This topic describes how to create an access control policy in a specific policy group for a virtual private cloud (VPC) firewall by using Terraform.
You can run the sample code in this topic with a few clicks. For more information, visit Terraform Explorer.
Before you begin
An Alibaba Cloud account has all permissions on resources within the account. If an Alibaba Cloud account is leaked, the resources are exposed to major risks. We recommend that you use a Resource Access Management (RAM) user and create an AccessKey pair for the RAM user. For more information, see Create a RAM user and Create an AccessKey pair.
The following sample code provides an example on how to grant permissions to a RAM user. For more information, see Grant permissions to RAM users.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "yundun-cloudfirewall:*",
        "yundun-ndr:*",
        "vpc:CreateVpc",
        "vpc:DeleteVpc",
        "vpc:DescribeVpcs",
        "vpc:CreateVSwitch",
        "vpc:DeleteVSwitch",
        "vpc:DescribeVSwitches",
        "vpc:CreateRouteEntry",
        "vpc:DeleteRouteEntry",
        "vpc:DescribeRouteEntries",
        "vpc:CreateVpcPeerConnection",
        "vpc:DeleteVpcPeerConnection",
        "vpc:DescribeVpcPeerConnections",
        "cloudfirewall:CreateVpcFirewall",
        "cloudfirewall:DeleteVpcFirewall",
        "cloudfirewall:DescribeVpcFirewalls"
      ],
      "Resource": "*"
    }
  ]
}
```

Prepare the Terraform environment. You can use one of the following methods to use Terraform:
Use Terraform in Terraform Explorer: Alibaba Cloud provides Terraform Explorer, an online runtime environment for Terraform. You can use Terraform after you log on to Terraform Explorer without the need to install Terraform. For more information, see Use Terraform in Terraform Explorer. This method is suitable for scenarios in which you want to use and debug Terraform in a fast and convenient manner at no additional cost.
Use Terraform in Cloud Shell: Terraform is preinstalled in Cloud Shell and identity credentials are configured. You can directly run Terraform commands in Cloud Shell. For more information, see Use Terraform in Cloud Shell. This method is suitable for scenarios in which you want to use and debug Terraform in a fast and convenient manner at low cost.
Install and configure Terraform on your on-premises machine: This method is suitable for scenarios in which network conditions are poor or a custom development environment is used. For more information, see Install and configure Terraform in the local PC.
Important: You must install Terraform 0.12.28 or later. You can run the `terraform --version` command to query the Terraform version.
Resource
alicloud_cloud_firewall_vpc_firewall_control_policy: creates an access control policy.
Procedure
Create a working directory and a configuration file named main.tf in the directory. main.tf is the main file of Terraform and defines the resources that you want to deploy. Make sure that a virtual private cloud (VPC) firewall is created.

```hcl
variable "region" {
  default = "cn-heyuan"
}

provider "alicloud" {
  region = var.region
}

# Obtain the ID of the current Alibaba Cloud account.
data "alicloud_account" "current" {
}

# Create VPC 1.
resource "alicloud_vpc" "vpc" {
  vpc_name   = "dd-tf-vpc-01"
  cidr_block = "192.168.0.0/16"
}

# Create VPC 2.
resource "alicloud_vpc" "vpc1" {
  vpc_name   = "dd-tf-vpc-02"
  cidr_block = "172.16.0.0/12"
}

# Create a vSwitch and allocate the CIDR block 192.168.10.0/24 to the vSwitch.
resource "alicloud_vswitch" "vsw" {
  vpc_id       = alicloud_vpc.vpc.id
  cidr_block   = "192.168.10.0/24"
  zone_id      = "cn-heyuan-a"
  vswitch_name = "dd-tf-vpc-01-example-1"
}

# Create a vSwitch and allocate the CIDR block 192.168.20.0/24 to the vSwitch.
resource "alicloud_vswitch" "vsw1" {
  vpc_id       = alicloud_vpc.vpc.id
  cidr_block   = "192.168.20.0/24"
  zone_id      = "cn-heyuan-b"
  vswitch_name = "dd-tf-vpc-01-example-2"
}

# Create a vSwitch and allocate the CIDR block 172.16.10.0/24 to the vSwitch.
resource "alicloud_vswitch" "vsw2" {
  vpc_id       = alicloud_vpc.vpc1.id
  cidr_block   = "172.16.10.0/24"
  zone_id      = "cn-heyuan-a"
  vswitch_name = "dd-tf-vpc-02-example-11"
}

# Create a vSwitch and allocate the CIDR block 172.16.20.0/24 to the vSwitch.
resource "alicloud_vswitch" "vsw3" {
  vpc_id       = alicloud_vpc.vpc1.id
  cidr_block   = "172.16.20.0/24"
  zone_id      = "cn-heyuan-b"
  vswitch_name = "dd-tf-vpc-02-example-22"
}

# Create a VPC peering connection.
resource "alicloud_vpc_peer_connection" "default" {
  # The name of the VPC peering connection.
  peer_connection_name = "terraform-example-vpc-peer-connection"
  # The ID of the initiator VPC.
  vpc_id = alicloud_vpc.vpc.id
  # The Alibaba Cloud account ID of the acceptor VPC.
  accepting_ali_uid = data.alicloud_account.current.id
  # The region ID of the acceptor VPC. If the two VPCs are in the same region, enter the region ID
  # of the initiator VPC. If the VPCs are in different regions, enter a different region ID.
  accepting_region_id = "cn-heyuan"
  # The ID of the acceptor VPC.
  accepting_vpc_id = alicloud_vpc.vpc1.id
  # The description.
  description = "terraform-example"
  # Specifies whether to forcibly delete the VPC peering connection.
  force_delete = true
}

# Accept the VPC peering connection on the acceptor VPC.
resource "alicloud_vpc_peer_connection_accepter" "default" {
  instance_id = alicloud_vpc_peer_connection.default.id
}

# Configure a route in VPC-A.
resource "alicloud_route_entry" "foo" {
  # The ID of the route table of VPC-A.
  route_table_id = alicloud_vpc.vpc.route_table_id
  # The custom destination CIDR block.
  destination_cidrblock = "1.2.3.4/32"
  # The type of the next hop.
  nexthop_type = "VpcPeer"
  # The ID of the next hop.
  nexthop_id = alicloud_vpc_peer_connection.default.id
}

# Configure a route in VPC-B.
resource "alicloud_route_entry" "foo1" {
  # The ID of the route table of VPC-B.
  route_table_id = alicloud_vpc.vpc1.route_table_id
  # The custom destination CIDR block.
  destination_cidrblock = "4.3.X.X/32"
  # The type of the next hop.
  nexthop_type = "VpcPeer"
  # The ID of the next hop.
  nexthop_id = alicloud_vpc_peer_connection.default.id
}

# Wait for the other required resources to become ready.
resource "time_sleep" "wait_before_firewall" {
  # Make sure that a Cloud Enterprise Network (CEN) instance and a VPC peering connection are created.
  depends_on = [
    alicloud_route_entry.foo,
    alicloud_route_entry.foo1
  ]
  create_duration = "720s" # Specify a value based on your business requirements.
}

# Wait for the delay to elapse before the VPC firewall is created.
resource "null_resource" "wait_for_firewall" {
  provisioner "local-exec" {
    command = "echo waiting for firewall to be ready"
  }
  # Make sure that a CEN instance is created.
  depends_on = [time_sleep.wait_before_firewall]
}

# The VPC firewall for the VPC peering connection or Express Connect circuit.
resource "alicloud_cloud_firewall_vpc_firewall" "default" {
  # The required dependencies.
  depends_on = [
    null_resource.wait_for_firewall
  ]
  timeouts {
    create = "30m" # The timeout period of the creation operation.
  }
  # The name of the instance.
  vpc_firewall_name = "tf-test"
  # The ID of the user.
  member_uid = data.alicloud_account.current.id
  local_vpc {
    # The ID of the initiator VPC.
    vpc_id = alicloud_vpc.vpc.id
    # The region.
    region_no = "cn-heyuan"
    # The route.
    local_vpc_cidr_table_list {
      # The ID of the route table.
      local_route_table_id = alicloud_vpc.vpc.route_table_id
      local_route_entry_list {
        # The next hop.
        local_next_hop_instance_id = alicloud_vpc_peer_connection.default.id
        # The destination CIDR block.
        local_destination_cidr = alicloud_route_entry.foo.destination_cidrblock
      }
    }
  }
  peer_vpc {
    # The ID of the acceptor VPC.
    vpc_id = alicloud_vpc.vpc1.id
    # The region.
    region_no = "cn-heyuan"
    # The route.
    peer_vpc_cidr_table_list {
      # The ID of the route table.
      peer_route_table_id = alicloud_vpc.vpc1.route_table_id
      peer_route_entry_list {
        # The destination CIDR block.
        peer_destination_cidr = alicloud_route_entry.foo1.destination_cidrblock
        # The next hop.
        peer_next_hop_instance_id = alicloud_vpc_peer_connection.default.id
      }
    }
  }
  # The status of the resource. Valid values:
  # open: The VPC firewall is automatically enabled after it is created.
  # close: The VPC firewall is not automatically enabled after it is created.
  status = "open"
}

resource "alicloud_cloud_firewall_vpc_firewall_control_policy" "default" {
  # The priority of the access control policy. The priority value starts from 1. A smaller value indicates a higher priority.
  order = "1"
  # The destination address in the policy.
  destination = "0.0.0.0/0"
  # The application types that are supported by the policy.
  application_name = "ANY"
  # The description of the policy.
  description = "Created_by_Terraform"
  # The type of the source address in the policy. Valid values: net and group.
  source_type = "net"
  # Optional. The destination port in the policy.
  dest_port = "80/88"
  # The action on traffic if the traffic meets the conditions that you specify in the policy. Valid values: accept, drop, and log.
  acl_action = "accept"
  # The language of the content within the request and response. Valid values: zh and en.
  lang = "zh"
  # If you set the destination type to net, the value of destination must be a CIDR block.
  destination_type = "net"
  # The source address in the policy.
  source = "0.0.0.0/0"
  # The type of the destination port in the policy. Valid values: port and group.
  dest_port_type = "port"
  # The protocol type in the policy. Valid values: ANY, TCP, UDP, and ICMP.
  proto = "TCP"
  # The status of the policy. By default, a policy is enabled after it is created.
  release = true
  # The ID of the current Alibaba Cloud account.
  member_uid = data.alicloud_account.current.id
  # The ID of the VPC firewall.
  vpc_firewall_id = alicloud_cloud_firewall_vpc_firewall.default.id
}
```

Run the following command to initialize Terraform:

```bash
terraform init
```

If the following information is returned, Terraform is initialized:

```
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/alicloud...
- Using hashicorp/alicloud v1.231.0 from the shared cache directory

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

╷
│ Warning: Additional provider information from registry
│
│ The remote registry returned warnings for registry.terraform.io/hashicorp/alicloud:
│ - For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers.
╵

╷
│ Warning: Incomplete lock file information for providers
│
│ Due to your customized provider installation methods, Terraform was forced to calculate lock file checksums locally for the following providers:
│   - hashicorp/alicloud
│
│ The current .terraform.lock.hcl file only includes checksums for linux_amd64, so Terraform running on another platform will fail to install these providers.
│
│ To calculate additional checksums for another platform, run:
│   terraform providers lock -platform=linux_amd64
│ (where linux_amd64 is the platform to generate)
╵

Terraform has been successfully initialized!
```

Create an execution plan and preview the changes.

```bash
terraform plan
```

Run the following command to create the access control policy in a specific policy group for the specified VPC firewall:

```bash
terraform apply
```

During the execution, enter yes as prompted and press the Enter key. Wait until the command is successfully executed. If the following information appears, the operation is successful:

```
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # alicloud_cloud_firewall_vpc_firewall_control_policy.default will be created
  + resource "alicloud_cloud_firewall_vpc_firewall_control_policy" "default" {
      + acl_action              = "accept"
      + acl_uuid                = (known after apply)
      + application_id          = (known after apply)
      + application_name        = "ANY"
      + description             = "Created_by_Terraform"
      + dest_port               = "80/88"
      + dest_port_group_ports   = (known after apply)
      + dest_port_type          = "port"
      + destination             = "0.0.0.0/0"
      + destination_group_cidrs = (known after apply)
      + destination_group_type  = (known after apply)
      + destination_type        = "net"
      + hit_times               = (known after apply)
      + id                      = (known after apply)
      + lang                    = "zh"
      + member_uid              = "1413397765616***"
      + order                   = 1
      + proto                   = "TCP"
      + release                 = true
      + source                  = "0.0.0.0/0"
      + source_group_cidrs      = (known after apply)
      + source_group_type       = (known after apply)
      + source_type             = "net"
      + vpc_firewall_id         = "vfw-c7536567ab694fb1a***"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

alicloud_cloud_firewall_vpc_firewall_control_policy.default: Creating...
alicloud_cloud_firewall_vpc_firewall_control_policy.default: Creation complete after 0s [id=vfw-c7536567ab694fb1a59f:ca14e184-15dc-4a68-b0d8-fb71a15ff***]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
```

Verify the result.
Run the terraform show command
You can run the following command to view the details of the created access control policy:
```bash
terraform show
```

```
# alicloud_cloud_firewall_vpc_firewall_control_policy.default:
resource "alicloud_cloud_firewall_vpc_firewall_control_policy" "default" {
    acl_action              = "accept"
    acl_uuid                = "ba164e52-acd2-4899-bf72-6816b13a****"
    application_id          = "0"
    application_name        = "ANY"
    description             = "Created_by_Terraform"
    dest_port               = "80/88"
    dest_port_group_ports   = []
    dest_port_type          = "port"
    destination             = "0.X.X.0/0"
    destination_group_cidrs = []
    destination_type        = "net"
    hit_times               = 0
    id                      = "vfw-d7b8ce273791475b****:ba164e52-acd2-4899-bf72-6816b13a****"
    lang                    = "zh"
    member_uid              = "1415189284827****"
    order                   = 1
    proto                   = "TCP"
    release                 = true
    source                  = "0.X.X.0/0"
    source_group_cidrs      = []
    source_type             = "net"
    vpc_firewall_id         = "vfw-d7b8ce273791475b****"
}
```

Log on to the Cloud Firewall console
Log on to the Cloud Firewall console and go to the Access Control > VPC Border page. On the VPC Border page, view the details of the access control policy.
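The sample policy accepts TCP 80/88 from 0.0.0.0/0 to 0.0.0.0/0, which is wider than most workloads need. The following added check (example code, not part of this topic or of the Alibaba Cloud provider) reads the JSON form of `terraform show` and flags any control policy that accepts traffic from any source to any destination; the `review_workspace` helper name and the embedded sample state are constructed for this example and are not on the page.

```python
"""Added example (not from the original topic): a post-apply guardrail that reads
`terraform show -json` and flags VPC firewall control policies that accept traffic
from any source CIDR to any destination CIDR, as the sample main.tf does."""
import json
import subprocess

POLICY_TYPE = "alicloud_cloud_firewall_vpc_firewall_control_policy"
ANY_CIDR = "0.0.0.0/0"

def policies(state: dict) -> list[dict]:
    """Collect the attribute maps of all control policies in the root module."""
    root = state.get("values", {}).get("root_module", {})
    return [r["values"] for r in root.get("resources", []) if r.get("type") == POLICY_TYPE]

def is_any_to_any_accept(policy: dict) -> bool:
    """True when the policy accepts from any CIDR to any CIDR (net-type addresses only)."""
    return (policy.get("acl_action") == "accept"
            and policy.get("source_type") == "net" and policy.get("source") == ANY_CIDR
            and policy.get("destination_type") == "net" and policy.get("destination") == ANY_CIDR)

def review(state: dict) -> list[str]:
    """Return one finding per over-permissive policy, ordered by policy priority."""
    findings = []
    for p in sorted(policies(state), key=lambda p: int(p.get("order", 0))):
        if is_any_to_any_accept(p):
            scope = "all ports" if p.get("proto") == "ANY" else f"{p.get('proto')} {p.get('dest_port')}"
            findings.append(f"order {p['order']}: accept from any source to any destination "
                            f"({scope}); narrow the source and destination")
    return findings

def review_workspace() -> list[str]:
    """Run the check against the current Terraform workspace (needs terraform on PATH)."""
    out = subprocess.run(["terraform", "show", "-json"], capture_output=True, text=True, check=True)
    return review(json.loads(out.stdout))

# Constructed sample in the shape of `terraform show -json`: the policy from main.tf
# plus a narrower policy between the two VPC CIDR blocks used in this topic.
SAMPLE_STATE = {"values": {"root_module": {"resources": [
    {"type": POLICY_TYPE, "name": "default", "values": {
        "order": 1, "acl_action": "accept", "proto": "TCP", "dest_port": "80/88",
        "source_type": "net", "source": ANY_CIDR,
        "destination_type": "net", "destination": ANY_CIDR}},
    {"type": POLICY_TYPE, "name": "narrow", "values": {
        "order": 2, "acl_action": "accept", "proto": "TCP", "dest_port": "443",
        "source_type": "net", "source": "192.168.0.0/16",
        "destination_type": "net", "destination": "172.16.0.0/12"}},
]}}}

if __name__ == "__main__":
    print("\n".join(review(SAMPLE_STATE)))
```

Run it in the working directory after `terraform apply` via `review_workspace()` to check the real state instead of the embedded sample.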
Release resources
If you no longer require the preceding resources that are created or managed by using Terraform, run the following command to release the resources. For more information about the terraform destroy command, see Common commands.
```bash
terraform destroy
```

Complete sample code
You can run the sample code in this topic with a few clicks. For more information, visit Terraform Explorer.