Cloud Firewall:Use Terraform to create an access control policy for the Internet firewall

Before you begin

• An Alibaba Cloud account has all permissions on resources within the account. If an Alibaba Cloud account is leaked, the resources are exposed to major risks. We recommend that you use a Resource Access Management (RAM) user and create an AccessKey pair for the RAM user. For more information, see Create a RAM user and Create an AccessKey pair.

• The following sample code describes how to grant permissions to a RAM user based on the principle of least privilege (PoLP). You must grant the required permissions on Cloud Firewall to the RAM user. For more information, see Grant permissions to RAM users.

  {
      "Version": "1",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "yundun-cloudfirewall:*",
                  "yundun-ndr:*"
              ],
              "Resource": "*"
          }
      ]
  }

• Prepare the Terraform environment. You can use one of the following methods to use Terraform:

  Use Terraform in Terraform Explorer: Alibaba Cloud provides Terraform Explorer, an online runtime environment for Terraform. You can use Terraform after you log on to Terraform Explorer without the need to install Terraform. For more information, see Use Terraform in Terraform Explorer. This method is suitable for scenarios in which you want to use and debug Terraform in a fast and convenient manner at no additional cost.

  Use Terraform in Cloud Shell: Terraform is preinstalled in Cloud Shell and identity credentials are configured. You can directly run Terraform commands in Cloud Shell. For more information, see Use Terraform in Cloud Shell. This method is suitable for scenarios in which you want to use and debug Terraform in a fast and convenient manner at low cost.

  Install and configure Terraform on your on-premises machine: This method is suitable for scenarios in which network conditions are poor or a custom development environment is used. For more information, see Install and configure Terraform in the local PC.

  Important

  You must install Terraform 0.12.28 or later. You can run the terraform --version command to query the Terraform version.

Resource

alicloud_cloud_firewall_control_policy: creates an access control policy for Cloud Firewall.

Use Terraform to create an access control policy for the Internet firewall

This section describes how to create an access control policy for the Internet firewall.

1. Create a working directory and a configuration file named main.tf in the directory. main.tf: This file is the main file of Terraform and defines the resources that you want to deploy.

   resource "alicloud_cloud_firewall_control_policy" "example" {
     # The application types that are supported by the policy. Valid values: ANY, HTTP, HTTPS, MQTT, Memcache, MongoDB, MySQL, RDP, Redis, SMTP, SMTPS, SSH, SSL, and VNC. 
     application_name = "ANY"
     # The action on the traffic if the traffic meets the conditions that you specify in the policy. Valid values: accept, drop, and log. 
     acl_action       = "accept"
     # The description.
     description      = "Created_by_terraform"
     # The type of the destination address in the policy. Valid values: net, group, domain, and location. 
     destination_type = "net"
     # The destination address in the policy. 
     destination      = "100.1.X.X/24"
     # The direction of the traffic to which the policy applies. Valid values: in and out. 
     direction        = "out"
     # The protocol types that are supported by the policy. Valid values: ANY, TCP, UDP, and ICMP. 
     proto            = "ANY"
     # The source address in the policy. 
     source           = "1.2.X.X/24"
     # The type of the source address in the policy. Valid values: net, group, and location. 
     source_type      = "net"
   }

2. Run the following command to initialize Terraform:

   terraform init

   If the following information is returned, Terraform is initialized.

   Initializing the backend...
   
   Initializing provider plugins...
   - Checking for available provider plugins...
   - Downloading plugin for provider "alicloud" (hashicorp/alicloud) 1.203.0...
   
   
   Warning: registry.terraform.io: For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers.
   
   
   Terraform has been successfully initialized!
   
   You may now begin working with Terraform. Try running "terraform plan" to see
   any changes that are required for your infrastructure. All Terraform commands
   should now work.
   
   If you ever set or change modules or backend configuration for Terraform,
   rerun this command to reinitialize your working directory. If you forget, other
   commands will detect it and remind you to do so if necessary.

3. Create an execution plan and preview the changes.

   terraform plan

4. Run the following command to create the access control policy for the Internet firewall:

   terraform apply

   During the execution, enter yes as prompted and press the Enter key. Wait until the command is successfully executed. If the following information appears, the operation is successful:

   Do you want to perform these actions?
     Terraform will perform the actions described above.
     Only 'yes' will be accepted to approve.
   
     Enter a value: yes
   
   alicloud_cloud_firewall_control_policy.example: Creating...
   alicloud_cloud_firewall_control_policy.example: Creation complete after 1s [id=ef9bdf22-07d4-4080-8ec0-824ec3****:out]
   
   Apply complete!  Resources: 1 added, 0 changed, 0 destroyed.

5. Verify the result.

   • You can run the following command to view the details of the created access control policy:

     terraform show

     # alicloud_cloud_firewall_control_policy.example:
     resource "alicloud_cloud_firewall_control_policy" "example" {
         acl_action       = "accept"
         acl_uuid         = "ef9bdf22-07d4-4080-8ec0-824ec3f0****"
         application_name = "ANY"
         description      = "Created_by_terraform"
         dest_port        = "0/0"
         dest_port_type   = "port"
         destination      = "100.X.X.X/24"
         destination_type = "net"
         direction        = "out"
         id               = "ef9bdf22-07d4-4080-8ec0-824ec****:out"
         ip_version       = "4"
         proto            = "ANY"
         release          = "true"
         source           = "1.X.X.X/24"
         source_type      = "net"
     }

   • Log on to the Cloud Firewall console to search for the access control policy by using the policy ID and view the details of the access control policy.

Release resources

If you no longer require the preceding resources that are created or managed by using Terraform, run the following command to release the resources. For more information about the terraform destroy command, see Common commands.

terraform destroy

resource "alicloud_cloud_firewall_control_policy" "example" {
  # The application types that are supported by the policy. Valid values: ANY, HTTP, HTTPS, MQTT, Memcache, MongoDB, MySQL, RDP, Redis, SMTP, SMTPS, SSH, SSL, and VNC. 
  application_name = "ANY"
  # The action on the traffic if the traffic meets the conditions that you specify in the policy. Valid values: accept, drop, and log. 
  acl_action       = "accept"
  # The description.
  description      = "Created_by_terraform"
  # The type of the destination address in the policy. Valid values: net, group, domain, and location. 
  destination_type = "net"
  # The destination address in the policy. 
  destination      = "100.1.X.X/24"
  # The direction of the traffic to which the policy applies. Valid values: in and out. 
  direction        = "out"
  # The protocol types that are supported by the policy. Valid values: ANY, TCP, UDP, and ICMP. 
  proto            = "ANY"
  # The source address in the policy. 
  source           = "1.2.X.X/24"
  # The type of the source address in the policy. Valid values: net, group, and location. 
  source_type      = "net"
}