
CloudOps Orchestration Service:ACS-ECS-RevokeSecurityGroupRules

Last Updated:Nov 25, 2024

Template name

ACS-ECS-RevokeSecurityGroupRules


Template description

Deletes the security group rules that match the specified direction, policy, port range and source CIDR block. Matching is an exact string comparison against the Policy, PortRange and SourceCidrIp values returned by DescribeSecurityGroupAttribute; IpProtocol is not part of the match, so every protocol that shares those three values is revoked. The delete task calls RevokeSecurityGroup, the ECS API for inbound rules; RevokeSecurityGroupEgress, the API for outbound rules, is neither called by the template nor granted by the permission policy below.

Template type

Automated

Owner

Alibaba Cloud

Input parameters

Parameter        Description                                                   Type    Required  Default value        Limit
securityGroupId  The security group ID.                                        String  Yes       -                    -
direction        Direction of the rule: egress, ingress or all.                String  Yes       -                    -
policy           Access control action of the rule: Accept or Drop.            String  Yes       -                    -
portRange        Port range as start/end. Examples: 1/200, -1/-1, 22/22.       String  Yes       -                    -
sourceCidrIp     Source IPv4 CIDR block. Examples: 10.0.0.0/8, 0.0.0.0/0.      String  Yes       -                    -
regionId         The region ID.                                                String  No        {{ ACS::RegionId }}  -
OOSAssumeRole    The RAM role assumed by CloudOps Orchestration Service (OOS). String  No        ""                   -

Output parameters

None

Permission policy that is required to execute the template

Both actions are granted with Resource "*", that is, on every security group in the account. In a least-privilege deployment, scope Resource to the security groups this template is allowed to modify.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:RevokeSecurityGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
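The following checker is an added example, not code from the page or from the OOS template. It parses the policy above, collects the Service/API pairs the template's Tasks invoke, and reports any action the policy fails to grant and any action granted on Resource "*". The checker treats RAM action names as case-insensitive with "*" as the only wildcard; that is an assumption of this example, as are the function names.

```python
import fnmatch
import json

# The permission policy exactly as shown on this page.
PAGE_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:RevokeSecurityGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
""")

# (Service, API) pairs taken from the Tasks section of the template on this page.
TEMPLATE_CALLS = [
    ("ECS", "DescribeSecurityGroupAttribute"),
    ("ECS", "RevokeSecurityGroup"),
]


def _as_list(value):
    """RAM policy elements such as Action and Resource may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def allow_entries(policy):
    """Yield (action_pattern, resources) for every Allow statement; Deny statements are ignored here."""
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        resources = _as_list(statement.get("Resource"))
        for pattern in _as_list(statement.get("Action")):
            yield pattern, resources


def action_allowed(policy, service, api):
    """True if some Allow action pattern covers service:api.

    Assumption of this checker: RAM action names are case-insensitive and
    '*' is the only wildcard (so 'ecs:Revoke*' covers ecs:RevokeSecurityGroup).
    """
    wanted = f"{service}:{api}".lower()
    return any(fnmatch.fnmatchcase(wanted, pattern.lower()) for pattern, _ in allow_entries(policy))


def missing_actions(policy, calls):
    """Actions the template invokes that the policy does not grant."""
    return [f"{service}:{api}" for service, api in calls if not action_allowed(policy, service, api)]


def wildcard_resource_actions(policy):
    """Action patterns granted on Resource '*', i.e. on every security group in the account."""
    return sorted({pattern for pattern, resources in allow_entries(policy) if "*" in resources})


if __name__ == "__main__":
    print("missing actions:", missing_actions(PAGE_POLICY, TEMPLATE_CALLS))
    print("granted on all resources:", wildcard_resource_actions(PAGE_POLICY))
```

Run it against any edited version of the policy before you tighten Resource: an empty missing-actions list confirms the template can still run, and an empty wildcard list confirms nothing is left granted account-wide.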

References

For more information, see ACS-ECS-RevokeSecurityGroupRules.yml on GitHub.

Template content

FormatVersion: OOS-2019-06-01
Description:
  en: Delete the security group rules that match the given policy, port range and source CIDR block
  zh-cn: the description in Chinese
  name-en: ACS-ECS-RevokeSecurityGroupRules
  name-zh-cn: the description in Chinese
  categories:
    - instance_manage
    - computenest
Parameters:
  regionId:
    Label:
      en: RegionId
      zh-cn: the description in Chinese
    Type: String
    AssociationProperty: RegionId
    Default: '{{ ACS::RegionId }}'
  securityGroupId:
    Label:
      en: SecurityGroupId
      zh-cn: the description in Chinese
    Type: String
    AssociationProperty: ALIYUN::ECS::SecurityGroup::SecurityGroupId
    AssociationPropertyMetadata:
      regionId: regionId
  direction:
    Label:
      en: Direction
      zh-cn: the description in Chinese
    Description:
      en: <ul class="ul">
        <li class="li" >egress: security group outbound direction</li>
        <li class="li" >ingress: security group inbound direction</li>
        <li class="li">all: both directions</li></ul>
      zh-cn: <ul class="ul">
        <li class="li" >The description in Chinese</li>
        <li class="li" >The description in Chinese</li>
        <li class="li">The description in Chinese</li></ul>
    Type: String
    AllowedValues:
      - egress
      - ingress
      - all
  policy:
    Label:
      en: Policy
      zh-cn: the description in Chinese
    Description:
      en: <ul class="ul">
        <li class="li">Accept: Allow access</li>
        <li class="li">Drop: Deny access</li>
        </ul>
      zh-cn: <ul class="ul">
        <li class="li">The description in Chinese</li>
        <li class="li">The description in Chinese</li>
        </ul>
    Type: String
    AllowedValues:
      - Accept
      - Drop
  portRange:
    Label:
      en: PortRange
      zh-cn: the description in Chinese
    Description:
      en: 'Use a slash (/) to separate the start and end ports. Example: 1/200, -1/-1, 22/22'
      zh-cn: the description in Chinese Example: 1/200, -1/-1, 22/22
    Type: String
  sourceCidrIp:
    Label:
      en: SourceCidrIp
      zh-cn: the description in Chinese
    Description:
      en: 'Examples: 10.0.0.0/8 and 0.0.0.0/0'
      zh-cn: the description in Chinese
    Type: String
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
      zh-cn: the description in Chinese
    Type: String
    Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
- Name: describeSecurityGroupRules
  Action: ACS::ExecuteAPI
  Description:
    en: Get security group rules
    zh-cn: the description in Chinese
  Properties:
    Service: ECS
    API: DescribeSecurityGroupAttribute
    Parameters:
      RegionId: '{{ regionId }}'
      SecurityGroupId: '{{ securityGroupId }}'
      Direction: '{{ direction }}'
  Outputs:
    rules:
      Type: Json
      ValueSelector: .Permissions.Permission | map( select(.Policy == "{{ policy }}") ) | map( select(.PortRange == "{{ portRange }}") ) |  map( select(.SourceCidrIp == "{{ sourceCidrIp }}") )
- Name: delSecurityGroupRule
  Action: ACS::ExecuteAPI
  Description:
    en: Delete security group rule
    zh-cn: the description in Chinese
  Properties:
    Service: ECS
    API: RevokeSecurityGroup
    Parameters:
      SecurityGroupId: '{{ securityGroupId }}'
      RegionId: '{{ regionId }}'
      Policy:
        Fn::Select:
          - Policy
          - '{{ ACS::TaskLoopItem }}'
      PortRange:
        Fn::Select:
          - PortRange
          - '{{ ACS::TaskLoopItem }}'
      SourceCidrIp:
        Fn::Select:
          - SourceCidrIp
          - '{{ ACS::TaskLoopItem }}'
      IpProtocol:
        Fn::Select:
          - IpProtocol
          - '{{ ACS::TaskLoopItem }}'
  Loop:
    Items: '{{ describeSecurityGroupRules.rules }}'
    RateControl:
      MaxErrors: 0
      Mode: Concurrency
      Concurrency: 1
Metadata:
  ALIYUN::OOS::Interface:
    ParameterGroups:
      - Parameters:
          - direction
          - policy
          - portRange
          - sourceCidrIp
        Label:
          default:
            zh-cn: the description in Chinese
            en: Configure Parameters
      - Parameters:
          - regionId
          - securityGroupId
        Label:
          default:
            zh-cn: the description in Chinese
            en: Select Security Group
      - Parameters:
          - OOSAssumeRole
        Label:
          default:
            zh-cn: the description in Chinese
            en: Control Options
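The following Python dry run is an added example, not code from the page or from the OOS template. It reproduces the two tasks above in plain Python over a constructed DescribeSecurityGroupAttribute response (the response, the sg-example ID, the region and the function names are made up for illustration) so that the matching rule can be checked before anything is revoked: the ValueSelector's exact string match on Policy, PortRange and SourceCidrIp, the per-item parameter set the loop task builds with Fn::Select, and two consequences of that match. Several protocols sharing those three values are all revoked, while outbound rules, which in the sample carry DestCidrIp and an empty SourceCidrIp as the API's Permission objects do, never match.

```python
import json

# Constructed sample shaped like a DescribeSecurityGroupAttribute response (not real API output).
# The template's ValueSelector reads .Permissions.Permission from it.
SAMPLE_RESPONSE = {
    "SecurityGroupId": "sg-example",
    "Permissions": {
        "Permission": [
            {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22",
             "SourceCidrIp": "0.0.0.0/0", "DestCidrIp": "", "Priority": "1"},
            {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "UDP", "PortRange": "22/22",
             "SourceCidrIp": "0.0.0.0/0", "DestCidrIp": "", "Priority": "1"},
            {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22",
             "SourceCidrIp": "10.0.0.0/8", "DestCidrIp": "", "Priority": "1"},
            {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP", "PortRange": "22/22",
             "SourceCidrIp": "0.0.0.0/0", "DestCidrIp": "", "Priority": "100"},
            {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1",
             "SourceCidrIp": "", "DestCidrIp": "0.0.0.0/0", "Priority": "1"},
        ]
    },
}


def describe_rules(response, direction):
    """Simulates the Direction parameter of DescribeSecurityGroupAttribute ('all' returns both)."""
    rules = response["Permissions"]["Permission"]
    if direction == "all":
        return list(rules)
    return [rule for rule in rules if rule["Direction"] == direction]


def select_rules(rules, policy, port_range, source_cidr):
    """The template's ValueSelector, reproduced: exact string match on Policy, PortRange and
    SourceCidrIp. IpProtocol and Priority are not compared, so every protocol sharing the
    three values is selected; a rule whose SourceCidrIp is empty (outbound) can never match."""
    return [
        rule for rule in rules
        if rule["Policy"] == policy
        and rule["PortRange"] == port_range
        and rule["SourceCidrIp"] == source_cidr
    ]


def revoke_parameters(rule, security_group_id, region_id):
    """The RevokeSecurityGroup parameter set the loop task builds from one item via Fn::Select."""
    return {
        "SecurityGroupId": security_group_id,
        "RegionId": region_id,
        "Policy": rule["Policy"],
        "PortRange": rule["PortRange"],
        "SourceCidrIp": rule["SourceCidrIp"],
        "IpProtocol": rule["IpProtocol"],
    }


def plan_revocations(response, security_group_id, region_id, direction, policy, port_range, source_cidr):
    """Dry run of the template: the RevokeSecurityGroup calls it would issue, in loop order
    (the loop runs with Concurrency 1, so the order is the order of the describe response)."""
    matched = select_rules(describe_rules(response, direction), policy, port_range, source_cidr)
    return [revoke_parameters(rule, security_group_id, region_id) for rule in matched]


if __name__ == "__main__":
    calls = plan_revocations(SAMPLE_RESPONSE, "sg-example", "cn-hangzhou",
                             "ingress", "Accept", "22/22", "0.0.0.0/0")
    print(json.dumps(calls, indent=2))
```

Running the dry run with the real describe response pasted into SAMPLE_RESPONSE shows exactly which rules the template will revoke; an empty plan for an outbound request, or a longer plan than expected because of a second protocol, is the signal to narrow the inputs or pick a different template.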