本文介绍如何使用Terraform为指定VPC防火墙策略组添加访问控制策略。
当前示例代码支持一键运行，您可以直接运行代码。请注意：运行后会在您的账号下实际创建两个VPC、交换机、VPC对等连接和VPC边界防火墙实例，并可能产生费用；请使用RAM用户凭证在测试环境中执行，完成验证后及时清理资源。
前提条件
由于阿里云账号（主账号）具有资源的所有权限，一旦发生泄露将面临重大风险。建议您使用RAM用户，并为该RAM用户创建AccessKey，具体操作方式请参见创建RAM用户和创建AccessKey。AccessKey应通过环境变量或Cloud Shell会话提供给Terraform，不要将AccessKey明文写入main.tf或提交到代码仓库。
使用以下示例为RAM用户授权，具体操作方式请参见为RAM用户授权。注意：示例策略中的 yundun-cloudfirewall:* 和 yundun-ndr:* 是通配授权，且 Resource 为 *，比本示例实际调用的操作更宽。按最小权限原则，建议仅保留本示例用到的操作（VPC、对等连接、路由条目，以及VPC防火墙及其访问控制策略的创建、查询和删除），并在验证完成后收回授权。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "yundun-cloudfirewall:*", "yundun-ndr:*", "vpc:CreateVpc", "vpc:DeleteVpc", "vpc:DescribeVpcs", "vpc:CreateVSwitch", "vpc:DeleteVSwitch", "vpc:DescribeVSwitches", "vpc:CreateRouteEntry", "vpc:DeleteRouteEntry", "vpc:DescribeRouteEntries", "vpc:CreateVpcPeerConnection", "vpc:DeleteVpcPeerConnection", "vpc:DescribeVpcPeerConnections", "cloudfirewall:CreateVpcFirewall", "cloudfirewall:DeleteVpcFirewall", "cloudfirewall:DescribeVpcFirewalls" ], "Resource": "*" } ] }
准备Terraform运行环境,您可以选择以下任一方式来使用Terraform。
在Explorer中使用Terraform:阿里云提供了Terraform的在线运行环境,您无需安装Terraform,登录后即可在线使用和体验Terraform。适用于零成本、快速、便捷地体验和调试Terraform的场景。
Cloud Shell：阿里云Cloud Shell中预装了Terraform的组件，并已配置好当前登录身份的凭证，您可直接在Cloud Shell中运行Terraform的命令。适用于低成本、快速、便捷地访问和使用Terraform的场景。请以前文创建的RAM用户登录后使用，避免以主账号身份执行。
在本地安装和配置Terraform:适用于网络连接较差或需要自定义开发环境的场景。
重要：请确保Terraform版本不低于v0.12.28。若在required_providers中指定provider的source（下文初始化输出中的警告即建议改用aliyun/alicloud），则需要v0.13及以上版本；下文示例输出中生成的.terraform.lock.hcl锁文件由v0.14及以上版本产生。如需检查现有版本，请运行
terraform --version
命令。
使用的资源
alicloud_cloud_firewall_vpc_firewall_control_policy:添加访问控制策略。
为指定VPC防火墙策略组添加访问控制策略
本示例为VPC边界防火墙添加一条访问控制策略：示例中的策略优先级为1（最高），协议为TCP、目的端口为80~88，源地址和目的地址均为0.0.0.0/0，动作为放行。示例代码会先创建两个VPC、VPC对等连接及路由、VPC边界防火墙实例，再在该实例上创建策略。
创建一个工作目录,并且在工作目录中创建以下名为
main.tf
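的配置文件。main.tf是Terraform主文件，定义了将要部署的资源。以下代码会先创建VPC边界防火墙实例，访问控制策略依赖该实例:
terraform {
  # Pinning a provider source needs 0.13+; the init output on this page
  # writes .terraform.lock.hcl, which is a 0.14+ feature.
  required_version = ">= 0.13"

  required_providers {
    # Official namespace. Without this, init resolves the legacy
    # hashicorp/alicloud alias and warns that the provider has moved.
    # Commit .terraform.lock.hcl so every init installs the same,
    # checksum-verified provider build.
    alicloud = {
      source  = "aliyun/alicloud"
      version = "~> 1.231"
    }
    time = {
      source = "hashicorp/time"
    }
  }
}

variable "region" {
  description = "Region that hosts both VPCs, the peering connection and the VPC firewall."
  default     = "cn-heyuan"
}

variable "zone_a" {
  description = "First zone for the vSwitches; must belong to var.region."
  default     = "cn-heyuan-a"
}

variable "zone_b" {
  description = "Second zone for the vSwitches; must belong to var.region."
  default     = "cn-heyuan-b"
}

# Credentials are deliberately not written into this file. The provider
# reads them from the environment (ALICLOUD_ACCESS_KEY / ALICLOUD_SECRET_KEY)
# or from the Cloud Shell / Explorer session. Use a RAM user's AccessKey as
# described in the prerequisites, never the root account's.
provider "alicloud" {
  region = var.region
}

# UID of the calling account. Reused as the peering acceptor and as the
# firewall's member_uid, so the whole example stays inside one account.
data "alicloud_account" "current" {}

# VPC 1: initiator side of the peering.
resource "alicloud_vpc" "vpc" {
  vpc_name   = "dd-tf-vpc-01"
  cidr_block = "192.168.0.0/16"
}

# VPC 2: acceptor side of the peering.
resource "alicloud_vpc" "vpc1" {
  vpc_name   = "dd-tf-vpc-02"
  cidr_block = "172.16.0.0/12"
}

# Two vSwitches per VPC, one in each zone.
resource "alicloud_vswitch" "vsw" {
  vpc_id       = alicloud_vpc.vpc.id
  cidr_block   = "192.168.10.0/24"
  zone_id      = var.zone_a
  vswitch_name = "dd-tf-vpc-01-example-1"
}

resource "alicloud_vswitch" "vsw1" {
  vpc_id       = alicloud_vpc.vpc.id
  cidr_block   = "192.168.20.0/24"
  zone_id      = var.zone_b
  vswitch_name = "dd-tf-vpc-01-example-2"
}

resource "alicloud_vswitch" "vsw2" {
  vpc_id       = alicloud_vpc.vpc1.id
  cidr_block   = "172.16.10.0/24"
  zone_id      = var.zone_a
  vswitch_name = "dd-tf-vpc-02-example-11"
}

resource "alicloud_vswitch" "vsw3" {
  vpc_id       = alicloud_vpc.vpc1.id
  cidr_block   = "172.16.20.0/24"
  zone_id      = var.zone_b
  vswitch_name = "dd-tf-vpc-02-example-22"
}

# Same-account VPC peering from vpc (initiator) to vpc1 (acceptor).
resource "alicloud_vpc_peer_connection" "default" {
  peer_connection_name = "terraform-example-vpc-peer-connection"
  vpc_id               = alicloud_vpc.vpc.id
  accepting_ali_uid    = data.alicloud_account.current.id
  # Both ends are in the same region here; for cross-region peering set the
  # acceptor's region instead.
  accepting_region_id = var.region
  accepting_vpc_id    = alicloud_vpc.vpc1.id
  description         = "terraform-example"
  # Lets `terraform destroy` remove the peering even while the route entries
  # below still reference it. Acceptable for a disposable example; review
  # before copying into a long-lived environment.
  force_delete = true
}

# Acceptor side of the peering (same account, so it can be accepted in-line).
resource "alicloud_vpc_peer_connection_accepter" "default" {
  instance_id = alicloud_vpc_peer_connection.default.id
}

# Route in VPC 1's system route table that sends a test prefix through the
# peering. 1.2.3.4/32 is a placeholder; replace it with the real peer-side
# destination before relying on the firewall for that traffic.
resource "alicloud_route_entry" "foo" {
  route_table_id        = alicloud_vpc.vpc.route_table_id
  destination_cidrblock = "1.2.3.4/32"
  nexthop_type          = "VpcPeer"
  nexthop_id            = alicloud_vpc_peer_connection.default.id
}

# Matching route in VPC 2's system route table (placeholder prefix as above).
resource "alicloud_route_entry" "foo1" {
  route_table_id        = alicloud_vpc.vpc1.route_table_id
  destination_cidrblock = "4.3.2.1/32"
  nexthop_type          = "VpcPeer"
  nexthop_id            = alicloud_vpc_peer_connection.default.id
}

# The peering and its routes need time to become active before a VPC
# firewall can be attached to them. 720s is an empirical value; adjust as
# needed. The firewall below depends on this sleep directly, so no extra
# null_resource (and no extra provider) is required.
resource "time_sleep" "wait_before_firewall" {
  depends_on = [
    alicloud_route_entry.foo,
    alicloud_route_entry.foo1,
  ]
  create_duration = "720s"
}

# VPC firewall on the peering. Created with status = "open" so protection is
# active as soon as the instance exists; the access-control policy is
# attached to this instance.
resource "alicloud_cloud_firewall_vpc_firewall" "default" {
  depends_on = [time_sleep.wait_before_firewall]

  timeouts {
    create = "30m"
  }

  vpc_firewall_name = "tf-test"
  member_uid        = data.alicloud_account.current.id

  local_vpc {
    vpc_id    = alicloud_vpc.vpc.id
    region_no = var.region
    local_vpc_cidr_table_list {
      local_route_table_id = alicloud_vpc.vpc.route_table_id
      local_route_entry_list {
        local_next_hop_instance_id = alicloud_vpc_peer_connection.default.id
        local_destination_cidr     = alicloud_route_entry.foo.destination_cidrblock
      }
    }
  }

  peer_vpc {
    vpc_id    = alicloud_vpc.vpc1.id
    region_no = var.region
    peer_vpc_cidr_table_list {
      peer_route_table_id = alicloud_vpc.vpc1.route_table_id
      peer_route_entry_list {
        peer_destination_cidr     = alicloud_route_entry.foo1.destination_cidrblock
        peer_next_hop_instance_id = alicloud_vpc_peer_connection.default.id
      }
    }
  }

  # "open":  protection is enabled immediately after the firewall is created.
  # "close": the firewall is created but protection stays off until enabled.
  status = "open"
}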
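# Match criteria are exposed as variables so the rule can be narrowed without
# editing the resource. The defaults reproduce the example exactly: an ACCEPT
# rule for any source (0.0.0.0/0) to any destination (0.0.0.0/0) on TCP 80-88,
# at order 1 (highest priority), enabled on creation. That is the widest
# possible allow for those ports across the VPC firewall -- narrow source and
# destination to the real CIDRs (for example the two VPC CIDRs created above)
# before using this outside a lab.
variable "policy_source" {
  description = "Source CIDR the policy matches (source_type = \"net\")."
  default     = "0.0.0.0/0"
}

variable "policy_destination" {
  description = "Destination CIDR the policy matches (destination_type = \"net\")."
  default     = "0.0.0.0/0"
}

variable "policy_dest_port" {
  description = "Destination port or port range in the API's start/end form, e.g. \"80/88\"."
  default     = "80/88"
}

variable "policy_action" {
  description = "Action applied to matching traffic: accept, drop or log."
  default     = "accept"

  # Reject typos at plan time instead of at the API (requires Terraform 0.13+).
  validation {
    condition     = contains(["accept", "drop", "log"], var.policy_action)
    error_message = "Value must be one of accept, drop or log."
  }
}

resource "alicloud_cloud_firewall_vpc_firewall_control_policy" "default" {
  # Firewall instance created in main.tf above; policies are per instance.
  vpc_firewall_id = alicloud_cloud_firewall_vpc_firewall.default.id
  # UID of the current account.
  member_uid = data.alicloud_account.current.id

  # Priority: values start at 1 and a smaller value is evaluated first, so
  # this rule takes precedence over every other policy on the firewall.
  order = "1"

  description = "Created_by_Terraform"

  # Match criteria. With *_type = "net" the address must be a CIDR block.
  source_type      = "net"
  source           = var.policy_source
  destination_type = "net"
  destination      = var.policy_destination
  # Protocol: ANY, TCP, UDP or ICMP.
  proto = "TCP"
  # Destination port type: port (literal) or group (port address book).
  dest_port_type = "port"
  dest_port      = var.policy_dest_port
  # Application type matched by the rule.
  application_name = "ANY"

  # Verdict: accept, drop or log.
  acl_action = var.policy_action
  # Enabled as soon as it is created (the default for new policies).
  release = true

  # Language of API request/response text only; no effect on the policy.
  lang = "zh"
}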
执行以下命令,初始化
Terraform
运行环境。terraform init
返回如下信息，表示Terraform初始化成功。输出中的警告说明hashicorp/alicloud已迁移到aliyun/alicloud，建议在required_providers中将source指定为aliyun/alicloud并固定版本范围；同时请将生成的.terraform.lock.hcl提交到版本库，以保证后续init安装的是经过校验的同一provider版本。
Initializing the backend... Initializing provider plugins... - Finding latest version of hashicorp/alicloud... - Using hashicorp/alicloud v1.231.0 from the shared cache directory Terraform has created a lock file .terraform.lock.hcl to record the provider selections it made above. Include this file in your version control repository so that Terraform can guarantee to make the same selections by default when you run "terraform init" in the future. ╷ │ Warning: Additional provider information from registry │ │ The remote registry returned warnings for registry.terraform.io/hashicorp/alicloud: │ - For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers. ╵ ╷ │ Warning: Incomplete lock file information for providers │ │ Due to your customized provider installation methods, Terraform was forced to calculate lock file checksums locally for the following providers: │ - hashicorp/alicloud │ │ The current .terraform.lock.hcl file only includes checksums for linux_amd64, so Terraform running on another platform will fail to install these providers. │ │ To calculate additional checksums for another platform, run: │ terraform providers lock -platform=linux_amd64 │ (where linux_amd64 is the platform to generate) ╵ Terraform has been successfully initialized!
创建执行计划,并预览变更。
terraform plan
执行以下命令，创建前置资源并为VPC边界防火墙添加访问控制策略。
terraform apply
在执行过程中,根据提示输入
yes
并按下Enter键，等待命令执行完成，若出现以下信息，则表示VPC边界防火墙访问控制策略添加成功。说明：下方示例输出中仅有访问控制策略一个资源待创建（Plan: 1 to add），是因为采集该输出时VPC、对等连接和防火墙实例已经存在；首次运行时执行计划还会包含这些前置资源。输入yes前请核对计划中的 source、destination、dest_port、acl_action 和 order 是否符合预期，示例中的0.0.0.0/0放行规则只适用于测试环境。Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # alicloud_cloud_firewall_vpc_firewall_control_policy.default will be created + resource "alicloud_cloud_firewall_vpc_firewall_control_policy" "default" { + acl_action = "accept" + acl_uuid = (known after apply) + application_id = (known after apply) + application_name = "ANY" + description = "Created_by_Terraform" + dest_port = "80/88" + dest_port_group_ports = (known after apply) + dest_port_type = "port" + destination = "0.0.0.0/0" + destination_group_cidrs = (known after apply) + destination_group_type = (known after apply) + destination_type = "net" + hit_times = (known after apply) + id = (known after apply) + lang = "zh" + member_uid = "1413397765616***" + order = 1 + proto = "TCP" + release = true + source = "0.0.0.0/0" + source_group_cidrs = (known after apply) + source_group_type = (known after apply) + source_type = "net" + vpc_firewall_id = "vfw-c7536567ab694fb1a***" } Plan: 1 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes alicloud_cloud_firewall_vpc_firewall_control_policy.default: Creating... alicloud_cloud_firewall_vpc_firewall_control_policy.default: Creation complete after 0s [id=vfw-c7536567ab694fb1a59f:ca14e184-15dc-4a68-b0d8-fb71a15ff***] Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
验证结果
执行terraform show命令
您可以使用以下命令查询Terraform已创建的资源详细信息。
terraform show
# alicloud_cloud_firewall_vpc_firewall_control_policy.default: resource "alicloud_cloud_firewall_vpc_firewall_control_policy" "default" { acl_action = "accept" acl_uuid = "ba164e52-acd2-4899-bf72-6816b13a****" application_id = "0" application_name = "ANY" description = "Created_by_Terraform" dest_port = "80/88" dest_port_group_ports = [] dest_port_type = "port" destination = "0.X.X.0/0" destination_group_cidrs = [] destination_type = "net" hit_times = 0 id = "vfw-d7b8ce273791475b****:ba164e52-acd2-4899-bf72-6816b13a****" lang = "zh" member_uid = "1415189284827****" order = 1 proto = "TCP" release = true source = "0.X.X.0/0" source_group_cidrs = [] source_type = "net" vpc_firewall_id = "vfw-d7b8ce273791475b****" }
登录云防火墙控制台
登录云防火墙控制台,在访问控制>VPC边界页面,查看VPC边界防火墙访问控制策略详细信息。
清理资源
当您不再需要上述通过Terraform创建或管理的资源时，请运行以下命令以释放资源。该命令会一并删除访问控制策略、VPC边界防火墙实例、路由条目、VPC对等连接（示例中设置了 force_delete = true）、交换机和VPC，请先确认这些资源不再被其他业务使用。关于terraform destroy
的更多信息,请参见Terraform常用命令。
terraform destroy
完整示例
当前示例代码支持一键运行，您可以直接运行代码。运行前请确认已使用RAM用户凭证，并在验证完成后执行terraform destroy清理资源。