digitalocean / api-v2

DigitalOcean API v2 feedback
https://developers.digitalocean.com

Cannot create a firewall/various outbound rules via terraform with port_range "all" specified in outbound rule config #166

Open benperove opened 6 years ago

benperove commented 6 years ago

Hi there - I tried to launch a firewall from Terraform, but it doesn't really work 100% yet. Terraform's documentation basically copies DigitalOcean's documentation verbatim, which states that the use of port_range is optional and that "all" can be used to include all ports.

The API docs state this should be possible: https://developers.digitalocean.com/documentation/v2/#add-rules-to-a-firewall

The only way I could get it to work (creating a DigitalOcean firewall from scratch using Terraform) was to set up the firewall config as you normally would (using "all" does work for port_range on inbound rules), comment out the entire outbound_rule block, then run terraform plan and terraform apply, and it will create the firewall.

Here's the HCL that I'm using to create the firewall with Terraform.

resource "digitalocean_firewall" "fwtest" {
    name        = "fwtest"
    droplet_ids = []
    tags        = []

    inbound_rule = [
        {
            protocol         = "tcp"
            port_range       = "80"
            source_addresses = ["1.2.3.4/32"]
        },
        {
            protocol         = "tcp"
            port_range       = "443"
            source_addresses = ["1.2.3.4/32"]
        },
        {
            protocol         = "tcp"
            port_range       = "all"
            source_addresses = ["1.2.3.4/32"]
        }
    ]

/*  outbound_rule = [
        {
            protocol              = "icmp"
            port_range            = "0"
            destination_addresses = ["0.0.0.0/0", "::/0"]
        },
        {
            protocol              = "tcp"
            port_range            = "0"
            destination_addresses = ["0.0.0.0/0", "::/0"]
        },
        {
            protocol              = "udp"
            port_range            = "0"
            destination_addresses = ["0.0.0.0/0", "::/0"]
        }
    ] */
}

Next, add the three outbound rules from the DigitalOcean web console.

[screenshot: digitalocean_api_firewall_issues]

Now uncomment the outbound_rule block and run terraform refresh. Also worth noting: any inbound rules created from Terraform using port_range = "all" will need to be changed back to port_range = "0" in order to make Terraform happy.

If your outbound rules are set up like the HCL config here, terraform plan should now be green with no changes to be made.

So something is not quite right when adding rules via the API with the use of "all" to give sources/tags full access to whatever protocol is specified.

rafaelrosafu commented 6 years ago

@benperove thanks for reporting it, it's very useful feedback. We do have this issue on our radar and some ideas to fix it; we just didn't get there yet. We will update this issue when it's done, and I'll do my best to increase its priority.

fushnisoft commented 6 years ago

I have used this to represent "all" when sending a firewall update:

"ports": "1-65535"

The API accepts it and the web UI shows an empty space or "All ports" so I assume that means all in both cases :)
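The thread above shows three spellings of "every port" in play at once: "all" (the documented value), "0" (what Terraform needed after refresh, i.e. what the API read back for rules created in the console) and "1-65535" (fushnisoft's workaround). The following Python script is an added example, not code from the api-v2 repository, the Terraform provider or any commenter. It builds the outbound-rule payload for the documented add-rules endpoint and compares a declared rule set against a read-back response after normalizing those spellings, so that a genuine change (a narrowed port range, a different CIDR) still shows up while the spelling mismatch does not. The equivalence of "all", "0" and "1-65535" is an assumption taken from the thread, and both the declared rules and the "observed" response are constructed samples, not captured API output.

```python
"""Normalize DigitalOcean firewall rule port ranges so a declared rule set can
be compared with what the API reports back without spurious diffs.

Added example; not the api-v2 repository's or the Terraform provider's code.
Assumption (from the thread, not the API docs): for tcp/udp the values
"all", "0" and "1-65535" all mean "every port". Sample data is constructed.
"""
import ipaddress
import json

ALL_PORTS = "all"
MAX_PORT = 65535
PROTOCOLS = {"tcp", "udp", "icmp"}


def normalize_ports(protocol: str, ports) -> str:
    """Canonical port string for comparison.

    icmp carries no ports, so any value collapses to "". For tcp/udp,
    "all", "0", "" and "1-65535" collapse to "all" (assumed equivalent,
    per the thread); "N-N" becomes "N"; anything outside 1-65535 is rejected.
    """
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    if protocol == "icmp":
        return ""
    if ports in (None, "", "0", ALL_PORTS):
        return ALL_PORTS
    lo_s, _, hi_s = str(ports).partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not 1 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"port range {ports!r} outside 1-{MAX_PORT}")
    if (lo, hi) == (1, MAX_PORT):
        return ALL_PORTS
    return str(lo) if lo == hi else f"{lo}-{hi}"


def normalize_rule(rule: dict, direction: str) -> tuple:
    """Reduce one API-shaped rule to a hashable, order-independent key.

    Inbound rules carry "sources", outbound rules "destinations"; only the
    "addresses" member is compared here. strict=True rejects CIDRs with host
    bits set (e.g. "1.2.3.4/24"), which catches a typo before it reaches the API.
    """
    side = "sources" if direction == "inbound" else "destinations"
    addrs = rule.get(side, {}).get("addresses", [])
    nets = tuple(sorted(str(ipaddress.ip_network(a, strict=True)) for a in addrs))
    return (rule["protocol"], normalize_ports(rule["protocol"], rule.get("ports")), nets)


def diff_rules(declared: list, observed: list, direction: str):
    """Return (missing, unexpected): declared rules absent from the response,
    and response rules absent from the declaration, after normalization."""
    want = {normalize_rule(r, direction) for r in declared}
    have = {normalize_rule(r, direction) for r in observed}
    return want - have, have - want


def request_body(outbound: list) -> str:
    """JSON body for POST /v2/firewalls/{id}/rules carrying only outbound rules,
    written with the documented "all" spelling."""
    return json.dumps({"outbound_rules": outbound}, indent=2)


# Constructed sample: the three outbound rules from the HCL in the thread,
# declared with the documented "all" value.
DECLARED_OUTBOUND = [
    {"protocol": p, "ports": ALL_PORTS,
     "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}}
    for p in ("icmp", "tcp", "udp")
]

# Constructed sample of a read-back response: console-created rules come back
# as "0" (what Terraform needed), one rule was sent as "1-65535", and the
# address order differs. None of these differences is a real change.
OBSERVED_OUTBOUND = [
    {"protocol": "icmp", "ports": "0", "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}},
    {"protocol": "tcp", "ports": "0", "destinations": {"addresses": ["::/0", "0.0.0.0/0"]}},
    {"protocol": "udp", "ports": "1-65535", "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}},
]


def spurious_diff():
    """The mismatch the thread describes: empty once spellings are normalized."""
    return diff_rules(DECLARED_OUTBOUND, OBSERVED_OUTBOUND, "outbound")


def real_diff():
    """Same comparison, but the udp rule was genuinely narrowed to 53 on the
    API side; this must still be reported."""
    narrowed = [dict(r) for r in OBSERVED_OUTBOUND]
    narrowed[2] = {**narrowed[2], "ports": "53"}
    return diff_rules(DECLARED_OUTBOUND, narrowed, "outbound")


if __name__ == "__main__":
    print(request_body(DECLARED_OUTBOUND))
    print("spurious diff:", spurious_diff())
    print("real diff:", real_diff())
```

Run it directly to see the request body and the two comparisons. The normalization is deliberately confined to the "every port" spellings and to CIDR ordering; it does not widen or merge ranges, so a rule that was narrowed, dropped or pointed at a different network still appears in the diff. If the API's read-back format changes, only normalize_ports needs updating.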