How do I use Terraform to activate Cloud Firewall? - Cloud Firewall

Activate Cloud Firewall programmatically using the alicloud_cloud_firewall_instance Terraform resource.

Run this example directly in Terraform Explorer without any local setup.

Prerequisites

Before you begin, ensure that you have:

A Resource Access Management (RAM) user with an AccessKey pair. Using a RAM user instead of your Alibaba Cloud root account limits the blast radius if credentials are compromised. See Create a RAM user and Create an AccessKey pair.

The following permissions attached to the RAM user — the Cloud Firewall permissions to manage firewall instances, and AliyunBSSFullAccess to handle subscription billing through BSS OpenAPI:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "yundun-cloudfirewall:CreateFirewall",
                "yundun-cloudfirewall:DescribeFirewalls",
                "yundun-cloudfirewall:DeleteFirewall"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "bssapi:*",
                "bss:*"
            ],
            "Resource": "*"
        }
    ]
}

Terraform 0.12.28 or later. Verify with terraform --version.
A Terraform environment set up using one of these options:
Option Best for
Terraform Explorer Quick testing with no local installation
Cloud Shell Fast setup with credentials pre-configured
Local installation Custom environments or restricted network access

Option	Best for
Terraform Explorer	Quick testing with no local installation
Cloud Shell	Fast setup with credentials pre-configured
Local installation	Custom environments or restricted network access

Important

Activating Cloud Firewall incurs charges. Unsubscribe from the service when you no longer need it. For subscription billing, terraform destroy does not unsubscribe — see Release resources.

Terraform resource

alicloud_cloud_firewall_instance: activates Cloud Firewall.

Arguments

Argument	Description
`payment_type`	Billing method. Valid values: `Subscription`, `PayAsYouGo`.
`spec`	Edition. Valid values: `premium_version`, `enterprise_version`, `ultimate_version`.
`ip_number`	Number of public IP addresses to protect. Valid values: 20–4000.
`band_width`	Peak Internet traffic to protect, in Mbit/s. Valid values: 10–15000.
`cfw_log`	Whether to enable the audit log feature. Valid values: `true`, `false`.
`cfw_log_storage`	Log storage capacity. Ignored if `cfw_log` is `false`.
`period`	Subscription period in months. Valid values: `1`, `3`, `6`, `12`, `24`, `36`.

The cfw_service argument was removed in provider version 1.209.1 and is no longer supported.

Attributes exported after apply

After terraform apply, the following attributes are available for use in other resources:

Attribute	Description
`id`	The instance ID, in the format `vipcloudfw-cn-xxxxxxxx`.
`create_time`	The time the instance was created.
`end_time`	The subscription end time.
`release_time`	The release time of the instance.
`renewal_duration_unit`	The unit for the renewal duration.
`renewal_status`	The renewal status of the instance.
`status`	The current status of the instance.

Activate Cloud Firewall

Create a working directory and a main.tf file with the following configuration:

resource "alicloud_cloud_firewall_instance" "example" {
  # Billing method. Valid values: Subscription, PayAsYouGo.
  payment_type    = "Subscription"
  # Edition. Valid values: premium_version, enterprise_version, ultimate_version.
  spec            = "premium_version"
  # Number of public IP addresses to protect. Valid values: 20-4000.
  ip_number       = 20
  # Peak Internet traffic to protect in Mbit/s. Valid values: 10-15000.
  band_width      = 10
  # Enable audit log. Valid values: true, false.
  cfw_log         = false
  # Log storage capacity. Ignored when cfw_log is false.
  cfw_log_storage = 1000
  # Subscription period in months. Valid values: 1, 3, 6, 12, 24, 36.
  period          = 1
}

Initialize Terraform:
```
terraform init
```
A successful initialization ends with:
```
Terraform has been successfully initialized!
```
Preview the changes:
```
terraform plan
```

Apply the configuration:

terraform apply

Enter yes when prompted. A successful run ends with:

alicloud_cloud_firewall_instance.example: Creating...
alicloud_cloud_firewall_instance.example: Creation complete after 4s [id=vipcloudfw-cn-x0r36mo****]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Verify the result

Run Terraform show

Query the resources managed by Terraform:

terraform show

Check the Cloud Firewall console

Log on to the Cloud Firewall console. On the Cloud Firewall consoleOverview page, click Upgrade

Release resources

Important

For subscription billing, terraform destroy removes the instance from the Terraform state file but does not unsubscribe from Cloud Firewall. After running terraform destroy, log on to the Cloud Firewall console and manually unsubscribe.

Complete sample code

Run this example with a few clicks in Terraform Explorer.

resource "alicloud_cloud_firewall_instance" "example" {
  # Billing method. Valid values: Subscription, PayAsYouGo.
  payment_type    = "Subscription"
  # Edition. Valid values: premium_version, enterprise_version, ultimate_version.
  spec            = "premium_version"
  # Number of public IP addresses to protect. Valid values: 20-4000.
  ip_number       = 20
  # Peak Internet traffic to protect in Mbit/s. Valid values: 10-15000.
  band_width      = 10
  # Enable audit log. Valid values: true, false.
  cfw_log         = false
  # Log storage capacity. Ignored when cfw_log is false.
  cfw_log_storage = 1000
  # Subscription period in months. Valid values: 1, 3, 6, 12, 24, 36.
  period          = 1
}