Tags: azure, azure-keyvault, terraform-provider-azure, terraform-modules

Error while running Terraform Import Command to import Azure Key Vault


I have a key vault in my Azure subscription and now I want to put this KV in my Terraform state file, as Terraform is throwing this error during apply:

    │ Error: A resource with the ID "/subscriptions/xxxxx1-41b1-4519-xxxxxx-8c25546c0829/resourceGroups/rg-identity-prd-cus-001/providers/Microsoft.KeyVault/vaults/kv-identity-prd-cus-001" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault" for more information.
    │
    │   with module.identity_subscription[0].module.key_vault[0].azurerm_key_vault.key_vault,
    │   on ../modules/key_vault/key_vault.tf line 58, in resource "azurerm_key_vault" "key_vault":
    │   58: resource "azurerm_key_vault" "key_vault" {

So I have created a module and a module block as shown below:

    resource "azurerm_key_vault" "key_vault" {
      # required
      name                            = "${var.abbreviation}-${var.workload}-${var.environment}-${var.location_short_name}-${var.instance_number}"
      location                        = var.location
      resource_group_name             = var.resource_group_name
      sku_name                        = var.sku_name
      tenant_id                       = data.azurerm_client_config.current.tenant_id # current tenant_id from azurerm provider
      # optional
      enabled_for_deployment          = var.enabled_for_deployment
      enabled_for_disk_encryption     = var.enabled_for_disk_encryption
      enabled_for_template_deployment = var.enabled_for_template_deployment
      enable_rbac_authorization       = var.enable_rbac_authorization
      purge_protection_enabled        = var.purge_protection_enabled
      soft_delete_retention_days      = var.soft_delete_retention_days
      tags                            = var.tags

      network_acls {
        bypass         = "AzureServices"
        default_action = "Deny"
      }

      # Optional if Azure policies are forced to use RBAC
      access_policy {
        tenant_id = data.azurerm_client_config.current.tenant_id
        object_id = data.azurerm_client_config.current.object_id

        key_permissions = [
          "Get", "Create", "List",
        ]

        secret_permissions = [
          "Get", "Set", "List",
        ]
      }

      lifecycle {
        ignore_changes = [
          tags["CreatedOn"],
          network_acls
        ]
      }
    }

The module is in its own modules folder with other child modules. I am calling the child module in my root module as shown below:

    module "key_vault" {
      count               = var.enable_keyvault == true ? 1 : 0
      source              = "../../../modules/key_vault"
      environment         = var.environment
      instance_number     = var.instance_number
      location_short_name = var.location_short_name
      workload            = local.application_names.workload_type
      location            = var.location
      tags                = local.tags
      resource_group_name = module.resource_group.rg_name_subs
      sku_name            = var.kv_sku_name
    }

Now when I run the import command as shown below I get an error:

    terraform import module.key_vault.azurerm_key_vault.key_vault "/subscriptions/xxxx-41xx-4xxx9-9658-8c25546c0829/resourceGroups/rg-identity-prd-cus-001/providers/Microsoft.KeyVault/vaults/kv-identity-prd-cus-001"

Import error message:

    Error: Import to non-existent module
    │
    │ module.key_vault is not defined in the configuration. Please add configuration
    │ for this module before importing into it.

My folder structure is shown in the attachment.


Solution

From what you’ve shared, the error seems to occur because Terraform cannot locate the key_vault module during the import process. The initial error shows that the key_vault module is nested within the identity_subscription module, and Terraform requires the full path to the resource being imported.

To fix it, use the full path in the import command:

    terraform import 'module.identity_subscription[0].module.key_vault[0].azurerm_key_vault.key_vault' "/subscriptions/xxxxx1-41b1-4519-xxxxxx-8c25546c0829/resourceGroups/rg-identity-prd-cus-001/providers/Microsoft.KeyVault/vaults/kv-identity-prd-cus-001"

This path matches the module hierarchy Terraform expects based on your configuration. Also make sure to:

1. Verify that the identity_subscription module is properly configured in your root module.
2. Confirm that identity_subscription calls the key_vault module correctly.

Finally, run terraform init and terraform plan to ensure the resource is successfully imported into the state and matches the configuration.

Hope it helps.
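The address-building step the answer describes, as an added example that is not part of the original question or answer: Terraform already prints the full resource address (every module.<name>[index] level) in the "with ..." line of the "already exists" error, so the script below copies the address and the Azure resource ID out of that error text and emits the matching import command instead of retyping the address by hand. The error text embedded in the script is a constructed sample that mirrors the one in the question (same redacted subscription ID); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: turn the
# "already exists" error printed by `terraform plan`/`terraform apply` into
# the matching `terraform import` command, using the full address that
# Terraform itself reports in the "with ..." line. Reading the address from
# the error avoids the "Import to non-existent module" mistake of guessing a
# shorter path such as module.key_vault.

# Constructed sample: the error text from the question, same redacted IDs.
SAMPLE_ERROR='Error: A resource with the ID "/subscriptions/xxxxx1-41b1-4519-xxxxxx-8c25546c0829/resourceGroups/rg-identity-prd-cus-001/providers/Microsoft.KeyVault/vaults/kv-identity-prd-cus-001" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault" for more information.
│
│   with module.identity_subscription[0].module.key_vault[0].azurerm_key_vault.key_vault,
│   on ../modules/key_vault/key_vault.tf line 58, in resource "azurerm_key_vault" "key_vault":
│   58: resource "azurerm_key_vault" "key_vault" {'

# Azure resource ID: the quoted string after 'A resource with the ID'.
extract_id() {
  printf '%s\n' "$1" | sed -n 's/.*A resource with the ID "\([^"]*\)".*/\1/p' | head -n 1
}

# Full Terraform address: the word after "with" on the "with <address>," line.
# The word must contain a dot so that "with the ID" on the first line is skipped.
extract_address() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i < NF; i++)
      if ($i == "with" && index($(i + 1), ".") > 0) {
        sub(/,$/, "", $(i + 1)); print $(i + 1); exit
      }
  }'
}

# Sanity check before importing: the ID must be a Key Vault resource ID,
# otherwise the import would target a resource of the wrong type.
is_key_vault_id() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.KeyVault/vaults/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the import command. The address is single-quoted because the [0]
# index brackets are glob characters in most shells.
build_import_command() {
  addr=$(extract_address "$1")
  id=$(extract_id "$1")
  [ -n "$addr" ] && is_key_vault_id "$id" || return 1
  printf "terraform import '%s' '%s'\n" "$addr" "$id"
}

build_import_command "$SAMPLE_ERROR"
```

Run it after `terraform plan` fails with the "already exists" error and execute the printed command from the root module. Once the import succeeds, a second `terraform plan` should report no changes; if it instead wants to change `network_acls`, `purge_protection_enabled` or the access policy, the live vault and the configuration disagree, and that difference is worth reviewing before applying rather than letting apply overwrite the vault's existing protections. On Terraform 1.5 and later the same address and ID can be placed in a declarative `import` block so that the plan performs the import, which keeps the operation in version control.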