Category: HashiCorp

Terraform Fortigate Provider Authentication Issue

Working with automation tools like Terraform can sometimes present unexpected challenges. Recently, we encountered a tricky authentication issue with the Fortigate Terraform Provider, specifically when attempting to create firewall resources. In this blog post, we’ll walk you through the problem, the error message we received, and how we ultimately solved it.

The problem

We were configuring the Fortigate Terraform Provider for a client project when we encountered a persistent authentication issue. Despite our best efforts to configure everything correctly, we kept running into a 401 Unauthorized error, which prevented us from successfully connecting the provider to the device and creating firewall resources.

Here’s the configuration we were using:

```hcl
terraform {
  required_providers {
    fortios = {
      source  = "fortinetdev/fortios"
      version = "1.20.0"
    }
  }
}

provider "fortios" {
  hostname = "%ip-or-fqdn%"
  username = "%username%"
  token    = "%token%"
  insecure = "true"
}

resource "fortios_firewall_address" "trname" {
  name   = "test1"
  subnet = "22.1.1.0"
}
```

The error we kept seeing was as follows:

```
fortios_firewall_address.trname: Creating...
╷
│ Error: [Warning] Can not update device version: 
│ <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
│ <html><head>
│ <title>401 Unauthorized</title>
│ </head><body>
│ <h1>Unauthorized</h1>
│ <p>This server could not verify that you
│ are authorized to access the document
│ requested.  Either you supplied the wrong
│ credentials (e.g., bad password), or your
│ browser doesn't understand how to supply
│ the credentials required.</p>
│ <p>Additionally, a 401 Unauthorized
│ error was encountered while trying to use an ErrorDocument to handle the request.</p>
╵
```

This error clearly indicated that the server was unable to verify our credentials, which caused the resource creation to fail.

The solution

The real breakthrough came when my colleague Michael Meelis opened a GitHub issue to bring attention to the problem. A fellow user responded with a suggestion that ultimately resolved the issue. It turned out that a small but crucial tweak in the authentication settings was needed.

You can find the full discussion and solution in this GitHub issue.

The solution was a single change on the FortiGate side rather than in the Terraform code: enabling `rest-api-key-url-query` under `config system global`, so that the device accepts the REST API key the way the provider sends it. After applying the change from the GitHub discussion, authentication worked as expected, and we were able to use the Fortigate Terraform Provider to create firewall resources. The CLI session below shows the setting being enabled:

```
myfgt # config system global

myfgt (global) # set rest-api-key-url-query enable

myfgt (global) # show
config system global
    set hostname "myfgt"
    set rest-api-key-url-query enable
    set timezone "US/Pacific"
end

myfgt (global) # end
```
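As an added diagnostic (not from the original post, the provider, or Fortinet), the Python below sends the same API key two ways, in the `Authorization: Bearer` header and as the `access_token` URL query parameter that `rest-api-key-url-query` switches on and off, and reads the pair of status codes to tell a bad key from a key that the device only rejects when it arrives in the URL. The endpoint path and the `fake_device_send` stand-in are assumptions; swap in `https_send` to run it against a real device.

```python
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

Probe = Tuple[str, Dict[str, str]]  # (url, request headers)
STATUS_PATH = "/api/v2/monitor/system/status"  # assumed read-only FortiOS endpoint

def build_probes(host: str, token: str, path: str = STATUS_PATH) -> Tuple[Probe, Probe]:
    """Same key, two placements: Authorization header vs. ?access_token= query.
    The query form is the one rest-api-key-url-query enables or disables."""
    base = f"https://{host}{path}"
    header_probe = (base, {"Authorization": f"Bearer {token}"})
    query_probe = (base + "?" + urllib.parse.urlencode({"access_token": token}), {})
    return header_probe, query_probe

def diagnose(header_status: int, query_status: int) -> str:
    """Map the two HTTP status codes to the most likely cause of a 401."""
    if header_status == 200 and query_status == 401:
        return "token valid; URL-query API keys disabled (rest-api-key-url-query)"
    if header_status == 200 and query_status == 200:
        return "token valid; header and URL-query auth both accepted"
    if header_status == 401 and query_status == 401:
        return "token rejected either way: check the key, API user trusthost and profile"
    return f"inconclusive: header={header_status} query={query_status}"

def https_send(probe: Probe, verify_tls: bool = True, timeout: int = 10) -> int:
    """Real transport: GET the probe and return the HTTP status, 401 included."""
    url, headers = probe
    ctx = ssl.create_default_context()
    if not verify_tls:  # counterpart of the provider's insecure = "true"
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers),
                                    timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run(host: str, token: str, send: Callable[[Probe], int] = https_send) -> str:
    header_probe, query_probe = build_probes(host, token)
    return diagnose(send(header_probe), send(query_probe))

def fake_device_send(probe: Probe) -> int:
    """Constructed stand-in for the post's FortiGate: key valid, URL-query keys off."""
    _, headers = probe
    return 200 if headers.get("Authorization") == "Bearer %token%" else 401
```

With the fake device the result is the first branch of `diagnose`, which is exactly the state the post describes before the setting was enabled.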

Conclusion

Authentication and configuration issues like the “401 Unauthorized” error can be frustrating, but with the right approach, collaboration, and persistence, they can be resolved. Utilizing platforms like GitHub to share problems and find solutions proved essential to our success in this case.

Hope it was useful for someone! Please respond below if you have any comments or additional information!