AWSAmazon S3aws_s3_bucket_cors_configurationPro

How to Import an AWS S3 Bucket CORS Configuration into Terraform

To import an existing AWS S3 Bucket CORS Configuration into Terraform, scan it with Terraback and run terraback aws import --method bulk. Terraback writes the matching aws_s3_bucket_cors_configuration resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the bucket name, or bucket name and account ID separated by a comma when expected_bucket_owner is set (for example, my-app-assets or my-app-assets,123456789012).

Import AWS S3 Bucket CORS Configuration with Terraback (recommended)

Terraback reverse-engineers your live infrastructure: it reads the Amazon S3 resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live AWS S3 Bucket CORS Configuration to managed Terraform.

1

Scan your AWS account

terraback scan all aws --region us-east-1
2

Generate import blocks and import into state

terraback aws import --method bulk

The Terraform import block

Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.

import {
  to = aws_s3_bucket_cors_configuration.example
  id = "my-app-assets"
}

Example aws_s3_bucket_cors_configuration configuration

Here is a realistic AWS S3 Bucket CORS Configuration block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.

resource "aws_s3_bucket_cors_configuration" "example" {
  bucket = "my-app-assets"

  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["GET", "PUT"]
    allowed_origins = ["https://example.com"]
    expose_headers  = ["ETag"]
    max_age_seconds = 3000
  }
}

Gotchas when importing a AWS S3 Bucket CORS Configuration

  • CORS is a separate sub-resource of an aws_s3_bucket in the modern provider; import it by bucket name, and the bucket itself imports separately by the same name.
  • If the configuration was created with expected_bucket_owner, the import ID becomes bucket,account-id (comma separated) instead of just the bucket name.
  • Never put CORS rules inline in aws_s3_bucket and also define this resource; the provider deprecated the inline block, and managing both causes a perpetual diff.
  • allowed_methods only accepts the literal HTTP verbs GET, PUT, POST, DELETE, and HEAD; any other value fails validation on the apply after import.

Doing it manually with terraform import

The native approach is to write the aws_s3_bucket_cors_configuration block by hand, then run terraform import aws_s3_bucket_cors_configuration.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.

Import your whole AWS account in minutes

Terraback scans 80+ AWS resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.