Closed farroar closed 3 years ago
Hi @farroar, thank you for the improvement suggestion and the detailed information. This issue involves an unresolved requirement that already exists in Terraform: "Terraform import within resource to import programmatically in the same repo" (https://github.com/hashicorp/terraform/issues/22754), but it still does not seem to be supported by Terraform. We will develop a new solution to complete the support for the improvement in the next release. Thanks!
Supported and released; please see the latest version (v1.6.7): https://registry.terraform.io/providers/fortinetdev/fortios/latest and https://registry.terraform.io/providers/fortinetdev/fortios/latest/docs/resources/fortios_system_interface (the `autogenerated` argument) for details.
Example usage:
```hcl
# cat maintst.tf
provider "fortios" {
  hostname = "192.168.52.177"
  # API token written inline in this example; in real use supply it through a
  # sensitive variable so it does not end up in version control
  token    = "rGqsgj9Qmh3dwfQdc8hd3t3G6xG3N5"
  insecure = "true"
}

resource "fortios_vpnipsec_phase1interface" "trname1" {
  acct_verify               = "disable"
  add_gw_route              = "disable"
  add_route                 = "enable"
  assign_ip                 = "enable"
  assign_ip_from            = "range"
  authmethod                = "psk"
  auto_discovery_forwarder  = "disable"
  auto_discovery_psk        = "disable"
  auto_discovery_receiver   = "disable"
  auto_discovery_sender     = "disable"
  auto_negotiate            = "enable"
  cert_id_validation        = "enable"
  childless_ike             = "disable"
  client_auto_negotiate     = "disable"
  client_keep_alive         = "disable"
  comments                  = "VPN: ewwe (Created by VPN wizard)"
  default_gw                = "0.0.0.0"
  default_gw_priority       = 0
  dhgrp                     = "14 5"
  digital_signature_auth    = "disable"
  distance                  = 15
  dns_mode                  = "manual"
  dpd                       = "on-demand"
  dpd_retrycount            = 3
  dpd_retryinterval         = "20"
  eap                       = "disable"
  eap_identity              = "use-id-payload"
  encap_local_gw4           = "0.0.0.0"
  encap_local_gw6           = "::"
  encap_remote_gw4          = "0.0.0.0"
  encap_remote_gw6          = "::"
  encapsulation             = "none"
  encapsulation_address     = "ike"
  enforce_unique_id         = "disable"
  exchange_interface_ip     = "disable"
  exchange_ip_addr4         = "0.0.0.0"
  exchange_ip_addr6         = "::"
  forticlient_enforcement   = "disable"
  fragmentation             = "enable"
  fragmentation_mtu         = 1200
  group_authentication      = "disable"
  ha_sync_esp_seqno         = "enable"
  idle_timeout              = "disable"
  idle_timeoutinterval      = 15
  ike_version               = "1"
  include_local_lan         = "disable"
  interface                 = "port3"
  ip_version                = "4"
  ipv4_dns_server1          = "0.0.0.0"
  ipv4_dns_server2          = "0.0.0.0"
  ipv4_dns_server3          = "0.0.0.0"
  ipv4_end_ip               = "0.0.0.0"
  ipv4_netmask              = "255.255.255.255"
  ipv4_start_ip             = "0.0.0.0"
  ipv4_wins_server1         = "0.0.0.0"
  ipv4_wins_server2         = "0.0.0.0"
  ipv6_dns_server1          = "::"
  ipv6_dns_server2          = "::"
  ipv6_dns_server3          = "::"
  ipv6_end_ip               = "::"
  ipv6_prefix               = 128
  ipv6_start_ip             = "::"
  keepalive                 = 10
  keylife                   = 86400
  local_gw                  = "0.0.0.0"
  local_gw6                 = "::"
  localid_type              = "auto"
  mesh_selector_type        = "disable"
  mode                      = "main"
  mode_cfg                  = "disable"
  monitor_hold_down_delay   = 0
  monitor_hold_down_time    = "00:00"
  monitor_hold_down_type    = "immediate"
  monitor_hold_down_weekday = "sunday"
  name                      = "ewwe"
  nattraversal              = "enable"
  negotiate_timeout         = 30
  net_device                = "enable"
  passive_mode              = "disable"
  peertype                  = "any"
  ppk                       = "disable"
  priority                  = 0
  proposal                  = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1"
  # Pre-shared key written inline in this example; in real use supply it through
  # a sensitive variable (the plan output below already masks it as sensitive)
  psksecret                 = "fdsjiewnciqwekroiwrewlkrjewqj"
  reauth                    = "disable"
  rekey                     = "enable"
  remote_gw                 = "1.1.1.1"
  remote_gw6                = "::"
  rsa_signature_format      = "pkcs1"
  save_password             = "disable"
  send_cert_chain           = "enable"
  signature_hash_alg        = "sha2-512 sha2-384 sha2-256 sha1"
  suite_b                   = "disable"
  tunnel_search             = "selectors"
  type                      = "static"
  unity_support             = "enable"
  wizard_type               = "static-fortigate"
  xauthtype                 = "disable"
}

resource "fortios_vpnipsec_phase2interface" "trname2" {
  add_route                = "phase1"
  auto_discovery_forwarder = "phase1"
  auto_discovery_sender    = "phase1"
  auto_negotiate           = "disable"
  comments                 = "VPN: ewwe (Created by VPN wizard)"
  dhcp_ipsec               = "disable"
  dhgrp                    = "14 5"
  dst_addr_type            = "name"
  dst_end_ip               = "0.0.0.0"
  dst_end_ip6              = "::"
  dst_name                 = "ewwe_remote"
  dst_port                 = 0
  dst_start_ip             = "0.0.0.0"
  dst_start_ip6            = "::"
  dst_subnet               = "0.0.0.0 0.0.0.0"
  dst_subnet6              = "::/0"
  encapsulation            = "tunnel-mode"
  keepalive                = "disable"
  keylife_type             = "seconds"
  keylifekbs               = 5120
  keylifeseconds           = 43200
  l2tp                     = "disable"
  name                     = "ewwe"
  pfs                      = "enable"
  # Referencing the phase1 resource makes Terraform create phase1 before phase2
  phase1name               = fortios_vpnipsec_phase1interface.trname1.name
  proposal                 = "aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305"
  protocol                 = 0
  replay                   = "enable"
  route_overlap            = "use-new"
  single_source            = "disable"
  src_addr_type            = "name"
  src_end_ip               = "0.0.0.0"
  src_end_ip6              = "::"
  src_name                 = "ewwe_local"
  src_port                 = 0
  src_start_ip             = "0.0.0.0"
  src_start_ip6            = "::"
  src_subnet               = "0.0.0.0 0.0.0.0"
  src_subnet6              = "::/0"
}

resource "fortios_system_interface" "trname3" {
  vdom          = "root"
  # Same name as the tunnel; FortiOS creates this interface itself when the
  # phase1 interface is created, so this resource must run after phase2
  name          = fortios_vpnipsec_phase2interface.trname2.name
  ip            = "10.10.10.2 255.255.255.255"
  remote_ip     = "172.22.1.30 255.255.255.255"
  interface     = "port3"
  allowaccess   = "ping"
  tcp_mss       = "1350"
  # Adopt the interface FortiOS auto-generated for the VPN instead of trying to
  # create a new one (which would fail with "object already exists")
  autogenerated = "auto"
}
```
Note the `autogenerated` argument and the dependencies.
```text
# terraform apply
----
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
Terraform will perform the following actions:
  # fortios_system_interface.trname3 will be created
  + resource "fortios_system_interface" "trname3" {
      + ac_name                                    = (known after apply)
      + aggregate                                  = (known after apply)
      + algorithm                                  = (known after apply)
      + alias                                      = (known after apply)
      + allowaccess                                = "ping"
      + ap_discover                                = (known after apply)
      + arpforward                                 = (known after apply)
      + auth_type                                  = (known after apply)
      + auto_auth_extension_device                 = (known after apply)
      + autogenerated                              = "auto"
      + bfd                                        = (known after apply)
      + bfd_desired_min_tx                         = (known after apply)
      + bfd_detect_mult                            = (known after apply)
      + bfd_required_min_rx                        = (known after apply)
      + broadcast_forticlient_discovery            = (known after apply)
      + broadcast_forward                          = (known after apply)
      + captive_portal                             = (known after apply)
      + cli_conn_status                            = (known after apply)
      + color                                      = (known after apply)
      + dedicated_to                               = (known after apply)
      + defaultgw                                  = (known after apply)
      + detected_peer_mtu                          = (known after apply)
      + detectprotocol                             = (known after apply)
      + detectserver                               = (known after apply)
      + device_access_list                         = (known after apply)
      + device_identification                      = (known after apply)
      + device_identification_active_scan          = (known after apply)
      + device_netscan                             = (known after apply)
      + device_user_identification                 = (known after apply)
      + devindex                                   = (known after apply)
      + dhcp_client_identifier                     = (known after apply)
      + dhcp_relay_agent_option                    = (known after apply)
      + dhcp_relay_ip                              = (known after apply)
      + dhcp_relay_service                         = (known after apply)
      + dhcp_relay_type                            = (known after apply)
      + dhcp_renew_time                            = (known after apply)
      + disc_retry_timeout                         = (known after apply)
      + disconnect_threshold                       = (known after apply)
      + distance                                   = (known after apply)
      + dns_server_override                        = (known after apply)
      + drop_fragment                              = (known after apply)
      + drop_overlapped_fragment                   = (known after apply)
      + egress_shaping_profile                     = (known after apply)
      + endpoint_compliance                        = (known after apply)
      + estimated_downstream_bandwidth             = (known after apply)
      + estimated_upstream_bandwidth               = (known after apply)
      + explicit_ftp_proxy                         = (known after apply)
      + explicit_web_proxy                         = (known after apply)
      + external                                   = (known after apply)
      + fail_action_on_extender                    = (known after apply)
      + fail_alert_method                          = (known after apply)
      + fail_detect                                = (known after apply)
      + fail_detect_option                         = (known after apply)
      + fortiheartbeat                             = (known after apply)
      + fortilink                                  = (known after apply)
      + fortilink_backup_link                      = (known after apply)
      + fortilink_split_interface                  = (known after apply)
      + fortilink_stacking                         = (known after apply)
      + forward_domain                             = (known after apply)
      + gwdetect                                   = (known after apply)
      + ha_priority                                = (known after apply)
      + icmp_accept_redirect                       = (known after apply)
      + icmp_send_redirect                         = (known after apply)
      + id                                         = (known after apply)
      + ident_accept                               = (known after apply)
      + idle_timeout                               = (known after apply)
      + inbandwidth                                = (known after apply)
      + ingress_spillover_threshold                = (known after apply)
      + interface                                  = "port3"
      + internal                                   = (known after apply)
      + ip                                         = "10.10.10.2 255.255.255.255"
      + ipmac                                      = (known after apply)
      + ips_sniffer_mode                           = (known after apply)
      + ipunnumbered                               = (known after apply)
      + l2forward                                  = (known after apply)
      + lacp_ha_slave                              = (known after apply)
      + lacp_mode                                  = (known after apply)
      + lacp_speed                                 = (known after apply)
      + lcp_echo_interval                          = (known after apply)
      + lcp_max_echo_fails                         = (known after apply)
      + link_up_delay                              = (known after apply)
      + lldp_network_policy                        = (known after apply)
      + lldp_reception                             = (known after apply)
      + lldp_transmission                          = (known after apply)
      + macaddr                                    = (known after apply)
      + management_ip                              = (known after apply)
      + min_links                                  = (known after apply)
      + min_links_down                             = (known after apply)
      + mode                                       = (known after apply)
      + mtu                                        = (known after apply)
      + mtu_override                               = (known after apply)
      + name                                       = "ewwe"
      + ndiscforward                               = (known after apply)
      + netbios_forward                            = (known after apply)
      + netflow_sampler                            = (known after apply)
      + outbandwidth                               = (known after apply)
      + padt_retry_timeout                         = (known after apply)
      + ping_serv_status                           = (known after apply)
      + polling_interval                           = (known after apply)
      + pppoe_unnumbered_negotiate                 = (known after apply)
      + pptp_auth_type                             = (known after apply)
      + pptp_client                                = (known after apply)
      + pptp_server_ip                             = (known after apply)
      + pptp_timeout                               = (known after apply)
      + pptp_user                                  = (known after apply)
      + preserve_session_route                     = (known after apply)
      + priority                                   = (known after apply)
      + priority_override                          = (known after apply)
      + proxy_captive_portal                       = (known after apply)
      + redundant_interface                        = (known after apply)
      + remote_ip                                  = "172.22.1.30 255.255.255.255"
      + replacemsg_override_group                  = (known after apply)
      + role                                       = (known after apply)
      + sample_direction                           = (known after apply)
      + sample_rate                                = (known after apply)
      + scan_botnet_connections                    = (known after apply)
      + secondary_ip                               = (known after apply)
      + security_exempt_list                       = (known after apply)
      + security_external_logout                   = (known after apply)
      + security_external_web                      = (known after apply)
      + security_mac_auth_bypass                   = (known after apply)
      + security_mode                              = (known after apply)
      + security_redirect_url                      = (known after apply)
      + service_name                               = (known after apply)
      + sflow_sampler                              = (known after apply)
      + snmp_index                                 = (known after apply)
      + speed                                      = (known after apply)
      + spillover_threshold                        = (known after apply)
      + src_check                                  = (known after apply)
      + status                                     = (known after apply)
      + stpforward                                 = (known after apply)
      + stpforward_mode                            = (known after apply)
      + subst                                      = (known after apply)
      + substitute_dst_mac                         = (known after apply)
      + switch                                     = (known after apply)
      + switch_controller_access_vlan              = (known after apply)
      + switch_controller_arp_inspection           = (known after apply)
      + switch_controller_dhcp_snooping            = (known after apply)
      + switch_controller_dhcp_snooping_option82   = (known after apply)
      + switch_controller_dhcp_snooping_verify_mac = (known after apply)
      + switch_controller_igmp_snooping            = (known after apply)
      + switch_controller_learning_limit           = (known after apply)
      + switch_controller_traffic_policy           = (known after apply)
      + tcp_mss                                    = 1350
      + trust_ip6_1                                = (known after apply)
      + trust_ip6_2                                = (known after apply)
      + trust_ip6_3                                = (known after apply)
      + trust_ip_1                                 = (known after apply)
      + trust_ip_2                                 = (known after apply)
      + trust_ip_3                                 = (known after apply)
      + type                                       = (known after apply)
      + username                                   = (known after apply)
      + vdom                                       = "root"
      + vindex                                     = (known after apply)
      + vlanforward                                = (known after apply)
      + vlanid                                     = (known after apply)
      + vrf                                        = (known after apply)
      + vrrp_virtual_mac                           = (known after apply)
      + wccp                                       = (known after apply)
      + weight                                     = (known after apply)
      + wins_ip                                    = (known after apply)
    }
  # fortios_vpnipsec_phase1interface.trname1 will be created
  + resource "fortios_vpnipsec_phase1interface" "trname1" {
      + acct_verify               = "disable"
      + add_gw_route              = "disable"
      + add_route                 = "enable"
      + assign_ip                 = "enable"
      + assign_ip_from            = "range"
      + authmethod                = "psk"
      + authmethod_remote         = (known after apply)
      + authusr                   = (known after apply)
      + authusrgrp                = (known after apply)
      + auto_discovery_forwarder  = "disable"
      + auto_discovery_psk        = "disable"
      + auto_discovery_receiver   = "disable"
      + auto_discovery_sender     = "disable"
      + auto_negotiate            = "enable"
      + cert_id_validation        = "enable"
      + childless_ike             = "disable"
      + client_auto_negotiate     = "disable"
      + client_keep_alive         = "disable"
      + comments                  = "VPN: ewwe (Created by VPN wizard)"
      + default_gw                = "0.0.0.0"
      + default_gw_priority       = 0
      + dhgrp                     = "14 5"
      + digital_signature_auth    = "disable"
      + distance                  = 15
      + dns_mode                  = "manual"
      + domain                    = (known after apply)
      + dpd                       = "on-demand"
      + dpd_retrycount            = 3
      + dpd_retryinterval         = "20"
      + eap                       = "disable"
      + eap_identity              = "use-id-payload"
      + encap_local_gw4           = "0.0.0.0"
      + encap_local_gw6           = "::"
      + encap_remote_gw4          = "0.0.0.0"
      + encap_remote_gw6          = "::"
      + encapsulation             = "none"
      + encapsulation_address     = "ike"
      + enforce_unique_id         = "disable"
      + exchange_interface_ip     = "disable"
      + exchange_ip_addr4         = "0.0.0.0"
      + exchange_ip_addr6         = "::"
      + forticlient_enforcement   = "disable"
      + fragmentation             = "enable"
      + fragmentation_mtu         = 1200
      + group_authentication      = "disable"
      + ha_sync_esp_seqno         = "enable"
      + id                        = (known after apply)
      + idle_timeout              = "disable"
      + idle_timeoutinterval      = 15
      + ike_version               = "1"
      + include_local_lan         = "disable"
      + interface                 = "port3"
      + ip_version                = "4"
      + ipv4_dns_server1          = "0.0.0.0"
      + ipv4_dns_server2          = "0.0.0.0"
      + ipv4_dns_server3          = "0.0.0.0"
      + ipv4_end_ip               = "0.0.0.0"
      + ipv4_name                 = (known after apply)
      + ipv4_netmask              = "255.255.255.255"
      + ipv4_split_exclude        = (known after apply)
      + ipv4_split_include        = (known after apply)
      + ipv4_start_ip             = "0.0.0.0"
      + ipv4_wins_server1         = "0.0.0.0"
      + ipv4_wins_server2         = "0.0.0.0"
      + ipv6_dns_server1          = "::"
      + ipv6_dns_server2          = "::"
      + ipv6_dns_server3          = "::"
      + ipv6_end_ip               = "::"
      + ipv6_name                 = (known after apply)
      + ipv6_prefix               = 128
      + ipv6_split_exclude        = (known after apply)
      + ipv6_split_include        = (known after apply)
      + ipv6_start_ip             = "::"
      + keepalive                 = 10
      + keylife                   = 86400
      + local_gw                  = "0.0.0.0"
      + local_gw6                 = "::"
      + localid                   = (known after apply)
      + localid_type              = "auto"
      + mesh_selector_type        = "disable"
      + mode                      = "main"
      + mode_cfg                  = "disable"
      + monitor                   = (known after apply)
      + monitor_hold_down_delay   = 0
      + monitor_hold_down_time    = "00:00"
      + monitor_hold_down_type    = "immediate"
      + monitor_hold_down_weekday = "sunday"
      + name                      = "ewwe"
      + nattraversal              = "enable"
      + negotiate_timeout         = 30
      + net_device                = "enable"
      + passive_mode              = "disable"
      + peer                      = (known after apply)
      + peergrp                   = (known after apply)
      + peerid                    = (known after apply)
      + peertype                  = "any"
      + ppk                       = "disable"
      + ppk_identity              = (known after apply)
      + priority                  = 0
      + proposal                  = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1"
      + psksecret                 = (sensitive value)
      + reauth                    = "disable"
      + rekey                     = "enable"
      + remote_gw                 = "1.1.1.1"
      + remote_gw6                = "::"
      + remotegw_ddns             = (known after apply)
      + rsa_signature_format      = "pkcs1"
      + save_password             = "disable"
      + send_cert_chain           = "enable"
      + signature_hash_alg        = "sha2-512 sha2-384 sha2-256 sha1"
      + split_include_service     = (known after apply)
      + suite_b                   = "disable"
      + tunnel_search             = "selectors"
      + type                      = "static"
      + unity_support             = "enable"
      + usrgrp                    = (known after apply)
      + vni                       = (known after apply)
      + wizard_type               = "static-fortigate"
      + xauthtype                 = "disable"
    }
  # fortios_vpnipsec_phase2interface.trname2 will be created
  + resource "fortios_vpnipsec_phase2interface" "trname2" {
      + add_route                = "phase1"
      + auto_discovery_forwarder = "phase1"
      + auto_discovery_sender    = "phase1"
      + auto_negotiate           = "disable"
      + comments                 = "VPN: ewwe (Created by VPN wizard)"
      + dhcp_ipsec               = "disable"
      + dhgrp                    = "14 5"
      + dst_addr_type            = "name"
      + dst_end_ip               = "0.0.0.0"
      + dst_end_ip6              = "::"
      + dst_name                 = "ewwe_remote"
      + dst_name6                = (known after apply)
      + dst_port                 = 0
      + dst_start_ip             = "0.0.0.0"
      + dst_start_ip6            = "::"
      + dst_subnet               = "0.0.0.0 0.0.0.0"
      + dst_subnet6              = "::/0"
      + encapsulation            = "tunnel-mode"
      + id                       = (known after apply)
      + keepalive                = "disable"
      + keylife_type             = "seconds"
      + keylifekbs               = 5120
      + keylifeseconds           = 43200
      + l2tp                     = "disable"
      + name                     = "ewwe"
      + pfs                      = "enable"
      + phase1name               = "ewwe"
      + proposal                 = "aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305"
      + protocol                 = 0
      + replay                   = "enable"
      + route_overlap            = "use-new"
      + single_source            = "disable"
      + src_addr_type            = "name"
      + src_end_ip               = "0.0.0.0"
      + src_end_ip6              = "::"
      + src_name                 = "ewwe_local"
      + src_name6                = (known after apply)
      + src_port                 = 0
      + src_start_ip             = "0.0.0.0"
      + src_start_ip6            = "::"
      + src_subnet               = "0.0.0.0 0.0.0.0"
      + src_subnet6              = "::/0"
    }
Plan: 3 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.
  Enter a value: yes
fortios_vpnipsec_phase1interface.trname1: Creating...
fortios_vpnipsec_phase1interface.trname1: Creation complete after 0s [id=ewwe]
fortios_vpnipsec_phase2interface.trname2: Creating...
fortios_vpnipsec_phase2interface.trname2: Creation complete after 0s [id=ewwe]
fortios_system_interface.trname3: Creating...
fortios_system_interface.trname3: Creation complete after 0s [id=ewwe]
Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
```
We can see that the interface automatically created by the VPN has been configured according to the Terraform configuration:
Thanks!
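The same three-resource pattern as the maintainer's `maintst.tf` above, written here as an added example (not the provider's or either poster's code) with the two secrets taken out of the file and a BGP neighbour formed over the adopted tunnel interface, which is the scenario the issue was opened for. Everything not on the page is an assumption: the variable names, the AS numbers and addresses are placeholders; `fortios_router_bgp` with `as` and a `neighbor { ip, remote_as }` block, and the provider's `cabundlefile` argument, are taken from the provider docs as I recall them and should be checked against the installed provider version. Only the phase1/phase2 arguments needed for the wiring are set; the rest fall back to provider defaults.

```hcl
# Added example, not from the original thread. Placeholder values are marked.

variable "fortios_token" {
  type      = string
  sensitive = true # FortiGate REST API token; pass via TF_VAR_fortios_token
}

variable "vpn_psk" {
  type      = string
  sensitive = true # IKE pre-shared key; pass via TF_VAR_vpn_psk
}

provider "fortios" {
  hostname = "192.168.52.177"
  token    = var.fortios_token
  # Verify the FortiGate certificate instead of insecure = "true";
  # cabundlefile is assumed from the provider docs and must point at the CA
  # that signed the FortiGate's admin certificate.
  insecure     = "false"
  cabundlefile = "/etc/ssl/fortigate-ca.pem" # placeholder path
}

resource "fortios_vpnipsec_phase1interface" "p1" {
  name        = "cloud-vpn" # placeholder tunnel name; FortiOS creates an interface of this name
  type        = "static"
  interface   = "port3"
  ike_version = "2"
  authmethod  = "psk"
  psksecret   = var.vpn_psk
  proposal    = "aes256-sha256"
  dhgrp       = "14"
  remote_gw   = "203.0.113.10" # placeholder peer address (TEST-NET-3)
  net_device  = "enable"
}

resource "fortios_vpnipsec_phase2interface" "p2" {
  name          = fortios_vpnipsec_phase1interface.p1.name
  phase1name    = fortios_vpnipsec_phase1interface.p1.name # ordering: p1 before p2
  proposal      = "aes256-sha256"
  dhgrp         = "14"
  pfs           = "enable"
  src_addr_type = "subnet"
  src_subnet    = "0.0.0.0 0.0.0.0"
  dst_addr_type = "subnet"
  dst_subnet    = "0.0.0.0 0.0.0.0"
}

# Adopt the interface FortiOS generated for the tunnel rather than creating a
# new one; autogenerated = "auto" is the argument added in v1.6.7 for this.
resource "fortios_system_interface" "tunnel" {
  vdom          = "root"
  name          = fortios_vpnipsec_phase2interface.p2.name # ordering: p2 before this
  ip            = "10.10.10.2 255.255.255.255"
  remote_ip     = "172.22.1.30 255.255.255.255"
  interface     = "port3"
  allowaccess   = "ping"
  tcp_mss       = "1350"
  autogenerated = "auto"
}

# BGP session to the far end of the tunnel. The neighbour address is the
# address half of remote_ip ("172.22.1.30 255.255.255.255" -> "172.22.1.30").
resource "fortios_router_bgp" "peering" {
  as        = 65001 # placeholder local AS
  router_id = "10.10.10.2"

  neighbor {
    ip        = split(" ", fortios_system_interface.tunnel.remote_ip)[0]
    remote_as = 65002 # placeholder remote AS
  }

  depends_on = [fortios_system_interface.tunnel]
}
```

Run it with the two secrets in the environment, e.g. `TF_VAR_fortios_token=... TF_VAR_vpn_psk=... terraform apply`, so that neither value is written to the `.tf` file. Note that Terraform still records `psksecret` in plain text in the state file even though the plan masks it as `(sensitive value)`, so the state backend needs the same access controls as the key itself.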
Great, this will work. Appreciate the quick turnaround!
Scenario: Created VPN connection and need to setup BGP peering using the interface automatically created during the VPN creation process.
FortiOS tunnel interface post VPN configuration (automatically created):
Terraform Configuration:
Expected Result: Existing interface updated with IP addresses, this would allow a BGP peering relationship to be formed over this tunnel.
Result:
Terraform error:
FortiGate error:
Analysis: It seems that the FortiGate is erroring out due to "object already exists". This makes me think that the provider is trying to create a new interface and not edit the existing one. I would suspect that this resource would retrieve the state of the named interface and make any delta changes as needed. Would this mean I need to first import the interface?
Using the same resource to make a net new interface works; a tunnel interface, however, does not. That is the main difference and I suspect where this is breaking.
Hopefully this can be sorted out, it would make automating VPNs to cloud providers a lot easier!
Thanks