This topic describes how to use Terraform to change the priority of an Internet firewall access control policy.
The sample code in this topic is ready to use and can be run directly. Run
Prerequisites
- Because an Alibaba Cloud account has full permissions for all your resources, a compromised account poses a significant security threat. We recommend that you use a Resource Access Management (RAM) user and create an AccessKey for that user. For more information, see Create a RAM user and Create an AccessKey.
- The RAM user is granted the least privilege required to use Cloud Firewall. For more information, see Manage RAM user permissions.

  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "yundun-cloudfirewall:*",
          "yundun-ndr:*"
        ],
        "Resource": "*"
      }
    ]
  }

- A Terraform runtime environment is prepared. You can use one of the following methods to run Terraform:
  - Use Terraform in Explorer: Alibaba Cloud provides an online Terraform runtime environment that does not require you to install Terraform. You can log on to use and test Terraform online. This method is suitable for scenarios where you want to quickly and easily test and debug Terraform at no cost.
  - Cloud Shell: Alibaba Cloud Cloud Shell has pre-installed Terraform components and configured identity credentials. You can run Terraform commands directly in Cloud Shell. This method is suitable for scenarios where you want to quickly and easily access and use Terraform at a low cost.
  - Install and configure Terraform on your local machine: This method is suitable for scenarios with poor network connectivity or when you need a custom developer environment.

  Important: Make sure that your Terraform version is 0.12.28 or later. To check the current version, run the terraform --version command.
Resource used
alicloud_cloud_firewall_control_policy_order: Manages the priority of a Cloud Firewall access control policy.
Change the priority of an Internet access control policy
This example changes the priority of an Internet firewall access control policy.
- Create a working directory. In the working directory, create a configuration file named main.tf. The main.tf file is the main Terraform file that defines the resources to deploy. Before you proceed, make sure that you have an Internet access control policy configured:

  resource "alicloud_cloud_firewall_control_policy" "example" {
    # The application type supported by the access control policy. Valid values: ANY, HTTP, HTTPS, MQTT, Memcache, MongoDB, MySQL, RDP, Redis, SMTP, SMTPS, SSH, SSL, VNC.
    application_name = "ANY"
    # The action that Cloud Firewall performs on the traffic. Valid values: accept, drop, log.
    acl_action = "accept"
    # The description.
    description = "Created_by_terraform"
    # The type of the destination address in the access control policy. Valid values: net, group, domain, location.
    destination_type = "net"
    # The destination address in the access control policy.
    destination = "100.1.1.0/24"
    # The traffic direction for the access control policy. Valid values: in, out.
    direction = "out"
    # The protocol type supported by the access control policy. Valid values: ANY, TCP, UDP, ICMP.
    proto = "ANY"
    # The source address in the access control policy.
    source = "1.2.3.0/24"
    # The type of the source address in the access control policy. Valid values: net, group, location.
    source_type = "net"
  }

  # Change the priority of the Internet firewall access control policy
  resource "alicloud_cloud_firewall_control_policy_order" "example" {
    # The unique ID of the access control policy.
    acl_uuid = alicloud_cloud_firewall_control_policy.example.acl_uuid
    # The traffic direction for the access control policy. Valid values: in, out.
    direction = "out"
    # The priority of the access control policy. Priority values start from 1. A smaller value indicates a higher priority. Note: A value of -1 indicates the lowest priority.
    order = 1
  }
- Run the following command to initialize the Terraform runtime environment.

  terraform init

  The following output indicates that Terraform is initialized.

  Initializing provider plugins...
  - Finding latest version of hashicorp/alicloud...
  - Installing hashicorp/alicloud v1.231.0...
  - Installed hashicorp/alicloud v1.231.0 (signed by HashiCorp)

  Terraform has created a lock file .terraform.lock.hcl to record the provider
  selections it made above. Include this file in your version control repository
  so that Terraform can guarantee to make the same selections by default when
  you run "terraform init" in the future.

  Terraform has been successfully initialized!

  You may now begin working with Terraform. Try running "terraform plan" to see
  any changes that are required for your infrastructure. All Terraform commands
  should now work.

  If you ever set or change modules or backend configuration for Terraform,
  rerun this command to reinitialize your working directory. If you forget, other
  commands will detect it and remind you to do so if necessary.
- Create an execution plan and preview the changes.

  terraform plan
- Run the following command to change the priority of the Internet firewall access control policy.

  terraform apply

  When prompted, enter yes and press the Enter key. Wait for the command to finish. If the following output is displayed, the priority of the Internet firewall access control policy is changed.

  Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
    + create

  Terraform will perform the following actions:

    # alicloud_cloud_firewall_control_policy_order.example will be created
    + resource "alicloud_cloud_firewall_control_policy_order" "example" {
        + acl_uuid  = "ef9bdf22-07d4-4080-8ec0-824ec3f0c*"
        + direction = "out"
        + id        = (known after apply)
        + order     = 1
      }

  Plan: 1 to add, 0 to change, 0 to destroy.

  Do you want to perform these actions?
    Terraform will perform the actions described above.
    Only 'yes' will be accepted to approve.

    Enter a value: yes

  alicloud_cloud_firewall_control_policy_order.example: Creating...
  alicloud_cloud_firewall_control_policy_order.example: Creation complete after 1s [id=ef9bdf22-07d4-4080-8ec0-824ec3f0c***:out]

  Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
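The procedure above hard-codes the priority and repeats the traffic direction in both resources. The following main.tf is an added example, not the sample from this topic or from the alicloud provider: it takes the priority from an input variable that is validated against the documented range (1 or higher, or -1 for lowest priority), derives the order resource's direction from the policy itself so the two can never disagree, and exports the values you check in the verification step. The variable names policy_order and direction and the output names are assumptions; variable validation blocks require Terraform 0.13 or later, and provider credentials are assumed to come from the environment.

```hcl
# Added example (not the page's sample): priority supplied as a validated variable.
# Assumes Terraform 0.13+ (validation blocks) and alicloud credentials from the environment.

variable "policy_order" {
  description = "Priority of the access control policy. 1 is the highest; -1 means lowest."
  type        = number
  default     = 1

  validation {
    # The order attribute accepts -1 or a value starting from 1; reject anything else before plan.
    condition     = var.policy_order == -1 || var.policy_order >= 1
    error_message = "The policy_order value must be -1 (lowest priority) or an integer of 1 or greater."
  }
}

variable "direction" {
  description = "Traffic direction of the policy: in or out."
  type        = string
  default     = "out"

  validation {
    condition     = contains(["in", "out"], var.direction)
    error_message = "The direction value must be \"in\" or \"out\"."
  }
}

resource "alicloud_cloud_firewall_control_policy" "example" {
  application_name = "ANY"
  acl_action       = "accept"
  description      = "Created_by_terraform"
  destination_type = "net"
  destination      = "100.1.1.0/24"
  direction        = var.direction
  proto            = "ANY"
  source           = "1.2.3.0/24"
  source_type      = "net"
}

resource "alicloud_cloud_firewall_control_policy_order" "example" {
  acl_uuid = alicloud_cloud_firewall_control_policy.example.acl_uuid
  # Reuse the policy's own direction instead of repeating the literal.
  direction = alicloud_cloud_firewall_control_policy.example.direction
  order     = var.policy_order
}

# Values to compare against terraform show and the console in the verification step.
output "policy_id" {
  value = alicloud_cloud_firewall_control_policy.example.acl_uuid
}

output "policy_order" {
  value = alicloud_cloud_firewall_control_policy_order.example.order
}
```

Run terraform plan -var policy_order=3 to preview moving the policy to the third position; an out-of-range value such as 0 fails at the validation step, before Terraform contacts the Cloud Firewall API.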
Verification results
- Run the following command to query the details of the resources created by Terraform.

  terraform show

  # alicloud_cloud_firewall_control_policy_order.example:
  resource "alicloud_cloud_firewall_control_policy_order" "example" {
      acl_uuid  = "ef9bdf22-07d4-4080-8ec0-824ec3f0c***"
      direction = "out"
      id        = "ef9bdf22-07d4-4080-8ec0-824ec3f0c***:out"
      order     = 1
  }

- Log on to the Cloud Firewall console. On the Access Control > Internet Border page, search for the policy ID to view the priority of the policy.
Clean up resources
When you no longer need the resources created or managed by Terraform, run the following command to release them. For more information about the terraform destroy command, see Common commands.
terraform destroy
Complete example
The sample code in this topic is ready to use and can be run directly. Run