All Products
Search

This Product

    Cloud Firewall:Use Terraform to create a VPC firewall for an Enterprise Edition transit router of a CEN instance

    Document Center

    Cloud Firewall:Use Terraform to create a VPC firewall for an Enterprise Edition transit router of a CEN instance

    Last Updated:Dec 23, 2024

    This topic describes how to create a virtual private cloud (VPC) firewall for an Enterprise Edition transit router of a Cloud Enterprise Network (CEN) instance by using Terraform.

    Note

    You can run the sample code in this topic with a few clicks. For more information, visit Terraform Explorer.

    Before you begin

    • An Alibaba Cloud account has all permissions on resources within the account. If an Alibaba Cloud account is leaked, the resources are exposed to major risks. We recommend that you use a Resource Access Management (RAM) user and create an AccessKey pair for the RAM user. For more information, see Create a RAM user and Create an AccessKey pair.

    • The following sample code describes how to attach the AliyunBSSFullAccess policy and grant the required permissions on Cloud Firewall to a RAM user.

      The AliyunBSSFullAccess policy grants all permissions on the Alibaba Cloud Transactions and Bills Management OpenAPI (BSS OpenAPI). For more information, see Grant permissions to RAM users. 

      {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "yundun-cloudfirewall:CreateVpcFirewallCenConfigure",
                "yundun-cloudfirewall:CreateVpcFirewallCenManualConfigure",
                "yundun-cloudfirewall:ModifyVpcFirewallCenConfigure",
                "yundun-cloudfirewall:ModifyVpcFirewallCenSwitchStatus",
                "yundun-cloudfirewall:DeleteVpcFirewallCenConfigure",
                "yundun-cloudfirewall:DescribeVpcFirewallCenDetail",
                "yundun-cloudfirewall:DescribeVpcFirewallCenList"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "bssapi:*",
                "bss:*"
            ],
            "Resource": "*"
        }
    ]
}

    • Prepare the Terraform environment. You can use one of the following methods to use Terraform:

      Use Terraform in Terraform Explorer: Alibaba Cloud provides Terraform Explorer, an online runtime environment for Terraform. You can use Terraform after you log on to Terraform Explorer without the need to install Terraform. For more information, see Use Terraform in Terraform Explorer. This method is suitable for scenarios in which you want to use and debug Terraform in a fast and convenient manner at no additional cost.

      Use Terraform in Cloud Shell: Terraform is preinstalled in Cloud Shell and identity credentials are configured. You can directly run Terraform commands in Cloud Shell. For more information, see Use Terraform in Cloud Shell. This method is suitable for scenarios in which you want to use and debug Terraform in a fast and convenient manner at low cost.

      Install and configure Terraform on your on-premises machine: This method is suitable for scenarios in which network conditions are poor or a custom development environment is used. For more information, see Install and configure Terraform in the local PC.

      Important

      You must install Terraform 0.12.28 or later. You can run the terraform --version command to query the Terraform version.

    Resource

    alicloud_cloud_firewall_vpc_cen_tr_firewall: creates a VPC firewall for an Enterprise Edition transit router of a CEN instance.

    Create a VPC firewall

    Procedure

    This section describes how to create a VPC firewall for an Enterprise Edition transit router of a CEN instance.

    1. Create a working directory and a configuration file named main.tf in the directory. main.tf: This file is the main file of Terraform and defines the resources that you want to deploy. 

      variable "name" {
  default = "terraform-example"
}

provider "alicloud" {
  region = "cn-hangzhou"
}

variable "description" {
  default = "Created by Terraform"
}

variable "firewall_name" {
  default = "tf-example"
}

variable "tr_attachment_master_cidr" {
  default = "192.168.3.192/26"
}

variable "firewall_subnet_cidr" {
  default = "192.168.3.0/25"
}

variable "region" {
  default = "cn-hangzhou"
}

variable "tr_attachment_slave_cidr" {
  default = "192.168.3.128/26"
}

variable "firewall_vpc_cidr" {
  default = "192.168.3.0/24"
}

variable "zone1" {
  default = "cn-hangzhou-h"
}

variable "firewall_name_update" {
  default = "tf-example-1"
}

variable "zone2" {
  default = "cn-hangzhou-i"
}

data "alicloud_cen_transit_router_available_resources" "default" {
}

data "alicloud_zones" "default" {
  available_resource_creation = "VSwitch"
}

resource "alicloud_cen_instance" "cen" {
  description       = "terraform example"
  cen_instance_name = var.name
}

resource "alicloud_cen_transit_router" "tr" {
  transit_router_name        = var.name
  transit_router_description = "tr-created-by-terraform"
  cen_id                     = alicloud_cen_instance.cen.id
}

resource "alicloud_vpc" "vpc1" {
  description = "created by terraform"
  cidr_block  = "192.168.1.0/24"
  vpc_name    = var.name
}

resource "alicloud_vswitch" "vpc1vsw1" {
  cidr_block   = "192.168.1.0/25"
  vswitch_name = var.name
  vpc_id       = alicloud_vpc.vpc1.id
  zone_id      = data.alicloud_cen_transit_router_available_resources.default.resources[0].master_zones[1]
}

resource "alicloud_vswitch" "vpc1vsw2" {
  vpc_id       = alicloud_vpc.vpc1.id
  cidr_block   = "192.168.1.128/26"
  vswitch_name = var.name
  zone_id      = data.alicloud_cen_transit_router_available_resources.default.resources[0].master_zones[2]
}

resource "alicloud_route_table" "foo" {
  vpc_id           = alicloud_vpc.vpc1.id
  route_table_name = var.name
  description      = var.name
}

resource "alicloud_cen_transit_router_vpc_attachment" "tr-vpc1" {
  zone_mappings {
    vswitch_id = alicloud_vswitch.vpc1vsw1.id
    zone_id    = data.alicloud_cen_transit_router_available_resources.default.resources[0].master_zones[1]
  }
  zone_mappings {
    zone_id    = data.alicloud_cen_transit_router_available_resources.default.resources[0].master_zones[2]
    vswitch_id = alicloud_vswitch.vpc1vsw2.id
  }
  vpc_id            = alicloud_vpc.vpc1.id
  cen_id            = alicloud_cen_instance.cen.id
  transit_router_id = alicloud_cen_transit_router.tr.transit_router_id
  depends_on        = [alicloud_route_table.foo]
}

resource "time_sleep" "wait_10_minutes" {
  depends_on = [alicloud_cen_transit_router_vpc_attachment.tr-vpc1]

  create_duration = "10m"
}

resource "alicloud_cloud_firewall_vpc_cen_tr_firewall" "default" {
  cen_id                    = alicloud_cen_transit_router_vpc_attachment.tr-vpc1.cen_id
  firewall_name             = var.name
  firewall_subnet_cidr      = var.firewall_subnet_cidr
  tr_attachment_slave_cidr  = var.tr_attachment_slave_cidr
  firewall_description      = "VpcCenTrFirewall created by terraform"
  region_no                 = var.region
  tr_attachment_master_cidr = var.tr_attachment_master_cidr
  firewall_vpc_cidr         = var.firewall_vpc_cidr
  transit_router_id         = alicloud_cen_transit_router.tr.transit_router_id
  route_mode                = "managed"

  depends_on = [time_sleep.wait_10_minutes]
}

    2. Run the following command to initialize Terraform: 

      terraform init

      If the following information is returned, Terraform is initialized: 

      Initializing the backend...

Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "time" (hashicorp/time) 0.12.1...
- Downloading plugin for provider "alicloud" (hashicorp/alicloud) 1.238.0...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.alicloud: version = "~> 1.238"
* provider.time: version = "~> 0.12"


Warning: registry.terraform.io: For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers.


Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

    3. Create an execution plan and preview the changes. 

      terraform plan

    4. Run the following command to create the VPC firewall: 

      terraform apply

      During the execution, enter yes as prompted and press the Enter key. Wait until the command is successfully executed. If the following information appears, the operation is successful:

      Note

      If no VPC firewall is created for the transit router specified in the main.tf file, the system creates a VPC firewall based on the file. If a VPC firewall is already created for the transit router, the system modifies the configurations of the VPC firewall based on the file. The numbers of resources in the outputs of the plan and apply commands vary based on the resources within your account. The actual resources within your account shall prevail. 

      alicloud_vpc.vpc1: Creating...
alicloud_vpc.vpc1: Creation complete after 7s [id=vpc-bp1apj641aaonvpocqrn8]
alicloud_route_table.foo: Creating...
alicloud_vswitch.vpc1vsw1: Creating...
alicloud_vswitch.vpc1vsw2: Creating...
alicloud_route_table.foo: Creation complete after 3s [id=vtb-bp1owz6rahb5oqftbd4pt]
alicloud_vswitch.vpc1vsw1: Creation complete after 7s [id=vsw-bp1kqr2wtnz9nyqzpqpvg]
alicloud_vswitch.vpc1vsw2: Still creating... [10s elapsed]
alicloud_vswitch.vpc1vsw2: Creation complete after 13s [id=vsw-bp1dpzmh55f6ezk3m1q02]
alicloud_cen_transit_router_vpc_attachment.tr-vpc1: Creating...
alicloud_cen_transit_router_vpc_attachment.tr-vpc1: Still creating... [10s elapsed]
alicloud_cen_transit_router_vpc_attachment.tr-vpc1: Still creating... [20s elapsed]
alicloud_cen_transit_router_vpc_attachment.tr-vpc1: Still creating... [30s elapsed]
alicloud_cen_transit_router_vpc_attachment.tr-vpc1: Still creating... [40s elapsed]
alicloud_cen_transit_router_vpc_attachment.tr-vpc1: Still creating... [50s elapsed]
alicloud_cen_transit_router_vpc_attachment.tr-vpc1: Still creating... [1m0s elapsed]
alicloud_cen_transit_router_vpc_attachment.tr-vpc1: Still creating... [1m10s elapsed]
alicloud_cen_transit_router_vpc_attachment.tr-vpc1: Creation complete after 1m17s [id=cen-9sbqmk479yu5y1y66d:tr-attach-e9ji0mjibg9y10ets4]
time_sleep.wait_10_minutes: Creating...
time_sleep.wait_10_minutes: Still creating... [10s elapsed]
time_sleep.wait_10_minutes: Still creating... [20s elapsed]
time_sleep.wait_10_minutes: Still creating... [30s elapsed]
time_sleep.wait_10_minutes: Still creating... [40s elapsed]
time_sleep.wait_10_minutes: Still creating... [50s elapsed]
time_sleep.wait_10_minutes: Still creating... [1m0s elapsed]
time_sleep.wait_10_minutes: Still creating... [1m10s elapsed]
time_sleep.wait_10_minutes: Still creating... [1m20s elapsed]
time_sleep.wait_10_minutes: Still creating... [1m30s elapsed]
time_sleep.wait_10_minutes: Still creating... [1m40s elapsed]
time_sleep.wait_10_minutes: Still creating... [1m50s elapsed]
time_sleep.wait_10_minutes: Still creating... [2m0s elapsed]
time_sleep.wait_10_minutes: Still creating... [2m10s elapsed]
time_sleep.wait_10_minutes: Still creating... [2m20s elapsed]
time_sleep.wait_10_minutes: Still creating... [2m30s elapsed]
time_sleep.wait_10_minutes: Still creating... [2m40s elapsed]
time_sleep.wait_10_minutes: Still creating... [2m50s elapsed]
time_sleep.wait_10_minutes: Still creating... [3m0s elapsed]
time_sleep.wait_10_minutes: Still creating... [3m10s elapsed]
time_sleep.wait_10_minutes: Still creating... [3m20s elapsed]
time_sleep.wait_10_minutes: Still creating... [3m30s elapsed]
time_sleep.wait_10_minutes: Still creating... [3m40s elapsed]
time_sleep.wait_10_minutes: Still creating... [3m50s elapsed]
time_sleep.wait_10_minutes: Still creating... [4m0s elapsed]
time_sleep.wait_10_minutes: Still creating... [4m10s elapsed]
time_sleep.wait_10_minutes: Still creating... [4m20s elapsed]
time_sleep.wait_10_minutes: Still creating... [4m30s elapsed]
time_sleep.wait_10_minutes: Still creating... [4m40s elapsed]
time_sleep.wait_10_minutes: Still creating... [4m50s elapsed]
time_sleep.wait_10_minutes: Still creating... [5m0s elapsed]
time_sleep.wait_10_minutes: Still creating... [5m10s elapsed]
time_sleep.wait_10_minutes: Still creating... [5m20s elapsed]
time_sleep.wait_10_minutes: Still creating... [5m30s elapsed]
time_sleep.wait_10_minutes: Still creating... [5m40s elapsed]
time_sleep.wait_10_minutes: Still creating... [5m50s elapsed]
time_sleep.wait_10_minutes: Still creating... [6m0s elapsed]
time_sleep.wait_10_minutes: Still creating... [6m10s elapsed]
time_sleep.wait_10_minutes: Still creating... [6m20s elapsed]
time_sleep.wait_10_minutes: Still creating... [6m30s elapsed]
time_sleep.wait_10_minutes: Still creating... [6m40s elapsed]
time_sleep.wait_10_minutes: Still creating... [6m50s elapsed]
time_sleep.wait_10_minutes: Still creating... [7m0s elapsed]
time_sleep.wait_10_minutes: Still creating... [7m10s elapsed]
time_sleep.wait_10_minutes: Still creating... [7m20s elapsed]
time_sleep.wait_10_minutes: Still creating... [7m30s elapsed]
time_sleep.wait_10_minutes: Still creating... [7m40s elapsed]
time_sleep.wait_10_minutes: Still creating... [7m50s elapsed]
time_sleep.wait_10_minutes: Still creating... [8m0s elapsed]
time_sleep.wait_10_minutes: Still creating... [8m10s elapsed]
time_sleep.wait_10_minutes: Still creating... [8m20s elapsed]
time_sleep.wait_10_minutes: Still creating... [8m30s elapsed]
time_sleep.wait_10_minutes: Still creating... [8m40s elapsed]
time_sleep.wait_10_minutes: Still creating... [8m50s elapsed]
time_sleep.wait_10_minutes: Still creating... [9m0s elapsed]
time_sleep.wait_10_minutes: Still creating... [9m10s elapsed]
time_sleep.wait_10_minutes: Still creating... [9m20s elapsed]
time_sleep.wait_10_minutes: Still creating... [9m30s elapsed]
time_sleep.wait_10_minutes: Still creating... [9m40s elapsed]
time_sleep.wait_10_minutes: Still creating... [9m50s elapsed]
time_sleep.wait_10_minutes: Still creating... [10m0s elapsed]
time_sleep.wait_10_minutes: Creation complete after 10m0s [id=2024-12-17T03:55:32Z]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Creating...
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [10s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [20s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [30s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [40s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [50s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [1m0s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [1m10s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [1m20s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [1m30s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [1m40s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [1m50s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [2m0s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [2m10s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [2m20s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [2m30s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [2m40s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [2m50s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [3m0s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [3m10s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [3m20s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [3m30s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [3m40s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [3m50s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [4m0s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [4m10s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [4m20s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Still creating... [4m30s elapsed]
alicloud_cloud_firewall_vpc_cen_tr_firewall.default: Creation complete after 4m39s [id=vfw-tr-f6524a0da36e44d285f8]

Apply complete!  Resources: 7 added, 0 changed, 0 destroyed.

    5. Verify the result.

      Run the terraform show command

      You can run the following command to view the details of the created access control policy: 

      terraform show

      Result

      shell@Alicloud:~$ terraform show
# alicloud_cen_instance.cen:
resource "alicloud_cen_instance" "cen" {
    cen_instance_name = "terraform-example"
    description       = "terraform example"
    id                = "cen-74686vyua3r13lv0nc"
    name              = "terraform-example"
    protection_level  = "REDUCED"
    resource_group_id = "rg-acfmykq77cck7dq"
    status            = "Active"
}

# alicloud_cen_transit_router.tr:
resource "alicloud_cen_transit_router" "tr" {
    cen_id                     = "cen-74686vyua3r13lv0nc"
    id                         = "cen-74686vyua3r13lv0nc:tr-bp1sxqrc3lh4lyd3ya6oh"
    status                     = "Active"
    support_multicast          = false
    transit_router_description = "tr-created-by-terraform"
    transit_router_id          = "tr-bp1sxqrc3lh4lyd3ya6oh"
    transit_router_name        = "terraform-example"
    type                       = "Enterprise"
}

# alicloud_cen_transit_router_vpc_attachment.tr-vpc1:
resource "alicloud_cen_transit_router_vpc_attachment" "tr-vpc1" {
    auto_publish_route_enabled            = false
    cen_id                                = "cen-74686vyua3r13lv0nc"
    create_time                           = "2024-12-17T10:10Z"
    id                                    = "cen-74686vyua3r13lv0nc:tr-attach-2y3fayi094mukex3l8"
    payment_type                          = "PayAsYouGo"
    resource_type                         = "VPC"
    status                                = "Attached"
    transit_router_attachment_id          = "tr-attach-2y3fayi094mukex3l8"
    transit_router_id                     = "tr-bp1sxqrc3lh4lyd3ya6oh"
    transit_router_vpc_attachment_options = {
        "ipv6Support" = "disable"
    }
    vpc_id                                = "vpc-bp14jln06jkpbsk8l31w1"
    vpc_owner_id                          = 1415189284827022

    zone_mappings {
        vswitch_id = "vsw-bp1ivri7xd5fslxm4hehi"
        zone_id    = "cn-hangzhou-j"
    }
    zone_mappings {
        vswitch_id = "vsw-bp1mr7iopn8oxte35uvfv"
        zone_id    = "cn-hangzhou-i"
    }
}

# alicloud_cloud_firewall_vpc_cen_tr_firewall.default:
resource "alicloud_cloud_firewall_vpc_cen_tr_firewall" "default" {
    cen_id                    = "cen-74686vyua3r13lv0nc"
    firewall_description      = "VpcCenTrFirewall created by terraform"
    firewall_name             = "terraform-example"
    firewall_subnet_cidr      = "192.168.3.0/25"
    firewall_vpc_cidr         = "192.168.3.0/24"
    id                        = "vfw-tr-beec8a3d978e470a84cf"
    region_no                 = "cn-hangzhou"
    route_mode                = "managed"
    status                    = "Ready"
    tr_attachment_master_cidr = "192.168.3.192/26"
    tr_attachment_slave_cidr  = "192.168.3.128/26"
    transit_router_id         = "tr-bp1sxqrc3lh4lyd3ya6oh"
}

# alicloud_route_table.foo:
resource "alicloud_route_table" "foo" {
    associate_type    = "VSwitch"
    create_time       = "2024-12-17T10:10:19Z"
    description       = "terraform-example"
    id                = "vtb-bp1s12vu1hlo4aws55i3l"
    name              = "terraform-example"
    resource_group_id = "rg-acfmykq77cck7dq"
    route_table_name  = "terraform-example"
    status            = "Available"
    vpc_id            = "vpc-bp14jln06jkpbsk8l31w1"
}

# alicloud_vpc.vpc1:
resource "alicloud_vpc" "vpc1" {
    cidr_block            = "192.168.1.0/24"
    classic_link_enabled  = false
    create_time           = "2024-12-17T10:10:13Z"
    description           = "created by terraform"
    enable_ipv6           = false
    id                    = "vpc-bp14jln06jkpbsk8l31w1"
    ipv6_cidr_blocks      = []
    name                  = "terraform-example"
    resource_group_id     = "rg-acfmykq77cck7dq"
    route_table_id        = "vtb-bp1c8tifgo0qlyeiqkd3n"
    router_id             = "vrt-bp1462y6c9htwfa0eub0y"
    router_table_id       = "vtb-bp1c8tifgo0qlyeiqkd3n"
    secondary_cidr_blocks = []
    status                = "Available"
    user_cidrs            = []
    vpc_name              = "terraform-example"
}

# alicloud_vswitch.vpc1vsw1:
resource "alicloud_vswitch" "vpc1vsw1" {
    availability_zone = "cn-hangzhou-i"
    cidr_block        = "192.168.1.0/25"
    create_time       = "2024-12-17T10:10:23Z"
    id                = "vsw-bp1mr7iopn8oxte35uvfv"
    name              = "terraform-example"
    status            = "Available"
    vpc_id            = "vpc-bp14jln06jkpbsk8l31w1"
    vswitch_name      = "terraform-example"
    zone_id           = "cn-hangzhou-i"
}

# alicloud_vswitch.vpc1vsw2:
resource "alicloud_vswitch" "vpc1vsw2" {
    availability_zone = "cn-hangzhou-j"
    cidr_block        = "192.168.1.128/26"
    create_time       = "2024-12-17T10:10:29Z"
    id                = "vsw-bp1ivri7xd5fslxm4hehi"
    name              = "terraform-example"
    status            = "Available"
    vpc_id            = "vpc-bp14jln06jkpbsk8l31w1"
    vswitch_name      = "terraform-example"
    zone_id           = "cn-hangzhou-j"
}

# data.alicloud_cen_transit_router_available_resources.default:
data "alicloud_cen_transit_router_available_resources" "default" {
    id        = "3179849974"
    resources = [
        {
            available_zones   = [
                "cn-hangzhou-h",
                "cn-hangzhou-i",
                "cn-hangzhou-j",
                "cn-hangzhou-k",
                "cn-hangzhou-b",
            ]
            master_zones      = [
                "cn-hangzhou-h",
                "cn-hangzhou-i",
                "cn-hangzhou-j",
                "cn-hangzhou-k",
                "cn-hangzhou-b",
            ]
            slave_zones       = [
                "cn-hangzhou-h",
                "cn-hangzhou-i",
                "cn-hangzhou-j",
                "cn-hangzhou-k",
                "cn-hangzhou-b",
            ]
            support_multicast = false
        },
    ]
}

# data.alicloud_zones.default:
data "alicloud_zones" "default" {
    available_resource_creation = "VSwitch"
    enable_details              = false
    id                          = "2291150053"
    ids                         = [
        "cn-hangzhou-b",
        "cn-hangzhou-e",
        "cn-hangzhou-f",
        "cn-hangzhou-g",
        "cn-hangzhou-h",
        "cn-hangzhou-i",
        "cn-hangzhou-j",
        "cn-hangzhou-k",
    ]
    instance_charge_type        = "PostPaid"
    multi                       = false
    spot_strategy               = "NoSpot"
    zones                       = [
        {
            available_disk_categories   = []
            available_instance_types    = []
            available_resource_creation = []
            id                          = "cn-hangzhou-b"
            local_name                  = ""
            multi_zone_ids              = []
            slb_slave_zone_ids          = []
        },
        {
            available_disk_categories   = []
            available_instance_types    = []
            available_resource_creation = []
            id                          = "cn-hangzhou-e"
            local_name                  = ""
            multi_zone_ids              = []
            slb_slave_zone_ids          = []
        },
        {
            available_disk_categories   = []
            available_instance_types    = []
            available_resource_creation = []
            id                          = "cn-hangzhou-f"
            local_name                  = ""
            multi_zone_ids              = []
            slb_slave_zone_ids          = []
        },
        {
            available_disk_categories   = []
            available_instance_types    = []
            available_resource_creation = []
            id                          = "cn-hangzhou-g"
            local_name                  = ""
            multi_zone_ids              = []
            slb_slave_zone_ids          = []
        },
        {
            available_disk_categories   = []
            available_instance_types    = []
            available_resource_creation = []
            id                          = "cn-hangzhou-h"
            local_name                  = ""
            multi_zone_ids              = []
            slb_slave_zone_ids          = []
        },
        {
            available_disk_categories   = []
            available_instance_types    = []
            available_resource_creation = []
            id                          = "cn-hangzhou-i"
            local_name                  = ""
            multi_zone_ids              = []
            slb_slave_zone_ids          = []
        },
        {
            available_disk_categories   = []
            available_instance_types    = []
            available_resource_creation = []
            id                          = "cn-hangzhou-j"
            local_name                  = ""
            multi_zone_ids              = []
            slb_slave_zone_ids          = []
        },
        {
            available_disk_categories   = []
            available_instance_types    = []
            available_resource_creation = []
            id                          = "cn-hangzhou-k"
            local_name                  = ""
            multi_zone_ids              = []
            slb_slave_zone_ids          = []
        },
    ]
}

# time_sleep.wait_10_minutes:
resource "time_sleep" "wait_10_minutes" {
    create_duration = "10m"
    id              = "2024-12-17T10:21:49Z"
}

      Log on to the Cloud Firewall console

      image

    Release resources

    If you no longer require the preceding resources that are created or managed by using Terraform, run the following command to release the resources. For more information about the terraform destroy command, see Common commands. 

    terraform destroy

    Complete sample code

    You can run the sample code with a few clicks. For more information, visit Terraform Explorer.

    Sample code

    variable "name" {
  default = "terraform-example"
}

provider "alicloud" {
  region = "cn-hangzhou"
}

variable "description" {
  default = "Created by Terraform"
}

variable "firewall_name" {
  default = "tf-example"
}

variable "tr_attachment_master_cidr" {
  default = "192.168.3.192/26"
}

variable "firewall_subnet_cidr" {
  default = "192.168.3.0/25"
}

variable "region" {
  default = "cn-hangzhou"
}

variable "tr_attachment_slave_cidr" {
  default = "192.168.3.128/26"
}

variable "firewall_vpc_cidr" {
  default = "192.168.3.0/24"
}

variable "zone1" {
  default = "cn-hangzhou-h"
}

variable "firewall_name_update" {
  default = "tf-example-1"
}

variable "zone2" {
  default = "cn-hangzhou-i"
}

data "alicloud_cen_transit_router_available_resources" "default" {
}

data "alicloud_zones" "default" {
  available_resource_creation = "VSwitch"
}

resource "alicloud_cen_instance" "cen" {
  description       = "terraform example"
  cen_instance_name = var.name
}

resource "alicloud_cen_transit_router" "tr" {
  transit_router_name        = var.name
  transit_router_description = "tr-created-by-terraform"
  cen_id                     = alicloud_cen_instance.cen.id
}

resource "alicloud_vpc" "vpc1" {
  description = "created by terraform"
  cidr_block  = "192.168.1.0/24"
  vpc_name    = var.name
}

resource "alicloud_vswitch" "vpc1vsw1" {
  cidr_block   = "192.168.1.0/25"
  vswitch_name = var.name
  vpc_id       = alicloud_vpc.vpc1.id
  zone_id      = data.alicloud_cen_transit_router_available_resources.default.resources[0].master_zones[1]
}

resource "alicloud_vswitch" "vpc1vsw2" {
  vpc_id       = alicloud_vpc.vpc1.id
  cidr_block   = "192.168.1.128/26"
  vswitch_name = var.name
  zone_id      = data.alicloud_cen_transit_router_available_resources.default.resources[0].master_zones[2]
}

resource "alicloud_route_table" "foo" {
  vpc_id           = alicloud_vpc.vpc1.id
  route_table_name = var.name
  description      = var.name
}

resource "alicloud_cen_transit_router_vpc_attachment" "tr-vpc1" {
  zone_mappings {
    vswitch_id = alicloud_vswitch.vpc1vsw1.id
    zone_id    = data.alicloud_cen_transit_router_available_resources.default.resources[0].master_zones[1]
  }
  zone_mappings {
    zone_id    = data.alicloud_cen_transit_router_available_resources.default.resources[0].master_zones[2]
    vswitch_id = alicloud_vswitch.vpc1vsw2.id
  }
  vpc_id            = alicloud_vpc.vpc1.id
  cen_id            = alicloud_cen_instance.cen.id
  transit_router_id = alicloud_cen_transit_router.tr.transit_router_id
  depends_on        = [alicloud_route_table.foo]
}

resource "time_sleep" "wait_10_minutes" {
  depends_on = [alicloud_cen_transit_router_vpc_attachment.tr-vpc1]

  create_duration = "10m"
}

resource "alicloud_cloud_firewall_vpc_cen_tr_firewall" "default" {
  cen_id                    = alicloud_cen_transit_router_vpc_attachment.tr-vpc1.cen_id
  firewall_name             = var.name
  firewall_subnet_cidr      = var.firewall_subnet_cidr
  tr_attachment_slave_cidr  = var.tr_attachment_slave_cidr
  firewall_description      = "VpcCenTrFirewall created by terraform"
  region_no                 = var.region
  tr_attachment_master_cidr = var.tr_attachment_master_cidr
  firewall_vpc_cidr         = var.firewall_vpc_cidr
  transit_router_id         = alicloud_cen_transit_router.tr.transit_router_id
  route_mode                = "managed"

  depends_on = [time_sleep.wait_10_minutes]
}