Terraform is an open source developer tool created by HashiCorp. Terraform lets you manage cloud infrastructures with code. As one of the mainstream Terraform providers, Alibaba Cloud has released multiple resources and data sources related to Security Center in Terraform. You can use Terraform to manage the resources to meet your business requirements such as automated deployment and continuous enhancement of cloud infrastructures. This topic describes how to activate Security Center through Terraform.
Setup
To mitigate risks associated with compromised Alibaba Cloud accounts, we recommend using a RAM user and creating an AccessKey pair for them.
Assign the following policy to the RAM user to grant the minimum permissions for managing resources in this example.
This policy allows the RAM user to describe, modify, and create resources related to Security Center. Adjust the actions and resource scope in the policy based on your needs.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sas:Describe*",
        "sas:CreateInstance",
        "sas:UpdateInstance",
        "sas:Modify*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
In this policy, sas:Describe* allows viewing information related to Security Center, sas:CreateInstance allows creating Security Center instances, sas:UpdateInstance allows upgrading Security Center instances, and sas:Modify* is needed only if you modify other settings. ecs:DescribeInstances may be required to query the ECS instances that are associated with Security Center. The RAM policy language does not accept comments, so keep the policy document itself free of annotations.
Prepare the Terraform environment using one of the following methods:
Use Terraform in Terraform Explorer: Terraform Explorer provided by Alibaba Cloud allows developers to run Terraform online without installation. This method is ideal for efficiently and conveniently using and debugging Terraform at no cost.
Use Terraform in Cloud Shell: Alibaba Cloud Cloud Shell comes pre-installed with Terraform and configured identity credentials, allowing you to run Terraform commands directly. This method is ideal for using and debugging Terraform efficiently, conveniently, and at a low cost.
Install and configure Terraform: This method is best for scenarios with poor network connectivity or when a custom development environment is needed.
Required resources
alicloud_threat_detection_instance: This resource is used to configure and manage the threat detection services of Alibaba Cloud.
Activate Security Center
After you activate the Security Center instance, make sure to carefully manage its lifecycle to avoid unnecessary costs.
The following code example shows how to activate the Enterprise edition of Security Center with a subscription in the Hangzhou (cn-hangzhou) region.
Create and go to the execution directory.
mkdir /usr/local/terraform
cd /usr/local/terraform
Note: You must create an execution directory for each Terraform project.
Create the terraform.tf file and configure the file content.
vim terraform.tf
The content of the terraform.tf file is as follows:
# Configure provider as Alibaba Cloud and set the region to Hangzhou (cn-hangzhou)
provider "alicloud" {
  region = "cn-hangzhou"
}

# Define the resource name. The default value is "terraform-example"
variable "name" {
  default = "terraform-example"
}

# Version code. The default value is "level2" (Enterprise edition)
variable "version_code" {
  default = "level2"
}

# Number of servers to purchase. The default value is "30"
variable "buy_number" {
  default = "30"
}

# Billing method. The default value is "Subscription"
variable "payment_type" {
  default = "Subscription"
}

# Subscription duration. The default value is "1" (Unit: month)
variable "period" {
  default = "1"
}

# Renewal status. The default value is "ManualRenewal"
variable "renewal_status" {
  default = "ManualRenewal"
}

# Log analysis storage capacity. The default value is "100" (Unit: GB)
variable "sas_sls_storage" {
  default = "100"
}

# Anti-ransomware data capacity. The default value is "100" (Unit: GB)
variable "sas_anti_ransomware" {
  default = "100"
}

# Web tamper-proofing switch. The default value is "1" (Yes)
variable "sas_webguard_boolean" {
  default = "1"
}

# Web tamper-proofing quota. The default value is "100"
variable "sas_webguard_order_num" {
  default = "100"
}

# Cloud honeypot switch. The default value is "1" (Yes)
variable "honeypot_switch" {
  default = "1"
}

# Cloud honeypot quota. The default value is "32"
variable "honeypot" {
  default = "32"
}

# Malicious file detection SDK switch. The default value is "1" (Yes)
variable "sas_sdk_switch" {
  default = "1"
}

# Malicious file detection SDK quota. The default value is "1000" (Unit: 10,000 times)
variable "sas_sdk" {
  default = "1000"
}

# Container image scan times. The step size is 20, which means only multiples of 20 can be entered
variable "container_image_scan_new" {
  default = "100"
}

# CTDR switch. The default value is "1" (Yes)
variable "threat_analysis_switch_1" {
  default = "1"
}

# CTDR log data. The increment is 100, which means only multiples of 100 can be entered
variable "threat_analysis_flow" {
  default = "100"
}

# CTDR log storage capacity. The default value is "1000" (Unit: GB)
variable "threat_analysis_sls_storage" {
  default = "1000"
}

# Threat detection resources defined by variables
resource "alicloud_threat_detection_instance" "default" {
  version_code                = var.version_code
  buy_number                  = var.buy_number
  payment_type                = var.payment_type
  period                      = var.period
  renewal_status              = var.renewal_status
  sas_sls_storage             = var.sas_sls_storage
  sas_anti_ransomware         = var.sas_anti_ransomware
  container_image_scan_new    = var.container_image_scan_new
  sas_webguard_boolean        = var.sas_webguard_boolean
  sas_webguard_order_num      = var.sas_webguard_order_num
  honeypot_switch             = var.honeypot_switch
  honeypot                    = var.honeypot
  sas_sdk_switch              = var.sas_sdk_switch
  sas_sdk                     = var.sas_sdk
  threat_analysis_switch_1    = var.threat_analysis_switch_1
  threat_analysis_flow        = var.threat_analysis_flow
  threat_analysis_sls_storage = var.threat_analysis_sls_storage
}
The following list describes each parameter of the resource (Parameter, Required, Description, Example value).

Parameter: modify_type
Required: No
Description: If you need to upgrade or downgrade the instance, this parameter is required. Add it to the code above. Valid values:
  Upgrade: Upgrade Security Center.
  Downgrade: Downgrade Security Center.
Example value: Upgrade

Parameter: version_code
Required: Yes
Description: The edition of Security Center. Valid values:
  level7: Anti-virus
  level3: Advanced
  level2: Enterprise
  level8: Ultimate
  level10: Value-added Plan
Example value: level2

Parameter: buy_number
Required: No
Description: The number of servers that you want to protect.
  Note: This parameter is required only when version_code is set to level3, level2, or level8.
Example value: 30

Parameter: v_core
Required: No
Description: The number of virtual CPUs (vCPUs) of the servers that you want to protect.
  Note: This parameter is required only when version_code is set to level7 or level8.
Example value: 100

Parameter: payment_type
Required: Yes
Description: The billing method. Valid value:
  Subscription
Example value: Subscription

Parameter: period
Required: No
Description: The subscription duration. Unit: months.
  Valid values: 1, 6, 12, 24, 36, 60.
Example value: 1

Parameter: renewal_status
Required: No
Description: The renewal mode. Valid values:
  AutoRenewal: Auto-renewal.
  ManualRenewal (default): Manual renewal.
Example value: ManualRenewal

Parameter: renewal_period
Required: No
Description: The auto-renewal duration. Unit: months.
  Note: This parameter is required when renewal_status is set to AutoRenewal.
Example value: 12

Parameter: sas_sls_storage
Required: No
Description: The log storage capacity. Unit: GB.
  Valid values: 0 to 600,000. The value must be a multiple of 10.
  Note: To comply with the requirement of the Cybersecurity Law that logs must be stored for at least 180 days, we recommend that you configure 50 GB of log storage capacity for each server.
Example value: 100

Parameter: sas_anti_ransomware
Required: No
Description: The data backup capacity for anti-ransomware. Unit: GB.
  Valid values: 10 to 9,999,999,999. The value must be a multiple of 10.
Example value: 100

Parameter: container_image_scan_new
Required: No
Description: The container image scan quota. We recommend that you set this parameter to the number of images that need to be scanned each month. Unit: count.
  Valid values: 0 to 200,000. The value must be a multiple of 20.
  Note: Security Center identifies an image by its unique digest value. If the digest value remains unchanged, only the first scan of the image consumes one container image scan quota. If it changes, a new scan consumes an additional quota.
  For example, if you plan to scan 10 images and expect the digest values to change 20 times during your subscription, set the quota to 30. This total quota consists of the number of images plus the anticipated changes in digest values.
Example value: 100

Parameter: sas_webguard_boolean
Required: No
Description: Specifies whether to enable the web tamper-proofing feature. Valid values:
  1: Yes
  0: No
Example value: 1

Parameter: sas_webguard_order_num
Required: No
Description: The quota for web tamper-proofing. Unit: times.
  Valid values: 0 to 9,999.
  Note: This parameter is required only when sas_webguard_boolean is set to 1.
Example value: 100

Parameter: sas_sc
Required: No
Description: Specifies whether to enable the security dashboard. Valid values:
  true: Yes
  false: No
  Note: This parameter is not supported in regions outside China, and it is supported only when version_code is set to level3, level2, or level8.
Example value: false

Parameter: honeypot_switch
Required: No
Description: Specifies whether to enable the cloud honeypot feature. Valid values:
  1: Yes
  2: No
Example value: 1

Parameter: honeypot
Required: No
Description: The quota for the cloud honeypot feature. Unit: count.
  Valid values: 20 to 500.
  Note: This parameter is required only when honeypot_switch is set to 1.
Example value: 20

Parameter: sas_sdk_switch
Required: No
Description: Specifies whether to enable the SDK for malicious file detection. Valid values:
  1: Yes
  0: No
Example value: 1

Parameter: sas_sdk
Required: No
Description: The number of times malicious file detection is performed. Unit: 10,000 times.
  Valid values: 10 to 9,999,999,999. The value must be a multiple of 10.
Example value: 10

Parameter: threat_analysis_switch_1
Required: No
Description: Specifies whether to enable Cloud Threat Detection and Response (CTDR). Valid values:
  0: No
  1: Yes
Example value: 1

Parameter: threat_analysis_flow
Required: No
Description: The log data to add for CTDR. Unit: GB/day.
  Valid values: 100 to 9,999,999,999. The value must be a multiple of 100.
  Note: This parameter is required only when threat_analysis_switch_1 is set to 1.
Example value: 100

Parameter: threat_analysis_sls_storage
Required: No
Description: The log storage capacity for CTDR. Unit: GB.
  Valid values: 0 to 9,999,999,999. The value must be a multiple of 1,000.
Example value: 1000
Run the terraform init command to initialize the configuration. If the following message is returned, Terraform is initialized:
Run the terraform apply command to create a Security Center instance. When the following prompt appears, enter yes and press the Enter key, then wait for the command to complete:
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:
If the following message is returned, Security Center is activated:
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
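Because a mistyped quota is only rejected by the API after the subscription order has been submitted, a plan-time guard is worth adding to terraform.tf. The block below is an added example, not code from the original page or from the Alibaba Cloud provider: it checks every quota variable against the range and step size listed in the parameter list above and aborts terraform plan on a violation. It assumes the variable names from the terraform.tf above and Terraform 1.4 or later (for the built-in terraform_data resource); the web tamper-proofing switch/quota check is an assumed sanity rule, not one the page states.

```hcl
# Added example (not from the original page). Assumes the variables declared
# in the terraform.tf above. Each rule is [value, min, max, step]; the value
# must lie in [min, max] and be a multiple of step, as the parameter list says.
locals {
  quota_rules = {
    sas_sls_storage             = [tonumber(var.sas_sls_storage), 0, 600000, 10]
    sas_anti_ransomware         = [tonumber(var.sas_anti_ransomware), 10, 9999999999, 10]
    container_image_scan_new    = [tonumber(var.container_image_scan_new), 0, 200000, 20]
    sas_webguard_order_num      = [tonumber(var.sas_webguard_order_num), 0, 9999, 1]
    honeypot                    = [tonumber(var.honeypot), 20, 500, 1]
    sas_sdk                     = [tonumber(var.sas_sdk), 10, 9999999999, 10]
    threat_analysis_flow        = [tonumber(var.threat_analysis_flow), 100, 9999999999, 100]
    threat_analysis_sls_storage = [tonumber(var.threat_analysis_sls_storage), 0, 9999999999, 1000]
  }

  # Names of every quota whose value is out of range or off its step size.
  quota_violations = [
    for name, r in local.quota_rules : name
    if r[0] < r[1] || r[0] > r[2] || r[0] % r[3] != 0
  ]
}

# terraform_data is built into Terraform 1.4+ and creates nothing in the cloud.
# A failing precondition is an error at plan time, so no order is placed.
resource "terraform_data" "quota_guard" {
  lifecycle {
    precondition {
      condition     = length(local.quota_violations) == 0
      error_message = "Quota out of range or not a multiple of its step size: ${join(", ", local.quota_violations)}"
    }
    precondition {
      # Assumed sanity rule: an enabled web tamper-proofing switch with a zero quota protects nothing.
      condition     = var.sas_webguard_boolean != "1" || tonumber(var.sas_webguard_order_num) > 0
      error_message = "sas_webguard_boolean = 1 requires sas_webguard_order_num to be greater than 0."
    }
  }
}
```

With the defaults from terraform.tf the plan passes; setting, for example, container_image_scan_new = "110" makes terraform plan stop with the violation named in the error message.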
Verify the result
Run the terraform show command
Run the following command to query the details of the resources created with Terraform:
terraform show
Use the console
Log on to the Security Center console and check whether the Enterprise edition and related features are activated.
References
For more information about Terraform, see What is Terraform?