terraform

Hi, I’m trying to use the Terraform provider with an existing ZITADEL org/project/OIDC app and all imports fail, even though terraform plan can create new resources.

Setup

Terraform: v1.14.0
Provider: zitadel/zitadel v2.3.0

Provider config:
provider "zitadel" {
domain = "domain.us1.zitadel.cloud"
jwt_profile_file = "service-account.json"
}

Service User Configuration:
Access token type: JWT
Permissions: Has Org Owner on org and Project Owner Global on project.

What works

Terraform plan against this config shows it would create a new org/project/app, so auth + domain look fine.
Calling https://domain.us1.zitadel.cloud/.well-known/openid-configuration returns 200.

What fails

Import org:

terraform import zitadel_org.imported '12345678912345678'
Error:error while getting org by id 12345678912345678: ErrorType=server_error Description=Errors.Internal

Import project (after commenting out org resource so it’s not managed):

terraform import zitadel_project.imported '12345678912345678'
Error: failed to get project

Import OIDC app:

terraform import zitadel_application_oidc.imported '12345678912345678:12345678912345678:12345678912345678'
Error:failed to get application oidc

Even if I switch to a different service User(with no roles), I still get the same Errors.Internal / failed to get ... messages, which makes me think this is not just a permission issue.

Questions

Is there any known issue with imports for existing org/project/app on hosted ZITADEL?
Are these IDs/commands in the correct format for v2.3.0 of the Terraform provider?

Ask Inkeep•12/5/25, 7:24 AM

Hi @kashish, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•12/5/25, 7:24 AM

Answer

I wasn't able to find a direct answer about import failures with the v2.3.0 Terraform provider in the available sources. Here are some relevant resources:

ZITADEL Terraform Provider (1) : The official documentation covers basic setup and usage but doesn't specifically address import command formats or troubleshooting import failures.
getting started with zitadel terraform provider (2) : This discussion shows a user who experienced state-related issues with Terraform and resolved them by deleting state files and re-running terraform initterraform init.

Since your terraform planterraform plan works but imports fail with "Errors.Internal", this suggests the authentication and API connectivity are functional. The issue might be related to:

Terraform state conflicts
Provider version compatibility with import commands
Specific import syntax requirements for v2.3.0

I'd recommend clicking the "Ask for help" button to tag a team member who can provide specific guidance on the correct import syntax for v2.3.0 and troubleshoot the "Errors.Internal" error you're encountering.

Ask Inkeep•12/5/25, 7:24 AM

To learn more, see the sources I considered:

[1] ZITADEL Terraform Provider
[2] getting started with zitadel terraform provider

Ask Inkeep•12/5/25, 7:24 AM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep To learn more, see the sources I considered: [[1] ZITADEL Terraform Provider]...

Ask InkeepAPP•12/5/25, 7:27 AM

Got it. Tagging @Rajat for additional help.

Rajat•12/5/25, 10:32 AM

hey @kashish thanks for your question, I will look into it and will get back to you.

RRajat hey <@1446394855264882772> thanks for your question, I will look into it and wil...

kashishOP•12/5/25, 1:32 PM

Thanks @Rajat , looking forward for your help

Rajat•12/5/25, 2:49 PM

cc @Mridang Agarwalla

Mridang Agarwalla•12/7/25, 11:01 PM

Hi @kashish,
We've investigated your import issues and tested against ZITADEL Cloud. The imports actually work correctly when configured properly. The problem is likely related to permissions or incorrect resource IDs, but the error messages don't make this clear.
We tested on ZITADEL Cloud with a service account that has Org Owner and Project Owner roles. Human user, project, and OIDC application imports all succeeded. Organization imports failed as expected since they require instance-level permissions that service accounts on Cloud can't have.
For OIDC applications, the correct format is app_id:project_id or app_id:project_id:org_id. The order matters - app_id must come first. For projects, use project_id or project_id:org_id.
Based on your errors, verify that your service account is a member of the organization containing the resources you're importing. Check Organization Managers in your org settings to confirm your service account is listed with appropriate roles. Also ensure you're using the correct resource IDs from the organization your service account can access.
You mentioned testing with a service user with no roles, which would definitely cause these "failed to get" errors since that account has no permission to read anything.
We're improving these error messages to make them more actionable: https://github.com/zitadel/terraform-provider-zitadel/pull/309
Can you verify your service account has Org Owner and Project Owner Global roles and that you're using resource IDs that exist in your organization?

GitHub

fix: propagate underlying error in diag.Errorf returns across resou...

This pull-request addresses an issue where many of the read functions for Terraform resources were discarding the underlying Go error (err) when returning a diagnostic error via diag.Errorf.
The or...

MMridang Agarwalla Hi @kashish, We've investigated your import issues and tested against ZITADEL Cl...

kashishOP•12/8/25, 7:13 AM

Hey , I doubled checked above but everything seems to be fine. I also checked the service-user key and that is also correct.
This is my project block

Zitadel Project inside organization

resource "zitadel_project" "imported" {
org_id = var.organization_id
name = var.project_name
}

Also tried commenting out org_id still same error.
Am I missing something?

Mridang Agarwalla•12/8/25, 9:10 PM

Hi @kashish that is seems confusing. We will roll pout that pull-request soon so you will get more meaningful errors. I think that will allow us to debug this.