Delete high-risk ports from DNAT mappings on a NAT gateway in bulk.
Template name
ACS-VPC-BulkyDeleteForwardEntry deletes specified high-risk ports from DNAT mappings on a NAT gateway.
Template description
Deletes high-risk ports mapped by DNAT entries on a NAT gateway.
Template type
Automated
Owner
Alibaba Cloud
Input parameters
|
Parameter |
Description |
Type |
Required |
Default value |
Limit |
|
instanceId |
The ID of the NAT gateway. |
String |
Yes |
||
|
port |
The high-risk port. |
List |
Yes |
||
|
regionId |
The region ID. |
String |
No |
{{ ACS::RegionId }} |
|
|
rateControl |
The task execution concurrency rate. |
Json |
No |
{'Mode': 'Concurrency', 'MaxErrors': 0, 'Concurrency': 10} |
|
|
OOSAssumeRole |
The RAM role assumed by CloudOps Orchestration Service (OOS). |
String |
No |
"" |
Output parameters
None
Permission policy that is required to execute the template
{
"Version": "1",
"Statement": [
{
"Action": [
"vpc:DeleteForwardEntry",
"vpc:DescribeForwardTableEntries",
"vpc:DescribeNatGateways"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
Details
For more information, see ACS-VPC-BulkyDeleteForwardEntry.yml at GitHub.
Template content
FormatVersion: OOS-2019-06-01
Description:
en: Deletes the specified high-risk ports mapped on the DNAT table.
zh-cn: Deletes the specified high-risk ports mapped on the DNAT table.
name-en: ACS-VPC-BulkyDeleteForwardEntry
name-zh-cn: ACS-VPC-BulkyDeleteForwardEntry
categories:
- security
Parameters:
regionId:
Label:
en: Region ID
zh-cn: Region ID
Type: String
AssociationProperty: RegionId
Default: '{{ ACS::RegionId }}'
instanceId:
Label:
en: The instance ID of the NAT Gateway.
zh-cn: The instance ID of the NAT Gateway.
Type: String
port:
Label:
en: The high-risk port (backend port)
zh-cn: The high-risk port (backend port)
Type: List
rateControl:
Label:
en: Rate Control
zh-cn: Concurrency rate for task execution
Type: Json
AssociationProperty: RateControl
Default:
Mode: Concurrency
MaxErrors: 0
Concurrency: 10
OOSAssumeRole:
Label:
en: OOSAssumeRole
zh-cn: The RAM role that OOS assumes
Type: String
Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
- Name: describeNatGateways
Action: ACS::ExecuteAPI
Description:
en: Queries the DNAT table ID of the NAT Gateway instance.
zh-cn: Queries the DNAT table ID of the NAT Gateway instance.
Properties:
Service: VPC
API: DescribeNatGateways
Parameters:
RegionId: '{{ regionId }}'
NatGatewayId: '{{ instanceId }}'
Outputs:
ForwardTableIds:
Type: String
ValueSelector: .NatGateways.NatGateway[].ForwardTableIds.ForwardTableId[]
- Name: describeForwardTableEntries
Action: ACS::ExecuteAPI
Description:
en: Queries the IDs of DNAT entries that match the high-risk ports.
zh-cn: Queries the IDs of DNAT entries that match the high-risk ports.
Properties:
Service: VPC
API: DescribeForwardTableEntries
Parameters:
RegionId: '{{ regionId }}'
ForwardTableId: '{{ describeNatGateways.ForwardTableIds }}'
InternalPort: '{{ ACS::TaskLoopItem }}'
Loop:
RateControl: '{{ rateControl }}'
Items: '{{ port }}'
Outputs:
ForwardEntryId-all:
AggregateType: Fn::ListJoin
AggregateField: ForwardEntryId
Outputs:
ForwardEntryId:
Type: Json
ValueSelector: .ForwardTableEntries.ForwardTableEntry[].ForwardEntryId
- Name: deleteForwardEntry
Action: ACS::ExecuteAPI
Description:
en: Deletes the specified high-risk ports mapped on the DNAT table.
zh-cn: Deletes the specified high-risk ports mapped on the DNAT table.
Properties:
Service: VPC
API: DeleteForwardEntry
Parameters:
RegionId: '{{ regionId }}'
ForwardEntryId: '{{ ACS::TaskLoopItem }}'
ForwardTableId: '{{ describeNatGateways.ForwardTableIds }}'
Loop:
Items:
'Fn::Jq':
- All
- '.[] | (select(. != null))'
- '{{ describeForwardTableEntries.ForwardEntryId-all }}'
RateControl:
Mode: Concurrency
MaxErrors: 0
Concurrency: 1
Metadata:
ALIYUN::OOS::Interface:
ParameterGroups:
- Parameters:
- port
Label:
default:
zh-cn: Configure Parameters
en: Configure Parameters
- Parameters:
- regionId
- instanceId
Label:
default:
zh-cn: Select Instance
en: Select Instance
- Parameters:
- rateControl
- OOSAssumeRole
Label:
default:
zh-cn: Advanced Options
en: Advanced Options