Hello,

I’m attempting to remove multiple rules from a DO firewall using the API but I keep getting a 422 response.

Given the following firewall definition:

{
  "firewall": {
    "id": "[REDACTED]",
    "name": "test-firewall",
    "status": "succeeded",
    "inbound_rules": [{
        "protocol": "tcp",
        "ports": "80",
        "sources": {
          "addresses": [
            "192.80.22.1"
          ]
        }
      },
      {
        "protocol": "tcp",
        "ports": "443",
        "sources": {
          "addresses": [
            "192.80.22.1"
          ]
        }
      }
    ],
    "outbound_rules": [],
    "created_at": "2019-08-19T15:41:53Z",
    "droplet_ids": [],
    "tags": [],
    "pending_changes": []
  }
}

I attempt to remove both of the inbound rules with the following request:

curl -X DELETE https://api.digitalocean.com/v2/firewalls/$ID/rules \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
  "inbound_rules": [{
    "protocol": "tcp",
    "ports": "80",
    "sources": {
      "addresses": ["192.80.22.1"]
    }
  }, {
    "protocol": "tcp",
    "ports": "443",
    "sources": {
      "addresses": ["192.80.22.1"]
    }
  }]
}'

The response I get is:

{"id":"unprocessable_entity","message":"must have at least one rule","request_id":"[REDACTED]"}

If I attempt to delete just one of the rules instead of both with the following request:

curl -X DELETE https://api.digitalocean.com/v2/firewalls/$ID/rules \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
  "inbound_rules": [{
    "protocol": "tcp",
    "ports": "443",
    "sources": {
      "addresses": ["192.80.22.1"]
    }
  }]
}'

The request succeeds.

My understanding from the docs is that I should be able to send an array of rules for deletion; however, this doesn’t seem to work in practice. Does anyone have any ideas on a solution, or is this a bug?


2 answers

Thanks for the reply, Bobby, but after sleeping on this I’ve come to a solution. The problem is that a DO firewall isn’t valid if it has no rules (inbound or outbound). When running my first request to delete all inbound rules, the firewall goes into an invalid state since it has no rules at all, and therefore the request is not completed. Ensuring that I add rules before removing rules solves this issue.
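The ordering the question author settled on (add replacement rules first, then delete), as an added Python example that is not from this thread or from DigitalOcean: it builds the requests and checks the "at least one rule" invariant before anything is sent, rather than discovering it through a 422. The firewall id and the outbound rule are constructed placeholders; the POST variant of the `/rules` endpoint is the add-rules call from the DO API docs.

```python
import json

API = "https://api.digitalocean.com/v2"

# Constructed sample mirroring the firewall in the question; the id is a placeholder.
FIREWALL = {
    "id": "fw-example-id",
    "inbound_rules": [
        {"protocol": "tcp", "ports": "80", "sources": {"addresses": ["192.80.22.1"]}},
        {"protocol": "tcp", "ports": "443", "sources": {"addresses": ["192.80.22.1"]}},
    ],
    "outbound_rules": [],
}
NEW_OUTBOUND = {"protocol": "tcp", "ports": "443", "destinations": {"addresses": ["0.0.0.0/0"]}}

def rule_key(rule):
    """Rules carry no id; the API matches them by content, so normalise
    protocol, ports and the source/destination sets into a hashable key."""
    side = rule.get("sources") or rule.get("destinations") or {}
    return (rule["protocol"], str(rule.get("ports", "")),
            tuple(sorted(side.get("addresses", []))),
            tuple(sorted(side.get("tags", []))),
            tuple(sorted(side.get("droplet_ids", []))))

def plan_rule_change(firewall, add=None, remove=None):
    """Return the ordered (method, url, json_body) requests that apply the
    change with at least one rule present at every step. Raises ValueError
    when the end state would have no rules, the case the API rejects with 422."""
    add, remove = add or {}, remove or {}
    remaining = 0
    for direction in ("inbound_rules", "outbound_rules"):
        current = {rule_key(r) for r in firewall.get(direction, [])}
        to_remove = {rule_key(r) for r in remove.get(direction, [])}
        missing = to_remove - current
        if missing:
            raise ValueError(f"{direction}: not on the firewall: {sorted(missing)}")
        to_add = {rule_key(r) for r in add.get(direction, [])}
        remaining += len((current | to_add) - to_remove)
    if remaining == 0:
        raise ValueError("change would leave the firewall with no rules (API returns 422)")
    url = f"{API}/firewalls/{firewall['id']}/rules"
    plan = []
    if any(add.values()):       # POST first so the firewall is never empty
        plan.append(("POST", url, json.dumps(add)))
    if any(remove.values()):
        plan.append(("DELETE", url, json.dumps(remove)))
    return plan
```

Calling `plan_rule_change(FIREWALL, add={"outbound_rules": [NEW_OUTBOUND]}, remove={"inbound_rules": FIREWALL["inbound_rules"]})` yields a POST followed by a DELETE; the same removal without an addition raises before any request is built.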

Hello,

I’ve just tested this with the example from the documentation and it worked for me:

curl -X DELETE -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '
{
  "outbound_rules": [
        {
          "protocol": "tcp",
          "ports": "80",
          "destinations": {
            "addresses": [
              "192.168.1.1"
            ]
          }
        },
        {
          "protocol": "tcp",
          "ports": "443",
          "destinations": {
            "addresses": [
              "192.168.1.1"
            ]
          }
        }
  ]
} ' "https://api.digitalocean.com/v2/firewalls/$ID/rules" 

I would suggest adjusting your curl request so that it matches the one above.

Hope that this helps!
Regards,
Bobby
