UUID attribute cannot be set directly | Issue when changing address objects #350

Open
hogadacab opened this issue Nov 15, 2024 · 1 comment

Comments

@hogadacab

Hi!

We have encountered a problem where the firewall is outputting an error such as the following:

│ Error: Error updating FirewallAddress resource: Internal Server Error - Internal error when processing the request (500)
│ Cli response:
│ UUID attribute cannot be set directly.
│ Command fail. Return code -37

This only occurs when trying to change an already applied address object.
We created a module to create policies and required address objects. I'll include it in the files.

When modifying our module which creates these objects, terraform will try to recreate address objects and set the uuid of the object. This is causing the error.

I've tried to find anything which forces terraform to ignore the uuid value but haven't found anything.
fgt_issue.zip

To clarify this only happens when we modify the already applied configuration.

Thanks for all the help; this seems like an important issue to solve, considering that the error stops us from operating the firewall without having to recreate settings, thus affecting production.
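
As an added example, not part of this thread or of the provider: a small Python check that reads the JSON form of a plan (`terraform show -json <planfile>`) and reports planned `fortios_*` changes that would push a concrete, changed `uuid` to the FortiGate, the condition the report above associates with the 500 "UUID attribute cannot be set directly". The sample plan document is constructed here with the resource types and addresses seen in this thread; the assumption that an unchanged uuid echoed back is tolerated, and that a computed (`after_unknown`) uuid is never written, is mine.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>`, trimmed
# to the fields the check reads. Resource 1 carries a concrete uuid that differs
# from the recorded state (the case this check reports), resource 2 is a fresh
# create whose uuid is computed on the FortiGate, resource 3 changes only its
# subnet and echoes the stored uuid unchanged.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": 'module.create_policy_with_module.fortios_firewall_address.src_addr_obj["First_src"]',
     "type": "fortios_firewall_address",
     "change": {"actions": ["update"],
                "before": {"subnet": "10.10.13.0/24", "uuid": "00000000-0000-0000-0000-000000000001"},
                "after":  {"subnet": "10.10.14.0/24", "uuid": "00000000-0000-0000-0000-000000000002"},
                "after_unknown": {}}},
    {"address": 'module.create_policy_with_module.fortios_firewall_address.dst_addr_obj["First_dst"]',
     "type": "fortios_firewall_address",
     "change": {"actions": ["create"], "before": None,
                "after": {"subnet": "20.20.16.0/20"},
                "after_unknown": {"id": True, "uuid": True}}},
    {"address": 'module.create_policy_with_module.fortios_firewall_address.src_addr_obj["Second_src"]',
     "type": "fortios_firewall_address",
     "change": {"actions": ["update"],
                "before": {"subnet": "10.10.20.0/24", "uuid": "00000000-0000-0000-0000-000000000003"},
                "after":  {"subnet": "10.10.21.0/24", "uuid": "00000000-0000-0000-0000-000000000003"},
                "after_unknown": {}}},
]})

# Resource types from the plan in this thread that expose a FortiGate-managed uuid.
UUID_TYPES = ("fortios_firewall_address", "fortios_firewall_addrgrp", "fortios_firewall_policy")
WRITE_ACTIONS = {"create", "update"}


def find_uuid_writes(plan_json, resource_types=UUID_TYPES):
    """Return planned changes that would push a concrete, changed uuid.

    A uuid listed in after_unknown is computed by the FortiGate and only read
    back after apply. A uuid identical to the recorded state is treated as a
    harmless echo; that the provider tolerates it is an assumption here.
    """
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") not in resource_types:
            continue
        change = rc.get("change", {})
        actions = set(change.get("actions", []))
        if not actions & WRITE_ACTIONS:
            continue  # no-op, read and pure delete send no attributes
        if (change.get("after_unknown") or {}).get("uuid"):
            continue  # computed value, not a write
        after_uuid = (change.get("after") or {}).get("uuid")
        before_uuid = (change.get("before") or {}).get("uuid")
        if after_uuid and after_uuid != before_uuid:
            findings.append({"address": rc["address"], "actions": sorted(actions),
                             "before_uuid": before_uuid, "after_uuid": after_uuid})
    return findings


if __name__ == "__main__":
    # For a real plan, pass open("plan.json").read() instead of SAMPLE_PLAN.
    for f in find_uuid_writes(SAMPLE_PLAN):
        print(f"{f['address']}: uuid {f['before_uuid']} -> {f['after_uuid']} ({','.join(f['actions'])})")
```

Running this before `terraform apply` in a pipeline gives a cheap gate: a non-empty result means the plan would write a uuid, which is the change to inspect before the FortiGate rejects it.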

@MaxxLiu22

Hi @hogadacab ,

Thank you for raising this issue. I tested your module on FOS 7.4.5, and it worked well. I was able to apply the configuration and make changes to the name or source_addr, with Terraform successfully applying the changes without any errors. Let me know if I didn't reproduce it in the right way.

Could you kindly let me know which FOS version you are using? Additionally, sharing the Terraform output would be very helpful in diagnosing the issue.

module "create_policy_with_module" {
  source = "./terraform-fortios-cabonline-policies"

  name = "Module_test_rule"  ->  "Module_test_rule2"
  source_addr = {
    First_src  = "10.10.13.0/24"   ->  "10.10.14.0/24"
    Second_src = "10.10.20.0/24"
  }

  dest_addr = {
    First_dst  = "20.20.16.0/20"
    Second_dst = "20.20.15.0/24"
  }
  service = "ALL"

}

root@liang:~/terraform/fgt/github#350/fgt_issue# terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated
with the following symbols:
  + create

Terraform will perform the following actions:

  # module.create_policy_with_module.fortios_firewall_address.dst_addr_obj["First_dst"] will be created
  + resource "fortios_firewall_address" "dst_addr_obj" {
      + allow_routing         = (known after apply)
      + clearpass_spt         = (known after apply)
      + dynamic_sort_subtable = "false"
      + end_ip                = (known after apply)
      + end_mac               = (known after apply)
      + fabric_object         = (known after apply)
      + get_all_tables        = "false"
      + id                    = (known after apply)
      + name                  = "Module_test_rule2 - 20.20.16.0/20"
      + node_ip_only          = (known after apply)
      + obj_type              = (known after apply)
      + sdn_addr_type         = (known after apply)
      + start_ip              = (known after apply)
      + start_mac             = (known after apply)
      + sub_type              = (known after apply)
      + subnet                = "20.20.16.0/20"
      + type                  = (known after apply)
      + uuid                  = (known after apply)
      + vdomparam             = (known after apply)
      + wildcard              = (known after apply)
    }

  # module.create_policy_with_module.fortios_firewall_address.dst_addr_obj["Second_dst"] will be created
  + resource "fortios_firewall_address" "dst_addr_obj" {
      + allow_routing         = (known after apply)
      + clearpass_spt         = (known after apply)
      + dynamic_sort_subtable = "false"
      + end_ip                = (known after apply)
      + end_mac               = (known after apply)
      + fabric_object         = (known after apply)
      + get_all_tables        = "false"
      + id                    = (known after apply)
      + name                  = "Module_test_rule2 - 20.20.15.0/24"
      + node_ip_only          = (known after apply)
      + obj_type              = (known after apply)
      + sdn_addr_type         = (known after apply)
      + start_ip              = (known after apply)
      + start_mac             = (known after apply)
      + sub_type              = (known after apply)
      + subnet                = "20.20.15.0/24"
      + type                  = (known after apply)
      + uuid                  = (known after apply)
      + vdomparam             = (known after apply)
      + wildcard              = (known after apply)
    }

  # module.create_policy_with_module.fortios_firewall_address.src_addr_obj["First_src"] will be created
  + resource "fortios_firewall_address" "src_addr_obj" {
      + allow_routing         = (known after apply)
      + clearpass_spt         = (known after apply)
      + dynamic_sort_subtable = "false"
      + end_ip                = (known after apply)
      + end_mac               = (known after apply)
      + fabric_object         = (known after apply)
      + get_all_tables        = "false"
      + id                    = (known after apply)
      + name                  = "Module_test_rule2 - 10.10.13.0/24"
      + node_ip_only          = (known after apply)
      + obj_type              = (known after apply)
      + sdn_addr_type         = (known after apply)
      + start_ip              = (known after apply)
      + start_mac             = (known after apply)
      + sub_type              = (known after apply)
      + subnet                = "10.10.13.0/24"
      + type                  = (known after apply)
      + uuid                  = (known after apply)
      + vdomparam             = (known after apply)
      + wildcard              = (known after apply)
    }

  # module.create_policy_with_module.fortios_firewall_address.src_addr_obj["Second_src"] will be created
  + resource "fortios_firewall_address" "src_addr_obj" {
      + allow_routing         = (known after apply)
      + clearpass_spt         = (known after apply)
      + dynamic_sort_subtable = "false"
      + end_ip                = (known after apply)
      + end_mac               = (known after apply)
      + fabric_object         = (known after apply)
      + get_all_tables        = "false"
      + id                    = (known after apply)
      + name                  = "Module_test_rule2 - 10.10.20.0/24"
      + node_ip_only          = (known after apply)
      + obj_type              = (known after apply)
      + sdn_addr_type         = (known after apply)
      + start_ip              = (known after apply)
      + start_mac             = (known after apply)
      + sub_type              = (known after apply)
      + subnet                = "10.10.20.0/24"
      + type                  = (known after apply)
      + uuid                  = (known after apply)
      + vdomparam             = (known after apply)
      + wildcard              = (known after apply)
    }

  # module.create_policy_with_module.fortios_firewall_addrgrp.dst_group will be created
  + resource "fortios_firewall_addrgrp" "dst_group" {
      + allow_routing         = (known after apply)
      + category              = (known after apply)
      + color                 = 10
      + dynamic_sort_subtable = "false"
      + exclude               = (known after apply)
      + fabric_object         = (known after apply)
      + get_all_tables        = "false"
      + id                    = (known after apply)
      + name                  = "Module_test_rule2_dst_grp"
      + type                  = (known after apply)
      + uuid                  = (known after apply)
      + vdomparam             = (known after apply)
      + visibility            = (known after apply)

      + member {
          + name = "Module_test_rule2 - 20.20.15.0/24"
        }
      + member {
          + name = "Module_test_rule2 - 20.20.16.0/20"
        }
    }

  # module.create_policy_with_module.fortios_firewall_addrgrp.src_group will be created
  + resource "fortios_firewall_addrgrp" "src_group" {
      + allow_routing         = (known after apply)
      + category              = (known after apply)
      + color                 = 10
      + dynamic_sort_subtable = "false"
      + exclude               = (known after apply)
      + fabric_object         = (known after apply)
      + get_all_tables        = "false"
      + id                    = (known after apply)
      + name                  = "Module_test_rule2_src_grp"
      + type                  = (known after apply)
      + uuid                  = (known after apply)
      + vdomparam             = (known after apply)
      + visibility            = (known after apply)

      + member {
          + name = "Module_test_rule2 - 10.10.13.0/24"
        }
      + member {
          + name = "Module_test_rule2 - 10.10.20.0/24"
        }
    }

  # module.create_policy_with_module.fortios_firewall_policy.policy_creation will be created
  + resource "fortios_firewall_policy" "policy_creation" {
      + action                         = "accept"
      + anti_replay                    = (known after apply)
      + application_list               = "default"
      + auth_path                      = (known after apply)
      + auto_asic_offload              = (known after apply)
      + av_profile                     = "default"
      + block_notification             = (known after apply)
      + captive_portal_exempt          = (known after apply)
      + capture_packet                 = (known after apply)
      + comments                       = "Policie for XXX"
      + delay_tcp_npu_session          = (known after apply)
      + diffserv_copy                  = (known after apply)
      + diffserv_forward               = (known after apply)
      + diffserv_reverse               = (known after apply)
      + diffservcode_forward           = (known after apply)
      + diffservcode_rev               = (known after apply)
      + disclaimer                     = (known after apply)
      + dsri                           = (known after apply)
      + dstaddr6_negate                = (known after apply)
      + dstaddr_negate                 = "disable"
      + dynamic_shaping                = (known after apply)
      + dynamic_sort_subtable          = "false"
      + email_collect                  = (known after apply)
      + fec                            = (known after apply)
      + firewall_session_dirty         = (known after apply)
      + fixedport                      = (known after apply)
      + geoip_anycast                  = (known after apply)
      + geoip_match                    = (known after apply)
      + get_all_tables                 = "false"
      + http_policy_redirect           = (known after apply)
      + id                             = (known after apply)
      + inbound                        = (known after apply)
      + inspection_mode                = (known after apply)
      + internet_service               = (known after apply)
      + internet_service6              = (known after apply)
      + internet_service6_negate       = (known after apply)
      + internet_service6_src          = (known after apply)
      + internet_service6_src_negate   = (known after apply)
      + internet_service_negate        = (known after apply)
      + internet_service_src           = (known after apply)
      + internet_service_src_negate    = (known after apply)
      + ippool                         = (known after apply)
      + ips_sensor                     = "default"
      + logtraffic                     = "all"
      + logtraffic_start               = (known after apply)
      + match_vip                      = (known after apply)
      + match_vip_only                 = (known after apply)
      + name                           = "Module_test_rule2"
      + nat                            = (known after apply)
      + nat46                          = (known after apply)
      + nat64                          = (known after apply)
      + natinbound                     = (known after apply)
      + natip                          = (known after apply)
      + natoutbound                    = (known after apply)
      + np_acceleration                = (known after apply)
      + ntlm                           = (known after apply)
      + ntlm_guest                     = (known after apply)
      + outbound                       = (known after apply)
      + passive_wan_health_measurement = (known after apply)
      + pcp_inbound                    = (known after apply)
      + pcp_outbound                   = (known after apply)
      + permit_any_host                = (known after apply)
      + permit_stun_host               = (known after apply)
      + policy_expiry                  = (known after apply)
      + policy_expiry_date             = (known after apply)
      + policyid                       = (known after apply)
      + port_preserve                  = (known after apply)
      + profile_protocol_options       = (known after apply)
      + profile_type                   = (known after apply)
      + radius_mac_auth_bypass         = (known after apply)
      + reputation_direction           = (known after apply)
      + reputation_direction6          = (known after apply)
      + rtp_nat                        = (known after apply)
      + schedule                       = "always"
      + schedule_timeout               = (known after apply)
      + send_deny_packet               = (known after apply)
      + service_negate                 = (known after apply)
      + sgt_check                      = (known after apply)
      + srcaddr6_negate                = (known after apply)
      + srcaddr_negate                 = (known after apply)
      + ssh_policy_redirect            = (known after apply)
      + ssl_ssh_profile                = "certificate-inspection"
      + status                         = "enable"
      + tcp_session_without_syn        = (known after apply)
      + timeout_send_rst               = (known after apply)
      + tos                            = (known after apply)
      + tos_mask                       = (known after apply)
      + tos_negate                     = (known after apply)
      + utm_status                     = "disable"
      + uuid                           = (known after apply)
      + vdomparam                      = (known after apply)
      + vlan_cos_fwd                   = (known after apply)
      + vlan_cos_rev                   = (known after apply)
      + wanopt                         = (known after apply)
      + wanopt_detection               = (known after apply)
      + wanopt_passive_opt             = (known after apply)
      + wccp                           = (known after apply)
      + webcache                       = (known after apply)
      + webcache_https                 = (known after apply)
      + webfilter_profile              = "default"
      + ztna_device_ownership          = (known after apply)
      + ztna_policy_redirect           = (known after apply)
      + ztna_status                    = (known after apply)
      + ztna_tags_match_logic          = (known after apply)

      + dstaddr {
          + name = "Module_test_rule2_dst_grp"
        }

      + dstintf {
          + name = "port2"
        }

      + service {
          + name = "ALL"
        }

      + srcaddr {
          + name = "Module_test_rule2_src_grp"
        }

      + srcintf {
          + name = "port3"
        }
    }

Plan: 7 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.create_policy_with_module.fortios_firewall_address.dst_addr_obj["First_dst"]: Creating...
module.create_policy_with_module.fortios_firewall_address.src_addr_obj["Second_src"]: Creating...
module.create_policy_with_module.fortios_firewall_address.dst_addr_obj["Second_dst"]: Creating...
module.create_policy_with_module.fortios_firewall_address.src_addr_obj["First_src"]: Creating...
module.create_policy_with_module.fortios_firewall_address.src_addr_obj["Second_src"]: Creation complete after 1s [id=Module_test_rule2 - 10.10.20.0/24]
module.create_policy_with_module.fortios_firewall_address.src_addr_obj["First_src"]: Creation complete after 1s [id=Module_test_rule2 - 10.10.13.0/24]
module.create_policy_with_module.fortios_firewall_addrgrp.src_group: Creating...
module.create_policy_with_module.fortios_firewall_address.dst_addr_obj["Second_dst"]: Creation complete after 1s [id=Module_test_rule2 - 20.20.15.0/24]
module.create_policy_with_module.fortios_firewall_address.dst_addr_obj["First_dst"]: Creation complete after 1s [id=Module_test_rule2 - 20.20.16.0/20]
module.create_policy_with_module.fortios_firewall_addrgrp.dst_group: Creating...
module.create_policy_with_module.fortios_firewall_addrgrp.src_group: Creation complete after 0s [id=Module_test_rule2_src_grp]
module.create_policy_with_module.fortios_firewall_addrgrp.dst_group: Creation complete after 0s [id=Module_test_rule2_dst_grp]
module.create_policy_with_module.fortios_firewall_policy.policy_creation: Creating...
module.create_policy_with_module.fortios_firewall_policy.policy_creation: Creation complete after 0s [id=2]

Apply complete! Resources: 7 added, 0 changed, 0 destroyed.
root@liang:~/terraform/fgt/github#350/fgt_issue# terraform apply
module.create_policy_with_module.fortios_firewall_address.dst_addr_obj["First_dst"]: Refreshing state... [id=Module_test_rule2 - 20.20.16.0/20]
module.create_policy_with_module.fortios_firewall_address.dst_addr_obj["Second_dst"]: Refreshing state... [id=Module_test_rule2 - 20.20.15.0/24]
module.create_policy_with_module.fortios_firewall_address.src_addr_obj["Second_src"]: Refreshing state... [id=Module_test_rule2 - 10.10.20.0/24]
module.create_policy_with_module.fortios_firewall_address.src_addr_obj["First_src"]: Refreshing state... [id=Module_test_rule2 - 10.10.13.0/24]
module.create_policy_with_module.fortios_firewall_addrgrp.src_group: Refreshing state... [id=Module_test_rule2_src_grp]
module.create_policy_with_module.fortios_firewall_addrgrp.dst_group: Refreshing state... [id=Module_test_rule2_dst_grp]
module.create_policy_with_module.fortios_firewall_policy.policy_creation: Refreshing state... [id=2]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated
with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.create_policy_with_module.fortios_firewall_address.src_addr_obj["First_src"] will be updated in-place
  ~ resource "fortios_firewall_address" "src_addr_obj" {
        id                    = "Module_test_rule2 - 10.10.13.0/24"
      ~ name                  = "Module_test_rule2 - 10.10.13.0/24" -> "Module_test_rule2 - 10.10.14.0/24"
      ~ subnet                = "10.10.13.0/24" -> "10.10.14.0/24"
        # (14 unchanged attributes hidden)
    }

  # module.create_policy_with_module.fortios_firewall_addrgrp.src_group will be updated in-place
  ~ resource "fortios_firewall_addrgrp" "src_group" {
        id                    = "Module_test_rule2_src_grp"
        name                  = "Module_test_rule2_src_grp"
        # (9 unchanged attributes hidden)

      - member {
          - name = "Module_test_rule2 - 10.10.13.0/24" -> null
        }
      + member {
          + name = "Module_test_rule2 - 10.10.14.0/24"
        }

        # (1 unchanged block hidden)
    }

  # module.create_policy_with_module.fortios_firewall_policy.policy_creation will be updated in-place
  ~ resource "fortios_firewall_policy" "policy_creation" {
      + application_list               = "default"
      + av_profile                     = "default"
        id                             = "2"
      + ips_sensor                     = "default"
        name                           = "Module_test_rule2"
      + webfilter_profile              = "default"
        # (100 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

Plan: 0 to add, 3 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.create_policy_with_module.fortios_firewall_address.src_addr_obj["First_src"]: Modifying... [id=Module_test_rule2 - 10.10.13.0/24]
module.create_policy_with_module.fortios_firewall_address.src_addr_obj["First_src"]: Modifications complete after 0s [id=Module_test_rule2 - 10.10.14.0/24]
module.create_policy_with_module.fortios_firewall_addrgrp.src_group: Modifying... [id=Module_test_rule2_src_grp]
module.create_policy_with_module.fortios_firewall_addrgrp.src_group: Modifications complete after 1s [id=Module_test_rule2_src_grp]
module.create_policy_with_module.fortios_firewall_policy.policy_creation: Modifying... [id=2]
module.create_policy_with_module.fortios_firewall_policy.policy_creation: Modifications complete after 0s [id=2]

Apply complete! Resources: 0 added, 3 changed, 0 destroyed.

Thanks,
Maxx
