Provider sees the changes in ips sensor entries but it doesn't apply them in state

[Vokunne]

Hi there,

I've faced the issue when changes for ips sensor entries (at least, for "os" "severity" "application" & "exampt_ip" variables) in "fortios_ips_sensor" terraform resource don't record into the terraform state file.

Terraform: 1.15.5
Provider: 1.24.1
FortiOS: 7.4.12

What's going wrong.
At apply stage terraform says:

  module.ips.test-sensors["test"] will be updated in-place
  ~ resource "fortios_ips_sensor" "test-sensors" {
        id                      = "test"
        name                = "test"
        # (9 unchanged attributes hidden)
      ~ entries {
            id                 = 1
          ~ os               = "Linux BSD" -> "BSD Linux"
            # (19 unchanged attributes hidden)
          - exempt_ip {
              - dst_ip = "10.0.1.0 255.255.255.224" -> null
              - id         = 1 -> null
              - src_ip  = "10.0.1.10 255.255.255.255" -> null
            }
          - exempt_ip {
              - dst_ip = "10.0.1.13 255.255.255.255" -> null
              - id         = 2 -> null
              - src_ip  = "10.0.13.16 255.255.255.240" -> null
            }
            # (2 unchanged blocks hidden)
        }
      ~ entries {
          ~ application        = "Oracle MSSQL MySQL DB2 PostgreSQL" -> "DB2 MSSQL MySQL Oracle PostgreSQL"
            id                         = 2
          ~ severity              = "high critical" -> "critical high"
            # (18 unchanged attributes hidden)
        }
        # (1 unchanged block hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.

After "apply", the terraform state contains the same values as they were before "apply" command:

"module": **********,
      "mode": "managed",
      "type": "fortios_ips_sensor",
      "name": **********
      "provider": **********,
      "instances": [
        {
          "index_key": "test",
          "schema_version": 0,
          "attributes": {
            "block_malicious_url": "enable",
            "comment": "This is a test IPS sensor",
            "dynamic_sort_subtable": "false",
            "entries": [
              {
                "action": "pass",
                "application": "all",
                "cve": [],
                "default_action": "pass",
                "default_status": "enable",
                "exempt_ip": [          <---------- This exampt_ip had to be deleted during the last apply, but it still exist
                  {
                    "dst_ip": "10.0.1.0 255.255.255.224",
                    "id": 1,
                    "src_ip": "10.0.1.10 255.255.255.255"
                  },
                  {
                    "dst_ip": "10.0.1.13 255.255.255.255",
                    "id": 2,
                    "src_ip": "10.0.13.16 255.255.255.240"
                  }
                ],
                "id": 1,   
                "last_modified": "",
                "location": "all",
                "log": "enable",
                "log_attack_context": "enable",
                "log_packet": "disable",
                "os": "Linux BSD",       <----------- Must be changed to "BSD Linux"
                "protocol": "all",
                "quarantine": "none",
                "quarantine_expiry": "1h",
                "quarantine_log": "disable",
                "rate_count": 0,
                "rate_duration": 60,
                "rate_mode": "continuous",
                "rate_track": "none",
                "rule": [],
                "severity": "all",
                "status": "enable",
                "vuln_type": [
                  {
                    "id": 11
                  },
                  {
                    "id": 12
                  }
                ]
              },
              {
                "action": "reset",
                "application": "Oracle MSSQL MySQL DB2 PostgreSQL", <------- Must be changed to "DB2 MSSQL MySQL Oracle PostgreSQL"
                "cve": [],
                "default_action": "pass",
                "default_status": "enable",
                "exempt_ip": [],
                "id": 2,
                "last_modified": "",
                "location": "server",
                "log": "enable",
                "log_attack_context": "enable",
                "log_packet": "disable",
                "os": "Linux",
                "protocol": "MSSQL SSH SSL",
                "quarantine": "attacker",
                "quarantine_expiry": "1h",
                "quarantine_log": "enable",
                "rate_count": 0,
                "rate_duration": 60,
                "rate_mode": "continuous",
                "rate_track": "none",
                "rule": [],
                "severity": "high critical",        <--------- Must be changed to "critical high"
                "status": "enable",
                "vuln_type": []
              }

I tried to use update_if_exist = true, but regretfully, nothing happened. Is it a bug or I missed something? Thanks in advance

[MaxxLiu22]

Hi @Vokunne ,

Thank you for the question.

Regarding os, severity, and application, the behavior you are seeing is expected. These fields accept values in various orders, but FortiOS stores them in a fixed order internally. The same behavior can be observed in the CLI. For example, if I configure:

FGVMULTM25002523 (2) # set os BSD Windows
FGVMULTM25002523 (2) # show
config entries
    edit 2
        set os Windows BSD
    next
end

Since these attributes are stored as strings, Terraform performs a strict comparison and considers a different order to be a change, even if the values are functionally equivalent. You may need to adjust the value order in your Terraform configuration to match the order stored by FortiOS.

As for exempt_ip, I commented it out in my Terraform configuration and terraform apply successfully removed it from both FortiOS and the state file. Based on your results, I suspect that exempt_ip may not be getting deleted successfully in your scenario. As a result, FortiOS retains the configuration, and the refreshed state file correctly reflects the actual device configuration.

Could you try deleting exempt_ip directly from FortiOS CLI to see if that is accepted by FOS?

If the issue only occurs when using Terraform, could you please share your fortios_ips_sensor configuration? That would help me reproduce the behavior and investigate further.

Thanks,
Maxx

[Vokunne]

Hi @MaxxLiu22

I apologize for the delayed reply.
Yes, I quite agree with about sorting values for os, severity and application by FortiOS. I've already met this case and usually, I aligned my with this internal rule. But now, it doesn't work at all.
I've made some changes in these values in order to check out behavior. Here are results:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
Terraform will perform the following actions:
  # <output omitted>ips-sensors["test"] will be updated in-place
  ~ resource "fortios_ips_sensor" "ips-sensors" {
        id                      = "test"
        name                    = "test"
        # (9 unchanged attributes hidden)
      ~ entries {
            id                 = 1
          ~ os                 = "Linux BSD" -> "BSD Linux Windows"
            # (19 unchanged attributes hidden)
          - exempt_ip {
              - dst_ip = "10.0.1.0 255.255.255.224" -> null
              - id     = 1 -> null
              - src_ip = "10.0.1.10 255.255.255.255" -> null
            }
          - exempt_ip {
              - dst_ip = "10.0.1.13 255.255.255.255" -> null
              - id     = 2 -> null
              - src_ip = "10.0.13.16 255.255.255.240" -> null
            }
            # (2 unchanged blocks hidden)
        }
      ~ entries {
          ~ application        = "Oracle MSSQL MySQL DB2 PostgreSQL" -> "DB2 MSSQL MySQL Oracle PostgreSQL"
            id                 = 2
          ~ protocol           = "MSSQL SSH SSL" -> "MSSQL SSH SSL UDP"
          ~ severity           = "high critical" -> "critical high"
            # (17 unchanged attributes hidden)
        }
        # (1 unchanged block hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.

Then "apply" command:

Terraform will perform the following actions:
  # <output_omitted>ips-sensors["test"] will be updated in-place
  ~ resource "fortios_ips_sensor" "ips-sensors" {
        id                      = "test"
        name                    = "test"
        # (9 unchanged attributes hidden)
      ~ entries {
            id                 = 1
          ~ os                 = "Linux BSD" -> "BSD Linux Windows"
            # (19 unchanged attributes hidden)
          - exempt_ip {
              - dst_ip = "10.0.1.0 255.255.255.224" -> null
              - id     = 1 -> null
              - src_ip = "10.0.1.10 255.255.255.255" -> null
            }
          - exempt_ip {
              - dst_ip = "10.0.1.13 255.255.255.255" -> null
              - id     = 2 -> null
              - src_ip = "10.0.13.16 255.255.255.240" -> null
            }
            # (2 unchanged blocks hidden)
        }
      ~ entries {
          ~ application        = "Oracle MSSQL MySQL DB2 PostgreSQL" -> "DB2 MSSQL MySQL Oracle PostgreSQL"
            id                 = 2
          ~ protocol           = "MSSQL SSH SSL" -> "MSSQL SSH SSL UDP"
          ~ severity           = "high critical" -> "critical high"
            # (17 unchanged attributes hidden)
        }
        # (1 unchanged block hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

The next plan is trying to sort the order and if you align code there won't be any changes in TF state. It looks like the provider looks into the Fortigate's config first and then compare changes with terraform state but without taking into consideration the upcoming changes from tf config.

Here is my config (sorry, it's a bit long)

variables.tf

variable "comment" {
  description = "value"
  sensitive   = false
  type        = string
  default     = null
}
variable "replacemsg_group" {
  description = "value"
  sensitive   = false
  type        = string
  default     = null
}
variable "block_malicious_url" {
  description = "value"
  sensitive   = false
  type        = string
  default     = "disable"
}
variable "scan_botnet_connections" {
  description = "value"
  sensitive   = false
  type        = string
  default     = "disable"
}
variable "extended_log" {
  description = "value"
  sensitive   = false
  type        = string
  default     = "disable"
}
variable "protocols" {
  description = "List of signatures grouped by protocols. FortiOS v7.4.12 - 49 protocols"
  sensitive   = false
  type        = set(string)
  default = [
    "BO", "CAPWAP", "DCERPC", "DHCP", "DNP3", "DNS", "FTGD", "FTP", "FTPS", "H323", "HTTP", "HTTP3", "HTTPS", "ICMP", 
    "IEC104", "IM", "IMAP", "IMAPS", "LDAP", "MISC", "MODBUS", "MSRP", "MSSQL", "NBSS", "NNTP", "P2P", "POP3", "POP3S",
    "RADIUS", "RAWTCP", "RDT", "RLDNP3", "RPC", "RTCP", "RTP", "RTSP", "SCCP", "SIP", "SMTP", "SMTPS", "SNMP", "SSH", "SSL", 
    "T3", "TCP", "TELNET", "TFN", "UDP"
  ]
}

variable "os" {
  description = "List of sinatures grouped by operating systems"
  sensitive   = false
  type        = set(string)
  default     = ["BSD", "Linux", "MacOS", "Solaris", "Windows"]
}

variable "severity" {
  description = "List of signatures grouped by severity level"
  sensitive   = false
  type        = set(string)
  default     = ["critical", "high",  "low", "info"]
}

variable "application" {
  description = "List of signatures grouped by applications. FortiOS v7.4.12 - 36 applications"
  sensitive   = false
  type        = set(string)
  default = [
    "Adobe", "Apache", "Apple", "ASP_app", "CA", "CGI_app", "Cisco", "DB2", "HP", "IBM", "IE", "IIS", "IM", "Ipswitch",
    "MailEnable", "MediaPlayer", "Mozilla", "MS_Exchange", "MS_Office", "MSSQL", "MySQL", "Netscape", "Novell", "Oracle",
    "P2P", "PHP_app", "PostgreSQL", "Real", "Samba", "SAP", "SCADA", "Sendmail", "Sun", "Veritas", "Winamp"
  ]
}

variable "vulnerability" {
  description = "List of signatures grouped by vulnerabilities' types"
  sensitive   = false
  type        = list(string)
  default = [
    "N/A", "DoS", "Buffer Errors", "Numeric Errors", "CSRF", "XSS", "Path Traversal", "Code Injection", "SQL Injection",
    "Format String", "Malware", "Anomaly", "Improper Authentication", "Information Disclosure",
    "Permission/Privilege/Access Control", "OS Command Injection", "Resource Management Errors", "Other"
  ]
}

variable "ips-filter-entries" {
  description = "This variable describes IPS entries for type FILTER on NGFWs"
  sensitive   = false
  type = map(object({
    status = string
    location = string
    severity = set(string)
    protocol = set(string)
    os = set(string)
    application = set(string)
    vulnerability = optional(list(string), [])
    cve = optional(set(string), [])
    default_action = optional(string, "all")
    default_status = optional(string, "all")
    rule = optional(set(string), null)
    exempt_ip = optional(list(object({ src_ip = optional(string, "0.0.0.0"), dst_ip = optional(string, "0.0.0.0") })), null)
    log = optional(string, "enable")
    log_packet = optional(string, "disable")
    log_attack_context = optional(string, "enable")
    action = optional(string, "default")
    quarantine = optional(string, "attacker")
    quarantine_expiry = optional(string, "10m")
    quarantine_log = optional(string, "enable")
  }))
  default = {
    test = {
      status         = "enable"
      location       = "all"
      severity       = ["all"]
      protocol       = ["all"]
      os             = ["BSD", "Linux", "Windows"]
      application    = ["all"]
      vulnerability  = ["Malware", "Anomaly"]
      default_action = "pass"
      default_status = "enable"
      action         = "pass"
      quarantine     = "none"
    }
    test2 = {
      status            = "enable"
      location          = "server"
      severity          = ["critical", "high"]
      protocol          = ["MSSQL", "SSH", "SSL", "UDP"]
      os                = ["Linux"]
      application       = ["DB2", "MSSQL", "MySQL", "Oracle", "PostgreSQL"]
      default_action    = "pass"
      default_status    = "enable"
      action            = "reset"
      quarantine_expiry = "1h"
    }
  }
}

variable "ips-signature-entries" {
  description = "This variable describes IPS entries for type SIGNATURE on NGFWs"
  sensitive   = false
  type = map(object({
    status = string
    location       = optional(string, null)        # NOT REQUIRED for signature entries. It MUST BE set to null
    severity       = optional(set(string), null)  # NOT REQUIRED for signature entries. It MUST BE set to null
    protocol       = optional(set(string), null)  # NOT REQUIRED for signature entries. It MUST BE set to null
    os             = optional(set(string), null)  # NOT REQUIRED for signature entries. It MUST BE set to null
    application    = optional(set(string), null)  # NOT REQUIRED for signature entries. It MUST BE set to null
    vulnerability  = optional(list(string), null) # NOT REQUIRED for signature entries. It MUST BE set to null
    cve            = optional(set(string), null)  # NOT REQUIRED for signature entries. It MUST BE set to null
    default_action = optional(string, null)       # NOT REQUIRED for signature entries. It MUST BE set to null
    default_status = optional(string, null)       # NOT REQUIRED for signature entries. It MUST BE set to null

    
    rule = set(string)
    exempt_ip = optional(list(object({
      src_ip = optional(string, ""),
      dst_ip = optional(string, "")
      })), []
    )
    log = optional(string, "enable")
    log_packet = optional(string, "disable")
    log_attack_context = optional(string, "disable")
    action = optional(string, "default")
    quarantine = optional(string, "attacker")
    quarantine_expiry = optional(string, "10m")
    quarantine_log = optional(string, "enable")
  }))
  default = {
    test = {
      status = "enable"
      rule   = [40473, 43545]
      exempt_ip = [
        { src_ip = "10.0.1.10/32", dst_ip = "10.0.1.0/27" },
        { src_ip = "10.0.13.16/28", dst_ip = "10.0.1.13/32" }
      ]
      log                = "enable"
      log_packet         = "disable"
      log_attack_context = "disable"
      action             = "pass"
      quarantine_expiry  = "1h"
      quarantine_log     = "disable"
    }
  }
}

[Vokunne]

locals.tf

locals {
  ips-sensors = {
    test = {
      name                    = "test"
      comment                 = try("This is a test IPS sensor", var.comment)
      replacemsg_group        = try("", var.replacemsg_group)
      block_malicious_url     = try("enable", var.block_malicious_url)
      scan_botnet_connections = try("block", var.scan_botnet_connections)
      extended_log            = try("enable", var.extended_log)
      entries = [
        var.ips-filter-entries["test"],
        var.ips-filter-entries["test2"],
        var.ips-signature-entries["test"]
      ]
    }
  }  
}

ips.tf

resource "fortios_ips_sensor" ips-sensors" {
  vdomparam       = "root"
  update_if_exist = true

  for_each        = local.ips-sensors

  name                    = each.value.name
  comment                 = each.value.comment
  replacemsg_group        = each.value.replacemsg_group
  block_malicious_url     = each.value.block_malicious_url
  scan_botnet_connections = each.value.scan_botnet_connections
  extended_log            = each.value.extended_log

  dynamic "entries" {
    for_each = each.value.entries
    content {
      status      = entries.value.status
      location    = entries.value.location
      severity    = entries.value.severity != null ? join(" ", tolist(entries.value.severity)) : null
      protocol    = entries.value.protocol != null ? join(" ", tolist(entries.value.protocol)) : null
      os          = entries.value.os != null ? join(" ", tolist(entries.value.os)) : null
      application = entries.value.application != null ? join(" ", tolist(entries.value.application)) : null
      dynamic "vuln_type" {
        for_each = entries.value.vulnerability != null ? entries.value.vulnerability : []
        content {
          id = (index(var.vulnerability, vuln_type.value) + 1)
        }
      }
      dynamic "cve" {
        for_each = entries.value.cve != null ? entries.value.cve : []
        content {
          cve_entry = entries.value.cve
        }
      }
      default_action = entries.value.default_action
      default_status = entries.value.default_status
      dynamic "rule" {
        for_each = entries.value.rule != null ? entries.value.rule : []
        content {
          id = rule.value
        }
      }
      dynamic "exempt_ip" {
        for_each = entries.value.exempt_ip != null ? entries.value.exempt_ip : []
        content {
          src_ip = exempt_ip.value.src_ip
          dst_ip = exempt_ip.value.dst_ip
        }
      }
      log                = entries.value.log
      log_packet         = entries.value.log_packet
      log_attack_context = entries.value.log_attack_context
      action             = entries.value.action
      quarantine         = entries.value.quarantine
      quarantine_expiry  = entries.value.quarantine == "attacker" ? entries.value.quarantine_expiry : null
      quarantine_log     = entries.value.quarantine == "attacker" ? entries.value.quarantine_log : null
    }
  }
}

[Vokunne]

@MaxxLiu22 exampt_ip in my scenario is stuck in the tf state after I deleted one ips entry (type signature) and an index of entries (in local variable) shifted. I think because of incompatibility values for filter and signature entries' types the value exampt_ip hadn't been deleted correctly.
Meanwhile, ips sensor's config on a Fortigate device is absolutely correct.
Maybe using "id" parameter for entries will prevent from shifting their order when one of them is deleted, but I'm not sure if FortiOS allows to have missing id number.

[MaxxLiu22]

Hi @Vokunne,

Thank you for the detailed information.

After adjusting the order of the string elements to match the FortiOS ordering and adding an id to each entry, everything worked correctly.

We will address the string element ordering issue in the next release to provide a better user experience.

FortiOS allows gaps in the ID sequence, so you do not need to use consecutive numbers. If an id is not specified, FortiOS automatically assigns one; however, Terraform is not aware of the auto-generated ID, which can cause it to incorrectly detect differences during state comparisons.

Thanks,
Maxx