terraform-provider-fortios
Missing values from data.fortios_system_apiuser
Listed here it states that the api_key is an exported value but this does not appear to be true.
data "fortios_system_apiuser" "this" {
  accprofile = "terraform-api"
  id         = "terraform-api"
  name       = "terraform-api"
  peer_auth  = "disable"
  trusthost = [
    {
      id             = 1
      ipv4_trusthost = "X.X.X.X 255.255.128.0"
      ipv6_trusthost = ""
      type           = "ipv4-trusthost"
    },
  ]
  vdom = [
    {
      name = "root"
    },
  ]
}
Given that it seems it's impossible to re-apply an ENC password with the resource.fortios_system_user, this leaves us in a race condition that requires manual secret export to Vault, with room for user error and exfil.
Hi @dvmrry ,
Thank you for raising this issue. Yes, "api_key" is not an exported value, out of security concerns; we can only get and see the api_key at the moment we generate it, and if somehow we lose the token, we have to regenerate a new token. Here is a script to generate a token and save it locally. Hope that is helpful in your situation; let me know if that doesn't solve your question.
resource "fortios_json_generic_api" "generate_token" {
  path   = "/api/v2/monitor/system/api-user/generate-key"
  method = "POST"
  # Body names the API user to generate a key for
  json   = <<-EOF
    {
      "api-user": "api"
    }
  EOF
}

locals {
  # Decode the raw JSON response so the token can be referenced below
  map_data = jsondecode(fortios_json_generic_api.generate_token.response)
}

output "response" {
  value = local.map_data.results.access_token
}

# Write the token to a local file whenever a new one is generated
resource "null_resource" "save_to_file" {
  triggers = {
    data_result = local.map_data.results.access_token
  }

  provisioner "local-exec" {
    command = <<-EOT
      echo "${local.map_data.results.access_token}" > local_data.txt
    EOT
  }
}
Thanks, Maxx
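An added example, not code from the provider or from the reply above, that uses the same generate-key call but writes the returned token straight into Vault instead of a local file, removing the manual export step the issue describes. It assumes a configured Vault provider, a KV v2 mount named `secret`, and an API user named `terraform-api`; the resource names are hypothetical.

```hcl
# Generate a key for the API user via the FortiOS monitor endpoint.
# The key is only returned by this call and is not readable afterwards.
resource "fortios_json_generic_api" "generate_token" {
  path   = "/api/v2/monitor/system/api-user/generate-key"
  method = "POST"
  json   = jsonencode({ "api-user" = "terraform-api" }) # assumed user name
}

locals {
  # Response shape as shown in the reply above: results.access_token
  access_token = jsondecode(fortios_json_generic_api.generate_token.response).results.access_token
}

# Store the token in Vault (assumed KV v2 mount "secret") rather than on disk.
# Note: the token is still present in Terraform state via the response
# attribute and data_json, so the state backend must be protected accordingly.
resource "vault_kv_secret_v2" "fortios_api_key" {
  mount = "secret"
  name  = "fortios/terraform-api"
  data_json = jsonencode({
    access_token = local.access_token
  })
}

# Expose only where the secret lives, never the token itself.
output "vault_secret_location" {
  value = "${vault_kv_secret_v2.fortios_api_key.mount}/${vault_kv_secret_v2.fortios_api_key.name}"
}
```

Consumers then read the key from Vault with `vault_kv_secret_v2` data sources, so the value never has to be copied by hand.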