terraform-provider-fortios
fortios_system_sdwan Trying to create multiple SDWAN zones
I am trying to create multiple sdwan zones using terraform.
data "local_file" "sdwan" {
  filename = "sdwan.txt"
}

locals {
  sdwan = jsondecode(data.local_file.sdwan.content)
  sdwan_data = {
    for section in local.sdwan : section["zone"] => {
      zone      = lookup(section, "zone", "")
      interface = lookup(section, "interface", "")
      gateway   = lookup(section, "gateway", "")
    }
  }
  zones = { for item in local.sdwan : item.zone => [item.zone] }
}

resource "fortios_system_sdwan" "example_sdwan_zone" {
  for_each = local.sdwan_data
  dynamic "zone" {
    iterator = inner_block
    for_each = [each.key]
    content {
      name = each.value.zone
    }
  }
}
This is a snippet of what the data I am using looks like.
[
  {
    "interface": "VLAN1001",
    "zone": "VLAN1001_2684354560",
    "gateway": "x.x.x.x"
  },
  {
    "interface": "VLAN3",
    "zone": "INTERNET",
    "gateway": "x.x.x.x"
  },
  {
    "interface": "VLAN1002",
    "zone": "VLAN1002_2818572288",
    "gateway": "x.x.x.x"
  },
  {
    "interface": "VLAN1003",
    "zone": "VLAN1003_2969567232",
    "gateway": "x.x.x.x"
  },
  {
    "interface": "VLAN1004",
    "zone": "VLAN1004_3305111552",
    "gateway": "x.x.x.x"
  }
]
The problem I keep having is that Terraform says it has created all of the SDWAN zones, but when I look at the firewall it only creates 1 or 2 of them. When looking at the logs of the FortiGate I see that it creates the zones and deletes them immediately after.
0: config system sdwan
0: config zone
0: edit "VLAN1010_2264924160"
0: end
0: end
[cmf_restore_err_redir:3304] restoring stdout/stderr. redir_fd: 11, save_fd1: 12, save_fd2: 13
[cmf_restore_err_redir:3304] restoring stdout/stderr. redir_fd: 15, save_fd1: 16, save_fd2: 17
[cmf_err_redir_to_file:3364] redirecting stdout/stderr redir_fd: 15, saved_fd1: 16, saved_fd2: 17
[cmf_restore_err_redir:3304] restoring stdout/stderr. redir_fd: 15, save_fd1: 16, save_fd2: 17
[cmf_err_redir_to_file:3364] redirecting stdout/stderr redir_fd: 15, saved_fd1: 16, saved_fd2: 17
[cmf_err_redir_to_file:3364] redirecting stdout/stderr redir_fd: 11, saved_fd1: 12, saved_fd2: 13
0: config system sdwan
0: end
[cmf_restore_err_redir:3304] restoring stdout/stderr. redir_fd: 11, save_fd1: 12, save_fd2: 13
[cmf_err_redir_to_file:3364] redirecting stdout/stderr redir_fd: 11, saved_fd1: 12, saved_fd2: 13
0: config system sdwan
0: config zone
0: delete "VLAN1010_2264924160"
0: end
When I try to add zones manually it works just fine.
resource "fortios_system_sdwan" "default" {
  zone {
    name = "virtual-wan-link"
  }
  zone {
    name = "test-zone"
  }
  zone {
    name = "trial-zone"
  }
}
Hi @amar-ysabie,
Thank you for raising this question. Your script was trying to create 5 fortios_system_sdwan resources; the later one would overwrite the previous one, which is the reason you were seeing FOS delete the previously created zones. Could you substitute your fortios_system_sdwan snippet with the following one and try again, and add one more "zone" named virtual-wan-link to your sdwan.txt, since that one is predefined and can't be deleted by FOS; if it is not defined, Terraform will always try to delete it.
resource "fortios_system_sdwan" "example_sdwan_zone" {
  dynamic "zone" {
    for_each = local.sdwan_data
    content {
      name = zone.key
    }
  }
}
[
  {
    "interface": "1",
    "zone": "virtual-wan-link",
    "gateway": "x.x.x.x"
  },
  {
    "interface": "2",
    "zone": "INTERNET",
    "gateway": "x.x.x.x"
  },
  ....
Terraform will perform the following actions:
# fortios_system_sdwan.example_sdwan_zone will be created
+ resource "fortios_system_sdwan" "example_sdwan_zone" {
+ app_perf_log_period = (known after apply)
+ duplication_max_num = (known after apply)
+ dynamic_sort_subtable = "false"
+ fail_detect = (known after apply)
+ get_all_tables = "false"
+ id = (known after apply)
+ load_balance_mode = (known after apply)
+ neighbor_hold_boot_time = (known after apply)
+ neighbor_hold_down = (known after apply)
+ neighbor_hold_down_time = (known after apply)
+ speedtest_bypass_routing = (known after apply)
+ status = (known after apply)
+ zone {
+ advpn_health_check = (known after apply)
+ advpn_select = (known after apply)
+ minimum_sla_meet_members = (known after apply)
+ name = "INTERNET"
+ service_sla_tie_break = (known after apply)
}
+ zone {
+ advpn_health_check = (known after apply)
+ advpn_select = (known after apply)
+ minimum_sla_meet_members = (known after apply)
+ name = "VLAN1001_2684354560"
+ service_sla_tie_break = (known after apply)
}
+ zone {
+ advpn_health_check = (known after apply)
+ advpn_select = (known after apply)
+ minimum_sla_meet_members = (known after apply)
+ name = "VLAN1002_2818572288"
+ service_sla_tie_break = (known after apply)
}
+ zone {
+ advpn_health_check = (known after apply)
+ advpn_select = (known after apply)
+ minimum_sla_meet_members = (known after apply)
+ name = "VLAN1003_2969567232"
+ service_sla_tie_break = (known after apply)
}
+ zone {
+ advpn_health_check = (known after apply)
+ advpn_select = (known after apply)
+ minimum_sla_meet_members = (known after apply)
+ name = "VLAN1004_3305111552"
+ service_sla_tie_break = (known after apply)
}
+ zone {
+ advpn_health_check = (known after apply)
+ advpn_select = (known after apply)
+ minimum_sla_meet_members = (known after apply)
+ name = "virtual-wan-link"
+ service_sla_tie_break = (known after apply)
}
}
Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Thanks, Maxx
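The following is an added example, not code from the issue or from the provider itself, that takes the answer above one step further: it keeps a single fortios_system_sdwan resource (so no instance overwrites another), merges the predefined "virtual-wan-link" zone in from locals instead of requiring a placeholder record in sdwan.txt, wires the interface and gateway fields of each record into SD-WAN members, and fails the plan early if the data file repeats an interface. The members block attribute names (seq_num, interface, zone, gateway) are assumed from the FortiOS CLI layout and should be checked against the provider's fortios_system_sdwan documentation; the lifecycle precondition needs Terraform 1.2 or later.

```hcl
# Added example (not from the issue or the provider): one fortios_system_sdwan
# resource carrying every zone from sdwan.txt plus the predefined zone.
data "local_file" "sdwan" {
  filename = "sdwan.txt"
}

locals {
  sdwan = jsondecode(data.local_file.sdwan.content)

  # Zones coming from the data file, keyed by zone name so duplicates collapse.
  file_zones = {
    for section in local.sdwan : section["zone"] => {
      interface = lookup(section, "interface", "")
      gateway   = lookup(section, "gateway", "")
    }
  }

  # FOS predefines "virtual-wan-link" and will not delete it. If the single
  # resource omits it, every apply tries to remove it and the plan never
  # converges. Merging it here keeps the data file free of a dummy record;
  # a real record in the file for that name simply overrides this entry.
  sdwan_data = merge(
    { "virtual-wan-link" = { interface = "", gateway = "" } },
    local.file_zones,
  )

  # keys() returns map keys in sorted order, giving stable member seq_nums
  # across runs instead of renumbering on every change to the file.
  zone_names = keys(local.file_zones)
}

resource "fortios_system_sdwan" "example_sdwan_zone" {
  # Exactly one resource instance: a for_each on the resource would make each
  # instance overwrite the last one on the FortiGate, as seen in the issue.
  dynamic "zone" {
    for_each = local.sdwan_data
    content {
      name = zone.key
    }
  }

  # Assumed attribute names for the members block; verify against the
  # provider docs before use.
  dynamic "members" {
    for_each = local.file_zones
    content {
      seq_num   = index(local.zone_names, members.key) + 1
      interface = members.value.interface
      zone      = members.key
      gateway   = members.value.gateway
    }
  }

  lifecycle {
    # Catch a malformed data file at plan time rather than as a half-applied
    # SD-WAN table: each interface may back only one member.
    precondition {
      condition     = length(distinct([for z in local.file_zones : z.interface])) == length(local.file_zones)
      error_message = "Each SD-WAN member interface must appear only once in sdwan.txt."
    }
  }
}
```

Run terraform plan after editing sdwan.txt; the plan should show a single fortios_system_sdwan.example_sdwan_zone with one zone block per record plus virtual-wan-link, and a second plan with no file changes should report no diff. If the second plan still wants to delete or recreate virtual-wan-link, the data file contains that zone under a different spelling.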