fortinetdev / terraform-provider-fortimanager

Mozilla Public License 2.0

err -11: No permission for the resource #30

Closed DARB-CCM-S-20 closed 1 year ago

DARB-CCM-S-20 commented 1 year ago

Error updating DvmCmdDevice resource: err -11: No permissions for the resource

terraform {
  required_providers {
    fortimanager = {
      source  = "registry.terraform.io/fortinetdev/fortimanager"
      version = "~>1.7.0"
    }
  }
}

provider "fortimanager" {
  hostname = var.fortimanager_ip
  username = var.fortimanager_user
  password = var.fortimanager_password
  insecure = true
}

resource "fortimanager_dvm_cmd_add_device" "fortigw" {
  fmgadom = "root"

  device {
    ip        = azurerm_linux_virtual_machine.fortigw.public_ip_address
    mgmt_mode = "fmg"
    name      = azurerm_linux_virtual_machine.fortigw.computer_name
    adm_usr   = var.fortigate_vm_admin
    adm_pass  = var.fortigate_vm_password
  }
}

terraform init initialises the configuration fine. Fortigate is online and can be discovered through the fortimanager GUI when trying to carry out the above action manually.

Initially tried passing the fortigate admin credentials, but on coming across https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/763117/terraform-fortios-as-a-provider, a REST API admin was created and these credentials were passed to adm_usr and adm_pass instead (since there did not seem to be an option to authenticate via API token). The same error persisted.

Credentials passed to the fortigate are the admin credentials that can be used to login via the GUI. Do we need to create a similar REST API user in the Fortimanager instance as well?

Debug logs:

2023-03-13T14:31:55.982Z [INFO]  provider.terraform-provider-fortimanager_v1.7.0: 2023/03/13 14:31:55 Get divice version response: { "result": [ { "status": { "code": -11, "message": "No permission for the resource" }, "url": "\/cli\/global\/system\/status" } ] }: timestamp=2023-03-13T14:31:55.981Z
2023-03-13T14:31:55.982Z [INFO]  provider.terraform-provider-fortimanager_v1.7.0: 2023/03/13 14:31:55 Could not get device version:
err -11: No permission for the resource: timestamp=2023-03-13T14:31:55.981Z
2023-03-13T14:31:55.982Z [INFO]  provider.terraform-provider-fortimanager_v1.7.0: 2023/03/13 14:31:55 [INFO] Request infomation: /dvm/cmd/add/device:    &map[adom:root device:map[adm_pass:<passed_token> adm_usr:<passed_username> ip:<passed_ip> mgmt_mode:fmg name:<passed_vm_name>]]: timestamp=2023-03-13T14:31:55.982Z
2023-03-13T14:31:55.982Z [INFO]  provider.terraform-provider-fortimanager_v1.7.0: 2023/03/13 14:31:55 [INFO] Request URL: /dvm/cmd/add/device: timestamp=2023-03-13T14:31:55.982Z
2023-03-13T14:31:55.987Z [INFO]  provider.terraform-provider-fortimanager_v1.7.0: 2023/03/13 14:31:55 Get divice version response: { "result": [ { "status": { "code": -11, "message": "No permission for the resource" }, "url": "\/cli\/global\/system\/status" } ] }: timestamp=2023-03-13T14:31:55.987Z
MaxxLiu22 commented 1 year ago

Hi @DARB-CCM-S-20

Thank you for raising this problem. May I know which FGT and FMG versions you are using? I just added an Azure FGT VM on my FMG by using the following code. Everything works as expected; you don't need a token to achieve this operation, and make sure you give the right rpc-permit to FMG.

resource "fortimanager_dvm_cmd_add_device" "trname" {
  fmgadom = "root"
  device {
    ip       = "1.2.3.4"
    name     = "Terraform-FGT-VM"
    adm_usr  = "admin"
    adm_pass = "password"
    sn       = "FGTAZR_OACL..."
  }
}
config system admin user
    edit "admin"
        set password ENC SH2OiytVkNzI8gq5AgPwaB/QNqk06qUbPXspNzk24QIXHacMIvZ8o3Aq54hAAE=
        set profileid "Super_User"
        set rpc-permit read-write
    next
end

Thanks, Maxx
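As an added example (not the provider's code and not from this thread): a small pre-flight check that reproduces the provider's first call, a get on /cli/global/system/status, and turns a bare -11 into the rpc-permit diagnosis Maxx gives above. It assumes the standard FortiManager JSON-RPC endpoint at /jsonrpc with login at /sys/login/user and logout at /sys/logout; the sample response is constructed from the debug log in the issue.

```python
import json
import ssl
import urllib.request

# Constructed sample: the response shape copied from the issue's debug log.
SAMPLE_DENIED = {"result": [{"status": {"code": -11, "message": "No permission for the resource"},
                             "url": "/cli/global/system/status"}]}

RPC_PERMIT_HINT = ("code -11 after a successful login means the FortiManager admin lacks JSON-RPC "
                   "access: config system admin user -> edit <user> -> set rpc-permit read-write")

def jsonrpc_request(method, url, data=None, session=None):
    """Build a FortiManager JSON-RPC envelope; 'session' is the token returned by login."""
    params = {"url": url, **({"data": data} if data is not None else {})}
    body = {"id": 1, "method": method, "params": [params]}
    return body if session is None else {**body, "session": session}

def diagnose(response):
    """Map the first result's status code to (ok, human-readable message)."""
    status = response["result"][0]["status"]
    if status["code"] == 0:
        return True, "ok"
    if status["code"] == -11:
        return False, RPC_PERMIT_HINT
    return False, "FortiManager error %d: %s" % (status["code"], status["message"])

def preflight(host, user, password, verify_tls=True):
    """Log in, probe /cli/global/system/status (the provider's first call), then log out."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as insecure = true in the provider block; keep TLS checks in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def call(body):
        req = urllib.request.Request("https://%s/jsonrpc" % host, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return json.load(resp)

    login = call(jsonrpc_request("exec", "/sys/login/user", {"user": user, "passwd": password}))
    ok, msg = diagnose(login)
    if not ok:
        return False, "login failed: " + msg
    session = login["session"]  # FortiManager returns the session token at the top level of the login reply
    try:
        return diagnose(call(jsonrpc_request("get", "/cli/global/system/status", session=session)))
    finally:
        call(jsonrpc_request("exec", "/sys/logout", session=session))
```

Running preflight() against the FMG with the same credentials the provider uses separates "wrong password" (login fails) from "admin exists but has no rpc-permit" (login succeeds, the probe returns -11).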

DARB-CCM-S-20 commented 1 year ago

Hi @MaxxLiu22 Thanks for the response.

It seems that I hadn't set the rpc-permit. Can I suggest that a link to the guide be put on the homepage, since it is essential to use the provider?

It also seems that the error message is a bit misleading.

MaxxLiu22 commented 1 year ago

Hi @DARB-CCM-S-20 ,

We are continuing to improve our doc to be more user-friendly. Thank you for your suggestion. I will go ahead and close this case; if you still have questions, feel free to reopen it.

Thanks, Maxx