fortinetdev / terraform-provider-fortios

Terraform Fortios provider
https://www.terraform.io/docs/providers/fortios/
Mozilla Public License 2.0

fortios_system_interface - tunnel mode ip address #97

Closed farroar closed 3 years ago

farroar commented 4 years ago

Scenario: Created VPN connection and need to setup BGP peering using the interface automatically created during the VPN creation process.

FortiOS tunnel interface post VPN configuration (automatically created):

edit
  set vdom root
  set type tunnel
  set interface "wan1"
next

Terraform Configuration:

resource "fortios_system_interface" "vpn" { # resource label "vpn" assumed; the post omits it
  vdom        = "root"
  name        = "VPN"
  ip          = "10.10.10.2 255.255.255.255"
  remote_ip   = "172.22.1.30 255.255.255.255"
  interface   = "wan1"
  allowaccess = "ping"
  tcp_mss     = "1350"
}

Expected Result: Existing interface updated with IP addresses, this would allow a BGP peering relationship to be formed over this tunnel.

Result:

Terraform error:

Error: Error creating SystemInterface resource: Internal Server Error - Internal error when processing the request (500)

FortiGate error

diag debug app httpsd -1

[httpsd 7119 - 1603028263     info] api_store_parameter[227] -- add API parameter 'access_token': '********' (type=string)
[httpsd 7119 - 1603028263     info] api_store_parameter[227] -- add API parameter 'allowaccess': '"ping"' (type=string)
[httpsd 7119 - 1603028263     info] api_store_parameter[227] -- add API parameter 'interface': '"wan1"' (type=string)
[httpsd 7119 - 1603028263     info] api_store_parameter[227] -- add API parameter 'ip': '"10.20.10.2 255.255.255.255"' (type=string)
[httpsd 7119 - 1603028263     info] api_store_parameter[227] -- add API parameter 'name': '"aws_vpn"' (type=string)
[httpsd 7119 - 1603028263     info] api_store_parameter[227] -- add API parameter 'remote-ip': '"172.16.1.30 255.255.255.255"' (type=string)
[httpsd 7119 - 1603028263     info] api_store_parameter[227] -- add API parameter 'vdom': '"root"' (type=string)
[httpsd 7119 - 1603028263     info] handle_cli_req_v2_vdom[1957] -- new CMDB API request (vdom='root',user='terraform')
[httpsd 7119 - 1603028263     info] api_cmdb_request_init_by_path[1360] -- new CMDB query (path='system',name='interface')
[httpsd 7119 - 1603028263    error] log_error_core[439] -- [Sun Oct 18 06:37:43 2020] [error] [client 172.20.0.105] [libapreq] unknown content-type: `application/json'
[httpsd 7119 - 1603028263     info] api_return_cmdb_revision[779] -- ETag check for system.interface
[httpsd 7119 - 1603028263     info] _api_cmdb_v2_config[1145] -- editing CLI object (append=1, auto_key=0, path=system, name=interface, mkey=(null), flags=0)
[httpsd 7119 - 1603028263    error] cmdb_commit_from_json[1428] -- object already exists (mkey='aws_vpn')
[httpsd 7119 - 1603028263    error] _api_cmdb_v2_config[1172] -- error editing object (nret=-5)
[httpsd 7119 - 1603028263    error] api_return_http_result[631] -- API error -5 raised
[httpsd 7119 - 1603028263     info] ap_invoke_handler[616] -- request completed (handler='api_cmdb_v2-handler' result==0)
[httpsd 8799 - 1603028266     info] ap_invoke_handler[593] -- new request (handler='api_monitor_v2-handler', uri='/api/v2/monitor/system/usb-log', method='GET')
[httpsd 8799 - 1603028266     info] ap_invoke_handler[597] -- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
[httpsd 8799 - 1603028266     info] ap_invoke_handler[600] -- Source: 172.20.0.105:59120 Destination: 172.20.0.1:443
[httpsd 8799 - 1603028266     info] endpoint_handle_req[611] -- received api_monitor_v2_request from '172.20.0.105'
[httpsd 8799 - 1603028266     info] aps_init_process_vdom[1195] -- initialized process vdom to 'root' (cookie='root')
[httpsd 8799 - 1603028266     info] endpoint_process_req_vdom[452] -- new API request (action='select',path='system',name='usb-log',vdom='root',user='farroar')
[httpsd 8799 - 1603028266     info] ap_invoke_handler[616] -- request completed (handler='api_monitor_v2-handler' result==0)

Analysis: It seems that the FortiGate is erroring out due to "object already exists". This makes me think that the provider is trying to create a new interface and not edit the existing one. I would suspect that this resource would retrieve the state of the named interface and make any delta changes as needed. Would this mean I need to first import the interface?

Using the same resource to make a net-new interface works; a tunnel interface does not, however. That is the main difference and I suspect where this is breaking.

Hopefully this can be sorted out, it would make automating VPNs to cloud providers a lot easier!

Thanks
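The httpsd log above shows the failure mechanism: the request is a POST to system/interface (append=1, mkey=(null)), and cmdb_commit_from_json rejects it with error -5 because the VPN wizard already created an object with that mkey, which the API surfaces as HTTP 500. The script below is an added example, not code from the provider or from the post. It shows the idempotent alternative against the same CMDB REST API: GET the object by mkey, then PUT onto it if it exists and POST only if it does not. The FortiGate is a constructed in-memory fake that reproduces the status codes in the log (200 on GET of an existing object, 404 otherwise, 500 on POST to an existing mkey); the host name fgt.example, the token value and the interface attributes are made up. The token is sent as an Authorization: Bearer header rather than as the access_token query parameter the log shows, so it stays out of URL logs, and TLS verification is left on with an optional CA bundle path; FORTIOS_ACCESS_TOKEN is the environment variable the provider documents for its own token.

```python
"""Idempotent edit of a FortiOS CMDB object over the REST API (added example,
not the terraform-provider-fortios code). The FortiGate is a constructed fake."""
import json
import os
import ssl
import urllib.error
import urllib.request

# Constructed token; in practice read it from the environment, never from a .tf file.
TOKEN = os.environ.get("FORTIOS_ACCESS_TOKEN", "constructed-example-token")


class FortiGateClient:
    """Minimal CMDB client. The token travels in an Authorization header,
    not in the access_token query parameter, so it stays out of URL logs."""

    def __init__(self, host, token, cabundle=None, opener=None):
        self.base = f"https://{host}/api/v2/cmdb"
        self.token = token
        if opener is None:  # real transport: TLS verified against the system store or a CA bundle
            ctx = ssl.create_default_context(cafile=cabundle)
            opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
        self.opener = opener

    def call(self, method, path, vdom="root", body=None):
        url = f"{self.base}/{path}?vdom={vdom}"
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")
        req.add_header("Content-Type", "application/json")
        with self.opener.open(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")

    def exists(self, path, mkey, vdom="root"):
        try:
            status, _ = self.call("GET", f"{path}/{mkey}", vdom)
            return status == 200
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return False
            raise

    def upsert(self, path, mkey, attrs, vdom="root"):
        """PUT onto an existing object (e.g. the tunnel interface the VPN wizard
        created) or POST a new one. Returns "edited" or "created"."""
        if self.exists(path, mkey, vdom):
            self.call("PUT", f"{path}/{mkey}", vdom, attrs)
            return "edited"
        self.call("POST", path, vdom, dict(attrs, name=mkey))
        return "created"


class _FakeResponse:
    def __init__(self, status, payload):
        self.status, self._body = status, json.dumps(payload).encode()

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeFortiGate:
    """Constructed stand-in for the CMDB API; only the status codes matter here."""

    def __init__(self, objects):
        self.objects = dict(objects)  # mkey -> attribute dict

    def open(self, req):
        url, method = req.full_url, req.get_method()
        if req.get_header("Authorization") != f"Bearer {TOKEN}":
            raise urllib.error.HTTPError(url, 401, "Unauthorized", {}, None)
        parts = url.split("/api/v2/cmdb/", 1)[1].split("?", 1)[0].split("/")
        mkey = parts[2] if len(parts) > 2 else None
        body = json.loads(req.data) if req.data else {}
        if method == "GET" and mkey in self.objects:
            return _FakeResponse(200, {"results": [self.objects[mkey]]})
        if method == "GET":
            raise urllib.error.HTTPError(url, 404, "Not Found", {}, None)
        if method == "POST" and body.get("name") in self.objects:
            # cmdb_commit_from_json: object already exists -> API error -5 -> HTTP 500
            raise urllib.error.HTTPError(url, 500, "Internal Server Error", {}, None)
        if method == "POST":
            self.objects[body["name"]] = body
            return _FakeResponse(200, {"status": "success"})
        if method == "PUT" and mkey in self.objects:
            self.objects[mkey].update(body)
            return _FakeResponse(200, {"status": "success"})
        raise urllib.error.HTTPError(url, 404, "Not Found", {}, None)


def demo():
    """Replays the issue: the wizard already created tunnel interface 'ewwe'."""
    fgt = FakeFortiGate({"ewwe": {"name": "ewwe", "type": "tunnel", "interface": "port3"}})
    client = FortiGateClient("fgt.example", TOKEN, opener=fgt)
    attrs = {"ip": "10.10.10.2 255.255.255.255", "remote-ip": "172.22.1.30 255.255.255.255",
             "allowaccess": "ping", "tcp-mss": 1350}
    try:  # plain create, which is what produced the 500 in the log
        client.call("POST", "system/interface", body=dict(attrs, name="ewwe"))
        naive = "created"
    except urllib.error.HTTPError as err:
        naive = f"HTTP {err.code}"
    return {"naive": naive,
            "existing": client.upsert("system/interface", "ewwe", attrs),
            "new": client.upsert("system/interface", "ewwe2", attrs),
            "ewwe": fgt.objects["ewwe"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the naive POST failing with HTTP 500 while the upsert edits the existing tunnel interface in place, keeping its type and parent interface, and creates the second, non-existent one. Against a real FortiGate, drop the opener argument and pass the CA bundle path instead of setting the provider's insecure flag.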

frankshen01 commented 4 years ago

Hi @farroar, thank you for the improvement suggestion and the detailed information. This issue involves an unresolved requirement that already exists in Terraform: "Terraform import within resource to import programmatically in the same repo" [ https://github.com/hashicorp/terraform/issues/22754 ], but it still does not seem to be supported by Terraform. We will develop a new solution to complete the support for the improvement in the next release. Thanks!

frankshen01 commented 3 years ago

Supported and released, please see the latest version (v1.6.7): https://registry.terraform.io/providers/fortinetdev/fortios/latest and https://registry.terraform.io/providers/fortinetdev/fortios/latest/docs/resources/fortios_system_interface ('autogenerated' argument) for details.

Example usage:


# cat maintst.tf
provider "fortios" {
  hostname  = "192.168.52.177"
  token     = "rGqsgj9Qmh3dwfQdc8hd3t3G6xG3N5" # REST API access token (lab value); the provider also reads FORTIOS_ACCESS_TOKEN from the environment, which keeps it out of the .tf file
  insecure  = "true"                           # disables TLS certificate verification of the FortiGate; lab use only
}

resource "fortios_vpnipsec_phase1interface" "trname1" {
  acct_verify               = "disable"
  add_gw_route              = "disable"
  add_route                 = "enable"
  assign_ip                 = "enable"
  assign_ip_from            = "range"
  authmethod                = "psk"
  auto_discovery_forwarder  = "disable"
  auto_discovery_psk        = "disable"
  auto_discovery_receiver   = "disable"
  auto_discovery_sender     = "disable"
  auto_negotiate            = "enable"
  cert_id_validation        = "enable"
  childless_ike             = "disable"
  client_auto_negotiate     = "disable"
  client_keep_alive         = "disable"
  comments                  = "VPN: ewwe (Created by VPN wizard)"
  default_gw                = "0.0.0.0"
  default_gw_priority       = 0
  dhgrp                     = "14 5"
  digital_signature_auth    = "disable"
  distance                  = 15
  dns_mode                  = "manual"
  dpd                       = "on-demand"
  dpd_retrycount            = 3
  dpd_retryinterval         = "20"
  eap                       = "disable"
  eap_identity              = "use-id-payload"
  encap_local_gw4           = "0.0.0.0"
  encap_local_gw6           = "::"
  encap_remote_gw4          = "0.0.0.0"
  encap_remote_gw6          = "::"
  encapsulation             = "none"
  encapsulation_address     = "ike"
  enforce_unique_id         = "disable"
  exchange_interface_ip     = "disable"
  exchange_ip_addr4         = "0.0.0.0"
  exchange_ip_addr6         = "::"
  forticlient_enforcement   = "disable"
  fragmentation             = "enable"
  fragmentation_mtu         = 1200
  group_authentication      = "disable"
  ha_sync_esp_seqno         = "enable"
  idle_timeout              = "disable"
  idle_timeoutinterval      = 15
  ike_version               = "1"
  include_local_lan         = "disable"
  interface                 = "port3"
  ip_version                = "4"
  ipv4_dns_server1          = "0.0.0.0"
  ipv4_dns_server2          = "0.0.0.0"
  ipv4_dns_server3          = "0.0.0.0"
  ipv4_end_ip               = "0.0.0.0"
  ipv4_netmask              = "255.255.255.255"
  ipv4_start_ip             = "0.0.0.0"
  ipv4_wins_server1         = "0.0.0.0"
  ipv4_wins_server2         = "0.0.0.0"
  ipv6_dns_server1          = "::"
  ipv6_dns_server2          = "::"
  ipv6_dns_server3          = "::"
  ipv6_end_ip               = "::"
  ipv6_prefix               = 128
  ipv6_start_ip             = "::"
  keepalive                 = 10
  keylife                   = 86400
  local_gw                  = "0.0.0.0"
  local_gw6                 = "::"
  localid_type              = "auto"
  mesh_selector_type        = "disable"
  mode                      = "main"
  mode_cfg                  = "disable"
  monitor_hold_down_delay   = 0
  monitor_hold_down_time    = "00:00"
  monitor_hold_down_type    = "immediate"
  monitor_hold_down_weekday = "sunday"
  name                      = "ewwe"
  nattraversal              = "enable"
  negotiate_timeout         = 30
  net_device                = "enable"
  passive_mode              = "disable"
  peertype                  = "any"
  ppk                       = "disable"
  priority                  = 0
  proposal                  = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1"
  psksecret                 = "fdsjiewnciqwekroiwrewlkrjewqj" # IKE pre-shared key (lab value); shown as (sensitive value) in the plan below
  reauth                    = "disable"
  rekey                     = "enable"
  remote_gw                 = "1.1.1.1"
  remote_gw6                = "::"
  rsa_signature_format      = "pkcs1"
  save_password             = "disable"
  send_cert_chain           = "enable"
  signature_hash_alg        = "sha2-512 sha2-384 sha2-256 sha1"
  suite_b                   = "disable"
  tunnel_search             = "selectors"
  type                      = "static"
  unity_support             = "enable"
  wizard_type               = "static-fortigate"
  xauthtype                 = "disable"
}

resource "fortios_vpnipsec_phase2interface" "trname2" {
  add_route                = "phase1"
  auto_discovery_forwarder = "phase1"
  auto_discovery_sender    = "phase1"
  auto_negotiate           = "disable"
  comments                 = "VPN: ewwe (Created by VPN wizard)"
  dhcp_ipsec               = "disable"
  dhgrp                    = "14 5"
  dst_addr_type            = "name"
  dst_end_ip               = "0.0.0.0"
  dst_end_ip6              = "::"
  dst_name                 = "ewwe_remote"
  dst_port                 = 0
  dst_start_ip             = "0.0.0.0"
  dst_start_ip6            = "::"
  dst_subnet               = "0.0.0.0 0.0.0.0"
  dst_subnet6              = "::/0"
  encapsulation            = "tunnel-mode"
  keepalive                = "disable"
  keylife_type             = "seconds"
  keylifekbs               = 5120
  keylifeseconds           = 43200
  l2tp                     = "disable"
  name                     = "ewwe"
  pfs                      = "enable"
  phase1name               = fortios_vpnipsec_phase1interface.trname1.name
  proposal                 = "aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305"
  protocol                 = 0
  replay                   = "enable"
  route_overlap            = "use-new"
  single_source            = "disable"
  src_addr_type            = "name"
  src_end_ip               = "0.0.0.0"
  src_end_ip6              = "::"
  src_name                 = "ewwe_local"
  src_port                 = 0
  src_start_ip             = "0.0.0.0"
  src_start_ip6            = "::"
  src_subnet               = "0.0.0.0 0.0.0.0"
  src_subnet6              = "::/0"
}

resource "fortios_system_interface" "trname3" {
  vdom        = "root"
  name        = fortios_vpnipsec_phase2interface.trname2.name
  ip          = "10.10.10.2 255.255.255.255"
  remote_ip   = "172.22.1.30 255.255.255.255"
  interface   = "port3"
  allowaccess = "ping"
  tcp_mss     = "1350"

  autogenerated = "auto"
}

Note the autogenerated argument and the dependencies.

# terraform apply
  ----

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # fortios_system_interface.trname3 will be created
  + resource "fortios_system_interface" "trname3" {
      + ac_name                                    = (known after apply)
      + aggregate                                  = (known after apply)
      + algorithm                                  = (known after apply)
      + alias                                      = (known after apply)
      + allowaccess                                = "ping"
      + ap_discover                                = (known after apply)
      + arpforward                                 = (known after apply)
      + auth_type                                  = (known after apply)
      + auto_auth_extension_device                 = (known after apply)
      + autogenerated                              = "auto"
      + bfd                                        = (known after apply)
      + bfd_desired_min_tx                         = (known after apply)
      + bfd_detect_mult                            = (known after apply)
      + bfd_required_min_rx                        = (known after apply)
      + broadcast_forticlient_discovery            = (known after apply)
      + broadcast_forward                          = (known after apply)
      + captive_portal                             = (known after apply)
      + cli_conn_status                            = (known after apply)
      + color                                      = (known after apply)
      + dedicated_to                               = (known after apply)
      + defaultgw                                  = (known after apply)
      + detected_peer_mtu                          = (known after apply)
      + detectprotocol                             = (known after apply)
      + detectserver                               = (known after apply)
      + device_access_list                         = (known after apply)
      + device_identification                      = (known after apply)
      + device_identification_active_scan          = (known after apply)
      + device_netscan                             = (known after apply)
      + device_user_identification                 = (known after apply)
      + devindex                                   = (known after apply)
      + dhcp_client_identifier                     = (known after apply)
      + dhcp_relay_agent_option                    = (known after apply)
      + dhcp_relay_ip                              = (known after apply)
      + dhcp_relay_service                         = (known after apply)
      + dhcp_relay_type                            = (known after apply)
      + dhcp_renew_time                            = (known after apply)
      + disc_retry_timeout                         = (known after apply)
      + disconnect_threshold                       = (known after apply)
      + distance                                   = (known after apply)
      + dns_server_override                        = (known after apply)
      + drop_fragment                              = (known after apply)
      + drop_overlapped_fragment                   = (known after apply)
      + egress_shaping_profile                     = (known after apply)
      + endpoint_compliance                        = (known after apply)
      + estimated_downstream_bandwidth             = (known after apply)
      + estimated_upstream_bandwidth               = (known after apply)
      + explicit_ftp_proxy                         = (known after apply)
      + explicit_web_proxy                         = (known after apply)
      + external                                   = (known after apply)
      + fail_action_on_extender                    = (known after apply)
      + fail_alert_method                          = (known after apply)
      + fail_detect                                = (known after apply)
      + fail_detect_option                         = (known after apply)
      + fortiheartbeat                             = (known after apply)
      + fortilink                                  = (known after apply)
      + fortilink_backup_link                      = (known after apply)
      + fortilink_split_interface                  = (known after apply)
      + fortilink_stacking                         = (known after apply)
      + forward_domain                             = (known after apply)
      + gwdetect                                   = (known after apply)
      + ha_priority                                = (known after apply)
      + icmp_accept_redirect                       = (known after apply)
      + icmp_send_redirect                         = (known after apply)
      + id                                         = (known after apply)
      + ident_accept                               = (known after apply)
      + idle_timeout                               = (known after apply)
      + inbandwidth                                = (known after apply)
      + ingress_spillover_threshold                = (known after apply)
      + interface                                  = "port3"
      + internal                                   = (known after apply)
      + ip                                         = "10.10.10.2 255.255.255.255"
      + ipmac                                      = (known after apply)
      + ips_sniffer_mode                           = (known after apply)
      + ipunnumbered                               = (known after apply)
      + l2forward                                  = (known after apply)
      + lacp_ha_slave                              = (known after apply)
      + lacp_mode                                  = (known after apply)
      + lacp_speed                                 = (known after apply)
      + lcp_echo_interval                          = (known after apply)
      + lcp_max_echo_fails                         = (known after apply)
      + link_up_delay                              = (known after apply)
      + lldp_network_policy                        = (known after apply)
      + lldp_reception                             = (known after apply)
      + lldp_transmission                          = (known after apply)
      + macaddr                                    = (known after apply)
      + management_ip                              = (known after apply)
      + min_links                                  = (known after apply)
      + min_links_down                             = (known after apply)
      + mode                                       = (known after apply)
      + mtu                                        = (known after apply)
      + mtu_override                               = (known after apply)
      + name                                       = "ewwe"
      + ndiscforward                               = (known after apply)
      + netbios_forward                            = (known after apply)
      + netflow_sampler                            = (known after apply)
      + outbandwidth                               = (known after apply)
      + padt_retry_timeout                         = (known after apply)
      + ping_serv_status                           = (known after apply)
      + polling_interval                           = (known after apply)
      + pppoe_unnumbered_negotiate                 = (known after apply)
      + pptp_auth_type                             = (known after apply)
      + pptp_client                                = (known after apply)
      + pptp_server_ip                             = (known after apply)
      + pptp_timeout                               = (known after apply)
      + pptp_user                                  = (known after apply)
      + preserve_session_route                     = (known after apply)
      + priority                                   = (known after apply)
      + priority_override                          = (known after apply)
      + proxy_captive_portal                       = (known after apply)
      + redundant_interface                        = (known after apply)
      + remote_ip                                  = "172.22.1.30 255.255.255.255"
      + replacemsg_override_group                  = (known after apply)
      + role                                       = (known after apply)
      + sample_direction                           = (known after apply)
      + sample_rate                                = (known after apply)
      + scan_botnet_connections                    = (known after apply)
      + secondary_ip                               = (known after apply)
      + security_exempt_list                       = (known after apply)
      + security_external_logout                   = (known after apply)
      + security_external_web                      = (known after apply)
      + security_mac_auth_bypass                   = (known after apply)
      + security_mode                              = (known after apply)
      + security_redirect_url                      = (known after apply)
      + service_name                               = (known after apply)
      + sflow_sampler                              = (known after apply)
      + snmp_index                                 = (known after apply)
      + speed                                      = (known after apply)
      + spillover_threshold                        = (known after apply)
      + src_check                                  = (known after apply)
      + status                                     = (known after apply)
      + stpforward                                 = (known after apply)
      + stpforward_mode                            = (known after apply)
      + subst                                      = (known after apply)
      + substitute_dst_mac                         = (known after apply)
      + switch                                     = (known after apply)
      + switch_controller_access_vlan              = (known after apply)
      + switch_controller_arp_inspection           = (known after apply)
      + switch_controller_dhcp_snooping            = (known after apply)
      + switch_controller_dhcp_snooping_option82   = (known after apply)
      + switch_controller_dhcp_snooping_verify_mac = (known after apply)
      + switch_controller_igmp_snooping            = (known after apply)
      + switch_controller_learning_limit           = (known after apply)
      + switch_controller_traffic_policy           = (known after apply)
      + tcp_mss                                    = 1350
      + trust_ip6_1                                = (known after apply)
      + trust_ip6_2                                = (known after apply)
      + trust_ip6_3                                = (known after apply)
      + trust_ip_1                                 = (known after apply)
      + trust_ip_2                                 = (known after apply)
      + trust_ip_3                                 = (known after apply)
      + type                                       = (known after apply)
      + username                                   = (known after apply)
      + vdom                                       = "root"
      + vindex                                     = (known after apply)
      + vlanforward                                = (known after apply)
      + vlanid                                     = (known after apply)
      + vrf                                        = (known after apply)
      + vrrp_virtual_mac                           = (known after apply)
      + wccp                                       = (known after apply)
      + weight                                     = (known after apply)
      + wins_ip                                    = (known after apply)
    }

  # fortios_vpnipsec_phase1interface.trname1 will be created
  + resource "fortios_vpnipsec_phase1interface" "trname1" {
      + acct_verify               = "disable"
      + add_gw_route              = "disable"
      + add_route                 = "enable"
      + assign_ip                 = "enable"
      + assign_ip_from            = "range"
      + authmethod                = "psk"
      + authmethod_remote         = (known after apply)
      + authusr                   = (known after apply)
      + authusrgrp                = (known after apply)
      + auto_discovery_forwarder  = "disable"
      + auto_discovery_psk        = "disable"
      + auto_discovery_receiver   = "disable"
      + auto_discovery_sender     = "disable"
      + auto_negotiate            = "enable"
      + cert_id_validation        = "enable"
      + childless_ike             = "disable"
      + client_auto_negotiate     = "disable"
      + client_keep_alive         = "disable"
      + comments                  = "VPN: ewwe (Created by VPN wizard)"
      + default_gw                = "0.0.0.0"
      + default_gw_priority       = 0
      + dhgrp                     = "14 5"
      + digital_signature_auth    = "disable"
      + distance                  = 15
      + dns_mode                  = "manual"
      + domain                    = (known after apply)
      + dpd                       = "on-demand"
      + dpd_retrycount            = 3
      + dpd_retryinterval         = "20"
      + eap                       = "disable"
      + eap_identity              = "use-id-payload"
      + encap_local_gw4           = "0.0.0.0"
      + encap_local_gw6           = "::"
      + encap_remote_gw4          = "0.0.0.0"
      + encap_remote_gw6          = "::"
      + encapsulation             = "none"
      + encapsulation_address     = "ike"
      + enforce_unique_id         = "disable"
      + exchange_interface_ip     = "disable"
      + exchange_ip_addr4         = "0.0.0.0"
      + exchange_ip_addr6         = "::"
      + forticlient_enforcement   = "disable"
      + fragmentation             = "enable"
      + fragmentation_mtu         = 1200
      + group_authentication      = "disable"
      + ha_sync_esp_seqno         = "enable"
      + id                        = (known after apply)
      + idle_timeout              = "disable"
      + idle_timeoutinterval      = 15
      + ike_version               = "1"
      + include_local_lan         = "disable"
      + interface                 = "port3"
      + ip_version                = "4"
      + ipv4_dns_server1          = "0.0.0.0"
      + ipv4_dns_server2          = "0.0.0.0"
      + ipv4_dns_server3          = "0.0.0.0"
      + ipv4_end_ip               = "0.0.0.0"
      + ipv4_name                 = (known after apply)
      + ipv4_netmask              = "255.255.255.255"
      + ipv4_split_exclude        = (known after apply)
      + ipv4_split_include        = (known after apply)
      + ipv4_start_ip             = "0.0.0.0"
      + ipv4_wins_server1         = "0.0.0.0"
      + ipv4_wins_server2         = "0.0.0.0"
      + ipv6_dns_server1          = "::"
      + ipv6_dns_server2          = "::"
      + ipv6_dns_server3          = "::"
      + ipv6_end_ip               = "::"
      + ipv6_name                 = (known after apply)
      + ipv6_prefix               = 128
      + ipv6_split_exclude        = (known after apply)
      + ipv6_split_include        = (known after apply)
      + ipv6_start_ip             = "::"
      + keepalive                 = 10
      + keylife                   = 86400
      + local_gw                  = "0.0.0.0"
      + local_gw6                 = "::"
      + localid                   = (known after apply)
      + localid_type              = "auto"
      + mesh_selector_type        = "disable"
      + mode                      = "main"
      + mode_cfg                  = "disable"
      + monitor                   = (known after apply)
      + monitor_hold_down_delay   = 0
      + monitor_hold_down_time    = "00:00"
      + monitor_hold_down_type    = "immediate"
      + monitor_hold_down_weekday = "sunday"
      + name                      = "ewwe"
      + nattraversal              = "enable"
      + negotiate_timeout         = 30
      + net_device                = "enable"
      + passive_mode              = "disable"
      + peer                      = (known after apply)
      + peergrp                   = (known after apply)
      + peerid                    = (known after apply)
      + peertype                  = "any"
      + ppk                       = "disable"
      + ppk_identity              = (known after apply)
      + priority                  = 0
      + proposal                  = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1"
      + psksecret                 = (sensitive value)
      + reauth                    = "disable"
      + rekey                     = "enable"
      + remote_gw                 = "1.1.1.1"
      + remote_gw6                = "::"
      + remotegw_ddns             = (known after apply)
      + rsa_signature_format      = "pkcs1"
      + save_password             = "disable"
      + send_cert_chain           = "enable"
      + signature_hash_alg        = "sha2-512 sha2-384 sha2-256 sha1"
      + split_include_service     = (known after apply)
      + suite_b                   = "disable"
      + tunnel_search             = "selectors"
      + type                      = "static"
      + unity_support             = "enable"
      + usrgrp                    = (known after apply)
      + vni                       = (known after apply)
      + wizard_type               = "static-fortigate"
      + xauthtype                 = "disable"
    }

  # fortios_vpnipsec_phase2interface.trname2 will be created
  + resource "fortios_vpnipsec_phase2interface" "trname2" {
      + add_route                = "phase1"
      + auto_discovery_forwarder = "phase1"
      + auto_discovery_sender    = "phase1"
      + auto_negotiate           = "disable"
      + comments                 = "VPN: ewwe (Created by VPN wizard)"
      + dhcp_ipsec               = "disable"
      + dhgrp                    = "14 5"
      + dst_addr_type            = "name"
      + dst_end_ip               = "0.0.0.0"
      + dst_end_ip6              = "::"
      + dst_name                 = "ewwe_remote"
      + dst_name6                = (known after apply)
      + dst_port                 = 0
      + dst_start_ip             = "0.0.0.0"
      + dst_start_ip6            = "::"
      + dst_subnet               = "0.0.0.0 0.0.0.0"
      + dst_subnet6              = "::/0"
      + encapsulation            = "tunnel-mode"
      + id                       = (known after apply)
      + keepalive                = "disable"
      + keylife_type             = "seconds"
      + keylifekbs               = 5120
      + keylifeseconds           = 43200
      + l2tp                     = "disable"
      + name                     = "ewwe"
      + pfs                      = "enable"
      + phase1name               = "ewwe"
      + proposal                 = "aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305"
      + protocol                 = 0
      + replay                   = "enable"
      + route_overlap            = "use-new"
      + single_source            = "disable"
      + src_addr_type            = "name"
      + src_end_ip               = "0.0.0.0"
      + src_end_ip6              = "::"
      + src_name                 = "ewwe_local"
      + src_name6                = (known after apply)
      + src_port                 = 0
      + src_start_ip             = "0.0.0.0"
      + src_start_ip6            = "::"
      + src_subnet               = "0.0.0.0 0.0.0.0"
      + src_subnet6              = "::/0"
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

fortios_vpnipsec_phase1interface.trname1: Creating...
fortios_vpnipsec_phase1interface.trname1: Creation complete after 0s [id=ewwe]
fortios_vpnipsec_phase2interface.trname2: Creating...
fortios_vpnipsec_phase2interface.trname2: Creation complete after 0s [id=ewwe]
fortios_system_interface.trname3: Creating...
fortios_system_interface.trname3: Creation complete after 0s [id=ewwe]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

We can find that the configuration of the interface automatically created by VPN has been set according to the configuration of terraform:

[screenshot of the FortiGate interface configuration, not reproduced here]

Thanks!

farroar commented 3 years ago

Great, this will work. Appreciate the quick turnaround!