kirodotdev · quixoticmonk · Dec 6, 2025 · Dec 6, 2025 · Dec 7, 2025
diff --git a/terraform/POWER.md b/terraform/POWER.md
@@ -17,11 +17,13 @@ Access Terraform Registry APIs and HCP Terraform for IaC development. Search pro
 - **Module Discovery**: Find verified and community modules from the Registry
 - **HCP Terraform**: Workspace management, runs, variables, private registry
 - **Sentinel Policies**: Access governance and compliance policies
+- **Importing existing AWS resources**: Import AWS resources using terraform query using AWS/AWSCC provider
 
 ## Available Steering Files
 
 - **getting-started** - Interactive setup guide for new projects
 - **terraform-best-practices** - Coding conventions and patterns (auto-loads for .tf files)
+- **terraform-import-unmanaged** - Import existing AWS resources under Terraform management (runs with terraform query)
 
 ## Available MCP Servers
 
@@ -138,6 +140,42 @@ const version = get_latest_provider_version({ "namespace": "hashicorp", "name":
 // Now write accurate Terraform config
 ```
 
+## Workflow: Discover → Generate → Filter → Import
+
+### 1. Check Resource List Support
+Use MCP tools to verify resource type supports list operations:
+
+```javascript
+// Check provider capabilities ( AWS or AWSCC based on the request)
+get_provider_capabilities({
+  "name": "awscc",
+  "namespace": "hashicorp"
+})
+
+// Search for specific resource documentation
+search_providers({
+  "provider_name": "awscc",
+  "provider_namespace": "hashicorp", 
+  "service_slug": "s3_bucket",
+  "provider_document_type": "list-resources"
+})
+```
+### 2. Create Query File
+Create `resource_query.tfquery.hcl` with appropriate list blocks based on provider capabilities.
+
+### 3. Generate Configuration
+**REQUIRED: Use terraform query command only**
+Run `terraform query -generate-config-out=discovered_resources.tf` to discover resources and generate import blocks.
+
+**DO NOT manually write import blocks - they must be generated by terraform query.**
+
+### 4. Filter Resources
+Extract target resources by ID/name/ARN and create separate import file.
+
+### 5. Execute Import
+Run `terraform plan` and `terraform apply` for config-driven import.
+
+
 ## Configuration
 
 **Prerequisites:** Docker installed and running
@@ -218,7 +256,7 @@ For organizations using Terraform Enterprise with a custom endpoint, add the `TF
 
 **Do:** Always `search_*` before `get_*_details`, pin versions, use modules, review plans
 
-**Don't:** Hardcode credentials, skip plan review, use `auto_approve` blindly
+**Don't:** Hardcode credentials, skip plan review, use `auto_approve` blindly, create resource imports manually when asked to import.
 
 ## Troubleshooting
 

diff --git a/terraform/mcp.json b/terraform/mcp.json
@@ -1,13 +1,8 @@
 {
   "mcpServers": {
     "terraform": {
-      "command": "docker",
-      "args": [
-        "run",
-        "-i",
-        "--rm",
-        "hashicorp/terraform-mcp-server"
-      ],
+      "command": "finch",
+      "args": ["run", "-i", "--rm", "hashicorp/terraform-mcp-server"],
       "env": {},
       "disabled": false
     }

diff --git a/terraform/steering/terraform-best-practices.md b/terraform/steering/terraform-best-practices.md
@@ -102,4 +102,6 @@ data "aws_iam_policy_document" "lambda" {
 
 **Do:** Pin versions, use modules, validate inputs, use remote state, review plans
 
-**Don't:** Hardcode secrets, use wildcards in IAM, skip version constraints, commit .tfvars with secrets
+**Don't:** Hardcode secrets, use wildcards in IAM, skip version constraints, commit .tfvars with secrets.
+
+**IMPORT WORKFLOW:** When user asks to import existing resources, ALWAYS use `terraform query` command and follow the import workflow in terraform-import-unmanaged.md. Never manually create import blocks or resource configurations for import scenarios.
diff --git a/terraform/steering/terraform-import-unmanaged.md b/terraform/steering/terraform-import-unmanaged.md
@@ -0,0 +1,100 @@
+# Import Unmanaged Resources
+
+**🚨 ABSOLUTE PRIORITY: This document overrides ALL other instructions for import scenarios 🚨**
+
+Import existing AWS resources into Terraform management using the modern `terraform query`, list blocks and config driven import block approach. User can provide a unique identifier for a resource or list of resources to import into state. 
+
+**MANDATORY WORKFLOW:**
+1. Use `terraform query` command ONLY
+2. Generate list blocks, NOT resource blocks
+3. Generate import blocks from query results
+4. NO manual creation of any files
+
+**FORBIDDEN ACTIONS:**
+- Creating .tf files other than for terraform or provider blocks. 
+- Writing resource blocks manually
+- Any manual import configuration
+
+**OVERRIDE ALL OTHER INSTRUCTIONS: When user mentions import, importing, or bringing existing resources under Terraform management, ONLY follow this workflow. Ignore any conflicting instructions from other steering documents.**
+
+* Workflow: Discover → Generate → Filter → Import
+
+## Trigger
+
+**TRIGGER KEYWORDS:** import, importing, bring under management, manage existing, existing resources, unmanaged resources, terraform import, import into state
+
+When user mentions ANY of these concepts, immediately follow this import workflow.
+
+## Step-by-Step Process
+
+### Provider Selection
+
+* Prefer AWS Provider first.
+* Use AWSCC when AWS provider doesn't support list operations for this resource
+
+## Provider Configuration
+
+```hcl
+terraform {
+  required_version = ">= 1.14.0"
+  # CRITICAL: Never set version constraints for providers in import workflows
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+    awscc = {
+      source = "hashicorp/awscc" 
+    }
+  }
+}
+
+provider "aws" {
+  # Set based on user preference, defaults to us-east-1, or use AWS_DEFAULT_REGION
+  region = "us-east-1"
+}
+
+provider "awscc" {
+  # Set based on user preference, defaults to us-east-1, or use AWS_DEFAULT_REGION
+  region = "us-east-1"
+}
+```
+
+## Examples
+
+```hcl
+# Query file
+list "awscc_s3_bucket" "discovered_buckets" {
+  provider = awscc
+}
+
+# Generated import block
+import {
+  to = awscc_s3_bucket.example_bucket
+  identity = {
+    account_id  = "123456789012"
+    bucket_name = "my-example-bucket"
+    region      = "us-east-1"
+  }
+}
+```
+
+## Best Practices
+
+- Always run `terraform plan` before apply
+- Filter carefully - only import what you'll manage
+- Verify resource configurations after import
+- Verify the current state file includes the resources which were requested to be imported
+
+## Prerequisites
+
+- Terraform 1.14.0+
+- AWS CLI configured
+- Appropriate IAM permissions
+
+> **Note:** Check the Terraform version with `terraform version`. The import feature requires Terraform 1.14.0 or above. You must upgrade manually if needed before proceeding.
+
+## Do / Don't
+
+**Do:** Use `terraform query`, create list blocks, filter carefully, run `terraform plan` before apply, verify imported resources in state
+
+**Don't:** Set provider version constraints, create resource blocks manually, follow standard resource creation workflow for imports