terraform-provider-fortios
Cannot set match_ip_address in fortios_router_routemap
To replicate run the following twice:
resource "fortios_router_routemap" "RM_LOOPBACK_UNDERLAY" {
  name = "RM_LOOPBACK_UNDERLAY"
  rule {
    id = 1
    action = "permit"
    match_ip_address = fortios_router_prefixlist.PL_LOOPBACK_UNDERLAY.name
  }
  rule {
    id = 2
    action = "deny"
  }
}
resource "fortios_router_prefixlist" "PL_LOOPBACK_UNDERLAY" {
  name = "PL_LOOPBACK_UNDERLAY"
  rule {
    id = 1
    action = "permit"
    prefix = "172.16.234.0 255.255.255.0"
    le = "32"
  }
}
Result on second run:
~ resource "fortios_router_routemap" "RM_LOOPBACK_UNDERLAY" {
id = "RM_LOOPBACK_UNDERLAY"
name = "RM_LOOPBACK_UNDERLAY"
~ rule {
action = "permit"
id = 1
match_community_exact = "disable"
match_flags = 0
+ match_ip_address = "PL_LOOPBACK_UNDERLAY"
match_metric = 0
@MilesTails, Thanks for the issue. I tested it on 6.2.0/6.2.4/6.2.6/6.4.0/6.4.2 and it should be a bug of FortiAPI for FortiOS 6.2. The API bug has been fixed in FortiOS 6.4. For 6.2, can you please use the following workaround to complete your case:
# cat maintst.tf
provider "fortios" {
  hostname = "192.168.52.177"
  insecure = "true"
  token = "rGqsgj9Qmh3dwfQdc8hd3t3G6xG3N5"
}
resource "fortios_router_routemap" "RM_LOOPBACK_UNDERLAY" {
  name = "RM_LOOPBACK_UNDERLAY"
  rule {
    id = 1
    action = "permit"
    match_ip_address = fortios_router_prefixlist.PL_LOOPBACK_UNDERLAY.name
  }
  rule {
    id = 2
    action = "deny"
  }
}
resource "fortios_router_prefixlist" "PL_LOOPBACK_UNDERLAY" {
  name = "PL_LOOPBACK_UNDERLAY"
  rule {
    id = 1
    action = "permit"
    prefix = "172.16.234.0 255.255.255.0"
    le = "32"
  }
}
resource "fortios_system_autoscript" "trname1" {
  interval = 1
  name = join("_", [fortios_router_routemap.RM_LOOPBACK_UNDERLAY.name, "script"])
  output_size = 10
  repeat = 1
  script = <<EOF
config router route-map
edit ${fortios_router_routemap.RM_LOOPBACK_UNDERLAY.name}
config rule
edit 1
set match-ip-address ${fortios_router_prefixlist.PL_LOOPBACK_UNDERLAY.name}
end
end
end
end
EOF
  start = "auto"
}
# terraform apply
----
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# fortios_router_prefixlist.PL_LOOPBACK_UNDERLAY will be created
+ resource "fortios_router_prefixlist" "PL_LOOPBACK_UNDERLAY" {
+ comments = (known after apply)
+ id = (known after apply)
+ name = "PL_LOOPBACK_UNDERLAY"
+ rule {
+ action = "permit"
+ flags = (known after apply)
+ ge = (known after apply)
+ id = 1
+ le = 32
+ prefix = "172.16.234.0 255.255.255.0"
}
}
# fortios_router_routemap.RM_LOOPBACK_UNDERLAY will be created
+ resource "fortios_router_routemap" "RM_LOOPBACK_UNDERLAY" {
+ comments = (known after apply)
+ id = (known after apply)
+ name = "RM_LOOPBACK_UNDERLAY"
+ rule {
+ action = "permit"
+ id = 1
+ match_as_path = (known after apply)
+ match_community = (known after apply)
+ match_community_exact = (known after apply)
+ match_flags = (known after apply)
+ match_interface = (known after apply)
+ match_ip6_address = (known after apply)
+ match_ip6_nexthop = (known after apply)
+ match_ip_address = "PL_LOOPBACK_UNDERLAY"
+ match_ip_nexthop = (known after apply)
+ match_metric = (known after apply)
+ match_origin = (known after apply)
+ match_route_type = (known after apply)
+ match_tag = (known after apply)
+ set_aggregator_as = (known after apply)
+ set_aggregator_ip = (known after apply)
+ set_aspath_action = (known after apply)
+ set_atomic_aggregate = (known after apply)
+ set_community_additive = (known after apply)
+ set_community_delete = (known after apply)
+ set_dampening_max_suppress = (known after apply)
+ set_dampening_reachability_half_life = (known after apply)
+ set_dampening_reuse = (known after apply)
+ set_dampening_suppress = (known after apply)
+ set_dampening_unreachability_half_life = (known after apply)
+ set_flags = (known after apply)
+ set_ip6_nexthop = (known after apply)
+ set_ip6_nexthop_local = (known after apply)
+ set_ip_nexthop = (known after apply)
+ set_local_preference = (known after apply)
+ set_metric = (known after apply)
+ set_metric_type = (known after apply)
+ set_origin = (known after apply)
+ set_originator_id = (known after apply)
+ set_route_tag = (known after apply)
+ set_tag = (known after apply)
+ set_weight = (known after apply)
}
+ rule {
+ action = "deny"
+ id = 2
+ match_as_path = (known after apply)
+ match_community = (known after apply)
+ match_community_exact = (known after apply)
+ match_flags = (known after apply)
+ match_interface = (known after apply)
+ match_ip6_address = (known after apply)
+ match_ip6_nexthop = (known after apply)
+ match_ip_address = (known after apply)
+ match_ip_nexthop = (known after apply)
+ match_metric = (known after apply)
+ match_origin = (known after apply)
+ match_route_type = (known after apply)
+ match_tag = (known after apply)
+ set_aggregator_as = (known after apply)
+ set_aggregator_ip = (known after apply)
+ set_aspath_action = (known after apply)
+ set_atomic_aggregate = (known after apply)
+ set_community_additive = (known after apply)
+ set_community_delete = (known after apply)
+ set_dampening_max_suppress = (known after apply)
+ set_dampening_reachability_half_life = (known after apply)
+ set_dampening_reuse = (known after apply)
+ set_dampening_suppress = (known after apply)
+ set_dampening_unreachability_half_life = (known after apply)
+ set_flags = (known after apply)
+ set_ip6_nexthop = (known after apply)
+ set_ip6_nexthop_local = (known after apply)
+ set_ip_nexthop = (known after apply)
+ set_local_preference = (known after apply)
+ set_metric = (known after apply)
+ set_metric_type = (known after apply)
+ set_origin = (known after apply)
+ set_originator_id = (known after apply)
+ set_route_tag = (known after apply)
+ set_tag = (known after apply)
+ set_weight = (known after apply)
}
}
# fortios_system_autoscript.trname1 will be created
+ resource "fortios_system_autoscript" "trname1" {
+ id = (known after apply)
+ interval = 1
+ name = "RM_LOOPBACK_UNDERLAY_script"
+ output_size = 10
+ repeat = 1
+ script = <<~EOT
config router route-map
edit RM_LOOPBACK_UNDERLAY
config rule
edit 1
set match-ip-address PL_LOOPBACK_UNDERLAY
end
end
end
end
EOT
+ start = "auto"
}
Plan: 3 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
fortios_router_prefixlist.PL_LOOPBACK_UNDERLAY: Creating...
fortios_router_prefixlist.PL_LOOPBACK_UNDERLAY: Creation complete after 0s [id=PL_LOOPBACK_UNDERLAY]
fortios_router_routemap.RM_LOOPBACK_UNDERLAY: Creating...
fortios_router_routemap.RM_LOOPBACK_UNDERLAY: Creation complete after 0s [id=RM_LOOPBACK_UNDERLAY]
fortios_system_autoscript.trname1: Creating...
fortios_system_autoscript.trname1: Creation complete after 0s [id=RM_LOOPBACK_UNDERLAY_script]
Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
# terraform plan
----
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
fortios_router_prefixlist.PL_LOOPBACK_UNDERLAY: Refreshing state... [id=PL_LOOPBACK_UNDERLAY]
fortios_router_routemap.RM_LOOPBACK_UNDERLAY: Refreshing state... [id=RM_LOOPBACK_UNDERLAY]
fortios_system_autoscript.trname1: Refreshing state... [id=RM_LOOPBACK_UNDERLAY_script]
------------------------------------------------------------------------
No changes. Infrastructure is up-to-date.
This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.
root@sv:/work/zamba/03a-fos-gen-6.2.0only/03Terraform/bin#
validation:
mytestFortiGate (route-map) # show
config router route-map
edit "RM_LOOPBACK_UNDERLAY"
config rule
edit 1
set match-ip-address "PL_LOOPBACK_UNDERLAY"
next
edit 2
set action deny
next
end
next
end
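Added example (not part of the thread or the provider's code): because `terraform plan` can report "No changes" regardless of what the device holds, this parses captured `show` output like the validation step above and reports rules whose `match-ip-address` differs from what the Terraform config intends. The function names and the `RM_EXAMPLE_BROKEN` entry are hypothetical; the sample text is constructed from the output shown in the thread.

```python
# Constructed sample: thread's validation output plus a made-up broken route-map.
SAMPLE_SHOW = """\
config router route-map
    edit "RM_LOOPBACK_UNDERLAY"
        config rule
            edit 1
                set match-ip-address "PL_LOOPBACK_UNDERLAY"
            next
            edit 2
                set action deny
            next
        end
    next
    edit "RM_EXAMPLE_BROKEN"
        config rule
            edit 1
            next
        end
    next
end
"""

def parse_route_maps(show_output):
    """Return {route_map: {rule_id: {setting: value}}} from CLI `show` text."""
    maps, cur_map, cur_rule, in_rules = {}, None, None, False
    for raw in show_output.splitlines():
        line = raw.strip()
        if line == "config rule":
            in_rules = True
        elif line == "end":
            in_rules, cur_rule = False, None
        elif line.startswith("edit "):
            name = line[5:].strip().strip('"')
            if in_rules:
                cur_rule = int(name)          # rule ids are integers
                maps[cur_map][cur_rule] = {}
            else:
                cur_map = name                # route-map names are quoted strings
                maps[cur_map] = {}
        elif line.startswith("set ") and in_rules and cur_rule is not None:
            key, _, value = line[4:].partition(" ")
            maps[cur_map][cur_rule][key] = value.strip().strip('"')
    return maps

def missing_matches(maps, expected):
    """Return (route_map, rule_id, actual) for rules not matching `expected`."""
    actual = lambda rm, rid: maps.get(rm, {}).get(rid, {}).get("match-ip-address")
    return [(rm, rid, actual(rm, rid)) for (rm, rid), want in expected.items()
            if actual(rm, rid) != want]
```

Pass `missing_matches` a dict keyed by `(route_map, rule_id)` with the intended prefix-list name as the value; an empty list means the device agrees with the config.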
Wow amazing thank you. Does the provider fully support 6.4?
I think we will be on 6.2 for quite some time.
Hi @MilesTails, the current version of the provider contains most of the parameters of 6.4. The Beta of the provider that fully supports 6.0, 6.2, 6.4 and 6.6 has been completed (https://github.com/frankshen-beta/terraform-provider-fortios-beta). It will be merged into the current provider after it has been continuously evaluated for a period of time. Thank you!
Hi @frankshen01
I'm testing the beta but I don't see the datasource fortios_json_generic_api there.
Would it be possible to include it in the beta repo?
@mbdraks, thank you for raising this. The beta version will be merged into the current repo and released (1.9.0) within 1-2 weeks. Do I still need to add fortios_json_generic_api to the beta repo? If you need this feature urgently, I will add this to the beta version this week. Thank you!
I can wait, no problem!
Status Update ~ support FortiOS 6.0 6.2 6.4 6.6: https://registry.terraform.io/providers/fortinetdev/fortios/latest (v1.10.0). Thank you!
@frankshen01 I'm running 6.2.6 and hitting this bug when trying to set LE and GE in prefix lists. Do you know the bug ID so I can get my SE to check if an interim build is available that resolves this? 6.4.x is not available for our setup, unfortunately.
Hi @poroping, thanks for raising the question. We are contacting the responsible team. We will get back to you as soon as we receive feedback from them. Thanks!
Thanks for checking this, @poroping, and sorry it still has not been fixed by the API team. I don't have their internal BUG ID for the problem. But we have reported the bug to the API team with BUG ID: 0713815. Thank you!