Add lb firewall (#767)

* Add documentation for LB firewalls * Newlines / minor formatting change * Remove unused title prop to fix lint Co-authored-by: jrolheiser <jrolheiser@digitalocean.com>
digitalocean · Dec 21, 2022 · b804d5e · b804d5e
1 parent e763e13
commit b804d5e
Show file tree

Hide file tree

Showing 8 changed files with 57 additions and 4 deletions.
diff --git a/specification/resources/load_balancers/examples.yml b/specification/resources/load_balancers/examples.yml
@@ -18,6 +18,9 @@ load_balancer_basic_create_request:
     - 3164445
     project_id: 9cc10173-e9ea-4176-9dbc-a4cee4c4ff30
     http_idle_timeout_seconds: 60
+    firewall:
+      deny: ["cidr:1.2.0.0/16", "ip:2.3.4.5"]
+      allow: ["ip:1.2.3.4", "cidr:2.3.4.0/24"]
 
 load_balancer_ssl_termination_create_request:
   description: Terminating SSL at the load balancer using a managed SSL
@@ -111,4 +114,7 @@ load_balancer_update_request:
     enable_backend_keepalive: true
     vpc_uuid: c33931f2-a26a-4e61-b85c-4e95a2ec431b
     project_id: 9cc10173-e9ea-4176-9dbc-a4cee4c4ff30
-    http_idle_timeout_seconds: 60
+    http_idle_timeout_seconds: 60
+    firewall:
+      deny: ["cidr:1.2.0.0/16", "ip:2.3.4.5"]
+      allow: ["ip:1.2.3.4", "cidr:2.3.4.0/24"]
diff --git a/specification/resources/load_balancers/examples/curl/loadBalancers_create.yml b/specification/resources/load_balancers/examples/curl/loadBalancers_create.yml
@@ -4,12 +4,12 @@ source: |-
   curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
-    -d '{"name": "example-lb-01","size_unit": 1, "region": "nyc3", "forwarding_rules":[{"entry_protocol":"http","entry_port":80,"target_protocol":"http","target_port":80,"certificate_id":"","tls_passthrough":false}, {"entry_protocol": "https","entry_port": 444,"target_protocol": "https","target_port": 443,"tls_passthrough": true}], "health_check":{"protocol":"http","port":80,"path":"/","check_interval_seconds":10,"response_timeout_seconds":5,"healthy_threshold":5,"unhealthy_threshold":3}, "sticky_sessions":{"type":"none"}, "droplet_ids": [3164444, 3164445]}' \
+    -d '{"name": "example-lb-01","size_unit": 1, "region": "nyc3", "forwarding_rules":[{"entry_protocol":"http","entry_port":80,"target_protocol":"http","target_port":80,"certificate_id":"","tls_passthrough":false}, {"entry_protocol": "https","entry_port": 444,"target_protocol": "https","target_port": 443,"tls_passthrough": true}], "health_check":{"protocol":"http","port":80,"path":"/","check_interval_seconds":10,"response_timeout_seconds":5,"healthy_threshold":5,"unhealthy_threshold":3}, "sticky_sessions":{"type":"none"}, "firewall":{"deny":["ip:1.2.3.4","cidr:2.3.4.0/24"],"allow":["cidr:1.2.0.0/16","ip:2.3.4.5"]}, "droplet_ids": [3164444, 3164445]}' \
     "https://api.digitalocean.com/v2/load_balancers"
 
   # Create new load balancer with Droplet tag
   curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
-    -d '{"name": "example-lb-01", "region": "nyc3", "size_unit": 1, "forwarding_rules":[{"entry_protocol":"http","entry_port":80,"target_protocol":"http","target_port":80,"certificate_id":"","tls_passthrough":false}, {"entry_protocol": "https","entry_port": 444,"target_protocol": "https","target_port": 443,"tls_passthrough": true}], "health_check":{"protocol":"http","port":80,"path":"/","check_interval_seconds":10,"response_timeout_seconds":5,"healthy_threshold":5,"unhealthy_threshold":3}, "sticky_sessions":{"type":"none"}, "tag": "web:prod"}' \
+    -d '{"name": "example-lb-01", "region": "nyc3", "size_unit": 1, "forwarding_rules":[{"entry_protocol":"http","entry_port":80,"target_protocol":"http","target_port":80,"certificate_id":"","tls_passthrough":false}, {"entry_protocol": "https","entry_port": 444,"target_protocol": "https","target_port": 443,"tls_passthrough": true}], "health_check":{"protocol":"http","port":80,"path":"/","check_interval_seconds":10,"response_timeout_seconds":5,"healthy_threshold":5,"unhealthy_threshold":3}, "sticky_sessions":{"type":"none"}, "firewall":{"deny":["ip:1.2.3.4", "cidr:2.3.4.0/24"],"allow":["cidr:1.2.0.0/16","ip:2.3.4.5"]}, "tag": "web:prod"}' \
     "https://api.digitalocean.com/v2/load_balancers"
diff --git a/specification/resources/load_balancers/examples/curl/loadBalancers_update.yml b/specification/resources/load_balancers/examples/curl/loadBalancers_update.yml
@@ -3,5 +3,5 @@ source: |-
   curl -X PUT \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
-    -d '{"name":"example-lb-01","size_unit":"2","region":"nyc3","algorithm":"least_connections","forwarding_rules":[{"entry_protocol":"http","entry_port":80,"target_protocol":"http","target_port":80},{"entry_protocol":"https","entry_port":444,"target_protocol":"https","target_port":443,"tls_passthrough":true}],"health_check":{"protocol":"http","port":80,"path":"/","check_interval_seconds":10,"response_timeout_seconds":5,"healthy_threshold":5,"unhealthy_threshold":3},"sticky_sessions":{"type":"cookies", "cookie_name": "DO_LB", "cookie_ttl_seconds": 300}, "droplet_ids": [3164444, 3164445]}' \
+    -d '{"name":"example-lb-01","size_unit":"2","region":"nyc3","algorithm":"least_connections","forwarding_rules":[{"entry_protocol":"http","entry_port":80,"target_protocol":"http","target_port":80},{"entry_protocol":"https","entry_port":444,"target_protocol":"https","target_port":443,"tls_passthrough":true}],"health_check":{"protocol":"http","port":80,"path":"/","check_interval_seconds":10,"response_timeout_seconds":5,"healthy_threshold":5,"unhealthy_threshold":3},"sticky_sessions":{"type":"cookies", "cookie_name": "DO_LB", "cookie_ttl_seconds": 300}, "firewall":{"deny":["ip:1.2.3.4","cidr:2.3.4.0/24"], "allow":["cidr:1.2.0.0/16","ip:2.3.4.5"]}, "droplet_ids": [3164444, 3164445]}' \
     "https://api.digitalocean.com/v2/load_balancers/4de7ac8b-495b-4884-9a69-1050c6793cd6"
diff --git a/specification/resources/load_balancers/examples/go/loadBalancers_create.yml b/specification/resources/load_balancers/examples/go/loadBalancers_create.yml
@@ -47,6 +47,10 @@ source: |-
           },
           DropletIDs:          []int{3164444, 3164445},
           RedirectHttpToHttps: false,
+          Firewall:            &godo.LBFirewall{
+              Deny: []string{"ip:1.2.3.4", "cidr:2.3.4.0/24"},
+              Allow: []string{"cidr:1.2.0.0/16", "ip:2.3.4.5"},
+          }
     // Create new load balancer with Droplet tag
     //     Tag:                 "web:prod",
     //     RedirectHttpToHttps: false,

diff --git a/specification/resources/load_balancers/examples/go/loadBalancers_update.yml b/specification/resources/load_balancers/examples/go/loadBalancers_update.yml
@@ -49,6 +49,10 @@ source: |-
           },
           DropletIDs:          []int{3164444, 3164445},
           RedirectHttpToHttps: false,
+          Firewall:            &godo.LBFirewall{
+              Deny: []string{"ip:1.2.3.4", "cidr:2.3.4.0/24"},
+              Allow: []string{"cidr:1.2.0.0/16", "ip:2.3.4.5"},
+          }
       }
 
       lb, _, err := c.LoadBalancers.Update(ctx, "c2c97ca7-6f63-4e23-8909-906fd86efb5e", updateRequest)

diff --git a/specification/resources/load_balancers/models/lb_firewall.yml b/specification/resources/load_balancers/models/lb_firewall.yml
@@ -0,0 +1,24 @@
+type: object
+
+description: An object specifying allow and deny rules to control traffic to the load balancer.
+
+properties:
+  deny:
+    type: array
+    items:
+      type: string
+    example:
+      - ip:1.2.3.4
+      - cidr:2.3.0.0/16
+    default: []
+    description: the rules for denying traffic to the load balancer (in the form 'ip:1.2.3.4' or 'cidr:1.2.0.0/16')
+
+  allow:
+    type: array
+    items:
+      type: string
+    example:
+      - ip:1.2.3.4
+      - cidr:2.3.0.0/16
+    default: []
+    description: the rules for allowing traffic to the load balancer (in the form 'ip:1.2.3.4' or 'cidr:1.2.0.0/16')
diff --git a/specification/resources/load_balancers/models/load_balancer_base.yml b/specification/resources/load_balancers/models/load_balancer_base.yml
@@ -154,5 +154,8 @@ properties:
       record creation for Let's Encrypt certificates that are added to the
       load balancer.
 
+  firewall:
+    $ref: 'lb_firewall.yml'
+
 required:
   - forwarding_rules
diff --git a/specification/resources/load_balancers/responses/examples.yml b/specification/resources/load_balancers/responses/examples.yml
@@ -67,6 +67,9 @@ load_balancer_basic_response:
       disable_lets_encrypt_dns_records: false
       project_id: 9cc10173-e9ea-4176-9dbc-a4cee4c4ff30
       http_idle_timeout_seconds: 60
+      firewall:
+        deny: ["cidr:1.2.0.0/16", "ip:2.3.4.5"]
+        allow: ["ip:1.2.3.4", "cidr:2.3.4.0/24"]
 
 load_balancer_ssl_termination_response:
   value:
@@ -324,6 +327,9 @@ load_balancer_update_response:
       disable_lets_encrypt_dns_records: false
       project_id: 9cc10173-e9ea-4176-9dbc-a4cee4c4ff30
       http_idle_timeout_seconds: 60
+      firewall:
+        deny: ["cidr:1.2.0.0/16", "ip:2.3.4.5"]
+        allow: ["ip:1.2.3.4", "cidr:2.3.4.0/24"]
 
 load_balancers_all:
   value:
@@ -392,6 +398,9 @@ load_balancers_all:
       enable_backend_keepalive: false
       vpc_uuid: c33931f2-a26a-4e61-b85c-4e95a2ec431b
       disable_lets_encrypt_dns_records: false
+      firewall:
+        deny: ["cidr:1.2.0.0/16", "ip:2.3.4.5"]
+        allow: ["ip:1.2.3.4", "cidr:2.3.4.0/24"]
     - id: 56775c3f-04ab-4fb3-a7ed-40ef9bc8eece
       name: prod-web-lb-01
       ip: 45.55.125.24
@@ -455,6 +464,9 @@ load_balancers_all:
       disable_lets_encrypt_dns_records: false
       project_id: 9cc10173-e9ea-4176-9dbc-a4cee4c4ff30
       http_idle_timeout_seconds: 60
+      firewall:
+        deny: ["cidr:1.2.0.0/16", "ip:2.3.4.5"]
+        allow: ["ip:1.2.3.4", "cidr:2.3.4.0/24"]
     links: {}
     meta:
       total: 2