex_pattern_set`
    * `aws_wafregional_rule`
    * `aws_wafregional_rule_group`
    * `aws_wafregional_size_constraint_set`
    * `aws_wafregional_sql_injection_match_set`
    * `aws_wafregional_web_acl`
    * `aws_wafregional_xss_match_set`
*   `vpc`
    * `aws_vpc`
*   `vpc_peering`
    * `aws_vpc_peering_connection`
*   `vpn_connection`
    * `aws_vpn_connection`
*   `vpn_gateway`
    * `aws_vpn_gateway`
*   `workspaces`
    * `aws_workspaces_directory`
    * `aws_workspaces_ip_group`
    * `aws_workspaces_workspace`
*   `xray`
    * `aws_xray_sampling_rule`

#### Global services

AWS services that are global are imported without a specified region, even if several regions are passed.
This ensures that only one representation of an AWS resource is imported.

List of global AWS services:
* `budgets`
* `cloudfront`
* `ecrpublic`
* `iam`
* `organization`
* `route53`
* `waf`

#### Attribute filters

Attribute filters allow filtering across different resource types by their attributes.

```
terraformer import aws --resources=ec2_instance,ebs --filter="Name=tags.costCenter;Value=20000:'20001:1'" --regions=eu-west-1
```
This imports only the AWS EC2 instances and EBS volumes annotated with the tag `costCenter` with values `20000` or `20001:1`. Attribute filters apply to all resource types by default, but a filter can be limited to a given resource type with the `Type=<type>` parameter. For example:
```
terraformer import aws --resources=ec2_instance,ebs --filter="Type=ec2_instance;Name=tags.costCenter;Value=20000:'20001:1'" --regions=eu-west-1
```
This works the same as the example above, except that the filter applies only to `ec2_instance` resources.

Because API Gateway generates a lot of resources, it's possible to issue a filtering query to retrieve resources related to a given REST API by tags. To fetch resources related to a REST API resource with a tag `STAGE` and value `dev`, add the parameter `--filter="Type=api_gateway_rest_api;Name=tags.STAGE;Value=dev"`.

#### SQS queues retrieval

Terraformer uses the AWS [ListQueues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ListQueues.html) API call to fetch available queues. The API returns at most 1000 queues, and an additional name prefix should be passed to filter the list results. The `QueueNamePrefix` parameter can be passed through the environment variable `SQS_PREFIX`.
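
The attribute filter syntax from the "Attribute filters" section above, as an added Go example that is not Terraformer's own parser: it shows how single quotes keep `20001:1` as one value while unquoted colons separate alternatives. The `Filter` type and the `ParseFilter` and `splitValues` functions are hypothetical names, and the example covers only the `Name=...;Value=...` attribute form, not the `vpc=vpc_id1:vpc_id2` ID form.

```go
package main

import (
	"fmt"
	"strings"
)

// Filter is a hypothetical parsed form of one --filter argument (not Terraformer's own type).
type Filter struct {
	Type, Name string   // empty Type: the filter applies to every requested resource type
	Values     []string // a resource passes when the attribute equals any one of these
}

// splitValues splits on ':' except inside single quotes, so '20001:1' stays one value.
func splitValues(s string) (out []string, err error) {
	cur, quoted := "", false
	for _, r := range s {
		switch {
		case r == '\'':
			quoted = !quoted
		case r == ':' && !quoted:
			out, cur = append(out, cur), ""
		default:
			cur += string(r)
		}
	}
	if quoted {
		return nil, fmt.Errorf("unterminated quote in %q", s)
	}
	return append(out, cur), nil
}

// ParseFilter reads the "Type=...;Name=...;Value=..." form shown in the section above.
func ParseFilter(arg string) (Filter, error) {
	fields := map[string]string{}
	for _, part := range strings.Split(arg, ";") {
		key, val, ok := strings.Cut(part, "=")
		if !ok || (key != "Type" && key != "Name" && key != "Value") {
			return Filter{}, fmt.Errorf("unrecognised filter field %q", part)
		}
		fields[key] = val
	}
	if fields["Name"] == "" || fields["Value"] == "" {
		return Filter{}, fmt.Errorf("filter %q needs both Name and Value", arg)
	}
	vals, err := splitValues(fields["Value"])
	return Filter{Type: fields["Type"], Name: fields["Name"], Values: vals}, err
}

func main() { fmt.Println(ParseFilter("Name=tags.costCenter;Value=20000:'20001:1'")) }
```

On the command line the whole filter has to be wrapped in double quotes, because an unquoted `;` ends the shell command before the rest of the filter is read.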

#### Security groups and rules

By default Terraformer tries to keep rules in security groups as long as no circular dependencies are detected. This approach keeps the rules as tidy as possible, but there can be cases when this behaviour is not desirable (see [GoogleCloudPlatform/terraformer#493](https://github.com/GoogleCloudPlatform/terraformer/issues/493)). To make Terraformer split rules from security groups, set the `SPLIT_SG_RULES` environment variable to any value.