Open timwsuqld opened 1 year ago
Hi @timwsuqld,
Thank you for raising this issue. Could you try resource fortios_firewall_security_policysort
which could sort the policy? Here is the reference: https://registry.terraform.io/providers/fortinetdev/fortios/latest/docs/resources/fortios_firewall_security_policysort
Thanks, Xing
@lix-fortinet wouldn't it be possible to simplify the process of organizing the policies by adding another field to the policy resource (e.g. priority) determining its position? That "policysort" thing really discourages people from using/managing FG by Terraform. I am still using Azure firewall instead exactly for that reason.
Hi @drs143,
Thank you for your suggestion. We will consider it and make some improvement.
Thanks, Xing
I totally agree with @drs143, having a priority or position parameter is what people expect in states like this. It's actually already confusing that setting policyid doesn't set the order, as people expect that an ID like that would determine the order, and that is how many routers have worked for the last 20 years: order is based on the ID of the policy. Yes, this means reordering policies changes the ID, so having a priority or position parameter would be even better. I've not had a chance to try fortios_firewall_security_policysort yet.
Creating multiple fortios_firewall_localinpolicy rules will end up with a different order based on different runs. Policy ID doesn't determine rule order; execution order determines order. And just because they are sequential in the Terraform config doesn't mean they'll be executed as such.
Two rules such as the following (simplified) can end up with rule 2 being created before rule 1, so the deny occurs first.
On one router, where the rule order was forced (created policy 1, then updated the config to include policy 2 and ran again), the order came out as
On another router where the whole config was applied at once, the rules ended up as
Ideally we need a way to specify the order, and also to reorder them.
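As an added illustration (not configuration from this issue or from the provider's own docs) of how the parallel-creation problem described above can be pinned down today: an explicit depends_on forces Terraform to create the allow rule before the deny rule, so FortiOS appends them in the intended order. The attribute names and the address/service object names are assumed from the provider's documentation and should be checked against the provider version in use.

```hcl
# Added example, not from the issue thread. Attribute names for
# fortios_firewall_localinpolicy are assumed from the provider docs;
# "mgmt-net" and "port1" are constructed placeholder values.
resource "fortios_firewall_localinpolicy" "allow_mgmt" {
  policyid = 1
  intf     = "port1"
  srcaddr {
    name = "mgmt-net"
  }
  dstaddr {
    name = "all"
  }
  service {
    name = "HTTPS"
  }
  schedule = "always"
  action   = "accept"
  status   = "enable"
}

resource "fortios_firewall_localinpolicy" "deny_rest" {
  policyid = 2
  intf     = "port1"
  srcaddr {
    name = "all"
  }
  dstaddr {
    name = "all"
  }
  service {
    name = "HTTPS"
  }
  schedule = "always"
  action   = "deny"
  status   = "enable"

  # Terraform creates independent resources in parallel, so without this
  # the deny rule can be created first and land above the allow rule
  # (the "deny occurs first" outcome described in the issue). Forcing the
  # dependency reproduces the "policy 1 first, then policy 2" ordering.
  depends_on = [fortios_firewall_localinpolicy.allow_mgmt]
}
```

This only makes the initial create order deterministic; it does not reorder rules that already exist on the device, which is the gap the issue asks the provider to close.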