How to import existing AWS resources into a CloudFormation stack
Transform manually created AWS resources into manageable, automated infrastructure with CloudFormation's import resource with this step-by-step tutorial.
Infrastructure as code remains an essential component of DevOps best practices, as it ensures consistency across cloud environments and facilitates automation tasks that optimize the launch and management of application components.
Even though the use of CloudFormation, the main AWS service for managing cloud components using IaC, is a widely adopted best practice in many organizations, it is not uncommon to experience situations where important AWS cloud resources are launched manually through the console or using the CLI or SDK. When this happens, you must evaluate if those resources can be managed by a CloudFormation stack instead.
This is where the CloudFormation import resource feature is a very useful tool.
What is the CloudFormation import resource feature?
This import resource feature enables the management of existing AWS resources initially created outside of a CloudFormation stack, allowing them to be updated using the stack's template. This step brings the benefits of IaC to resources that were created manually or using the CLI/SDK.
Resources can be imported to either an existing stack or a new one that is being created. The manual import process requires cloud administrators to provide the full stack template with the configuration blocks for the resources that will be imported. This is supported using the AWS console and the CLI or SDK. Nested stacks also support resource import. There is also an auto-import feature that simplifies the process in the CLI or SDK by requiring only unique identifiers for the resources to be imported, as opposed to the full resource configuration block.
There are several prerequisites for the import operation to succeed. Two essential ones are:
- Resources to be imported must exist in the same AWS account and Region as the stack, and they must not already be managed by CloudFormation. The DeletionPolicy attribute must also be set in the template for each resource that will be imported.
- The IAM identity used for executing the import operation must have CloudFormation permissions to create or update stacks, in addition to read permissions. In most cases, the IAM managed policy AWSCloudFormationFullAccess is required to execute all tasks for CloudFormation imports.
CloudFormation identifies each managed resource by a unique identifier. Which property serves as the identifier depends on the resource type, and its value points to the specific resource that will be managed. The stack template must specify that identifier for every resource being imported; the import cannot succeed without it.
6 steps to import existing AWS resources
Below are the steps required to execute a manual resource import into an existing CloudFormation stack, using the AWS console. This example will import an existing S3 bucket into a CloudFormation stack named cloudformation-import-example.
This stack already had a template that manages the configuration of resources that were created along with the stack itself. This example will import an S3 bucket named s3-bucket-cloudformation-import into the cloudformation-import-example stack.
Step 1. Add S3 bucket configurations
The first step consists of adding the configurations of the S3 bucket that will be imported to the stack template, under the Resources block. In this case:
  S3BucketToBeImportedIntoCloudFormation:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: "Retain"
    Properties:
      BucketName: "s3-bucket-cloudformation-import"
The AWS IaC generator tool simplifies the creation of CloudFormation template configurations for resources by automatically generating template syntax based on existing resource configurations. It is a recommended tool for generating JSON or YAML configurations for resources that will be imported.
For simplicity, the existing S3 bucket had a basic configuration. In most cases, you will need to add a wider range of configuration properties for the resources that will be imported. Note the two requirements mentioned above: the DeletionPolicy attribute must be set, and the unique resource identifier must be specified, which in this case is the BucketName property.
Step 2. Import resources into stack via CloudFormation console
Navigate to the CloudFormation console, select the CloudFormation stack to import resources into and choose the Import resources into stack option under Stack actions.
Step 3. Specify template
On the next page, cloud administrators need to provide the updated template that contains the resources already managed by the stack, plus the resources to import.
Step 4. Confirm the identifiers of the resources
The next step requires confirming the identifiers of the resources to import, which also need to be configured in the template. In this case, the identifier is BucketName and its value is s3-bucket-cloudformation-import.
Step 5. Review updates and complete import
The final step is a review page that displays the updates that will be performed on the stack, which in this case are only those related to the resource import operation. After the import task is triggered, the Events tab in CloudFormation displays the sequence of events that take place during the resource import operation.
Step 6. Run drift detection
After resources are imported into a CloudFormation stack, it is recommended to run drift detection on the stack, which identifies any configuration discrepancies between the stack template and the actual resources in AWS. From the console, this can be triggered by selecting the Detect drift action. The drift status is then displayed under the Stack info tab, ideally showing IN_SYNC.
Drift detection is useful to ensure the template has the same configurations as the active resources imported, which helps avoid potential issues when applying future updates to the stack template. Discrepancies can be fixed by either updating the stack template to match the actual resource configurations or by manually updating the resource so it matches the configurations specified in the template, depending on the actual discrepancy and the desired resource configuration.
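The same six steps can be scripted with the AWS CLI, which is how the import is usually automated. The script below is an added example and not code from the article or from AWS: it uses the stack, bucket and logical ID from the article, checks the two template prerequisites (DeletionPolicy and the BucketName identifier) before calling AWS, submits an IMPORT change set, and finally starts drift detection. The template file name (template.yaml) and the change-set name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article: the CLI equivalent of the console
# import in steps 2-6. Stack, bucket and logical ID come from the article; the
# template file name (template.yaml) and change-set name are assumptions.
set -eu

STACK_NAME="${STACK_NAME:-cloudformation-import-example}"
TEMPLATE_FILE="${TEMPLATE_FILE:-template.yaml}"
CHANGE_SET_NAME="${CHANGE_SET_NAME:-import-s3-bucket}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the aws commands instead of running them

# The ResourcesToImport document: one entry per resource, keyed by the template's
# logical ID and the resource type's unique identifier (BucketName for S3 buckets).
resources_to_import() {
  printf '[{"ResourceType":"AWS::S3::Bucket","LogicalResourceId":"%s","ResourceIdentifier":{"BucketName":"%s"}}]' "$1" "$2"
}

# Catch the two template mistakes the article calls out before touching AWS:
# no DeletionPolicy on the imported resource, or the identifier not in the template.
check_template() {
  grep -q 'DeletionPolicy' "$1" || { echo "DeletionPolicy missing in $1" >&2; return 1; }
  grep -q -- "$2" "$1" || { echo "bucket $2 not referenced in $1" >&2; return 1; }
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "aws $*"; else aws "$@"; fi; }

# Steps 2-5 as one IMPORT change set, then step 6: start drift detection
# (read the result in the console under Stack info, or via
# describe-stack-drift-detection-status with the returned detection ID).
import_bucket() {
  logical_id="$1"; bucket="$2"
  check_template "$TEMPLATE_FILE" "$bucket" || return 1
  run cloudformation create-change-set --stack-name "$STACK_NAME" \
    --change-set-name "$CHANGE_SET_NAME" --change-set-type IMPORT \
    --template-body "file://$TEMPLATE_FILE" \
    --resources-to-import "$(resources_to_import "$logical_id" "$bucket")"
  run cloudformation wait change-set-create-complete \
    --stack-name "$STACK_NAME" --change-set-name "$CHANGE_SET_NAME"
  run cloudformation execute-change-set \
    --stack-name "$STACK_NAME" --change-set-name "$CHANGE_SET_NAME"
  run cloudformation wait stack-import-complete --stack-name "$STACK_NAME"
  run cloudformation detect-stack-drift --stack-name "$STACK_NAME"
}

# Usage: sh import.sh S3BucketToBeImportedIntoCloudFormation s3-bucket-cloudformation-import
if [ "$#" -eq 2 ]; then
  import_bucket "$1" "$2"
fi
```

Run with DRY_RUN=1 first to review the exact commands, since the IAM identity executing them needs the create/update stack permissions described above.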
Ernesto Marquez is owner and project director at Concurrency Labs, where he helps startups launch and grow their applications on AWS. He enjoys building serverless architectures, building data analytics solutions, implementing automation and helping customers cut their AWS costs.