
Add vpc_ids to Firewall API sources/destinations

Open houstonheat opened this issue 3 years ago • 1 comment

/v2/firewalls allows us to manage firewall rules with the help of sources and destinations (of direct addresses, droplet_ids, load_balancer_uids and tags), meanwhile the DO web interface provides all these sources + available VPCs (through the api/v1 endpoint).

For now godo and the DO terraform provider can't assign a VPC to a firewall rule by ID :( I can try to provide PRs myself if this request gets shipped: https://ideas.digitalocean.com/ideas/FWX-I-37

Sorry for going off-topic, but I'm not sure where to post DO API feature requests 🌚

houstonheat avatar Apr 14 '21 18:04 houstonheat

Hi @houstonheat,

I've passed this request onto our VPC team. I can't give you a timeline yet, but it is something they are hoping to support via the API as well. In the meantime, you should be able to work around this in Terraform using something like the config below. As you can pass a CIDR range to a firewall for both sources and destinations, you can reference the ip_range attribute of the VPC:

resource "digitalocean_vpc" "example" {
  name   = "example-project-network"
  region = "nyc3"
}

resource "digitalocean_firewall" "example" {
  name = "only-the-example-vpc"

  # Droplets the firewall is attached to (digitalocean_droplet.web is assumed to exist).
  droplet_ids = [digitalocean_droplet.web.id]

  # The VPC's CIDR (ip_range) stands in for a VPC id: only traffic from
  # addresses inside the VPC network is admitted on this port.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "8000"
    source_addresses = [digitalocean_vpc.example.ip_range]
  }

  # Same range on the way out, so the droplets can only reach the VPC on this port.
  outbound_rule {
    protocol              = "tcp"
    port_range            = "8000"
    destination_addresses = [digitalocean_vpc.example.ip_range]
  }
}

Thanks for the feedback!

andrewsomething avatar Apr 14 '21 19:04 andrewsomething
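The same workaround expressed against the /v2/firewalls request body that godo wraps, as an added example that is not part of the thread: it declares minimal local structs matching the request's JSON fields instead of importing godo so it runs stand-alone, checks that the VPC's ip_range really is a network prefix before using it as a source/destination, and the VPC range and droplet id are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Minimal mirror of the /v2/firewalls request body (godo's FirewallRequest has the same JSON shape).
type AddressSet struct {
	Addresses []string `json:"addresses"`
}
type InboundRule struct {
	Protocol  string      `json:"protocol"`
	PortRange string      `json:"ports"`
	Sources   *AddressSet `json:"sources"`
}
type OutboundRule struct {
	Protocol     string      `json:"protocol"`
	PortRange    string      `json:"ports"`
	Destinations *AddressSet `json:"destinations"`
}
type FirewallRequest struct {
	Name          string         `json:"name"`
	DropletIDs    []int          `json:"droplet_ids"`
	InboundRules  []InboundRule  `json:"inbound_rules"`
	OutboundRules []OutboundRule `json:"outbound_rules"`
}

// VPCScopedFirewall limits TCP on one port to the VPC's ip_range, the CIDR stand-in for the missing
// vpc_ids field. Anything that is not a clean network prefix is rejected, so a host address or 0.0.0.0/0
// cannot silently widen the rule beyond the VPC.
func VPCScopedFirewall(name, vpcIPRange, port string, dropletIDs []int) (*FirewallRequest, error) {
	ip, ipnet, err := net.ParseCIDR(vpcIPRange)
	if err != nil {
		return nil, fmt.Errorf("vpc ip_range %q is not a CIDR: %w", vpcIPRange, err)
	}
	if ones, _ := ipnet.Mask.Size(); ones == 0 || !ip.Equal(ipnet.IP) {
		return nil, fmt.Errorf("vpc ip_range %q is not a network prefix", vpcIPRange)
	}
	cidr := ipnet.String() // canonical form, e.g. 10.116.0.0/20
	return &FirewallRequest{Name: name, DropletIDs: dropletIDs,
		InboundRules:  []InboundRule{{Protocol: "tcp", PortRange: port, Sources: &AddressSet{[]string{cidr}}}},
		OutboundRules: []OutboundRule{{Protocol: "tcp", PortRange: port, Destinations: &AddressSet{[]string{cidr}}}},
	}, nil
}
func main() {
	req, err := VPCScopedFirewall("only-the-example-vpc", "10.116.0.0/20", "8000", []int{12345}) // constructed sample
	body, _ := json.MarshalIndent(req, "", "  ")
	fmt.Println(string(body), err) // body to POST to /v2/firewalls; err is nil for the sample
}
```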