Importing existing confluentcloud_api_key looks like broken

[sertaco]

I have difficulty in importing existing confluentcloud_api_key resources. ccloud api-key list does not give an ID field that can be used and when I use the key attribute, I get only an empty resource in terraform state. Later I realized even an arbitrary identifier "successfully" imports an empty resource.

Example:
terraform import confluentcloud_api_key.api "arbitrary"
gives

confluentcloud_api_key.api: Import prepared!
  Prepared confluentcloud_api_key for import
confluentcloud_api_key.api: Refreshing state... [id=random]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

And when I check this in terraform state:

# confluentcloud_api_key.api:
resource "confluentcloud_api_key" "api" {
    id = "arbitrary"
}

Can you confirm terraform import confluentcloud_api_key is not supported yet? Is it on the roadmap by any chance?
In relation to this, ACL imports are also not supported I suppose. Can you confirm?

[sjahl]

I just ran into this today, and wanted to note that I was seeing the issue as well. You can find the ID that the provider "wants" to use in the confluent web UI when viewing the API key, and it looks like a 6 digit number. Supplying that number on the cli when importing seems to work, but then when running a "terraform plan" after that, the provider thinks it needs to change the id, and recreate the key (which fails if you try to proceed with the plan).

# created an API key using another terraform env, and retrieve the ID, then try to import using that ID
$ terraform import confluentcloud_api_key.imported_admin_key 123456
confluentcloud_api_key.imported_admin_key: Importing from ID "123456"...
confluentcloud_api_key.imported_admin_key: Import prepared!
  Prepared confluentcloud_api_key for import
confluentcloud_api_key.imported_admin_key: Refreshing state... [id=123456]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

# then run a terraform plan after importing 
$ terraform plan

Terraform will perform the following actions:

  # confluentcloud_api_key.imported_admin_key must be replaced
-/+ resource "confluentcloud_api_key" "imported_admin_key" {
      + cluster_id     = "lkc-foobar" # forces replacement
      + environment_id = "env-baz" # forces replacement
      ~ id             = "123456" -> (known after apply)
      + key            = (known after apply)
      + secret         = (sensitive value)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

[Mongey]

In that example @sjahl, it looks like the cluster_id and environment_id are what's going to cause the replacement. I guess I'll need to implement a custom importer for confluentcloud_api_key to take in cluster_id and environment_id ... or figure out if there's an api to read the key back from a given id.

In the meantime, you could manually change your state to populate cluster_id and environment_id, which should stop it from attempting to recreate the key

terraform-provider-confluentcloud/ccloud/resource_api_key.go

Lines 20 to 22 in 0328b5c

	Importer: &schema.ResourceImporter{
	StateContext: schema.ImportStatePassthroughContext,
	},