
No matter what I try I am unable to push configuration to fortimanager #58

ccaiccie opened this issue Jan 7, 2023 · 8 comments
ccaiccie commented Jan 7, 2023

inventory file:

[fortimanager]
192.168.122.51

[fortimanager:vars]
ansible_user=admin
ansible_password=password
ansible_network_os=fortinet.fortimanager.fortimanager
playbook file

- hosts: fortimanager
  collections:
    - fortinet.fortimanager
  connection: httpapi
  gather_facts: false
  vars:
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure IPv4 addresses.
      fmgr_firewall_address:
        bypass_validation: False
        adom: root
        state: present
        firewall_address:
          allow-routing: disable
          associated-interface: any
          name: 'ansible-test'
          visibility: disable

<192.168.122.51> EXEC /bin/sh -c 'rm -f -r /home/superuser/.ansible/tmp/ansible-local-4971aga3wpy3/ansible-tmp-1673134266.360391-95251768668581/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/home/superuser/.ansible/tmp/ansible-local-4971aga3wpy3/ansible-tmp-1673134266.360391-95251768668581/AnsiballZ_fmgr_firewall_address.py", line 102, in <module>
    _ansiballz_main()
  File "/home/superuser/.ansible/tmp/ansible-local-4971aga3wpy3/ansible-tmp-1673134266.360391-95251768668581/AnsiballZ_fmgr_firewall_address.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/superuser/.ansible/tmp/ansible-local-4971aga3wpy3/ansible-tmp-1673134266.360391-95251768668581/AnsiballZ_fmgr_firewall_address.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.fortinet.fortimanager.plugins.modules.fmgr_firewall_address', init_globals=None, run_name='__main__', alter_sys=False)
  File "/usr/lib/python3.10/runpy.py", line 227, in run_module
    return _run_code(code, {}, init_globals, run_name, mod_spec)
  File "/usr/lib/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_fmgr_firewall_address_payload_iqs22y_6/ansible_fmgr_firewall_address_payload.zip/ansible_collections/fortinet/fortimanager/plugins/modules/fmgr_firewall_address.py", line 2191, in <module>
  File "/tmp/ansible_fmgr_firewall_address_payload_iqs22y_6/ansible_fmgr_firewall_address_payload.zip/ansible_collections/fortinet/fortimanager/plugins/modules/fmgr_firewall_address.py", line 2182, in main
  File "/tmp/ansible_fmgr_firewall_address_payload_iqs22y_6/ansible_fmgr_firewall_address_payload.zip/ansible_collections/fortinet/fortimanager/plugins/module_utils/napi.py", line 146, in __init__
  File "/tmp/ansible_fmgr_firewall_address_payload_iqs22y_6/ansible_fmgr_firewall_address_payload.zip/ansible_collections/fortinet/fortimanager/plugins/module_utils/napi.py", line 326, in get_system_status
  File "/tmp/ansible_fmgr_firewall_address_payload_iqs22y_6/ansible_fmgr_firewall_address_payload.zip/ansible/module_utils/connection.py", line 185, in __rpc__
ansible.module_utils.connection.ConnectionError: An attempt was made at communicating with a FMG with no valid session and an unexpected error was discovered.

[DEPRECATION WARNING]: Distribution ubuntu 22.04 on host 192.168.122.51 should use /usr/bin/python3, but is using /usr/bin/python for backward compatibility with prior Ansible releases. A
future Ansible release will default to using the discovered platform python for this host. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for
more information. This feature will be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [192.168.122.51]: FAILED! => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File \"/home/superuser/.ansible/tmp/ansible-local-4971aga3wpy3/ansible-tmp-1673134266.360391-95251768668581/AnsiballZ_fmgr_firewall_address.py\", line 102, in <module>\n _ansiballz_main()\n File \"/home/superuser/.ansible/tmp/ansible-local-4971aga3wpy3/ansible-tmp-1673134266.360391-95251768668581/AnsiballZ_fmgr_firewall_address.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/superuser/.ansible/tmp/ansible-local-4971aga3wpy3/ansible-tmp-1673134266.360391-95251768668581/AnsiballZ_fmgr_firewall_address.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible_collections.fortinet.fortimanager.plugins.modules.fmgr_firewall_address', init_globals=None, run_name='__main__', alter_sys=False)\n File \"/usr/lib/python3.10/runpy.py\", line 227, in run_module\n return _run_code(code, {}, init_globals, run_name, mod_spec)\n File \"/usr/lib/python3.10/runpy.py\", line 86, in _run_code\n exec(code, run_globals)\n File \"/tmp/ansible_fmgr_firewall_address_payload_iqs22y_6/ansible_fmgr_firewall_address_payload.zip/ansible_collections/fortinet/fortimanager/plugins/modules/fmgr_firewall_address.py\", line 2191, in <module>\n File \"/tmp/ansible_fmgr_firewall_address_payload_iqs22y_6/ansible_fmgr_firewall_address_payload.zip/ansible_collections/fortinet/fortimanager/plugins/modules/fmgr_firewall_address.py\", line 2182, in main\n File \"/tmp/ansible_fmgr_firewall_address_payload_iqs22y_6/ansible_fmgr_firewall_address_payload.zip/ansible_collections/fortinet/fortimanager/plugins/module_utils/napi.py\", line 146, in __init__\n File \"/tmp/ansible_fmgr_firewall_address_payload_iqs22y_6/ansible_fmgr_firewall_address_payload.zip/ansible_collections/fortinet/fortimanager/plugins/module_utils/napi.py\", line 326, in get_system_status\n File \"/tmp/ansible_fmgr_firewall_address_payload_iqs22y_6/ansible_fmgr_firewall_address_payload.zip/ansible/module_utils/connection.py\", line 185, in __rpc__\nansible.module_utils.connection.ConnectionError: An attempt was made at communicating with a FMG with no valid session and an unexpected error was discovered.\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",

Do you guys recommend a specific ansible version / python?

@jpforcioli

Hi,

Did you configure something like this on your FMG?

config system admin user
    edit admin
        set rpc-permit read-write
    next
end

BR.

ccaiccie commented Jan 9, 2023

Yes, I have it configured already.

Wallpix commented Apr 5, 2023

I have the exact same issue. This is the same issue as this old one that was patched a while ago. Ref: ftntcorecse/fndn_ansible#4

Fresh new install in new venv with Python 3.8 and Ansible 2.13.8

ansible==6.7.0
ansible-core==2.13.8
cffi==1.15.1
cryptography==40.0.1
Jinja2==3.1.2
MarkupSafe==2.1.2
packaging==23.0
pycparser==2.21
PyYAML==6.0
resolvelib==0.8.1

I got the latest collections from Galaxy.

fortinet.fortimanager         2.1.7  
fortinet.fortios              2.2.1  

That's pretty much the only collections installed in this venv.

Running the sample playbook from https://ansible-galaxy-fortimanager-docs.readthedocs.io/en/latest/playbook.html or any other playbooks returns the same error.

in __rpc__\nansible.module_utils.connection.ConnectionError: An attempt was made at communicating with a FMG with no valid session and an unexpected error was discovered.\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

There is no attempt to connect to the FortiManager from Ansible (I ran a tcpdump and there is no connection).
But a curl command for a similar API call (JSON RPC) does work so as far as permissions and configuration goes on the FortiManager side, it's OK.

There are no recommendations in the documentation for the version of Python and Ansible for any specific version of the FortiManager collection.

I am also trying to find the proper recipe to make this work.

Wallpix commented Apr 14, 2023

We tried to run another more simple playbook by simply log in with fmgr_sys_login_user. The key error is:
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1
As per the fmgr_sys_login_user.py (in the collection / plugins / modules folder) the expected rc code should be 0.

Normally, running one module can fail when a non-zero rc is returned. You can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

But even if we set

rc_succeeded: [0, 1]

we still get an error with code 1.

We tried the same call in Postman and we get an rc code of 0.
url: https://{{host}}/jsonrpc
body:

{
    "id": 1,
    "method": "exec",
    "params": [
        {
            "data": {
                "user": "{{user}}",
                "passwd": "{{password}}"
            },
            "url": "/sys/login/user"
        }
    ]
}

Answer:

{
    "id": 1,
    "result": [
        {
            "status": {
                "code": 0,
                "message": "OK"
            },
            "url": "/sys/login/user"
        }
    ],
    "session": "vxRtEGZz6GbDIQXL5MwoG7o9bgZUJgfsEXMLCQOrMM9DATc5YPRFwQ3wik9iHPk357BR5IJQoYnnQyZqUyiMsQ=="
}

Code is 0 in the output.

We believe that the permissions in the Fortimanager, for our user, are allowing us to login (hence Postman output) but the Ansible Collection equivalent must be doing something else as a RC of 1 is returned.

Our FortiManager version is v7.2.2 GA build1334

With this playbook, we still do not see Ansible connecting to the FortiManager in our tcpdump.

This is simply trying a login... any help would be appreciated.

@MaxxLiu22

Hi all,

I can reproduce this issue with the latest ansible-core version. Could you please downgrade it to 2.12.3 by running python3 -m pip install --user ansible-core==2.12.3 and try again? Let me know if this issue still exists.

Thanks,
Maxx

Wallpix commented Apr 25, 2023

Same error message...

ansible --version
ansible [core 2.12.3]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/psirois/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/psirois/venv-forti/lib64/python3.8/site-packages/ansible
  ansible collection location = /home/psirois/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/psirois/venv-forti/bin/ansible
  python version = 3.8.13 (default, Jun 14 2022, 17:49:07) [GCC 8.5.0 20210514 (Red Hat 8.5.0-13)]
  jinja version = 3.1.2
  libyaml = True

Here is the output of the playbook run (redacted to remove sensitive information):

PLAY [fortimanager_devprod] *****************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************
ok: [fmg301.domain.local]

TASK [save vars to file for debug] **********************************************************************************************************************************************
changed: [fmg301.domain.local]

TASK [Trying to log in the FortiManager] ****************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible.module_utils.connection.ConnectionError: An attempt was made at communicating with a FMG with no valid session and an unexpected error was discovered.
fatal: [fmg301.domain.local]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/home/devuser/.ansible/tmp/ansible-local-18487286w_rnbwh/ansible-tmp-1682430123.0147347-1848928-139376717415139/AnsiballZ_fmgr_sys_login_user.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/home/devuser/.ansible/tmp/ansible-local-18487286w_rnbwh/ansible-tmp-1682430123.0147347-1848928-139376717415139/AnsiballZ_fmgr_sys_login_user.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/devuser/.ansible/tmp/ansible-local-18487286w_rnbwh/ansible-tmp-1682430123.0147347-1848928-139376717415139/AnsiballZ_fmgr_sys_login_user.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.fortinet.fortimanager.plugins.modules.fmgr_sys_login_user', init_globals=dict(_module_fqn='ansible_collections.fortinet.fortimanager.plugins.modules.fmgr_sys_login_user', _modlib_path=modlib_path),\n  File \"/usr/lib64/python3.8/runpy.py\", line 207, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.8/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib64/python3.8/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_fmgr_sys_login_user_payload_q17wfj56/ansible_fmgr_sys_login_user_payload.zip/ansible_collections/fortinet/fortimanager/plugins/modules/fmgr_sys_login_user.py\", line 252, in <module>\n  File \"/tmp/ansible_fmgr_sys_login_user_payload_q17wfj56/ansible_fmgr_sys_login_user_payload.zip/ansible_collections/fortinet/fortimanager/plugins/modules/fmgr_sys_login_user.py\", line 243, in main\n  File \"/tmp/ansible_fmgr_sys_login_user_payload_q17wfj56/ansible_fmgr_sys_login_user_payload.zip/ansible_collections/fortinet/fortimanager/plugins/module_utils/napi.py\", line 146, in __init__\n  File 
\"/tmp/ansible_fmgr_sys_login_user_payload_q17wfj56/ansible_fmgr_sys_login_user_payload.zip/ansible_collections/fortinet/fortimanager/plugins/module_utils/napi.py\", line 326, in get_system_status\n  File \"/tmp/ansible_fmgr_sys_login_user_payload_q17wfj56/ansible_fmgr_sys_login_user_payload.zip/ansible/module_utils/connection.py\", line 200, in __rpc__\nansible.module_utils.connection.ConnectionError: An attempt was made at communicating with a FMG with no valid session and an unexpected error was discovered.\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP **********************************************************************************************************************************************************************
fmg301.domain.local  : ok=2    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

@MaxxLiu22

Hi @Wallpix ,

Your environment looks good to me. This error usually happens when the credential information is wrong. Could you help me by deleting the local log file ~/tmp/fortimanager.ansible.log and enabling log in the playbook, then see what information can be collected? You will see the whole API communication history between Ansible and the FMG; you are free to hide the sensitive information.

- hosts: fortimanagers
  connection: httpapi
  collections:
    - fortinet.fortimanager
  vars:
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Create a script on FortiManager.
      fmgr_dvmdb_script:
        adom: 'root'
        state: 'present'
        enable_log: True
        dvmdb_script:
          desc: 'The script create via Ansible'
          type: 'cli'
          name: 'fooscript'
          content: |
            config system global
               set timezone 04
            end

Thanks,
Maxx

Wallpix commented Apr 27, 2023

So, our userID to connect to FortiManager does not have system access (in its applied profile) as we were trying to go with the least permissions required for this API access. The log file location was also overlooked. We did enable logging at some point but we did not find the file location until you pointed it out. Oh and by the way, it's /tmp/fortimanager.ansible.log and not ~/tmp/fortimanager.ansible.log.

This is now clear that the issue is related to the userID access as per the following logs:

2023-04-27 16:17:09.804156: FortiManager object connected to FortiManager: https://127.0.0.1:443
2023-04-27 16:17:09.804193: request: {"method": "get", "params": [{"url": "sys/status"}], "session": "OruZarwqJ/U4CTOHoRKfdJOrsMceITxFSL9pzk1fpV0Eji/XLvE10WqR/P8Hk1HwG92yfqmc5grYn2ilpHz0iQ==", "id": 2, "verbose": 1}
2023-04-27 16:17:09.823602: response: {
   "id": 2,
   "result": [
      {
         "status": {
            "code": -11,
            "message": "No permission for the resource"
         },
         "url": "sys/status"
      }
   ],
   "session": 29259
}

Maybe the error message should be a bit more detailed. The session did work, but some access was denied. Also, is there any reference to this requirement either in the collection's documentation or in the FortiManager admin guide?
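The thread's diagnosis comes down to two JSON-RPC calls: the exec /sys/login/user login that Wallpix reproduced in Postman, and the get sys/status request that napi.py issues on init, which an admin profile without system access answers with code -11 while the collection reports only "no valid session". The following pre-flight script is an added example, not code from the fortinet.fortimanager collection or from anyone in this thread: it performs the same two calls plus a logout and reports which step failed, so a profile that is too narrow is caught before a playbook run. The client class, the preflight function, the constructed_fmg stand-in and the ansible-api/s3cret credentials are this example's own; only the request shapes, the session handling and the codes 0 and -11 are taken from the thread.

```python
"""Pre-flight check of the FortiManager JSON-RPC permissions the collection needs.

Replays the two calls visible in this thread: the "exec /sys/login/user" login
and the "get sys/status" request that napi.py issues on init, then a logout.
A constructed stand-in replies like a FortiManager so the check runs offline.
"""
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, Optional

JsonRpc = Dict[str, Any]
Transport = Callable[[JsonRpc], JsonRpc]  # POST one request body to /jsonrpc, return the parsed reply

NO_PERMISSION = -11  # status code seen in the thread's log: "No permission for the resource"
SESSION_TOKEN = "constructed-session-token"  # constructed; a real FMG returns a long base64 string


def https_transport(host: str, verify_certs: bool = True, timeout: float = 10.0) -> Transport:
    """Real transport over urllib. verify_certs=False is what
    ansible_httpapi_validate_certs: no does; it accepts any certificate on the
    connection that carries the admin password, so keep it True outside a lab."""
    ctx = ssl.create_default_context()
    if not verify_certs:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(body: JsonRpc) -> JsonRpc:
        req = urllib.request.Request(
            f"https://{host}/jsonrpc",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return json.loads(resp.read().decode())

    return send


class FmgRpcClient:
    """Minimal JSON-RPC client that tracks the session token the way the collection does."""

    def __init__(self, transport: Transport) -> None:
        self._send = transport
        self._next_id = 1
        self.session: Optional[str] = None

    def call(self, method: str, url: str, data: Optional[dict] = None) -> Dict[str, Any]:
        params: Dict[str, Any] = {"url": url}
        if data is not None:
            params["data"] = data
        body: JsonRpc = {"id": self._next_id, "method": method, "params": [params], "verbose": 1}
        if self.session is not None:
            body["session"] = self.session
        self._next_id += 1
        reply = self._send(body)
        result = reply["result"][0]
        status = result.get("status", {})
        # Only a successful login carries the session token; error replies echo a
        # numeric session id (29259 in the thread's log), so never copy it blindly.
        if url.lstrip("/") == "sys/login/user" and status.get("code") == 0:
            self.session = reply["session"]
        return {"code": status.get("code"), "message": status.get("message"), "data": result.get("data")}


def preflight(transport: Transport, user: str, passwd: str) -> Dict[str, Any]:
    """Login, fetch sys/status as napi.py does on init, log out; report which step failed."""
    client = FmgRpcClient(transport)
    login = client.call("exec", "/sys/login/user", {"user": user, "passwd": passwd})
    if login["code"] != 0:
        return {"ok": False, "step": "login", "code": login["code"], "message": login["message"]}
    try:
        status = client.call("get", "sys/status")
        if status["code"] == NO_PERMISSION:
            msg = "session is valid but the admin profile lacks system access; the collection needs sys/status"
            return {"ok": False, "step": "sys/status", "code": status["code"], "message": msg}
        if status["code"] != 0:
            return {"ok": False, "step": "sys/status", "code": status["code"], "message": status["message"]}
        return {"ok": True, "step": "sys/status", "code": 0, "data": status["data"]}
    finally:
        client.call("exec", "/sys/logout")  # do not leave API sessions open on the FMG


def constructed_fmg(profile_has_system_access: bool) -> Transport:
    """Constructed stand-in for a FortiManager. Only ansible-api/s3cret is accepted;
    codes 0 and -11 and the reply shapes come from the thread, the rest is made up."""
    def send(body: JsonRpc) -> JsonRpc:
        p = body["params"][0]
        url = p["url"].lstrip("/")
        if url == "sys/login/user":
            if p.get("data") == {"user": "ansible-api", "passwd": "s3cret"}:
                return {"id": body["id"], "session": SESSION_TOKEN,
                        "result": [{"status": {"code": 0, "message": "OK"}, "url": p["url"]}]}
            return {"id": body["id"], "result": [{"status": {"code": -22, "message": "Login fail"}, "url": p["url"]}]}
        denied = {"id": body["id"], "session": 29259,
                  "result": [{"status": {"code": NO_PERMISSION, "message": "No permission for the resource"}, "url": url}]}
        if body.get("session") != SESSION_TOKEN:
            return denied  # no valid session: the -11 the collection turns into its generic error
        if url == "sys/status" and not profile_has_system_access:
            return denied  # logged in, but the profile has no system access
        data = {"Version": "v7.2.2-build1334 (constructed)"} if url == "sys/status" else None
        return {"id": body["id"], "result": [{"status": {"code": 0, "message": "OK"}, "url": url, "data": data}]}
    return send


if __name__ == "__main__":
    for has_access in (True, False):
        print(preflight(constructed_fmg(has_access), "ansible-api", "s3cret"))
```

Against a real appliance, swap constructed_fmg for https_transport("fmg.example.net") and pass the credentials in from ansible-vault or the environment rather than a plaintext ansible_password in the inventory as in the first comment. A result with step "sys/status" and code -11 means exactly what Wallpix found: the login succeeds, but the admin profile needs system (read) access, and rpc-permit read-write on its own is not enough.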
