Terraform is an open source developer tool provided by HashiCorp. Terraform allows you to manage cloud infrastructures by using code. Alibaba Cloud is one of the mainstream cloud service providers that support integration with Terraform. Alibaba Cloud released multiple Security Center-related resources and data sources in Terraform. You can use Terraform to manage the resources to meet your business requirements. For example, you can use simple code for automated deployment and continuous enhancement of cloud infrastructures. This topic describes how to activate Security Center by using Terraform.
Prerequisites
The Terraform runtime environment is installed. Alibaba Cloud allows you to use Terraform based on the following methods:
Install and configure Terraform on your computer: You must install Terraform based on your development environment and configure your Alibaba Cloud credentials.
Make sure that the Terraform version is 0.14 or later and that the alicloud provider version is 1.199.0 or later.
Use Terraform in Cloud Shell: The Terraform components are pre-installed in Cloud Shell, and authentication credentials are configured. After you log on to Cloud Shell, you can run Terraform commands in Cloud Shell.
You can select one of the preceding methods based on your business requirements and usage habits. This topic provides an example on how to activate Security Center in Cloud Shell.
Activate Security Center
Create an execution directory and go to the execution directory.
mkdir /usr/local/terraform
cd /usr/local/terraform
Note: You must create an execution directory for each Terraform project.
Create a file named terraform.tf and configure the file.
vim terraform.tf
Configure the terraform.tf file based on the following code:
resource "alicloud_threat_detection_instance" "default" {
  version_code           = "level2"
  buy_number             = "30"
  payment_type           = "Subscription"
  period                 = 1
  renewal_status         = "ManualRenewal"
  sas_sls_storage        = "100"
  sas_anti_ransomware    = "100"
  container_image_scan   = "30"
  sas_webguard_boolean   = "1"
  sas_webguard_order_num = "100"
  honeypot_switch        = "1"
  honeypot               = "32"
  sas_sdk_switch         = "1"
  sas_sdk                = "1000"
}
Parameters (Required / Description / Example):

version_code
  Required: Yes
  Description: The edition of Security Center. Valid values:
    level7: Anti-virus edition
    level3: Advanced edition
    level2: Enterprise edition
    level8: Ultimate edition
    level10: Value-added Plan edition
  Example: level2

buy_number
  Required: No
  Description: The number of servers that you want to protect by using Security Center.
    Note: This parameter is required only when version_code is set to level3, level2, or level8.
  Example: 30

v_core
  Required: No
  Description: The number of cores of the servers that you want to protect by using Security Center.
    Note: This parameter is required only when version_code is set to level7 or level8.
  Example: 100

payment_type
  Required: Yes
  Description: The billing method. Valid values:
    Subscription
  Example: Subscription

period
  Required: No
  Description: The subscription duration. Unit: months.
    Valid values: 1, 6, 12, 24, 36, and 60.
  Example: 1

renewal_status
  Required: No
  Description: The renewal method. Valid values:
    AutoRenewal
    ManualRenewal (default)
  Example: ManualRenewal

renewal_period
  Required: No
  Description: The auto-renewal duration. Unit: months.
    Note: This parameter is required only when renewal_status is set to AutoRenewal.
  Example: 12

sas_sls_storage
  Required: No
  Description: The log storage capacity. Unit: GB.
    Valid values: 0 to 600000. The value must be a multiple of 10.
    Note: The Cybersecurity Law of the People's Republic of China stipulates that logs must be retained for at least 180 days. We recommend that you allocate 40 GB of log storage capacity to each server to store logs.
  Example: 100

sas_anti_ransomware
  Required: No
  Description: The anti-ransomware capacity. Unit: GB.
    Valid values: 10 to 9999999999. The value must be a multiple of 10.
  Example: 100

container_image_scan
  Required: No
  Description: The quota for container image scan. We recommend that you set the value to the number of images that you want to scan every month.
    Valid values: 0 to 200000. The value must be a multiple of 20.
    Note: Security Center identifies an image by its unique digest value. If the digest value of an image does not change, the Container Image Scan quota is deducted by one only for the first scan. If the digest value of an image changes and the image is scanned again, the quota is deducted again: one unit for each change of the digest value. For example, if you want to scan 10 images and you estimate that their digest values will change 20 times in total within the subscription, set Container Image Scan to 30. That is, the value of Container Image Scan equals the number of images that you want to scan plus the number of times the digest values change.
  Example: 30

sas_webguard_boolean
  Required: No
  Description: Specifies whether to enable web tamper proofing. Valid values:
    1: yes
    0: no
  Example: 1

sas_webguard_order_num
  Required: No
  Description: The quota for web tamper proofing.
    Valid values: 0 to 9999.
    Note: This parameter is required only when sas_webguard_boolean is set to 1.
  Example: 100

honeypot_switch
  Required: No
  Description: Specifies whether to enable cloud honeypot. Valid values:
    1: yes
    2: no
  Example: 1

honeypot
  Required: No
  Description: The quota for cloud honeypot.
    Valid values: 20 to 500.
    Note: This parameter is required only when honeypot_switch is set to 1.
  Example: 20

sas_sdk_switch
  Required: No
  Description: Specifies whether to enable SDK for malicious file detection. Valid values:
    1: yes
    0: no
  Example: 1

sas_sdk
  Required: No
  Description: The quota on SDK for malicious file detection. Unit: 10,000 times.
    Valid values: 10 to 9999999999. The value must be a multiple of 10.
  Example: 10
Run the terraform init command to initialize Terraform. If the following information is returned, Terraform is initialized:
Terraform has been successfully initialized!
Run the terraform plan command to create an execution plan.
Run the terraform apply command to activate Security Center. Enter yes when Cloud Shell returns the following information:
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:
If the following information is returned, Security Center is activated:
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
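The parameter table above states per-parameter rules (the allowed editions, the subscription periods, the multiple-of-10 storage sizes) that a plain configuration only discovers when the provider rejects the apply. The following configuration is an added example, not code from the Alibaba Cloud page or from the alicloud provider: it moves those rules into variable validation blocks so that terraform plan fails early with a clear message instead of failing at purchase time. The variable names, defaults and error messages are constructed for this example; the resource attributes, editions and value ranges are those listed in the table, and the provider source aliyun/alicloud together with the version constraints from the Prerequisites section is assumed.

```hcl
# Added example (not from the Alibaba Cloud page or the alicloud provider):
# validate Security Center quotas before the purchase is attempted.
# Variable names and defaults are constructed; the attribute names and
# value rules follow the parameter table in this topic.

terraform {
  required_version = ">= 0.14"
  required_providers {
    alicloud = {
      source  = "aliyun/alicloud"   # assumed provider source
      version = ">= 1.199.0"
    }
  }
}

variable "version_code" {
  type        = string
  description = "Security Center edition (level7, level3, level2, level8, level10)."
  default     = "level2"
  validation {
    condition     = contains(["level7", "level3", "level2", "level8", "level10"], var.version_code)
    error_message = "version_code must be one of level7, level3, level2, level8 or level10."
  }
}

variable "buy_number" {
  type        = number
  description = "Number of servers to protect (used by level3, level2 and level8)."
  default     = 30
  validation {
    condition     = var.buy_number > 0 && floor(var.buy_number) == var.buy_number
    error_message = "buy_number must be a positive whole number."
  }
}

variable "period" {
  type        = number
  description = "Subscription duration in months."
  default     = 1
  validation {
    condition     = contains([1, 6, 12, 24, 36, 60], var.period)
    error_message = "period must be one of 1, 6, 12, 24, 36 or 60 months."
  }
}

variable "sas_sls_storage" {
  type        = number
  description = "Log storage capacity in GB (0 to 600000, multiple of 10)."
  default     = 100
  validation {
    condition     = var.sas_sls_storage >= 0 && var.sas_sls_storage <= 600000 && var.sas_sls_storage % 10 == 0
    error_message = "sas_sls_storage must be between 0 and 600000 GB and a multiple of 10."
  }
}

variable "sas_anti_ransomware" {
  type        = number
  description = "Anti-ransomware capacity in GB (10 to 9999999999, multiple of 10)."
  default     = 100
  validation {
    condition     = var.sas_anti_ransomware >= 10 && var.sas_anti_ransomware <= 9999999999 && var.sas_anti_ransomware % 10 == 0
    error_message = "sas_anti_ransomware must be between 10 and 9999999999 GB and a multiple of 10."
  }
}

# The provider takes the quota attributes as strings (as in the page's
# example), so the validated numbers are converted with tostring().
resource "alicloud_threat_detection_instance" "default" {
  version_code        = var.version_code
  buy_number          = tostring(var.buy_number)
  payment_type        = "Subscription"
  period              = var.period
  renewal_status      = "ManualRenewal"
  sas_sls_storage     = tostring(var.sas_sls_storage)
  sas_anti_ransomware = tostring(var.sas_anti_ransomware)
}
```

With this in place, a value such as sas_sls_storage = 105 is rejected by terraform plan in Cloud Shell with the error_message text, before any order is placed; the rules that relate two parameters to each other (for example sas_webguard_order_num when web tamper proofing is enabled) cannot be expressed in a validation block of a single variable and need a resource-level precondition instead.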
Upgrade and downgrade Security Center
You can upgrade or downgrade Security Center by using Terraform.
Create an execution directory and go to the execution directory.
mkdir /usr/local/terraform
cd /usr/local/terraform
Note: You must create an execution directory for each Terraform project.
Create a file named terraform.tf and configure the file.
vim terraform.tf
Configure the terraform.tf file based on the following code:
resource "alicloud_threat_detection_instance" "default" {
  modify_type            = "Upgrade"
  version_code           = "level2"
  buy_number             = "30"
  payment_type           = "Subscription"
  period                 = 1
  renewal_status         = "ManualRenewal"
  sas_sls_storage        = "100"
  sas_anti_ransomware    = "100"
  container_image_scan   = "30"
  sas_webguard_boolean   = "1"
  sas_webguard_order_num = "100"
  honeypot_switch        = "1"
  honeypot               = "32"
  sas_sdk_switch         = "1"
  sas_sdk                = "1000"
}
Parameters (Required / Description / Example):

modify_type
  Required: Yes
  Description: Specifies whether to upgrade or downgrade Security Center. Valid values:
    Upgrade
    Downgrade
  Example: Upgrade

version_code
  Required: Yes
  Description: The edition of Security Center. Valid values:
    level7: Anti-virus edition
    level3: Advanced edition
    level2: Enterprise edition
    level8: Ultimate edition
    level10: Value-added Plan edition
  Example: level2

buy_number
  Required: No
  Description: The number of servers that you want to protect by using Security Center.
    Note: This parameter is required only when version_code is set to level3, level2, or level8.
  Example: 30

v_core
  Required: No
  Description: The number of cores of the servers that you want to protect by using Security Center.
    Note: This parameter is required only when version_code is set to level7 or level8.
  Example: 100

payment_type
  Required: Yes
  Description: The billing method. Valid values:
    Subscription
  Example: Subscription

period
  Required: No
  Description: The subscription duration. Unit: months.
    Valid values: 1, 6, 12, 24, 36, and 60.
  Example: 1

renewal_status
  Required: No
  Description: The renewal method. Valid values:
    AutoRenewal
    ManualRenewal (default)
  Example: ManualRenewal

renewal_period
  Required: No
  Description: The auto-renewal duration. Unit: months.
    Note: This parameter is required only when renewal_status is set to AutoRenewal.
  Example: 12

sas_sls_storage
  Required: No
  Description: The log storage capacity. Unit: GB.
    Valid values: 0 to 600000. The value must be a multiple of 10.
    Note: The Cybersecurity Law of the People's Republic of China stipulates that logs must be retained for at least 180 days. We recommend that you allocate 40 GB of log storage capacity to each server to store logs.
  Example: 100

sas_anti_ransomware
  Required: No
  Description: The anti-ransomware capacity. Unit: GB.
    Valid values: 10 to 9999999999. The value must be a multiple of 10.
  Example: 100

container_image_scan
  Required: No
  Description: The quota for container image scan. We recommend that you set the value to the number of images that you want to scan every month.
    Valid values: 0 to 200000. The value must be a multiple of 20.
    Note: Security Center identifies an image by its unique digest value. If the digest value of an image does not change, the Container Image Scan quota is deducted by one only for the first scan. If the digest value of an image changes and the image is scanned again, the quota is deducted again: one unit for each change of the digest value. For example, if you want to scan 10 images and you estimate that their digest values will change 20 times in total within the subscription, set Container Image Scan to 30. That is, the value of Container Image Scan equals the number of images that you want to scan plus the number of times the digest values change.
  Example: 30

sas_webguard_boolean
  Required: No
  Description: Specifies whether to enable web tamper proofing. Valid values:
    1: yes
    0: no
  Example: 1

sas_webguard_order_num
  Required: No
  Description: The quota for web tamper proofing.
    Valid values: 0 to 9999.
    Note: This parameter is required only when sas_webguard_boolean is set to 1.
  Example: 100

honeypot_switch
  Required: No
  Description: Specifies whether to enable cloud honeypot. Valid values:
    1: yes
    2: no
  Example: 1

honeypot
  Required: No
  Description: The quota for cloud honeypot.
    Valid values: 20 to 500.
    Note: This parameter is required only when honeypot_switch is set to 1.
  Example: 20

sas_sdk_switch
  Required: No
  Description: Specifies whether to enable SDK for malicious file detection. Valid values:
    1: yes
    0: no
  Example: 1

sas_sdk
  Required: No
  Description: The quota on SDK for malicious file detection. Unit: 10,000 times.
    Valid values: 10 to 9999999999. The value must be a multiple of 10.
  Example: 10
Run the terraform init command to initialize Terraform. If the following information is returned, Terraform is initialized:
Terraform has been successfully initialized!
Run the terraform plan command to create an execution plan.
Run the terraform apply command to change the specifications of Security Center. Enter yes when Cloud Shell returns the following information:
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:
If the following information is returned, the specifications are changed:
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
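Several rules in the table above relate two parameters to each other (renewal_period only with AutoRenewal, sas_webguard_order_num only with sas_webguard_boolean set to 1, and the 40 GB-per-server log storage recommendation behind the 180-day retention requirement), and a Downgrade or an accidental destroy can quietly reduce the protection that is in place. The following configuration is an added example, not code from the Alibaba Cloud page or from the alicloud provider: it drives modify_type from a variable, expresses the cross-parameter rules as lifecycle preconditions on the resource, and sets prevent_destroy so that the subscription cannot be removed by a plain terraform destroy. Lifecycle preconditions assume Terraform 1.2 or later; the variable names and default values are constructed for this example.

```hcl
# Added example (not from the Alibaba Cloud page or the alicloud provider):
# guard rails for an upgrade or downgrade of Security Center.
# Requires Terraform 1.2 or later for lifecycle preconditions (assumption).
# Variable names and defaults are constructed for this example.

variable "modify_type" {
  type        = string
  description = "Upgrade or Downgrade, as listed in the parameter table."
  default     = "Upgrade"
  validation {
    condition     = contains(["Upgrade", "Downgrade"], var.modify_type)
    error_message = "modify_type must be Upgrade or Downgrade."
  }
}

variable "buy_number" {
  type    = number
  default = 30
}

variable "sas_sls_storage" {
  type    = number
  default = 1200   # 30 servers x 40 GB, the recommendation in the parameter table
}

variable "renewal_status" {
  type    = string
  default = "AutoRenewal"
}

variable "renewal_period" {
  type    = number
  default = 12
}

variable "sas_webguard_boolean" {
  type    = string
  default = "1"
}

variable "sas_webguard_order_num" {
  type    = number
  default = 100
}

resource "alicloud_threat_detection_instance" "default" {
  modify_type          = var.modify_type
  version_code         = "level2"
  buy_number           = tostring(var.buy_number)
  payment_type         = "Subscription"
  period               = 1
  renewal_status       = var.renewal_status
  # renewal_period is only meaningful with AutoRenewal; omit it otherwise.
  renewal_period       = var.renewal_status == "AutoRenewal" ? var.renewal_period : null
  sas_sls_storage      = tostring(var.sas_sls_storage)
  sas_webguard_boolean = var.sas_webguard_boolean
  # The web tamper proofing quota is only sent when the feature is enabled.
  sas_webguard_order_num = var.sas_webguard_boolean == "1" ? tostring(var.sas_webguard_order_num) : null

  lifecycle {
    # A plain `terraform destroy` (or a resource removal) fails instead of
    # cancelling the Security Center subscription.
    prevent_destroy = true

    precondition {
      condition     = var.sas_sls_storage >= 40 * var.buy_number
      error_message = "Log storage is below the recommended 40 GB per protected server; 180-day log retention may not be met."
    }

    precondition {
      condition     = var.renewal_status != "AutoRenewal" || var.renewal_period > 0
      error_message = "renewal_period is required when renewal_status is AutoRenewal."
    }

    precondition {
      condition     = var.sas_webguard_boolean != "1" || (var.sas_webguard_order_num > 0 && var.sas_webguard_order_num <= 9999)
      error_message = "sas_webguard_order_num (1 to 9999) is required when sas_webguard_boolean is 1."
    }
  }
}
```

Run terraform plan -var modify_type=Downgrade -var buy_number=60 in the execution directory to see the first precondition reject a change that would leave 60 servers with 1200 GB of log storage; the plan stops before any apply is possible, and the prevent_destroy setting makes the subscription's removal an explicit edit to the configuration rather than a side effect of a destroy.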