fortimgr_install installs on all devices instead of the "fortigate_name" param

[jcsicard]

When installing a policy_package with fortimgr_install, the "fortigate_name" parameter specifying the device on which to install the policy isn't respected and the Fortimanager actually pushes to all devices.

This seems to be because the Fortigate device specified with "fortigate_name" is passed as a list item for the "scope" parameter to the API endpoint (/securityconsole/install/package)

        args = dict(
            adom=adom,
            adom_rev_comments=module.params["adom_revision_comments"],
            adom_rev_name=module.params["adom_revision_name"],
            dev_rev_comments=module.params["fortigate_revision_comments"],
            flags=module.params["install_flags"],
            pkg=package,
            scope=[fortigate]
        )

The scope parameter, according to the API doc should be

scope object, refer to device object, or group object Target device or device group. "object member": [ { "name": "...", "vdom": "..." }, { "name": "..." }, ... ] When referencing to a device, the object should contain both "name" and "vdom". When referencing to other objects (ie. device groups), only the name attribute is used.

The API behaviour with the current format of the scope parameter seems to be to revert to push to all Fortigate devices.

(Tested on FortiManager 5.6.8)

[jmcgill298]

@jcsicard I have an update that uses a list of dictionaries; are you willing to test that for me?

[jcsicard]

Certainly. Was going to write and submit a patch myself but if you already have that done, great! Do you also handle the device list (name + vdom kv) vs device group list (name only)?

[jmcgill298]

I wrote it a couple of weeks ago, and I forget the exact implementation. I want to say I updated the current param to be transformed into:

- name: fortigate_name
- name: other_fortigate_name

[jcsicard]

Ok, I myself was going to add

• name: fortigate_install_devices (supporting a list of devices as targets)
• name: fortigate_install_device_groups
  and make does params incompatible with the check_install and dst_file (preview) modes as the api doesn't handle the same target parameters...

[jmcgill298]

I have created branch fw_vdom with my suggested edits; please feel free to suggest updates. I believe you could just pass {"name": device_group_name} for device groups, but not sure.