fortios_firewallservice_custom unexpectedly sets icmptype and icmpcode

[niels-vd-k]

Hello!

Just ran into some odd behavior. Basically whenever I try to update or import a custom ICMP service, Terraform unexpectedly sets icmptype and icmpcode to 0, even if the service previously had these values unset. It should be leaving these values unset unless the Terraform resource explicitly defines them, and it especially shouldn't be changing them without telling me about it.

I'm thinking this might be related to #131 which should've been fixed in v1.24.0.

We're running FortiOS 7.4.12. Terraform version is;

OpenTofu v1.12.0
on windows_amd64
+ provider registry.opentofu.org/fortinetdev/fortios v1.24.1

---

To reproduce, start by creating an ICMP service (which clearly shows icmptype is unset);

config firewall service custom
    edit "Test"
        set uuid 8b0e4ff0-59b1-51f1-0164-32c0cf9414c8
        set protocol ICMP
        unset icmptype
    next
end

I then import it like so;

resource "fortios_firewallservice_custom" "test" {
  name = "Test"

  protocol = "ICMP"
}

import {
  id = "Test"
  to = fortios_firewallservice_custom.test
}

Upon applying, Terraform shows that icmpcode and icmptype are both 0, even though they are actually unset. It doesn't count this as a change;

  # fortios_firewallservice_custom.test will be updated in-place
  # (imported from "Test")
  ~ resource "fortios_firewallservice_custom" "test" {
        app_service_type      = "disable"
        check_reset_range     = "default"
        color                 = 0
      + dynamic_sort_subtable = "false"
        fabric_object         = "disable"
      + get_all_tables        = "false"
        helper                = "auto"
        icmpcode              = 0
        icmptype              = 0
        id                    = "Test"
        iprange               = "0.0.0.0"
        name                  = "Test"
        protocol              = "ICMP"
        protocol_number       = 0
        proxy                 = "disable"
        session_ttl           = 0
        tcp_halfclose_timer   = 0
        tcp_halfopen_timer    = 0
        tcp_rst_timer         = 0
        tcp_timewait_timer    = 0
        udp_idle_timer        = 0
        uuid                  = "8b0e4ff0-59b1-51f1-0164-32c0cf9414c8"
    }

Then when applying, the service is updated to have both icmptype and icmpcode set;

config firewall service custom
    edit "Test"
        set uuid 8b0e4ff0-59b1-51f1-0164-32c0cf9414c8
        set protocol ICMP
        set icmptype 0
        set icmpcode 0
    next
end

Similar behavior happens when Terraform updates a service. If I let Terraform create one like so;

resource "fortios_firewallservice_custom" "test2" {
  name = "Test2"

  protocol = "ICMP"
}

Then it won't set icmptype and icmpcode when applying;

  # fortios_firewallservice_custom.test2 will be created
  + resource "fortios_firewallservice_custom" "test2" {
      + app_service_type      = (known after apply)
      + check_reset_range     = (known after apply)
      + dynamic_sort_subtable = "false"
      + fabric_object         = (known after apply)
      + get_all_tables        = "false"
      + helper                = (known after apply)
      + id                    = (known after apply)
      + iprange               = (known after apply)
      + name                  = "Test2"
      + protocol              = "ICMP"
      + protocol_number       = (known after apply)
      + proxy                 = (known after apply)
      + uuid                  = (known after apply)
      + vdomparam             = (known after apply)
      + visibility            = (known after apply)
    }

The CLI shows this as well;

config firewall service custom
    edit "Test2"
        set uuid 4c5735a4-59b3-51f1-6f76-34dffa2bd815
        set protocol ICMP
        unset icmptype
    next
end

But when I then set a comment on this resource;

resource "fortios_firewallservice_custom" "test2" {
  name    = "Test2"
  comment = "hello world"

  protocol = "ICMP"
}

Terraform will show that the comment is the only thing that changed;

  # fortios_firewallservice_custom.test2 will be updated in-place
  ~ resource "fortios_firewallservice_custom" "test2" {
      + comment               = "hello world"
        id                    = "Test2"
        name                  = "Test2"
        # (20 unchanged attributes hidden)
    }

Yet after applying, icmptype and icmpcode were both set once again;

config firewall service custom
    edit "Test2"
        set uuid 4c5735a4-59b3-51f1-6f76-34dffa2bd815
        set protocol ICMP
        set comment "hello world"
        set icmptype 0
        set icmpcode 0
    next
end

[MaxxLiu22]

Hi @niels-vd-k,

Thank you for raising this issue. I was able to reproduce it on my side. This behavior is currently limited by the existing Terraform plugin framework we are using, and we are planning to upgrade the framework in the future. We have noted the issue and will work on a fix. Thank you as well for the detailed information you provided.

Thanks,
Maxx