Closed blkistsg closed 1 year ago
Hi @blkistsg, since the interface "aws_hq_wan1" is automatically created by the FGT during the VPN creation process, please add the "autogenerated" argument to "fortios_system_interface" "aws_hq_wan1" and keep its dependency on the VPN resources, for example:
# cat maintst.tf
provider "fortios" {
  hostname = "192.168.52.177"
  token    = "rGqsgj9Qmh3dwfQdc8hd3t3G6xG3N5"
  insecure = "true"
}

resource "fortios_vpnipsec_phase1interface" "aws_hq_wan1" {
  name         = "aws-hq-wan1"
  interface    = "port1"
  ike_version  = "2"
  peertype     = "any"
  proposal     = "aes256-sha256"
  dhgrp        = "21"
  local_gw     = "1.1.1.1"
  remote_gw    = "2.2.2.2"
  psksecret    = "XXXsssssssssssXXX"
  nattraversal = "forced"
}

resource "fortios_vpnipsec_phase2interface" "aws_hq_wan1" {
  name           = fortios_vpnipsec_phase1interface.aws_hq_wan1.name
  phase1name     = fortios_vpnipsec_phase1interface.aws_hq_wan1.name
  pfs            = "enable"
  proposal       = "aes256-sha256"
  dhgrp          = "21"
  keylifeseconds = 3600
}

# FortiOS creates the tunnel interface itself when the phase1 is created.
# Taking the name from the phase2 resource orders this resource after the VPN,
# and autogenerated = "auto" marks the interface as one created by FortiGate.
resource "fortios_system_interface" "aws_hq_wan1" {
  name          = fortios_vpnipsec_phase2interface.aws_hq_wan1.name
  description   = "VPN Interface between hq wan1 and aws fw"
  type          = "tunnel"
  vdom          = "root"
  allowaccess   = "ping https ssh http"
  ip            = "10.10.10.2 255.255.255.255"
  remote_ip     = "172.22.1.30 255.255.255.255"
  tcp_mss       = 1400
  autogenerated = "auto"
}
Note the dependency between fortios_system_interface and fortios_vpnipsec_phase2interface here (by the interface name field) and the autogenerated = "auto" argument. For the autogenerated argument, please refer to: https://registry.terraform.io/providers/fortinetdev/fortios/latest/docs/resources/fortios_system_interface#example-usage
# terraform apply
----
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# fortios_system_interface.aws_hq_wan1 will be created
+ resource "fortios_system_interface" "aws_hq_wan1" {
+ ac_name = (known after apply)
+ aggregate = (known after apply)
+ algorithm = (known after apply)
+ alias = (known after apply)
+ allowaccess = "ping https ssh http"
+ ap_discover = (known after apply)
+ arpforward = (known after apply)
+ auth_type = (known after apply)
+ auto_auth_extension_device = (known after apply)
+ autogenerated = "auto"
+ bfd = (known after apply)
+ bfd_desired_min_tx = (known after apply)
+ bfd_detect_mult = (known after apply)
+ bfd_required_min_rx = (known after apply)
+ broadcast_forticlient_discovery = (known after apply)
+ broadcast_forward = (known after apply)
+ captive_portal = (known after apply)
+ cli_conn_status = (known after apply)
+ color = (known after apply)
+ dedicated_to = (known after apply)
+ defaultgw = (known after apply)
+ description = "VPN Interface between hq wan1 and aws fw"
+ detected_peer_mtu = (known after apply)
+ detectprotocol = (known after apply)
+ detectserver = (known after apply)
+ device_access_list = (known after apply)
+ device_identification = (known after apply)
+ device_identification_active_scan = (known after apply)
+ device_netscan = (known after apply)
+ device_user_identification = (known after apply)
+ devindex = (known after apply)
+ dhcp_client_identifier = (known after apply)
+ dhcp_relay_agent_option = (known after apply)
+ dhcp_relay_ip = (known after apply)
+ dhcp_relay_service = (known after apply)
+ dhcp_relay_type = (known after apply)
+ dhcp_renew_time = (known after apply)
+ disc_retry_timeout = (known after apply)
+ disconnect_threshold = (known after apply)
+ distance = (known after apply)
+ dns_server_override = (known after apply)
+ drop_fragment = (known after apply)
+ drop_overlapped_fragment = (known after apply)
+ egress_shaping_profile = (known after apply)
+ endpoint_compliance = (known after apply)
+ estimated_downstream_bandwidth = (known after apply)
+ estimated_upstream_bandwidth = (known after apply)
+ explicit_ftp_proxy = (known after apply)
+ explicit_web_proxy = (known after apply)
+ external = (known after apply)
+ fail_action_on_extender = (known after apply)
+ fail_alert_method = (known after apply)
+ fail_detect = (known after apply)
+ fail_detect_option = (known after apply)
+ fortiheartbeat = (known after apply)
+ fortilink = (known after apply)
+ fortilink_backup_link = (known after apply)
+ fortilink_split_interface = (known after apply)
+ fortilink_stacking = (known after apply)
+ forward_domain = (known after apply)
+ gwdetect = (known after apply)
+ ha_priority = (known after apply)
+ icmp_accept_redirect = (known after apply)
+ icmp_send_redirect = (known after apply)
+ id = (known after apply)
+ ident_accept = (known after apply)
+ idle_timeout = (known after apply)
+ inbandwidth = (known after apply)
+ ingress_spillover_threshold = (known after apply)
+ interface = (known after apply)
+ internal = (known after apply)
+ ip = "10.10.10.2 255.255.255.255"
+ ipmac = (known after apply)
+ ips_sniffer_mode = (known after apply)
+ ipunnumbered = (known after apply)
+ l2forward = (known after apply)
+ lacp_ha_slave = (known after apply)
+ lacp_mode = (known after apply)
+ lacp_speed = (known after apply)
+ lcp_echo_interval = (known after apply)
+ lcp_max_echo_fails = (known after apply)
+ link_up_delay = (known after apply)
+ lldp_network_policy = (known after apply)
+ lldp_reception = (known after apply)
+ lldp_transmission = (known after apply)
+ macaddr = (known after apply)
+ management_ip = (known after apply)
+ min_links = (known after apply)
+ min_links_down = (known after apply)
+ mode = (known after apply)
+ mtu = (known after apply)
+ mtu_override = (known after apply)
+ name = "aws-hq-wan1"
+ ndiscforward = (known after apply)
+ netbios_forward = (known after apply)
+ netflow_sampler = (known after apply)
+ outbandwidth = (known after apply)
+ padt_retry_timeout = (known after apply)
+ ping_serv_status = (known after apply)
+ polling_interval = (known after apply)
+ pppoe_unnumbered_negotiate = (known after apply)
+ pptp_auth_type = (known after apply)
+ pptp_client = (known after apply)
+ pptp_server_ip = (known after apply)
+ pptp_timeout = (known after apply)
+ pptp_user = (known after apply)
+ preserve_session_route = (known after apply)
+ priority = (known after apply)
+ priority_override = (known after apply)
+ proxy_captive_portal = (known after apply)
+ redundant_interface = (known after apply)
+ remote_ip = "172.22.1.30 255.255.255.255"
+ replacemsg_override_group = (known after apply)
+ role = (known after apply)
+ sample_direction = (known after apply)
+ sample_rate = (known after apply)
+ scan_botnet_connections = (known after apply)
+ secondary_ip = (known after apply)
+ security_exempt_list = (known after apply)
+ security_external_logout = (known after apply)
+ security_external_web = (known after apply)
+ security_mac_auth_bypass = (known after apply)
+ security_mode = (known after apply)
+ security_redirect_url = (known after apply)
+ service_name = (known after apply)
+ sflow_sampler = (known after apply)
+ snmp_index = (known after apply)
+ speed = (known after apply)
+ spillover_threshold = (known after apply)
+ src_check = (known after apply)
+ status = (known after apply)
+ stpforward = (known after apply)
+ stpforward_mode = (known after apply)
+ subst = (known after apply)
+ substitute_dst_mac = (known after apply)
+ switch = (known after apply)
+ switch_controller_access_vlan = (known after apply)
+ switch_controller_arp_inspection = (known after apply)
+ switch_controller_dhcp_snooping = (known after apply)
+ switch_controller_dhcp_snooping_option82 = (known after apply)
+ switch_controller_dhcp_snooping_verify_mac = (known after apply)
+ switch_controller_igmp_snooping = (known after apply)
+ switch_controller_learning_limit = (known after apply)
+ switch_controller_traffic_policy = (known after apply)
+ tcp_mss = 1400
+ trust_ip6_1 = (known after apply)
+ trust_ip6_2 = (known after apply)
+ trust_ip6_3 = (known after apply)
+ trust_ip_1 = (known after apply)
+ trust_ip_2 = (known after apply)
+ trust_ip_3 = (known after apply)
+ type = "tunnel"
+ username = (known after apply)
+ vdom = "root"
+ vindex = (known after apply)
+ vlanforward = (known after apply)
+ vlanid = (known after apply)
+ vrf = (known after apply)
+ vrrp_virtual_mac = (known after apply)
+ wccp = (known after apply)
+ weight = (known after apply)
+ wins_ip = (known after apply)
}
# fortios_vpnipsec_phase1interface.aws_hq_wan1 will be created
+ resource "fortios_vpnipsec_phase1interface" "aws_hq_wan1" {
+ acct_verify = (known after apply)
+ add_gw_route = (known after apply)
+ add_route = (known after apply)
+ assign_ip = (known after apply)
+ assign_ip_from = (known after apply)
+ authmethod = (known after apply)
+ authmethod_remote = (known after apply)
+ authusr = (known after apply)
+ authusrgrp = (known after apply)
+ auto_discovery_forwarder = (known after apply)
+ auto_discovery_psk = (known after apply)
+ auto_discovery_receiver = (known after apply)
+ auto_discovery_sender = (known after apply)
+ auto_negotiate = (known after apply)
+ cert_id_validation = (known after apply)
+ childless_ike = (known after apply)
+ client_auto_negotiate = (known after apply)
+ client_keep_alive = (known after apply)
+ default_gw = (known after apply)
+ default_gw_priority = (known after apply)
+ dhgrp = "21"
+ digital_signature_auth = (known after apply)
+ distance = (known after apply)
+ dns_mode = (known after apply)
+ domain = (known after apply)
+ dpd = (known after apply)
+ dpd_retrycount = (known after apply)
+ dpd_retryinterval = (known after apply)
+ eap = (known after apply)
+ eap_identity = (known after apply)
+ encap_local_gw4 = (known after apply)
+ encap_local_gw6 = (known after apply)
+ encap_remote_gw4 = (known after apply)
+ encap_remote_gw6 = (known after apply)
+ encapsulation = (known after apply)
+ encapsulation_address = (known after apply)
+ enforce_unique_id = (known after apply)
+ exchange_interface_ip = (known after apply)
+ exchange_ip_addr4 = (known after apply)
+ exchange_ip_addr6 = (known after apply)
+ forticlient_enforcement = (known after apply)
+ fragmentation = (known after apply)
+ fragmentation_mtu = (known after apply)
+ group_authentication = (known after apply)
+ ha_sync_esp_seqno = (known after apply)
+ id = (known after apply)
+ idle_timeout = (known after apply)
+ idle_timeoutinterval = (known after apply)
+ ike_version = "2"
+ include_local_lan = (known after apply)
+ interface = "port1"
+ ip_version = (known after apply)
+ ipv4_dns_server1 = (known after apply)
+ ipv4_dns_server2 = (known after apply)
+ ipv4_dns_server3 = (known after apply)
+ ipv4_end_ip = (known after apply)
+ ipv4_name = (known after apply)
+ ipv4_netmask = (known after apply)
+ ipv4_split_exclude = (known after apply)
+ ipv4_split_include = (known after apply)
+ ipv4_start_ip = (known after apply)
+ ipv4_wins_server1 = (known after apply)
+ ipv4_wins_server2 = (known after apply)
+ ipv6_dns_server1 = (known after apply)
+ ipv6_dns_server2 = (known after apply)
+ ipv6_dns_server3 = (known after apply)
+ ipv6_end_ip = (known after apply)
+ ipv6_name = (known after apply)
+ ipv6_prefix = (known after apply)
+ ipv6_split_exclude = (known after apply)
+ ipv6_split_include = (known after apply)
+ ipv6_start_ip = (known after apply)
+ keepalive = (known after apply)
+ keylife = (known after apply)
+ local_gw = "1.1.1.1"
+ local_gw6 = (known after apply)
+ localid = (known after apply)
+ localid_type = (known after apply)
+ mesh_selector_type = (known after apply)
+ mode = (known after apply)
+ mode_cfg = (known after apply)
+ monitor = (known after apply)
+ monitor_hold_down_delay = (known after apply)
+ monitor_hold_down_time = (known after apply)
+ monitor_hold_down_type = (known after apply)
+ monitor_hold_down_weekday = (known after apply)
+ name = "aws-hq-wan1"
+ nattraversal = "forced"
+ negotiate_timeout = (known after apply)
+ net_device = (known after apply)
+ passive_mode = (known after apply)
+ peer = (known after apply)
+ peergrp = (known after apply)
+ peerid = (known after apply)
+ peertype = "any"
+ ppk = (known after apply)
+ ppk_identity = (known after apply)
+ priority = (known after apply)
+ proposal = "aes256-sha256"
+ psksecret = (sensitive value)
+ reauth = (known after apply)
+ rekey = (known after apply)
+ remote_gw = "2.2.2.2"
+ remote_gw6 = (known after apply)
+ remotegw_ddns = (known after apply)
+ rsa_signature_format = (known after apply)
+ save_password = (known after apply)
+ send_cert_chain = (known after apply)
+ signature_hash_alg = (known after apply)
+ split_include_service = (known after apply)
+ suite_b = (known after apply)
+ tunnel_search = (known after apply)
+ type = (known after apply)
+ unity_support = (known after apply)
+ usrgrp = (known after apply)
+ vni = (known after apply)
+ wizard_type = (known after apply)
+ xauthtype = (known after apply)
}
# fortios_vpnipsec_phase2interface.aws_hq_wan1 will be created
+ resource "fortios_vpnipsec_phase2interface" "aws_hq_wan1" {
+ add_route = (known after apply)
+ auto_discovery_forwarder = (known after apply)
+ auto_discovery_sender = (known after apply)
+ auto_negotiate = (known after apply)
+ dhcp_ipsec = (known after apply)
+ dhgrp = "21"
+ dst_addr_type = (known after apply)
+ dst_end_ip = (known after apply)
+ dst_end_ip6 = (known after apply)
+ dst_name = (known after apply)
+ dst_name6 = (known after apply)
+ dst_port = (known after apply)
+ dst_start_ip = (known after apply)
+ dst_start_ip6 = (known after apply)
+ dst_subnet = (known after apply)
+ dst_subnet6 = (known after apply)
+ encapsulation = (known after apply)
+ id = (known after apply)
+ keepalive = (known after apply)
+ keylife_type = (known after apply)
+ keylifekbs = (known after apply)
+ keylifeseconds = 3600
+ l2tp = (known after apply)
+ name = "aws-hq-wan1"
+ pfs = "enable"
+ phase1name = "aws-hq-wan1"
+ proposal = "aes256-sha256"
+ protocol = (known after apply)
+ replay = (known after apply)
+ route_overlap = (known after apply)
+ single_source = (known after apply)
+ src_addr_type = (known after apply)
+ src_end_ip = (known after apply)
+ src_end_ip6 = (known after apply)
+ src_name = (known after apply)
+ src_name6 = (known after apply)
+ src_port = (known after apply)
+ src_start_ip = (known after apply)
+ src_start_ip6 = (known after apply)
+ src_subnet = (known after apply)
+ src_subnet6 = (known after apply)
}
Plan: 3 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
fortios_vpnipsec_phase1interface.aws_hq_wan1: Creating...
fortios_vpnipsec_phase1interface.aws_hq_wan1: Creation complete after 0s [id=aws-hq-wan1]
fortios_vpnipsec_phase2interface.aws_hq_wan1: Creating...
fortios_vpnipsec_phase2interface.aws_hq_wan1: Creation complete after 0s [id=aws-hq-wan1]
fortios_system_interface.aws_hq_wan1: Creating...
fortios_system_interface.aws_hq_wan1: Creation complete after 0s [id=aws-hq-wan1]
Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
Thanks!
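The two conditions the fix above depends on (a tunnel interface carries autogenerated = "auto", and its name is taken from a phase1/phase2 resource so the VPN is created first) can be checked mechanically before apply. The following is an added example, not code from this issue or from the fortios provider; it reads the `configuration` section of `terraform show -json` output, and the plan fragment it runs on is constructed inline.

```python
"""Lint a Terraform plan (`terraform show -json`) for FortiOS tunnel interfaces.

Added example, not part of this issue or of the fortios provider. It flags a
fortios_system_interface of type "tunnel" that lacks autogenerated = "auto" or
whose name is not a reference to a fortios_vpnipsec_phase1/2interface resource.
"""
import json

# Constructed plan fragment in the shape of `terraform show -json tfplan`;
# only the configuration fields the check reads are present.
SAMPLE_PLAN = json.dumps({"configuration": {"root_module": {"resources": [
    {"address": "fortios_system_interface.aws_hq_wan1",
     "type": "fortios_system_interface",
     "expressions": {
         "type": {"constant_value": "tunnel"},
         "autogenerated": {"constant_value": "auto"},
         "name": {"references": ["fortios_vpnipsec_phase2interface.aws_hq_wan1.name",
                                 "fortios_vpnipsec_phase2interface.aws_hq_wan1"]}}},
    {"address": "fortios_system_interface.bad_tunnel",  # constructed failing case
     "type": "fortios_system_interface",
     "expressions": {
         "type": {"constant_value": "tunnel"},
         "name": {"constant_value": "bad-tunnel"}}},
]}}})


def tunnel_findings(plan_json: str) -> dict:
    """Return {resource address: [problems]} for misconfigured tunnel interfaces."""
    plan = json.loads(plan_json)
    findings = {}
    for res in plan["configuration"]["root_module"].get("resources", []):
        if res.get("type") != "fortios_system_interface":
            continue
        expr = res.get("expressions", {})
        if expr.get("type", {}).get("constant_value") != "tunnel":
            continue  # physical, vlan, loopback etc. are not auto-created by a VPN
        problems = []
        if expr.get("autogenerated", {}).get("constant_value") != "auto":
            problems.append('tunnel interface without autogenerated = "auto"')
        refs = expr.get("name", {}).get("references", [])
        if not any(r.startswith("fortios_vpnipsec_phase") for r in refs):
            problems.append("name is not taken from a fortios_vpnipsec_phase1/2interface")
        if problems:
            findings[res["address"]] = problems
    return findings


if __name__ == "__main__":
    for address, problems in tunnel_findings(SAMPLE_PLAN).items():
        print(address, "->", "; ".join(problems))
```

Run it against a real plan with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `tunnel_findings`.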
Thank you @frankshen01, this helped fix my problem creating the tunnel interfaces.
FortiOS 6.4
Sometimes it just works.