
provider tries to delete object group before updating firewall policy

Open · rijnier opened this issue 2 years ago · 1 comment

Hi,

I've noticed the provider trying to delete a referenced object group before updating the firewall policy, resulting in a 500 error from the API.

FortiOS: v7.2.5
fortinetdev/fortios: v1.18.0

1. Create a group and rule:

```hcl
resource "fortios_firewall_addrgrp" "dummy" {
  name = "terraform-dummy-group"

  member {
    name = "terraform-dummy"
  }
}

resource "fortios_firewall_policy" "this" {
  name       = "TEST_RULE"
  action     = "accept"
  schedule   = "always"
  utm_status = "enable"
  nat        = "disable"
  status     = "enable"

  srcintf {
    name = "SRC"
  }

  dstintf {
    name = "DST"
  }

  srcaddr {
    name = "terraform-dummy"
  }

  dstaddr {
    name = fortios_firewall_addrgrp.dummy.name
  }

  service {
    name = "PING"
  }
}
```
2. Remove the group and replace the dstaddr with a different address. At the next apply, Terraform will try to delete the group before updating the firewall rule:

```text
fortios_firewall_addrgrp.dummy: Destroying... [id=terraform-dummy]
╷
│ Error: Error deleting FirewallAddrgrp resource: Internal Server Error - Internal error when processing the request (500)
│ Cli response:
│ The entry is used by other 1 entries
│ Command fail. Return code -23
```

rijnier · Oct 11 '23 10:10

Hi @rijnier ,

Thank you for raising this question. We can set create_before_destroy = true to solve this problem, like:

```hcl
resource "fortios_firewall_address" "test2" {
  name     = "maxx_test"
  type     = "iprange"
  start_ip = "22.1.1.0"
  end_ip   = "255.255.255.1"
}

resource "fortios_firewall_addrgrp" "dummy" {
  name = "terraform-dummy-group"
  member {
    name = fortios_firewall_address.test2.name
  }
  depends_on = [fortios_firewall_address.test2]
}

resource "fortios_firewall_policy" "this" {
  name       = "TEST_RULE"
  action     = "accept"
  schedule   = "always"
  utm_status = "enable"
  nat        = "disable"
  status     = "enable"
  srcintf {
    name = "port2"
  }
  dstintf {
    name = "port2"
  }
  srcaddr {
    name = "all"
  }
  dstaddr {
    name = fortios_firewall_addrgrp.dummy.name  # -> "all"
  }
  service {
    name = "PING"
  }
  lifecycle {
    create_before_destroy = true
  }
  depends_on = [fortios_firewall_addrgrp.dummy]
}
```

In order to use the lifecycle function correctly, we need to insert this code before creating these objects. Let me know if that doesn't solve the problem.

Thanks, Maxx

MaxxLiu22 · Oct 17 '23 20:10
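As an added pre-apply check (not part of this issue or of the provider's code), the following Python reads the JSON form of a Terraform plan and flags the exact hazard reported above: an addrgrp scheduled for destruction that a surviving firewall policy still lists in the prior state of its srcaddr/dstaddr. The embedded plan excerpt is constructed to mirror step 2 of the report; the field layout (resource_changes, change.actions, change.before/after) is what terraform show -json emits.

```python
import json

# Constructed plan excerpt (not from the issue) mirroring step 2 above: the
# group is removed and the policy's dstaddr is switched to "all".
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "fortios_firewall_addrgrp.dummy",
         "type": "fortios_firewall_addrgrp",
         "change": {"actions": ["delete"],
                    "before": {"name": "terraform-dummy-group"},
                    "after": None}},
        {"address": "fortios_firewall_policy.this",
         "type": "fortios_firewall_policy",
         "change": {"actions": ["update"],
                    "before": {"name": "TEST_RULE",
                               "srcaddr": [{"name": "terraform-dummy"}],
                               "dstaddr": [{"name": "terraform-dummy-group"}]},
                    "after": {"name": "TEST_RULE",
                              "srcaddr": [{"name": "terraform-dummy"}],
                              "dstaddr": [{"name": "all"}]}}},
    ]
})

ADDR_FIELDS = ("srcaddr", "dstaddr")

def find_unsafe_group_deletes(plan_json: str) -> list:
    """Return sorted (group_name, policy_address) pairs for every addrgrp the
    plan destroys while a surviving policy's prior state still references it.
    Policies that are themselves destroyed are skipped (they go first)."""
    changes = json.loads(plan_json).get("resource_changes", [])
    doomed = {
        rc["change"]["before"]["name"]
        for rc in changes
        if rc["type"] == "fortios_firewall_addrgrp"
        and rc["change"]["actions"] == ["delete"]
    }
    hits = set()
    for rc in changes:
        if rc["type"] != "fortios_firewall_policy":
            continue
        if rc["change"]["actions"] == ["delete"]:
            continue  # dependent policy is removed before the group
        before = rc["change"].get("before") or {}
        for field in ADDR_FIELDS:
            for entry in before.get(field) or []:
                if entry.get("name") in doomed:
                    hits.add((entry["name"], rc["address"]))
    return sorted(hits)
```

On a real plan, pass the output of terraform show -json plan.out to find_unsafe_group_deletes() before applying; a non-empty result means the apply will hit the -23 "entry is used" error unless the ordering is fixed.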