fortinet/fortigate-terraform-deploy

sdn-connector configuration does not work by default


The sdn-connector configuration as specified for the ha-azure setup does not work by default. Specifically, I am talking about this ha-setup:
https://github.com/fortinet/fortigate-terraform-deploy/tree/main/azure/7.4/ha-port1-mgmt-crosszone

While the virtual machine gets managed identities assigned which can be used by the sdn-connector, the managed identities are not configured accordingly. This would require granting them permissions as laid out in the official fortigate documentation: https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/430141/access-control

However, the current state makes use of an app registration, which again is not provisioned with the code. So the current state is somewhere in between using managed identities and using an app registration, neither of which is fully supported by default. Additionally, the role definition is also not available in the template.

It would be nice if the app-registration part could be deleted, the managed identity used, a custom role definition added and eventually applied to the newly created managed identities. All of this would be possible.

Alternatively, it would be nice if missing steps to get this fully functional would at least be documented in the README.
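The change requested above (drop the app registration, create a custom role and assign it to the FortiGate VMs' managed identities) as an added Terraform example. This is not code from fortinet/fortigate-terraform-deploy: the resource names (`azurerm_resource_group.fortigate`, `azurerm_linux_virtual_machine.fgt_a`/`fgt_b`), the role name and the action list are assumptions; the authoritative list of required actions is the Fortinet access-control page linked in the issue, and the VMs are assumed to declare `identity { type = "SystemAssigned" }`.

```hcl
# Added example, not part of the fortigate-terraform-deploy templates.
# Grants the FortiGate VMs' system-assigned managed identities a custom,
# least-privilege role so the Azure SDN connector works without an app
# registration. Resource references and the action list are assumptions.

data "azurerm_subscription" "current" {}

resource "azurerm_role_definition" "fortigate_sdn" {
  name        = "fortigate-sdn-connector" # assumed name
  scope       = data.azurerm_subscription.current.id
  description = "Reads for the FortiGate Azure SDN connector plus the writes HA failover needs"

  permissions {
    # Read actions cover dynamic address objects; the write/join actions are
    # what HA failover needs to move the NIC IP configs, public IP and routes.
    # Verify this list against the Fortinet access-control documentation.
    actions = [
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Network/networkInterfaces/read",
      "Microsoft.Network/networkInterfaces/write",
      "Microsoft.Network/publicIPAddresses/read",
      "Microsoft.Network/publicIPAddresses/join/action",
      "Microsoft.Network/routeTables/read",
      "Microsoft.Network/routeTables/write",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/read",
    ]
    not_actions = []
  }

  # Confine the role to the resource group the FortiGates live in instead of
  # making it assignable across the whole subscription.
  assignable_scopes = [azurerm_resource_group.fortigate.id] # assumed resource group
}

# One assignment per FortiGate VM. Both VM resources are assumed to exist in
# the template with a SystemAssigned identity.
locals {
  fortigate_principal_ids = {
    active  = azurerm_linux_virtual_machine.fgt_a.identity[0].principal_id
    passive = azurerm_linux_virtual_machine.fgt_b.identity[0].principal_id
  }
}

resource "azurerm_role_assignment" "fortigate_sdn" {
  for_each           = local.fortigate_principal_ids
  scope              = azurerm_resource_group.fortigate.id
  role_definition_id = azurerm_role_definition.fortigate_sdn.role_definition_resource_id
  principal_id       = each.value
}
```

With the assignments in place the FortiOS side no longer needs a client ID and secret: the SDN connector is switched to the instance metadata identity (`set use-metadata-iam enable` under `config system sdn-connector`), so no application credentials are stored in the FortiGate configuration or the Terraform state. Keeping the role scoped to one resource group and to the listed actions is the least-privilege counterpart of the app-registration approach the issue describes.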

added the fabric connector piece in the readme file.