Why does 'terraform state mv' say 'Resource not found' even though the resource exists in my AWS console?

The error refers to the resource not being found in the Terraform state file, not in AWS. The state file tracks resources by their Terraform address (e.g., 'module.compute.aws_instance.web["prod"]'). If the address you supplied to 'state mv' doesn't exactly match the key stored in state — due to a module restructure, count/for_each migration, or provider upgrade — Terraform cannot locate it. Run 'terraform state list' to get the exact address string and use that as your source argument.

Should I use 'terraform state mv' or a 'moved {}' block to refactor resources into modules?

Use 'moved {}' blocks (available in Terraform 1.1+) for all routine refactors. They live in your .tf files, are committed to version control, are reviewable in PRs, and are applied automatically during 'terraform apply' — no manual CLI commands required. Reserve 'terraform state mv' for emergency corrections or environments where you cannot modify the codebase. After the 'moved {}' block is applied successfully, remove it in the next PR cycle.

How do I safely perform a bulk state move for a large module restructure without corrupting state?

Always pull a timestamped backup first with 'terraform state pull > backup.tfstate'. Then use a validated shell script that calls 'terraform state list | grep -qxF' to confirm each source address exists before attempting the move. Log every operation. After all moves, run 'terraform plan' and verify the output shows zero destroys and zero creates before applying. For Terraform Cloud/Enterprise, use Sentinel policies to block applies that exceed a safe destroy threshold as a final safety net.

How to Fix 'terraform state mv' Resource Not Found Error After Manual Infrastructure Changes

Threat/Impact Level: HIGH | Downtime Risk: HIGH | Time to Fix: 10–20 mins

TL;DR

What broke: terraform state mv cannot locate the source resource because the address you supplied does not match the key Terraform actually stored in state — typically caused by a manual resource rename, module refactor, or provider upgrade that changed the resource type string.
How to fix it: Run terraform state list to dump every real address in state, find the correct source key, then re-run terraform state mv <correct_source> <destination>.
Fast path: Use our Client-Side Sandbox below to auto-refactor this — paste your terraform.tfstate or terraform state list output and get the corrected state mv commands generated locally without sending your state file to any external server.

The Incident (What Does the Error Mean?)

You ran something like:

$ terraform state mv 'aws_instance.web' 'module.compute.aws_instance.web'

And got hit with:

Error: Invalid target address

The given source address does not match any resource instance in the state.

Resource not found: aws_instance.web

Or in older Terraform versions (< 1.x):

Failed to move resource: Resource 'aws_instance.web' not found in state.

Immediate consequence: The state move does not execute. Your pending refactor — moving a resource into a module, renaming it, or migrating to a new provider resource type — is blocked. If you already removed the original resource block from your .tf files, your next terraform plan will show a destructive destroy for the live infrastructure. You are one terraform apply away from deleting production resources.

The Attack Vector / Blast Radius

This is not a security exploit vector, but the blast radius is severe:

Unintended destroy-then-recreate: Terraform sees the resource missing from state but present in config (or vice versa). It plans a destroy + create. For stateful resources — RDS instances, EBS volumes, Elasticache clusters — this means data loss or multi-hour downtime.
State drift compounds the problem: If the manual change (console rename, AWS tag update, provider upgrade) also mutated the resource ID stored in state, a blind state mv with the wrong address silently corrupts state by creating a duplicate or orphaned entry.
Team blast radius in remote state: With S3+DynamoDB or Terraform Cloud as the backend, a botched state operation affects every engineer on the team simultaneously. State lock doesn't protect against writing garbage — it only prevents concurrent writes.
Root causes that produce this error:
- Module restructure: Resource moved into or out of a module changes its address from aws_instance.web to module.compute.aws_instance.web.
- count or for_each migration: Address changes from aws_instance.web to aws_instance.web[0] or aws_instance.web["prod"].
- Provider upgrade: Resource type renamed (e.g., aws_elasticache_cluster → aws_elasticache_replication_group semantics shift, or hashicorp/aws 3.x → 4.x type splits).
- Manual state edit gone wrong: Someone ran terraform state rm or edited the JSON directly and the key is now gone or malformed.
- Workspace mismatch: You are in workspace default but the resource lives in workspace prod.

How to Fix It (The Solution)

Step 0: Back up state before touching anything

# Remote backend — pull a local copy first
terraform state pull > terraform.tfstate.backup.$(date +%Y%m%d%H%M%S)

Do not skip this. State corruption without a backup is unrecoverable.

Step 1: Discover the real address

# List every resource address currently in state
terraform state list

# If you suspect a module path or index issue, grep for partial name
terraform state list | grep -i 'web'

# Inspect the full attributes of a candidate resource
terraform state show 'module.compute.aws_instance.web["prod"]'

The output of terraform state list gives you the exact string you must use as the source address in state mv.

Basic Fix

Once you have the correct source address from state list:

- terraform state mv 'aws_instance.web' 'module.compute.aws_instance.web'
+ terraform state mv 'module.legacy.aws_instance.web' 'module.compute.aws_instance.web'

For a count-indexed resource:

- terraform state mv 'aws_instance.web' 'aws_instance.web[0]'
+ # First confirm the exact index in state:
+ # terraform state list | grep aws_instance.web
+ terraform state mv 'aws_instance.web' 'aws_instance.web[0]'

(The command may be identical — the fix is confirming the source address matches exactly what state list returns before running it.)

For a for_each migration from count:

- terraform state mv 'aws_instance.web[0]' 'aws_instance.web["prod"]'
+ terraform state mv 'aws_instance.web[0]' 'aws_instance.web["prod"]'
# Verify with: terraform state show 'aws_instance.web["prod"]' after the move

Enterprise Best Practice: Scripted Bulk State Moves with Validation

For module refactors affecting dozens of resources, never run state mv commands manually one-by-one. Use a validated script:

- # Manual, error-prone one-liner with hardcoded addresses
- terraform state mv 'aws_instance.web' 'module.compute.aws_instance.web'
- terraform state mv 'aws_security_group.web' 'module.compute.aws_security_group.web'

+ #!/usr/bin/env bash
+ # enterprise_state_mv.sh — validate before move, log every operation
+ set -euo pipefail
+
+ BACKUP="terraform.tfstate.backup.$(date +%Y%m%d%H%M%S)"
+ echo "[INFO] Pulling state backup to ${BACKUP}"
+ terraform state pull > "${BACKUP}"
+
+ declare -A MOVES=(
+   ["aws_instance.web"]="module.compute.aws_instance.web"
+   ["aws_security_group.web"]="module.compute.aws_security_group.web"
+ )
+
+ for src in "${!MOVES[@]}"; do
+   dst="${MOVES[$src]}"
+   # Validate source exists before attempting move
+   if terraform state list | grep -qxF "${src}"; then
+     echo "[MOVE] ${src} -> ${dst}"
+     terraform state mv "${src}" "${dst}"
+   else
+     echo "[SKIP] Source not found in state: ${src}" >&2
+   fi
+ done
+
+ echo "[INFO] Post-move state list:"
+ terraform state list

For Terraform 1.1+, prefer moved blocks in HCL over imperative state mv — they are version-controlled, reviewable, and automatically applied during plan/apply:

- # Imperative, untracked, not in version control
- terraform state mv 'aws_instance.web' 'module.compute.aws_instance.web'

+ # In versions.tf or a dedicated moved.tf — tracked in Git, applied automatically
+ moved {
+   from = aws_instance.web
+   to   = module.compute.aws_instance.web
+ }

💡 Tired of pasting proprietary configs into ChatGPT? Generic AI tools log your company's ARNs, DB strings, and private keys. StackEngine is a zero-backend, pure Client-Side WASM utility. Drop your failing config into the sandbox above. We redact your secrets locally in the browser and auto-generate the refactored code using your own API key.

Prevention in CI/CD

1. Enforce `moved` blocks over imperative `state mv` in code review

Add a PR checklist item: "Any resource rename/module move must use a moved {} block, not a manual state mv command." moved blocks are auditable, reversible (remove the block after one apply cycle), and prevent this entire class of error.

2. Checkov / tfsec scan for state hygiene signals

While Checkov doesn't directly lint state addresses, add a pre-plan script in CI:

# .github/workflows/terraform.yml
- name: Validate state addresses match config
  run: |
    terraform init -backend=false
    # Fail if any resource in state has no corresponding config block
    # (signals a missing moved{} block or accidental state rm)
    terraform plan -detailed-exitcode 2>&1 | grep -E '^  # .* will be destroyed' && \
      echo '::error::Destroy detected — verify moved{} blocks are present' && exit 1 || true

3. OPA / Sentinel policy: block apply if destroy count exceeds threshold

# sentinel/no-mass-destroy.sentinel
import "tfplan/v2" as tfplan

max_destroys = 2

destroy_count = length(filter tfplan.resource_changes as _, rc {
  rc.change.actions contains "delete"
})

main = rule {
  destroy_count <= max_destroys
}

This gates terraform apply in Terraform Cloud/Enterprise if a botched state move causes unexpected destroys.

4. Lock state backend and require MFA for state operations

# In your S3 backend config
terraform {
  backend "s3" {
    bucket         = "my-tf-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "tf-state-lock"
    encrypt        = true
    # Require MFA delete on the S3 bucket at the bucket policy level
    # to prevent accidental state wipes
  }
}

5. `terraform state list` as a pre-flight check in every pipeline

Make terraform state list | wc -l a pipeline step that outputs resource count and fails if count drops by more than N% between runs — a cheap canary for accidental state truncation.