Removing Multiple Firewall Rules Fails with 422 Unprocessable Entity

August 19, 2019
DigitalOcean API DigitalOcean Cloud Firewalls

Hello,

I’m attempting to remove multiple rules from a DO firewall using the API but I keep getting a 422 response.

Given the following firewall definition:

{
  "firewall": {
    "id": "[REDACTED]",
    "name": "test-firewall",
    "status": "succeeded",
    "inbound_rules": [{
        "protocol": "tcp",
        "ports": "80",
        "sources": {
          "addresses": [
            "192.80.22.1"
          ]
        }
      },
      {
        "protocol": "tcp",
        "ports": "443",
        "sources": {
          "addresses": [
            "192.80.22.1"
          ]
        }
      }
    ],
    "outbound_rules": [],
    "created_at": "2019-08-19T15:41:53Z",
    "droplet_ids": [],
    "tags": [],
    "pending_changes": []
  }
}

I attempt to remove both of the inbound rules with the following request:

# $ID holds the firewall ID and $TOKEN the API token; the Authorization
# header needs double quotes so the shell expands $TOKEN.
curl -X DELETE "https://api.digitalocean.com/v2/firewalls/$ID/rules" \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
  "inbound_rules": [{
    "protocol": "tcp",
    "ports": "80",
    "sources": {
      "addresses": ["192.80.22.1"]
    }
  }, {
    "protocol": "tcp",
    "ports": "443",
    "sources": {
      "addresses": ["192.80.22.1"]
    }
  }]
}'

The response I get is:

{"id":"unprocessable_entity","message":"must have at least one rule","request_id":"[REDACTED]"}

If I attempt to delete just one of the rules instead of both with the following request:

# Same variables as above; $TOKEN must be inside double quotes to expand.
curl -X DELETE "https://api.digitalocean.com/v2/firewalls/$ID/rules" \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
  "inbound_rules": [{
    "protocol": "tcp",
    "ports": "443",
    "sources": {
      "addresses": ["192.80.22.1"]
    }
  }]
}'

The request succeeds.

My understanding from the docs is that I should be able to send an array of rules for deletion; however, this doesn’t seem to work in practice. Does anyone have any ideas on a solution, or is this a bug?

2 Answers

Thanks for the reply Bobby, but after sleeping on this I’ve come to a solution. The problem is that a DO firewall isn’t valid if it has no rules (inbound or outbound). When running my first request to delete all inbound rules the firewall goes into an invalid state since it has no rules at all and therefore the request is not completed. Ensuring that I add rules before removing rules solves this issue.
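To make the ordering constraint from the answer above concrete, here is an added example (my code, not DigitalOcean's and not from the thread) that replaces a firewall's rule set by adding the new rules first and deleting the old ones second, and that refuses up front to issue a delete which would leave zero rules. It assumes the three endpoints whose paths appear in the thread (GET /v2/firewalls/{id}, POST and DELETE /v2/firewalls/{id}/rules) and that add/remove return 204 on success; the HTTP layer is injected, and the in-memory `FakeFirewallAPI` stand-in below enforces the "must have at least one rule" invariant so the script runs offline. The firewall ID, the rule contents and the 10.0.0.0/8 source are constructed sample values.

```python
import json
from typing import Callable, Dict, Iterable, Optional, Tuple

Rule = Dict[str, object]
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def rule_key(rule: Rule) -> str:
    """Canonical JSON form of a rule so rules can be compared as sets."""
    return json.dumps(rule, sort_keys=True)


def sample_firewall() -> dict:
    """Constructed copy of the firewall in the question: two inbound, no outbound rules."""
    return {
        "id": "fw-example",  # placeholder; the real ID was redacted in the post
        "name": "test-firewall",
        "inbound_rules": [
            {"protocol": "tcp", "ports": "80", "sources": {"addresses": ["192.80.22.1"]}},
            {"protocol": "tcp", "ports": "443", "sources": {"addresses": ["192.80.22.1"]}},
        ],
        "outbound_rules": [],
    }


class FakeFirewallAPI:
    """Offline stand-in for the firewall endpoints (assumption: mirrors the real
    paths and status codes). It rejects any delete that would empty the firewall,
    which is the invariant the accepted answer identified."""

    def __init__(self, firewalls: Dict[str, dict]):
        self.firewalls = firewalls

    def __call__(self, method: str, path: str, body: Optional[dict]) -> Tuple[int, dict]:
        parts = path.strip("/").split("/")  # v2 / firewalls / {id} [/ rules]
        fw = self.firewalls.get(parts[2]) if len(parts) >= 3 else None
        if fw is None:
            return 404, {"id": "not_found", "message": "firewall not found"}
        if method == "GET":
            return 200, {"firewall": fw}
        if parts[-1] != "rules" or body is None:
            return 405, {"id": "method_not_allowed", "message": "unsupported"}
        if method == "POST":
            fw["inbound_rules"].extend(body.get("inbound_rules", []))
            fw["outbound_rules"].extend(body.get("outbound_rules", []))
            return 204, {}
        if method == "DELETE":
            drop_in = {rule_key(r) for r in body.get("inbound_rules", [])}
            drop_out = {rule_key(r) for r in body.get("outbound_rules", [])}
            keep_in = [r for r in fw["inbound_rules"] if rule_key(r) not in drop_in]
            keep_out = [r for r in fw["outbound_rules"] if rule_key(r) not in drop_out]
            if not keep_in and not keep_out:  # the 422 quoted in the question
                return 422, {"id": "unprocessable_entity", "message": "must have at least one rule"}
            fw["inbound_rules"], fw["outbound_rules"] = keep_in, keep_out
            return 204, {}
        return 405, {"id": "method_not_allowed", "message": "unsupported"}


class FirewallClient:
    """Thin client; the transport is injected so the same logic works against
    the real API (e.g. a requests-based transport) or the fake above."""

    def __init__(self, transport: Transport):
        self._send = transport

    def get_firewall(self, fw_id: str) -> dict:
        status, body = self._send("GET", f"/v2/firewalls/{fw_id}", None)
        if status != 200:
            raise RuntimeError(f"GET firewall failed: {status} {body}")
        return body["firewall"]

    def add_rules(self, fw_id: str, inbound: Iterable[Rule] = (), outbound: Iterable[Rule] = ()) -> int:
        payload = {"inbound_rules": list(inbound), "outbound_rules": list(outbound)}
        return self._send("POST", f"/v2/firewalls/{fw_id}/rules", payload)[0]

    def remove_rules(self, fw_id: str, inbound: Iterable[Rule] = (), outbound: Iterable[Rule] = ()) -> int:
        payload = {"inbound_rules": list(inbound), "outbound_rules": list(outbound)}
        return self._send("DELETE", f"/v2/firewalls/{fw_id}/rules", payload)[0]


def replace_rules(client: FirewallClient, fw_id: str,
                  inbound: Iterable[Rule], outbound: Iterable[Rule]) -> dict:
    """Make the firewall's rules equal (inbound, outbound): add first, delete
    second, so the firewall is never empty between the two calls."""
    want_in, want_out = list(inbound), list(outbound)
    if not want_in and not want_out:
        raise ValueError("a firewall must keep at least one rule; refusing to empty it")
    fw = client.get_firewall(fw_id)
    have_in = {rule_key(r) for r in fw["inbound_rules"]}
    have_out = {rule_key(r) for r in fw["outbound_rules"]}
    want_in_keys, want_out_keys = {rule_key(r) for r in want_in}, {rule_key(r) for r in want_out}
    add_in = [r for r in want_in if rule_key(r) not in have_in]
    add_out = [r for r in want_out if rule_key(r) not in have_out]
    del_in = [r for r in fw["inbound_rules"] if rule_key(r) not in want_in_keys]
    del_out = [r for r in fw["outbound_rules"] if rule_key(r) not in want_out_keys]
    if (add_in or add_out) and client.add_rules(fw_id, add_in, add_out) != 204:
        raise RuntimeError("adding rules failed")
    if (del_in or del_out) and client.remove_rules(fw_id, del_in, del_out) != 204:
        raise RuntimeError("removing rules failed")
    return client.get_firewall(fw_id)


def reproduce_question() -> Tuple[int, int]:
    """Status codes for the two requests in the question: delete both rules, then delete one."""
    fw = sample_firewall()
    client = FirewallClient(FakeFirewallAPI({fw["id"]: fw}))
    both = client.remove_rules(fw["id"], inbound=fw["inbound_rules"][:])   # 422
    one = client.remove_rules(fw["id"], inbound=fw["inbound_rules"][1:])   # 204
    return both, one


def demo_swap() -> dict:
    """Swap the two HTTP rules for a single SSH rule without hitting the 422."""
    fw = sample_firewall()
    client = FirewallClient(FakeFirewallAPI({fw["id"]: fw}))
    new_in = [{"protocol": "tcp", "ports": "22", "sources": {"addresses": ["10.0.0.0/8"]}}]
    return replace_rules(client, fw["id"], new_in, [])
```

Against the real API the transport would add the `Authorization: Bearer` header and JSON-encode the body; the add-then-delete order and the up-front emptiness check are what prevent the "must have at least one rule" response.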

Hello,

I’ve just tested this with the example from the documentation and it worked for me:

curl -X DELETE -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '
{
  "outbound_rules": [
    {
      "protocol": "tcp",
      "ports": "80",
      "destinations": {
        "addresses": [
          "192.168.1.1"
        ]
      }
    },
    {
      "protocol": "tcp",
      "ports": "443",
      "destinations": {
        "addresses": [
          "192.168.1.1"
        ]
      }
    }
  ]
}' "https://api.digitalocean.com/v2/firewalls/$ID/rules"

I would suggest adjusting your curl request so that it matches the one above.

Hope that this helps!
Regards,
Bobby
