
Unable to change interface name on VpnIpsecPhase1Interface #105

Closed
blkistsg opened this issue Oct 23, 2020 · 8 comments


blkistsg commented Oct 23, 2020

FortiOS 6.4

My guess is that it is because it is trying to change it instead of deleting and re-adding it. I don't think you can just edit the name on the VpnIpsecPhase1Interface.

  # fortios_system_interface.vpn_hq_wan1 will be updated in-place
  ~ resource "fortios_system_interface" "vpn_hq_wan1" {
        algorithm = "L4"
        allowaccess = "ping https ssh http"
        ap_discover = "enable"
        arpforward = "enable"
        auth_type = "auto"
        auto_auth_extension_device = "disable"
        bfd = "global"
        bfd_desired_min_tx = 250
        bfd_detect_mult = 3
        bfd_required_min_rx = 250
        broadcast_forward = "disable"
        captive_portal = 0
        cli_conn_status = 0
        color = 0
        dedicated_to = "none"
        defaultgw = "enable"
        description = "VPN Interface between hq wan1 and aws fw"
        detected_peer_mtu = 0
        detectprotocol = "ping"
        device_identification = "disable"
        device_user_identification = "enable"
        devindex = 13
        dhcp_relay_agent_option = "enable"
        dhcp_relay_service = "disable"
        dhcp_relay_type = "regular"
        dhcp_renew_time = 0
        disc_retry_timeout = 1
        disconnect_threshold = 0
        distance = 5
        dns_server_override = "enable"
        drop_fragment = "disable"
        drop_overlapped_fragment = "disable"
        estimated_downstream_bandwidth = 0
        estimated_upstream_bandwidth = 0
        explicit_ftp_proxy = "disable"
        explicit_web_proxy = "disable"
        external = "disable"
        fail_action_on_extender = "soft-restart"
        fail_alert_method = "link-down"
        fail_detect = "disable"
        fail_detect_option = "link-down"
        fortilink = "disable"
        fortilink_backup_link = 0
        fortilink_split_interface = "enable"
        fortilink_stacking = "enable"
        forward_domain = 0
        gwdetect = "disable"
        ha_priority = 1
        icmp_accept_redirect = "enable"
        icmp_send_redirect = "enable"
        id = "vpn-hq-wan1"
        ident_accept = "disable"
        idle_timeout = 0
        inbandwidth = 0
        ingress_spillover_threshold = 0
        interface = "port1"
        internal = 0
        ip = "169.254.255.1 255.255.255.255"
        ipmac = "disable"
        ips_sniffer_mode = "disable"
        ipunnumbered = "0.0.0.0"
        l2forward = "disable"
        lacp_ha_slave = "enable"
        lacp_mode = "active"
        lacp_speed = "slow"
        lcp_echo_interval = 5
        lcp_max_echo_fails = 3
        link_up_delay = 50
        lldp_reception = "vdom"
        lldp_transmission = "vdom"
        management_ip = "0.0.0.0 0.0.0.0"
        min_links = 1
        min_links_down = "operational"
        mode = "static"
        mtu = 1500
        mtu_override = "disable"
      ~ name = "vpn-hq-wan1" -> "aws-hq-wan1"
        ndiscforward = "enable"
        netbios_forward = "disable"
        netflow_sampler = "disable"
        outbandwidth = 0
        padt_retry_timeout = 1
        ping_serv_status = 0
        polling_interval = 20
        pppoe_unnumbered_negotiate = "enable"
        pptp_auth_type = "auto"
        pptp_client = "disable"
        pptp_server_ip = "0.0.0.0"
        pptp_timeout = 0
        preserve_session_route = "disable"
        priority = 0
        priority_override = "enable"
        proxy_captive_portal = "disable"
        remote_ip = "169.254.255.2 255.255.255.255"
        role = "undefined"
        sample_direction = "both"
        sample_rate = 2000
        secondary_ip = "disable"
        security_mac_auth_bypass = "disable"
        security_mode = "none"
        sflow_sampler = "disable"
        snmp_index = 5
        speed = "auto"
        spillover_threshold = 0
        src_check = "enable"
        status = "up"
        stpforward = "disable"
        stpforward_mode = "rpl-all-ext-id"
        subst = "disable"
        substitute_dst_mac = "00:00:00:00:00:00"
        switch_controller_access_vlan = "disable"
        switch_controller_arp_inspection = "disable"
        switch_controller_dhcp_snooping = "disable"
        switch_controller_dhcp_snooping_option82 = "disable"
        switch_controller_dhcp_snooping_verify_mac = "disable"
        switch_controller_igmp_snooping = "disable"
        switch_controller_learning_limit = 0
        tcp_mss = 0
        trust_ip6_1 = "::/0"
        trust_ip6_2 = "::/0"
        trust_ip6_3 = "::/0"
        trust_ip_1 = "0.0.0.0 0.0.0.0"
        trust_ip_2 = "0.0.0.0 0.0.0.0"
        trust_ip_3 = "0.0.0.0 0.0.0.0"
        type = "tunnel"
        vdom = "root"
        vindex = 0
        vlanforward = "disable"
        vlanid = 0
        vrf = 0
        vrrp_virtual_mac = "disable"
        wccp = "disable"
        weight = 0
        wins_ip = "0.0.0.0"
    }

  # fortios_vpnipsec_phase1interface.vpn_hq_wan1 will be updated in-place
  ~ resource "fortios_vpnipsec_phase1interface" "vpn_hq_wan1" {
        acct_verify = "disable"
        add_gw_route = "disable"
        add_route = "enable"
        assign_ip = "enable"
        assign_ip_from = "range"
        authmethod = "psk"
        auto_discovery_forwarder = "disable"
        auto_discovery_psk = "disable"
        auto_discovery_receiver = "disable"
        auto_discovery_sender = "disable"
        auto_negotiate = "enable"
        cert_id_validation = "enable"
        childless_ike = "disable"
        client_auto_negotiate = "disable"
        client_keep_alive = "disable"
        default_gw = "0.0.0.0"
        default_gw_priority = 0
        dhgrp = "21"
        digital_signature_auth = "disable"
        distance = 15
        dns_mode = "manual"
        dpd = "on-demand"
        dpd_retrycount = 3
        dpd_retryinterval = "20"
        eap = "disable"
        eap_identity = "use-id-payload"
        encap_local_gw4 = "0.0.0.0"
        encap_local_gw6 = "::"
        encap_remote_gw4 = "0.0.0.0"
        encap_remote_gw6 = "::"
        encapsulation = "none"
        encapsulation_address = "ike"
        enforce_unique_id = "disable"
        exchange_interface_ip = "disable"
        exchange_ip_addr4 = "0.0.0.0"
        exchange_ip_addr6 = "::"
        forticlient_enforcement = "disable"
        fragmentation = "enable"
        fragmentation_mtu = 1200
        group_authentication = "disable"
        ha_sync_esp_seqno = "enable"
        id = "vpn-hq-wan1"
        idle_timeout = "disable"
        idle_timeoutinterval = 15
        ike_version = "2"
        include_local_lan = "disable"
        interface = "port1"
        ip_version = "4"
        ipv4_dns_server1 = "0.0.0.0"
        ipv4_dns_server2 = "0.0.0.0"
        ipv4_dns_server3 = "0.0.0.0"
        ipv4_end_ip = "0.0.0.0"
        ipv4_netmask = "255.255.255.255"
        ipv4_start_ip = "0.0.0.0"
        ipv4_wins_server1 = "0.0.0.0"
        ipv4_wins_server2 = "0.0.0.0"
        ipv6_dns_server1 = "::"
        ipv6_dns_server2 = "::"
        ipv6_dns_server3 = "::"
        ipv6_end_ip = "::"
        ipv6_prefix = 128
        ipv6_start_ip = "::"
        keepalive = 10
        keylife = 86400
        local_gw = "54.237.170.14"
        local_gw6 = "::"
        localid_type = "auto"
        mesh_selector_type = "disable"
        mode = "main"
        mode_cfg = "disable"
        monitor_hold_down_delay = 0
        monitor_hold_down_time = "00:00"
        monitor_hold_down_type = "immediate"
        monitor_hold_down_weekday = "sunday"
      ~ name = "vpn-hq-wan1" -> "aws-hq-wan1"
        nattraversal = "enable"
        negotiate_timeout = 30
        net_device = "disable"
        passive_mode = "disable"
        peertype = "any"
        ppk = "disable"
        priority = 0
        proposal = "aes256-sha256"
        psksecret = "Lifesaver1"
        reauth = "disable"
        rekey = "enable"
        remote_gw = "144.91.197.106"
        remote_gw6 = "::"
        rsa_signature_format = "pkcs1"
        save_password = "disable"
        send_cert_chain = "enable"
        signature_hash_alg = "sha2-512 sha2-384 sha2-256 sha1"
        suite_b = "disable"
        tunnel_search = "selectors"
        type = "static"
        unity_support = "enable"
        vni = 0
        wizard_type = "custom"
        xauthtype = "disable"
    }

  # fortios_vpnipsec_phase2interface.vpn_hq_wan1 will be updated in-place
  ~ resource "fortios_vpnipsec_phase2interface" "vpn_hq_wan1" {
        add_route = "phase1"
        auto_discovery_forwarder = "phase1"
        auto_discovery_sender = "phase1"
        auto_negotiate = "disable"
        dhcp_ipsec = "disable"
        dhgrp = "21"
        dst_addr_type = "subnet"
        dst_end_ip6 = "::"
        dst_port = 0
        dst_subnet = "0.0.0.0 0.0.0.0"
        encapsulation = "tunnel-mode"
        id = "vpn-hq-wan1"
        keepalive = "disable"
        keylife_type = "seconds"
        keylifekbs = 5120
        keylifeseconds = 3600
        l2tp = "disable"
      ~ name = "vpn-hq-wan1" -> "aws-hq-wan1"
        pfs = "enable"
      ~ phase1name = "vpn-hq-wan1" -> "aws-hq-wan1"
        proposal = "aes256-sha256"
        protocol = 0
        replay = "enable"
        route_overlap = "use-new"
        single_source = "disable"
        src_addr_type = "subnet"
        src_end_ip6 = "::"
        src_port = 0
        src_subnet = "0.0.0.0 0.0.0.0"
    }

Plan: 0 to add, 5 to change, 0 to destroy.

# Resource Docs: https://registry.terraform.io/providers/fortinetdev/fortios/latest/docs/resources/fortios_vpnipsec_phase2interface
resource "fortios_vpnipsec_phase1interface" "vpn_hq_wan1" {
  name         = "aws-hq-wan1"
  interface    = "port1"
  ike_version  = "2"
  peertype     = "any"
  proposal     = "aes256-sha256"
  dhgrp        = "21"
  local_gw     = var.aws_vpn_eip
  remote_gw    = var.hq_wan1_ip
  psksecret    = "XXXXXX"
  nattraversal = "enable"
  ### Random Garbage:
  net_device   = "disable"
}

resource "fortios_vpnipsec_phase2interface" "vpn_hq_wan1" {
  name           = fortios_vpnipsec_phase1interface.vpn_hq_wan1.name
  phase1name     = fortios_vpnipsec_phase1interface.vpn_hq_wan1.name
  pfs            = "enable"
  proposal       = "aes256-sha256"
  dhgrp          = "21"
  keylifeseconds = 3600
}

resource "fortios_system_interface" "vpn_hq_wan1" {
  name        = fortios_vpnipsec_phase1interface.vpn_hq_wan1.name
  description = "VPN Interface between hq wan1 and aws fw"
  type        = "tunnel"
  vdom        = "root"
  allowaccess = "ping https ssh http"
  ip          = var.hq_wan1_local_tunnel_ip
  remote_ip   = var.hq_wan1_remote_tunnel_ip
}


frankshen01 commented Oct 28, 2020

Hi @blkistsg, it seems that I have not been able to reproduce your situation; can you please re-check again?

My validation:

# cat maintst.tf
provider "fortios" {
  hostname = "192.168.52.177"
  token = "rGqsgj9Qmh3dwfQdc8hd3t3G6xG3N5"
  insecure = "true"
}

resource "fortios_vpnipsec_phase1interface" "aws_hq_wan1" {
  name         = "aws-hq-wan1"
  interface    = "port2"
  ike_version  = "2"
  peertype     = "any"
  proposal     = "aes256-sha256"
  dhgrp        = "21"
  local_gw     = "1.1.1.1"
  remote_gw    = "2.2.2.2"
  psksecret    = "XXXsssssssssssXXX"
  nattraversal = "forced"
}

resource "fortios_vpnipsec_phase2interface" "aws_hq_wan1" {
  name           = fortios_vpnipsec_phase1interface.aws_hq_wan1.name
  phase1name     = fortios_vpnipsec_phase1interface.aws_hq_wan1.name
  pfs            = "enable"
  proposal       = "aes256-sha256"
  dhgrp          = "21"
  keylifeseconds = 3600
}

# terraform apply
  ----

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # fortios_vpnipsec_phase1interface.aws_hq_wan1 will be created
  + resource "fortios_vpnipsec_phase1interface" "aws_hq_wan1" {
      + acct_verify               = (known after apply)
      + add_gw_route              = (known after apply)
      + add_route                 = (known after apply)
      + assign_ip                 = (known after apply)
      + assign_ip_from            = (known after apply)
      + authmethod                = (known after apply)
      + authmethod_remote         = (known after apply)
      + authusr                   = (known after apply)
      + authusrgrp                = (known after apply)
      + auto_discovery_forwarder  = (known after apply)
      + auto_discovery_psk        = (known after apply)
      + auto_discovery_receiver   = (known after apply)
      + auto_discovery_sender     = (known after apply)
      + auto_negotiate            = (known after apply)
      + cert_id_validation        = (known after apply)
      + childless_ike             = (known after apply)
      + client_auto_negotiate     = (known after apply)
      + client_keep_alive         = (known after apply)
      + default_gw                = (known after apply)
      + default_gw_priority       = (known after apply)
      + dhgrp                     = "21"
      + digital_signature_auth    = (known after apply)
      + distance                  = (known after apply)
      + dns_mode                  = (known after apply)
      + domain                    = (known after apply)
      + dpd                       = (known after apply)
      + dpd_retrycount            = (known after apply)
      + dpd_retryinterval         = (known after apply)
      + eap                       = (known after apply)
      + eap_identity              = (known after apply)
      + encap_local_gw4           = (known after apply)
      + encap_local_gw6           = (known after apply)
      + encap_remote_gw4          = (known after apply)
      + encap_remote_gw6          = (known after apply)
      + encapsulation             = (known after apply)
      + encapsulation_address     = (known after apply)
      + enforce_unique_id         = (known after apply)
      + exchange_interface_ip     = (known after apply)
      + exchange_ip_addr4         = (known after apply)
      + exchange_ip_addr6         = (known after apply)
      + forticlient_enforcement   = (known after apply)
      + fragmentation             = (known after apply)
      + fragmentation_mtu         = (known after apply)
      + group_authentication      = (known after apply)
      + ha_sync_esp_seqno         = (known after apply)
      + id                        = (known after apply)
      + idle_timeout              = (known after apply)
      + idle_timeoutinterval      = (known after apply)
      + ike_version               = "2"
      + include_local_lan         = (known after apply)
      + interface                 = "port2"
      + ip_version                = (known after apply)
      + ipv4_dns_server1          = (known after apply)
      + ipv4_dns_server2          = (known after apply)
      + ipv4_dns_server3          = (known after apply)
      + ipv4_end_ip               = (known after apply)
      + ipv4_name                 = (known after apply)
      + ipv4_netmask              = (known after apply)
      + ipv4_split_exclude        = (known after apply)
      + ipv4_split_include        = (known after apply)
      + ipv4_start_ip             = (known after apply)
      + ipv4_wins_server1         = (known after apply)
      + ipv4_wins_server2         = (known after apply)
      + ipv6_dns_server1          = (known after apply)
      + ipv6_dns_server2          = (known after apply)
      + ipv6_dns_server3          = (known after apply)
      + ipv6_end_ip               = (known after apply)
      + ipv6_name                 = (known after apply)
      + ipv6_prefix               = (known after apply)
      + ipv6_split_exclude        = (known after apply)
      + ipv6_split_include        = (known after apply)
      + ipv6_start_ip             = (known after apply)
      + keepalive                 = (known after apply)
      + keylife                   = (known after apply)
      + local_gw                  = "1.1.1.1"
      + local_gw6                 = (known after apply)
      + localid                   = (known after apply)
      + localid_type              = (known after apply)
      + mesh_selector_type        = (known after apply)
      + mode                      = (known after apply)
      + mode_cfg                  = (known after apply)
      + monitor                   = (known after apply)
      + monitor_hold_down_delay   = (known after apply)
      + monitor_hold_down_time    = (known after apply)
      + monitor_hold_down_type    = (known after apply)
      + monitor_hold_down_weekday = (known after apply)
      + name                      = "aws-hq-wan1"
      + nattraversal              = "forced"
      + negotiate_timeout         = (known after apply)
      + net_device                = (known after apply)
      + passive_mode              = (known after apply)
      + peer                      = (known after apply)
      + peergrp                   = (known after apply)
      + peerid                    = (known after apply)
      + peertype                  = "any"
      + ppk                       = (known after apply)
      + ppk_identity              = (known after apply)
      + priority                  = (known after apply)
      + proposal                  = "aes256-sha256"
      + psksecret                 = (sensitive value)
      + reauth                    = (known after apply)
      + rekey                     = (known after apply)
      + remote_gw                 = "2.2.2.2"
      + remote_gw6                = (known after apply)
      + remotegw_ddns             = (known after apply)
      + rsa_signature_format      = (known after apply)
      + save_password             = (known after apply)
      + send_cert_chain           = (known after apply)
      + signature_hash_alg        = (known after apply)
      + split_include_service     = (known after apply)
      + suite_b                   = (known after apply)
      + tunnel_search             = (known after apply)
      + type                      = (known after apply)
      + unity_support             = (known after apply)
      + usrgrp                    = (known after apply)
      + vni                       = (known after apply)
      + wizard_type               = (known after apply)
      + xauthtype                 = (known after apply)
    }

  # fortios_vpnipsec_phase2interface.aws_hq_wan1 will be created
  + resource "fortios_vpnipsec_phase2interface" "aws_hq_wan1" {
      + add_route                = (known after apply)
      + auto_discovery_forwarder = (known after apply)
      + auto_discovery_sender    = (known after apply)
      + auto_negotiate           = (known after apply)
      + dhcp_ipsec               = (known after apply)
      + dhgrp                    = "21"
      + dst_addr_type            = (known after apply)
      + dst_end_ip               = (known after apply)
      + dst_end_ip6              = (known after apply)
      + dst_name                 = (known after apply)
      + dst_name6                = (known after apply)
      + dst_port                 = (known after apply)
      + dst_start_ip             = (known after apply)
      + dst_start_ip6            = (known after apply)
      + dst_subnet               = (known after apply)
      + dst_subnet6              = (known after apply)
      + encapsulation            = (known after apply)
      + id                       = (known after apply)
      + keepalive                = (known after apply)
      + keylife_type             = (known after apply)
      + keylifekbs               = (known after apply)
      + keylifeseconds           = 3600
      + l2tp                     = (known after apply)
      + name                     = "aws-hq-wan1"
      + pfs                      = "enable"
      + phase1name               = "aws-hq-wan1"
      + proposal                 = "aes256-sha256"
      + protocol                 = (known after apply)
      + replay                   = (known after apply)
      + route_overlap            = (known after apply)
      + single_source            = (known after apply)
      + src_addr_type            = (known after apply)
      + src_end_ip               = (known after apply)
      + src_end_ip6              = (known after apply)
      + src_name                 = (known after apply)
      + src_name6                = (known after apply)
      + src_port                 = (known after apply)
      + src_start_ip             = (known after apply)
      + src_start_ip6            = (known after apply)
      + src_subnet               = (known after apply)
      + src_subnet6              = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

fortios_vpnipsec_phase1interface.aws_hq_wan1: Creating...
fortios_vpnipsec_phase1interface.aws_hq_wan1: Creation complete after 0s [id=aws-hq-wan1]
fortios_vpnipsec_phase2interface.aws_hq_wan1: Creating...
fortios_vpnipsec_phase2interface.aws_hq_wan1: Creation complete after 0s [id=aws-hq-wan1]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Then I changed the interface name to 'port3' and executed it again. The result was successful:

root@sv:/work/zamba/03fos-gen/03Terraform/bin# terraform apply
  ----
fortios_vpnipsec_phase1interface.aws_hq_wan1: Refreshing state... [id=aws-hq-wan1]
fortios_vpnipsec_phase2interface.aws_hq_wan1: Refreshing state... [id=aws-hq-wan1]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # fortios_vpnipsec_phase1interface.aws_hq_wan1 will be updated in-place
  ~ resource "fortios_vpnipsec_phase1interface" "aws_hq_wan1" {
        acct_verify               = "disable"
        add_gw_route              = "disable"
        add_route                 = "enable"
        assign_ip                 = "enable"
        assign_ip_from            = "range"
        authmethod                = "psk"
        auto_discovery_forwarder  = "disable"
        auto_discovery_psk        = "disable"
        auto_discovery_receiver   = "disable"
        auto_discovery_sender     = "disable"
        auto_negotiate            = "enable"
        cert_id_validation        = "enable"
        childless_ike             = "disable"
        client_auto_negotiate     = "disable"
        client_keep_alive         = "disable"
        default_gw                = "0.0.0.0"
        default_gw_priority       = 0
        dhgrp                     = "21"
        digital_signature_auth    = "disable"
        distance                  = 15
        dns_mode                  = "manual"
        dpd                       = "on-demand"
        dpd_retrycount            = 3
        dpd_retryinterval         = "20"
        eap                       = "disable"
        eap_identity              = "use-id-payload"
        encap_local_gw4           = "0.0.0.0"
        encap_local_gw6           = "::"
        encap_remote_gw4          = "0.0.0.0"
        encap_remote_gw6          = "::"
        encapsulation             = "none"
        encapsulation_address     = "ike"
        enforce_unique_id         = "disable"
        exchange_interface_ip     = "disable"
        exchange_ip_addr4         = "0.0.0.0"
        exchange_ip_addr6         = "::"
        forticlient_enforcement   = "disable"
        fragmentation             = "enable"
        fragmentation_mtu         = 1200
        group_authentication      = "disable"
        ha_sync_esp_seqno         = "enable"
        id                        = "aws-hq-wan1"
        idle_timeout              = "disable"
        idle_timeoutinterval      = 15
        ike_version               = "2"
        include_local_lan         = "disable"
      ~ interface                 = "port2" -> "port3"
        ip_version                = "4"
        ipv4_dns_server1          = "0.0.0.0"
        ipv4_dns_server2          = "0.0.0.0"
        ipv4_dns_server3          = "0.0.0.0"
        ipv4_end_ip               = "0.0.0.0"
        ipv4_netmask              = "255.255.255.255"
        ipv4_start_ip             = "0.0.0.0"
        ipv4_wins_server1         = "0.0.0.0"
        ipv4_wins_server2         = "0.0.0.0"
        ipv6_dns_server1          = "::"
        ipv6_dns_server2          = "::"
        ipv6_dns_server3          = "::"
        ipv6_end_ip               = "::"
        ipv6_prefix               = 128
        ipv6_start_ip             = "::"
        keepalive                 = 10
        keylife                   = 86400
        local_gw                  = "1.1.1.1"
        local_gw6                 = "::"
        localid_type              = "auto"
        mesh_selector_type        = "disable"
        mode                      = "main"
        mode_cfg                  = "disable"
        monitor_hold_down_delay   = 0
        monitor_hold_down_time    = "00:00"
        monitor_hold_down_type    = "immediate"
        monitor_hold_down_weekday = "sunday"
        name                      = "aws-hq-wan1"
        nattraversal              = "forced"
        negotiate_timeout         = 30
        net_device                = "enable"
        passive_mode              = "disable"
        peertype                  = "any"
        ppk                       = "disable"
        priority                  = 0
        proposal                  = "aes256-sha256"
        psksecret                 = (sensitive value)
        reauth                    = "disable"
        rekey                     = "enable"
        remote_gw                 = "2.2.2.2"
        remote_gw6                = "::"
        rsa_signature_format      = "pkcs1"
        save_password             = "disable"
        send_cert_chain           = "enable"
        signature_hash_alg        = "sha2-512 sha2-384 sha2-256 sha1"
        suite_b                   = "disable"
        tunnel_search             = "selectors"
        type                      = "static"
        unity_support             = "enable"
        vni                       = 0
        wizard_type               = "custom"
        xauthtype                 = "disable"
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

fortios_vpnipsec_phase1interface.aws_hq_wan1: Modifying... [id=aws-hq-wan1]
fortios_vpnipsec_phase1interface.aws_hq_wan1: Modifications complete after 0s [id=aws-hq-wan1]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

The operation mode of modifying the interface name here is consistent with the operation mode of CLI. By the way, can you please keep the line breaks in the terraform configuration you pasted? I have to reformat the content you pasted to analyze them. Thanks!


mbdraks commented Oct 28, 2020

@frankshen01

What he's trying to change is the field name

name                      = "aws-hq-wan1"

Not the interface name field. The name field is used to generate a new interface (if you check at conf sys interface).


frankshen01 commented Nov 10, 2020

Thanks @mbdraks.

Hi @blkistsg, please do not expect the terraform resource to be created by modifying the name field only; you need to modify the name of the resource itself at the same time. This means:

resource "fortios_vpnipsec_phase1interface" "tr1abc" {
  name         = "abc" 
  interface    = "port2"
  ike_version  = "2"
  peertype     = "any"
  proposal     = "aes256-sha256"
  dhgrp        = "21"
  local_gw     = "1.1.1.1"
  remote_gw    = "2.2.2.2"
  psksecret    = "XXXsssssssssssXXX"
  nattraversal = "forced"
}

If only the name field is modified here, terraform will regard it as modifying the original resource fortios_vpnipsec_phase1interface.tr1abc. The correct approach is to modify the resource name at the same time:

resource "fortios_vpnipsec_phase1interface" "tr1cde" { <==================================
  name         = "cde"    <=========================================
  interface    = "port2"
  ike_version  = "2"
  peertype     = "any"
  proposal     = "aes256-sha256"
  dhgrp        = "21"
  local_gw     = "1.1.1.1"
  remote_gw    = "2.2.2.2"
  psksecret    = "XXXsssssssssssXXX"
  nattraversal = "forced"
}

At this time terraform thinks that a new resource fortios_vpnipsec_phase1interface.tr1cde will be created and the old one fortios_vpnipsec_phase1interface.tr1abc will be destroyed.

Refer: hashicorp/terraform#10792 , as terraform founder mitchellh and terraform developer apparentlymart described:

mitchellh: Terraform tracks resources by their name. If you change the name, you have created a new resource and deleted the old resource.
apparentlymart: One consequence of that is that Terraform can't tell if it's being asked to "create" a resource that already exists...

By the way, for the creation and modification of fortios_vpnipsec_phase1interface/fortios_vpnipsec_phase2interface/fortios_system_interface, the creation and modification can theoretically be realized in the following way:

variable "address_object_subnets" {
  type = list
  default = ["sda1"]
}

resource "fortios_vpnipsec_phase1interface" "tr1" {
  for_each = toset(var.address_object_subnets)
  name         = each.key
  interface    = "port2"
  ike_version  = "2"
  peertype     = "any"
  proposal     = "aes256-sha256"
  dhgrp        = "21"
  local_gw     = "1.1.1.1"
  remote_gw    = "2.2.2.2"
  psksecret    = "XXXsssssssssssXXX"
  nattraversal = "forced"
}

resource "fortios_vpnipsec_phase2interface" "tr2" {
  for_each = toset(var.address_object_subnets)
  name           = fortios_vpnipsec_phase1interface.tr1[each.key].name
  phase1name     = fortios_vpnipsec_phase1interface.tr1[each.key].name
  pfs            = "enable"
  proposal       = "aes256-sha256"
  dhgrp          = "21"
  keylifeseconds = 3600
}

resource "fortios_system_interface" "tr2" {
  for_each = toset(var.address_object_subnets)
  vdom        = "root"
  name        = fortios_vpnipsec_phase2interface.tr2[each.key].name
  ip          = "10.10.10.2 255.255.255.255"
  remote_ip   = "172.22.1.30 255.255.255.255"
  interface   = "port2"
  allowaccess = "ping"
  tcp_mss     = "1350"

  autogenerated = "auto"
}

But if the resource fortios_vpnipsec_phase1interface is unchanged except for the resource name and the name field, the above method is not feasible, since terraform still has the following problems, as described in https://discuss.hashicorp.com/t/destroy-before-create/3980/3. This means the new fortios_vpnipsec_phase1interface may be created before the old fortios_vpnipsec_phase1interface is destroyed; if the fortios_vpnipsec_phase1interface is unchanged except for the resource name and the name field, the FGT creation will fail. In view of this situation, executing terraform destroy first and then terraform apply is a better way. Thanks!

@StratusChris

@frankshen01 - This is not the behavior of other providers, for instance the AWS provider (probably the most mature). My understanding is that the provider should codify which settings are able to be modified directly vs. which need to force a complete destroy/create cycle of the resource. If I'm not mistaken, it is done by marking the schema elements for the resource which cannot be modified directly with the ForceNew behavior.

Here is the documentation in HashiCorp docs: https://www.terraform.io/docs/extend/schemas/schema-behaviors.html#forcenew
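frankshen01's explanation above (Terraform identifies a resource by its address, so changing only the name attribute plans as an in-place update while changing the address plans as a create plus a destroy) and StratusChris's ForceNew suggestion both come down to one decision a planner makes per resource: update, replace, create or destroy. The following is an added example, not code from the terraform-provider-fortios project or from anyone in this thread. It is a small Go model of that decision; `Plan`, `Schema`, `BuggyProvider`, `FixedProvider` and the attribute sets are hypothetical constructs of this example, and the `ForceNew` struct field only imitates the flag of the same name on a `schema.Schema` in the real Terraform plugin SDK.

```go
package main

import (
	"fmt"
	"sort"
)

// Action is the per-resource plan action a Terraform-style planner emits.
type Action int

const (
	NoOp Action = iota
	Create
	Update
	Replace
	Destroy
)

var actionNames = [...]string{"no-op", "create", "update in-place", "replace (destroy then create)", "destroy"}

func (a Action) String() string { return actionNames[a] }

// AttrSchema is a hypothetical stand-in for the SDK behaviour flag this thread
// is about: ForceNew means a change to the attribute cannot be applied in place.
type AttrSchema struct{ ForceNew bool }

// Schema maps attribute names to their behaviour flags (hypothetical).
type Schema map[string]AttrSchema

// Resource is the attribute set of one resource instance, values as strings.
type Resource map[string]string

// Plan compares prior state with desired configuration, both keyed by resource
// address such as "fortios_vpnipsec_phase1interface.tr1abc", and returns one
// action per address. Identity is the address; an attribute value such as
// name is never used to match state to configuration.
func Plan(schema Schema, prior, desired map[string]Resource) map[string]Action {
	out := make(map[string]Action)
	for addr, want := range desired {
		have, exists := prior[addr]
		if !exists {
			out[addr] = Create // address not in state: nothing to compare against
			continue
		}
		action := NoOp
		for attr, v := range want {
			if have[attr] == v {
				continue
			}
			if schema[attr].ForceNew {
				action = Replace // a ForceNew attribute changed: replacement wins
				break
			}
			action = Update
		}
		out[addr] = action
	}
	for addr := range prior {
		if _, ok := desired[addr]; !ok {
			out[addr] = Destroy // address dropped from configuration
		}
	}
	return out
}

// phase1 builds a constructed phase1 interface attribute set for the scenarios.
func phase1(name, iface string) Resource {
	return Resource{"name": name, "interface": iface, "ike_version": "2", "peertype": "any"}
}

// BuggyProvider models the schema the reporter hit: name is an ordinary attribute.
var BuggyProvider = Schema{"name": {}, "interface": {}}

// FixedProvider models the schema after StratusChris's suggestion: name is ForceNew.
var FixedProvider = Schema{"name": {ForceNew: true}, "interface": {}}

const addr = "fortios_vpnipsec_phase1interface.vpn_hq_wan1"

// RenameNameOnly keeps the address and changes only the name attribute.
func RenameNameOnly(s Schema) Action {
	prior := map[string]Resource{addr: phase1("vpn-hq-wan1", "port1")}
	desired := map[string]Resource{addr: phase1("aws-hq-wan1", "port1")}
	return Plan(s, prior, desired)[addr]
}

// ChangeInterface keeps address and name and changes interface, like the port2 -> port3 validation.
func ChangeInterface(s Schema) Action {
	prior := map[string]Resource{addr: phase1("aws-hq-wan1", "port2")}
	desired := map[string]Resource{addr: phase1("aws-hq-wan1", "port3")}
	return Plan(s, prior, desired)[addr]
}

// RenameAddressToo changes both the address and the name, the workaround given above.
func RenameAddressToo(s Schema) map[string]Action {
	prior := map[string]Resource{"fortios_vpnipsec_phase1interface.tr1abc": phase1("abc", "port2")}
	desired := map[string]Resource{"fortios_vpnipsec_phase1interface.tr1cde": phase1("cde", "port2")}
	return Plan(s, prior, desired)
}

func main() {
	fmt.Println("name only, name not ForceNew:", RenameNameOnly(BuggyProvider))
	fmt.Println("name only, name ForceNew:    ", RenameNameOnly(FixedProvider))
	fmt.Println("interface change:            ", ChangeInterface(FixedProvider))
	plan := RenameAddressToo(BuggyProvider)
	addrs := make([]string, 0, len(plan))
	for a := range plan {
		addrs = append(addrs, a)
	}
	sort.Strings(addrs)
	for _, a := range addrs {
		fmt.Printf("%s: %s\n", a, plan[a])
	}
}
```

With name an ordinary attribute, the rename plans as an update and the provider sends an edit the FortiGate cannot honour, which is what the reporter's `5 to change` plan shows; with name flagged ForceNew the same change plans as a replacement, shown in real Terraform output with `-/+` instead of `~`, so the old object is removed and a new one created without the operator having to rename the resource block by hand.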


frankshen01 commented Nov 30, 2020

Hi @StratusChris, you are totally right, your suggestion is wonderful. Thanks for the guidance. The bug will be fixed, it will be included in the next release (within a week). Thank you!

@StratusChris

Thanks so much @frankshen01 ! I suspect this same fix is needed for every resource where the name field is used as the object id in the FortiGate (almost all resources seem to fall under this since ids are not usually generated by the FortiGate).

We really appreciate all the work you're doing on this provider, you're making really fast progress and it's very meaningful for us!


frankshen01 commented Dec 3, 2020

Hi @StratusChris, thanks for your kind words. The feature has been supported and released; please see the latest version (v1.6.15): https://registry.terraform.io/providers/fortinetdev/fortios/latest. Let me know if you need anything else. Thanks again!

@MaxxLiu22

I will go ahead and close this case; if you still have questions, feel free to reopen it or open another case.
