fortinetdev / terraform-provider-fortios

Terraform Fortios provider
https://www.terraform.io/docs/providers/fortios/
Mozilla Public License 2.0

Problems with fortios_vpnssl_settings authentication_rule #302

Open cgrard opened 11 months ago

cgrard commented 11 months ago

Hi there,

Not sure if this is a bug or something since I'm fairly new to this provider, so I'll explain my problem and we'll see from there.

I create two resources, one is a fortios_user_group and the other is a fortios_vpnsslweb_portal, as follows:

resource "fortios_user_group" "forti-vpn-ssl-user-group" {
  group_type = "firewall"
  name       = "GRP-${var.client_shortname}-USERS"
  vdomparam  = "VDOM"
  member {
    name = fortios_user_local.forti-vpn-ssl-user.name
  }
}

resource "fortios_vpnsslweb_portal" "forti-vpn-ssl-portal" {
  name        = "portal-${var.client_shortname}-split"
  tunnel_mode = "enable"
  web_mode    = "enable"
  vdomparam   = "VDOM"
  ip_pools {
    name = fortios_firewall_address.forti-vpn-ssl-subnet.name
  }
}

Both resources are properly created without error; the trouble comes with the next step. I then need to create the authentication_rule to assign the new portal to the new group, and I do this as follows:

resource "fortios_vpnssl_settings" "forti-vpn-ssl-authentication-rule" {
  vdomparam   = "VDOM"
  authentication_rule {
    groups {
      name = fortios_user_group.forti-vpn-ssl-user-group.name
    }
    portal = fortios_vpnsslweb_portal.forti-vpn-ssl-portal.name
  }
}

Now technically this works as well, except that all the other group/portal values are gone and replaced by this one only. I should mention that the existing group/portal values are not covered by Terraform as they were pre-existing.

I'm not sure if it's the right thing to do, or if I'm doing it wrong, or how to go about it so that my resource is simply added to the others instead of replacing everything else.

Any help with this would be greatly appreciated!

lix-fortinet commented 11 months ago

Hi @cgrard,

Thank you for raising this issue. In your case, you need to add all pre-existing group/portal values in your TF configuration. By Terraform's design, Terraform providers should have full control of resources handled by Terraform. Otherwise, Terraform would be confused about whether the user wants to replace everything with the current value or just wants to add a new one. Also, the backend REST API of FortiOS for this resource does not support adding new group/portal values without affecting pre-existing values. Otherwise, we could create a new sub-resource for authentication rules only.

Please let me know if you have any questions.

Thanks, Xing
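The approach Xing describes, carrying the pre-existing group/portal pairs in the Terraform configuration alongside the new one, can be kept manageable by listing the legacy rules once in a `locals` block and generating the repeated `authentication_rule` blocks with `dynamic`. The following is an added example, not code from the issue or from the provider; it assumes only the schema visible above (`authentication_rule` blocks containing `groups { name }` and `portal`), and the legacy group and portal names are constructed placeholders.

```hcl
# Added example (not from the thread). Assumes the fortios_vpnssl_settings
# schema shown in the issue: repeated authentication_rule blocks, each with
# groups { name } and portal. The legacy names are constructed placeholders.
locals {
  # Group/portal pairs that were configured by hand before Terraform was
  # introduced. They must be listed here because the resource always writes
  # the complete authentication-rule list; anything omitted is removed.
  legacy_authentication_rules = [
    { groups = ["GRP-LEGACY-A-USERS"], portal = "portal-legacy-a" },
    { groups = ["GRP-LEGACY-B-USERS"], portal = "portal-legacy-b" },
  ]

  # Rules for objects that Terraform now manages.
  new_authentication_rules = [
    {
      groups = [fortios_user_group.forti-vpn-ssl-user-group.name]
      portal = fortios_vpnsslweb_portal.forti-vpn-ssl-portal.name
    },
  ]

  # Legacy rules first, so their relative order on the firewall is unchanged
  # and the new rule is appended after them.
  authentication_rules = concat(
    local.legacy_authentication_rules,
    local.new_authentication_rules,
  )
}

resource "fortios_vpnssl_settings" "forti-vpn-ssl-authentication-rule" {
  vdomparam = "VDOM"

  # One authentication_rule block per entry in local.authentication_rules.
  dynamic "authentication_rule" {
    for_each = local.authentication_rules
    content {
      # One groups block per group name in the entry.
      dynamic "groups" {
        for_each = authentication_rule.value.groups
        content {
          name = groups.value
        }
      }
      portal = authentication_rule.value.portal
    }
  }
}
```

Run `terraform plan` before the first apply and check that the planned `authentication_rule` list contains every rule currently on the firewall (compare it against `show vpn ssl settings` on the FortiGate); any pair missing from `legacy_authentication_rules` will be deleted on apply. Reading the existing list back with a data source on the same settings object and concatenating it with the new rule does not remove this burden: after the first apply the data source returns the list that already includes the new rule, so the configuration would have to deduplicate it on every run.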

cgrard commented 11 months ago

Hi @lix-fortinet

Thanks for the quick answer. I understand that Terraform should have full control of resources; however, this is not possible in our case because Terraform was introduced recently on an existing infrastructure that already contains a lot of legacy content that we cannot import into Terraform. I know this is not ideal, but our goal is to use Terraform from now on while keeping the legacy in place.

When you say that you can create a new sub-resource for authentication rules only, does it mean that we would have a forti-vpn-ssl-authentication-rule resource whose content would be added to the existing pool, thus achieving the goal we have, or would it be the same issue?

Isn't there a way to retrieve the list of existing authentication_rules using a data object and append the new resource to it?

lix-fortinet commented 11 months ago

Hi @cgrard,

We can add a new data source for it if that helps. As for the sub-resource for authentication rules, we cannot add it for now since we do not have a related public REST API. We will work with the API team on this and will create a new resource for it if possible.

Thanks, Xing

cgrard commented 11 months ago

That would definitely help. Thanks