fortios_vpncertificate_ca ca attribute needs to be updated #312
Comments
Hi @zippanto, thank you for raising this issue. I can reproduce it. I will talk to the Terraform and API teams to check if that is on purpose and let you know once there is any improvement. Thanks,
Hi @zippanto, this issue has been fixed in our latest Terraform FOS 1.19.0. Thanks,
Hi @MaxxLiu22, unfortunately this is still not fully fixed. Please see below.
The output of the terraform state show command:
We also double-checked the contents of the state file and the ca property does contain the certificate. Please advise. Thanks.
Hi @MaxxLiu22, could this issue be reopened please? Thanks.
Hi @MaxxLiu22, are there any updates on this please? Thanks.
Hi @zippanto, I apologize for the delayed response. After investigation, the root cause is as you mentioned before: the API GET shows an empty value for I am wondering if you would like to use Terraform to manage an existing CA certificate. How about setting Let me know if these solutions are not suitable in your situation. Thanks,
Hi @MaxxLiu22, I understand that this is ultimately a limitation on the API / firewall side and there is a good reason for this behaviour. I don't think the proposed workarounds are appropriate. The workarounds essentially provide create-only functionality, which defeats the purpose of using Terraform to manage resources and states. As we see it, this is the same situation that is presented when Terraform needs to manage a resource with a password attribute. I believe the way that is addressed on those resources is that if you imported the state, although it's the same password set in Terraform as on the firewall, it will still have to overwrite it, because there is no way to check if the contents are the same. However, after the first apply the provider will maintain a hash of the password in the state, which will now be the same hash that is visible on the firewall CLI. If the provider then later on detects a change in the hash that is on the firewall, it will update the resource on the firewall. Trying to do this with certificates will likely not work, as there is no hash stored on the firewall for certificates. Do you think this is something that you could propose to the API or other relevant firewall development team to address this issue? Thanks.
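Added example, not part of the thread and not the provider's own code: a sketch of the state-fingerprint comparison the comment above describes for password attributes, applied to a CA certificate whose value the API returns empty. The names `samplePEM`, `fingerprint`, `needsUpdate`, `stateFP` and `apiCA` are hypothetical, and the PEM payloads are constructed bytes rather than real certificates.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
)

// samplePEM wraps constructed bytes in a CERTIFICATE PEM block (not a real certificate).
func samplePEM(payload string) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte(payload)}))
}

// fingerprint hashes the decoded block, so PEM whitespace differences are not a change.
func fingerprint(pemText string) (string, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE PEM block found")
	}
	sum := sha256.Sum256(block.Bytes)
	return hex.EncodeToString(sum[:]), nil
}

// needsUpdate reports whether the configured CA must be pushed to the device.
// stateFP is the fingerprint saved at the last apply ("" right after an import).
// apiCA is the value the API GET returned; in this issue it is always empty.
func needsUpdate(configPEM, stateFP, apiCA string) (bool, error) {
	want, err := fingerprint(configPEM)
	if err != nil {
		return false, err
	}
	if apiCA != "" { // readable remote value: compare against the device itself
		got, err := fingerprint(apiCA)
		return err != nil || got != want, nil
	}
	// Write-only remote value: fall back to what the last apply recorded.
	// An empty stateFP never matches, so an import forces one overwrite.
	// An out-of-band change on the device is invisible on this path.
	return stateFP != want, nil
}

func main() {
	ca := samplePEM("constructed CA bytes")
	fp, _ := fingerprint(ca)
	first, _ := needsUpdate(ca, "", "")  // imported, nothing recorded yet
	second, _ := needsUpdate(ca, fp, "") // unchanged config after first apply
	fmt.Println(first, second)
}
```

With an empty API value this removes the update on every apply, but a certificate replaced directly on the firewall goes unnoticed until the configured value changes.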
Hi,
A bit similar to issue #230. When you import or create a fortios_vpncertificate_ca resource, on every subsequent apply Terraform will try to update the resource's ca attribute.
The output of the terraform show command shows no record of the ca attribute:
We checked and the attribute is present in a configuration backup and visible in the CLI (only if you use show full-configuration, though). However, it seems it's empty when querying the API. So we are not sure if this issue needs to be raised further up the chain with the API team.
Please advise.
Thanks.