How to import random_id with keepers

Question

I have the current config applied elsewhere:

resource "random_id" "certificate" {
  byte_length = 3
  prefix      = "my-cert-prefix-"

  keepers = {
    "domains": "api.domain.com"
  }
}

.. and now I need to import to the current state.

Running the "show" cmd, we can see something like:

resource "random_id" "certificate" {
    b64         = "my-cert-prefix-3YvH"
    b64_std     = "my-cert-prefix-3YvH"
    b64_url     = "my-cert-prefix-3YvH"
    byte_length = 3
    dec         = "my-cert-prefix-14519239"
    hex         = "my-cert-prefix-dd8bc7"
    id          = "3YvH"
    keepers     = {
        "domains" = "api.domain.com"
    }
    prefix      = "my-cert-prefix-"
}

the docs are saying to import running something like:

terraform import module.XXX.random_id.certificate "my-cert-prefix-,3YvH"

how can I add the "keepers" attribute to the current state ?

(edit: adding current plan after importing)

# module.XXXX.google_compute_managed_ssl_certificate.service must be replaced
+/- resource "google_compute_managed_ssl_certificate" "service" {
      ~ certificate_id            = 5697321803048287000 -> (known after apply)
      ~ creation_timestamp        = "2020-09-22T11:35:18.396-07:00" -> (known after apply)
      ~ expire_time               = "2020-12-21T09:42:04.000-08:00" -> (known after apply)
      ~ id                        = "projects/XX/global/sslCertificates/XXXX-dd8bc7" -> (known after apply)
      ~ name                      = "my-cert-prefix-dd8bc7" -> (known after apply) # forces replacement
        project                   = "XXXX"
      ~ self_link                 = "https://www.googleapis.com/compute/v1/projects/XXX/global/sslCertificates/my-cert-prefix-dd8bc7" -> (known after apply)
      ~ subject_alternative_names = [
          - "api.domain.com",
          - "europe-west1-api.domain.com",
          - "us-east1-api.domain.com",
          - "us-west1-api.domain.com",
        ] -> (known after apply)
        type                      = "MANAGED"

        managed {
            domains = [
                "api.domain.com",
                "europe-west1-api.domain.com",
                "us-east1-api.domain.com",
                "us-west1-api.domain.com",
            ]
        }

      - timeouts {}
    }

# module.XXXX.random_id.certificate must be replaced
+/- resource "random_id" "certificate" {
      ~ b64         = "my-cert-prefix-3YvH" -> (known after apply)
      ~ b64_std     = "my-cert-prefix-3YvH" -> (known after apply)
      ~ b64_url     = "my-cert-prefix-3YvH" -> (known after apply)
        byte_length = 3
      ~ dec         = "my-cert-prefix-14519239" -> (known after apply)
      ~ hex         = "my-cert-prefix-dd8bc7" -> (known after apply)
      ~ id          = "3YvH" -> (known after apply)
      + keepers     = {
          + "domains" = "api.domain.com"
        } # forces replacement
        prefix      = "my-cert-prefix-"
    }