-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ERROR: produced an unexpected new value: Root resource was present, but now absent. #333
Comments
For what it's worth, after some debugging, I noticed that after a successful POST to the firewall address endpoint by the provider, it immediately performs a GET against the returned resource id. As the POST itself will return a status for the initial request (success/failure), it felt redundant to perform the extra GET after a success being returned. Though, I may be misunderstanding the purpose of that extra GET request and why it's on all firewall address actions except DELETE. I've pulled the provider locally, removed that extra GET, and verified that my firewall addresses, address groups, services, service groups, and policies are building correctly. This is just a data point I've collected. Still not sure why the firewall would return a |
Hi @natemellendorf , Thank you for raising this issue and providing this valuable information. It is quite strange; it appears that the FOS return shows two objects existing in the current URL path, but the content is missing, resulting in a 404 error. As you mentioned, if this issue occurs randomly across different resources, it may be related to the logic of how the backend handles requests. I wonder if it is possible for you to provide your var.policy_config file and hide sensitive information since I can't reproduce this issue on my end when creating 20 firewall addresses. Alternatively, we could enable the debug function on FOS to see what is happening on the backend.
Thanks, |
Thanks for taking a look and responding to my issue. Your observation and subsequent concern is where I landed too. I enabled those debug commands on one of the six Fortinet NGFWs two days ago, and they didn’t reveal much for me. I’ll start over, enable them again, and run the apply until the firewall produces the error. I’ll also supply a full working example of my terraform configuration with sensitive info redacted. I should have this for you tomorrow,. thanks again,
|
I have a simple replication here terraform {
required_providers {
fortimanager = {
source = "fortinetdev/fortimanager"
version = "1.12.1"
}
}
}
provider "fortimanager" {
hostname = "x.x.x.x"
username = "admin"
password = "password"
}
locals {
fqdns_intune = split("\n", file("urls-intune.txt"))
}
resource "fortimanager_object_firewall_address" "intune_fqdn" {
for_each = toset(local.fqdns_intune)
name = "Intune ${each.value}"
type = "fqdn"
fqdn = each.value
comment = "Intune ${each.value}"
} Where
(actual list is much longer but truncated to this to test, and produces same error) diag logs I'm seeing on the fortimanager Request [/usr/local/apache2/bin/httpd: 8030: 2292
]: {
"client": "\/usr\/local\/apache2\/bin\/httpd:8030",
"id": 2292,
"method": "add",
"params": [
{
"data": {
"comment": "Intune *.windowsupdate.com",
"fqdn": "*.windowsupdate.com",
"name": "Intune *.windowsupdate.com",
"type": "fqdn"
},
"url": "\/pm\/config\/adom\/root\/obj\/firewall\/address"
}
],
"session": "xxx",
"src": "x.x.x.x"
}
Request [/usr/local/apache2/bin/httpd: 8030: 2298
]: {
"client": "\/usr\/local\/apache2\/bin\/httpd:8030",
"id": 2298,
"method": "get",
"params": [
{
"data": null,
"url": "\/pm\/config\/adom\/root\/obj\/firewall\/address\/Intune\/*.windowsupdate.com"
}
],
"session": "xxx",
"src": "x.x.x.x",
"verbose": 1
} As Nate mentioned, can see the GET there |
btw I found this issue isn't present in version |
Hi @rdkls , Thank you for bringing this issue to my attention. I was able to reproduce it, and since this issue related to the Terraform FMG provider, I have opened a separate case to track it. The root cause appears to be the presence of a space in the address name. During the GET request, Terraform may not handle this special character properly, which prevents it from locating the object it just created. I have reported the issue to the development team for resolution. Thanks, |
Hi @natemellendorf I am proceeding to close this case. If you have any further questions, please feel free to reopen it or create a new case |
Good evening, everyone.
We're in the process of deploying multiple Fortinet NGFW instances in AWS.
Things have been going smoothly, but we've hit a snag and we're not sure what to make of it.
I'll provide debugs and details below, but let me know if more information is needed.
Setup
We have multiple fortinet providers configured, each having a unique alias.
We have our firewall configuration tied to a single terraform module, which we duplicate and pass each provider into.
Example logic in the module, which creates all the addresses that are passed in:
Issue
When running a terraform plan, everything looks great. I'll see my firewalls each needing to have their policies applied.
However, when running terraform apply, we get inconsistent results. Sometimes everything applies smoothly, and others, the apply will fail on any of our firewalls. When it fails, this is the error message we get:
Debugs
debug.json
Observation
I noticed that when these failures occur, I see this in the trace:
\"matched_count\":2,\n
I see a similar log for other resources that create successfully, but they log:
\"matched_count\":1,\n
As these firewalls have little to no firewall configuration on them when we apply terraform, I find this behavior puzzling.
When I login the firewall that produced the error message,
I’ll find that the resource that threw the error was created.
Running a terraform apply again will produce the typical 500 server error, because the resource already exists on the firewall (or I believe that’s why)
This error occurs randomly. As in, it happens to any one of the multiple firewalls we're configuring. It also happens to random resources, not just
CVIAWS020
. However, in my testing, it seems to only happen to firewall addresses (objects).The text was updated successfully, but these errors were encountered: