How to Import an AWS X-Ray Encryption Config into Terraform
terraback aws import --method bulk. Terraback writes the matching aws_xray_encryption_config resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the AWS region name (for example, us-west-2); X-Ray encryption config is a regional singleton.Import AWS X-Ray Encryption Config with Terraback (recommended)
Terraback reverse-engineers your live infrastructure: it reads the AWS X-Ray resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live AWS X-Ray Encryption Config to managed Terraform.
Scan your AWS account
terraback scan all aws --region us-east-1Generate import blocks and import into state
terraback aws import --method bulkThe Terraform import block
Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.
import {
to = aws_xray_encryption_config.example
id = "us-west-2"
}Example aws_xray_encryption_config configuration
Here is a realistic AWS X-Ray Encryption Config block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.
resource "aws_xray_encryption_config" "example" {
type = "KMS"
key_id = "arn:aws:kms:us-west-2:123456789012:key/0123abcd-4567-89ef-0123-456789abcdef"
}Gotchas when importing a AWS X-Ray Encryption Config
- This is a regional singleton: there is exactly one encryption config per region, and it is imported by the region name (for example, us-west-2), not by an ARN or ID.
- type is NONE or KMS; key_id is required only when type is KMS and must be omitted for NONE, or the apply after import fails validation.
- Because it is account/region-wide, importing it makes Terraform own X-Ray encryption for the entire region, so coordinate to avoid two stacks managing the same config.
- Switching type from KMS back to NONE (or changing the key) re-encrypts trace data going forward; review the plan carefully since it affects all traces in the region.
Doing it manually with terraform import
The native approach is to write the aws_xray_encryption_config block by hand, then run terraform import aws_xray_encryption_config.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.
Import other AWS resources
Import your whole AWS account in minutes
Terraback scans 80+ AWS resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.