本文介紹如何使用Terraform為指定VPC防火牆策略組添加存取控制策略。
當前範例程式碼支援一鍵運行,您可以直接運行代碼。
前提條件
由於阿里雲帳號(主帳號)具有資源的所有許可權,一旦發生泄露將面臨重大風險。建議您使用RAM使用者,並為該RAM使用者建立AccessKey,具體操作方式請參見建立RAM使用者和建立AccessKey。請勿將AccessKey寫入main.tf或提交到版本控制系統;本範例的provider區塊未包含任何憑證,應透過環境變數或本機憑證設定提供給Terraform。
使用以下樣本為RAM使用者授權,具體操作方式請參見為RAM使用者授權。注意此樣本對yundun-cloudfirewall與yundun-ndr授予了萬用字元(*)許可權且Resource為*,僅適用於快速體驗;在正式環境中建議依實際需要收窄Action與Resource範圍。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "yundun-cloudfirewall:*", "yundun-ndr:*", "vpc:CreateVpc", "vpc:DeleteVpc", "vpc:DescribeVpcs", "vpc:CreateVSwitch", "vpc:DeleteVSwitch", "vpc:DescribeVSwitches", "vpc:CreateRouteEntry", "vpc:DeleteRouteEntry", "vpc:DescribeRouteEntries", "vpc:CreateVpcPeerConnection", "vpc:DeleteVpcPeerConnection", "vpc:DescribeVpcPeerConnections", "cloudfirewall:CreateVpcFirewall", "cloudfirewall:DeleteVpcFirewall", "cloudfirewall:DescribeVpcFirewalls" ], "Resource": "*" } ] }準備Terraform運行環境,您可以選擇以下任一方式來使用Terraform。
在Explorer中使用Terraform:阿里雲提供了Terraform的線上運行環境,您無需安裝Terraform,登入後即可線上使用和體驗Terraform。適用於零成本、快速、便捷地體驗和調試Terraform的情境。
Cloud Shell:阿里雲Cloud Shell中預裝了Terraform的組件,並已配置好身份憑證,您可直接在Cloud Shell中運行Terraform的命令。適用於低成本、快速、便捷地訪問和使用Terraform的情境。
在本地安裝和配置Terraform:適用於網路連接較差或需要自訂開發環境的情境。
重要:請確保Terraform版本不低於v0.12.28;若要如本文範例在設定檔中以required_providers明確指定提供者來源(aliyun/alicloud),則需要v0.13或更高版本。如需檢查現有版本,請運行
terraform --version命令。
使用的資源
alicloud_cloud_firewall_vpc_firewall_control_policy:添加存取控制策略。
為指定VPC防火牆策略組添加存取控制策略
建立一個工作目錄,並且在工作目錄中建立以下名為
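main.tf的設定檔。main.tfTerraform主檔案,定義了將要部署的資源。確保您已建立好VPC防火牆執行個體:
terraform {
  # required_providers with an explicit "source" needs Terraform 0.13 or later.
  required_version = ">= 0.13"

  required_providers {
    # Pin the provider source explicitly. Left unpinned, `terraform init`
    # resolves the legacy hashicorp/alicloud namespace and the registry warns
    # that it has moved to aliyun/alicloud; pinning it here also keeps the
    # generated .terraform.lock.hcl meaningful for supply-chain verification.
    alicloud = {
      source = "aliyun/alicloud"
    }
    # time_sleep and null_resource below are provided by these two providers.
    time = {
      source = "hashicorp/time"
    }
    null = {
      source = "hashicorp/null"
    }
  }
}

# Region every resource in this example is created in.
variable "region" {
  default = "cn-heyuan"
}

provider "alicloud" {
  # Credentials are deliberately not set here: supply them via the environment
  # or a local credentials configuration so they never land in this file or VCS.
  region = var.region
}

# Current Alibaba Cloud account UID (peer-connection accepter and firewall member).
data "alicloud_account" "current" {
}

# VPC 1 (initiator side of the peering).
resource "alicloud_vpc" "vpc" {
  vpc_name   = "dd-tf-vpc-01"
  cidr_block = "192.168.0.0/16"
}

# VPC 2 (accepting side of the peering).
resource "alicloud_vpc" "vpc1" {
  vpc_name   = "dd-tf-vpc-02"
  cidr_block = "172.16.0.0/12"
}

# vSwitch 192.168.10.0/24 in VPC 1.
# NOTE: zone IDs below must be zones of var.region; adjust them together.
resource "alicloud_vswitch" "vsw" {
  vpc_id       = alicloud_vpc.vpc.id
  cidr_block   = "192.168.10.0/24"
  zone_id      = "cn-heyuan-a"
  vswitch_name = "dd-tf-vpc-01-example-1"
}

# vSwitch 192.168.20.0/24 in VPC 1.
resource "alicloud_vswitch" "vsw1" {
  vpc_id       = alicloud_vpc.vpc.id
  cidr_block   = "192.168.20.0/24"
  zone_id      = "cn-heyuan-b"
  vswitch_name = "dd-tf-vpc-01-example-2"
}

# vSwitch 172.16.10.0/24 in VPC 2.
resource "alicloud_vswitch" "vsw2" {
  vpc_id       = alicloud_vpc.vpc1.id
  cidr_block   = "172.16.10.0/24"
  zone_id      = "cn-heyuan-a"
  vswitch_name = "dd-tf-vpc-02-example-11"
}

# vSwitch 172.16.20.0/24 in VPC 2.
resource "alicloud_vswitch" "vsw3" {
  vpc_id       = alicloud_vpc.vpc1.id
  cidr_block   = "172.16.20.0/24"
  zone_id      = "cn-heyuan-b"
  vswitch_name = "dd-tf-vpc-02-example-22"
}

# VPC peering connection between VPC 1 (initiator) and VPC 2 (acceptor).
resource "alicloud_vpc_peer_connection" "default" {
  peer_connection_name = "terraform-example-vpc-peer-connection"
  # Initiator VPC.
  vpc_id = alicloud_vpc.vpc.id
  # Acceptor account: the same account in this example.
  accepting_ali_uid = data.alicloud_account.current.id
  # Acceptor region: both VPCs live in the provider region here. For a
  # cross-region peering this would be the acceptor VPC's region instead.
  accepting_region_id = var.region
  # Acceptor VPC.
  accepting_vpc_id = alicloud_vpc.vpc1.id
  description      = "terraform-example"
  # Deletes the peering even while it is still in use. Convenient for a
  # throw-away example; review before copying into a production module.
  force_delete = true
}

# Accept the peering on the VPC 2 side.
resource "alicloud_vpc_peer_connection_accepter" "default" {
  instance_id = alicloud_vpc_peer_connection.default.id
}

# Route entry in VPC 1 (VPC-A) pointing an example prefix at the peering.
resource "alicloud_route_entry" "foo" {
  # VPC-A route table.
  route_table_id = alicloud_vpc.vpc.route_table_id
  # Destination prefix: arbitrary example value, replace with your own.
  destination_cidrblock = "1.2.3.4/32"
  nexthop_type          = "VpcPeer"
  nexthop_id            = alicloud_vpc_peer_connection.default.id
}

# Route entry in VPC 2 (VPC-B) pointing an example prefix at the peering.
resource "alicloud_route_entry" "foo1" {
  # VPC-B route table (not VPC-A: this entry belongs to the accepting VPC).
  route_table_id = alicloud_vpc.vpc1.route_table_id
  # Destination prefix: arbitrary example value, replace with your own.
  # It must be a syntactically valid CIDR; a redacted placeholder such as
  # "4.3.X.X/32" is rejected at apply time.
  destination_cidrblock = "4.3.2.1/32"
  nexthop_type          = "VpcPeer"
  nexthop_id            = alicloud_vpc_peer_connection.default.id
}

# Give the peering and both route entries time to settle before the VPC
# firewall is created on top of them.
resource "time_sleep" "wait_before_firewall" {
  depends_on = [
    alicloud_route_entry.foo,
    alicloud_route_entry.foo1
  ]
  # Duration chosen by the original example; tune to your environment.
  create_duration = "720s"
}

# Explicit ordering anchor for the firewall resource.
resource "null_resource" "wait_for_firewall" {
  provisioner "local-exec" {
    command = "echo waiting for firewall to be ready"
  }
  depends_on = [time_sleep.wait_before_firewall]
}

# VPC border firewall covering the peering between VPC 1 and VPC 2.
resource "alicloud_cloud_firewall_vpc_firewall" "default" {
  depends_on = [
    null_resource.wait_for_firewall
  ]
  timeouts {
    # Firewall creation can be slow; give it an explicit creation timeout.
    create = "30m"
  }
  vpc_firewall_name = "tf-test"
  # Member account that owns the firewall.
  member_uid = data.alicloud_account.current.id

  local_vpc {
    # Initiator VPC.
    vpc_id    = alicloud_vpc.vpc.id
    region_no = var.region
    local_vpc_cidr_table_list {
      local_route_table_id = alicloud_vpc.vpc.route_table_id
      local_route_entry_list {
        local_next_hop_instance_id = alicloud_vpc_peer_connection.default.id
        local_destination_cidr     = alicloud_route_entry.foo.destination_cidrblock
      }
    }
  }

  peer_vpc {
    # Acceptor VPC.
    vpc_id    = alicloud_vpc.vpc1.id
    region_no = var.region
    peer_vpc_cidr_table_list {
      peer_route_table_id = alicloud_vpc.vpc1.route_table_id
      peer_route_entry_list {
        peer_destination_cidr     = alicloud_route_entry.foo1.destination_cidrblock
        peer_next_hop_instance_id = alicloud_vpc_peer_connection.default.id
      }
    }
  }

  # Valid values:
  #   open  - protection is enabled automatically once the firewall is created.
  #   close - protection is not enabled automatically.
  status = "open"
}

# Access-control policy attached to the VPC firewall above.
#
# SECURITY NOTE: as written this is an any-to-any ACCEPT rule at the highest
# priority (order 1) for TCP 80-88. It is fine for a connectivity smoke test,
# but in production narrow `source` / `destination` to the VPC CIDRs that
# actually need to talk (or use address groups), and keep broad rules below
# more specific drop rules.
resource "alicloud_cloud_firewall_vpc_firewall_control_policy" "default" {
  # Priority: starts at 1, smaller value = higher priority.
  order = 1
  # Destination address; with destination_type = "net" this must be a CIDR.
  destination      = "0.0.0.0/0"
  destination_type = "net"
  # Source address; with source_type = "net" this must be a CIDR.
  source      = "0.0.0.0/0"
  source_type = "net"
  # Application matched by the policy.
  application_name = "ANY"
  description      = "Created_by_Terraform"
  # Destination port(s): "80/88" is the range form (ports 80 through 88).
  dest_port      = "80/88"
  dest_port_type = "port"
  # Protocol. Valid values: ANY, TCP, UDP, ICMP.
  proto = "TCP"
  # Action on matching traffic. Valid values: accept, drop, log.
  acl_action = "accept"
  # Language of request/response content. Valid values: zh, en.
  lang = "zh"
  # Whether the policy is enabled; policies are enabled on creation by default.
  release = true
  # Member account that owns the firewall.
  member_uid = data.alicloud_account.current.id
  # Firewall instance this policy is attached to.
  vpc_firewall_id = alicloud_cloud_firewall_vpc_firewall.default.id
}
執行以下命令,初始化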
Terraform運行環境。terraform init返回如下資訊,表示Terraform初始化成功。
Initializing the backend... Initializing provider plugins... - Finding latest version of hashicorp/alicloud... - Using hashicorp/alicloud v1.231.0 from the shared cache directory Terraform has created a lock file .terraform.lock.hcl to record the provider selections it made above. Include this file in your version control repository so that Terraform can guarantee to make the same selections by default when you run "terraform init" in the future. ╷ │ Warning: Additional provider information from registry │ │ The remote registry returned warnings for registry.terraform.io/hashicorp/alicloud: │ - For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers. ╵ ╷ │ Warning: Incomplete lock file information for providers │ │ Due to your customized provider installation methods, Terraform was forced to calculate lock file checksums locally for the following providers: │ - hashicorp/alicloud │ │ The current .terraform.lock.hcl file only includes checksums for linux_amd64, so Terraform running on another platform will fail to install these providers. │ │ To calculate additional checksums for another platform, run: │ terraform providers lock -platform=linux_amd64 │ (where linux_amd64 is the platform to generate) ╵ Terraform has been successfully initialized!建立執行計畫,並預覽變更。
terraform plan執行以下命令,為指定VPC防火牆策略組添加存取控制策略。
terraform apply在執行過程中,根據提示輸入
yes並按下Enter鍵,等待命令執行完成,若出現以下資訊,則表示為VPC防火牆添加存取控制策略成功。(下方輸出僅顯示新增1個資源,是因為VPC、對等串連與VPC防火牆執行個體已事先建立;若您從零開始運行,計畫中會同時列出這些前置資源。建議在輸入yes前逐項確認計畫中的source、destination與acl_action是否符合預期。)Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # alicloud_cloud_firewall_vpc_firewall_control_policy.default will be created + resource "alicloud_cloud_firewall_vpc_firewall_control_policy" "default" { + acl_action = "accept" + acl_uuid = (known after apply) + application_id = (known after apply) + application_name = "ANY" + description = "Created_by_Terraform" + dest_port = "80/88" + dest_port_group_ports = (known after apply) + dest_port_type = "port" + destination = "0.0.0.0/0" + destination_group_cidrs = (known after apply) + destination_group_type = (known after apply) + destination_type = "net" + hit_times = (known after apply) + id = (known after apply) + lang = "zh" + member_uid = "1413397765616***" + order = 1 + proto = "TCP" + release = true + source = "0.0.0.0/0" + source_group_cidrs = (known after apply) + source_group_type = (known after apply) + source_type = "net" + vpc_firewall_id = "vfw-c7536567ab694fb1a***" } Plan: 1 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes alicloud_cloud_firewall_vpc_firewall_control_policy.default: Creating... alicloud_cloud_firewall_vpc_firewall_control_policy.default: Creation complete after 0s [id=vfw-c7536567ab694fb1a59f:ca14e184-15dc-4a68-b0d8-fb71a15ff***] Apply complete! Resources: 1 added, 0 changed, 0 destroyed.驗證結果
執行terraform show命令
您可以使用以下命令查詢Terraform已建立的資來源詳細資料。
terraform show# alicloud_cloud_firewall_vpc_firewall_control_policy.default: resource "alicloud_cloud_firewall_vpc_firewall_control_policy" "default" { acl_action = "accept" acl_uuid = "ba164e52-acd2-4899-bf72-6816b13a****" application_id = "0" application_name = "ANY" description = "Created_by_Terraform" dest_port = "80/88" dest_port_group_ports = [] dest_port_type = "port" destination = "0.X.X.0/0" destination_group_cidrs = [] destination_type = "net" hit_times = 0 id = "vfw-d7b8ce273791475b****:ba164e52-acd2-4899-bf72-6816b13a****" lang = "zh" member_uid = "1415189284827****" order = 1 proto = "TCP" release = true source = "0.X.X.0/0" source_group_cidrs = [] source_type = "net" vpc_firewall_id = "vfw-d7b8ce273791475b****" }登入Cloud Firewall控制台
登入Cloud Firewall控制台,在存取控制>VPC邊界頁面,查看VPC邊界防火牆存取控制策略詳細資料。
清理資源
當您不再需要上述通過Terraform建立或管理的資源時,請運行以下命令以釋放資源。注意terraform destroy會一併刪除本範例建立的VPC、vSwitch、對等串連、VPC防火牆執行個體及其存取控制策略,請先檢視銷毀計畫再確認。關於terraform destroy的更多資訊,請參見常用命令。
terraform destroy完整樣本
當前範例程式碼支援一鍵運行,您可以直接運行代碼。