fortinetdev/terraform-provider-fortios

defining multiple services in fortios_firewall_policy vs fortios_firewall_security_policy

JSmith-Aura opened this issue · 4 comments

Hi there,

Using the old policy creation method you could define multiple services/addresses by putting them in an array of strings like the following:

resource "fortios_firewall_security_policy" "test2" {

  srcintf             = ["port2"]
  dstintf             = ["port1"]
  srcaddr             = ["swscan.apple.com", "google-play"]
  dstaddr             = ["swscan.apple.com", "update.microsoft.com"]

}

This makes it easy to define these rules elsewhere, such as a var block and automatically create them.

However, in the new fortios_firewall_policy I've had to do the following:

resource "fortios_firewall_policy" "new_hosts_to_proxy" {
  provider = fortios.fortigate
  for_each = { for i, v in var.service_vms : i => v }

  action = "accept"
  name   = "${each.value.name} to proxy"
  status = "enable"
  nat    = "disable"

  srcintf {
    name = "${each.key + 10}${each.value.name}"
  }

  srcaddr {
    name = fortios_firewall_address.fortigate_addresses[each.key].name
  }

  service {
    name = "PROXY"
  }

  service {
    name = "WEB_PROXY"
  }

  dstaddr {
    name = "proxy.ais"
  }

  dstintf {
    name = "VM Network"
  }
}

Is there a way of supplying an array just like the previous version that I've missed?

Hi @JSmith-Aura ,

Thank you for your question. This is an API feature designed this way on purpose; it is not convenient to use now, but I guess they may add more arguments into the block in the future. So far there is no way to define it like an array; sorry for the inconvenience.

Thanks,
Maxx

Ah okay. So effectively there is no way to define these items in an object and then dynamically/statically add them as there was previously?

Hi @JSmith-Aura ,

Here is an easier way to define multiple blocks dynamically, like the internet_service_name block: we can define a list variable and use the keyword dynamic to define them. Hope that is helpful for you.

variable "internet_service_name" {
  type        = list(string)
  default     = ["Amazon-AWS", "GitHub-GitHub"]
  description = "internet_service_name"
}

resource "fortios_firewall_policy" "myrule" {
  action   = "accept"
  name     = "terraform test"
  policyid = 2
  schedule = "always"

  dstintf {
    name = "port1"
  }

  dynamic "internet_service_name" {
    for_each = var.internet_service_name
    content {
      name = internet_service_name.value
    }
  }

  srcaddr {
    name = "FABRIC_DEVICE"
  }

  srcintf {
    name = "port2"
  }
}

Thanks,
Maxx
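The same dynamic-block technique generalizes to the blocks the original question was about (srcintf, dstintf, srcaddr, dstaddr and service), so a whole policy can be driven from one object, which is what the asker wanted. The following is an added example, not code from the issue or from the provider's own documentation; the provider alias fortios.fortigate, the map key "vm-to-proxy", the interface names, the address object names and the service names PROXY and WEB_PROXY are assumptions taken from the snippets above and must exist on the FortiGate (or be created by other resources) before this policy is applied.

```hcl
# Added example: one map-of-objects variable drives every multi-valued
# block of a fortios_firewall_policy through dynamic blocks.
# The provider alias, interface, address and service names are assumptions.

variable "policies" {
  description = "Firewall policies keyed by a stable, human-readable name"
  type = map(object({
    srcintf  = list(string)
    dstintf  = list(string)
    srcaddr  = list(string)
    dstaddr  = list(string)
    services = list(string)
    nat      = bool
  }))
  default = {
    "vm-to-proxy" = {
      srcintf  = ["port2"]
      dstintf  = ["port1"]
      srcaddr  = ["swscan.apple.com", "google-play"]
      dstaddr  = ["proxy.ais"]
      services = ["PROXY", "WEB_PROXY"]
      nat      = false
    }
  }
}

resource "fortios_firewall_policy" "from_var" {
  provider = fortios.fortigate
  # Iterating over a name-keyed map (not an index-keyed one) means that
  # adding or removing one entry does not shift the keys of the others,
  # so unrelated policies are not destroyed and recreated on the firewall.
  for_each = var.policies

  name     = each.key
  action   = "accept"
  status   = "enable"
  schedule = "always"
  nat      = each.value.nat ? "enable" : "disable"

  # Each dynamic block emits one nested block per list element.
  # toset() removes accidental duplicates, which FortiOS would reject.
  # Inside "content", the iterator object is named after the block label.
  dynamic "srcintf" {
    for_each = toset(each.value.srcintf)
    content {
      name = srcintf.value
    }
  }

  dynamic "dstintf" {
    for_each = toset(each.value.dstintf)
    content {
      name = dstintf.value
    }
  }

  dynamic "srcaddr" {
    for_each = toset(each.value.srcaddr)
    content {
      name = srcaddr.value
    }
  }

  dynamic "dstaddr" {
    for_each = toset(each.value.dstaddr)
    content {
      name = dstaddr.value
    }
  }

  dynamic "service" {
    for_each = toset(each.value.services)
    content {
      name = service.value
    }
  }
}
```

Two points worth checking before relying on this. First, if the address or service objects are managed by Terraform in the same configuration, reference them (for example fortios_firewall_address.<name>.name) instead of string literals so the dependency graph orders their creation before the policy. Second, keep the map keys stable: renaming a key is a destroy-and-create of that policy, which on a FortiGate briefly removes the rule and may change its position relative to other policies.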

Ah yes thanks dynamic blocks make sense.