This topic describes how to change the priority of an access control policy that is created for the Internet firewall by using Terraform.
You can run the sample code in this topic with a few clicks. For more information, visit Terraform Explorer.
Before you begin
An Alibaba Cloud account has all permissions on resources within the account. If an Alibaba Cloud account is leaked, the resources are exposed to major risks. We recommend that you use a Resource Access Management (RAM) user and create an AccessKey pair for the RAM user. For more information, see Create a RAM user and Create an AccessKey pair.
The following sample code describes how to grant permissions to a RAM user based on the principle of least privilege (PoLP). You must grant the required permissions on Cloud Firewall to the RAM user. For more information, see Grant permissions to RAM users.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "yundun-cloudfirewall:*", "yundun-ndr:*" ], "Resource": "*" } ] }Prepare the Terraform environment. You can use one of the following methods to use Terraform:
Use Terraform in Terraform Explorer: Alibaba Cloud provides Terraform Explorer, an online runtime environment for Terraform. You can use Terraform after you log on to Terraform Explorer without the need to install Terraform. For more information, see Use Terraform in Terraform Explorer. This method is suitable for scenarios in which you want to use and debug Terraform in a fast and convenient manner at no additional cost.
Use Terraform in Cloud Shell: Terraform is preinstalled in Cloud Shell and identity credentials are configured. You can directly run Terraform commands in Cloud Shell. For more information, see Use Terraform in Cloud Shell. This method is suitable for scenarios in which you want to use and debug Terraform in a fast and convenient manner at low cost.
Install and configure Terraform on your on-premises machine: This method is suitable for scenarios in which network conditions are poor or a custom development environment is used. For more information, see Install and configure Terraform in the local PC.
ImportantYou must install Terraform 0.12.28 or later. You can run the
terraform --versioncommand to query the Terraform version.
Resource
alicloud_cloud_firewall_control_policy: changes the priority of an access control policy created for Cloud Firewall.
Procedure
This section describes how to change the priority of an access control policy that is created for the Internet firewall.
Create a working directory and a configuration file named
main.tfin the directory. main.tf: This file is the main file of Terraform and defines the resources that you want to deploy. You must make sure that an access control policy is created for the Internet firewall.resource "alicloud_cloud_firewall_control_policy" "example" { # The application types that are supported by the policy. Valid values: ANY, HTTP, HTTPS, MQTT, Memcache, MongoDB, MySQL, RDP, Redis, SMTP, SMTPS, SSH, SSL, and VNC. application_name = "ANY" # The action on the traffic if the traffic meets the conditions that you specify in the policy. Valid values: accept, drop, and log. acl_action = "accept" # The description. description = "Created_by_terraform" # The type of the destination address in the policy. Valid values: net, group, domain, and location. destination_type = "net" # The destination address in the policy. destination = "100.1.1.0/24" # The direction of the traffic to which the policy applies. Valid values: in and out. direction = "out" # The protocol types that are supported by the policy. Valid values: ANY, TCP, UDP, and ICMP. proto = "ANY" # The source address in the policy. source = "1.2.3.0/24" # The type of the source address in the policy. Valid values: net, group, and location. source_type = "net" }# Change the priority of an access control policy that is created for the Internet firewall. resource "alicloud_cloud_firewall_control_policy_order" "example" { # The UUID of the access control policy. acl_uuid = alicloud_cloud_firewall_control_policy.example.acl_uuid # The direction of the traffic to which the access control policy applies. Valid values: in and out. direction = "out" # The priority of the access control policy. The priority value starts from 1. A smaller priority value indicates a higher priority. Note: The value -1 indicates the lowest priority. order = 1 }Run the following command to initialize
Terraform:terraform initIf the following information is returned, Terraform is initialized.
Initializing provider plugins... - Finding latest version of hashicorp/alicloud... - Installing hashicorp/alicloud v1.231.0... - Installed hashicorp/alicloud v1.231.0 (signed by HashiCorp) Terraform has created a lock file .terraform.lock.hcl to record the provider selections it made above. Include this file in your version control repository so that Terraform can guarantee to make the same selections by default when you run "terraform init" in the future. Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work. If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary.Create an execution plan and preview the changes.
terraform planRun the following command to change the priority of the access control policy that is created for the Internet firewall.
terraform applyDuring the execution, enter
yesas prompted and press the Enter key. Wait until the command is successfully executed. If the following information appears, the operation is successful:Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # alicloud_cloud_firewall_control_policy_order.example will be created + resource "alicloud_cloud_firewall_control_policy_order" "example" { + acl_uuid = "ef9bdf22-07d4-4080-8ec0-824ec3f0c*" + direction = "out" + id = (known after apply) + order = 1 } Plan: 1 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes alicloud_cloud_firewall_control_policy_order.example: Creating... alicloud_cloud_firewall_control_policy_order.example: Creation complete after 1s [id=ef9bdf22-07d4-4080-8ec0-824ec3f0c***:out] Apply complete! Resources: 1 added, 0 changed, 0 destroyed.Verify the result.
You can run the following command to view the details of the created access control policy:
terraform show# alicloud_cloud_firewall_control_policy_order.example: resource "alicloud_cloud_firewall_control_policy_order" "example" { acl_uuid = "ef9bdf22-07d4-4080-8ec0-824ec3f0c***" direction = "out" id = "ef9bdf22-07d4-4080-8ec0-824ec3f0c***:out" order = 1 }Log on to the Cloud Firewall console and go to the Access Control > Internet Border page. On the Internet Border page, search for the access control policy by using the policy ID and view the priority of the access control policy after the change.
Release resources
If you no longer require the preceding resources that are created or managed by using Terraform, run the following command to release the resources. For more information about the terraform destroy command, see Common commands.
terraform destroyComplete sample code
You can run the sample code with a few clicks. For more information, visit Terraform Explorer.