terraform-provider-fortios
Can't update Admin user fortios_system_admin
Running the following versions:
Terraform v1.1.9
on darwin_arm64
+ provider registry.terraform.io/fortinetdev/fortios v1.16.0
+ provider registry.terraform.io/hashicorp/local v2.2.3
And on the FortiGate:
Version: FortiGate-VM64-AWS v6.4.9,build1966,220421 (GA)
I can create this resource just fine:
resource "fortios_system_admin" "admin_user_test" {
  accprofile = "super_admin"
  name       = "test_user"
  password   = "IAmATestPassword123!#!"
  comments   = "test user"
  vdom {
    name = "root"
  }
}
When I apply, this is what I see on the FortiGate:
# show system admin test_user
config system admin
    edit "test_user"
        set accprofile "super_admin"
        set comments "test user"
        set vdom "root"
        set password ENC SH2nOLYopqgANigXPmvvhPW2lyDrgEY4lqKI6b1Lp25nBcW0wCcsTH3yEt2jgw=
    next
end
However, if I change any attribute in the resource, I cannot update it. Here, I am just updating the comment as a simple example.
Terraform will perform the following actions:
  # module.system.fortios_system_admin.admin_user_test will be updated in-place
  ~ resource "fortios_system_admin" "admin_user_test" {
      ~ comments = "test user" -> "test user1"
        id = "test_user"
        name = "test_user"
        # (35 unchanged attributes hidden)
        # (1 unchanged block hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.
When I apply, I get this error:
module.system.fortios_system_admin.admin_user_test: Modifying... [id=test_user]
╷
│ Error: Error updating SystemAdmin resource: Forbidden - Request is missing CSRF token or administrator is missing access profile permissions (403)
│
│ with module.system.fortios_system_admin.admin_user_test,
│ on ../../modules/system/administrators.tf line 64, in resource "fortios_system_admin" "admin_user_test":
│ 64: resource "fortios_system_admin" "admin_user_test" {
│
╵
Releasing state lock. This may take a few moments...
And on a debug of httpsd I see this, even though I'm not updating the password:
[httpsd 5851 - 1666121776 error] _api_cmdb_v2_config[1249] -- Modification of the 'password' field of system.admin is forbidden.
Full debug of the apply here:
[httpsd 5851 - 1666121776 critical] fweb_error_log[241] -- AH01964: Connection to child 6 established (server Fortigate:7000)
[httpsd 5851 - 1666121776 info] fweb_debug_init[356] -- New GET request for "/api/v2/cmdb/system/global" from "1.1.1.15:61834"
[httpsd 5851 - 1666121776 info] fweb_debug_init[357] -- User-Agent: "Go-http-client/1.1"
[httpsd 5851 - 1666121776 info] fweb_debug_init[359] -- Handler "api_cmdb_v2-handler" assigned to request
[httpsd 5851 - 1666121776 warning] api_access_check_for_api_key[955] -- API Key request authorized for tf_admin from 1.1.1.15.
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'access_token' (type=string)
[httpsd 5851 - 1666121776 info] handle_cli_req_v2_vdom[2402] -- new CMDB API request (vdom='root',user='tf_admin')
[httpsd 5851 - 1666121776 info] api_cmdb_request_init_by_path[1566] -- new CMDB query (path='system',name='global')
[httpsd 5851 - 1666121776 info] fweb_debug_final[261] -- Completed GET request for "/api/v2/cmdb/system/global" (HTTP 200 OK)
[httpsd 5851 - 1666121776 info] fweb_debug_init[356] -- New PUT request for "/api/v2/cmdb/system/admin/test_user" from "1.1.1.15:61834"
[httpsd 5851 - 1666121776 info] fweb_debug_init[357] -- User-Agent: "Go-http-client/1.1"
[httpsd 5851 - 1666121776 info] fweb_debug_init[359] -- Handler "api_cmdb_v2-handler" assigned to request
[httpsd 5851 - 1666121776 warning] api_access_check_for_api_key[955] -- API Key request authorized for tf_admin from 1.1.1.15.
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'access_token' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'accprofile' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'accprofile-override' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'allow-remove-admin-session' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'comments' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'force-password-change' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'guest-auth' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'hidden' (type=int)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'ip6-trusthost1' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'ip6-trusthost10' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'ip6-trusthost2' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'ip6-trusthost3' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'ip6-trusthost4' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'ip6-trusthost5' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'ip6-trusthost6' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'ip6-trusthost7' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'ip6-trusthost8' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'ip6-trusthost9' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'name' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'password' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'password-expire' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'peer-auth' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'radius-vdom-override' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'remote-auth' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'sms-server' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'trusthost1' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'trusthost10' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'trusthost2' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'trusthost3' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'trusthost4' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'trusthost5' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'trusthost6' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'trusthost7' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'trusthost8' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'trusthost9' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'two-factor' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'vdom' (type=array)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'wildcard' (type=string)
[httpsd 5851 - 1666121776 info] handle_cli_req_v2_vdom[2402] -- new CMDB API request (vdom='root',user='tf_admin')
[httpsd 5851 - 1666121776 info] api_cmdb_request_init_by_path[1566] -- new CMDB query (path='system',name='admin')
[httpsd 5851 - 1666121776 info] api_cmdb_request_init_by_path[1595] -- querying CMDB entry (mkey='test_user')
[httpsd 5851 - 1666121776 info] _api_cmdb_v2_config[1238] -- editing CLI object (append=0, auto_key=0, path=system, name=admin, mkey=test_user, flags=0)
[httpsd 5851 - 1666121776 error] _api_cmdb_v2_config[1249] -- Modification of the 'password' field of system.admin is forbidden.
[httpsd 5851 - 1666121776 warning] api_return_http_result[751] -- API error 403 raised
[httpsd 5851 - 1666121776 info] fweb_debug_final[261] -- Completed PUT request for "/api/v2/cmdb/system/admin/test_user" (HTTP 403)
The only way to update an admin user is with the -replace flag:
terraform apply -replace module.system.fortios_system_admin.admin_user_test
Also, I want to note that the api-user has this set:
set accprofile "super_admin"
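For triage, the httpsd debug output quoted in the post can be reduced to one fact per failed request: which submitted field the device refused to modify. The Python sketch below is an added example, not part of the original issue or the provider's code; the sample log is constructed (shortened from the format shown in the post) and the function names are hypothetical.

```python
import re

# Constructed sample, shortened from the httpsd debug format quoted in the post.
SAMPLE_LOG = '''\
[httpsd 5851 - 1666121776 info] fweb_debug_init[356] -- New GET request for "/api/v2/cmdb/system/global" from "1.1.1.15:61834"
[httpsd 5851 - 1666121776 info] fweb_debug_final[261] -- Completed GET request for "/api/v2/cmdb/system/global" (HTTP 200 OK)
[httpsd 5851 - 1666121776 info] fweb_debug_init[356] -- New PUT request for "/api/v2/cmdb/system/admin/test_user" from "1.1.1.15:61834"
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'access_token' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'comments' (type=string)
[httpsd 5851 - 1666121776 info] api_store_parameter[248] -- add API parameter 'password' (type=string)
[httpsd 5851 - 1666121776 error] _api_cmdb_v2_config[1249] -- Modification of the 'password' field of system.admin is forbidden.
[httpsd 5851 - 1666121776 info] fweb_debug_final[261] -- Completed PUT request for "/api/v2/cmdb/system/admin/test_user" (HTTP 403)
'''

LINE = re.compile(r"^\[httpsd (\d+) - \d+ \w+\] \S+ -- (.*)$")  # worker PID, message
NEW = re.compile(r'^New (\w+) request for "([^"]+)"')
PARAM = re.compile(r"^add API parameter '([^']+)'")
DONE = re.compile(r'^Completed \w+ request for "[^"]+" \(HTTP (\d+)')
FORBIDDEN = re.compile(r"^Modification of the '([^']+)' field of \S+ is forbidden")

def parse_requests(text):
    """Group httpsd debug lines into one record per API request, keyed by worker PID."""
    open_reqs, finished = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m.groups()
        if (n := NEW.match(msg)):
            open_reqs[pid] = {"method": n[1], "path": n[2], "params": [],
                              "forbidden": [], "status": None}
            continue
        req = open_reqs.get(pid)
        if req is None:
            continue  # line belongs to a request whose start was not captured
        if (p := PARAM.match(msg)):
            req["params"].append(p[1])       # field name the client submitted
        elif (f := FORBIDDEN.match(msg)):
            req["forbidden"].append(f[1])    # field the device refused to modify
        elif (d := DONE.match(msg)):
            req["status"] = int(d[1])
            finished.append(open_reqs.pop(pid))
    return finished

def explain_rejections(text):
    """List failed requests with the submitted fields the device refused to modify."""
    return [(r["method"], r["path"], r["status"],
             [f for f in r["forbidden"] if f in r["params"]])
            for r in parse_requests(text) if r["status"] >= 400]
```

Run against the full debug capture, `explain_rejections` shows whether a 403 on an update came from a field the client sent without the configuration having changed it, as with `password` here.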
Hi @brucedewald,
Thank you for raising this issue. The team is working on this issue. We will fix it in the next release, and will get back to you once it's resolved.
Thanks, Xing
Hi @brucedewald, this issue has been fixed in Terraform FOS provider version 1.17.0, please check it out. I will go ahead and close it; if the issue still occurs, you are free to reopen it or open another case.