Help
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
heng
Staff
Staff

Created on ‎08-13-2023 10:28 PM Edited on ‎09-28-2023 08:37 AM By Moderator

Article Id 268712

Technical Tip: Using API Token to login into FortiManager with Terraform

Description

This article describes how to use API tokens to log in to FortiManager with Terraform.

Terraform supports two types of authentication which are static credentials (username/password and API token) and environment variables. 'API token' also refers to API keys in this context. 

Since Terraform does not support letting the provider define the logout logic, the static credential using username/password is not feasible as it will fill up the login session for each Terraform execution until the limit where the FortiManager will deny the next login when the maximum login session is reached. 

To avoid this issue, it is recommended to use static credentials using API tokens instead. 

REST API admins using the token authentication method is possible as of FortiManager version 7.2.2 and above. 
Scope FortiManager version 7.2.2 and above. 
Solution

In FortiManager

 

GUI Method:

 

  1. Create the REST API admin under System Settings -> Administrators -> Create New -> REST API Admin.
  2. Generate the API key, edit the REST API admin that has just been created now, e.g. restapi_admin and re-generate the API key. The key will be used in the Terraform provider login script.

 

image.png

 

image.png

 

image.png

 

When using an API key as the authentication method, the trust host must be provided to allow the source IP address access.

 

heng_0-1695915077949.png

 

CLI Method:

 

  1. To create the REST API admin using SSH or wen console CLI, run the following configuration:

 

config system admin user
    edit <username>
        set trusthost1 <source subnet> <mask>
        set profileid "Super_User"
        set user_type api
        set rpc-permit read-write
    next
end

 

     2. Use the same CLI command to re-generate the API key: 

 

execute api-user generate-key <API username>  

 

Example:

 

execute api-user generate-key restapi_admin
New API key: m4hcu1ud98bymok54ahiuf646gepnekm

 

In Terraform:

 

Use the token in the Terraform provider section script by adding it to the .tf script file. In this example, the user is logged in to ADOM: root.

 

Example:

 

provider "fortimanager" {
hostname = "10.47.47.99"
token = "m4hcu1ud98bymok54ahiuf646gepnekm"
insecure = "true"

scopetype = "adom"
adom = "root"
}
2119
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.