fortinetdev / terraform-provider-fortimanager

Mozilla Public License 2.0

Missing attributes after import on FMG 7.4.5 #60

Open agesta23 opened 1 month ago

agesta23 commented 1 month ago

There is a problem with importing all attributes from the resource fortimanager_packages_firewall_policy on FMG 7.4.5.

Missing attributes:

More resource attributes could be missing, but I could only test those. Here is an imported resource in the state file:

terragrunt state show 'fortimanager_packages_firewall_policy.policy["vpn_network_group_policy_2"]'
# fortimanager_packages_firewall_policy.policy["vpn_network_group_policy_2"]:
resource "fortimanager_packages_firewall_policy" "policy" {
    _policy_block                      = 0
    action                             = "accept"
    anti_replay                        = "enable"
    application                        = []
    application_list                   = "default"
    auth_path                          = "disable"
    auto_asic_offload                  = "enable"
    block_notification                 = "disable"
    capture_packet                     = "disable"
    cgn_resource_quota                 = 16
    cgn_session_quota                  = 16777215
    delay_tcp_npu_session              = "disable"
    diffserv_forward                   = "disable"
    diffserv_reverse                   = "disable"
    dsri                               = "disable"
    dstaddr                            = [
        "vpn_network_private_resources_group",
    ]
    dstaddr6                           = []
    dstaddr6_negate                    = "disable"
    dstaddr_negate                     = "disable"
    dstintf                            = [
        "port2",
    ]
    dynamic_shaping                    = "disable"
    dynamic_sort_subtable              = "false"
    email_collect                      = "disable"
    fec                                = "disable"
    fsso_groups                        = []
    geoip_anycast                      = "disable"
    geoip_match                        = "physical-location"
    global_label                       = ""
    groups                             = [
        "vpn-network",
    ]
    id                                 = "114"
    internet_service                   = "disable"
    internet_service6                  = "disable"
    internet_service6_custom           = []
    internet_service6_custom_group     = []
    internet_service6_group            = []
    internet_service6_name             = []
    internet_service6_src              = "disable"
    internet_service6_src_custom       = []
    internet_service6_src_custom_group = []
    internet_service6_src_group        = []
    internet_service6_src_name         = []
    internet_service_id                = []
    internet_service_src               = "disable"
    ip_version_type                    = "ipv4"
    logtraffic                         = "all"
    logtraffic_start                   = "disable"
    match_vip                          = "enable"
    match_vip_only                     = "disable"
    nat                                = "disable"
    nat46                              = "disable"
    nat64                              = "disable"
    natip                              = [
        "0.0.0.0",
        "0.0.0.0",
    ]
    network_service_dynamic            = []
    network_service_src_dynamic        = []
    np_acceleration                    = "enable"
    ntlm_enabled_browsers              = []
    passive_wan_health_measurement     = "disable"
    pcp_inbound                        = "disable"
    pcp_outbound                       = "disable"
    pcp_poolname                       = []
    permit_any_host                    = "disable"
    pkg                                = "VPN_EW1_FGT"
    policy_behaviour_type              = "standard"
    policy_expiry                      = "disable"
    policy_expiry_date                 = "0000-00-00 00:00:00"
    policyid                           = 114
    port_preserve                      = "enable"
    profile_protocol_options           = "default"
    profile_type                       = "single"
    radius_mac_auth_bypass             = "disable"
    reputation_minimum                 = 0
    reputation_minimum6                = 0
    rtp_nat                            = "disable"
    schedule                           = "always"
    schedule_timeout                   = "disable"
    scopetype                          = "inherit"
    service                            = [
        "ALL",
    ]
    service_negate                     = "disable"
    session_ttl                        = "0"
    sgt                                = []
    sgt_check                          = "disable"
    src_vendor_mac                     = []
    srcaddr                            = [
        "ssl_vpn_cp_ip_pool",
    ]
    srcaddr6                           = []
    srcaddr6_negate                    = "disable"
    srcaddr_negate                     = "disable"
    srcintf                            = [
        "sslvpn_tun_intf",
    ]
    ssl_ssh_profile                    = "certificate-inspection"
    status                             = "enable"
    tcp_mss_receiver                   = 0
    tcp_mss_sender                     = 0
    tcp_session_without_syn            = "disable"
    timeout_send_rst                   = "disable"
    tos                                = "0x00"
    tos_mask                           = "0x00"
    tos_negate                         = "disable"
    users                              = []
    utm_status                         = "enable"
    uuid                               = "793a3824-d197-51ee-8716-9ee00451bf2b"
    vlan_cos_fwd                       = 255
    vlan_cos_rev                       = 255
    wccp                               = "disable"
    webcache_https                     = "disable"
    webfilter_profile                  = "monitor-all"
    ztna_ems_tag_secondary             = []
}

Actual resource in the FortiManager GUI:

Screenshot 2024-10-22 at 10 27 23

Policy in FortiGate looks like this:

config firewall policy
    edit 114
        set uuid 793a3824-d197-51ee-8716-9ee00451bf2b
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set ztna-status enable
        set srcaddr "ssl_vpn_cp_ip_pool"
        set dstaddr "vpn_network_private_resources_group"
        set ztna-ems-tag "EMS1_ZTNA_cp-trusted-tag"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "monitor-all"
        set application-list "default"
        set logtraffic all
        set groups "vpn-network"
    next
end

FMG 7.4.2 worked well with it. I suppose it is broken after the update.

After terraform planning, it tries to add missing attributes every time:

# fortimanager_packages_firewall_policy.policy["vpn_network_group_policy_2"] will be updated in-place
  ~ resource "fortimanager_packages_firewall_policy" "policy" {
        id                                 = "114"
      + ztna_ems_tag                       = "EMS1_ZTNA_cp-trusted-tag"
      + ztna_status                        = "enable"
        # (104 unchanged attributes hidden)
    }
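
A quick way to confirm which device-side settings never made it into the imported state, as an added example that is not part of the issue or of the provider's code: the script below parses the FortiGate `config firewall policy` block and the `terraform state show` output quoted above (both abridged and embedded as constructed sample input) and lists attributes the device has set but the state lacks entirely. It assumes the provider names attributes by replacing hyphens in the FortiOS CLI keys with underscores, which holds for every attribute visible on this page; it deliberately compares presence only, not values, because object names can legitimately differ between FortiManager and FortiGate (for instance the `srcintf` mapping shown above).

```python
"""Report FortiGate policy attributes that are absent from the imported Terraform state."""
import re
import shlex

# Constructed sample input: abridged copy of the FortiGate CLI view of policy 114 from the issue.
FGT_CLI = """\
config firewall policy
    edit 114
        set uuid 793a3824-d197-51ee-8716-9ee00451bf2b
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set ztna-status enable
        set srcaddr "ssl_vpn_cp_ip_pool"
        set dstaddr "vpn_network_private_resources_group"
        set ztna-ems-tag "EMS1_ZTNA_cp-trusted-tag"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set groups "vpn-network"
    next
end
"""

# Constructed sample input: abridged copy of the `terraform state show` output from the issue.
TF_STATE = """\
resource "fortimanager_packages_firewall_policy" "policy" {
    _policy_block                      = 0
    action                             = "accept"
    dstaddr                            = [
        "vpn_network_private_resources_group",
    ]
    dstintf                            = [
        "port2",
    ]
    groups                             = [
        "vpn-network",
    ]
    id                                 = "114"
    logtraffic                         = "all"
    policyid                           = 114
    schedule                           = "always"
    service                            = [
        "ALL",
    ]
    srcaddr                            = [
        "ssl_vpn_cp_ip_pool",
    ]
    srcintf                            = [
        "sslvpn_tun_intf",
    ]
    status                             = "enable"
    utm_status                         = "enable"
    uuid                               = "793a3824-d197-51ee-8716-9ee00451bf2b"
}
"""


def parse_fgt_cli(text):
    """Return {attribute: [values]} from every `set <key> <values...>` line.
    Keys are normalised to the assumed provider style (hyphens -> underscores)."""
    attrs = {}
    for line in text.splitlines():
        parts = shlex.split(line)  # honours the CLI's double-quoted values
        if len(parts) >= 3 and parts[0] == "set":
            attrs[parts[1].replace("-", "_")] = parts[2:]
    return attrs


# Top-level `key = value` lines; nested list members and closing brackets do not match.
_STATE_ATTR = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*)$")


def parse_state_attrs(text):
    """Return the set of attribute names present in `terraform state show` output."""
    return {m.group(1) for m in map(_STATE_ATTR.match, text.splitlines()) if m}


def missing_in_state(cli_text, state_text):
    """Attributes the device has set that the imported state does not carry at all."""
    return sorted(set(parse_fgt_cli(cli_text)) - parse_state_attrs(state_text))


if __name__ == "__main__":
    for name in missing_in_state(FGT_CLI, TF_STATE):
        print("missing from state:", name)
```

Run against the embedded samples it reports exactly the two attributes the plan keeps trying to add; against a full `show firewall policy` dump and a full state file it surfaces any further attributes dropped on import, which is what the reporter could not test by hand.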

MaxxLiu22 commented 4 weeks ago

Hi @agesta23 ,

Thank you very much for bringing this issue to our attention. I've observed that the Terraform FMG provider is not yet compatible with version 7.4.5, but the issue appears to be that the FOS API GET response no longer includes these two arguments. This suggests there may have been a logical adjustment, potentially merging these arguments with others to achieve the same functionality. I will investigate further and consult with the appropriate team to gain additional insights.

Thanks, Maxx