rpuserh
commented
2 years ago Any suggestions ?
Closed rpuserh closed 1 year ago
rpuserh
commented
2 years ago Any suggestions ?
lix-fortinet
commented
2 years ago Hi @rpuserh,
Sorry for the late response. And thank you for raising this issue. This issue seems like the sequence of groups in your Terraform configure file is not match the order in state file. Could you let me know how you add group2 to variable groups? So that I can reproduce it in my end.
Thanks, Xing
rpuserh
commented
2 years ago Hi @lix-fortinet ,
First I execute code
variable "groups" {
type= map
default = {
group1 = {}
}
}
resource "fortios_vpnssl_settings" "sslvpn" {
......
authentication_rule {
portal = fortios_vpnsslweb_portal.main.name
dynamic "groups" {
for_each = var.groups
content {
name = groups.key
}
}
}
}then i add second group
variable "groups" {
type= map
default = {
group1 = {}
group2 = {}
}
}
resource "fortios_vpnssl_settings" "sslvpn" {
......
authentication_rule {
portal = fortios_vpnsslweb_portal.main.name
dynamic "groups" {
for_each = var.groups
content {
name = groups.key
}
}
}
}and terraform apply After this as many times i run terraform apply will have diff where its trying to reorder groups
lix-fortinet
commented
2 years ago Hi @rpuserh,
Thank you for your quick response. Interesting, I am using the same process, but everything works good in my end. Could you let me know your working env, like Terraform version, FortiOS provider version?
Thanks, Xing
rpuserh
commented
2 years ago @lix-fortinet here is complite code and how to reproduce
1) apply following code
variable "groups" {
type = map(any)
default = {
group-b = {}
}
}
resource "fortios_user_group" "groups" {
for_each = var.groups
name = each.key
}
resource "fortios_firewall_address" "sslvpn_tunnel_addrs" {
name = "sslvpn_tunnel_addrs"
color = 3
start_ip = "10.9.9.1"
end_ip = "10.9.9.10"
type = "iprange"
}
resource "fortios_vpnsslweb_portal" "main" {
name = "main"
allow_user_access = "web ftp smb sftp telnet ssh vnc rdp ping"
dynamic_sort_subtable = "false"
heading = "SSL-VPN Portal"
host_check_interval = 0
ipv6_split_tunneling_routing_negate = "disable"
ipv6_tunnel_mode = "disable"
tunnel_mode = "enable"
smb_max_version = "smbv3"
smb_min_version = "smbv2"
split_tunneling_routing_negate = "disable"
theme = "neutrino"
web_mode = "enable"
bookmark_group {
name = "gui-bookmarks"
}
ip_pools {
name = fortios_firewall_address.sslvpn_tunnel_addrs.name
}
}
resource "fortios_vpnsslweb_portal" "none" {
name = "none"
web_mode = "disable"
tunnel_mode = "disable"
}
resource "fortios_vpnssl_settings" "sslvpn" {
source_interface {
name = "port1"
}
tunnel_ip_pools {
name = fortios_firewall_address.sslvpn_tunnel_addrs.name
}
source_address {
name = "all"
}
source_address6 {
name = "all"
}
port = 4444
login_attempt_limit = 2
login_block_time = 60
login_timeout = 180
dynamic_sort_subtable = "false"
default_portal = fortios_vpnsslweb_portal.none.name
authentication_rule {
portal = fortios_vpnsslweb_portal.main.name
dynamic "groups" {
for_each = var.groups
content {
name = groups.key
}
}
}
depends_on = [fortios_vpnsslweb_portal.none, fortios_vpnsslweb_portal.main, fortios_user_group.groups]
}2) update variable and terraform apply
variable "groups" {
type = map(any)
default = {
group-b = {}
group-a = {}
}
}3) now as many times you apply it will see drift (Will try to reorder) if you reorder map keys it will still detect drift
lix-fortinet
commented
2 years ago Hi @rpuserh,
Thank you for your update. I can reproduce it now. The process is add "group2" first --> add "group1" --> terraform plan get the following info:
~ authentication_rule {
id = 1
# (6 unchanged attributes hidden)
~ groups {
~ name = "group2" -> "group1"
}
~ groups {
~ name = "group1" -> "group2"
}
}The result is that the sequence in state file is [group2, group1], but the sequence in terraform configuration file(.tf file) is [group1, group2]. So, Terraform always shows that there is a change. I checked the source code. Currently, dynamic_sort_subtable did not apply to argument authentication_rule. Team is working on this issue. We will get back to you once it's resolved.
Thanks, Xing
lix-fortinet
commented
2 years ago Hi @rpuserh,
This issue has been fixed in the latest release of FortiOS Terraform provider v1.15.0. Please switch to the latest version of FortiOS Terraform provider and try it again.
We applied dynamic_sort_subtable to parameter authentication_rule. Also, we added two options for dynamic_sort_subtable: natural, alphabetical. natural: sort tables in natural order. For example: [ a10, a2 ] --> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] --> [ a10, a2 ]. To keep the compatibility, true has the same meaning with nature.
Please let me know if you have any questions.
Thanks, Xing
lix-fortinet
commented
1 year ago Hi @rpuserh,
We will close this issue since it has been fixed. Feel free to open a new issue if you have any other questions.
Thanks, Xing
Hi,
I have variable where i list groups and add them to SSLVPN config here is code
After Apply everything is good I add group2 to var and apply. After this step if i run plan/apply again it will try to reorder groups (will keep doing it as many time I run apply)
I tried to sort map didn't help.
Please advice