
https://registry.terraform.io/providers/fortinetdev/fortios/latest/docs/resources/fortios_system_apiuser#api_key not working

Open agyss opened this issue 2 years ago • 2 comments

https://registry.terraform.io/providers/fortinetdev/fortios/latest/docs/resources/fortios_system_apiuser#api_key

does not seem to be working at all, meaning

```
terraform output api_token
```

does not return any value but fails with an error (output not found).

If I reference the API key in an output, like:

```hcl
resource "fortios_system_apiuser" "api_user" {
  name       = "api_user_test"
  accprofile = fortios_system_accprofile.api_user_access_profile.testProfile
  vdom {
    name = "root"
  }
}

output "api_token" {
  sensitive = true
  value     = fortios_system_apiuser.api_user.api_key
}
```

no output is generated and I can't access the value at all.

Changing it to

```hcl
resource "fortios_system_apiuser" "api_user" {
  name       = "api_user_test"
  accprofile = fortios_system_accprofile.api_user_access_profile.testProfile
  api_key    = "test234TestTesdT"

  vdom {
    name = "root"
  }
}
```

I get this error:

```
│ Error: Error updating SystemApiUser resource: Internal Server Error - Internal error when processing the request (500)
│ Cli response: 
│ node_check_object fail! for api-key *
│ 
│ value parse error before '*'
│ Command fail. Return code -37
│ 
│ 
│   with fortios_system_apiuser.api_user,
│   on primary_instance.tf line 182, in resource "fortios_system_apiuser" "api_user":
│  1: resource "fortios_system_apiuser" "api_user" {
```

However, in this case `terragrunt output api_token` would return a value - which, however, was not applied.

agyss avatar Dec 01 '23 15:12 agyss

According to this post in your forum, this functionality is not supported at all: https://community.fortinet.com/t5/Support-Forum/Error-enabling-token-based-authentication-for-REST-API/m-p/77740

Also according to this: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/399023/rest-api-administrator The functionality "set api-key ******" should be there. Unfortunately, it's nowhere said that only encrypted values from other systems are supported.

Luckily, this works: `execute api-user generate-key <API username>`

So this feature is supported; my workaround will be:

```hcl
data "external" "example" {
  program = ["bash", "path/to/script/generate/new_api_token.sh"]

  query = {
    # arbitrary map from strings to strings, passed
    # to the external program as the data query.
    username = "abc123"
    password = "def456"
    host     = "1.2.3.4"
  }
}
```

The script will do nothing other than generate a new API token every time Terraform is executed. Unfortunately, let's hope API access is never needed in different modules concurrently, as this approach will break the functionality.

agyss avatar Dec 01 '23 16:12 agyss

Hi @agyss ,

Thank you for raising this question. The argument `api_key` is not for the user to define; it can only be generated through `execute api-user generate-key <API username>`, which is kind of confusing, sorry about that. Here is a script to generate and get the token via Terraform; hope that is helpful for you.

```hcl
resource "fortios_json_generic_api" "generate_token" {
  path   = "/api/v2/monitor/system/api-user/generate-key"
  method = "POST"
  json   = <<EOF
{
  "api-user": "api"
}
EOF
}

locals {
  map_data = jsondecode(fortios_json_generic_api.generate_token.response)
}

output "token" {
  value = local.map_data.results.access_token
}
```

Thanks, Maxx

MaxxLiu22 avatar Dec 06 '23 23:12 MaxxLiu22
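A variant of the snippet in the reply above that keeps the generated token out of plan/apply output and rotates it only on request. This is an added example, not code from the thread or from the provider's documentation. It assumes the provider's `force_recreate` argument on `fortios_json_generic_api` and Terraform 0.15 or later for `sensitive()`; the variable name `api_token_rotation` is hypothetical, and the API user `api` is taken from the reply.

```hcl
# Hypothetical variable: change its value to rotate the token deliberately.
variable "api_token_rotation" {
  type    = string
  default = "1"
}

resource "fortios_json_generic_api" "generate_token" {
  path   = "/api/v2/monitor/system/api-user/generate-key"
  method = "POST"
  json   = jsonencode({ "api-user" = "api" })

  # Assumption: the POST is issued when the resource is created, so the key
  # is generated once and kept in state. Changing this value re-creates the
  # resource, which generates a new key that replaces the previous one.
  force_recreate = var.api_token_rotation
}

locals {
  # Mark the decoded value sensitive so it is redacted in plan/apply output
  # and in any expression derived from it.
  api_token = sensitive(
    jsondecode(fortios_json_generic_api.generate_token.response).results.access_token
  )
}

output "token" {
  value     = local.api_token
  sensitive = true
}
```

The raw `response` attribute, token included, is still written to the state file in plaintext, so the state backend needs encryption and restricted access. Read the value with `terraform output -raw token` only where it is consumed.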

Hi @agyss

I will go ahead and close this case. If you have any further questions, feel free to reopen it or open a new case to let us know.

Thanks, Maxx

MaxxLiu22 avatar Sep 16 '24 18:09 MaxxLiu22