Run one import per error block, then plan and apply. The table below covers all four
roles this TF package can create — only the ones that appear in your errors need to
be imported:
│
│ Error: creating IAM Role (jsh-migr-test): operation error IAM: CreateRole,
│ https response error StatusCode: 409,
│ RequestID: e67cdb68-57b3-4328-8386-ef6f7812141a,
│ EntityAlreadyExists: Role with name jsh-migr-test already exists.
│
│ with aws_iam_role.cross_account_assume_role[0],
│ on iam.tf line 80, in resource "aws_iam_role" "cross_account_assume_role":
│ 80: resource "aws_iam_role" "cross_account_assume_role" {
│
Fix:
terraform import 'aws_iam_role.cross_account_assume_role[0]'
'jsh-migr-test'
Error 2
│
│ Error: creating IAM Role (jsh-migr-test_ip_tag): operation error IAM: CreateRole,
│ https response error StatusCode: 409,
│ RequestID: 68e03add-cfd6-466f-abd1-3f1bb79d52f7,
│ EntityAlreadyExists: Role with name jsh-migr-test_ip_tag already exists.
│
│ with aws_iam_role.cross_account_assume_role_ip_tag[0],
│ on iam.tf line 128, in resource "aws_iam_role" "cross_account_assume_role_ip_tag":
│ 128: resource "aws_iam_role" "cross_account_assume_role_ip_tag" {
│
Fix:
terraform import
'aws_iam_role.cross_account_assume_role_ip_tag[0]'
'jsh-migr-test_ip_tag'
GCP Required Actions
- After migration completes, your existing GCP cloud account will be disabled and
cannot be re-enabled.
- Onboard a new GCP account following the standard GCP onboarding guide.
- Configure Cloud IP Tag (CIPT) service on the new GCP account.
- Verify CIPT is operating correctly.
- Delete the old (disabled) GCP account from the SCM portal.
CIPT on the old account will continue to function until you
complete re-onboarding.
Expected Error/Resolution while re-applying the GCP cloud onboarding
Terraform
- Reapply/edit disabled account after onboarding (GCP)
- You may encounter errors while trying to reapply terraform for the onboarded
accounts, if .tfstate file is not provided; both should be
imported using:
Error: Error creating Topic: googleapi: Error 409: Resource already exists in the project (resource=panw-discovery-<tsg_id>-asset-feed)
Error: Custom project role projects/<project>/roles/panw_discovery_<tsgId> already exists and must be imported
Both need to be imported using:
- terraform import
'google_project_iam_custom_role.iam_role_cloudasset-assets_list[0]'
projects/<project>/roles/panw_discovery_<tsgId>
- terraform import google_pubsub_topic.asset_feed_pub_sub_topic
projects/<project>/topics/panw-discovery-<tsgId>-asset-feed
General loud IP Tag (CIPT) Updates
When migrating from the legacy SCM
environment to the MSF consider the following:
- Azure: CIPT continues to function even when the Azure account is disabled
post-migration. After adding the new perimeter firewall IPs and re-enabling
the account, CIPT resumes automatically. The CIPT enable-account call is
ignored if CIPT is already active.
- AWS: No impact. CIPT continues to function normally post-migration.
- GCP: CIPT continues to function on the old (disabled) GCP account
post-migration. To operate CIPT on the new MSF infrastructure, you must
onboard a new GCP account, configure CIPT on it, and then delete the old
account.
Delicensing Blackout
Delicensing is unavailable during the migration maintenance window. If you need to
delicense a product or remove a tenant, complete that action before the maintenance
window begins. Contact support if you have time-sensitive delicensing
requirements.