Cloud Firewall:Use Terraform to activate Cloud Firewall

Before you begin

• An Alibaba Cloud account has all permissions on resources within the account. If an Alibaba Cloud account is leaked, the resources are exposed to major risks. We recommend that you use a Resource Access Management (RAM) user and create an AccessKey pair for the RAM user. For more information, see Create a RAM user and Create an AccessKey pair.

• The following sample code describes how to attach the AliyunBSSFullAccess policy and grant the required permissions on Cloud Firewall to a RAM user. The AliyunBSSFullAccess policy grants all permissions on the Alibaba Cloud Transactions and Bills Management OpenAPI (BSS OpenAPI). For more information, see Grant permissions to RAM users.

  {
      "Version": "1",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "yundun-cloudfirewall:CreateFirewall",
                  "yundun-cloudfirewall:DescribeFirewalls",
                  "yundun-cloudfirewall:DeleteFirewall"
              ],
              "Resource": "*"
          },
          {
              "Effect": "Allow",
              "Action": [
                  "bssapi:*",
                  "bss:*"
              ],
              "Resource": "*"
          }
      ]
  }

• Prepare the Terraform environment. You can use one of the following methods to use Terraform:

  Use Terraform in Terraform Explorer: Alibaba Cloud provides Terraform Explorer, an online runtime environment for Terraform. You can use Terraform after you log on to Terraform Explorer without the need to install Terraform. For more information, see Use Terraform in Terraform Explorer. This method is suitable for scenarios in which you want to use and debug Terraform in a fast and convenient manner at no additional cost.

  Use Terraform in Cloud Shell: Terraform is preinstalled in Cloud Shell and identity credentials are configured. You can directly run Terraform commands in Cloud Shell. For more information, see Use Terraform in Cloud Shell. This method is suitable for scenarios in which you want to use and debug Terraform in a fast and convenient manner at low cost.

  Install and configure Terraform on your on-premises machine: This method is suitable for scenarios in which network conditions are poor or a custom development environment is used. For more information, see Install and configure Terraform in the local PC.

  Important

  You must install Terraform 0.12.28 or later. You can run the terraform --version command to query the Terraform version.

Resource

alicloud_cloud_firewall_instance: activates Cloud Firewall.

This section describes how to activate Cloud Firewall.

1. Create a working directory and a configuration file named main.tf in the directory. main.tf: This file is the main file of Terraform and defines the resources that you want to deploy.

   resource "alicloud_cloud_firewall_instance" "example" {
     # The billing method of Cloud Firewall. Valid values: Subscription and PayAsYouGo. 
     payment_type    = "Subscription"
     # The edition of Cloud Firewall. Valid values: premium_version, enterprise_version, and ultimate_version. 
     spec            = "premium_version"
     # The number of public IP addresses that can be protected. Valid values: 20 to 4000. 
     ip_number       = 20
     # The peak Internet traffic that can be protected. Valid values: 10 to 15000. Unit: Mbit/s. 
     band_width      = 10
     # Specifies whether to enable the audit log feature. Valid values: true and false. 
     cfw_log         = false
     # The log storage capacity. This parameter is ignored if cfw_log is set to false. 
     cfw_log_storage = 1000
     # The cfw_service parameter is no longer supported and is removed from v1.209.1. 
     # cfw_service     = false
     # The subscription duration. Valid values: 1, 3, 6, 12, 24, and 36. 
     period          = 1
   }

2. Run the following command to initialize Terraform:

   terraform init

   If the following information is returned, Terraform is initialized.

   Initializing the backend...
   
   Initializing provider plugins...
   - Checking for available provider plugins...
   - Downloading plugin for provider "alicloud" (hashicorp/alicloud) 1.203.0...
   
   
   Warning: registry.terraform.io: For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers.
   
   
   Terraform has been successfully initialized!
   
   You may now begin working with Terraform. Try running "terraform plan" to see
   any changes that are required for your infrastructure. All Terraform commands
   should now work.
   
   If you ever set or change modules or backend configuration for Terraform,
   rerun this command to reinitialize your working directory. If you forget, other
   commands will detect it and remind you to do so if necessary.

3. Create an execution plan and preview the changes.

   terraform plan

4. Run the following command to activate Cloud Firewall:

   terraform apply

   During the execution, enter yes as prompted and press the Enter key. Wait until the command is successfully executed. If the following information appears, the operation is successful:

   An execution plan has been generated and is shown below.
   Resource actions are indicated with the following symbols:
     + create
   
   Terraform will perform the following actions:
   
     # alicloud_cloud_firewall_instance.example will be created
     + resource "alicloud_cloud_firewall_instance" "example" {
         + band_width            = 10
         + cfw_log               = false
         + cfw_log_storage       = 1000
         + cfw_service           = false
         + create_time           = (known after apply)
         + end_time              = (known after apply)
         + id                    = (known after apply)
         + ip_number             = 20
         + payment_type          = "Subscription"
         + period                = 6
         + release_time          = (known after apply)
         + renewal_duration_unit = (known after apply)
         + renewal_status        = (known after apply)
         + spec                  = "premium_version"
         + status                = (known after apply)
       }
   
   Plan: 1 to add, 0 to change, 0 to destroy.
   
   Do you want to perform these actions?
     Terraform will perform the actions described above.
     Only 'yes' will be accepted to approve.
   
     Enter a value: yes
   
   alicloud_cloud_firewall_instance.example: Creating...
   alicloud_cloud_firewall_instance.example: Creation complete after 4s [id=vipcloudfw-cn-x0r36mo****]
   
   Apply complete!  Resources: 1 added, 0 changed, 0 destroyed.

5. Verify the result.

   Run the terraform show command

   You can run the following command to query the resources that are created by Terraform:

   terraform show

   

   Log on to the Cloud Firewall console

   Log on to the Cloud Firewall console. On the Overview page, click Upgrade to view the current configurations of Cloud Firewall.

Release resources

Complete sample code

resource "alicloud_cloud_firewall_instance" "example" {
  # The billing method of Cloud Firewall. Valid values: Subscription and PayAsYouGo. 
  payment_type    = "Subscription"
  # The edition of Cloud Firewall. Valid values: premium_version, enterprise_version, and ultimate_version. 
  spec            = "premium_version"
  # The number of public IP addresses that can be protected. Valid values: 20 to 4000. 
  ip_number       = 20
  # The peak Internet traffic that can be protected. Valid values: 10 to 15000. Unit: Mbit/s. 
  band_width      = 10
  # Specifies whether to enable the audit log feature. Valid values: true and false. 
  cfw_log         = false
  # The log storage capacity. This parameter is ignored if cfw_log is set to false. 
  cfw_log_storage = 1000
  # The cfw_service parameter is no longer supported and is removed from v1.209.1. 
  # cfw_service     = false
  # The subscription duration. Valid values: 1, 3, 6, 12, 24, and 36. 
  period          = 1
}