CloudOps Orchestration Service:ACS-VPC-BulkyDeleteForwardEntry

Last Updated:Nov 26, 2024

Template name

ACS-VPC-BulkyDeleteForwardEntry

Template description

Deletes the DNAT entries on a NAT gateway whose internal port is one of the specified high-risk ports. The template looks up the DNAT table of the gateway, queries it once per port in the list, and then deletes every matching entry, so a single execution can remove many mappings. Entries are deleted one at a time, and the execution stops at the first deletion failure (MaxErrors: 0).

Template type

Automated

Owner

Alibaba Cloud

Input parameters

Parameter | Description | Type | Required | Default value | Limit
--- | --- | --- | --- | --- | ---
instanceId | The ID of the NAT gateway. | String | Yes | | 
port | The list of high-risk ports. Each value is matched against the internal port (InternalPort) of the DNAT entries on the gateway, that is, the destination port on the backend instance, not the external port exposed on the NAT gateway. | List | Yes | | 
regionId | The region ID. | String | No | {{ ACS::RegionId }} | 
rateControl | The rate control settings. | Json | No | {'Mode': 'Concurrency', 'MaxErrors': 0, 'Concurrency': 10} | 
OOSAssumeRole | The Resource Access Management (RAM) role that is assumed by CloudOps Orchestration Service (OOS). | String | No | "" | 

Output parameters

None

Permission policy that is required to execute the template

The policy grants exactly the three VPC actions the tasks call: DescribeNatGateways to find the DNAT table of the gateway, DescribeForwardTableEntries to find the entries that match the ports, and DeleteForwardEntry to remove them. Resource is "*", so the RAM role that executes the template can read and delete DNAT entries on every NAT gateway in the account, not only the one passed as instanceId.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DeleteForwardEntry",
                "vpc:DescribeForwardTableEntries",
                "vpc:DescribeNatGateways"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

References

For more information, see ACS-VPC-BulkyDeleteForwardEntry.yml on GitHub.

Template content

FormatVersion: OOS-2019-06-01
Description:
  en: Delete the DNAT entries that map the specified high-risk ports
  zh-cn: the description in Chinese
  name-en: ACS-VPC-BulkyDeleteForwardEntry
  name-zh-cn: the description in Chinese
  categories:
    - security
Parameters:
  regionId:
    Label:
      en: RegionId
      zh-cn: the description in Chinese
    Type: String
    AssociationProperty: RegionId
    Default: '{{ ACS::RegionId }}'
  instanceId:
    Label:
      en: The ID of the NAT gateway instance.
      zh-cn: the description in Chinese
    Type: String
  port:
    Label:
      en: The high-risk ports (matched against the internal port of DNAT entries)
      zh-cn: the description in Chinese
    Type: List
  rateControl:
    Label:
      en: RateControl
      zh-cn: the description in Chinese
    Type: Json
    AssociationProperty: RateControl
    Default:
      Mode: Concurrency
      MaxErrors: 0
      Concurrency: 10
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
      zh-cn: the description in Chinese
    Type: String
    Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  - Name: describeNatGateways
    Action: ACS::ExecuteAPI
    Description:
      en: Query the DNAT table ID of the NAT gateway instance
      zh-cn: the description in Chinese
    Properties:
      Service: VPC
      API: DescribeNatGateways
      Parameters:
        RegionId: '{{ regionId }}'
        NatGatewayId: '{{ instanceId }}'
    Outputs:
      ForwardTableIds:
        Type: String
        ValueSelector: .NatGateways.NatGateway[].ForwardTableIds.ForwardTableId[]
  - Name: describeForwardTableEntries
    Action: ACS::ExecuteAPI
    Description:
      en: Query the IDs of the DNAT entries whose internal port matches one of the high-risk ports
      zh-cn: the description in Chinese
    Properties:
      Service: VPC
      API: DescribeForwardTableEntries
      Parameters:
        RegionId: '{{ regionId }}'
        ForwardTableId: '{{ describeNatGateways.ForwardTableIds }}'
        InternalPort: '{{ ACS::TaskLoopItem }}'
    Loop:
      RateControl: '{{ rateControl }}'
      Items: '{{ port }}'
      Outputs:
        ForwardEntryId-all:
          AggregateType: Fn::ListJoin
          AggregateField: ForwardEntryId
    Outputs:
      ForwardEntryId:
        Type: Json
        ValueSelector: .ForwardTableEntries.ForwardTableEntry[].ForwardEntryId
  - Name: deleteForwardEntry
    Action: ACS::ExecuteAPI
    Description:
      en: Delete the DNAT entries that map the specified high-risk ports
      zh-cn: the description in Chinese
    Properties:
      Service: VPC
      API: DeleteForwardEntry
      Parameters:
        RegionId: '{{ regionId }}'
        ForwardEntryId: '{{ ACS::TaskLoopItem }}'
        ForwardTableId: '{{ describeNatGateways.ForwardTableIds }}'
    Loop:
      Items:
        'Fn::Jq':
          - All
          - 'foreach .[] as $item ([[],[]]; if $item == null then [[],.[0]] else [(.[0] + [$item]),[]] end; if $item == null then .[1] else empty end) | .[]'
          - '{{ describeForwardTableEntries.ForwardEntryId-all }}'
      RateControl:
        Mode: Concurrency
        MaxErrors: 0
        Concurrency: 1
Metadata:
  ALIYUN::OOS::Interface:
    ParameterGroups:
      - Parameters:
          - port
        Label:
          default:
            zh-cn: the description in Chinese
            en: Configure Parameters
      - Parameters:
          - regionId
          - instanceId
        Label:
          default:
            zh-cn: the description in Chinese
            en: Select Instances
      - Parameters:
          - rateControl
          - OOSAssumeRole
        Label:
          default:
            zh-cn: the description in Chinese
            en: Control Options
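Before running a template that deletes DNAT entries in bulk, it is worth seeing which entries a given port list would actually select. The following Python script is an added example, not code from the template or from the Alibaba Cloud SDK: it re-implements the selection logic of the three tasks above offline (collect the gateway's DNAT table IDs, filter entries by ForwardTableId and InternalPort for each port, then build the list of ForwardEntryId/ForwardTableId pairs that DeleteForwardEntry would be called with) against constructed API responses. The gateway, table and entry IDs and all IP addresses are invented; the function names are assumptions of this example. Only the fields the template's ValueSelectors read are required to match the real responses; ExternalPort is included to show that an entry whose external port is 22 but whose internal port is not is left alone.

```python
"""Offline dry run of the selection logic in ACS-VPC-BulkyDeleteForwardEntry.

Added example, not the template's code or the Alibaba Cloud SDK.  All IDs
and addresses below are invented.
"""
from typing import Dict, List

# Constructed DescribeNatGateways response; only the fields read by the
# template's ValueSelector .NatGateways.NatGateway[].ForwardTableIds.ForwardTableId[]
NAT_GATEWAYS_RESPONSE = {
    "NatGateways": {
        "NatGateway": [
            {
                "NatGatewayId": "ngw-example0001",  # invented ID
                "ForwardTableIds": {"ForwardTableId": ["ftb-example0001"]},
            }
        ]
    }
}

# Constructed DescribeForwardTableEntries response for the table above.  The
# API reports ports as strings.  fwd-b and fwd-c differ only in which side of
# the mapping is port 22.
FORWARD_TABLE_ENTRIES_RESPONSE = {
    "ForwardTableEntries": {
        "ForwardTableEntry": [
            {"ForwardEntryId": "fwd-a", "ForwardTableId": "ftb-example0001", "IpProtocol": "tcp",
             "ExternalIp": "203.0.113.10", "ExternalPort": "22", "InternalIp": "10.0.1.5", "InternalPort": "22"},
            {"ForwardEntryId": "fwd-b", "ForwardTableId": "ftb-example0001", "IpProtocol": "tcp",
             "ExternalIp": "203.0.113.10", "ExternalPort": "2222", "InternalIp": "10.0.1.6", "InternalPort": "22"},
            {"ForwardEntryId": "fwd-c", "ForwardTableId": "ftb-example0001", "IpProtocol": "tcp",
             "ExternalIp": "203.0.113.11", "ExternalPort": "22", "InternalIp": "10.0.1.7", "InternalPort": "2222"},
            {"ForwardEntryId": "fwd-d", "ForwardTableId": "ftb-example0001", "IpProtocol": "tcp",
             "ExternalIp": "203.0.113.10", "ExternalPort": "3389", "InternalIp": "10.0.1.8", "InternalPort": "3389"},
            {"ForwardEntryId": "fwd-e", "ForwardTableId": "ftb-example0001", "IpProtocol": "tcp",
             "ExternalIp": "203.0.113.10", "ExternalPort": "443", "InternalIp": "10.0.1.9", "InternalPort": "443"},
        ]
    }
}


def forward_table_ids(nat_gateways_response: Dict) -> List[str]:
    """Task 1 (describeNatGateways): collect the DNAT table IDs of the gateway."""
    ids: List[str] = []
    for gateway in nat_gateways_response["NatGateways"]["NatGateway"]:
        ids.extend(gateway["ForwardTableIds"]["ForwardTableId"])
    return ids


def entries_for_internal_port(entries_response: Dict, table_id: str, port) -> List[Dict]:
    """Task 2 (describeForwardTableEntries): emulate the server-side filter the
    template requests with ForwardTableId + InternalPort.  Matching is on the
    internal (backend) port only; ExternalPort plays no part."""
    wanted = str(port)
    return [
        entry
        for entry in entries_response["ForwardTableEntries"]["ForwardTableEntry"]
        if entry["ForwardTableId"] == table_id and str(entry["InternalPort"]) == wanted
    ]


def plan_deletions(nat_gateways_response: Dict, entries_by_table: Dict[str, Dict], ports: List) -> List[Dict]:
    """Task 3 input: the (ForwardTableId, ForwardEntryId) pairs DeleteForwardEntry
    would be called with, in the order the template's loops would visit them.
    A port listed twice would select the same entry twice, so duplicates are dropped."""
    plan: List[Dict] = []
    seen = set()
    for table_id in forward_table_ids(nat_gateways_response):
        table_entries = entries_by_table.get(table_id, {"ForwardTableEntries": {"ForwardTableEntry": []}})
        for port in ports:
            for entry in entries_for_internal_port(table_entries, table_id, port):
                if entry["ForwardEntryId"] in seen:
                    continue
                seen.add(entry["ForwardEntryId"])
                plan.append({
                    "ForwardTableId": table_id,
                    "ForwardEntryId": entry["ForwardEntryId"],
                    "mapping": f'{entry["ExternalIp"]}:{entry["ExternalPort"]} -> {entry["InternalIp"]}:{entry["InternalPort"]}',
                })
    return plan


def format_plan(plan: List[Dict]) -> str:
    """Human-readable dry-run report."""
    if not plan:
        return "nothing to delete"
    lines = [f"{len(plan)} DNAT entr{'y' if len(plan) == 1 else 'ies'} would be deleted:"]
    for item in plan:
        lines.append(f'  {item["ForwardTableId"]} {item["ForwardEntryId"]}  {item["mapping"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    # Same shape as the template's inputs: the gateway is implied by the
    # DescribeNatGateways response, port is the high-risk port list.
    high_risk_ports = [22, "3389", 22]
    plan = plan_deletions(NAT_GATEWAYS_RESPONSE, {"ftb-example0001": FORWARD_TABLE_ENTRIES_RESPONSE}, high_risk_ports)
    print(format_plan(plan))
```

With the constructed data, ports 22 and 3389 select fwd-a, fwd-b and fwd-d; fwd-c is skipped even though its external port is 22, because the template filters on InternalPort. To turn this into a real dry run, replace the two constructed responses with the output of the DescribeNatGateways and DescribeForwardTableEntries calls for your gateway; the ports are compared as strings because that is how the API returns them.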