How to Import an AWS ACM Certificate into Terraform
terraback aws import --method bulk. Terraback writes the matching aws_acm_certificate resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the certificate ARN (for example, arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012).Import AWS ACM Certificate with Terraback (recommended)
Terraback reverse-engineers your live infrastructure: it reads the AWS Certificate Manager resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live AWS ACM Certificate to managed Terraform.
Scan your AWS account
terraback scan all aws --region us-east-1Generate import blocks and import into state
terraback aws import --method bulkThe Terraform import block
Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.
import {
to = aws_acm_certificate.app
id = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
}Example aws_acm_certificate configuration
Here is a realistic AWS ACM Certificate block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.
resource "aws_acm_certificate" "app" {
domain_name = "app.example.com"
validation_method = "DNS"
subject_alternative_names = ["www.example.com"]
lifecycle {
create_before_destroy = true
}
}Gotchas when importing a AWS ACM Certificate
- Import by ARN, not by domain name; the ARN is region-specific and certificates used by CloudFront must live in us-east-1.
- ACM-issued certificates import cleanly, but certificates you imported into ACM yourself cannot be re-created by Terraform and should be protected with prevent_destroy.
- DNS validation records (aws_route53_record) and the aws_acm_certificate_validation resource are separate and are not pulled in by importing the certificate.
- validation_method is not always returned consistently; set it explicitly (DNS or EMAIL) to avoid a post-import diff.
Doing it manually with terraform import
The native approach is to write the aws_acm_certificate block by hand, then run terraform import aws_acm_certificate.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.
Import other AWS resources
Import your whole AWS account in minutes
Terraback scans 80+ AWS resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.