Closed jgun-at-redhat closed 8 months ago
Hi @jgun-at-redhat ,
Thank you for raising this issue. For Scenario 2, I can reproduce this problem. I find that if I give the API user the predefined "super_admin" profile, this error will not happen, and giving an API user the "super_admin" profile can only be achieved through the CLI. That may be a protection design; "super_admin" may have a privilege to achieve this operation. I will report it to the API team for further investigation and let you know if I get any answer from them. Let me know if you still have questions.
test1 (global) # config system api-user
test1 (api-user) # edit api_ansible
test1 (api_ansible) # set accprofile super_admin
test1 (api_ansible) # end
test1 (global) #
Thanks, Maxx
Great! It looks like I can use this as a workaround for now.
I'd like to see what can be done here so the API user does not have to be a super admin (principle of least privilege and all that, as this is a security device). I'll keep an eye out here to see if there's anything I can do to assist with testing or resolution.
Cheers!
Scenario 1: fortios_system_snmp_user module (resolved with config change)
Scenario 2: fortios_system_admin module (not yet resolved)
"cli_error": "current vf=SOMEVDOMNAME\nentry not found in datasource
thoughts
Everything I have written and tested against my "non-vdom" FortiGate VM instance seems to work in accordance with the documentation and examples. Some of those same playbooks, run against a "multi-vdom" instance deployed from the same source with an otherwise identical config, fail, while others are successful. The common denominator for those things that fail is that they are tasks where the equivalent CLI command would need to be run in the "config global" context.