
Missing attributes after import on FMG 7.4.5 #60

Open
agesta23 opened this issue Oct 22, 2024 · 1 comment

Comments

@agesta23

There is a problem with importing all attributes from the resource: fortimanager_packages_firewall_policy on FMG 7.4.5.

Missing attributes:

  • ztna_status
  • ztna_ems_tag

More resource attributes could be missing, but I could only test those.
Here is an imported resource in the state file:

terragrunt state show 'fortimanager_packages_firewall_policy.policy["vpn_network_group_policy_2"]'
# fortimanager_packages_firewall_policy.policy["vpn_network_group_policy_2"]:
resource "fortimanager_packages_firewall_policy" "policy" {
    _policy_block                      = 0
    action                             = "accept"
    anti_replay                        = "enable"
    application                        = []
    application_list                   = "default"
    auth_path                          = "disable"
    auto_asic_offload                  = "enable"
    block_notification                 = "disable"
    capture_packet                     = "disable"
    cgn_resource_quota                 = 16
    cgn_session_quota                  = 16777215
    delay_tcp_npu_session              = "disable"
    diffserv_forward                   = "disable"
    diffserv_reverse                   = "disable"
    dsri                               = "disable"
    dstaddr                            = [
        "vpn_network_private_resources_group",
    ]
    dstaddr6                           = []
    dstaddr6_negate                    = "disable"
    dstaddr_negate                     = "disable"
    dstintf                            = [
        "port2",
    ]
    dynamic_shaping                    = "disable"
    dynamic_sort_subtable              = "false"
    email_collect                      = "disable"
    fec                                = "disable"
    fsso_groups                        = []
    geoip_anycast                      = "disable"
    geoip_match                        = "physical-location"
    global_label                       = ""
    groups                             = [
        "vpn-network",
    ]
    id                                 = "114"
    internet_service                   = "disable"
    internet_service6                  = "disable"
    internet_service6_custom           = []
    internet_service6_custom_group     = []
    internet_service6_group            = []
    internet_service6_name             = []
    internet_service6_src              = "disable"
    internet_service6_src_custom       = []
    internet_service6_src_custom_group = []
    internet_service6_src_group        = []
    internet_service6_src_name         = []
    internet_service_id                = []
    internet_service_src               = "disable"
    ip_version_type                    = "ipv4"
    logtraffic                         = "all"
    logtraffic_start                   = "disable"
    match_vip                          = "enable"
    match_vip_only                     = "disable"
    nat                                = "disable"
    nat46                              = "disable"
    nat64                              = "disable"
    natip                              = [
        "0.0.0.0",
        "0.0.0.0",
    ]
    network_service_dynamic            = []
    network_service_src_dynamic        = []
    np_acceleration                    = "enable"
    ntlm_enabled_browsers              = []
    passive_wan_health_measurement     = "disable"
    pcp_inbound                        = "disable"
    pcp_outbound                       = "disable"
    pcp_poolname                       = []
    permit_any_host                    = "disable"
    pkg                                = "VPN_EW1_FGT"
    policy_behaviour_type              = "standard"
    policy_expiry                      = "disable"
    policy_expiry_date                 = "0000-00-00 00:00:00"
    policyid                           = 114
    port_preserve                      = "enable"
    profile_protocol_options           = "default"
    profile_type                       = "single"
    radius_mac_auth_bypass             = "disable"
    reputation_minimum                 = 0
    reputation_minimum6                = 0
    rtp_nat                            = "disable"
    schedule                           = "always"
    schedule_timeout                   = "disable"
    scopetype                          = "inherit"
    service                            = [
        "ALL",
    ]
    service_negate                     = "disable"
    session_ttl                        = "0"
    sgt                                = []
    sgt_check                          = "disable"
    src_vendor_mac                     = []
    srcaddr                            = [
        "ssl_vpn_cp_ip_pool",
    ]
    srcaddr6                           = []
    srcaddr6_negate                    = "disable"
    srcaddr_negate                     = "disable"
    srcintf                            = [
        "sslvpn_tun_intf",
    ]
    ssl_ssh_profile                    = "certificate-inspection"
    status                             = "enable"
    tcp_mss_receiver                   = 0
    tcp_mss_sender                     = 0
    tcp_session_without_syn            = "disable"
    timeout_send_rst                   = "disable"
    tos                                = "0x00"
    tos_mask                           = "0x00"
    tos_negate                         = "disable"
    users                              = []
    utm_status                         = "enable"
    uuid                               = "793a3824-d197-51ee-8716-9ee00451bf2b"
    vlan_cos_fwd                       = 255
    vlan_cos_rev                       = 255
    wccp                               = "disable"
    webcache_https                     = "disable"
    webfilter_profile                  = "monitor-all"
    ztna_ems_tag_secondary             = []
}

Actual resource in the FortiManager GUI:

[Screenshot of the policy in the FortiManager GUI, taken 2024-10-22]

Policy in Fortigate looks like this:

config firewall policy
    edit 114
        set uuid 793a3824-d197-51ee-8716-9ee00451bf2b
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set ztna-status enable
        set srcaddr "ssl_vpn_cp_ip_pool"
        set dstaddr "vpn_network_private_resources_group"
        set ztna-ems-tag "EMS1_ZTNA_cp-trusted-tag"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "monitor-all"
        set application-list "default"
        set logtraffic all
        set groups "vpn-network"
    next
end

FMG 7.4.2 worked well with it. I suppose it is broken after the update.

After terraform planning, it tries to add missing attributes every time:

# fortimanager_packages_firewall_policy.policy["vpn_network_group_policy_2"] will be updated in-place
  ~ resource "fortimanager_packages_firewall_policy" "policy" {
        id                                 = "114"
      + ztna_ems_tag                       = "EMS1_ZTNA_cp-trusted-tag"
      + ztna_status                        = "enable"
        # (104 unchanged attributes hidden)
    }
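A script for the comparison done by hand above, added here as an example and not part of the issue or of the provider: it parses a FortiOS `config firewall policy` block, maps the hyphenated CLI keys to the provider's underscored attribute names, and lists attributes that are set on the device but absent from the Terraform state. The CLI text and the state dict are constructed from the values quoted in the report; only attribute presence is compared, because interface and address names are mapped differently by FortiManager (`ssl.root` on the FortiGate versus `sslvpn_tun_intf` in the state).

```python
import re

# Constructed sample: a trimmed copy of the FortiGate CLI block from the issue.
FGT_CLI = """\
config firewall policy
    edit 114
        set srcintf "ssl.root"
        set action accept
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_cp-trusted-tag"
        set schedule "always"
        set logtraffic all
    next
end
"""

# Constructed sample: the matching attributes from the Terraform state shown above
# (the state has no ztna_status / ztna_ems_tag keys at all).
TF_STATE = {
    "policyid": 114, "action": "accept", "schedule": "always",
    "logtraffic": "all", "srcintf": ["sslvpn_tun_intf"], "ztna_ems_tag_secondary": [],
}


def parse_fgt_policy(cli_text):
    """Return {policyid: {tf_attr: value}} from a FortiOS 'config firewall policy' block.

    CLI keys use hyphens (ztna-ems-tag); the provider's attributes use underscores
    (ztna_ems_tag), so keys are rewritten before they are compared with state.
    """
    policies, current = {}, None
    for line in cli_text.splitlines():
        line = line.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        m = re.match(r"set ([\w-]+) (.+)$", line)
        if m and current is not None:
            key = m.group(1).replace("-", "_")
            vals = re.findall(r'"([^"]*)"', m.group(2)) or [m.group(2)]
            policies[current][key] = vals if len(vals) > 1 else vals[0]
    return policies


def missing_in_state(device_attrs, state_attrs):
    """Attribute names set on the device that the provider never read back into state."""
    return sorted(k for k in device_attrs if k not in state_attrs)


if __name__ == "__main__":
    device = parse_fgt_policy(FGT_CLI)[114]
    print("device attributes absent from state:", missing_in_state(device, TF_STATE))
```

An attribute that shows up here and also reappears as a `+` line in every plan after an apply is a read-back gap in the provider, not a change on the device.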
@MaxxLiu22

Hi @agesta23 ,

Thank you very much for bringing this issue to our attention. I’ve observed that the Terraform FMG provider is not yet compatible with version 7.4.5, but the issue appears to be that the FOS API GET response no longer includes these two arguments. This suggests there may have been a logical adjustment, potentially merging these arguments with others to achieve the same functionality. I will investigate further and consult with the appropriate team to gain additional insights.

Thanks,
Maxx
