In modern cloud engineering, Infrastructure as Code (IaC) is more than a best practice—it’s a necessity. But what happens when your AWS infrastructure already exists, created manually through the console or scripts, long before Terraform entered the picture?
This blog post walks through a hybrid solution: using Python and Boto3 to detect and import existing AWS Security Groups into Terraform, then converting them into reproducible, editable .tf files. It’s fast, scalable, and minimizes human error.
🚩 Problem Statement
Many teams start their cloud journey without IaC. As the environment grows, managing resources manually becomes error-prone and unscalable. Transitioning to Terraform becomes inevitable—but re-creating everything manually in .tf files is:
- Time-consuming
- Risky
- Hard to validate
💡 Solution:
Use Python to automate the Terraform import process and dynamically generate configuration files per AWS Security Group.
⚙️ Tech Stack
| Tool | Role |
|---|---|
| Terraform | Infrastructure provisioning |
| Python (Boto3) | AWS resource discovery |
| AWS CLI / IAM Role | Credentials & API access |
| Shell Commands | Automating imports |
🔄 Workflow Overview
- Discover all Security Groups in a region
- Create Terraform directories per group
- Write `provider.tf` and `main.tf`
- Run `terraform import` to sync state
- Output the state into HCL format via `terraform show`
- Format and validate using `terraform fmt`
📜 Python Script Breakdown
Here’s the key automation script, `securitygroupimporter.py`:
```python
import os
import subprocess

import boto3

region = "us-west-1"
client = boto3.client("ec2", region_name=region)

for group in client.describe_security_groups()["SecurityGroups"]:
    dir_name = group["GroupId"]  # one Terraform root module per security group
    os.makedirs(dir_name, exist_ok=True)

    with open(os.path.join(dir_name, "provider.tf"), "w") as file:
        file.write(f'provider "aws" {{\n  region = "{region}"\n}}\n')

    # Minimal resource stub so `terraform import` has an address to bind the state to.
    with open(os.path.join(dir_name, "main.tf"), "w") as file:
        file.write(
            'resource "aws_security_group" "imported_sg_tf" {\n'
            f'  name        = "{group["GroupName"]}"\n'
            f'  description = "{group["Description"]}"\n'
            f'  vpc_id      = "{group.get("VpcId", "")}"\n'
            "}\n"
        )

    # Run Terraform inside the group's directory; check=True aborts on the first failure
    # instead of silently continuing to the next group.
    for step in (["terraform", "init"], ["terraform", "fmt"],
                 ["terraform", "import", "aws_security_group.imported_sg_tf", group["GroupId"]]):
        subprocess.run(step, cwd=dir_name, check=True)

    # Replace the stub with the full resource as recorded in state.
    state = subprocess.run(["terraform", "show", "-no-color"], cwd=dir_name,
                           check=True, capture_output=True, text=True).stdout
    with open(os.path.join(dir_name, "main.tf"), "w") as file:
        file.write(state)
```
🧾 Example Output
The script generates a clean folder structure like:
```
sg-0a1b2c3d4e5f67890/
├── provider.tf   # AWS provider config
└── main.tf       # Full resource definition (after import)
```
This makes it easy to commit, audit, and manage each security group individually.
📦 Terraform Usage
Once the .tf files are created:
```bash
cd sg-0a1b2c3d4e5f67890
terraform plan
terraform apply
```
You can now modify the SG rules as code and re-apply them safely!
📈 Benefits of This Approach
✅ No Manual Rewrites: Automates tedious .tf file generation
✅ Version Control: All SGs under Git with Terraform
✅ Audit-Friendly: Clear, editable .tf source
✅ Repeatable: Works in any region with any account
✅ Safe Migration: No downtime or resource recreation
💡 Possible Enhancements
Here’s how we can take this further:
- ✳️ Add user prompts for selective SG import
- 🔍 Extract individual `ingress`/`egress` rules instead of a full state dump
- 📦 Refactor into reusable Terraform modules
- 📊 Add CloudWatch alerts for drift detection
- ⚙️ Integrate into CI/CD pipeline
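The first enhancement above, extracting individual rules, is worth doing early: `terraform show` prints read-only attributes such as `id`, `arn` and `owner_id` next to the writable ones, so a `main.tf` dumped from it needs hand-editing before `terraform apply` accepts it. The helper below is an added example, not code from the post: it builds the `aws_security_group` resource directly from the `describe_security_groups()` response, emitting only attributes the provider lets you set. `SAMPLE_GROUP` and the identifiers in it are constructed for this example, and per-CIDR rule descriptions are not emitted.

```python
import json

# Constructed sample in the shape boto3's describe_security_groups() returns
# for one group; every value below is made up for this example.
SAMPLE_GROUP = {
    "GroupId": "sg-0a1b2c3d4e5f67890", "GroupName": "web-sg",
    "Description": 'Allow "web" traffic', "VpcId": "vpc-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-0bastion00000000000"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

def hcl_str(value):
    # json.dumps escapes quotes and backslashes; "${" and "%{" must be doubled in HCL.
    return json.dumps(str(value)).replace("${", "$${").replace("%{", "%%{")

def hcl_list(values):
    return "[" + ", ".join(hcl_str(v) for v in values) + "]"

def rule_block(kind, perm):
    """Render one IpPermissions entry as an ingress {} or egress {} block."""
    proto = perm["IpProtocol"]
    # Protocol "-1" (all traffic) carries no ports in the API; Terraform expects 0/0.
    from_port, to_port = (0, 0) if proto == "-1" else (perm.get("FromPort", 0), perm.get("ToPort", 0))
    lines = [f"  {kind} {{", f"    protocol    = {hcl_str(proto)}",
             f"    from_port   = {from_port}", f"    to_port     = {to_port}"]
    if perm.get("IpRanges"):
        lines.append(f"    cidr_blocks = {hcl_list(r['CidrIp'] for r in perm['IpRanges'])}")
    if perm.get("Ipv6Ranges"):
        lines.append(f"    ipv6_cidr_blocks = {hcl_list(r['CidrIpv6'] for r in perm['Ipv6Ranges'])}")
    if perm.get("UserIdGroupPairs"):
        lines.append(f"    security_groups = {hcl_list(p['GroupId'] for p in perm['UserIdGroupPairs'])}")
    lines.append("  }")
    return "\n".join(lines)

def group_to_hcl(group, resource_name="imported_sg_tf"):
    """Emit an aws_security_group resource using only writable attributes."""
    body = [f'resource "aws_security_group" "{resource_name}" {{',
            f"  name        = {hcl_str(group['GroupName'])}",
            f"  description = {hcl_str(group['Description'])}",
            f"  vpc_id      = {hcl_str(group['VpcId'])}"]
    body += [rule_block("ingress", p) for p in group.get("IpPermissions", [])]
    body += [rule_block("egress", p) for p in group.get("IpPermissionsEgress", [])]
    body.append("}")
    return "\n".join(body) + "\n"
```

Write `group_to_hcl(group)` to `main.tf` in place of the `terraform show` dump, then run `terraform plan` to confirm it reports no changes against the imported state.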
🌐 Real-World Use Case
Imagine you’re handed an AWS account with 100+ resources but no existing Terraform config. This script gives you a jumpstart, extracting current state and turning it into a fully manageable codebase — all without starting from scratch.
🔐 Security Considerations
- Use IAM roles with read-only EC2 access
- Validate the Terraform plan before applying changes
- Consider sanitizing or encrypting sensitive outputs if saved
📸 Architecture Diagram
This tool can be a part of a larger provisioning pipeline (e.g., VPCs, EC2, Load Balancers, etc.).
🧪 Try It Yourself
```bash
pip install boto3
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
python securitygroupimporter.py
```
Each SG is imported and converted into Terraform-ready format in its own folder. You can version it, tweak rules, and manage it from here on out like any other .tf module.
🧩 Final Thoughts
Cloud infrastructure is not always born as code — but it should evolve that way. With this approach, we take a real-world AWS environment and transform it into Terraform IaC with minimal friction.
This saves hours of repetitive work and brings undocumented infrastructure under the umbrella of security, compliance, and automation.
🤝 Let’s Connect
If you found this useful or have ideas to improve it, let’s talk!
I’d love to collaborate with other DevOps engineers and cloud enthusiasts.
📬 DM me on LinkedIn or drop a comment below.
#Terraform #AWS #Python #Boto3 #DevOps #InfrastructureAsCode #IaC #CloudMigration #Security #Automation