fortinetdev / terraform-provider-fortimanager

Mozilla Public License 2.0

fortimanager_securityconsole #18

Closed ozid closed 2 years ago

ozid commented 2 years ago

Hello,

I figured out how to manipulate objects and policies, but I am having trouble understanding how to install/commit the policy package to the FortiGate.

I'm not sure I understand the equivalent of doing:

I tried this:

resource "fortimanager_securityconsole_install_package" "default" {
  fmgadom           = "<adom_name>"
  adom_rev_comments = "blabla"
  adom_rev_name     = "blabla"
  dev_rev_comments  = "blabla"
  flags             = ["auto_lock_ws", "check_pkg_st", "copy_assigned_pkg", "cp_all_objs", "generate_rev", "preview"]
  pkg               = "<policy_package_name>"
  force_recreate    = uuid()
  scope {
    name = "<firewall_name>"
    vdom = "<vdom_name>"
  }
  depends_on = [fortimanager_exec_workspace_action.unlockres]
}

resource "fortimanager_securityconsole_package_commit" "defaultcommit" {
  fmgadom        = "<adom_name>"
  force_recreate = uuid()
  scope {
    name = "<firewall_name>"
    vdom = "<vdom_name>"
  }
  depends_on = [fortimanager_securityconsole_install_package.default]
}

But this does not install the policy package on the device. In the FortiManager task monitor:

The task keeps loading forever without success. I had to delete the task.

In the event logs I see: No Installation Targets on package

I'm also not sure whether I should include the "preview" flag together with the other flags or whether it should be used alone.

There is something I don't understand about package install. Can someone help me or provide an example of a working configuration to apply a policy to a device/VDOM (all settings, including objects, policies and so on)?

Thank you,

ozid commented 2 years ago

I noticed the error "No Installation Targets on package" is there because there was no new policy to add.

I added a policy and ran terraform again, and I noticed the task is stuck.

But the event log seems to show a successful commit.

And this is the full trace on FortiManager when I run the apply:

FMG-VM64-AWS # diagnose debug application securityconsole 255
FMG-VM64-AWS # diagnose debug enable
FMG-VM64-AWS #
FMG-VM64-AWS #
FMG-VM64-AWS #
FMG-VM64-AWS # __send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"lock","params":{"adom_oid":1714,"dev_oid":1714,"obj_oid":0}}
__send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"unlock","params":{"adom_oid":1714,"dev_oid":1714,"obj_oid":0}}
__send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"lock","params":{"adom_oid":1714,"dev_oid":1714,"obj_oid":0}}
__send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"unlock","params":{"adom_oid":1714,"dev_oid":1714,"obj_oid":0}}
Request:
{ "client": "\/usr\/local\/apache2\/bin\/httpd:29305", "method": "exec", "params": [{ "data": { "adom": "MYADOM", "adom_rev_comments": "rev by terraform", "adom_rev_name": "terraform-tefv", "dev_rev_comments": "applied by terraform", "flags": ["check_
pkg_st", "preview", "auto_lock_ws", "copy_assigned_pkg", "generate_rev", "cp_all_objs"], "pkg": "MYADOM-POLICYPACKAGE", "scope": [{ "name": "MYADOM", "vdom": "WAN"}]}, "target start": 1, "url": "\/securityconsole\/install\/package"}], "session": "Xx+
Qew1NGrYEICJYw4LMMGw7sd56f4s6dfsdfvpIeNqS6Yg==", "src": "my_ip", "verbose": 1}
Chkperm Response:
{ "result": [{ "status": { "code": 0, "message": "OK"}, "url": "\/securityconsole\/install\/package"}], "session": 34889}
Response:
{ "result": [{ "data": { "task": 4466}, "status": { "code": 0, "message": "OK"}, "url": "\/securityconsole\/install\/package"}]}
__send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"lock","params":{"adom_oid":1714,"dev_oid":1714,"obj_oid":0}}
SECURITY_CONSOLE: securityconsole.c:827, mm start adom_id=1714, pkg=4251, flags=301b "cp_all_objs preview generate_rev cp_assigned_pkg "
Request:
{ "client": "\/usr\/local\/apache2\/bin\/httpd:29305", "method": "exec", "params": [{ "data": { "adom": "MYADOM", "scope": [{ "name": "MYADOM", "vdom": "WAN"}]}, "target start": 1, "url": "\/securityconsole\/package\/commit"}], "session": "Xx+Qew1NGr
YEICJYw4LMMGw7sd56f4s6dfsdfvpIeNqS6Yg==", "src": "my_ip", "verbose": 1}
Chkperm Response:
{ "result": [{ "status": { "code": 0, "message": "OK"}, "url": "\/securityconsole\/package\/commit"}], "session": 34889}
Response:
{ "result": [{ "data": { "task": 4467}, "status": { "code": 0, "message": "OK"}, "url": "\/securityconsole\/package\/commit"}]}
SECURITY_CONSOLE: security_console_reclaim_child,597: try to reclaim child...
SECURITY_CONSOLE: reap child 2141 (0)
SECURITY_CONSOLE: refresh wait queue, triggered session=34889
SECURITY_CONSOLE: Load shared objects time: 0 hours 0 minutes 0.117980 seconds.
SECURITY_CONSOLE: Load device candidates n=1 SECURITY_CONSOLE: : 0 hours 0 minutes 0.000948 seconds.
SECURITY_CONSOLE: Load device candidates time: 0 hours 0 minutes 0.001103 seconds.
SECURITY_CONSOLE: create task lines done,r=0
SECURITY_CONSOLE:
Create task lines time:: 0 hours 0 minutes 0.004497 seconds.
SECURITY_CONSOLE: Getting firewall policy list: n=4.
SECURITY_CONSOLE: Getting firewall policy64 list: n=0.
SECURITY_CONSOLE: Getting firewall policy46 list: n=0.
SECURITY_CONSOLE: Getting firewall multicast-policy list: n=0.
SECURITY_CONSOLE: Getting firewall multicast-policy6 list: n=0.
SECURITY_CONSOLE: Getting firewall proxy-policy list: n=0.
SECURITY_CONSOLE: Getting firewall local-in-policy list: n=0.
SECURITY_CONSOLE: Getting firewall local-in-policy6 list: n=0.
SECURITY_CONSOLE: Getting firewall shaping-policy list: n=0.
SECURITY_CONSOLE: Getting firewall security-policy list: n=0.
SECURITY_CONSOLE: Getting firewall interface-policy list: n=0.
SECURITY_CONSOLE: Getting firewall interface-policy6 list: n=0.
SECURITY_CONSOLE: Getting firewall DoS-policy list: n=0.
SECURITY_CONSOLE: Getting firewall DoS-policy6 list: n=0.
SECURITY_CONSOLE: Getting webfilter ftgd-local-rating list: n=0.
SECURITY_CONSOLE: Getting user radius list: n=0.
SECURITY_CONSOLE: Getting firewall central-snat-map list: n=0.
SECURITY_CONSOLE: Getting user fsso-polling list: n=0.
SECURITY_CONSOLE: Getting system sdn-connector list: n=0.
SECURITY_CONSOLE: Getting endpoint-control fctems list: n=0.
SECURITY_CONSOLE: Getting firewall internet-service-custom list: n=0.
SECURITY_CONSOLE: Getting firewall internet-service-addition list: n=0.
SECURITY_CONSOLE: Getting firewall shaping-profile list: n=0.
SECURITY_CONSOLE: Getting dynamic interface list: n=99.
SECURITY_CONSOLE: Getting system replacemsg-group list: n=2.
SECURITY_CONSOLE: Getting authentication rule list: n=0.
SECURITY_CONSOLE: Getting authentication setting list: n=0.
SECURITY_CONSOLE: Getting log npu-server list: n=0.
SECURITY_CONSOLE:
Prepare global policies time: 0 hours 0 minutes 0.021590 seconds.
SECURITY_CONSOLE: (2148) pid=1, devid = 1665, idx=0, max_cpu=8.
SECURITY_CONSOLE: [2] pid=2149: installed=0, err=0, copied=0, failed=0
SECURITY_CONSOLE: [3] pid=2150: installed=0, err=0, copied=0, failed=0
__send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"lock","params":{"adom_oid":1714,"dev_oid":1665,"obj_oid":0}}
SECURITY_CONSOLE: [4] pid=2151: installed=0, err=0, copied=0, failed=0
SECURITY_CONSOLE: reap child 2149 (0)
SECURITY_CONSOLE: __read_copy_result,1893:Installed=0, err=0, copied=0, failed=0
SECURITY_CONSOLE: reap child 2150 (0)
SECURITY_CONSOLE: __read_copy_result,1893:Installed=0, err=0, copied=0, failed=0
SECURITY_CONSOLE: reap child 2151 (0)
SECURITY_CONSOLE: __read_copy_result,1893:Installed=0, err=0, copied=0, failed=0
SECURITY_CONSOLE: [5] pid=2153: installed=0, err=0, copied=0, failed=0
SECURITY_CONSOLE: [6] pid=2154: installed=0, err=0, copied=0, failed=0
SECURITY_CONSOLE: [7] pid=2155: installed=0, err=0, copied=0, failed=0
SECURITY_CONSOLE: reap child 2153 (0)
SECURITY_CONSOLE: __read_copy_result,1893:Installed=0, err=0, copied=0, failed=0
SECURITY_CONSOLE: reap child 2154 (0)
SECURITY_CONSOLE: __read_copy_result,1893:Installed=0, err=0, copied=0, failed=0
SECURITY_CONSOLE: reap child 2155 (0)
SECURITY_CONSOLE: __read_copy_result,1893:Installed=0, err=0, copied=0, failed=0
SECURITY_CONSOLE: [8] pid=2156: installed=0, err=0, copied=0, failed=0
SECURITY_CONSOLE: reap child 2156 (0)
SECURITY_CONSOLE: __read_copy_result,1893:Installed=0, err=0, copied=0, failed=0
SECURITY_CONSOLE:
Prepare device    (1) data time: 0 hours 0 minutes 0.203065 seconds.
SECURITY_CONSOLE: Load dynamic obj time: 0 hours 0 minutes 0.000261 seconds.
SECURITY_CONSOLE: (1) [MYADOM[check package] WAN] Start copying policy to devdb, device(MYADOM), vdomid(WAN) (reason:none)
SECURITY_CONSOLE: (1) Using mm method.
SECURITY_CONSOLE: Installing dynamic interface
SECURITY_CONSOLE: Installing dynamic interface completed - 0 entries installed, 0 errors
SECURITY_CONSOLE: Installing system replacemsg-group
SECURITY_CONSOLE: Installing system replacemsg-group completed - 0 entries installed, 0 errors
SECURITY_CONSOLE: copy_shared_obj_2_dev_vdom: 0 hours 0 minutes 0.000093 seconds.
SECURITY_CONSOLE: Installing firewall policy
SECURITY_CONSOLE: Installing firewall policy completed - 4 entries installed, 0 errors
SECURITY_CONSOLE: copy all policies: 0 hours 0 minutes 0.059285 seconds.
SECURITY_CONSOLE: (1) [MYADOM[check package] WAN] Copy done (reason:none)
SECURITY_CONSOLE: (1) Compile time: 0 hours 0 minutes 0.070264 seconds.
SECURITY_CONSOLE: (1) Import time: 0 hours 0 minutes 0.018651 seconds.
SECURITY_CONSOLE: (1) Change dvm status time: 0 hours 0 minutes 0.000009 seconds.
SECURITY_CONSOLE: (1) Copy to device done
SECURITY_CONSOLE: (1) Prepare dev install file time: 0 hours 0 minutes 0.000213 seconds.
SECURITY_CONSOLE:
(1) Overall time: 0 hours 0 minutes 0.295586 seconds.
SECURITY_CONSOLE:
1 of 1 devices is done
Device Handle handle refcnt = 1
SECURITY_CONSOLE: [1] pid=2148: installed=0, err=0, copied=1, failed=0
SECURITY_CONSOLE: reap child 2148 (0)
SECURITY_CONSOLE: __read_copy_result,1893:Installed=0, err=0, copied=1, failed=0
SECURITY_CONSOLE: Installed=0, err=0, copied=1, failed=0, max_cpu=8
SECURITY_CONSOLE: Overall time: 0 hours 0 minutes 0.358319 seconds.
Prepare /var/tmp/securityconsole/34889/install_summary.
Global Handle handle refcnt = 19
SECURITY_CONSOLE:
All device is done, elapse time: 0 hours 0 minutes 0.385893 seconds.
SECURITY_CONSOLE: securityconsole.c:862(), mm finish adom_id=1714
__send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"unlock","params":{"adom_oid":1714,"dev_oid":1714,"obj_oid":0}}
__send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"unlock","params":{"adom_oid":0,"dev_oid":1665,"obj_oid":0}}
SECURITY_CONSOLE: security_console_reclaim_child,597: try to reclaim child...
SECURITY_CONSOLE: reap child 2135 (0)
SECURITY_CONSOLE: refresh wait queue, triggered session=34889

I also tried with only the flags preview and auto_lock_ws, but the problem is the same: the task is stuck at 5% forever.

lix-fortinet commented 2 years ago

Hi @ozid,

Thank you for raising this issue. The team is working on it. We will get back to you when we have some updates.

Thanks, Xing

ozid commented 2 years ago

Hello, thanks @lix-fortinet! I also tried:

resource "fortimanager_securityconsole_install_package" "default" {
  fmgadom               = var.adom
  dev_rev_comments      = "applied by terraform"
  flags                 = ["auto_lock_ws", "cp_all_objs", "copy_assigned_pkg", "check_pkg_st",  "preview"]
  pkg                   = var.policy-package
  force_recreate        = uuid()
  dynamic_sort_subtable = "false"
  scope {
    name                = var.scope-fw-name
    vdom                = var.scope-vdom
  }
  depends_on            = [fortimanager_exec_workspace_action.unlockres]
}

resource "fortimanager_securityconsole_package_commit" "defaultcommit" {
  fmgadom               = var.adom
  force_recreate        = uuid()
  dynamic_sort_subtable = "false"
  scope {
    name                = var.scope-fw-name
    vdom                = var.scope-vdom
  }
  depends_on            = [fortimanager_securityconsole_install_package.default]
}

Result on the FortiManager CLI:

FMG-VM64-AWS # __send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"lock","params":{"adom_oid":1714,"dev_oid":1714,"obj_oid":0}}
__send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"unlock","params":{"adom_oid":1714,"dev_oid":1714,"obj_oid":0}}
__send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"lock","params":{"adom_oid":1714,"dev_oid":1714,"obj_oid":0}}
__send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"unlock","params":{"adom_oid":1714,"dev_oid":1714,"obj_oid":0}}
Request:
{ "client": "\/usr\/local\/apache2\/bin\/httpd:23933", "method": "exec", "params": [{ "data": { "adom": "TEST", "dev_rev_comments": "applied by terraform", "flags": ["check_pkg_st", "preview", "auto_lock_ws", "copy_assigned_pkg", "cp_all_objs"], "pk
g": "TEST-POLICYPACKAGE", "scope": [{ "name": "TEST", "vdom": "WAN"}]}, "target start": 1, "url": "\/securityconsole\/install\/package"}], "session": "ZzFp0aGjhUkaDt4SAmAxaIsqdgqsdgqdsglTOUeZpX2OxOtrW72eHUxb4BP7azA
S", "src": "myip", "verbose": 1}
Chkperm Response:
{ "result": [{ "status": { "code": 0, "message": "OK"}, "url": "\/securityconsole\/install\/package"}], "session": 31027}
Response:
{ "result": [{ "data": { "task": 4590}, "status": { "code": 0, "message": "OK"}, "url": "\/securityconsole\/install\/package"}]}
__send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"lock","params":{"adom_oid":1714,"dev_oid":1714,"obj_oid":0}}
SECURITY_CONSOLE: securityconsole.c:827, mm start adom_id=1714, pkg=4251, flags=3013 "cp_all_objs preview cp_assigned_pkg "
Request:
{ "client": "\/usr\/local\/apache2\/bin\/httpd:23933", "method": "exec", "params": [{ "data": { "adom": "TEST", "scope": [{ "name": "TEST", "vdom": "WAN"}]}, "target start": 1, "url": "\/securityconsole\/package\/commit"}], "session": "ZzFp0aGjhU
kaDt4SAmAxaILPqsdgqsdgsqdgOxOtrW72eHUxb4BP7azAS", "src": "myip", "verbose": 1}
Chkperm Response:
{ "result": [{ "status": { "code": 0, "message": "OK"}, "url": "\/securityconsole\/package\/commit"}], "session": 31027}
Response:
{ "result": [{ "data": { "task": 4591}, "status": { "code": 0, "message": "OK"}, "url": "\/securityconsole\/package\/commit"}]}
SECURITY_CONSOLE: security_console_reclaim_child,597: try to reclaim child...
SECURITY_CONSOLE: reap child 23968 (0)
SECURITY_CONSOLE: refresh wait queue, triggered session=31027
SECURITY_CONSOLE: Load shared objects time: 0 hours 0 minutes 0.176445 seconds.
SECURITY_CONSOLE: Load device candidates n=1 SECURITY_CONSOLE: : 0 hours 0 minutes 0.001040 seconds.
SECURITY_CONSOLE: dev=1665,vdom=101 up to date
SECURITY_CONSOLE: device 1665 was unlocked/up_to_date
Global Handle handle refcnt = 2
SECURITY_CONSOLE: securityconsole.c:862(), mm finish adom_id=1714
__send_gui_notify: {"msg":"notify", "from":"backend","collection":"workspace","method":"unlock","params":{"adom_oid":1714,"dev_oid":1714,"obj_oid":0}}
SECURITY_CONSOLE: security_console_reclaim_child,597: try to reclaim child...
SECURITY_CONSOLE: reap child 23965 (0)
SECURITY_CONSOLE: refresh wait queue, triggered session=31027

But the result is the same; the commit is stuck at 5%.

lix-fortinet commented 2 years ago

Hi @ozid,

I hope you are doing well! Here we have some updates about this issue.

The reason the task is stuck at 5% is that the commit operation could not find a preview cache to commit, so it just stays there. Based on our investigation, here are some scenarios that could cause this error:

  1. Not waiting for the preview to be installed. It may take a few seconds to create the preview successfully. If we trigger the commit operation before that, it will not find the preview cache. In the customer scenario, fortimanager_securityconsole_package_commit is triggered as soon as the install_package task is created, and does not wait for the task to complete.
  2. Too many flags in the resource fortimanager_securityconsole_install_package. If we set only preview in the flags argument, the preview cache will be created and the commit operation can find it. However, once we set other flags apart from "cp_all_objs", for example flags = ["check_pkg_st", "preview"], the commit operation again cannot find the preview cache. We will work with the API team on an improvement for this issue, and we will also update the example in our documentation.
  3. No changes to the target package. If there are no changes to the target package, there will be no preview cache, so the commit operation will have the same error.

Here are some solutions:

  1. Set the flags argument to contain only 'none'; the resource fortimanager_securityconsole_package_commit is then not needed. The package is auto-installed to the device when flags is set to 'none'. Here is an example:

    resource "fortimanager_securityconsole_install_package" "default" {
      fmgadom        = "root"
      flags          = ["none"]
      pkg            = "<YOUR PACKAGE NAME>"
      force_recreate = uuid()
    }
  2. Set the flags argument to contain only 'preview', and add a time_sleep resource between fortimanager_securityconsole_install_package and fortimanager_securityconsole_package_commit. This way we wait for the preview cache to be completed. Here is an example:

    resource "fortimanager_securityconsole_install_package" "default" {
      fmgadom        = "root"
      flags          = ["preview"]
      pkg            = "<YOUR PACKAGE NAME>"
      force_recreate = uuid()
    }

    resource "time_sleep" "wait_20_seconds" {
      depends_on = [fortimanager_securityconsole_install_package.default]

      create_duration = "20s"
      triggers = {
        force_recreate = uuid()
      }
    }

    resource "fortimanager_securityconsole_package_commit" "defaultcommit" {
      fmgadom        = "root"
      force_recreate = uuid()
      depends_on     = [time_sleep.wait_20_seconds]
    }



We will continue to work with the related teams on this issue to improve the user experience. Please let me know if you have any questions.

Thanks,
Xing

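
The two findings in Xing's answer (the commit is issued before the install task has produced its preview cache, and only a few flag combinations produce that cache at all) can be enforced in code rather than with a fixed 20-second sleep. The Python below is an added example written for this thread, not code from the provider or from Fortinet. It models the JSON-RPC calls visible in the debug traces above (`exec` on `/securityconsole/install/package` returning `{"data": {"task": N}}`, then `exec` on `/securityconsole/package/commit`) and polls the install task until it reports completion before committing. The task status call (`get` on `/task/task/<id>` returning `percent`) is an assumption about the FortiManager API that is not shown on this page; login and session handling are omitted, and `FakeFortiManager` is a constructed stand-in so the example runs offline.

```python
import time

# Flag combinations the maintainer reports as working: "none" installs
# directly (no commit resource needed); "preview" alone, or together with
# "cp_all_objs", produces a preview cache the commit operation can find.
ALLOWED_FLAG_SETS = (
    frozenset({"none"}),
    frozenset({"preview"}),
    frozenset({"preview", "cp_all_objs"}),
)


def validate_flags(flags):
    """Return the flag set, or raise ValueError for a combination the thread
    reports as leaving the commit task stuck at 5%."""
    fs = frozenset(flags)
    if fs not in ALLOWED_FLAG_SETS:
        raise ValueError(
            f"flags {sorted(fs)} are not known to produce a preview cache; "
            "use ['none'], ['preview'] or ['preview', 'cp_all_objs']")
    return fs


def install_package(rpc, adom, pkg, scope, flags, poll_interval=0.0, timeout=60.0):
    """Start the install, wait for its task to finish, then commit when a
    preview was requested.  `rpc(method, url, data)` performs one JSON-RPC
    call and returns the first entry of the "result" array."""
    fs = validate_flags(flags)
    result = rpc("exec", "/securityconsole/install/package",
                 {"adom": adom, "pkg": pkg, "scope": scope, "flags": sorted(fs)})
    if result["status"]["code"] != 0:
        raise RuntimeError(result["status"]["message"])
    task_id = result["data"]["task"]

    # ASSUMPTION: task progress is read from /task/task/<id> ("percent").
    # Polling replaces the fixed time_sleep from the answer above.
    deadline = time.monotonic() + timeout
    while True:
        status = rpc("get", f"/task/task/{task_id}", None)
        if status["data"]["percent"] >= 100:
            break
        if time.monotonic() > deadline:
            raise TimeoutError(f"task {task_id} did not finish")
        time.sleep(poll_interval)

    if "preview" not in fs:          # flags=["none"]: auto-installed, no commit
        return {"install_task": task_id, "commit_task": None}

    commit = rpc("exec", "/securityconsole/package/commit", {"adom": adom, "scope": scope})
    if commit["status"]["code"] != 0:
        raise RuntimeError(commit["status"]["message"])
    return {"install_task": task_id, "commit_task": commit["data"]["task"]}


class FakeFortiManager:
    """Constructed stand-in for the JSON-RPC server.  Each install task needs
    `steps` polls before reporting 100%; a commit issued before the preview
    cache exists is answered with an error instead of a task that never
    progresses past 5%, which is the symptom reported in the thread."""

    def __init__(self, steps=3):
        self.steps = steps
        self.tasks = {}            # task id -> polls remaining
        self.preview_ready = False
        self.calls = []            # (method, url) in the order received
        self.next_task = 4466      # first task id seen in the trace above

    def rpc(self, method, url, data):
        self.calls.append((method, url))
        ok = {"code": 0, "message": "OK"}
        if url == "/securityconsole/install/package":
            tid, self.next_task = self.next_task, self.next_task + 1
            self.tasks[tid] = self.steps
            return {"data": {"task": tid}, "status": ok, "url": url}
        if url.startswith("/task/task/"):
            tid = int(url.rsplit("/", 1)[1])
            self.tasks[tid] = max(0, self.tasks[tid] - 1)
            done = self.tasks[tid] == 0
            self.preview_ready = self.preview_ready or done
            return {"data": {"id": tid, "percent": 100 if done else 5}, "status": ok, "url": url}
        if url == "/securityconsole/package/commit":
            if not self.preview_ready:
                return {"status": {"code": -1, "message": "no preview cache for commit"}, "url": url}
            tid, self.next_task = self.next_task, self.next_task + 1
            return {"data": {"task": tid}, "status": ok, "url": url}
        raise ValueError(f"unexpected url {url}")


if __name__ == "__main__":
    fm = FakeFortiManager()
    scope = [{"name": "MYADOM", "vdom": "WAN"}]
    print(install_package(fm.rpc, "MYADOM", "MYADOM-POLICYPACKAGE", scope, ["preview"]))
```

The `validate_flags` check rejects the six-flag list from the first post before any task is created, and the poll loop makes the commit wait on the actual task state rather than on an arbitrary duration; with a real FortiManager the `rpc` callable would wrap an authenticated HTTPS JSON-RPC session in place of `FakeFortiManager.rpc`.
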
ozid commented 2 years ago

Thank you!