Automate WAF Cloud Resource Updates via ModifyCloudResource API - Web Application Firewall

Modifies the configuration of a cloud resource connected to WAF.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-waf:ModifyCloudResource

update

DefenseResource

acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/{#Resource}

DefenseResource

acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/{#ResourceInstanceId}-{#Port}-{#Product}

None

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	The ID of the WAF instance. Note Call DescribeInstance to query the ID of the WAF instance.	waf_v3prepaid_public_cn-***
ResourceManagerResourceGroupId	string	No	The ID of the resource group.	rg-acfm***q
Listen	object	Yes	The listener configuration.
TLSVersion	string	No	The Transport Layer Security (TLS) version. This parameter applies only when you use the HTTPS protocol. Valid values: tlsv1 tlsv1.1 tlsv1.2	tlsv1.2
EnableTLSv3	boolean	No	Indicates whether TLS 1.3 is supported. This parameter applies only when you use the HTTPS protocol. Valid values: true: TLS 1.3 is supported. false: TLS 1.3 is not supported.	true
CipherSuite	integer	No	The type of the cipher suite to add. This parameter applies only when you use the HTTPS protocol. Valid values: 1: adds all cipher suites. 2: adds strong cipher suites. This value is available only when TLSVersion is set to tlsv1.2. 99: adds custom cipher suites.	1
CustomCiphers	array	No	The custom cipher suites.
	string	No	The custom cipher suites to add. This parameter is used only when CipherSuite is set to 99.	ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384
ResourceProduct `deprecated`	string	No	The type of the cloud service. Valid values: clb4: Layer 4 Classic Load Balancer (CLB). clb7: Layer 7 CLB. ecs: Elastic Compute Service (ECS). nlb: Network Load Balancer (NLB).	clb7
ResourceInstanceId `deprecated`	string	No	The ID of the cloud service instance.	lb-***
Port `deprecated`	integer	No	The listening port of the cloud service instance that is added to WAF.	80
Protocol	string	Yes	The protocol type. Valid values: http: HTTP. https: HTTPS.	http
Certificates	array<object>	No	The certificate information.
	object	No	The certificate information.
CertificateId	string	No	The ID of the certificate.	123-cn-hangzhou
AppliedType	string	No	The type of the certificate for the HTTPS protocol. Valid values: default: a default certificate. extension: an extension certificate.	default
Http2Enabled	boolean	No	Indicates whether HTTP/2 is enabled. This parameter applies only when you use the HTTPS protocol. Valid values: true: enables HTTP/2. false (default): disables HTTP/2.	true
Redirect	object	No	The forwarding configuration.
RequestHeaders	array<object>	No	The custom header fields used to mark traffic that is processed by WAF.
	object	No	The value of this parameter is in the *[{"k":"key","v":"value"}]* format. key specifies the custom request header field, and value specifies the value of the field. Note If the custom header field already exists in the request, the original value is overwritten with the specified value.
Key	string	No	The custom request header field.	key1
Value	string	No	The value of the custom request header field.	value1
XffHeaderMode	integer	No	The method that WAF uses to obtain the real IP address of a client. Valid values: 0: WAF obtains the real IP address of the client from the request. Use this value when no Layer 7 proxy resides before WAF. 1: WAF reads the first value of the X-Forwarded-For (XFF) header as the client IP address. 2: WAF reads the value of a custom header field as the client IP address.	0
XffHeaders	array	No	The custom header fields that are used to obtain the client IP address. Note This parameter is required only when XffHeaderMode is set to 2.
	string	No	The name of the custom header field. Note This parameter is required only when XffHeaderMode is set to 2.	header1
ReadTimeout	integer	No	The read timeout period. Unit: seconds. Valid values: 1 to 3600.	1
WriteTimeout	integer	No	The write timeout period. Unit: seconds. Valid values: 1 to 3600.	1
Keepalive	boolean	No	Indicates whether persistent connections are enabled. Valid values: true (default): enables persistent connections. false: disables persistent connections.	true
KeepaliveRequests	integer	No	The maximum number of requests that can be served through one persistent connection. Valid values: 60 to 1000.	1000
KeepaliveTimeout	integer	No	The timeout period for an idle persistent connection. Valid values: 10 to 3600. Default value: 3600. Unit: seconds.	15
XffProto	boolean	No	Indicates whether the X-Forwarded-Proto header is used to pass the protocol used by WAF. Valid values: true (default): passes the protocol. false: does not pass the protocol.	true
MaxBodySize	integer	No	The maximum size of a request body. Valid values: 2 to 10. Default value: 2. Unit: GB.	2
RegionId	string	Yes	The region of the WAF instance. Valid values: cn-hangzhou: the Chinese mainland. ap-southeast-1: outside the Chinese mainland.	cn-hangzhou
CloudResourceId	string	No	The ID of the cloud resource that is added to WAF. Note Call CreateCloudResource to add a cloud resource. The resource ID is included in the response.	lb-***-80-clb7

Response elements

Element	Type	Description	Example
	object
RequestId	string	The request ID.	D7861F61-5B61-46CE-A47C-***
CloudResource	string	The ID of the cloud resource that is added to WAF.	lb-xxx-80-clb7

Examples

Success response

JSON format

{
  "RequestId": "D7861F61-5B61-46CE-A47C-***",
  "CloudResource": "lb-xxx-80-clb7"
}

Error codes

HTTP status code	Error code	Error message	Description
400	Waf.Pullin.CertExpired	Certificate expired, certificate ID:%s .
400	Waf.Pullin.CertNotExist	Certificate does not exist in SSL Certificate Center, certificate type:%s, certificate ID:%s.	Certificate does not exist in SSL Certificate Center, certificate type:%s, certificate ID:%s.
400	Waf.Pullin.OnlyBeOneDefaultCert	There can be only one default certificate.	There can be only one default certificate.
400	Waf.Control.CloudProductInfoNotMartch	The value of the cloud product, port, instance, and input parameter to which the resource ID of the cloud product is connected to WAF does not match.	The value of the cloud product, port, instance, and input parameter to which the resource ID of the cloud product is connected to WAF does not match.
400	Waf.Control.CloudProductInfoEmpty	The resource Id of the cloud product accessing WAF is null or null values exist in the three input parameters of the cloud product name, port, and cloud product instance.	The resource Id of the cloud product accessing WAF is null or null values exist in the three input parameters of the cloud product name, port, and cloud product instance.
400	Waf.Control.DefenseResourceEmpty	CloudResourceId parameter is illegal.	CloudResourceId parameter is illegal

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.