modules/tasks requiring global scope fail for devices in multi-vdom mode

[jgun-at-redhat]

Scenario 1: fortios_system_snmp_user module (resolved with config change)

• attempting to create an SNMP user results in "Error in repo" response
• "scope global" not present in gui for fortios 6.x
• requires config from cli similar to following before it will work:

  config system accprofile
  edit "ansible-profile"
      set scope global

• could be resolved with a "setup" or "requirements" section in collection readme?

Scenario 2: fortios_system_admin module (not yet resolved)

• attempting to create an admin user results in "Error in repo" response, even with "set scope global" present in ansible admin accprofile

  - name: Configure admin users - result in error in repo
  fortios_system_admin:
    vdom:  "root"
    state: "present"
    system_admin:
      [SNIP]

• tried various permutations of vdom parameters, specifying "vdom: global" results in an error that lists a VDOM that is not referenced in the play, and is neither "root" nor "global" (obfuscated here as "SOMEVDOMNAME") "cli_error": "current vf=SOMEVDOMNAME\nentry not found in datasource

  - name: Configure admin users - results in entry not found in datasource
  fortios_system_admin:
    vdom:  "global"
    state: "present"
    system_admin:
      [SNIP]

thoughts

Everything I have written and tested against my "non-vdom" fortigate VM instance seems to work in accordance with the documentation and examples. Some of those same playbooks run against a "multi-vdom" instance deployed from the same source, with an otherwise identical config fail, while others are successful. The common denominator for those things that fail are the tasks where the equivalent CLI command would need to be run in the "config global" context.

[MaxxLiu22]

Hi @jgun-at-redhat ,

Thank you for raising this issue, for Scenario 2, I can reproduce this problem. I find if I give the API user with the predefined "super_admin" profile, this error will not happen, and giving an API user with "super_admin" profile can only be achieved through CLI, that may be a protection design, "super_admin" may have a privilege to achieve this operation, I will report it to the API team for further investigation and let you know If I get any answer from them. Let me know if you still have questions.

test1 (global) # config system api-user 

test1 (api-user) # edit api_ansible 

test1 (api_ansible) # set accprofile super_admin 

test1 (api_ansible) # end

test1 (global) #

Thanks, Maxx

[jgun-at-redhat]

Great! It looks like I can use this as a workaround for now.

I'd like to see what can be done here so the API user does not have to be a super admin. (principle of least privilege and all that as this is a security device) I'll keep an eye out here to see if there's anything I can do to assist with testing or resolution.

Cheers!