terraform-provider-fortios

Unable to set/get api_key with fortios_system_apiuser

Open freakinhippie opened this issue 4 years ago • 4 comments

Firmware: FortiOS v6.4.4 build1803 (GA)
Provider: fortinet/fortios/1.10.2
Terraform: 0.14.6

When using the fortios_system_apiuser resource and attempting to pass in an api_key, the resource returns the following error:

Error: Error creating SystemApiUser resource: Internal Server Error - Internal error when processing the request (500)

After doing some digging I found that the api key cannot be set directly via the command line, but instead can be generated via the following cli:

execute api-user generate-key <user>

Is the fortios_system_apiuser resource intended to actually allow assigning an api key? If not, is there a workaround to set the api key via terraform?

freakinhippie avatar Feb 15 '21 16:02 freakinhippie

Hi @freakinhippie, thanks for raising this issue. According to FortiOS regulations, the API-KEY will only be displayed once when it is generated, and it needs to be saved for later use, and then the token (API-KEY) cannot be read or set at any other time; it can only be regenerated. Currently FortiOS does not allow the token to be set, but it is unclear whether it will be in the future. Generally, we use GUI -> Regenerate API Key or CLI -> execute api-user generate-key to manually generate the api-key. But you can use the following method to dynamically generate an API key in Terraform, for example:

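# Changing this value forces Terraform to recreate the resource below,
# which requests a new API key.
variable "randomval" {
  type        = string
  default     = "aceq11"
  description = "description"
}

# POST to the FortiOS monitor API to generate a key for API user "111".
resource "fortios_json_generic_api" "apikey" {
  path           = "/api/v2/monitor/system/api-user/generate-key"
  method         = "POST"
  force_recreate = var.randomval
  json = jsonencode({
    api-user = "111"
  })
}

# The generated token is returned in the API response.
output "newkey" {
  value = jsondecode(fortios_json_generic_api.apikey.response)["results"]["access_token"]
}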

Note: Every time a new token needs to be generated, a new value must be assigned to force_recreate first so that Terraform can perform the force-new function. If you are interested in more details, quite a bit of discussion is provided here: #135 (Thanks to @poroping for his wonderful idea on this) and https://github.com/fortinetdev/terraform-provider-fortios/issues/135#issuecomment-775981511. Thanks!

frankshen01 avatar Feb 15 '21 17:02 frankshen01
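
One way to automate the rotation described above, as an added example that is not part of the original thread or the provider's own code: it replaces the manually edited randomval with the hashicorp/time provider's time_rotating resource and marks the output as sensitive. The api_user variable and the 30-day period are assumptions, and the fortios provider is assumed to be configured elsewhere.

```hcl
terraform {
  required_providers {
    fortios = { source = "fortinet/fortios" }
    time    = { source = "hashicorp/time" }
  }
}

# Assumption: name of an API user that already exists on the FortiGate.
variable "api_user" {
  type = string
}

# Assumption: a 30-day key lifetime. Once it has elapsed, the next plan
# shows this resource being replaced, which changes its id.
resource "time_rotating" "apikey" {
  rotation_days = 30
}

resource "fortios_json_generic_api" "apikey" {
  path   = "/api/v2/monitor/system/api-user/generate-key"
  method = "POST"

  # A new timestamp here changes force_recreate, so Terraform recreates
  # this resource and FortiOS issues a fresh key.
  force_recreate = time_rotating.apikey.id

  json = jsonencode({
    "api-user" = var.api_user
  })
}

# sensitive = true keeps the token out of plan/apply console output.
# It is still written in clear text to the state file, so the state
# backend needs encryption and restricted access.
output "newkey" {
  value     = jsondecode(fortios_json_generic_api.apikey.response)["results"]["access_token"]
  sensitive = true
}
```

Because the key is shown only once by FortiOS, the state file and this output are the only copies; consumers should read it from there and store it in a secrets manager.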

@frankshen01, thank you for the work-around!

freakinhippie avatar Feb 15 '21 19:02 freakinhippie

Can you simply use taint to recreate? terraform taint fortios_json_generic_api.apikey

so-jelly avatar Feb 16 '21 13:02 so-jelly

> Can you simply use taint to recreate? terraform taint fortios_json_generic_api.apikey

For manual and static Terraform configuration, taint is a good option (such as the discussion of some limitations of taint in #135 and #131); for the programmable and dynamically generated Terraform configuration environment, force_recreate is a more efficient method. Thank you for your suggestions. They are all invaluable.

frankshen01 avatar Feb 24 '21 14:02 frankshen01