Alibaba Cloud


» alicloud_account

This data source provides information about the current account.

» Example Usage

data "alicloud_account" "current" {


}

output "current_account_id" {
value = "${data.alicloud_account.current.id}"
}

» Attributes Reference

The following attributes are exported:


• id - Account ID (e.g. "1239306421830812"). It can be used to construct
an ARN.

» alicloud_caller_identity
This data source provides the identity of the current user.
NOTE: Available in 1.65.0+.

» Example Usage

data "alicloud_caller_identity" "current" {


}

output "current_user_arn" {
value = "${data.alicloud_caller_identity.current.arn}"
}

» Attributes Reference

The following attributes are exported:


• id - Principal ID.
• arn - The Alibaba Cloud Resource Name (ARN) of the user making the
call.

• account_id - Account ID.
• identity_type - The type of the principal. RAMUser for users.

» alicloud_file_crc64_checksum
This data source computes the CRC64 checksum of a file.
NOTE: Available in 1.59.0+.

» Example Usage

data "alicloud_file_crc64_checksum" "default" {


filename = "exampleFileName"
}

output "file_crc64_checksum" {
value = "${data.alicloud_file_crc64_checksum.default.checksum}"
}

» Argument Reference

The following arguments are supported:


• filename - (Required) The name of the file whose CRC64 checksum is to be
computed.

» Attributes Reference

The following attributes are exported:


• id - file crc64 ID
• checksum - the file checksum of crc64.

» alicloud_regions
This data source provides Alibaba Cloud regions.

» Example Usage

data "alicloud_regions" "current_region_ds" {


current = true
}

output "current_region_id" {
value = "${data.alicloud_regions.current_region_ds.regions.0.id}"
}

» Argument Reference

The following arguments are supported:


• name - (Optional) The name of the region to select, such as eu-central-1.
• current - (Optional) Set to true to match only the region configured in
the provider.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
NOTE: You will get an error if you set current to true and name to a different
value from the one you configured in the provider. It is better to either use name
or current, but not both at the same time.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of region IDs.
• regions - A list of regions. Each element contains the following attributes:
– id - ID of the region.
– local_name - Name of the region in the local language.

» alicloud_zones
This data source provides availability zones that can be accessed by an Alibaba
Cloud account within the region configured in the provider.
NOTE: If one zone is sold out, it will not be exported.

» Example Usage

# Declare the data source

data "alicloud_zones" "zones_ds" {
available_instance_type = "ecs.n4.large"
available_disk_category = "cloud_ssd"
}

# Create an ECS instance with the first matched zone


resource "alicloud_instance" "instance" {
availability_zone = "${data.alicloud_zones.zones_ds.zones.0.id}"

# Other properties...
}

» Argument Reference

The following arguments are supported:


• available_instance_type - (Optional) Filter the results by a specific
instance type.
• available_resource_creation - (Optional) Filter the results by a specific
resource type. Valid values: Instance, Disk, VSwitch, Rds, KVStore,
FunctionCompute, Elasticsearch, Slb.
• available_disk_category - (Optional) Filter the results by a specific
disk category. Can be either cloud, cloud_efficiency, cloud_ssd, or
ephemeral_ssd.
• multi - (Optional, type: bool) Indicates whether the zones can be used in
a multi AZ configuration. Defaults to false. Multi AZ is usually used to
launch RDS instances.
• instance_charge_type - (Optional) Filter the results by a specific ECS
instance charge type. Valid values: PrePaid and PostPaid. Defaults to
PostPaid.
• network_type - (Optional) Filter the results by a specific network type.
Valid values: Classic and Vpc.
• spot_strategy - (Optional) Filter the results by a specific ECS spot
type. Valid values: NoSpot, SpotWithPriceLimit and SpotAsPriceGo.
Defaults to NoSpot.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• enable_details - (Optional, Available in 1.36.0+) Defaults to false, in
which case only id is output in the zones block. Set it to true to output
more details.
• available_slb_address_type - (Available in 1.45.0+) Filter the results
by an SLB instance address type. Can be either Vpc, classic_internet or
classic_intranet.
• available_slb_address_ip_version - (Available in 1.45.0+) Filter the
results by an SLB instance address version. Can be either ipv4 or ipv6.
NOTE: The disk category cloud is outdated and can only be
used by non-I/O Optimized ECS instances. Many availability zones don’t
support it. It is recommended to use cloud_efficiency or cloud_ssd.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of zone IDs.
• zones - A list of availability zones. Each element contains the following
attributes:
– id - ID of the zone.
– local_name - Name of the zone in the local language.
– available_instance_types - Allowed instance types.
– available_resource_creation - Type of resources that can be created.
– available_disk_categories - Set of supported disk categories.
– multi_zone_ids - A list of zone ids in which the multi zone.
– slb_slave_zone_ids - A list of slb slave zone ids in which the slb
master zone.

» alicloud_actiontrails
This data source provides a list of action trails of the current Alibaba Cloud user.

» Example Usage

data "alicloud_actiontrails" "trails" {


name_regex = "tf-testacc-actiontrail"
}

output "first_trail_name" {
value = "${data.alicloud_actiontrails.trails.actiontrails.0.name}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter results by action trail name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - A list of trail names.
• actiontrails - A list of actiontrails. Each element contains the following
attributes:
– name - The name of the trail.
– event_rw - Indicates whether the event is a read or a write event.
– oss_bucket_name - The name of the specified OSS bucket.
– oss_key_prefix - The prefix of the specified OSS bucket name.
– role_name - The role in ActionTrail.
– sls_project_arn - The unique ARN of the Log Service project.
– sls_write_role_arn - The unique ARN of the Log Service role.

» alicloud_actiontrail
Provides a new resource to manage Action Trail.
NOTE: Available in 1.35.0+

» Example Usage

# Create a new action trail.


resource "alicloud_actiontrail" "foo" {
name = "action-trail"
event_rw = "Write"
oss_bucket_name = "${alicloud_oss_bucket.bucket.id}"
role_name = "${alicloud_ram_role_policy_attachment.attach.role_name}"
oss_key_prefix = "at-product-account-audit-B"
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) The name of the trail to be created, which
must be unique for an account.
• event_rw - (Optional) Indicates whether the event is a read or a write
event. Valid values: Read, Write, and All. Default value: Write.
• oss_bucket_name - (Required) The OSS bucket to which the trail delivers
logs. Ensure that this is an existing OSS bucket.
• role_name - (Required) The RAM role in ActionTrail permitted by the
user.

• oss_key_prefix - (Optional) The prefix of the specified OSS bucket name.
This parameter can be left empty.
• sls_project_arn - (Optional) The unique ARN of the Log Service
project.
• sls_write_role_arn - (Optional) The unique ARN of the Log Service
role.
NOTE: sls_project_arn and sls_write_role_arn should be set or not set
at the same time when actiontrail delivers logs.

» Attributes Reference

The following attributes are exported:


• id - The action trail id. The value is the same as its name.

» Import

Action trail can be imported using the id, e.g.


$ terraform import alicloud_actiontrail.foo abc12345678

» alicloud_alikafka_consumer_groups
This data source provides a list of ALIKAFKA Consumer Groups in an Alibaba
Cloud account according to the specified filters.
NOTE: Available in 1.56.0+

» Example Usage

data "alicloud_alikafka_consumer_groups" "consumer_groups_ds" {


instance_id = "xxx"
consumer_id_regex = "CID-alikafkaGroupDatasourceName"
output_file = "consumerGroups.txt"
}

output "first_group_name" {
value = "${data.alicloud_alikafka_consumer_groups.consumer_groups_ds.consumer_ids.0}"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required) ID of the ALIKAFKA Instance that owns the
consumer groups.
• consumer_id_regex - (Optional) A regex string to filter results by the
consumer group id.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• consumer_ids - A list of consumer group ids.

» alicloud_alikafka_instances
This data source provides a list of ALIKAFKA Instances in an Alibaba Cloud
account according to the specified filters.
NOTE: Available in 1.59.0+

» Example Usage

variable "instance_name" {
default = "alikafkaInstanceName"
}

data "alicloud_zones" "default" {


available_resource_creation= "VSwitch"
}
resource "alicloud_vpc" "default" {
cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
}

resource "alicloud_alikafka_instance" "default" {

name = "${var.instance_name}"
topic_quota = "50"
disk_type = "1"
disk_size = "500"
deploy_type = "4"
io_max = "20"
vswitch_id = "${alicloud_vswitch.default.id}"
}

data "alicloud_alikafka_instances" "instances_ds" {


name_regex = "alikafkaInstanceName"
output_file = "instances.txt"
}

output "first_instance_name" {
value = "${data.alicloud_alikafka_instances.instances_ds.instances.0.name}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of instance IDs to filter results.
• name_regex - (Optional) A regex string to filter results by the instance
name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of instance IDs.
• names - A list of instance names.
• instances - A list of instances. Each element contains the following
attributes:
– id - ID of the instance.
– name - Name of the instance.
– create_time - The create time of the instance.
– service_status - The current status of the instance. -1: unknown
status, 0: wait deploy, 1: initializing, 2: preparing, 3: starting, 5: in
service, 7: wait upgrade, 8: upgrading, 10: released, 15: freeze, 101:
deploy error, 102: upgrade error.
– deploy_type - The deploy type of the instance. 0: sharing instance,
1: vpc instance, 2: vpc instance (support ip mapping), 3: eip instance,
4: eip/vpc instance, 5: vpc instance.
– vpc_id - The ID of the VPC attached to the instance.
– vswitch_id - The ID of the vswitch attached to the instance.
– io_max - The peak value of io of the instance.
– eip_max - The peak bandwidth of the instance.
– disk_type - The disk type of the instance. 0: efficient cloud disk,
1: SSD.
– disk_size - The disk size of the instance.
– topic_quota - The maximum number of topics that can be created on the
instance.
– zone_id - The ID of the zone attached to the instance.
– paid_type - The paid type of the instance.
– spec_type - The spec type of the instance.

» alicloud_alikafka_sasl_acls
This data source provides a list of ALIKAFKA Sasl acls in an Alibaba Cloud
account according to the specified filters.
NOTE: Available in 1.66.0+

» Example Usage

data "alicloud_alikafka_sasl_acls" "sasl_acls_ds" {


instance_id = "xxx"
username = "username"
acl_resource_type = "Topic"
acl_resource_name = "testTopic"
output_file = "saslAcls.txt"
}

output "first_sasl_acl_username" {
value = "${data.alicloud_alikafka_sasl_acls.sasl_acls_ds.acls.0.username}"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required) ID of the ALIKAFKA Instance that owns the
sasl acls.
• username - (Required) Get results for the specified username.

• acl_resource_type - (Required) Get results for the specified resource
type.
• acl_resource_name - (Required) Get results for the specified resource
name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• acls - A list of sasl acls. Each element contains the following attributes:
– username - The username of the sasl acl.
– acl_resource_type - The resource type of the sasl acl.
– acl_resource_name - The resource name of the sasl acl.
– acl_resource_pattern_type - The resource pattern type of the sasl
acl.
– host - The host of the sasl acl.
– acl_operation_type - The operation type of the sasl acl.

» alicloud_alikafka_sasl_users
This data source provides a list of ALIKAFKA Sasl users in an Alibaba Cloud
account according to the specified filters.
NOTE: Available in 1.66.0+

» Example Usage

data "alicloud_alikafka_sasl_users" "sasl_users_ds" {


instance_id = "xxx"
name_regex = "username"
output_file = "saslUsers.txt"
}

output "first_sasl_username" {
value = "${data.alicloud_alikafka_sasl_users.sasl_users_ds.users.0.username}"
}

» Argument Reference

The following arguments are supported:

• instance_id - (Required) ID of the ALIKAFKA Instance that owns the
sasl users.
• name_regex - (Optional) A regex string to filter results by the username.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - A list of sasl usernames.
• users - A list of sasl users. Each element contains the following attributes:
– username - The username of the user.
– password - The password of the user.

» alicloud_alikafka_topics
This data source provides a list of ALIKAFKA Topics in an Alibaba Cloud
account according to the specified filters.
NOTE: Available in 1.56.0+

» Example Usage

data "alicloud_alikafka_topics" "topics_ds" {


instance_id = "xxx"
name_regex = "alikafkaTopicName"
output_file = "topics.txt"
}

output "first_topic_name" {
value = "${data.alicloud_alikafka_topics.topics_ds.topics.0.topic}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter results by the topic name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - A list of topic names.
• topics - A list of topics. Each element contains the following attributes:
– topic - The name of the topic.
– create_time - Time of creation.
– local_topic - whether the current topic is kafka local topic or not.
– compact_topic - whether the current topic is kafka compact topic
or not.
– partition_num - Partition number of the topic.
– remark - Remark of the topic.
– status - The current status code of the topic. There are three values
to describe the topic status: 0 stands for the topic is in service, 1
stands for freezing and 2 stands for pause.

» alicloud_alikafka_consumer_group
Provides an ALIKAFKA consumer group resource.
NOTE: Available in 1.56.0+
NOTE: Only the following regions support creating an alikafka consumer group.
[cn-hangzhou,cn-beijing,cn-shenzhen,cn-shanghai,cn-qingdao,cn-hongkong,cn-huhehaote,cn-zhangjiak

» Example Usage

Basic Usage
variable "consumer_id" {
default = "CID-alikafkaGroupDatasourceName"
}

data "alicloud_zones" "default" {


available_resource_creation= "VSwitch"
}
resource "alicloud_vpc" "default" {
cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"

}

resource "alicloud_alikafka_instance" "default" {


name = "tf-testacc-alikafkainstance"
topic_quota = "50"
disk_type = "1"
disk_size = "500"
deploy_type = "5"
io_max = "20"
vswitch_id = "${alicloud_vswitch.default.id}"
}

resource "alicloud_alikafka_consumer_group" "default" {


consumer_id = "${var.consumer_id}"
instance_id = "${alicloud_alikafka_instance.default.id}"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) ID of the ALIKAFKA Instance that
owns the groups.
• consumer_id - (Required, ForceNew) ID of the consumer group. The
length cannot exceed 64 characters.
• tags - (Optional, Available in v1.63.0+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported:


• id - The key of the resource supplied above. The value is formulated as
<instance_id>:<consumer_id>.

» Import

ALIKAFKA GROUP can be imported using the id, e.g.


$ terraform import alicloud_alikafka_consumer_group.group alikafka_post-cn-123455abc:consume

» alicloud_alikafka_instance
Provides an ALIKAFKA instance resource.
NOTE: Available in 1.59.0+
NOTE: The ALIKAFKA instance resource only supports creating post pay instances.
Creation or modification may take about 10-40 minutes.
NOTE: Only the following regions support creating an alikafka pre paid instance.
[cn-hangzhou,cn-beijing,cn-shenzhen,cn-shanghai,cn-qingdao,cn-hongkong,cn-huhehaote,cn-zhangjiak
NOTE: Only the following regions support creating an alikafka post paid instance.
[cn-hangzhou,cn-beijing,cn-shenzhen,cn-shanghai,cn-qingdao,cn-hongkong,cn-huhehaote,cn-zhangjiak

» Example Usage

Basic Usage
variable "instance_name" {
default = "alikafkaInstanceName"
}

data "alicloud_zones" "default" {


available_resource_creation= "VSwitch"
}
resource "alicloud_vpc" "default" {
cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
}

resource "alicloud_alikafka_instance" "default" {


name = "${var.instance_name}"
topic_quota = "50"
disk_type = "1"
disk_size = "500"
deploy_type = "4"
io_max = "20"
vswitch_id = "${alicloud_vswitch.default.id}"
}

» Argument Reference

The following arguments are supported:


• name - (Optional) Name of your Kafka instance. The length should be
between 3 and 64 characters. If not set, the instance id is used as the
instance name.
• topic_quota - (Required) The maximum number of topics that can be created
on the instance. When modifying this value, it can only be adjusted to a
greater value.
• disk_type - (Required, ForceNew) The disk type of the instance. 0: efficient
cloud disk, 1: SSD.
• disk_size - (Required) The disk size of the instance. When modifying this
value, it can only be adjusted to a greater value.
• deploy_type - (Required, ForceNew) The deploy type of the instance.
Currently only two deploy types are supported, 4: eip/vpc instance, 5: vpc
instance.
• io_max - (Required) The max value of io of the instance. When modifying
this value, it can only be adjusted to a greater value.
• eip_max - (Optional) The max bandwidth of the instance. When modifying
this value, it can only be adjusted to a greater value.
• paid_type - (Optional) The paid type of the instance. Two types are
supported, "PrePaid": pre paid type instance, "PostPaid": post paid type
instance. Default is PostPaid. When modifying this value, it can only be
adjusted from post pay to pre pay.
• spec_type - (Optional) The spec type of the instance. Two types are
supported, "normal": normal version instance, "professional": professional
version instance. Default is normal. When modifying this value, it can only
be adjusted from normal to professional. Note that only pre paid type
instances support the professional spec type.
• vswitch_id - (Required, ForceNew) The ID of the vswitch to attach to the
instance.
• tags - (Optional, Available in v1.63.0+) A mapping of tags to assign to
the resource.
NOTE: Arguments io_max, disk_size, topic_quota, eip_max should follow
the following constraints.

io_max   disk_size(min-max:lag)   topic_quota(min-max:lag)   eip_max(min-max:lag)
20       500-6100:100             50-450:1                   1-160:1
30       800-6100:100             50-450:1                   1-240:1
60       1400-6100:100            80-450:1                   1-500:1
90       2100-6100:100            100-450:1                  1-500:1
120      2700-6100:100            150-450:1                  1-500:1
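The constraints above can be checked before an apply that may take 10-40 minutes. The following Python code is an added example, not part of the provider: it encodes the table together with the "greater value only" and ForceNew rules from the argument list. It assumes the table's "lag" is the increment counted from the minimum and that arguments are passed as integers; the function names are hypothetical.

```python
# Added example, not provider code. Each entry is (min, max, step) for one io_max tier,
# transcribed from the constraint table.
# Assumption: "lag" in the table header is the increment (step) counted from the minimum.
LIMITS = {
    20:  {"disk_size": (500, 6100, 100),  "topic_quota": (50, 450, 1),  "eip_max": (1, 160, 1)},
    30:  {"disk_size": (800, 6100, 100),  "topic_quota": (50, 450, 1),  "eip_max": (1, 240, 1)},
    60:  {"disk_size": (1400, 6100, 100), "topic_quota": (80, 450, 1),  "eip_max": (1, 500, 1)},
    90:  {"disk_size": (2100, 6100, 100), "topic_quota": (100, 450, 1), "eip_max": (1, 500, 1)},
    120: {"disk_size": (2700, 6100, 100), "topic_quota": (150, 450, 1), "eip_max": (1, 500, 1)},
}

# Arguments documented as "can only be adjusted to a greater value".
GROW_ONLY = ("topic_quota", "disk_size", "io_max", "eip_max")
# Arguments documented as ForceNew: a change replaces the instance instead of updating it.
FORCE_NEW = ("disk_type", "deploy_type", "vswitch_id")


def check_create(args):
    """Return the list of constraint violations for a new instance (empty list means OK).

    `args` maps argument names to integers (the page's examples quote them as strings).
    """
    tier = LIMITS.get(args.get("io_max"))
    if tier is None:
        return [f"io_max={args.get('io_max')!r} is not a tier in the table {sorted(LIMITS)}"]
    errors = []
    for name, (lo, hi, step) in tier.items():
        value = args.get(name)
        if value is None:
            if name != "eip_max":  # eip_max is Optional, the other two are Required
                errors.append(f"{name} is required")
            continue
        if not lo <= value <= hi:
            errors.append(f"{name}={value} outside {lo}-{hi} for io_max={args['io_max']}")
        elif (value - lo) % step:
            errors.append(f"{name}={value} is not {lo} plus a multiple of {step}")
    return errors


def check_update(old, new):
    """Validate `new` and compare it with the currently applied `old` arguments."""
    errors = check_create(new)
    for name in GROW_ONLY:
        if name in old and name in new and new[name] < old[name]:
            errors.append(f"{name} can only be increased ({old[name]} -> {new[name]})")
    for name in FORCE_NEW:
        if name in old and name in new and new[name] != old[name]:
            errors.append(f"{name} is ForceNew: changing it replaces the instance")
    return errors
```
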

» Removing alicloud_alikafka_instance from your configuration

The alicloud_alikafka_instance resource allows you to manage your alikafka
instance, but Terraform cannot destroy it if your instance type is pre paid (post
paid type can be destroyed normally). Removing this resource from your
configuration will remove it from your statefile and management, but will not
destroy the instance. You can resume managing the instance via the alikafka Console.

» Attributes Reference

The following attributes are exported:


• id - The key of the resource supplied above, also called the instance id.
• vpc_id - The ID of the VPC attached to the instance.
• zone_id - The Zone to launch the kafka instance.

» Import

ALIKAFKA TOPIC can be imported using the id, e.g.


$ terraform import alicloud_alikafka_instance.instance alikafka_post-cn-123455abc

» alicloud_alikafka_sasl_acl
Provides an ALIKAFKA sasl acl resource.
NOTE: Available in 1.66.0+
NOTE: Only the following regions support creating an alikafka sasl user.
[cn-hangzhou,cn-beijing,cn-shenzhen,cn-shanghai,cn-qingdao,cn-hongkong,cn-huhehaote,cn-zhangjiak

» Example Usage

Basic Usage
variable "username" {
default = "testusername"
}

variable "password" {
default = "testpassword"
}

data "alicloud_zones" "default" {

available_resource_creation= "VSwitch"
}
resource "alicloud_vpc" "default" {
cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
}

resource "alicloud_alikafka_instance" "default" {


name = "tf-testacc-alikafkainstance"
topic_quota = "50"
disk_type = "1"
disk_size = "500"
deploy_type = "5"
io_max = "20"
vswitch_id = "${alicloud_vswitch.default.id}"
}

resource "alicloud_alikafka_topic" "default" {


instance_id = "${alicloud_alikafka_instance.default.id}"
topic = "test-topic"
remark = "topic-remark"
}

resource "alicloud_alikafka_sasl_user" "default" {


instance_id = "${alicloud_alikafka_instance.default.id}"
username = "${var.username}"
password = "${var.password}"
}

resource "alicloud_alikafka_sasl_acl" "default" {


instance_id = "${alicloud_alikafka_instance.default.id}"
username = "${alicloud_alikafka_sasl_user.default.username}"
acl_resource_type = "Topic"
acl_resource_name = "${alicloud_alikafka_topic.default.topic}"
acl_resource_pattern_type = "LITERAL"
acl_operation_type = "Write"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) ID of the ALIKAFKA Instance that
owns the groups.
• username - (Required, ForceNew) Username for the sasl user. The length
should be between 1 and 64 characters. The user should be an existing sasl
user.
• acl_resource_type - (Required, ForceNew) Resource type for this acl.
The resource type can only be "Topic" or "Group".
• acl_resource_name - (Required, ForceNew) Resource name for this acl.
The resource name should be a topic or consumer group name.
• acl_resource_pattern_type - (Required, ForceNew) Resource pattern
type for this acl. Two resource pattern types are supported: "LITERAL"
and "PREFIXED". "LITERAL": A literal name defines the full name of
a resource. The special wildcard character "*" can be used to represent a
resource with any name. "PREFIXED": A prefixed name defines a prefix
for a resource.
• acl_operation_type - (Required, ForceNew) Operation type for this acl.
The operation type can only be "Write" or "Read".
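How far one ACL entry reaches depends on its pattern type: a LITERAL "*" covers any name, and a PREFIXED entry covers every name that starts with the prefix. The following Python code is an added example, not part of the provider: it applies those two rules to entries shaped like the elements exported by the alicloud_alikafka_sasl_acls data source and reports entries that reach more than one resource. The SaslAcl class, the function names, the max_prefixed threshold and the sample data are constructed for illustration.

```python
from dataclasses import dataclass


# Added example, not provider code. Field names mirror the attributes documented
# for each element of the `acls` list.
@dataclass(frozen=True)
class SaslAcl:
    username: str
    acl_resource_type: str          # "Topic" or "Group"
    acl_resource_name: str
    acl_resource_pattern_type: str  # "LITERAL" or "PREFIXED"
    acl_operation_type: str         # "Write" or "Read"


def acl_matches(acl, resource_type, resource_name):
    """Return True if `acl` covers the named resource under the documented pattern rules."""
    if acl.acl_resource_type != resource_type:
        return False
    if acl.acl_resource_pattern_type == "LITERAL":
        # A literal name is the full resource name; "*" represents any name.
        return acl.acl_resource_name in ("*", resource_name)
    if acl.acl_resource_pattern_type == "PREFIXED":
        return resource_name.startswith(acl.acl_resource_name)
    raise ValueError(f"unknown pattern type: {acl.acl_resource_pattern_type!r}")


def covered(acl, inventory):
    """Names in inventory[acl_resource_type] that this ACL entry reaches, sorted."""
    names = inventory.get(acl.acl_resource_type, [])
    return sorted(n for n in names if acl_matches(acl, acl.acl_resource_type, n))


def audit(acls, inventory, max_prefixed=1):
    """Return (acl, reason) pairs for entries broader than a single resource.

    max_prefixed is a hypothetical policy threshold: the number of existing
    resources a PREFIXED entry may reach before it is reported.
    """
    findings = []
    for acl in acls:
        if acl.acl_resource_pattern_type == "LITERAL" and acl.acl_resource_name == "*":
            findings.append((acl, f"LITERAL * grants {acl.acl_operation_type} "
                                  f"on every {acl.acl_resource_type}"))
        elif acl.acl_resource_pattern_type == "PREFIXED":
            hit = covered(acl, inventory)
            if len(hit) > max_prefixed:
                findings.append((acl, f"PREFIXED {acl.acl_resource_name!r} grants "
                                      f"{acl.acl_operation_type} on {', '.join(hit)}"))
    return findings


def effective_access(acls, username, inventory):
    """Map (resource_type, name) to the set of operations `username` holds on it."""
    access = {}
    for acl in acls:
        if acl.username != username:
            continue
        for name in covered(acl, inventory):
            access.setdefault((acl.acl_resource_type, name), set()).add(acl.acl_operation_type)
    return access


# Constructed sample data: topic and consumer group names that exist on one instance,
# and four ACL entries as they might be read back from the data source.
INVENTORY = {
    "Topic": ["audit-log", "orders", "payments", "payroll"],
    "Group": ["CID-etl-1"],
}
ACLS = [
    SaslAcl("producer", "Topic", "orders", "LITERAL", "Write"),
    SaslAcl("analytics", "Topic", "*", "LITERAL", "Read"),
    SaslAcl("etl", "Topic", "pay", "PREFIXED", "Write"),
    SaslAcl("etl", "Group", "CID-etl", "PREFIXED", "Read"),
]

if __name__ == "__main__":
    for acl, reason in audit(ACLS, INVENTORY):
        print(f"{acl.username}: {reason}")
```

A wildcard or prefix entry also covers resources created later, so the inventory passed in should be refreshed whenever topics or consumer groups are added.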

» Attributes Reference

The following attributes are exported:


• id - The key of the resource supplied above. The value is formulated as
<instance_id>:<username>:<acl_resource_type>:<acl_resource_name>:<acl_resource_pattern_
• host - The host of the acl.

» Import

ALIKAFKA GROUP can be imported using the id, e.g.


$ terraform import alicloud_alikafka_sasl_acl.acl alikafka_post-cn-123455abc:username:Topic:

» alicloud_alikafka_sasl_user
Provides an ALIKAFKA sasl user resource.
NOTE: Available in 1.66.0+
NOTE: Only the following regions support creating an alikafka sasl user.
[cn-hangzhou,cn-beijing,cn-shenzhen,cn-shanghai,cn-qingdao,cn-hongkong,cn-huhehaote,cn-zhangjiak

» Example Usage

Basic Usage
variable "username" {
default = "testusername"
}

variable "password" {
default = "testpassword"
}

data "alicloud_zones" "default" {


available_resource_creation= "VSwitch"
}
resource "alicloud_vpc" "default" {
cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
}

resource "alicloud_alikafka_instance" "default" {


name = "tf-testacc-alikafkainstance"
topic_quota = "50"
disk_type = "1"
disk_size = "500"
deploy_type = "5"
io_max = "20"
vswitch_id = "${alicloud_vswitch.default.id}"
}

resource "alicloud_alikafka_sasl_user" "default" {


instance_id = "${alicloud_alikafka_instance.default.id}"
username = "${var.username}"
password = "${var.password}"
}

» Argument Reference

The following arguments are supported:

• instance_id - (Required, ForceNew) ID of the ALIKAFKA Instance that
owns the groups.
• username - (Required, ForceNew) Username for the sasl user. The length
should be between 1 and 64 characters. The characters can only contain 'a'-'z',
'A'-'Z', '0'-'9', '_' and '-'.
• password - (Optional, Sensitive) Operation password. It may consist of
letters, digits, or underlines, with a length of 1 to 64 characters. You have
to specify one of password and kms_encrypted_password fields.
• kms_encrypted_password - (Optional) A KMS-encrypted password
used for a db account. You have to specify one of password and
kms_encrypted_password fields.
• kms_encryption_context - (Optional, MapString) A KMS encryption
context used to decrypt kms_encrypted_password before creating or
updating a user with kms_encrypted_password. See Encryption Context.
It is valid when kms_encrypted_password is set.

» Attributes Reference

The following attributes are exported:


• id - The key of the resource supplied above. The value is formulated as
<instance_id>:<username>.

» Import

ALIKAFKA GROUP can be imported using the id, e.g.


$ terraform import alicloud_alikafka_sasl_user.user alikafka_post-cn-123455abc:username

» alicloud_alikafka_topic
Provides an ALIKAFKA topic resource.
NOTE: Available in 1.56.0+
NOTE: Only the following regions support creating an alikafka topic. [cn-hangzhou,cn-beijing,cn-shenzhen,cn-s

» Example Usage

Basic Usage
data "alicloud_zones" "default" {
available_resource_creation= "VSwitch"
}

resource "alicloud_vpc" "default" {
cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
}

resource "alicloud_alikafka_instance" "default" {


name = "tf-testacc-alikafkainstance"
topic_quota = "50"
disk_type = "1"
disk_size = "500"
deploy_type = "5"
io_max = "20"
vswitch_id = "${alicloud_vswitch.default.id}"
}

variable "topic" {
default = "alikafkaTopicName"
}

resource "alicloud_alikafka_topic" "default" {


instance_id = "${alicloud_alikafka_instance.default.id}"
topic = "${var.topic}"
local_topic = "false"
compact_topic = "false"
partition_num = "12"
remark = "dafault_kafka_topic_remark"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) InstanceId of your Kafka resource,
the topic will be created in this instance.
• topic - (Required, ForceNew) Name of the topic. Two topics on a single
instance cannot have the same name. The length cannot exceed 64
characters.
• local_topic - (Optional, ForceNew) Whether the topic is localTopic or
not.
• compact_topic - (Optional, ForceNew) Whether the topic is compactTopic
or not. Compact topic must be a localTopic.
• partition_num - (Optional) The number of partitions of the topic. The
number should be between 1 and 48.
• remark - (Required) This attribute is a concise description of topic. The
length cannot exceed 64.
• tags - (Optional, Available in v1.63.0+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported:


• id - The key of the resource supplied above. The value is formulated as
<instance_id>:<topic>.

» Import

ALIKAFKA TOPIC can be imported using the id, e.g.


$ terraform import alicloud_alikafka_topic.topic alikafka_post-cn-123455abc:topicName

» alicloud_adb_clusters
The alicloud_adb_clusters data source provides a collection of ADB clusters
available in Alibaba Cloud account. Filters support regular expression for the
cluster description, searches by tags, and other filters which are listed below.
NOTE: Available in v1.71.0+.

» Example Usage

data "alicloud_adb_clusters" "adb_clusters_ds" {


description_regex = "am-\\w+"
status = "Running"
}

output "first_adb_cluster_id" {
value = "${data.alicloud_adb_clusters.adb_clusters_ds.clusters.0.id}"
}

» Argument Reference

The following arguments are supported:


• description_regex - (Optional) A regex string to filter results by cluster
description.
• ids - (Optional) A list of ADB cluster IDs.
• status - (Optional) status of the cluster.
• tags - (Optional, Available in v1.68.0+) A mapping of tags to assign to
the resource.
– Key: It can be up to 64 characters in length. It cannot begin with
"aliyun", "acs:", "http://", or "https://". It cannot be a null string.
– Value: It can be up to 128 characters in length. It cannot begin with
"aliyun", "acs:", "http://", or "https://". It can be a null string.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of ADB cluster IDs.
• descriptions - A list of ADB cluster descriptions.
• clusters - A list of ADB clusters. Each element contains the following
attributes:
– id - The ID of the ADB cluster.
– description - The description of the ADB cluster.
– charge_type - Billing method. Value options: PostPaid for
Pay-As-You-Go and PrePaid for subscription.
– network_type - The DBClusterNetworkType of the ADB cluster.
– region_id - Region ID the cluster belongs to.
– zone_id - The ZoneId of the ADB cluster.
– expire_time - Expiration time. Pay-As-You-Go clusters never expire.
– expired - The expired of the ADB cluster.
– status - Status of the cluster.
– lock_mode - The LockMode of the ADB cluster.
– create_time - The CreateTime of the ADB cluster.
– vpc_id - ID of the VPC the cluster belongs to.
– db_node_count - The DBNodeCount of the ADB cluster.
– db_node_class - The DBNodeClass of the ADB cluster.
– db_node_storage - The DBNodeStorage of the ADB cluster.

» alicloud_adb_zones
This data source provides availability zones for ADB that can be accessed by
an Alibaba Cloud account within the region configured in the provider.
NOTE: Available in v1.73.0+.

» Example Usage

# Declare the data source


data "alicloud_adb_zones" "zones_ids" {}

» Argument Reference

The following arguments are supported:


• multi - (Optional) Indicate whether the zones can be used in a multi AZ
configuration. Default to false. Multi AZ is usually used to launch ADB
instances.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of zone IDs.
• zones - A list of availability zones. Each element contains the following
attributes:
– id - ID of the zone.
– multi_zone_ids - A list of zone ids in which the multi zone.

» alicloud_adb_account
Provides an ADB account resource, used to manage databases.
NOTE: Available in v1.71.0+.

» Example Usage

variable "creation" {
  default = "ADB"
}

variable "name" {
  default = "adbaccountmysql"
}

data "alicloud_zones" "default" {
  available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_adb_cluster" "cluster" {
  db_cluster_version  = "3.0"
  db_cluster_category = "Cluster"
  db_node_class       = "C8"
  db_node_count       = 2
  db_node_storage     = 200
  pay_type            = "PostPaid"
  vswitch_id          = "${alicloud_vswitch.default.id}"
  description         = "${var.name}"
}

# The account is created inside the ADB cluster declared above.
resource "alicloud_adb_account" "account" {
  db_cluster_id       = "${alicloud_adb_cluster.cluster.id}"
  account_name        = "tftestnormal"
  account_password    = "Test12345"
  account_description = "${var.name}"
}

» Argument Reference

The following arguments are supported:


• db_cluster_id - (Required, ForceNew) The ID of the cluster to which the
account belongs.
• account_name - (Required, ForceNew) Operation account requiring a
uniqueness check. It may consist of lower case letters, numbers, and
underlines, and must start with a letter and have no more than 16
characters.
• account_password - (Optional) Operation password. It may consist of
letters, digits, or underlines, with a length of 6 to 32 characters.
• kms_encrypted_password - (Optional) A KMS-encrypted password for the
db account. If account_password is filled in, this field will be
ignored.
• kms_encryption_context - (Optional) A KMS encryption context used
to decrypt kms_encrypted_password before creating or updating a db
account with kms_encrypted_password. See Encryption Context. It is
valid when kms_encrypted_password is set.
• account_description - (Optional) Account description. It cannot begin
with https://. It must start with a Chinese character or English letter. It
can include Chinese and English characters, underlines (_), hyphens (-),
and numbers. The length may be 2-256 characters.

» Attributes Reference

The following attributes are exported:


• id - The current account resource ID. Composed of instance ID and
account name with format <instance_id>:<name>.

» Import

ADB account can be imported using the id, e.g.


$ terraform import alicloud_adb_account.example "am-12345:tf_account"

» alicloud_adb_backup_policy
Provides an ADB cluster backup policy resource, used to configure the cluster
backup policy.
NOTE: Available in v1.71.0+. Each DB cluster has a backup policy, and it is
reset to default values when the resource is destroyed.

» Example Usage

variable "name" {
  default = "adbClusterconfig"
}

variable "creation" {
  default = "ADB"
}

data "alicloud_zones" "default" {
  available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_adb_cluster" "default" {
  db_cluster_version  = "3.0"
  db_cluster_category = "Cluster"
  db_node_class       = "C8"
  db_node_count       = 2
  db_node_storage     = 200
  pay_type            = "PostPaid"
  description         = "${var.name}"
  # Use the vswitch declared above so the example is self-consistent.
  vswitch_id          = "${alicloud_vswitch.default.id}"
}

resource "alicloud_adb_backup_policy" "policy" {
  db_cluster_id           = "${alicloud_adb_cluster.default.id}"
  preferred_backup_period = "Tuesday,Wednesday"
  preferred_backup_time   = "10:00Z-11:00Z"
}

» Removing alicloud_adb_backup_policy from your configuration

The alicloud_adb_backup_policy resource allows you to manage your adb cluster
policy, but Terraform cannot destroy it. Removing this resource from your
configuration will remove it from your statefile and management, but will not
destroy the cluster policy. You can resume managing the cluster via the adb
Console.

» Argument Reference

The following arguments are supported:


• db_cluster_id - (Required, ForceNew) The Id of cluster that can run
database.
• preferred_backup_period - (Optional) ADB Cluster backup period.
Valid values: [Monday, Tuesday, Wednesday, Thursday, Friday, Saturday,
Sunday]. Default to [”Tuesday”, ”Thursday”, ”Saturday”].
• preferred_backup_time - (Optional) ADB Cluster backup time, in the
format of HH:mmZ-HH:mmZ. Time setting interval is one hour. Default
to ”02:00Z-03:00Z”. China time is 8 hours behind it.

» Attributes Reference

The following attributes are exported:


• id - The current backup policy resource ID. It is same as ’db_cluster_id’.
• backup_retention_period - Cluster backup retention in days. Fixed at 7
days and cannot be modified.

» Import

ADB backup policy can be imported using the id or cluster id, e.g.
$ terraform import alicloud_adb_backup_policy.example "am-12345678"

» alicloud_adb_cluster
Provides an ADB cluster resource. An ADB cluster is an isolated database
environment in the cloud. An ADB cluster can contain multiple user-created
databases.
NOTE: Available in v1.71.0+.

» Example Usage

» Create an ADB MySQL cluster

variable "name" {
  default = "adbClusterconfig"
}

variable "creation" {
  default = "ADB"
}

data "alicloud_zones" "default" {
  available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_adb_cluster" "default" {
  db_cluster_version  = "3.0"
  db_cluster_category = "Cluster"
  db_node_class       = "C8"
  db_node_count       = 2
  db_node_storage     = 200
  pay_type            = "PostPaid"
  description         = "${var.name}"
  vswitch_id          = "${alicloud_vswitch.default.id}"
}

» Argument Reference

The following arguments are supported:


• db_cluster_version - (Optional, ForceNew) Cluster version. Value
options: 3.0. Default to 3.0.
• db_cluster_category - (Optional, ForceNew) Cluster category. Value
options: Basic, Cluster.
• db_node_class - (Required, ForceNew) The db_node_class of cluster
node.
• db_node_count - (Required, ForceNew) The db_node_count of cluster
node.
• db_node_storage - (Required, ForceNew) The db_node_storage of cluster
node.
• zone_id - (Optional) The Zone to launch the DB cluster.
• pay_type - (Optional, ForceNew) Valid values are PrePaid, PostPaid.
Default to PostPaid. Currently, the resource does not support changing
the pay type.
• renewal_status - (Optional) Valid values are AutoRenewal, Normal,
NotRenewal. Default to NotRenewal.
• auto_renew_period - (Optional) Auto-renewal period of a cluster, in
months. It is valid when pay_type is PrePaid. Valid values: 1,
2, 3, 6, 12, 24, 36. Default to 1.
• period - (Optional) The duration that you will buy DB cluster (in month).
It is valid when pay_type is PrePaid. Valid values: [1~9], 12, 24, 36.
Default to 1.
• security_ips - (Optional) List of IP addresses allowed to access all
databases of a cluster. The list contains up to 1,000 IP addresses,
separated by commas. Supported formats include 0.0.0.0/0, 10.23.12.24 (IP),
and 10.23.12.24/24 (Classless Inter-Domain Routing (CIDR) mode. /24
represents the length of the prefix in an IP address. The range of the
prefix length is [1,32]).
• vswitch_id - (Optional, ForceNew) The virtual switch ID to launch DB
instances in one VPC.
• maintain_time - (Optional) Maintainable time period format of the
instance: HH:MMZ-HH:MMZ (UTC time).
• description - (Optional) The description of cluster.
• tags - (Optional) A mapping of tags to assign to the resource.
– Key: It can be up to 64 characters in length. It cannot begin with
”aliyun”, ”acs:”, ”http://”, or ”https://”. It cannot be a null string.
– Value: It can be up to 128 characters in length. It cannot begin with
”aliyun”, ”acs:”, ”http://”, or ”https://”. It can be a null string.
NOTE: Because of data backup and migration, changing the DB cluster type and
storage takes 15~30 minutes. Please make full preparation before changing
them.

» Removing alicloud_adb_cluster from your configuration

The alicloud_adb_cluster resource allows you to manage your adb cluster, but
Terraform cannot destroy it if your cluster type is pre paid (post paid
clusters can be destroyed normally). Removing this resource from your
configuration will remove it from your statefile and management, but will not
destroy the cluster. You can resume managing the cluster via the adb Console.

» Attributes Reference

The following attributes are exported:


• id - The ADB cluster ID.

» Timeouts

The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 50 mins) Used when creating the adb cluster (until
it reaches the initial Running status).
• update - (Defaults to 20 mins) Used when updating the adb cluster (until
it reaches the initial Running status).
• delete - (Defaults to 10 mins) Used when terminating the adb cluster.

» Import

ADB cluster can be imported using the id, e.g.


$ terraform import alicloud_adb_cluster.example am-abc12345678

» alicloud_gpdb_instances
The alicloud_gpdb_instances data source provides a collection of AnalyticDB
for PostgreSQL instances available in Alicloud account. Filters support regular
expression for the instance name or availability_zone.
NOTE: Available in 1.47.0+

» Example Usage

data "alicloud_gpdb_instances" "gpdb" {
  availability_zone = "cn-beijing-c"
  name_regex        = "gp-.+\\d+"
  output_file       = "instances.txt"
}

output "instance_id" {
  value = "${data.alicloud_gpdb_instances.gpdb.instances.0.id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of instance IDs.
• name_regex - (Optional) A regex string to apply to the instance name.
• availability_zone - (Optional) Instance availability zone.

• vswitch_id - (Optional) Used to retrieve instances belonging to the
specified vswitch resources.
• tags - (Optional, Available in v1.55.3+) A mapping of tags to assign to
the resource.
• output_file - (Optional) The name of file that can save the collection of
instances after running terraform plan.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - The list of AnalyticDB for PostgreSQL instance IDs.
• names - The list of AnalyticDB for PostgreSQL instance names.
• instances - A list of AnalyticDB for PostgreSQL instances. Each
element contains the following attributes:
– id - The instance id.
– description - The description of an instance.
– charge_type - Billing method. Value options are PostPaid for Pay-
As-You-Go and PrePaid for yearly or monthly subscription.
– region_id - Region ID the instance belongs to.
– availability_zone - Instance availability zone.
– creation_time - The time when you create an instance. The format
is YYYY-MM-DDThh:mm:ssZ, such as 2011-05-30T12:11:4Z.
– status - Status of the instance.
– engine - Database engine type. Supported option is gpdb.
– engine_version - Database engine version.
– network_type - Classic network or VPC.
– instance_class - The group type.
– instance_group_count - The number of groups.

» alicloud_gpdb_connection
Provides a connection resource to allocate an Internet connection string for
an instance.
NOTE: Available in 1.48.0+
NOTE: Each instance automatically allocates an intranet connection string
whose prefix is the instance ID. To avoid unnecessary conflict, please specify
an Internet connection prefix before applying the resource.

» Example Usage

variable "creation" {
  default = "Gpdb"
}

variable "name" {
  default = "gpdbConnectionBasic"
}

data "alicloud_zones" "default" {
  available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_gpdb_instance" "default" {
  vswitch_id           = "${alicloud_vswitch.default.id}"
  engine               = "gpdb"
  engine_version       = "4.3"
  instance_class       = "gpdb.group.segsdx2"
  instance_group_count = "2"
  description          = "${var.name}"
}

resource "alicloud_gpdb_connection" "default" {
  instance_id       = "${alicloud_gpdb_instance.default.id}"
  connection_prefix = "testAbc"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The Id of instance that can run
database.
• connection_prefix - (ForceNew) Prefix of an Internet connection string.
It must be checked for uniqueness. It may consist of lowercase letters,
numbers, and underlines, and must start with a letter and have no more
than 30 characters. Default to + ’-tf’.
• port - (Optional) Internet connection port. Valid value: [3200-3999].
Default to 3306.

» Timeouts

NOTE: Available in 1.53.0+.


The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 10 mins) Used when creating the Internet connection
(until DB instance reaches the initial Running status).
• update - (Defaults to 10 mins) Used when activating the DB instance
during update.
• delete - (Defaults to 10 mins) Used when terminating the DB instance.

» Attributes Reference

The following attributes are exported:


• id - The current instance connection resource ID. Composed of instance ID
and connection string with format <instance_id>:<connection_prefix>.
• connection_string - Connection instance string.
• ip_address - The ip address of connection string.

» Import

AnalyticDB for PostgreSQL’s connection can be imported using the id, e.g.
$ terraform import alicloud_gpdb_connection.example abc12345678

» alicloud_gpdb_instance
Provides an AnalyticDB for PostgreSQL instance resource. It supports replica
set instances only. AnalyticDB for PostgreSQL provides stable, reliable, and
automatically scalable database services. You can see the detailed product
introduction here
NOTE: Available in 1.47.0+
NOTE: The following regions do not support creating a Classic network Gpdb
instance. [ap-southeast-2,ap-southeast-3,ap-southeast-5,ap-south-1,me-east-1,ap-northeast-1,eu-west
NOTE: Creating or changing an instance takes 10~15 minutes. Please
make full preparation.

» Example Usage

» Create a Gpdb instance

data "alicloud_zones" "default" {
  available_resource_creation = "Gpdb"
}

resource "alicloud_vpc" "default" {
  name       = "vpc-123456"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  name              = "vpc-123456"
}

resource "alicloud_gpdb_instance" "example" {
  description          = "tf-gpdb-test"
  engine               = "gpdb"
  engine_version       = "4.3"
  instance_class       = "gpdb.group.segsdx2"
  instance_group_count = "2"
  vswitch_id           = "${alicloud_vswitch.default.id}"
  # Only these two source addresses may connect to the instance.
  security_ip_list     = ["10.168.1.12", "100.69.7.112"]
}

» Argument Reference

The following arguments are supported:


• engine - (Required, ForceNew) Database engine: gpdb. System Default
value: gpdb.
• engine_version - (Required, ForceNew) Database version. Value options
can refer to the latest docs CreateDBInstance EngineVersion.
• instance_class - (Required) Instance specification. See Instance
specifications.
• instance_group_count - (Required) The number of groups. Valid values:
[2,4,8,16,32]
• description - (Optional) The name of DB instance. It is a string of 2 to
256 characters.
• instance_charge_type - (Optional, ForceNew) Valid values are PrePaid,
PostPaid. System default to PostPaid.
• zone_id - (Optional, ForceNew) The Zone to launch the DB instance. It
supports multiple zones. If it is a multi-zone and vswitch_id is specified,
the vswitch must be in one of them. The multiple zone ID can be retrieved
by setting multi to ”true” in the data source alicloud_zones.
• vswitch_id - (Optional, ForceNew) The virtual switch ID to launch DB
instances in one VPC.
• security_ip_list - (Optional) List of IP addresses allowed to access
all databases of an instance. The list contains up to 1,000 IP addresses,
separated by commas. Supported formats include 0.0.0.0/0, 10.23.12.24
(IP), and 10.23.12.24/24 (Classless Inter-Domain Routing (CIDR) mode.
/24 represents the length of the prefix in an IP address. The range of the
prefix length is [1,32]).
• tags - (Optional, Available in v1.55.3+) A mapping of tags to assign to
the resource.
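
The whitelist arguments documented above (security_ips on alicloud_adb_cluster, security_ip_list on alicloud_gpdb_instance) accept 0.0.0.0/0, and alicloud_adb_account accepts a plaintext account_password that overrides kms_encrypted_password. The following Python check is an added example, not part of the provider documentation: it reviews a plan exported with terraform show -json for both conditions. The sample plan is constructed, and MIN_PREFIX_LEN is an assumed local review threshold.

```python
import ipaddress

# Resource type -> whitelist argument, as named in the argument references above.
WHITELIST_ARGS = {
    "alicloud_adb_cluster": "security_ips",
    "alicloud_gpdb_instance": "security_ip_list",
}
# Assumption: local review threshold; prefixes shorter than this are reported.
MIN_PREFIX_LEN = 16


def parse_entries(value):
    """Normalise a whitelist given as a list or as one comma-separated string."""
    if value is None:
        return []
    if isinstance(value, str):
        value = value.split(",")
    return [item.strip() for item in value if item and item.strip()]


def check_entry(entry):
    """Return a finding for a risky or malformed entry, or None if it passes."""
    try:
        # strict=False accepts host bits, e.g. the documented 10.23.12.24/24.
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return f"{entry}: not a valid IP address or CIDR block"
    if net.prefixlen == 0:
        return f"{entry}: every source address is allowed"
    if net.prefixlen < MIN_PREFIX_LEN:
        return f"{entry}: /{net.prefixlen} covers {net.num_addresses} addresses"
    return None


def audit_plan(plan):
    """Return (address, argument, message) tuples for one parsed plan."""
    findings = []
    for rc in plan.get("resource_changes", []):
        # "after" is null for resources that the plan deletes.
        after = (rc.get("change") or {}).get("after") or {}
        rtype, address = rc.get("type"), rc.get("address")
        arg = WHITELIST_ARGS.get(rtype)
        if arg:
            for entry in parse_entries(after.get(arg)):
                message = check_entry(entry)
                if message:
                    findings.append((address, arg, message))
        if rtype == "alicloud_adb_account" and after.get("account_password"):
            findings.append((address, "account_password",
                             "plaintext password set; kms_encrypted_password is ignored"))
    return findings


# Constructed sample in the resource_changes layout of `terraform show -json`.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "alicloud_adb_cluster.default", "type": "alicloud_adb_cluster",
         "change": {"actions": ["create"], "after": {
             "security_ips": ["0.0.0.0/0", "10.0.0.0/8", "10.23.12.24/24"]}}},
        {"address": "alicloud_gpdb_instance.example", "type": "alicloud_gpdb_instance",
         "change": {"actions": ["create"], "after": {
             "security_ip_list": ["10.168.1.12", "100.69.7.112"]}}},
        {"address": "alicloud_adb_account.account", "type": "alicloud_adb_account",
         "change": {"actions": ["create"], "after": {
             "account_name": "tftestnormal", "account_password": "Test12345"}}},
        {"address": "alicloud_adb_account.kms", "type": "alicloud_adb_account",
         "change": {"actions": ["create"], "after": {
             "account_name": "tftestkms", "account_password": None,
             "kms_encrypted_password": "CIPHERTEXT-PLACEHOLDER"}}},
        {"address": "alicloud_gpdb_instance.old", "type": "alicloud_gpdb_instance",
         "change": {"actions": ["delete"], "after": None}},
    ]
}

if __name__ == "__main__":
    for address, arg, message in audit_plan(SAMPLE_PLAN):
        print(f"{address} [{arg}] {message}")
```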

» Timeouts

NOTE: Available in 1.53.0+.


The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 30 mins) Used when creating the DB instance (until
it reaches the initial Running status).

» Attributes Reference

The following attributes are exported:


• id - The ID of the Instance.

» Import

AnalyticDB for PostgreSQL can be imported using the id, e.g.


$ terraform import alicloud_gpdb_instance.example gp-bp1291daeda44194

» alicloud_api_gateway_apis
This data source provides the apis of the current Alibaba Cloud user.

» Example Usage

data "alicloud_api_gateway_apis" "data_apigatway_apis" {
  output_file = "output_ApiGatawayApis"
}

output "first_api_id" {
  # The reference must use the data source name declared above.
  value = "${data.alicloud_api_gateway_apis.data_apigatway_apis.apis.0.id}"
}

» Argument Reference

The following arguments are supported:


• api_id - (Deprecated, Optional) (It has been deprecated from version
1.52.2, and use field ’ids’ to replace.) ID of the specified API.
• group_id - (Optional) ID of the specified group.
• name_regex - (Optional) A regex string to filter api gateway apis by name.
• ids - (Optional, Available 1.52.2+) A list of api IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of api IDs.
• names - A list of api names.
• apis - A list of apis. Each element contains the following attributes:
– id - API ID, which is generated by the system and globally unique.
– name - API name.
– description - API description.
– region_id - The ID of the region where the API is located.

– group_id - The group id that the apis belong to.
– group_name - The group name that the apis belong to.

» alicloud_api_gateway_apps
This data source provides the apps of the current Alibaba Cloud user.

» Example Usage

data "alicloud_api_gateway_apps" "data_apigatway" {
  output_file = "outapps"
}

output "first_app_id" {
  value = "${data.alicloud_api_gateway_apps.data_apigatway.apps.0.id}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter apps by name.
• ids - (Optional, Available in 1.52.2+) A list of app IDs.
• tags - (Optional, Available in v1.55.3+) A mapping of tags to assign to
the resource.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of app IDs.
• names - A list of app names.
• apps - A list of apps. Each element contains the following attributes:
– id - App ID, which is generated by the system and globally unique.
– name - App name.
– description - App description.
– created_time - Creation time (Greenwich mean time).
– modified_time - Last modification time (Greenwich mean time).
– app_code - App code.

» alicloud_api_gateway_groups
This data source provides the api groups of the current Alibaba Cloud user.

» Example Usage

data "alicloud_api_gateway_groups" "data_apigatway" {
  output_file = "outgroups"
}

output "first_group_id" {
  value = "${data.alicloud_api_gateway_groups.data_apigatway.groups.0.id}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter api gateway groups by
name.
• ids - (Optional, Available 1.52.1+) A list of api group IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of api group IDs.
• names - A list of api group names.
• groups - A list of api groups. Each element contains the following
attributes:
– id - API group ID, which is generated by the system and globally
unique.
– name - API group name.
– description - API group description.
– region_id - The ID of the region where the API group is located.
– sub_domain - Second-level domain name automatically assigned to
the API group.
– created_time - Creation time (Greenwich mean time).
– modified_time - Last modification time (Greenwich mean time).
– traffic_limit - Upper QPS limit of the API group; default value:
500, which can be increased by submitting an application.
– billing_status - Billing status.

– NORMAL: The API group is normal.
– LOCKED: Locked due to outstanding payment.
– illegal_status - Locking in invalid state.
– NORMAL: The API group is normal.
– LOCKED: Locked due to illegality.

» alicloud_api_gateway_api
Provides an api resource. When you create an API, you must enter the basic
information about the API, and define the API request information, the API
backend service and response information.
For information about Api Gateway Api and how to use it, see Create an API
NOTE: Terraform will auto build api while it uses alicloud_api_gateway_api
to build api.

» Example Usage

Basic Usage
resource "alicloud_api_gateway_api" "apiGatewayApi" {
  name        = "terraformapi"
  group_id    = "${alicloud_api_gateway_group.apiGatewayGroup.id}"
  description = "description"
  auth_type   = "APP"

  request_config = {
    protocol = "HTTP"
    method   = "GET"
    path     = "/test/path1"
    mode     = "MAPPING"
  }

  service_type = "HTTP"

  http_service_config = {
    address   = "http://apigateway-backend.alicloudapi.com:8080"
    method    = "GET"
    path      = "/web/cloudapi"
    timeout   = 12
    aone_name = "cloudapi-openapi"
  }

  request_parameters = [
    {
      name         = "aaa"
      type         = "STRING"
      required     = "OPTIONAL"
      in           = "QUERY"
      in_service   = "QUERY"
      name_service = "testparams"
    },
  ]

  stage_names = [
    "RELEASE",
    "TEST",
  ]
}

» Argument Reference

The following arguments are supported:


• name - (Required) The name of the api gateway api. Defaults to null.
• group_id - (Required, ForceNew) The api gateway that the api belongs
to. Defaults to null.
• description - (Required) The description of the api. Defaults to null.
• auth_type - (Required) The authorization Type including APP and
ANONYMOUS. Defaults to null.
• request_config - (Required, Type: list) Request_config defines how
users can send requests to your API.
• service_type - (Required) The type of backend service. Type including
HTTP,VPC and MOCK. Defaults to null.
• http_service_config - (Optional, Type: list) http_service_config de-
fines the config when service_type selected ’HTTP’.
• http_vpc_service_config - (Optional, Type: list) http_vpc_service_config
defines the config when service_type selected ’HTTP-VPC’.
• fc_service_config - (Optional, Type: list) fc_service_config defines the
config when service_type selected ’FunctionCompute’.
• mock_service_config - (Optional, Type: list) mock_service_config
defines the config when service_type selected ’MOCK’.
• request_parameters - (Required, Type: list) request_parameters defines
the request parameters of the api.
• constant_parameters - (Required, Type: list) constant_parameters de-
fines the constant parameters of the api.
• system_parameters - (Required, Type: list) system_parameters defines
the system parameters of the api.
• stage_names - (Optional, Type: list) Stages that the api need to be
deployed. Valid value: RELEASE | PRE | TEST.

» Block request_config

The request_config mapping supports the following:


• protocol - (Required) The protocol of api which supports values of
’HTTP’,’HTTPS’ or ’HTTP,HTTPS’
• method - (Required) The method of the api, including ’GET’,’POST’,’PUT’
etc.
• path - (Required) The request path of the api.
• mode - (Required) The mode of the parameters between request parameters
and service parameters, which supports the values of ’MAPPING’ and
’PASSTHROUGH’
• body_format - (Optional) The body format of the api, which supports the
values of ’STREAM’ and ’FORM’

» Block http_service_config

The http_service_config mapping supports the following:


• address - (Required) The address of backend service.
• path - (Required) The path of backend service.
• method - (Required) The http method of backend service.
• timeout - (Required) Backend service time-out time; unit: millisecond.

» Block http_vpc_service_config

The http_vpc_service_config mapping supports the following:


• name - (Required) The name of vpc instance.
• path - (Required) The path of backend service.
• method - (Required) The http method of backend service.
• timeout - (Required) Backend service time-out time; unit: millisecond.

» Block fc_service_config

The fc_service_config mapping supports the following:


• region - (Required) The region that the function compute service belongs
to.
• function_name - (Required) The function name of function compute
service.
• service_name - (Required) The service name of function compute service.
• arn_role - (Optional) RAM role arn attached to the Function Compute
service. This governs both who / what can invoke your Function, as well
as what resources your Function has access to. See User Permissions for
more details.
• timeout - (Required) Backend service time-out time; unit: millisecond.

» Block mock_service_config

The mock_service_config mapping supports the following:


• result - (Required) The result of the mock service.

» Block request_parameters

The request_parameters mapping supports the following:


• name - (Required) Request’s parameter name.
• type - (Required) Parameter type which supports values of ’STRING’,’INT’,’BOOLEAN’,’LONG’,”FLOA
and ”DOUBLE”
• required - (Required) Parameter required or not; values: REQUIRED
and OPTIONAL.
• in - (Required) Request’s parameter location; values: BODY, HEAD,
QUERY, and PATH.
• in_service - (Required) Backend service’s parameter location; values:
BODY, HEAD, QUERY, and PATH.
• name_service - (Required) Backend service’s parameter name.
• description - (Optional) The description of parameter.
• default_value - (Optional) The default value of the parameter.

» Block constant_parameters

The constant_parameters mapping supports the following:


• name - (Required) Constant parameter name.
• in - (Required) Constant parameter location; values: ’HEAD’ and
’QUERY’.
• value - (Required) Constant parameter value.
• description - (Optional) The description of Constant parameter.

» Block system_parameters

The system_parameters mapping supports the following:


• name - (Required) System parameter name. Supported values are those
included in the system parameter list.
• in - (Required) System parameter location; values: ’HEAD’ and ’QUERY’.
• name_service - (Required) Backend service’s parameter name.
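
Three of the arguments documented for alicloud_api_gateway_api decide how exposed an API is: auth_type (APP or ANONYMOUS), request_config.protocol (HTTP, HTTPS or both) and the scheme of http_service_config.address. The following Python review of a plan exported with terraform show -json is an added example, not part of the provider documentation. The sample plan is constructed: its first entry mirrors the Basic Usage values, and the other two APIs and the backend.example.com host are made up.

```python
from urllib.parse import urlsplit


def blocks(value):
    """Nested blocks are a list of maps in plan JSON; accept a single map too."""
    if value is None:
        return []
    return [value] if isinstance(value, dict) else list(value)


def audit_api(address, after):
    """Return (address, argument, message) findings for one alicloud_api_gateway_api."""
    findings = []
    stages = after.get("stage_names") or []
    scope = "deployed to RELEASE" if "RELEASE" in stages else "not deployed to RELEASE"

    if after.get("auth_type") == "ANONYMOUS":
        findings.append((address, "auth_type",
                         f"no app authorization required ({scope})"))

    for req in blocks(after.get("request_config")):
        # protocol may be 'HTTP', 'HTTPS' or 'HTTP,HTTPS'; compare whole tokens.
        protocols = {p.strip().upper() for p in str(req.get("protocol", "")).split(",")}
        if "HTTP" in protocols:
            findings.append((address, "request_config.protocol",
                             f"{req.get('method')} {req.get('path')} "
                             f"accepts cleartext HTTP ({scope})"))

    # http_service_config only applies when service_type is HTTP.
    if after.get("service_type") == "HTTP":
        for svc in blocks(after.get("http_service_config")):
            if urlsplit(str(svc.get("address", ""))).scheme.lower() == "http":
                findings.append((address, "http_service_config.address",
                                 "gateway-to-backend traffic is cleartext HTTP"))
    return findings


def audit_gateway_plan(plan):
    """Run audit_api over every alicloud_api_gateway_api in a parsed plan."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after") or {}
        if rc.get("type") == "alicloud_api_gateway_api":
            findings.extend(audit_api(rc.get("address"), after))
    return findings


# Constructed sample in the resource_changes layout of `terraform show -json`.
SAMPLE_GATEWAY_PLAN = {
    "resource_changes": [
        {"address": "alicloud_api_gateway_api.apiGatewayApi",
         "type": "alicloud_api_gateway_api",
         "change": {"actions": ["create"], "after": {
             "auth_type": "APP",
             "request_config": [{"protocol": "HTTP", "method": "GET",
                                 "path": "/test/path1", "mode": "MAPPING"}],
             "service_type": "HTTP",
             "http_service_config": [{
                 "address": "http://apigateway-backend.alicloudapi.com:8080",
                 "method": "GET", "path": "/web/cloudapi", "timeout": 12}],
             "stage_names": ["RELEASE", "TEST"]}}},
        {"address": "alicloud_api_gateway_api.health",
         "type": "alicloud_api_gateway_api",
         "change": {"actions": ["create"], "after": {
             "auth_type": "ANONYMOUS",
             "request_config": {"protocol": "HTTPS", "method": "GET",
                                "path": "/health", "mode": "MAPPING"},
             "service_type": "MOCK",
             "mock_service_config": [{"result": "ok"}],
             "stage_names": ["TEST"]}}},
        {"address": "alicloud_api_gateway_api.orders",
         "type": "alicloud_api_gateway_api",
         "change": {"actions": ["create"], "after": {
             "auth_type": "APP",
             "request_config": [{"protocol": "HTTPS", "method": "POST",
                                 "path": "/orders", "mode": "MAPPING"}],
             "service_type": "HTTP",
             "http_service_config": [{"address": "https://backend.example.com",
                                      "method": "POST", "path": "/orders",
                                      "timeout": 12}],
             "stage_names": ["RELEASE"]}}},
    ]
}

if __name__ == "__main__":
    for address, arg, message in audit_gateway_plan(SAMPLE_GATEWAY_PLAN):
        print(f"{address} [{arg}] {message}")
```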

» Attributes Reference

The following attributes are exported:


• id - The ID of the api resource of api gateway.
• api_id - The ID of the api of api gateway.

» Import

Api gateway api can be imported using the id, in the format
<API Group Id>:<API Id>, e.g.
$ terraform import alicloud_api_gateway_api.example "ab2351f2ce904edaa8d92a0510832b91:e4f728

» alicloud_api_gateway_app
Provides an app resource. You must create an app before calling a third-party
API, because the app is the identity used to call the third-party API.
For information about Api Gateway App and how to use it, see Create An APP
NOTE: Terraform will auto build api app while it uses alicloud_api_gateway_app
to build api app.

» Example Usage

Basic Usage
resource "alicloud_api_gateway_app" "apiTest" {
  name        = "ApiGatewayAPp"
  description = "description of the app"
}

» Argument Reference

The following arguments are supported:


• name - (Required) The name of the app.
• description - (Optional) The description of the app. Defaults to null.
• tags - (Optional, Available in v1.55.3+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported:


• id - The ID of the app of api gateway.

» Import

Api gateway app can be imported using the id, e.g.


$ terraform import alicloud_api_gateway_app.example "7379660"

» alicloud_api_gateway_app_attachment
Provides an app attachment resource. It is used to authorize an app to access
a specific api.
For information about Api Gateway App attachment and how to use it, see Add
specified API access authorities
NOTE: Terraform will auto build app attachment while it uses alicloud_api_gateway_app_attachment
to build.

» Example Usage

Basic Usage
resource "alicloud_api_gateway_app_attachment" "foo" {
  api_id     = "d29d25b9cfdf4742b1a3f6537299a749"
  group_id   = "aaef8cdbb404420f9398a74ed1db7fff"
  app_id     = "20898181"
  stage_name = "PRE"
}

» Argument Reference

The following arguments are supported:


• api_id - (Required, ForceNew) The api_id that app apply to access.
• group_id - (Required, ForceNew) The group that the api belongs to.
• app_id - (Required, ForceNew) The app that apply to the authorization.
• stage_name - (Required, ForceNew) Stage that the app apply to access.

» Attributes Reference

The following attributes are exported:


• id - The ID of the app attachment of api gateway, formatted as
<group_id>:<api_id>:<app_id>:<stage_name>.

» alicloud_api_gateway_group
Provides an api group resource. To create an API, you must first create a group,
which is a basic attribute of the API.
For information about Api Gateway Group and how to use it, see Create An
Api Group
NOTE: Terraform will auto build api group while it uses alicloud_api_gateway_group
to build api group.

» Example Usage

Basic Usage
resource "alicloud_api_gateway_group" "apiGroup" {
name = "ApiGatewayGroup"
description = "description of the api group"
}

» Argument Reference

The following arguments are supported:


• name - (Required) The name of the api gateway group. Defaults to null.
• description - (Required) The description of the api gateway group. Defaults to null.

» Attributes Reference

The following attributes are exported:


• id - The ID of the api group of api gateway.
• sub_domain - (Available in 1.69.0+) Second-level domain name automatically
assigned to the API group.
• vpc_domain - (Available in 1.69.0+) Second-level VPC domain name automatically
assigned to the API group.

» Import

Api gateway group can be imported using the id, e.g.


$ terraform import alicloud_api_gateway_group.example "ab2351f2ce904edaa8d92a0510832b91"

» alicloud_api_gateway_vpc_access
Provides a vpc authorization resource. This authorizes the API gateway to
access your VPC instances.
For information about Api Gateway vpc and how to use it, see Set Vpc Access
NOTE: Terraform will auto build vpc authorization while it uses
alicloud_api_gateway_vpc_access to build vpc.

» Example Usage

Basic Usage
resource "alicloud_api_gateway_vpc_access" "foo" {
name = "ApiGatewayVpc"
vpc_id = "vpc-awkcj192ka9zalz"
instance_id = "i-kai2ks92kzkw92ka"
port = 8080
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) The name of the vpc authorization.
• vpc_id - (Required, ForceNew) The vpc id of the vpc authorization.
• instance_id - (Required, ForceNew) ID of the instance in VPC
(ECS/Server Load Balance).
• port - (Required, ForceNew) ID of the port corresponding to the instance.

» Attributes Reference

The following attributes are exported:


• id - The ID of the vpc authorization of api gateway.

» Import

Api gateway vpc access can be imported using the id, e.g.


$ terraform import alicloud_api_gateway_vpc_access.example "APiGatewayVpc:vpc-aswcj19ajsz:i-

» alicloud_ess_alarms
This data source provides available alarm resources.
NOTE: Available in 1.72.0+

» Example Usage

data "alicloud_ess_alarms" "alarm_ds" {
scaling_group_id = "scaling_group_id"
ids = ["alarm_id1", "alarm_id2"]
name_regex = "alarm_name"
}

output "first_scaling_rule" {
value = "${data.alicloud_ess_alarms.alarm_ds.alarms.0.id}"
}

» Argument Reference

The following arguments are supported:


• scaling_group_id - (Optional) Scaling group id the alarms belong to.
• name_regex - (Optional) A regex string to filter resulting alarms by name.
• ids - (Optional) A list of alarm IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• metric_type - (Optional) The type for the alarm's associated metric. Supported
value: system, custom. "system" means the metric data is collected
by Aliyun Cloud Monitor Service (CMS), "custom" means the metric data
is uploaded to CMS by users. Defaults to system.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of alarm ids.

• names - A list of alarm names.
• alarms - A list of alarms. Each element contains the following attributes:
– id - The id of alarm.
– name - The name for ess alarm.
– description - The description for the alarm.
– enable - Whether to enable specific ess alarm.
– alarm_actions - The list of actions to execute when this alarm transitions
into an ALARM state. Each action is specified as ess scaling rule ari.
– scaling_group_id - The scaling group associated with this alarm.
– metric_type - The type for the alarm's associated metric.
– metric_name - The name for the alarm's associated metric. See
Block_metricNames_and_dimensions below for details.
– period - The period in seconds over which the specified statistic is
applied.
– statistics - The statistic to apply to the alarm's associated metric.
– threshold - The value against which the specified statistics is compared.
– comparison_operator - The arithmetic operation to use when comparing
the specified Statistic and Threshold. The specified Statistic
value is used as the first operand.
– evaluation_count - The number of times the comparison condition must
be satisfied before transitioning into the ALARM state.
– cloud_monitor_group_id - Defines the application group id defined
by CMS which is assigned when you upload custom metric to CMS,
only available for custom metric.
– dimensions - The dimension map for the alarm’s associated metric.
– state - The state of alarm task.

» alicloud_ess_lifecycle_hooks
This data source provides available lifecycle hook resources.
NOTE: Available in 1.72.0+

» Example Usage

data "alicloud_ess_lifecycle_hooks" "ds" {


scaling_group_id = "scaling_group_id"
name_regex = "lifecyclehook_name"
}

output "first_lifecycle_hook" {
value = "${data.alicloud_ess_lifecycle_hooks.ds.hooks.0.id}"

}

» Argument Reference

The following arguments are supported:


• scaling_group_id - (Optional) Scaling group id the lifecycle hooks belong
to.
• name_regex - (Optional) A regex string to filter resulting lifecycle hook
by name.
• ids - (Optional) A list of lifecycle hook IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of lifecycle hook ids.
• names - A list of lifecycle hook names.
• hooks - A list of lifecycle hooks. Each element contains the following
attributes:
– id - ID of the lifecycle hook.
– scaling_group_id - ID of the scaling group.
– name - Name of the lifecycle hook.
– default_result - Defines the action the Auto Scaling group should
take when the lifecycle hook timeout elapses.
– heartbeat_timeout - Defines the amount of time, in seconds, that
can elapse before the lifecycle hook times out. When the lifecycle
hook times out, Auto Scaling performs the action defined in the
default_result parameter.
– lifecycle_transition - Type of Scaling activity attached to
lifecycle hook.
– notification_arn - The Arn of notification target.
– notification_metadata - Additional information that you want to
include when Auto Scaling sends a message to the notification target.

» alicloud_ess_notifications
This data source provides available notification resources.
NOTE: Available in 1.72.0+

» Example Usage

data "alicloud_ess_notifications" "ds" {


scaling_group_id = "scaling_group_id"
}

output "first_notification" {
value = "${data.alicloud_ess_notifications.ds.notifications.0.id}"
}

» Argument Reference

The following arguments are supported:


• scaling_group_id - (Required) Scaling group id the notifications belong
to.
• ids - (Optional) A list of notification ids.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of notification ids.
• notifications - A list of notifications. Each element contains the
following attributes:
– id - ID of the notification.
– scaling_group_id - ID of the scaling group.
– notification_arn - The Alibaba Cloud Resource Name (ARN) for
the notification object.
– notification_types - The notification types of Auto Scaling events
and resource changes.

» alicloud_ess_scaling_configurations
This data source provides available scaling configuration resources.

» Example Usage

data "alicloud_ess_scaling_configurations" "scalingconfigurations_ds" {


scaling_group_id = "scaling_group_id"

ids = ["scaling_configuration_id1", "scaling_configuration_id2"]
name_regex = "scaling_configuration_name"
}

output "first_scaling_rule" {
value = "${data.alicloud_ess_scaling_configurations.scalingconfigurations_ds.configuration
}

» Argument Reference

The following arguments are supported:


• scaling_group_id - (Optional) Scaling group id the scaling configurations
belong to.
• name_regex - (Optional) A regex string to filter resulting scaling
configurations by name.
• ids - (Optional) A list of scaling configuration IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of scaling configuration ids.
• names - A list of scaling configuration names.
• configurations - A list of scaling rules. Each element contains the
following attributes:
– id - ID of the scaling rule.
– scaling_group_id - ID of the scaling group.
– name - Name of the scaling configuration.
– image_id - Image ID of the scaling configuration.
– instance_type - Instance type of the scaling configuration.
– security_group_id - Security group ID of the scaling configuration.
– internet_charge_type - Internet charge type of the scaling
configuration.
– internet_max_bandwidth_in - Internet max bandwidth in of the
scaling configuration.
– internet_max_bandwidth_out - Internet max bandwidth of the
scaling configuration.
– system_disk_category - System disk category of the scaling
configuration.
– system_disk_size - System disk size of the scaling configuration.
– data_disks - Data disks of the scaling configuration.
– size - Size of data disk.

– category - Category of data disk.
– snapshot_id - Size of data disk.
– device - Device attribute of data disk.
– delete_with_instance - Delete_with_instance attribute of data
disk.
– lifecycle_state - Lifecycle state of the scaling configuration.
– creation_time - Creation time of the scaling configuration.

» alicloud_ess_scaling_groups
This data source provides available scaling group resources.

» Example Usage

data "alicloud_ess_scaling_groups" "scalinggroups_ds" {


ids = ["scaling_group_id1", "scaling_group_id2"]
name_regex = "scaling_group_name"
}

output "first_scaling_group" {
value = "${data.alicloud_ess_scaling_groups.scalinggroups_ds.groups.0.id}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter resulting scaling groups
by name.
• ids - (Optional) A list of scaling group IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of scaling group ids.
• names - A list of scaling group names.
• groups - A list of scaling groups. Each element contains the following
attributes:
– id - ID of the scaling group.

– name - Name of the scaling group.
– active_scaling_configuration - Active scaling configuration for
scaling group.
– launch_template_id - Active launch template ID for scaling group.
– launch_template_version - Version of active launch template.
– region_id - Region ID the scaling group belongs to.
– min_size - The minimum number of ECS instances.
– max_size - The maximum number of ECS instances.
– cooldown_time - Default cooldown time of scaling group.
– removal_policies - Removal policy used to select the ECS instance
to remove from the scaling group.
– load_balancer_ids - Slb instances id which the ECS instance
attached to.
– db_instance_ids - Db instances id which the ECS instance attached
to.
– vswitch_ids - Vswitches id in which the ECS instance launched.
– lifecycle_state - Lifecycle state of scaling group.
– total_capacity - Number of instances in scaling group.
– active_capacity - Number of active instances in scaling group.
– pending_capacity - Number of pending instances in scaling group.
– removing_capacity - Number of removing instances in scaling
group.
– creation_time - Creation time of scaling group.

» alicloud_ess_scaling_rules
This data source provides available scaling rule resources.

» Example Usage

data "alicloud_ess_scaling_rules" "scalingrules_ds" {


scaling_group_id = "scaling_group_id"
ids = ["scaling_rule_id1", "scaling_rule_id2"]
name_regex = "scaling_rule_name"
}

output "first_scaling_rule" {
value = "${data.alicloud_ess_scaling_rules.scalingrules_ds.rules.0.id}"
}

» Argument Reference

The following arguments are supported:


• scaling_group_id - (Optional) Scaling group id the scaling rules belong
to.
• type - (Optional) Type of scaling rule.
• name_regex - (Optional) A regex string to filter resulting scaling rules by
name.
• ids - (Optional) A list of scaling rule IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of scaling rule ids.
• names - A list of scaling rule names.
• rules - A list of scaling rules. Each element contains the following
attributes:
– id - ID of the scaling rule.
– scaling_group_id - ID of the scaling group.
– name - Name of the scaling rule.
– type - Type of the scaling rule.
– cooldown - Cooldown time of the scaling rule.
– adjustment_type - Adjustment type of the scaling rule.
– adjustment_value - Adjustment value of the scaling rule.
– min_adjustment_magnitude - Min adjustment magnitude of scaling
rule.
– scaling_rule_ari - Ari of scaling rule.

» alicloud_ess_scheduled_tasks
This data source provides available scheduled task resources.
NOTE: Available in 1.72.0+

» Example Usage

data "alicloud_ess_scheduled_tasks" "ds" {


scheduled_task_id = "scheduled_task_id"
name_regex = "scheduled_task_name"
}

output "first_scheduled_task" {
value = "${data.alicloud_ess_scheduled_tasks.ds.tasks.0.id}"
}

» Argument Reference

The following arguments are supported:


• scheduled_task_id - (Optional) The id of the scheduled task.
• scheduled_action - (Optional) The operation to be performed when a
scheduled task is triggered.
• name_regex - (Optional) A regex string to filter resulting scheduled tasks
by name.
• ids - (Optional) A list of scheduled task IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of scheduled task ids.
• names - A list of scheduled task names.
• tasks - A list of scheduled tasks. Each element contains the following
attributes:
– id - ID of the scheduled task.
– name - Name of the scheduled task.
– scheduled_action - The operation to be performed when a
scheduled task is triggered.
– description - Description of the scheduled task.
– launch_expiration_time - The time period during which a failed
scheduled task is retried.
– launch_time - The time at which the scheduled task is triggered.
– recurrence_type - Specifies the recurrence type of the scheduled
task.
– recurrence_value - Specifies how often a scheduled task recurs.
– recurrence_end_time - Specifies the end time after which the
scheduled task is no longer repeated.

» alicloud_ess_alarm
Provides an ESS alarm task resource.

» Example Usage

data "alicloud_zones" "default" {


available_disk_category = "cloud_efficiency"
available_resource_creation = "VSwitch"
}

data "alicloud_images" "ecs_image" {


most_recent = true
name_regex = "^centos_6\\w{1,5}[64].*"
}

data "alicloud_instance_types" "default" {


availability_zone = "${data.alicloud_zones.default.zones.0.id}"
cpu_core_count = 1
memory_size = 2
}

resource "alicloud_vpc" "foo" {


name = "tf-testAccEssAlarm_basic"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "foo" {


name = "tf-testAccEssAlarm_basic_foo"
vpc_id = "${alicloud_vpc.foo.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
}

resource "alicloud_vswitch" "bar" {


name = "tf-testAccEssAlarm_basic_bar"
vpc_id = "${alicloud_vpc.foo.id}"
cidr_block = "172.16.1.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
}

resource "alicloud_ess_scaling_group" "foo" {


min_size = 1
max_size = 1
scaling_group_name = "tf-testAccEssAlarm_basic"
removal_policies = ["OldestInstance", "NewestInstance"]
vswitch_ids = ["${alicloud_vswitch.foo.id}", "${alicloud_vswitch.bar.id}"]
}

resource "alicloud_ess_scaling_rule" "foo" {
scaling_rule_name = "tf-testAccEssAlarm_basic"
scaling_group_id = "${alicloud_ess_scaling_group.foo.id}"
adjustment_type = "TotalCapacity"
adjustment_value = 2
cooldown = 60
}

resource "alicloud_ess_alarm" "foo" {


name = "tf-testAccEssAlarm_basic"
description = "Acc alarm test"
alarm_actions = ["${alicloud_ess_scaling_rule.foo.ari}"]
scaling_group_id = "${alicloud_ess_scaling_group.foo.id}"
metric_type = "system"
metric_name = "CpuUtilization"
period = 300
statistics = "Average"
threshold = 200.3
comparison_operator = ">="
evaluation_count = 2
}

» Module Support

You can use the existing autoscaling-rule module to create an alarm task,
different types of rules and a scheduled task with one click.

» Argument Reference

The following arguments are supported:


• name - (Optional) The name for ess alarm.
• description - (Optional) The description for the alarm.
• enable - (Optional, Available in 1.48.0+) Whether to enable specific ess
alarm. Defaults to true.
• alarm_actions - (Required) The list of actions to execute when this alarm
transitions into an ALARM state. Each action is specified as ess scaling
rule ari.
• scaling_group_id - (Required, ForceNew) The scaling group associated
with this alarm. The 'ForceNew' attribute is available in 1.56.0+.
• metric_type - (Optional, ForceNew) The type for the alarm's associated
metric. Supported value: system, custom. "system" means the metric
data is collected by Aliyun Cloud Monitor Service (CMS), "custom" means
the metric data is uploaded to CMS by users. Defaults to system.

• metric_name - (Required) The name for the alarm’s associated metric.
See Block_metricNames_and_dimensions below for details.
• period - (Optional, ForceNew) The period in seconds over which the
specified statistic is applied. Supported value: 60, 120, 300, 900. Defaults
to 300.
• statistics - (Optional) The statistic to apply to the alarm’s associated
metric. Supported value: Average, Minimum, Maximum. Defaults to
Average.
• threshold - (Required) The value against which the specified statistics is
compared.
• comparison_operator - (Optional) The arithmetic operation to use when
comparing the specified Statistic and Threshold. The specified Statistic
value is used as the first operand. Supported value: >=, <=, >, <.
Defaults to >=.
• evaluation_count - (Optional) The number of times the comparison condition
must be satisfied before transitioning into the ALARM state. Defaults
to 3.
• cloud_monitor_group_id - (Optional) Defines the application group id
defined by CMS which is assigned when you upload custom metric to CMS,
only available for custom metric.
• dimensions - (Optional) The dimension map for the alarm's associated
metric (documented below). For all metrics, you cannot set the dimension
key as "scaling_group" or "userId", which are set by default; the second
dimension for a metric, such as "device" for "PackagesNetIn", needs to be
set by users.

» Block metricNames_and_dimensions

Supported metric names and dimensions :

MetricName           Dimensions
CpuUtilization       user_id,scaling_group
ClassicInternetRx    user_id,scaling_group
ClassicInternetTx    user_id,scaling_group
VpcInternetRx        user_id,scaling_group
VpcInternetTx        user_id,scaling_group
IntranetRx           user_id,scaling_group
IntranetTx           user_id,scaling_group
LoadAverage          user_id,scaling_group
MemoryUtilization    user_id,scaling_group
SystemDiskReadBps    user_id,scaling_group
SystemDiskWriteBps   user_id,scaling_group
SystemDiskReadOps    user_id,scaling_group
SystemDiskWriteOps   user_id,scaling_group
PackagesNetIn        user_id,scaling_group,device
PackagesNetOut       user_id,scaling_group,device
TcpConnection        user_id,scaling_group,state

NOTE: Dimension user_id and scaling_group are automatically filled, which
means you only need to care about dimension device and state when needed.

» Attribute Reference

The following attributes are exported:


• id - The id for ess alarm.
• state - The state of specified alarm.

» Import

Ess alarm can be imported using the id, e.g.


$ terraform import alicloud_ess_alarm.example asg-2ze500_045efffe-4d05
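
The limits in the Argument Reference and the metric table above can be checked before terraform apply. The following Python check is an added example, not part of the provider or its documentation; the function name check_alarm, the placeholder IDs and the assumption that the table applies to metric_type system are this example's own.

```python
# Added example: pre-apply checks for one alicloud_ess_alarm block.
# Limits are copied from the Argument Reference and the metric table above.
PERIODS = {60, 120, 300, 900}
STATISTICS = {"Average", "Minimum", "Maximum"}
OPERATORS = {">=", "<=", ">", "<"}
METRIC_TYPES = {"system", "custom"}
# Keys the service fills in itself; the text names "scaling_group" and
# "userId", the table spells the second one "user_id".
RESERVED_DIMENSIONS = {"scaling_group", "userId", "user_id"}
# Metrics whose second dimension has to be set by the user.
EXTRA_DIMENSION = {
    "PackagesNetIn": "device",
    "PackagesNetOut": "device",
    "TcpConnection": "state",
}
TABLE_METRICS = {
    "CpuUtilization", "ClassicInternetRx", "ClassicInternetTx",
    "VpcInternetRx", "VpcInternetTx", "IntranetRx", "IntranetTx",
    "LoadAverage", "MemoryUtilization", "SystemDiskReadBps",
    "SystemDiskWriteBps", "SystemDiskReadOps", "SystemDiskWriteOps",
} | set(EXTRA_DIMENSION)
DEFAULTS = {
    "enable": True, "metric_type": "system", "period": 300,
    "statistics": "Average", "comparison_operator": ">=",
    "evaluation_count": 3,
}
REQUIRED = ("alarm_actions", "scaling_group_id", "metric_name", "threshold")


def check_alarm(args):
    """Return (effective_args, problems) for a dict of alarm arguments."""
    eff = {**DEFAULTS, **args}  # documented defaults, overridden by the block
    problems = []
    for key in REQUIRED:
        if args.get(key) in (None, "", []):
            problems.append(f"{key} is required")
    allowed = (("metric_type", METRIC_TYPES), ("period", PERIODS),
               ("statistics", STATISTICS), ("comparison_operator", OPERATORS))
    for key, values in allowed:
        if eff[key] not in values:
            problems.append(f"{key}={eff[key]!r} not in {sorted(values)}")
    # Assumption of this example: a count below 1 can never be satisfied.
    count = eff["evaluation_count"]
    if not isinstance(count, int) or count < 1:
        problems.append("evaluation_count must be a positive integer")
    dims = eff.get("dimensions") or {}
    for key in sorted(set(dims) & RESERVED_DIMENSIONS):
        problems.append(f"dimension {key!r} is set by the service")
    metric = eff.get("metric_name")
    # Assumption of this example: the table applies to metric_type "system".
    if metric and eff["metric_type"] == "system":
        if metric not in TABLE_METRICS:
            problems.append(f"metric_name {metric!r} is not in the table")
        needed = EXTRA_DIMENSION.get(metric)
        if needed and needed not in dims:
            problems.append(f"{metric} needs dimension {needed!r}")
    if "cloud_monitor_group_id" in args and eff["metric_type"] != "custom":
        problems.append("cloud_monitor_group_id is only for custom metrics")
    return eff, problems


# The page's example arguments, interpolations replaced by constructed IDs.
PAGE_EXAMPLE = {
    "name": "tf-testAccEssAlarm_basic",
    "alarm_actions": ["ari-placeholder"],
    "scaling_group_id": "asg-placeholder",
    "metric_type": "system", "metric_name": "CpuUtilization",
    "period": 300, "statistics": "Average", "threshold": 200.3,
    "comparison_operator": ">=", "evaluation_count": 2,
}
# Constructed input that breaks several documented rules at once.
BAD_EXAMPLE = {
    "alarm_actions": ["ari-placeholder"],
    "scaling_group_id": "asg-placeholder",
    "metric_name": "PackagesNetIn",
    "period": 30,
    "dimensions": {"userId": "1239306421830812"},
}

if __name__ == "__main__":
    for label, cfg in (("page example", PAGE_EXAMPLE),
                       ("constructed", BAD_EXAMPLE)):
        effective, found = check_alarm(cfg)
        print(label, "->", found or "ok")
```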

» alicloud_ess_attachment
Attaches several ECS instances to a specified scaling group or removes them from
it.
NOTE: ECS instances can be attached or removed only when the scaling group
is active and it has no scaling activity in progress.
NOTE: There are two types of ECS instances in a scaling group: "AutoCreated"
and "Attached". The total number of them cannot be larger than the scaling group
"MaxSize".

» Example Usage

variable "name" {
default = "essattachmentconfig"
}

data "alicloud_zones" "default" {


available_disk_category = "cloud_efficiency"

available_resource_creation = "VSwitch"
}

data "alicloud_instance_types" "default" {


availability_zone = "${data.alicloud_zones.default.zones.0.id}"
cpu_core_count = 2
memory_size = 4
}

data "alicloud_images" "default" {


name_regex = "^ubuntu_18.*64"
most_recent = true
owners = "system"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_security_group" "default" {


name = "${var.name}"
vpc_id = "${alicloud_vpc.default.id}"
}

resource "alicloud_security_group_rule" "default" {


type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "22/22"
priority = 1
security_group_id = "${alicloud_security_group.default.id}"
cidr_ip = "172.16.0.0/24"
}

resource "alicloud_ess_scaling_group" "default" {


min_size = 0
max_size = 2

scaling_group_name = "${var.name}"
removal_policies = ["OldestInstance", "NewestInstance"]
vswitch_ids = ["${alicloud_vswitch.default.id}"]
}

resource "alicloud_ess_scaling_configuration" "default" {


scaling_group_id = "${alicloud_ess_scaling_group.default.id}"
image_id = "${data.alicloud_images.default.images.0.id}"
instance_type = "${data.alicloud_instance_types.default.instance_types.0.id}"
security_group_id = "${alicloud_security_group.default.id}"
force_delete = true
active = true
enable = true
}

resource "alicloud_instance" "default" {


image_id = "${data.alicloud_images.default.images.0.id}"
instance_type = "${data.alicloud_instance_types.default.instance_types.0.id}"
count = 2
security_groups = ["${alicloud_security_group.default.id}"]
internet_charge_type = "PayByTraffic"
internet_max_bandwidth_out = "10"
instance_charge_type = "PostPaid"
system_disk_category = "cloud_efficiency"
vswitch_id = "${alicloud_vswitch.default.id}"
instance_name = "${var.name}"
}

resource "alicloud_ess_attachment" "default" {


scaling_group_id = "${alicloud_ess_scaling_group.default.id}"
instance_ids = ["${alicloud_instance.default.0.id}", "${alicloud_instance.default.1.id
force = true
}

» Argument Reference

The following arguments are supported:


• scaling_group_id - (Required) ID of the scaling group of a scaling
configuration.
• instance_ids - (Required) ID of the ECS instance to be attached to the
scaling group. You can input up to 20 IDs.
• force - (Optional) Whether to forcibly remove "AutoCreated" ECS instances
in order to release scaling group capacity "MaxSize" for attaching
ECS instances. Defaults to false.

NOTE: An "AutoCreated" ECS instance will be deleted after it is removed from
the scaling group, but an "Attached" one will not be.
NOTE: Restrictions on attaching ECS instances:
• The attached ECS instances and the scaling group must have the same
region and network type (Classic or VPC).
• The attached ECS instances and the instance with active scaling
configurations must have the same instance type.
• The attached ECS instances must be in the running state.
• The attached ECS instances have not been attached to other scaling groups.
• The attached ECS instances support Subscription and Pay-As-You-Go
payment methods.

» Attributes Reference

The following attributes are exported:


• id - (Required, ForceNew) The ESS attachment resource ID.
• instance_ids - (Required) ID list of "Attached" ECS instances.
• force - Whether to delete ”AutoCreated” ECS instances.

» Import

ESS attachment can be imported using the id or scaling group id, e.g.
$ terraform import alicloud_ess_attachment.example asg-abc123456

» alicloud_ess_notification
Provides an ESS notification resource. For more about Ess notification, see
Autoscaling Notification.
NOTE: Available in 1.55.0+

» Example Usage

variable "name" {
default = "tf-testAccEssNotification-%d"
}

data "alicloud_regions" "default" {


current = true
}

data "alicloud_account" "default" {
}

data "alicloud_zones" "default" {


available_disk_category = "cloud_efficiency"
available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_ess_scaling_group" "default" {


min_size = 1
max_size = 1
scaling_group_name = "${var.name}"
removal_policies = ["OldestInstance", "NewestInstance"]
vswitch_ids = ["${alicloud_vswitch.default.id}"]
}

resource "alicloud_mns_queue" "default" {
name = "${var.name}"
}

resource "alicloud_ess_notification" "default" {


scaling_group_id = "${alicloud_ess_scaling_group.default.id}"
notification_types = ["AUTOSCALING:SCALE_OUT_SUCCESS","AUTOSCALING:SCALE_OUT_ERROR"]
notification_arn = "acs:ess:${data.alicloud_regions.default.regions.0.id}:${data.aliclou
}

» Argument Reference

The following arguments are supported:


• scaling_group_id - (Required, ForceNew) The ID of the Auto Scaling
group.

• notification_arn - (Required, ForceNew) The Alibaba Cloud Resource
Name (ARN) for the notification object. The format of
notification_arn is acs:ess:{region}:{account-id}:{resource-relative-id}.
Valid values for resource-relative-id: 'cloudmonitor', 'queue/',
'topic/'.
• notification_types - (Required) The notification types of Auto Scaling
events and resource changes. Supported notification types:
'AUTOSCALING:SCALE_OUT_SUCCESS', 'AUTOSCALING:SCALE_IN_SUCCESS',
'AUTOSCALING:SCALE_OUT_ERROR', 'AUTOSCALING:SCALE_IN_ERROR',
'AUTOSCALING:SCALE_REJECT', 'AUTOSCALING:SCALE_OUT_START',
'AUTOSCALING:SCALE_IN_START', 'AUTOSCALING:SCHEDULE_TASK_EXPIRING'.

» Attribute Reference

The following attributes are exported:


• id - The ID of notification resource, which is composed of 'scaling_group_id'
and 'notification_arn' in the format of 'scaling_group_id:notification_arn'.

» Import

Ess notification can be imported using the id, e.g.


$ terraform import alicloud_ess_notification.example 'scaling_group_id:notification_arn'
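
Because the resource id joins the scaling group id and an ARN that itself contains colons, tooling that audits notification targets has to split at the first colon only. The following Python check is an added example, not provider code: it parses the documented ARN format and flags targets outside your own account. The sample ids, the all-digit account id and the assumption that 'queue/' and 'topic/' are followed by a resource name are this example's own.

```python
# Added example: checks on an alicloud_ess_notification target before apply.
NOTIFICATION_TYPES = {
    "AUTOSCALING:SCALE_OUT_SUCCESS", "AUTOSCALING:SCALE_IN_SUCCESS",
    "AUTOSCALING:SCALE_OUT_ERROR", "AUTOSCALING:SCALE_IN_ERROR",
    "AUTOSCALING:SCALE_REJECT", "AUTOSCALING:SCALE_OUT_START",
    "AUTOSCALING:SCALE_IN_START", "AUTOSCALING:SCHEDULE_TASK_EXPIRING",
}


def split_resource_id(resource_id):
    """Split 'scaling_group_id:notification_arn' at the first colon only.

    The ARN part contains colons itself, so a plain split(":") would
    tear it apart.
    """
    group_id, sep, arn = resource_id.partition(":")
    if not (sep and group_id and arn):
        raise ValueError(f"not a group:arn resource id: {resource_id!r}")
    return group_id, arn


def parse_notification_arn(arn):
    """Parse acs:ess:{region}:{account-id}:{resource-relative-id}."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[:2] != ["acs", "ess"]:
        raise ValueError(f"not an acs:ess ARN: {arn!r}")
    region, account_id, relative = parts[2:]
    # Assumption: account ids are all digits, as in the account id example.
    if not region or not account_id.isdigit():
        raise ValueError(f"bad region or account id in {arn!r}")
    if relative == "cloudmonitor":
        kind, name = "cloudmonitor", None
    else:
        # Assumption: 'queue/' and 'topic/' are followed by a resource name.
        kind, _, name = relative.partition("/")
        if kind not in ("queue", "topic") or not name:
            raise ValueError(f"unsupported resource-relative-id {relative!r}")
    return {"region": region, "account_id": account_id,
            "kind": kind, "name": name}


def check_notification(resource_id, notification_types, own_account_id):
    """Return a list of problems; an empty list means the target passes."""
    try:
        group_id, arn = split_resource_id(resource_id)
        target = parse_notification_arn(arn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if target["account_id"] != own_account_id:
        problems.append(
            f"{group_id}: events are delivered to account {target['account_id']}")
    unknown = sorted(set(notification_types) - NOTIFICATION_TYPES)
    if unknown:
        problems.append(f"{group_id}: unsupported notification_types {unknown}")
    if not notification_types:
        problems.append(f"{group_id}: notification_types is required")
    return problems


# Constructed sample values, not taken from a real deployment.
OWN_ACCOUNT = "1239306421830812"
GOOD_ID = "asg-abc123456:acs:ess:cn-hangzhou:1239306421830812:queue/tf-queue"
FOREIGN_ID = "asg-abc123456:acs:ess:cn-hangzhou:9999999999999999:topic/events"

if __name__ == "__main__":
    types = ["AUTOSCALING:SCALE_OUT_SUCCESS", "AUTOSCALING:SCALE_OUT_ERROR"]
    for rid in (GOOD_ID, FOREIGN_ID):
        print(rid, "->", check_notification(rid, types, OWN_ACCOUNT) or "ok")
```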

» alicloud_ess_lifecycle_hook
Provides an ESS lifecycle hook resource. For more about Ess lifecycle hook, see
LifecycleHook.

» Example Usage

data "alicloud_zones" "default" {


available_disk_category = "cloud_efficiency"
available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "foo" {


name = "testAccEssScalingGroup_vpc"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "foo" {
vpc_id = "${alicloud_vpc.foo.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
}

resource "alicloud_vswitch" "bar" {


vpc_id = "${alicloud_vpc.foo.id}"
cidr_block = "172.16.1.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
}

resource "alicloud_ess_scaling_group" "foo" {


min_size = 1
max_size = 1
scaling_group_name = "testAccEssScaling_group"
removal_policies = ["OldestInstance", "NewestInstance"]
vswitch_ids = ["${alicloud_vswitch.foo.id}", "${alicloud_vswitch.bar.id}"]
}

resource "alicloud_ess_lifecycle_hook" "foo" {


scaling_group_id = "${alicloud_ess_scaling_group.foo.id}"
name = "testAccEssLifecycle_hook"
lifecycle_transition = "SCALE_OUT"
heartbeat_timeout = 400
notification_metadata = "helloworld"
}

» Module Support

You can use the existing autoscaling module to create a lifecycle hook, scaling
group and configuration with one click.

» Argument Reference

The following arguments are supported:


• scaling_group_id - (Required, ForceNew) The ID of the Auto Scaling
group to which you want to assign the lifecycle hook.
• name - (Optional, ForceNew) The name of the lifecycle hook, which must
contain 2-64 characters (English or Chinese), starting with numbers, English
letters or Chinese characters, and can contain numbers, underscores (_),
hyphens (-) and decimal points (.). If this parameter value is not specified,
the default value is lifecycle hook id.

• lifecycle_transition - (Required) Type of Scaling activity attached to
lifecycle hook. Supported value: SCALE_OUT, SCALE_IN.
• heartbeat_timeout - (Optional) Defines the amount of time, in seconds,
that can elapse before the lifecycle hook times out. When the lifecycle hook
times out, Auto Scaling performs the action defined in the default_result
parameter. Default value: 600.
• default_result - (Optional) Defines the action the Auto Scaling group
should take when the lifecycle hook timeout elapses. Applicable value:
CONTINUE, ABANDON, default value: CONTINUE.
• notification_arn - (Optional) The Arn of notification target.
• notification_metadata - (Optional) Additional information that you
want to include when Auto Scaling sends a message to the notification
target.

» Attribute Reference

The following attributes are exported:


• id - The ID of lifecycle hook.
• scaling_group_id - The scalingGroupId to which lifecycle belongs.
• name - The name of lifecycle hook.
• default_result - The action the Auto Scaling group should take when
the lifecycle hook timeout elapses.
• heartbeat_timeout - The amount of time that can elapse before the
lifecycle hook time out.
• lifecycle_transition - Type of Scaling activity attached to lifecycle
hook.
• notification_metadata - Additional information that will be sent to
notification target.
• notification_arn - The arn of notification target.

» Import

Ess lifecycle hook can be imported using the id, e.g.


$ terraform import alicloud_ess_lifecycle_hook.example ash-l12345

» alicloud_ess_scaling_configuration
Provides an ESS scaling configuration resource.
NOTE: Several instance types have been outdated in some regions and availability
zones, such as ecs.t1.*, ecs.s2.*, ecs.n1.* and so on. If you want to
keep them, you should set is_outdated to true. For more about the upgraded
instance type, refer to alicloud_instance_types datasource.

» Example Usage

variable "name" {
default = "essscalingconfiguration"
}

data "alicloud_zones" "default" {


available_disk_category = "cloud_efficiency"
available_resource_creation = "VSwitch"
}

data "alicloud_instance_types" "default" {


availability_zone = "${data.alicloud_zones.default.zones.0.id}"
cpu_core_count = 2
memory_size = 4
}

data "alicloud_images" "default" {


name_regex = "^ubuntu_18.*64"
most_recent = true
owners = "system"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_security_group" "default" {


name = "${var.name}"
vpc_id = "${alicloud_vpc.default.id}"
}

resource "alicloud_security_group_rule" "default" {


type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "22/22"
priority = 1
security_group_id = "${alicloud_security_group.default.id}"
cidr_ip = "172.16.0.0/24"
}

resource "alicloud_ess_scaling_group" "default" {


min_size = 1
max_size = 1
scaling_group_name = "${var.name}"
removal_policies = ["OldestInstance", "NewestInstance"]
vswitch_ids = ["${alicloud_vswitch.default.id}"]
}

resource "alicloud_ess_scaling_configuration" "default" {


scaling_group_id = "${alicloud_ess_scaling_group.default.id}"
image_id = "${data.alicloud_images.default.images.0.id}"
instance_type = "${data.alicloud_instance_types.default.instance_types.0.id}"
security_group_id = "${alicloud_security_group.default.id}"
force_delete = true
}

» Module Support

You can use the existing autoscaling module to create a configuration, scaling
group and lifecycle hook in one click.

» Argument Reference

The following arguments are supported:


• scaling_group_id - (Required, ForceNew) ID of the scaling group of a
scaling configuration.
• image_id - (Required) ID of an image file, indicating the image resource
selected when an instance is enabled.
• instance_type - (Optional) Resource type of an ECS instance.
• instance_types - (Optional, Available in 1.46.0+) Resource types of an
ECS instance.
• instance_name - (Optional) Name of an ECS instance. Default to
”ESS-Instance”. It is valid from version 1.7.1.
• io_optimized - (Deprecated) It has been deprecated on instance resource.
All the launched alicloud instances will be I/O optimized.
• is_outdated - (Optional) Whether to use outdated instance type. Default
to false.
• security_group_id - (Optional) ID of the security group used to create
new instance. It conflicts with security_group_ids.
• security_group_ids - (Optional, Available in 1.43.0+) List of IDs of
the security groups used to create new instances. It conflicts with
security_group_id.
• scaling_configuration_name - (Optional) Name shown for the scheduled
task, which must contain 2-64 characters (English or Chinese), starting
with numbers, English letters or Chinese characters, and can contain
numbers, underscores _, hyphens -, and decimal points .. If this parameter
value is not specified, the default value is ScalingConfigurationId.
• internet_charge_type - (Optional) Network billing type. Values:
PayByBandwidth or PayByTraffic. Default to PayByBandwidth.
• internet_max_bandwidth_in - (Optional) Maximum incoming bandwidth
from the public network, measured in Mbps (Mega bit per second).
The value range is [1,200].
• internet_max_bandwidth_out - (Optional) Maximum outgoing bandwidth
from the public network, measured in Mbps (Mega bit per second).
The value range for PayByBandwidth is [0,100].
• system_disk_category - (Optional) Category of the system disk.
The parameter value options are ephemeral_ssd, cloud_efficiency,
cloud_ssd, cloud_essd and cloud. cloud is used only for some
non-I/O-optimized instances. Default to cloud_efficiency.
• system_disk_size - (Optional) Size of system disk, in GiB. Optional
values: cloud: 20-500, cloud_efficiency: 20-500, cloud_ssd: 20-500,
ephemeral_ssd: 20-500. The default value is max{40, ImageSize}. If this
parameter is set, the system disk size must be greater than or equal to
max{40, ImageSize}.
• enable - (Optional) Whether to enable the specified scaling group (make it
active) to which the current scaling configuration belongs.
• active - (Optional) Whether to activate the current scaling configuration
in the specified scaling group. Default to false.
• substitute - (Optional) Another scaling configuration which will
be activated automatically and replace the current configuration when
active is set to ’false’. It is invalid when active is ’true’.
• user_data - (Optional) User-defined data to customize the startup
behaviors of the ECS instance and to pass data into the ECS instance.
• key_name - (Optional) The name of the key pair that can log in to the ECS
instance without a password. If it is specified, the password would be
invalid.
• role_name - (Optional) Instance RAM role name. The name is provided
and maintained by RAM. You can use alicloud_ram_role to create a
new one.

• force_delete - (Optional) The last scaling configuration will be deleted
forcibly with deleting its scaling group. Default to false.
• data_disk - (Optional) DataDisk mappings to attach to the ECS instance. See
Block datadisk below for details.
• instance_ids - (Deprecated) It has been deprecated from version 1.6.0.
New resource alicloud_ess_attachment replaces it.
• tags - (Optional) A mapping of tags to assign to the resource. It will be
applied to the ECS instances.
– Key: It can be up to 64 characters in length. It cannot begin with
”aliyun”, ”http://”, or ”https://”. It cannot be a null string.
– Value: It can be up to 128 characters in length. It cannot begin with
”aliyun”, ”http://”, or ”https://”. It can be a null string.
• override - (Optional, Available in 1.46.0+) Indicates whether to overwrite
the existing data. Default to false.
• password_inherit - (Optional, Available in 1.62.0+) Specifies whether to
use the password that is predefined in the image. If the PasswordInherit
parameter is set to true, the password and kms_encrypted_password
will be ignored. You must ensure that the selected image has a password
configured.
• password - (Optional, ForceNew, Available in 1.60.0+) The password of
the ECS instance. The password must be 8 to 30 characters in length. It
must contain at least three of the following character types: uppercase
letters, lowercase letters, digits, and special characters. Special characters
include () ~!@#$%^&*-_+=\|{}[]:;'<>,.?/, The password of Windows-
based instances cannot start with a forward slash (/).
• kms_encrypted_password - (Optional, ForceNew, Available in 1.60.0+)
A KMS-encrypted password used for a db account. If the password is
filled in, this field will be ignored.
• kms_encryption_context - (Optional, MapString, Available in 1.60.0+)
A KMS encryption context used to decrypt kms_encrypted_password
before creating or updating a db account with kms_encrypted_password.
See Encryption Context. It is valid when kms_encrypted_password is
set.
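The three ways of setting instance credentials described by the password, kms_encrypted_password, kms_encryption_context and key_name arguments, shown side by side as an added example (not taken from the provider documentation). It assumes it is appended to the Example Usage above; the variable names, resource labels and the encryption context key/value are hypothetical.

```hcl
# Added example. Reuses alicloud_ess_scaling_group.default, the image and
# instance-type data sources and alicloud_security_group.default from the
# Example Usage above.

# Hypothetical input variables.
variable "instance_password" {
  description = "Plaintext ECS login password (used by the weak variant only)"
}

variable "kms_ciphertext" {
  description = "Ciphertext of the ECS login password, produced by KMS outside Terraform"
}

variable "key_pair_name" {
  description = "Name of an existing ECS key pair"
}

# Weak: the login password is a plaintext argument, so it is readable wherever
# the variable value is supplied and in the Terraform state.
resource "alicloud_ess_scaling_configuration" "plaintext_password" {
  scaling_group_id  = "${alicloud_ess_scaling_group.default.id}"
  image_id          = "${data.alicloud_images.default.images.0.id}"
  instance_type     = "${data.alicloud_instance_types.default.instance_types.0.id}"
  security_group_id = "${alicloud_security_group.default.id}"
  force_delete      = true

  password = "${var.instance_password}"
}

# Hardened: only the KMS ciphertext appears in the configuration. password is
# left unset because, when it is filled in, kms_encrypted_password is ignored.
resource "alicloud_ess_scaling_configuration" "kms_password" {
  scaling_group_id  = "${alicloud_ess_scaling_group.default.id}"
  image_id          = "${data.alicloud_images.default.images.0.id}"
  instance_type     = "${data.alicloud_instance_types.default.instance_types.0.id}"
  security_group_id = "${alicloud_security_group.default.id}"
  force_delete      = true

  kms_encrypted_password = "${var.kms_ciphertext}"

  # Assumed context. It has to be the same key/value pairs that were supplied
  # when the ciphertext was created, otherwise decryption fails.
  kms_encryption_context = {
    purpose = "ess-scaling-configuration"
  }
}

# Alternative: key-pair login. Per the key_name argument, a password is
# invalid once key_name is specified, so none is set here.
resource "alicloud_ess_scaling_configuration" "key_pair" {
  scaling_group_id  = "${alicloud_ess_scaling_group.default.id}"
  image_id          = "${data.alicloud_images.default.images.0.id}"
  instance_type     = "${data.alicloud_instance_types.default.instance_types.0.id}"
  security_group_id = "${alicloud_security_group.default.id}"
  force_delete      = true

  key_name = "${var.key_pair_name}"
}
```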
NOTE: Before enabling the scaling group, it must have an active scaling
configuration.
NOTE: If the number of attached ECS instances by instance_ids is smaller
than MinSize, the Auto Scaling Service will automatically create ECS
Pay-As-You-Go instances to cater to MinSize. For example, MinSize=5 and 2
existing ECS instances have been attached to the scaling group. When the
scaling group is enabled, it will create 3 instances automatically based on
its current active scaling configuration.
NOTE: Restrictions on attaching ECS instances:
• The attached ECS instances and the scaling group must have the same
region and network type (Classic or VPC).
• The attached ECS instances and the instance with active scaling
configurations must have the same instance type.
• The attached ECS instances must be in the running state.
• The attached ECS instances have not been attached to other scaling groups.
• The attached ECS instances support Subscription and Pay-As-You-Go
payment methods.
NOTE: The last scaling configuration can’t be set to inactive and deleted alone.

» Block datadisk

The datadisk mapping supports the following:


• size - (Optional) Size of data disk, in GB. The value ranges [5,2000] for
a cloud disk, [5,1024] for an ephemeral disk, [5,800] for an ephemeral_ssd
disk, [20,32768] for cloud_efficiency, cloud_ssd, cloud_essd disk.
• category - (Optional) Category of data disk. The parameter value options
are ephemeral_ssd, cloud_efficiency, cloud_ssd and cloud.
• snapshot_id - (Optional) Snapshot used for creating the data disk. If
this parameter is specified, the size parameter is neglected, and the size
of the created disk is the size of the snapshot.
• delete_with_instance - (Optional) Whether to delete the data disks
attached to the ECS instance when the instance is released. Optional value:
true or false, default to true.

» Attributes Reference

The following attributes are exported:


• id - The scaling configuration ID.

» Import

ESS scaling configuration can be imported using the id, e.g.


$ terraform import alicloud_ess_scaling_configuration.example asg-abc123456
NOTE: Available in 1.46.0+

» alicloud_ess_scaling_group
Provides an ESS scaling group resource, which is a collection of ECS instances
with the same application scenarios.
It defines the maximum and minimum numbers of ECS instances in the group,
and their associated Server Load Balancer instances, RDS instances, and other
attributes.
NOTE: You can launch an ESS scaling group for a VPC network via specifying
parameter vswitch_ids.

» Example Usage

variable "name" {
default = "essscalinggroupconfig"
}

data "alicloud_zones" "default" {


available_disk_category = "cloud_efficiency"
available_resource_creation = "VSwitch"
}

data "alicloud_instance_types" "default" {


availability_zone = "${data.alicloud_zones.default.zones.0.id}"
cpu_core_count = 2
memory_size = 4
}

data "alicloud_images" "default" {


name_regex = "^ubuntu_18.*64"
most_recent = true
owners = "system"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_security_group" "default" {


name = "${var.name}"
vpc_id = "${alicloud_vpc.default.id}"
}

resource "alicloud_security_group_rule" "default" {


type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "22/22"
priority = 1
security_group_id = "${alicloud_security_group.default.id}"
cidr_ip = "172.16.0.0/24"
}

resource "alicloud_vswitch" "default2" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.1.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}-bar"
}

resource "alicloud_ess_scaling_group" "default" {


min_size = 1
max_size = 1
scaling_group_name = "${var.name}"
default_cooldown = 20
vswitch_ids = ["${alicloud_vswitch.default.id}", "${alicloud_vswitch.default2.id}"]
removal_policies = ["OldestInstance", "NewestInstance"]
}

» Module Support

You can use the existing autoscaling module to create a scaling group,
configuration and lifecycle hook in one click.

» Argument Reference

The following arguments are supported:


• min_size - (Required) Minimum number of ECS instances in the scaling
group. Value range: [0, 1000].
• max_size - (Required) Maximum number of ECS instances in the scaling
group. Value range: [0, 1000].
• desired_capacity - (Optional, Available in 1.76.0+) Expected number of
ECS instances in the scaling group. Value range: [min_size, max_size].
• scaling_group_name - (Optional) Name shown for the scaling group,
which must contain 2-64 characters (English or Chinese), starting with
numbers, English letters or Chinese characters, and can contain numbers,
underscores _, hyphens -, and decimal points .. If this parameter is not
specified, the default value is ScalingGroupId.
• default_cooldown - (Optional) Default cool-down time (in seconds) of
the scaling group. Value range: [0, 86400]. The default value is 300s.
• vswitch_id - (Deprecated) It has been deprecated from version 1.7.1 and
new field ’vswitch_ids’ replaces it.
• vswitch_ids - (Optional) List of virtual switch IDs in which the ECS
instances are to be launched.
• removal_policies - (Optional) RemovalPolicy is used to select the ECS
instances you want to remove from the scaling group when multiple
candidates for removal exist. Optional values:
– OldestInstance: removes the first ECS instance attached to the
scaling group.
– NewestInstance: removes the first ECS instance attached to the
scaling group.
– OldestScalingConfiguration: removes the ECS instance with the
oldest scaling configuration.
– Default values: OldestScalingConfiguration and OldestInstance. You
can enter up to two removal policies.
• db_instance_ids - (Optional) If an RDS instance is specified in the
scaling group, the scaling group automatically attaches the Intranet IP
addresses of its ECS instances to the RDS access whitelist.
– The specified RDS instance must be in running status.
– The specified RDS instance’s whitelist must have room for more IP
addresses.
• loadbalancer_ids - (Optional) If a Server Load Balancer instance is
specified in the scaling group, the scaling group automatically attaches its
ECS instances to the Server Load Balancer instance.
– The Server Load Balancer instance must be enabled.
– At least one listener must be configured for each Server Load
Balancer and its HealthCheck must be on. Otherwise, creation will fail
(it may be useful to add a depends_on argument targeting your
alicloud_slb_listener in order to make sure the listener with
its HealthCheck configuration is ready before creating your scaling
group).
– The Server Load Balancer instance attached with VPC-type ECS
instances cannot be attached to the scaling group.
– The default weight of an ECS instance attached to the Server Load
Balancer instance is 50.
• multi_az_policy - (Optional, ForceNew) Multi-AZ scaling group ECS
instance expansion and contraction strategy. PRIORITY, BALANCE or
COST_OPTIMIZED (Available in 1.54.0+).
• on_demand_base_capacity - (Optional, Available in 1.54.0+) The minimum
amount of the Auto Scaling group’s capacity that must be fulfilled
by On-Demand Instances. This base portion is provisioned first as your
group scales.
• on_demand_percentage_above_base_capacity - (Optional, Available
in 1.54.0+) Controls the percentages of On-Demand Instances and Spot
Instances for your additional capacity beyond OnDemandBaseCapacity.
• spot_instance_pools - (Optional, Available in 1.54.0+) The number of
Spot pools to use to allocate your Spot capacity. The Spot pools are
composed of instance types of lowest price.
• spot_instance_remedy - (Optional, Available in 1.54.0+) Whether to
replace spot instances with newly created spot/onDemand instances when
a spot recycling message is received.

NOTE: When detaching loadbalancers, instances in the group will be removed
from the loadbalancer’s Default Server Group; conversely, when attaching
loadbalancers, instances in the group will be added to the loadbalancer’s
Default Server Group.
NOTE: When detaching dbInstances, private IPs of instances in the group will
be removed from the dbInstance’s WhiteList; conversely, when attaching
dbInstances, private IPs of instances in the group will be added to the
dbInstance’s WhiteList.
NOTE: on_demand_base_capacity,on_demand_percentage_above_base_capacity,spot_instance_pools,s
are valid only if multi_az_policy is ’COST_OPTIMIZED’.

» Attributes Reference

The following attributes are exported:


• id - The scaling group ID.
• min_size - The minimum number of ECS instances.
• max_size - The maximum number of ECS instances.
• scaling_group_name - The name of the scaling group.
• default_cooldown - The default cool-down of the scaling group.
• removal_policies - The removal policy used to select the ECS instance
to remove from the scaling group.
• db_instance_ids - The IDs of the db instances to which the ECS instances
are attached.
• loadbalancer_ids - The IDs of the slb instances to which the ECS instances
are attached.
• vswitch_ids - The IDs of the vswitches in which the ECS instances are
launched.

» Import

ESS scaling group can be imported using the id, e.g.


$ terraform import alicloud_ess_scaling_group.example asg-abc123456

» alicloud_ess_scaling_rule
Provides an ESS scaling rule resource.

» Example Usage

variable "name" {
default = "essscalingruleconfig"
}

data "alicloud_zones" "default" {


available_disk_category = "cloud_efficiency"
available_resource_creation = "VSwitch"
}

data "alicloud_instance_types" "default" {


availability_zone = "${data.alicloud_zones.default.zones.0.id}"
cpu_core_count = 2
memory_size = 4
}

data "alicloud_images" "default" {


name_regex = "^ubuntu_18.*64"
most_recent = true
owners = "system"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_security_group" "default" {
name = "${var.name}"
vpc_id = "${alicloud_vpc.default.id}"
}

resource "alicloud_security_group_rule" "default" {


type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "22/22"
priority = 1
security_group_id = "${alicloud_security_group.default.id}"
cidr_ip = "172.16.0.0/24"
}

resource "alicloud_ess_scaling_group" "default" {


min_size = 1
max_size = 1
scaling_group_name = "${var.name}"
vswitch_ids = ["${alicloud_vswitch.default.id}"]
removal_policies = ["OldestInstance", "NewestInstance"]
}

resource "alicloud_ess_scaling_configuration" "default" {


scaling_group_id = "${alicloud_ess_scaling_group.default.id}"
image_id = "${data.alicloud_images.default.images.0.id}"
instance_type = "${data.alicloud_instance_types.default.instance_types.0.id}"
security_group_id = "${alicloud_security_group.default.id}"
force_delete = "true"
}

resource "alicloud_ess_scaling_rule" "default" {


scaling_group_id = "${alicloud_ess_scaling_group.default.id}"
adjustment_type = "TotalCapacity"
adjustment_value = 1
}

» Module Support

You can use the existing autoscaling-rule module to create different types of
rules, alarm tasks and scheduled tasks in one click.

» Argument Reference

The following arguments are supported:


• scaling_group_id - (Required) ID of the scaling group of a scaling rule.
• adjustment_type - (Optional) Adjustment mode of a scaling rule.
Optional values:
– QuantityChangeInCapacity: It is used to increase or decrease a
specified number of ECS instances.
– PercentChangeInCapacity: It is used to increase or decrease a
specified proportion of ECS instances.
– TotalCapacity: It is used to adjust the quantity of ECS instances in
the current scaling group to a specified value.
• adjustment_value - (Optional) Adjusted value of a scaling rule. Value
range:
– QuantityChangeInCapacity: (0, 500] U (-500, 0]
– PercentChangeInCapacity: [0, 10000] U [-100, 0]
– TotalCapacity: [0, 1000]
• scaling_rule_name - (Optional) Name shown for the scaling rule, which
must contain 2-64 characters (English or Chinese), starting with numbers,
English letters or Chinese characters, and can contain numbers, underscores
_, hyphens -, and decimal points .. If this parameter value is not specified,
the default value is scaling rule id.
• cooldown - (Optional) Cool-down time of a scaling rule. Value range: [0,
86,400], in seconds. The default value is empty; if not set, the return value
will be 0, which is the default value of integer.
• scaling_rule_type - (Optional, Available in 1.58.0+) The scaling
rule type, either ”SimpleScalingRule”, ”TargetTrackingScalingRule”,
”StepScalingRule”. Default to ”SimpleScalingRule”.
• estimated_instance_warmup - (Optional, Available in 1.58.0+) The
estimated time, in seconds, until a newly launched instance will contribute
CloudMonitor metrics. Default to 300.
• metric_name - (Optional, Available in 1.58.0+) A CloudMonitor metric
name.
• target_value - (Optional, Available in 1.58.0+) The target value for the
metric.
• disable_scale_in - (Optional, Available in 1.58.0+) Indicates whether
scale in by the target tracking policy is disabled. Default to false.
• step_adjustment - (Optional, Available in 1.58.0+) Steps for
StepScalingRule. See Block stepAdjustment below for details.

» Block stepAdjustment

The stepAdjustment mapping supports the following:


• metric_interval_lower_bound - (Optional) The lower bound of step.

• metric_interval_upper_bound - (Optional) The upper bound of step.
• scaling_adjustment - (Optional) The adjust value of step.

» Attributes Reference

The following attributes are exported:


• id - The scaling rule ID.

» Import

ESS scaling rule can be imported using the id, e.g.


$ terraform import alicloud_ess_scaling_rule.example abc123456

» alicloud_ess_schedule
NOTE: This resource has been deprecated from v1.45.0. New resource
alicloud_ess_scheduled_task replaces it.

» alicloud_ess_scheduled_task
Provides an ESS schedule resource.

» Example Usage

variable "name" {
default = "essscheduleconfig"
}

data "alicloud_zones" "default" {


available_disk_category = "cloud_efficiency"
available_resource_creation = "VSwitch"
}

data "alicloud_instance_types" "default" {


availability_zone = "${data.alicloud_zones.default.zones.0.id}"
cpu_core_count = 2
memory_size = 4
}

data "alicloud_images" "default" {
name_regex = "^ubuntu_18.*64"
most_recent = true
owners = "system"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_security_group" "default" {


name = "${var.name}"
vpc_id = "${alicloud_vpc.default.id}"
}

resource "alicloud_security_group_rule" "default" {


type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "22/22"
priority = 1
security_group_id = "${alicloud_security_group.default.id}"
cidr_ip = "172.16.0.0/24"
}

resource "alicloud_ess_scaling_group" "default" {


min_size = 1
max_size = 1
scaling_group_name = "${var.name}"
vswitch_ids = ["${alicloud_vswitch.default.id}"]
removal_policies = ["OldestInstance", "NewestInstance"]
}

resource "alicloud_ess_scaling_configuration" "default" {


scaling_group_id = "${alicloud_ess_scaling_group.default.id}"
image_id = "${data.alicloud_images.default.images.0.id}"
instance_type = "${data.alicloud_instance_types.default.instance_types.0.id}"
security_group_id = "${alicloud_security_group.default.id}"
force_delete = "true"
}

resource "alicloud_ess_scaling_rule" "default" {


scaling_group_id = "${alicloud_ess_scaling_group.default.id}"
adjustment_type = "TotalCapacity"
adjustment_value = 2
cooldown = 60
}

resource "alicloud_ess_scheduled_task" "default" {


scheduled_action = "${alicloud_ess_scaling_rule.default.ari}"
launch_time = "2019-05-21T11:37Z"
scheduled_task_name = "${var.name}"
}

» Module Support

You can use the existing autoscaling-rule module to create scheduled tasks,
different types of rules and alarm tasks in one click.

» Argument Reference

The following arguments are supported:


• scheduled_action - (Required) The operation to be performed when a
scheduled task is triggered. Enter the unique identifier of a scaling rule.
• scheduled_task_name - (Optional) Display name of the scheduled task,
which must be 2-40 characters (English or Chinese) long.
• description - (Optional) Description of the scheduled task, which is
2-200 characters (English or Chinese) long.
• launch_time - (Required) The time at which the scheduled task is
triggered. Specify the time in the ISO 8601 standard in the
YYYY-MM-DDThh:mm:ssZ format. The time must be in UTC. You cannot enter a
time point later than 90 days from the date of scheduled task creation. If
the recurrence_type parameter is specified, the task is executed
repeatedly at the time specified by LaunchTime. Otherwise, the task is only
executed once at the date and time specified by LaunchTime.
• launch_expiration_time - (Optional) The time period during which a
failed scheduled task is retried. Unit: seconds. Valid values: 0 to 21600.
Default value: 600.
• recurrence_type - (Optional) Specifies the recurrence type of the
scheduled task. If set, both recurrence_value and recurrence_end_time
must be set. Valid values:
– Daily: The scheduled task is executed once every specified number
of days.
– Weekly: The scheduled task is executed on each specified day of a
week.
– Monthly: The scheduled task is executed on each specified day of a
month.
– Cron: (Available in 1.60.0+) The scheduled task is executed based
on the specified cron expression.
• recurrence_value - (Optional) Specifies how often a scheduled task
recurs. The valid value depends on recurrence_type:
– Daily: You can enter one value. Valid values: 1 to 31.
– Weekly: You can enter multiple values and separate them with
commas (,). For example, the values 0 to 6 correspond to the days of the
week in sequence from Sunday to Saturday.
– Monthly: You can enter two values in A-B format. Valid values of A
and B: 1 to 31. The value of B must be greater than or equal to the
value of A.
– Cron: You can enter a cron expression which is written in UTC and
consists of five fields: minute, hour, day of month (date), month,
and day of week. The expression can contain wildcard characters
including commas (,), question marks (?), hyphens (-), asterisks (*),
number signs (#), forward slashes (/), and the L and W letters.
• recurrence_end_time - (Optional) Specifies the end time after which
the scheduled task is no longer repeated. Specify the time in the ISO
8601 standard in the YYYY-MM-DDThh:mm:ssZ format. The time must
be in UTC. You cannot enter a time point later than 365 days from the
date of scheduled task creation.

• task_enabled - (Optional) Specifies whether to start the scheduled task.
Default to true.

» Attributes Reference

The following attributes are exported:


• id - The schedule task ID.

» Import

ESS schedule task can be imported using the id, e.g.


$ terraform import alicloud_ess_scheduled_task.example abc123456

» alicloud_ess_scalinggroup_vserver_groups
Attaches/Detaches vserver groups to a specified scaling group.
NOTE: The load balancer to which the vserver groups belong must be in active
status.
NOTE: If the scaling group’s network type is VPC, the vserver groups must be in
the same VPC.
NOTE: A scaling group can have at most 5 vserver groups attached by default.
NOTE: Vserver groups and the default group of the loadbalancer share the same
backend server quota.
NOTE: When attaching vserver groups to a scaling group, existing ECS instances
will be added to the vserver groups; conversely, ECS instances will be removed
from the vserver group when detaching.
NOTE: Detach action will be executed before attach action.
NOTE: A vserver group is defined uniquely by loadbalancer_id, vserver_group_id,
port.
NOTE: Modifying the weight attribute means detaching the vserver group first
and then attaching it with the new weight parameter.
NOTE: Resource alicloud_ess_scalinggroup_vserver_groups is available
in 1.53.0+.

» Example Usage

variable "name" {
default = "testAccEssVserverGroupsAttachment"
}

data "alicloud_zones" "default" {


available_disk_category = "cloud_efficiency"
available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_slb" "default" {


name = "${var.name}"
vswitch_id = "${alicloud_vswitch.default.id}"
}

resource "alicloud_slb_server_group" "default" {


load_balancer_id = "${alicloud_slb.default.id}"
name = "test"
}

resource "alicloud_slb_listener" "default" {


count = 2
load_balancer_id = "${element(alicloud_slb.default.*.id, count.index)}"
backend_port = "22"
frontend_port = "22"
protocol = "tcp"
bandwidth = "10"
health_check_type = "tcp"
}

resource "alicloud_ess_scaling_group" "default" {


min_size = "2"
max_size = "2"
scaling_group_name = "${var.name}"
vswitch_ids = ["${alicloud_vswitch.default.id}"]
depends_on = ["alicloud_slb_listener.default"]
}

resource "alicloud_ess_scalinggroup_vserver_groups" "default" {


scaling_group_id = "${alicloud_ess_scaling_group.default.id}"
vserver_groups {
loadbalancer_id = "${alicloud_slb.default.id}"
vserver_attributes {
vserver_group_id = "${alicloud_slb_server_group.default.id}"
port = "100"
weight = "60"
}
}
}

» Argument Reference

The following arguments are supported:


• scaling_group_id - (Required) ID of the scaling group.
• vserver_groups - (Optional) A list of vserver groups attached on scaling
group. See Block vserver_group below for details.
• force - (Optional, Available in 1.64.0+) Whether instances of the scaling
group are attached to/removed from the slb backend server when the vserver
group is attached to/detached from the scaling group. Default to true.

» Block vserver_group

The vserver_group supports the following:


• loadbalancer_id - (Required) Loadbalancer server ID of VServer Group.
• vserver_attributes - (Required) A list of VServer Group attributes. See
Block vserver_attribute below for details.

» Block vserver_attribute

• vserver_group_id - (Required) ID of VServer Group.
• port - (Required) The port that will be used for the VServer Group backend
server.
• weight - (Required) The weight of an ECS instance attached to the
VServer Group.

» Attributes Reference

The following attributes are exported:


• id - (Required, ForceNew) The ESS vserver groups attachment resource
ID.

» Import

ESS vserver groups can be imported using the id, e.g.


$ terraform import alicloud_ess_scalinggroup_vserver_groups.example abc123456

» alicloud_ddosbgp_instances
This data source provides a list of Anti-DDoS Advanced instances in an Alibaba
Cloud account according to the specified filters.
NOTE: Available in 1.57.0+.

» Example Usage

data "alicloud_ddosbgp_instances" "instance" {


name_regex = "^ddosbgp"
}

output "instance" {
value = "${data.alicloud_ddosbgp_instances.instance.ids}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter results by the instance
name.
• region - (Optional) A region of instance.
• ids - (Optional) A list of instance IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:

• ids - A list of instance IDs.
• names - A list of instance names.
• instances - A list of apis. Each element contains the following attributes:
– id - The instance’s id.
– name - The instance’s remark.
– type - The instance’s type.
– region - The instance’s region.
– base_bandwidth - The instance’s base defend bandwidth.
– bandwidth - The instance’s elastic defend bandwidth.
– ip_type - The instance’s IP version.
– ip_count - The instance’s count of ip config.

» alicloud_ddoscoo_instances
This data source provides a list of BGP-Line Anti-DDoS Pro instances in an
Alibaba Cloud account according to the specified filters.

» Example Usage

data "alicloud_ddoscoo_instances" "instance" {


name_regex = "^ddoscoo"
}

output "instance" {
value = "${data.alicloud_ddoscoo_instances.instance.ids}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter results by the instance
name.
• ids - (Optional) A list of instance IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:

• ids - A list of instance IDs.
• names - A list of instance names.
• instances - A list of apis. Each element contains the following attributes:
– id - The instance’s id.
– name - The instance’s remark.
– base_bandwidth - The instance’s base defend bandwidth.
– bandwidth - The instance’s elastic defend bandwidth.
– service_bandwidth - The instance’s business bandwidth.
– port_count - The instance’s count of port retransmission config.
– domain_count - The instance’s count of domain retransmission config.

» alicloud_ddosbgp_instance
Anti-DDoS Advanced instance resource. "Ddosbgp" is the short name of this
product.
NOTE: At present, the bssopenapi endpoint only supports "business.aliyuncs.com".
NOTE: Available in 1.57.0+.

» Example Usage

Basic Usage
provider "alicloud" {
  endpoints {
    bssopenapi = "business.aliyuncs.com"
  }
}

resource "alicloud_ddosbgp_instance" "instance" {
  name = "yourDdosbgpInstanceName"
  base_bandwidth = "20"
  bandwidth = "201"
  ip_count = "100"
  ip_type = "IPv4"
}

» Argument Reference

The following arguments are supported:


• type - (Required, ForceNew) Type of the instance. Valid values:
Enterprise, Professional. Default to Enterprise.
• name - (Required) Name of the instance. This name can have a string of
1 to 63 characters.
• base_bandwidth - (Optional, ForceNew) Base defend bandwidth of the
instance. Valid values: 20. The unit is Gbps. Default to 20.
• bandwidth - (Required, ForceNew) Elastic defend bandwidth of the
instance. This value must be larger than the base defend bandwidth. Valid
values: 51, 91, 101, 201, 301. The unit is Gbps.
• ip_count - (Required, ForceNew) IP count of the instance. Valid values:
100.
• ip_type - (Required, ForceNew) IP version of the instance. Valid values:
IPv4, IPv6.
• period - (Optional, ForceNew) The duration, in months, for which the
Ddosbgp instance is purchased. Valid values: [1~9], 12, 24, 36. Default to
12. At present, the provider does not support modifying "period".

» Attributes Reference

The following attributes are exported:


• id - The ID of the instance resource of Ddosbgp.

» Import

Ddosbgp instance can be imported using the id, e.g.

$ terraform import alicloud_ddosbgp_instance.example ddosbgp-abc123456

» alicloud_ddoscoo_instance
BGP-Line Anti-DDoS instance resource. "Ddoscoo" is the short name of this
product. See What is Anti-DDoS Pro.
NOTE: The product region only supports cn-hangzhou.
NOTE: At present, the bssopenapi endpoint only supports "business.aliyuncs.com".
NOTE: Available in 1.37.0+.

» Example Usage

Basic Usage
provider "alicloud" {
  endpoints {
    bssopenapi = "business.aliyuncs.com"
  }
}

resource "alicloud_ddoscoo_instance" "newInstance" {
  name = "yourDdoscooInstanceName"
  bandwidth = "30"
  base_bandwidth = "30"
  service_bandwidth = "100"
  port_count = "50"
  domain_count = "50"
  period = "1"
}

» Argument Reference

The following arguments are supported:


• name - (Required) Name of the instance. This name can have a string of
1 to 63 characters.
• base_bandwidth - (Required) Base defend bandwidth of the instance.
Valid values: 30, 60, 100, 300, 400, 500, 600. The unit is Gbps. Only
upgrades are supported.
• bandwidth - (Required) Elastic defend bandwidth of the instance. This
value must be larger than the base defend bandwidth. Valid values: 30,
60, 100, 300, 400, 500, 600. The unit is Gbps. Only upgrades are supported.
• service_bandwidth - (Required) Business bandwidth of the instance. At
least 100, increasing in steps of 100, such as 100, 200, 300. The unit is
Mbps. Only upgrades are supported.
• port_count - (Required) Port retransmission rule count of the instance.
At least 50, increasing in steps of 5, such as 55, 60, 65. Only upgrades
are supported.
• domain_count - (Required) Domain retransmission rule count of the
instance. At least 50, increasing in steps of 5, such as 55, 60, 65. Only
upgrades are supported.
• period - (Optional, ForceNew) The duration, in months, for which the
Ddoscoo instance is purchased. Valid values: [1~9], 12, 24, 36. Default to
1. At present, the provider does not support modifying "period".

» Attributes Reference

The following attributes are exported:


• id - The ID of the instance resource of Ddoscoo.

» Import

Ddoscoo instance can be imported using the id, e.g.


$ terraform import alicloud_ddoscoo_instance.example ddoscoo-cn-123456

» alicloud_cdn_domain
DEPRECATED: This resource is based on CDN’s old version OpenAPI and
has been deprecated from version 1.34.0. Please use the new resource
alicloud_cdn_domain_new and its config alicloud_cdn_domain_config instead.
Provides a CDN Accelerated Domain resource.

» Example Usage

# Add a CDN Accelerated Domain with configs.
resource "alicloud_cdn_domain" "domain" {
  domain_name = "${your_cdn_domain_name}"
  cdn_type = "web"
  source_type = "domain"
  sources = ["${your_cdn_domain_source1}", "${your_cdn_domain_source2}"]

  // configs
  optimize_enable = "off"
  page_compress_enable = "off"
  range_enable = "off"
  video_seek_enable = "off"
  block_ips = ["1.2.3.4", "111.222.111.111"]
  parameter_filter_config {
    enable = "on"
    hash_key_args = ["hello", "youyouyou"]
  }
  page_404_config {
    page_type = "other"
    custom_page_url = "http://${your_cdn_domain_name}/notfound/"
  }
  refer_config {
    refer_type = "block"
    refer_list = ["www.xxxx.com", "www.xxxx.cn"]
    allow_empty = "off"
  }
  auth_config {
    auth_type = "type_a"
    master_key = "helloworld1"
    slave_key = "helloworld2"
  }
  http_header_config {
    header_key = "Content-Type"
    header_value = "text/plain"
  }
  http_header_config {
    header_key = "Access-Control-Allow-Origin"
    header_value = "*"
  }
  cache_config {
    cache_content = "/hello/world"
    ttl = 1000
    cache_type = "path"
  }
  cache_config {
    cache_content = "/hello/world/youyou"
    ttl = 1000
    cache_type = "path"
  }
  cache_config {
    cache_content = "txt,jpg,png"
    ttl = 2000
    cache_type = "suffix"
  }
}

» Argument Reference

The following arguments are supported:


• domain_name - (Required) Name of the accelerated domain. This name
without suffix can have a string of 1 to 63 characters, must contain only
alphanumeric characters or "-", must not begin or end with "-", and "-"
must not be in the 3rd and 4th character positions at the same time.
Suffixes .sh and .tel are not supported.
• cdn_type - (Required) Cdn type of the accelerated domain. Valid values
are web, download, video, liveStream.
• source_type - (Optional) Source type of the accelerated domain. Valid
values are ipaddr, domain, oss. You must set this parameter when
cdn_type value is not liveStream.
• source_port - (Optional) Source port of the accelerated domain. Valid
values are 80 and 443. Default value is 80. You must use 80 when the
source_type is oss.
• sources - (Optional, Type: list) Sources of the accelerated domain. It’s a
list of domain names or IP addresses and consists of at most 20 items. You
must set this parameter when cdn_type value is not liveStream.
• scope - (Optional) Scope of the accelerated domain. Valid values are
domestic, overseas, global. Default value is domestic. This parameter’s
setting is valid only for international users and domestic L3 and above
users.

» Domain config
The config supports the following:
• optimize_enable - (Optional) Page Optimize config of the accelerated
domain. Valid values are on and off. Default value is off. When this
parameter is on, it can effectively remove redundant page content, reduce
the file size and improve the speed of distribution.
• page_compress_enable - (Optional) Page Compress config of the
accelerated domain. Valid values are on and off. Default value is off.
• range_enable - (Optional) Range Source config of the accelerated domain.
Valid values are on and off. Default value is off.
• video_seek_enable - (Optional) Video Seek config of the accelerated
domain. Valid values are on and off. Default value is off.

» Block parameter_filter_config

parameter_filter_config - (Optional, Type: set) Parameter filter config of
the accelerated domain. It’s a set and consists of at most one item.
• enable - (Optional) This parameter indicates whether or not the
parameter_filter_config is enabled. Valid values are on and off. Default
value is off.
• hash_key_args - (Optional, Type: list) Reserved parameters of
parameter_filter_config. It’s a list of strings and consists of at most 10
items.

» Block page_404_config

page_404_config - (Optional, Type: set) Error Page config of the accelerated
domain. It’s a set and consists of at most one item.
• page_type - (Optional) Page type of the error page. Valid values are
default, charity, other. Default value is default.
• custom_page_url - (Optional) Custom page url of the error page. It must
be the full path under the accelerated domain name. Its value must be
http://promotion.alicdn.com/help/oss/error.html when page_type value is
charity, and it cannot be set when page_type value is default.

» Block refer_config

refer_config - (Optional, Type: set) Refer anti-theft chain config of the
accelerated domain. It’s a set and consists of at most 1 item.
• refer_type - (Optional) Refer type of the refer config. Valid values are
block and allow. Default value is block.
• refer_list - (Required, Type: list) A list of domain names of the refer
config.
• allow_empty - (Optional) This parameter indicates whether or not to allow
empty refer access. Valid values are on and off. Default value is on.

» Block auth_config

auth_config - (Optional, Type: set) Auth config of the accelerated domain.
It’s a set and consists of at most 1 item.
• auth_type - (Optional) Auth type of the auth config. Valid values are
no_auth, type_a, type_b and type_c. Default value is no_auth.
• master_key - (Optional) Master authentication key of the auth config.
This parameter can have a string of 6 to 32 characters and must contain
only alphanumeric characters.
• slave_key - (Optional) Slave authentication key of the auth config. This
parameter can have a string of 6 to 32 characters and must contain only
alphanumeric characters.
• timeout - (Optional, Type: int) Authentication cache time of the auth
config. Default value is 1800. Its value is valid only when the auth_type
is type_b or type_c.

» Block certificate_config

certificate_config - (Optional, Type: set) Certificate config of the
accelerated domain. It’s a set and consists of at most 1 item.
• server_certificate_status - (Optional) This parameter indicates whether
or not to enable HTTPS. Valid values are on and off. Default value is on.
• server_certificate - (Optional) The SSL server certificate string. This
is required if server_certificate_status is on.
• private_key - (Optional) The SSL private key. This is required if
server_certificate_status is on.

» Block http_header_config

http_header_config - (Optional, Type: set) Http header config of the
accelerated domain. It’s a set and consists of at most 8 items. The
header_key of each item cannot be repeated.
• header_key - (Required) Header key of the http header. Valid values are
Content-Type, Cache-Control, Content-Disposition, Content-Language,
Expires, Access-Control-Allow-Origin, Access-Control-Allow-Methods and
Access-Control-Max-Age.
• header_value - (Required) Header value of the http header.

» Block cache_config

cache_config - (Optional, Type: set) Cache config of the accelerated domain.
It’s a set and each item’s cache_content cannot be repeated.
• cache_type - (Required) Cache type of the cache config. Valid values are
suffix and path.
• cache_content - (Required) Cache content of the cache config. Its value
is a path string when the cache_type is path. When the cache_type is
suffix, its value is a string which contains multiple file suffixes
separated by commas.
• ttl - (Required, Type: int) Cache time of the cache config.
• weight - (Optional, Type: int) Weight of the cache config. This
parameter’s value is between 1 and 99. Default value is 1. The higher the
value, the higher the priority.

» Attributes Reference

The following attributes are exported:


• domain_name - The accelerated domain name.
• sources - The accelerated domain sources.
• cdn_type - The cdn type of the accelerated domain.
• source_type - The source type of the accelerated domain.
• scope - The accelerated domain scope.
• optimize_enable - The page optimize config of the accelerated domain.
• page_compress_enable - The page compress config of the accelerated
domain.
• range_enable - The range source config of the accelerated domain.
• video_seek_enable - The video seek config of the accelerated domain.
• parameter_filter_config - The parameter filter config of the
accelerated domain.
• page_404_config - The error page config of the accelerated domain.
• refer_config - The refer config of the accelerated domain.
• auth_config - The auth config of the accelerated domain.
• http_header_config - The http header configs of the accelerated domain.
• cache_config - The cache configs of the accelerated domain.
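
The limits documented above for the alicloud_cdn_domain blocks can be checked before running terraform plan. The following Python linter is an added example, not code from the provider or its documentation; the function name, the dict layout that mirrors the resource arguments, and the two WARN rules (empty Referer admitted, wildcard Access-Control-Allow-Origin) are assumptions of this example.

```python
import re

# Limits transcribed from the alicloud_cdn_domain argument reference above.
HEADER_KEYS = {"Content-Type", "Cache-Control", "Content-Disposition",
               "Content-Language", "Expires", "Access-Control-Allow-Origin",
               "Access-Control-Allow-Methods", "Access-Control-Max-Age"}
AUTH_TYPES = {"no_auth", "type_a", "type_b", "type_c"}
SINGLE_ITEM_BLOCKS = ("parameter_filter_config", "page_404_config",
                      "refer_config", "auth_config", "certificate_config")
CHARITY_URL = "http://promotion.alicdn.com/help/oss/error.html"
KEY_RE = re.compile(r"[A-Za-z0-9]{6,32}")


def lint_cdn_domain(cfg):
    """Lint one alicloud_cdn_domain config dict (nested blocks are lists of dicts).

    ERROR = a documented constraint is broken; WARN = assumed review policy.
    """
    out = []
    port = cfg.get("source_port", 80)
    if port not in (80, 443):
        out.append("ERROR source_port must be 80 or 443")
    elif cfg.get("source_type") == "oss" and port != 80:
        out.append("ERROR source_port must be 80 when source_type is oss")
    for block in SINGLE_ITEM_BLOCKS:
        if len(cfg.get(block, [])) > 1:
            out.append(f"ERROR {block} accepts at most one item")
    for page in cfg.get("page_404_config", []):
        ptype, url = page.get("page_type", "default"), page.get("custom_page_url")
        if ptype == "default" and url is not None:
            out.append("ERROR custom_page_url cannot be set when page_type is default")
        if ptype == "charity" and url is not None and url != CHARITY_URL:
            out.append("ERROR custom_page_url must be the charity page URL")
    for ref in cfg.get("refer_config", []):
        if not ref.get("refer_list"):
            out.append("ERROR refer_config.refer_list is required")
        if ref.get("allow_empty", "on") == "on":  # the documented default is on
            out.append("WARN refer_config admits requests with an empty Referer")
    for auth in cfg.get("auth_config", []):
        auth_type = auth.get("auth_type", "no_auth")
        if auth_type not in AUTH_TYPES:
            out.append(f"ERROR unknown auth_type {auth_type!r}")
        for name in ("master_key", "slave_key"):
            key = auth.get(name)
            if key is not None and not KEY_RE.fullmatch(key):
                out.append(f"ERROR {name} must be 6 to 32 alphanumeric characters")
        if "timeout" in auth and auth_type not in ("type_b", "type_c"):
            out.append("ERROR timeout is valid only with type_b or type_c")
    for cert in cfg.get("certificate_config", []):
        if cert.get("server_certificate_status", "on") == "on" and not (
                cert.get("server_certificate") and cert.get("private_key")):
            out.append("ERROR certificate and private_key are required when HTTPS is on")
    headers = cfg.get("http_header_config", [])
    keys = [h.get("header_key") for h in headers]
    if len(headers) > 8:
        out.append("ERROR http_header_config has more than 8 items")
    if len(set(keys)) != len(keys):
        out.append("ERROR http_header_config repeats a header_key")
    for key, value in ((h.get("header_key"), h.get("header_value")) for h in headers):
        if key not in HEADER_KEYS:
            out.append(f"ERROR unsupported header_key {key!r}")
        elif (key, value) == ("Access-Control-Allow-Origin", "*"):
            out.append("WARN Access-Control-Allow-Origin is '*'")
    return out


# The page's Example Usage as a dict (blocks this linter reads; placeholder domain).
PAGE_EXAMPLE = {
    "source_type": "domain",
    "page_404_config": [{"page_type": "other",
                         "custom_page_url": "http://cdn.example.com/notfound/"}],
    "refer_config": [{"refer_type": "block", "allow_empty": "off",
                      "refer_list": ["www.xxxx.com", "www.xxxx.cn"]}],
    "auth_config": [{"auth_type": "type_a", "master_key": "helloworld1",
                     "slave_key": "helloworld2"}],
    "http_header_config": [
        {"header_key": "Content-Type", "header_value": "text/plain"},
        {"header_key": "Access-Control-Allow-Origin", "header_value": "*"}],
}

# Constructed config that breaks several of the documented constraints.
BROKEN = {
    "source_type": "oss", "source_port": 443,
    "page_404_config": [{"page_type": "default",
                         "custom_page_url": "http://cdn.example.com/404"}],
    "refer_config": [{"refer_type": "allow", "refer_list": ["www.example.com"]}],
    "auth_config": [{"auth_type": "type_a", "master_key": "short", "timeout": 600}],
    "http_header_config": [{"header_key": "X-Debug", "header_value": "1"}],
}

if __name__ == "__main__":
    for label, cfg in (("page example", PAGE_EXAMPLE), ("broken", BROKEN)):
        print(label, lint_cdn_domain(cfg) or "clean")
```

The page's own example passes every documented constraint and is flagged only for the wildcard Access-Control-Allow-Origin header.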

» alicloud_cdn_domain_config
Provides a CDN Accelerated Domain resource.
For information about domain config and how to use it, see Batch set config.
NOTE: Available in v1.34.0+.

» Example Usage

Basic Usage
# Create a new Domain config.
resource "alicloud_cdn_domain_new" "domain" {
  domain_name = "tf-testacc%d.xiaozhu.com"
  cdn_type = "web"
  scope = "overseas"
  sources {
    content = "1.1.1.1"
    type = "ipaddr"
    priority = "20"
    port = 80
    weight = "15"
  }
}
resource "alicloud_cdn_domain_config" "config" {
  domain_name = "${alicloud_cdn_domain_new.domain.domain_name}"
  function_name = "ip_allow_list_set"
  function_args {
    arg_name = "ip_list"
    arg_value = "110.110.110.110"
  }
}

» Argument Reference

The following arguments are supported:


• domain_name - (Required, ForceNew) Name of the accelerated domain.
This name without suffix can have a string of 1 to 63 characters, must
contain only alphanumeric characters or "-", must not begin or end with
"-", and "-" must not be in the 3rd and 4th character positions at the
same time. Suffixes .sh and .tel are not supported.
• function_name - (Required, ForceNew) The name of the domain config.
• function_args - (Required, ForceNew, Type: list) The args of the domain
config.

» Block function_args

The function_args block supports the following:


• arg_name - (Required) The name of arg.
• arg_value - (Required) The value of arg.

» Attributes Reference

The following attributes are exported:


• id - The ID of the domain config. The value is formatted as
<domain_name>:<function_name>.

» Import

CDN domain config can be imported using the id, e.g.


terraform import alicloud_cdn_domain_config.example cdn:config-abc123456

» alicloud_cdn_domain_new
Provides a CDN Accelerated Domain resource. This resource is based on CDN’s
new version OpenAPI.
For information about Cdn Domain New and how to use it, see Add a domain.
NOTE: Available in v1.34.0+.

» Example Usage

Basic Usage
# Create a new Domain.
resource "alicloud_cdn_domain_new" "domain" {
  domain_name = "terraform.test.com"
  cdn_type = "web"
  scope = "overseas"
  sources {
    content = "1.1.1.1"
    type = "ipaddr"
    priority = 20
    port = 80
    weight = 10
  }
}

» Argument Reference

The following arguments are supported:


• domain_name - (Required) Name of the accelerated domain. This name
without suffix can have a string of 1 to 63 characters, must contain only
alphanumeric characters or "-", must not begin or end with "-", and "-"
must not be in the 3rd and 4th character positions at the same time.
Suffixes .sh and .tel are not supported.
• cdn_type - (Required, ForceNew) Cdn type of the accelerated domain.
Valid values are web, download, video.
• scope - (Optional) Scope of the accelerated domain. Valid values are
domestic, overseas, global. Default value is domestic. This parameter’s
setting is valid only for international users and domestic L3 and above
users.
• sources - (Optional, Type: list) The source address list of the accelerated
domain. Defaults to null. See Block Sources.
• certificate_config - (Optional, Type: list, Available in 1.52.0+)
Certificate config of the accelerated domain. It’s a list and consists of
at most 1 item.
• resource_group_id - (Optional, Available in v1.67.0+) Resource group
ID.

» Block sources

The sources block supports the following:


• content - (Required) The address of the source. Valid values can be ip or
domainName. Each item’s content cannot be repeated.
• type - (Required) The type of the source. Valid values are ipaddr, domain
and oss.
• port - (Optional, Type: int) The port of source. Valid values are 443 and
80. Default value is 80.
• priority - (Optional, Type: int) Priority of the source. Valid values are
0 and 100. Default value is 20.
• weight - (Optional, Type: int) Weight of the source. Valid values are
from 0 to 100. Default value is 10, but if type is ipaddr, the value can
only be 10.

» Block certificate_config

The certificate_config block supports the following:


• server_certificate_status - (Optional) This parameter indicates
whether or not to enable HTTPS. Valid values are on and off. Default value
is on.
• server_certificate - (Optional) The SSL server certificate string. This
is required if server_certificate_status is on.
• private_key - (Optional) The SSL private key. This is required if
server_certificate_status is on.
• force_set - (Optional) Set to 1 to skip the duplicate-name verification
for the certificate and overwrite the information of the original
certificate with the same name. Set to 0 to perform the verification.
• cert_name - (Optional) The SSL certificate name.
• cert_type - (Optional) The SSL certificate type, can be "upload", "cas"
and "free".
• tags - (Optional, Available in v1.55.2+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported:


• id - The cdn domain id. The value is same as the domain name.

» Import

CDN domain can be imported using the id, e.g.


terraform import alicloud_cdn_domain_new.example xxxx.com

» alicloud_yundun_bastionhost_instances
This data source provides a list of cloud Bastionhost instances in an Alibaba
Cloud account according to the specified filters.
NOTE: Available in 1.63.0+.

» Example Usage

data "alicloud_yundun_bastionhost_instances" "instance" {
  description_regex = "^bastionhost"
}

output "instance" {
  value = "${data.alicloud_yundun_bastionhost_instances.instance.ids}"
}

» Argument Reference

The following arguments are supported:


• description_regex - (Optional) A regex string to filter results by the
instance description.
• ids - (Optional) Matched instance IDs to filter data source result.
• output_file - (Optional) File name to persist data source output.
• descriptions - (Optional) Descriptions to filter data source result.
• tags - (Optional, Available in v1.67.0+) A map of tags assigned
to the bastionhost instance. It must be in the format:
data "alicloud_yundun_bastionhost_instances" "instance" {
  tags = {
    tagKey1 = "tagValue1"
  }
}

» Attributes Reference

The following attributes are exported in addition to the arguments listed
above:
• instances - A list of instances. Each element contains the following
attributes:
– id - The instance’s id.
– description - The instance’s remark.
– user_vswitch_id - The instance’s vSwitch ID.
– private_domain - The instance’s private domain name.
– public_domain - The instance’s public domain name.
– instance_status - The instance’s status.
– public_network_access - The instance’s public network access
configuration.
– security_group_ids - The instance’s security group configuration.
– tags - A map of tags assigned to the bastionhost instance.

» alicloud_yundun_bastionhost_instance
Cloud Bastionhost instance resource ("Yundun_bastionhost" is the short name
of this product).
NOTE: At present, the bssopenapi endpoint only supports "business.aliyuncs.com".
NOTE: Available in 1.63.0+.
NOTE: In order to destroy a Cloud Bastionhost instance, users are required to
apply for the white list first.

» Example Usage

Basic Usage
provider "alicloud" {
  endpoints {
    bssopenapi = "business.aliyuncs.com"
  }
}

resource "alicloud_yundun_bastionhost_instance" "default" {
  description = "Terraform-test"
  plan_code = "alpha.professional"
  period = "1"
  vswitch_id = "v-testVswitch"
  security_group_ids = "sg-test"
}

» Argument Reference

The following arguments are supported:


• plan_code - (Required) Plan code of the Cloud Bastionhost to produce.
(alpha.professional, alpha.basic, alpha.premium)
• description - (Required) Description of the instance. This name can
have a string of 1 to 63 characters.
• period - (ForceNew) Duration for initially producing the instance. Valid
values: [1~9], 12, 24, 36. Default to 1. At present, the provider does not
support modifying "period".
• vswitch_id - (Required, ForceNew) vSwitch ID configured to bastionhost.
• security_group_ids - (Required) Security group IDs configured to
bastionhost.
• tags - (Optional, Available in v1.67.0+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported:


• id - The ID of the instance resource of Yundun_bastionhost.

» Import

Yundun_bastionhost instance can be imported using the id, e.g.


$ terraform import alicloud_yundun_bastionhost_instance.example bastionhost-exampe123456

» alicloud_cen_bandwidth_limits
This data source provides CEN Bandwidth Limits available to the user.

» Example Usage

data "alicloud_cen_bandwidth_limits" "bwl" {
  instance_ids = ["cen-id1"]
}

output "first_cen_bandwidth_limits_local_region_id" {
  value = "${data.alicloud_cen_bandwidth_limits.bwl.limits.0.local_region_id}"
}

» Argument Reference

The following arguments are supported:


• instance_ids - (Optional) A list of CEN instances IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• limits - A list of CEN Bandwidth Limits. Each element contains the
following attributes:
– instance_id - ID of the CEN instance.
– local_region_id - ID of local region.
– opposite_region_id - ID of opposite region.
– status - Status of the CEN Bandwidth Limit, including "Active"
and "Modifying".
– bandwidth_limit - The bandwidth limit configured for the
interconnected regions communication.

» alicloud_cen_bandwidth_packages
This data source provides CEN Bandwidth Packages available to the user.

» Example Usage

data "alicloud_cen_bandwidth_packages" "bwp" {
  instance_id = "cen-id1"
  name_regex = "^foo"
}

output "first_cen_bandwidth_package_id" {
  value = "${data.alicloud_cen_bandwidth_packages.bwp.packages.0.id}"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Optional) ID of a CEN instance.
• ids - (Optional) Limit search to a list of specific CEN Bandwidth Package
IDs.
• name_regex - (Optional) A regex string to filter CEN Bandwidth Package
by name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• packages - A list of CEN bandwidth package. Each element contains the
following attributes:
– id - ID of the CEN Bandwidth Package.
– instance_id - ID of CEN instance that owns the CEN Bandwidth
Package.
– name - Name of the CEN Bandwidth Package.
– description - Description of the CEN Bandwidth Package.
– business_status - Status of the CEN Bandwidth Package, including
"Normal", "FinancialLocked" and "SecurityLocked".
– status - Status of the CEN Bandwidth Package in CEN instance,
including "Idle" and "InUse".
– bandwidth - The bandwidth in Mbps of the CEN bandwidth package.
– creation_time - Creation time of the CEN bandwidth package.
– bandwidth_package_charge_type - The billing method, including
"POSTPAY" and "PREPAY".
– geographic_region_a_id - Region ID of the interconnected regions.
– geographic_region_b_id - Region ID of the interconnected regions.

» alicloud_cen_instances
This data source provides CEN instances available to the user.

» Example Usage

data "alicloud_cen_instances" "cen_instances_ds" {
  ids = ["cen-id1"]
  name_regex = "^foo"
}

output "first_cen_instance_id" {
  value = "${data.alicloud_cen_instances.cen_instances_ds.instances.0.id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of CEN instances IDs.
• name_regex - (Optional) A regex string to filter CEN instances by name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of CEN instances IDs.
• names - A list of CEN instances names.
• instances - A list of CEN instances. Each element contains the following
attributes:
– id - ID of the CEN instance.
– name - Name of the CEN instance.
– status - Status of the CEN instance, including "Creating", "Active"
and "Deleting".
– bandwidth_package_ids - List of CEN Bandwidth Package IDs in
the specified CEN instance.
– child_instance_ids - List of child instance IDs in the specified CEN
instance.
– description - Description of the CEN instance.

» alicloud_cen_region_route_entries
This data source provides CEN Regional Route Entries available to the user.

» Example Usage

data "alicloud_cen_region_route_entries" "entry" {
  instance_id = "cen-id1"
  region_id = "cn-beijing"
}

output "first_region_route_entries_route_entry_cidr_block" {
  value = "${data.alicloud_cen_region_route_entries.entry.entries.0.cidr_block}"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required) ID of the CEN instance.
• region_id - (Required) ID of the region.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• entries - A list of CEN Route Entries. Each element contains the
following attributes:
– cidr_block - The destination CIDR block of the route entry.
– type - Type of the route entry.
– next_hop_id - ID of the next hop.
– next_hop_type - Type of the next hop.
– next_hop_region_id - ID of the region where the next hop is located.

» alicloud_cen_route_entries
This data source provides CEN Route Entries available to the user.

» Example Usage

data "alicloud_cen_route_entries" "entry" {
  instance_id = "cen-id1"
  route_table_id = "vtb-id1"
}

output "first_route_entries_route_entry_cidr_block" {
  value = "${data.alicloud_cen_route_entries.entry.entries.0.cidr_block}"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required) ID of the CEN instance.
• route_table_id - (Required) ID of the route table of the VPC or VBR.
• cidr_block - (Optional) The destination CIDR block of the route entry
to query.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• entries - A list of CEN Route Entries. Each element contains the
following attributes:
– route_table_id - ID of the route table.
– cidr_block - The destination CIDR block of the route entry.
– next_hop_id - ID of the next hop.
– next_hop_type - Type of the next hop, including "Instance",
"HaVip" and "RouterInterface".
– route_type - Type of the route entry, including "System", "Custom"
and "BGP".
– operational_mode - Whether to allow the route entry to be published
to or removed from CEN.
– publish_status - The publish status of the route entry in CEN,
including "Published" and "NonPublished".
– conflicts - A list of conflicted Route Entries. Each element contains
the following attributes:
∗ cidr_block - The destination CIDR block of the conflicted route
entry.
∗ region_id - ID of the region where the conflicted route entry is
located.
∗ instance_id - ID of the CEN child instance.
∗ instance_type - The type of the CEN child instance.
∗ status - Reasons of exceptions.

» alicloud_cen_bandwidth_limit
Provides a CEN cross-regional interconnection bandwidth resource. To connect
networks in different regions, you must set cross-region interconnection
bandwidth after buying a bandwidth package. The total bandwidth set for all the
interconnected regions of a bandwidth package cannot exceed the bandwidth of
the bandwidth package. By default, 1 Kbps bandwidth is provided for
connectivity test. To run normal business, you must buy a bandwidth package
and set a proper interconnection bandwidth.
For example, a CEN instance is bound to a bandwidth package of 20 Mbps and
the interconnection areas are Mainland China and North America. You can set
the cross-region interconnection bandwidth between US West 1 and China East
1, China East 2, China South 1, and so on. However, the total bandwidth set
for all the interconnected regions cannot exceed 20 Mbps.
For information about CEN and how to use it, see Cross-region interconnection
bandwidth.

» Example Usage

Basic Usage
variable "name" {
  default = "tf-testAccCenBandwidthLimitConfig"
}

provider "alicloud" {
  alias = "fra"
  region = "eu-central-1"
}

provider "alicloud" {
  alias = "sh"
  region = "cn-shanghai"
}

resource "alicloud_vpc" "vpc1" {
  provider = "alicloud.fra"
  name = "${var.name}"
  cidr_block = "192.168.0.0/16"
}

resource "alicloud_vpc" "vpc2" {
  provider = "alicloud.sh"
  name = "${var.name}"
  cidr_block = "172.16.0.0/12"
}

resource "alicloud_cen_instance" "cen" {
  name = "${var.name}"
  description = "tf-testAccCenBandwidthLimitConfigDescription"
}

resource "alicloud_cen_bandwidth_package" "bwp" {
  bandwidth = 5
  geographic_region_ids = [
    "Europe",
    "China"]
}

resource "alicloud_cen_bandwidth_package_attachment" "bwp_attach" {
  instance_id = "${alicloud_cen_instance.cen.id}"
  bandwidth_package_id = "${alicloud_cen_bandwidth_package.bwp.id}"
}

resource "alicloud_cen_instance_attachment" "vpc_attach_1" {
  instance_id = "${alicloud_cen_instance.cen.id}"
  child_instance_id = "${alicloud_vpc.vpc1.id}"
  child_instance_region_id = "eu-central-1"
}

resource "alicloud_cen_instance_attachment" "vpc_attach_2" {
  instance_id = "${alicloud_cen_instance.cen.id}"
  child_instance_id = "${alicloud_vpc.vpc2.id}"
  child_instance_region_id = "cn-shanghai"
}

resource "alicloud_cen_bandwidth_limit" "foo" {
  instance_id = "${alicloud_cen_instance.cen.id}"
  region_ids = [
    "eu-central-1",
    "cn-shanghai"]
  bandwidth_limit = 4
  depends_on = [
    "alicloud_cen_bandwidth_package_attachment.bwp_attach",
    "alicloud_cen_instance_attachment.vpc_attach_1",
    "alicloud_cen_instance_attachment.vpc_attach_2"]
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The ID of the CEN.
• region_ids - (Required, ForceNew) List of the two regions to interconnect.
Must be two different regions.
• bandwidth_limit - (Required) The bandwidth configured for the
interconnected regions communication.
NOTE: The "alicloud_cen_bandwidth_limit" resource depends on the
related "alicloud_cen_bandwidth_package_attachment" resource and
"alicloud_cen_instance_attachment" resource.

» Timeouts

NOTE: Available in 1.48.0+.


The timeouts block allows you to specify timeouts for certain actions:
• update - (Defaults to 10 mins) Used when activating the CEN bandwidth
limit during an update, that is, when changing the bandwidth limit.
• delete - (Defaults to 10 mins) Used when terminating the cen bandwidth
limit.

» Attributes Reference

The following attributes are exported:


• id - ID of the resource, formatted as <instance_id>:<region_id_1>:<region_id_2>.
NOTE: The region_id_1 and region_id_2 are sorted lexicographically.

» Import

CEN bandwidth limit can be imported using the id, e.g.


terraform import alicloud_cen_bandwidth_limit.example cen-abc123456:cn-beijing:eu-west-1
NOTE: The sequence of the region_id_1 and region_id_2 makes no difference
when importing. But in the id of the resource, they are sorted
lexicographically.
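
The ID format and the bandwidth ceiling described for alicloud_cen_bandwidth_limit can be checked before apply. The following Python sketch is an added example, not provider code: it builds the resource ID with the two regions sorted lexicographically and verifies that the limits planned on a CEN instance do not exceed its bandwidth package. The function names are hypothetical, and it assumes one bandwidth package per CEN instance, as in the 20 Mbps example on this page.

```python
from collections import defaultdict


def bandwidth_limit_id(instance_id, region_a, region_b):
    """Return <instance_id>:<region_id_1>:<region_id_2> with the regions sorted."""
    if region_a == region_b:
        raise ValueError("region_ids must be two different regions")
    first, second = sorted((region_a, region_b))
    return f"{instance_id}:{first}:{second}"


def check_limits(package_mbps, limits):
    """Validate planned alicloud_cen_bandwidth_limit settings.

    package_mbps: {instance_id: bandwidth of the attached package, in Mbps}
                  (assumption: one package per CEN instance).
    limits:       iterable of (instance_id, region_a, region_b, bandwidth_limit).
    Returns (ids, problems): the resource IDs accepted and the issues found.
    """
    ids, problems, used = [], [], defaultdict(int)
    for instance_id, region_a, region_b, mbps in limits:
        try:
            rid = bandwidth_limit_id(instance_id, region_a, region_b)
        except ValueError as exc:
            problems.append(f"{instance_id}: {exc}")
            continue
        if rid in ids:
            # (a, b) and (b, a) resolve to the same ID, so this is one resource.
            problems.append(f"{rid}: region pair declared twice")
            continue
        ids.append(rid)
        used[instance_id] += mbps
    for instance_id, total in sorted(used.items()):
        cap = package_mbps.get(instance_id)
        if cap is None:
            problems.append(f"{instance_id}: no bandwidth package attached")
        elif total > cap:
            problems.append(
                f"{instance_id}: limits total {total} Mbps, package is {cap} Mbps")
    return ids, problems


# Constructed plan: a 5 Mbps Europe-China package with limits drawn on it.
PACKAGES = {"cen-id1": 5}
LIMITS = [
    ("cen-id1", "eu-central-1", "cn-shanghai", 4),  # as in the Basic Usage example
    ("cen-id1", "cn-shanghai", "eu-central-1", 1),  # same pair, reversed order
    ("cen-id1", "eu-central-1", "cn-beijing", 2),   # pushes the total to 6 Mbps
]

if __name__ == "__main__":
    accepted, issues = check_limits(PACKAGES, LIMITS)
    print("\n".join(accepted + issues))
```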

» alicloud_cen_bandwidth_package
Provides a CEN bandwidth package resource. The CEN bandwidth package
is an abstracted object that includes an interconnection bandwidth and
interconnection areas. To buy a bandwidth package, you must specify the areas
to connect. An area consists of one or more Alibaba Cloud regions. The areas
in CEN include Mainland China, Asia Pacific, North America, and Europe.
For information about CEN and how to use it, see Manage bandwidth packages.

» Example Usage

Basic Usage

resource "alicloud_cen_bandwidth_package" "foo" {
  name      = "tf-testAccCenBandwidthPackageConfig"
  bandwidth = 5
  geographic_region_ids = [
    "China",
    "Asia-Pacific"
  ]
}

» Argument Reference

The following arguments are supported:


• bandwidth - (Required) The bandwidth in Mbps of the bandwidth
package. Cannot be less than 2 Mbps.
• geographic_region_ids - (Required) List of the two areas to connect.
Valid value: China | North-America | Asia-Pacific | Europe | Middle-East.
• name - (Optional) The name of the bandwidth package. Defaults to null.
• description - (Optional) The description of the bandwidth package.
Default to null.
• charge_type - (Optional) The billing method. Valid value: PostPaid |
PrePaid. Default to PostPaid. If set to PrePaid, the bandwidth package
cannot be deleted before its expiration time.
• period - (Optional) The purchase period in months. Valid value: 1, 2, 3,
6, 12. Default to 1.
->NOTE: PrePaid mode will deduct fees from the account directly and the
bandwidth package cannot be deleted before its expiration time.
->NOTE: The PostPaid mode is for testing only. Please open a ticket if you need it.

» Attributes Reference

The following attributes are exported:


• id - The ID of the bandwidth package.
• expired_time - The time of the bandwidth package to expire.
• status - The status of the bandwidth, including ”InUse” and ”Idle”.

» Import

CEN bandwidth package can be imported using the id, e.g.


$ terraform import alicloud_cen_bandwidth_package.example cenbwp-abc123456

» alicloud_cen_bandwidth_package_attachment
Provides a CEN bandwidth package attachment resource. The resource can be
used to bind a bandwidth package to a specified CEN instance.

» Example Usage

Basic Usage
# Create a new bandwidth package attachment and use it to attach a bandwidth package to a ne
resource "alicloud_cen_instance" "cen" {
  name        = "tf-testAccCenBandwidthPackageAttachmentConfig"
  description = "tf-testAccCenBandwidthPackageAttachmentDescription"
}

resource "alicloud_cen_bandwidth_package" "bwp" {
  bandwidth = 20
  geographic_region_ids = [
    "China",
    "Asia-Pacific"
  ]
}

resource "alicloud_cen_bandwidth_package_attachment" "foo" {
  instance_id          = "${alicloud_cen_instance.cen.id}"
  bandwidth_package_id = "${alicloud_cen_bandwidth_package.bwp.id}"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The ID of the CEN.
• bandwidth_package_id - (Required, ForceNew) The ID of the bandwidth
package.

» Attributes Reference

The following attributes are exported:


• id - ID of the resource, the same as bandwidth_package_id.

» Import

CEN bandwidth package attachment resource can be imported using the id, e.g.
$ terraform import alicloud_cen_bandwidth_package_attachment.example bwp-abc123456

» alicloud_cen_flowlog
This resource is used to create a flow log function in Cloud Enterprise Network
(CEN). By using the flow log function, you can capture the traffic data of the
network instances in different regions of a CEN. You can also use the data
aggregated in flow logs to analyze cross-region traffic flows, minimize traffic
costs, and troubleshoot network faults.
For information about CEN flow log and how to use it, see Manage CEN flowlog.
NOTE: Available in 1.73.0+

» Example Usage

Basic Usage
# Create a CEN flow log and deliver it to an SLS log store.

resource "alicloud_cen_instance" "default" {
  name = "my-cen"
}

resource "alicloud_log_project" "default" {
  name        = "sls-for-flowlog"
  description = "create by terraform"
}

resource "alicloud_log_store" "default" {
  project               = alicloud_log_project.default.name
  name                  = "sls-for-flowlog"
  retention_period      = 3650
  shard_count           = 3
  auto_split            = true
  max_split_shard_count = 60
  append_meta           = true
}

resource "alicloud_cen_flowlog" "default" {
  flow_log_name  = "my-flowlog"
  cen_id         = alicloud_cen_instance.default.id
  project_name   = alicloud_log_project.default.name
  log_store_name = alicloud_log_store.default.name
}

» Argument Reference

The following arguments are supported:


• cen_id - (Required, ForceNew) The ID of the CEN Instance.
• project_name - (Required, ForceNew) The name of the SLS project.
• log_store_name - (Required, ForceNew) The name of the log store which
is in the project_name SLS project.
• flow_log_name - (Optional) The name of flowlog.
• description - (Optional) The description of flowlog.
• status - (Optional) The status of flowlog. Valid values: ["Active",
"Inactive"]. Default to "Active".

» Attributes Reference

The following attributes are exported:


• id - ID of the flowlog.

» Import

CEN flowlog can be imported using the id, e.g.


$ terraform import alicloud_cen_flowlog.default flowlog-tig1xxxxxx

» alicloud_cen_instance
Provides a CEN instance resource. Cloud Enterprise Network (CEN) is a service
that allows you to create a global network for rapidly building a distributed
business system with a hybrid cloud computing solution. CEN enables you to build
a secure, private, and enterprise-class interconnected network between VPCs in
different regions and your local data centers. CEN provides enterprise-class
scalability that automatically responds to your dynamic computing requirements.
For information about CEN and how to use it, see What is Cloud Enterprise
Network.

» Example Usage

Basic Usage
resource "alicloud_cen_instance" "cen" {
  name        = "tf_test_foo"
  description = "an example for cen"
}

» Argument Reference

The following arguments are supported:


• name - (Optional) The name of the CEN instance. Defaults to null. The
name must be 2 to 128 characters in length and can contain letters,
numbers, periods (.), underscores (_), and hyphens (-). The name must start
with a letter, but cannot start with http:// or https://.
• description - (Optional) The description of the CEN instance. Defaults
to null. The description must be 2 to 256 characters in length. It must
start with a letter, and cannot start with http:// or https://.

» Timeouts

NOTE: Available in 1.48.0+.


The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 6 mins) Used when creating the cen instance (until
it reaches the initial Active status).
• delete - (Defaults to 6 mins) Used when terminating the cen instance.

» Attributes Reference

The following attributes are exported:


• id - The ID of the CEN instance.
• name - The name of the CEN instance.
• description - The description of the CEN instance.
• protection_level - (Available in 1.76.0+) Indicates the allowed level of
CIDR block overlapping. Valid values:
– FULL: No overlapping CIDR blocks are allowed.
– REDUCED: Overlapping CIDR blocks are allowed. However, the
overlapping CIDR blocks cannot be identical.
Default to "REDUCED".

» Import

CEN instance can be imported using the id, e.g.


$ terraform import alicloud_cen_instance.example cen-abc123456

» alicloud_cen_instance_attachment
Provides a CEN child instance attachment resource.

» Example Usage

Basic Usage
# Create a new instance-attachment and use it to attach one child instance to a new CEN
variable "name" {
  default = "tf-testAccCenInstanceAttachmentBasic"
}

resource "alicloud_cen_instance" "cen" {
  name        = "${var.name}"
  description = "terraform01"
}

resource "alicloud_vpc" "vpc" {
  name       = "${var.name}"
  cidr_block = "192.168.0.0/16"
}

resource "alicloud_cen_instance_attachment" "foo" {
  instance_id              = "${alicloud_cen_instance.cen.id}"
  child_instance_id        = "${alicloud_vpc.vpc.id}"
  child_instance_region_id = "cn-beijing"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The ID of the CEN.
• child_instance_id - (Required, ForceNew) The ID of the child instance
to attach.
• child_instance_region_id - (Required, ForceNew) The region ID of the
child instance to attach.

• child_instance_owner_id - (Optional, Available in 1.42.0+) The uid
of the child instance. Only used when attaching a child instance that
belongs to another account.
->NOTE: Ensure that the child instance is not used in Express Connect.

» Attributes Reference

The following attributes are exported:


• id - ID of the resource, formatted as <instance_id>:<child_instance_id>.

» Import

CEN instance can be imported using the id, e.g.


$ terraform import alicloud_cen_instance_attachment.example cen-abc123456:vpc-abc123456

» alicloud_cen_instance_grant
Provides a CEN child instance grant resource, which allows you to authorize a
VPC or VBR to a CEN of a different account.
For more information about how to use it, see Attach a network in a different
account.

» Example Usage

Basic Usage
# Create a new instance-grant and use it to grant one child instance of account1 to a new CE
provider "alicloud" {
  access_key = "access123"
  secret_key = "secret123"
  alias      = "account1"
}

provider "alicloud" {
  access_key = "access456"
  secret_key = "secret456"
  alias      = "account2"
}

variable "name" {
  default = "tf-testAccCenInstanceGrantBasic"
}

resource "alicloud_cen_instance" "cen" {
  provider = "alicloud.account2"
  name     = "${var.name}"
}

resource "alicloud_vpc" "vpc" {
  provider   = "alicloud.account1"
  name       = "${var.name}"
  cidr_block = "192.168.0.0/16"
}

resource "alicloud_cen_instance_grant" "foo" {
  provider          = "alicloud.account1"
  cen_id            = "${alicloud_cen_instance.cen.id}"
  child_instance_id = "${alicloud_vpc.vpc.id}"
  cen_owner_id      = "uid2"
}

resource "alicloud_cen_instance_attachment" "foo" {
  provider                 = "alicloud.account2"
  instance_id              = "${alicloud_cen_instance.cen.id}"
  child_instance_id        = "${alicloud_vpc.vpc.id}"
  child_instance_region_id = "cn-qingdao"
  child_instance_owner_id  = "uid1"
  depends_on = [
    "alicloud_cen_instance_grant.foo"
  ]
}

» Argument Reference

The following arguments are supported:


• cen_id - (Required) The ID of the CEN.
• child_instance_id - (Required) The ID of the child instance to grant.
• cen_owner_id - (Required) The owner UID of the CEN which the child
instance granted to.

» Attributes Reference

The following attributes are exported:


• id - ID of the resource, formatted as <cen_id>:<child_instance_id>:<cen_owner_id>.

120
» Import

CEN instance can be imported using the id, e.g.


$ terraform import alicloud_cen_instance_grant.example cen-abc123456:vpc-abc123456:uid123456
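
The cross-account grant and attachment described in this section, written without access keys in the configuration and with both account UIDs read from the credentials each provider alias authenticates with. This is an added example, not part of the provider documentation; it assumes the provider's profile argument with two profiles named vpc-owner and cen-owner in the shared credentials file, and the resource labels, name and region are placeholders.

```hcl
# Added example, not taken from the provider documentation.
# Assumption: "vpc-owner" and "cen-owner" are profile names you have defined
# in the Alibaba Cloud shared credentials file, so no key material is stored
# in the configuration or committed with it.

provider "alicloud" {
  alias   = "account1" # account that owns the VPC
  profile = "vpc-owner"
  region  = "cn-qingdao"
}

provider "alicloud" {
  alias   = "account2" # account that owns the CEN
  profile = "cen-owner"
  region  = "cn-qingdao"
}

# Read each account's UID from the identity the provider authenticated as,
# so the grant names the account that actually creates the CEN below and
# not a hand-typed UID.
data "alicloud_account" "vpc_owner" {
  provider = "alicloud.account1"
}

data "alicloud_account" "cen_owner" {
  provider = "alicloud.account2"
}

variable "name" {
  default = "tf-cen-cross-account" # placeholder name
}

resource "alicloud_cen_instance" "cen" {
  provider = "alicloud.account2"
  name     = "${var.name}"
}

resource "alicloud_vpc" "vpc" {
  provider   = "alicloud.account1"
  name       = "${var.name}"
  cidr_block = "192.168.0.0/16"
}

# Step 1 (VPC owner): authorize one CEN in one account to attach this VPC.
resource "alicloud_cen_instance_grant" "grant" {
  provider          = "alicloud.account1"
  cen_id            = "${alicloud_cen_instance.cen.id}"
  child_instance_id = "${alicloud_vpc.vpc.id}"
  cen_owner_id      = "${data.alicloud_account.cen_owner.id}"
}

# Step 2 (CEN owner): attach the granted VPC, naming the account that owns it.
resource "alicloud_cen_instance_attachment" "attach" {
  provider                 = "alicloud.account2"
  instance_id              = "${alicloud_cen_instance.cen.id}"
  child_instance_id        = "${alicloud_vpc.vpc.id}"
  child_instance_region_id = "cn-qingdao"
  child_instance_owner_id  = "${data.alicloud_account.vpc_owner.id}"
  depends_on = [
    "alicloud_cen_instance_grant.grant"
  ]
}

# Surface the account that received access so it shows up for review
# in apply output.
output "vpc_granted_to_account" {
  value = "${alicloud_cen_instance_grant.grant.cen_owner_id}"
}
```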

» alicloud_cen_route_entry
Provides a CEN route entry resource. Cloud Enterprise Network (CEN)
supports publishing and withdrawing route entries of attached networks. You can
publish a route entry of an attached VPC or VBR to a CEN instance, then
other attached networks can learn the route if there is no route conflict. You
can withdraw a published route entry when CEN does not need it any more.
For information about publishing CEN route entries and how to use it, see
Manage network routes.

» Example Usage

Basic Usage
# Create a cen_route_entry resource and use it to publish a route entry pointing to an ECS.

provider "alicloud" {
  alias  = "hz"
  region = "cn-hangzhou"
}

variable "name" {
  default = "tf-testAccCenRouteEntryConfig"
}

data "alicloud_zones" "default" {
  provider                    = "alicloud.hz"
  available_disk_category     = "cloud_efficiency"
  available_resource_creation = "VSwitch"
}

data "alicloud_instance_types" "default" {
  provider          = "alicloud.hz"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  cpu_core_count    = 1
  memory_size       = 2
}

data "alicloud_images" "default" {
  provider    = "alicloud.hz"
  name_regex  = "^ubuntu_18.*64"
  most_recent = true
  owners      = "system"
}

resource "alicloud_vpc" "vpc" {
  provider   = "alicloud.hz"
  name       = "${var.name}"
  cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "default" {
  provider          = "alicloud.hz"
  vpc_id            = "${alicloud_vpc.vpc.id}"
  cidr_block        = "172.16.0.0/21"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_security_group" "default" {
  provider    = "alicloud.hz"
  name        = "${var.name}"
  description = "foo"
  vpc_id      = "${alicloud_vpc.vpc.id}"
}

resource "alicloud_instance" "default" {
  provider                   = "alicloud.hz"
  vswitch_id                 = "${alicloud_vswitch.default.id}"
  image_id                   = "${data.alicloud_images.default.images.0.id}"
  instance_type              = "${data.alicloud_instance_types.default.instance_types.0.id}"
  system_disk_category       = "cloud_efficiency"
  internet_charge_type       = "PayByTraffic"
  internet_max_bandwidth_out = 5
  security_groups            = ["${alicloud_security_group.default.id}"]
  instance_name              = "${var.name}"
}

resource "alicloud_cen_instance" "cen" {
  name = "${var.name}"
}

resource "alicloud_cen_instance_attachment" "attach" {
  instance_id              = "${alicloud_cen_instance.cen.id}"
  child_instance_id        = "${alicloud_vpc.vpc.id}"
  child_instance_region_id = "cn-hangzhou"
  depends_on = [
    "alicloud_vswitch.default"
  ]
}

resource "alicloud_route_entry" "route" {
  provider              = "alicloud.hz"
  route_table_id        = "${alicloud_vpc.vpc.route_table_id}"
  destination_cidrblock = "11.0.0.0/16"
  nexthop_type          = "Instance"
  nexthop_id            = "${alicloud_instance.default.id}"
}

resource "alicloud_cen_route_entry" "foo" {
  provider       = "alicloud.hz"
  instance_id    = "${alicloud_cen_instance.cen.id}"
  route_table_id = "${alicloud_vpc.vpc.route_table_id}"
  cidr_block     = "${alicloud_route_entry.route.destination_cidrblock}"
  depends_on = [
    "alicloud_cen_instance_attachment.attach"
  ]
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The ID of the CEN.
• route_table_id - (Required, ForceNew) The route table of the attached
VBR or VPC.
• cidr_block - (Required, ForceNew) The destination CIDR block of the
route entry to publish.
->NOTE: The "alicloud_cen_route_entry" resource depends on
the related "alicloud_cen_instance_attachment" resource.
->NOTE: The "alicloud_cen_instance_attachment" resource should depend
on the related "alicloud_vswitch" resource.

» Attributes Reference

The following attributes are exported:


• id - ID of the resource, formatted as <instance_id>:<route_table_id>:<cidr_block>.

» Import

CEN instance can be imported using the id, e.g.


$ terraform import alicloud_cen_route_entry.example cen-abc123456:vtb-abc123:192.168.0.0/24

» alicloud_cloud_connect_networks
This data source provides Cloud Connect Networks available to the user.
NOTE: Available in 1.59.0+
NOTE: Only the following regions support creating a Cloud Connect Network.
[cn-shanghai, cn-shanghai-finance-1, cn-hongkong, ap-southeast-1,
ap-southeast-2, ap-southeast-3, ap-southeast-5, ap-northeast-1,
eu-central-1]

» Example Usage

data "alicloud_cloud_connect_networks" "default" {
  ids        = ["${alicloud_cloud_connect_network.default.id}"]
  name_regex = "^tf-testAcc.*"
}

resource "alicloud_cloud_connect_network" "default" {
  name        = "tf-testAccCloudConnectNetworkName"
  description = "tf-testAccCloudConnectNetworkDescription"
  cidr_block  = "192.168.0.0/24"
  is_default  = true
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of CCN instances IDs.
• name_regex - (Optional) A regex string to filter CCN instances by name.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of CCN instances IDs.
• names - A list of CCN instances names.

• networks - A list of CCN instances. Each element contains the following
attributes:
– id - ID of the CCN instance.
– name - Name of the CCN instance.
– cidr_block - CidrBlock of the CCN instance.
– is_default - IsDefault of the CCN instance.

» alicloud_cloud_connect_network
Provides a cloud connect network resource. Cloud Connect Network (CCN) is
another important component of Smart Access Gateway. It is a device access
matrix composed of Alibaba Cloud distributed access gateways. You can add
multiple Smart Access Gateway (SAG) devices to a CCN instance and then
attach the CCN instance to a Cloud Enterprise Network (CEN) instance to
connect the local branches to the Alibaba Cloud.
For information about cloud connect network and how to use it, see What is
Cloud Connect Network.
NOTE: Available in 1.59.0+
NOTE: Only the following regions support creating a Cloud Connect Network.
[cn-shanghai, cn-shanghai-finance-1, cn-hongkong, ap-southeast-1,
ap-southeast-2, ap-southeast-3, ap-southeast-5, ap-northeast-1,
eu-central-1]

» Example Usage

Basic Usage
resource "alicloud_cloud_connect_network" "default" {
  name        = "tf-testAccCloudConnectNetworkName"
  description = "tf-testAccCloudConnectNetworkDescription"
  cidr_block  = "192.168.0.0/24"
  is_default  = true
}

» Argument Reference

The following arguments are supported:


• name - (Optional) The name of the CCN instance. The name can contain 2
to 128 characters including a-z, A-Z, 0-9, periods, underlines, and hyphens.
The name must start with an English letter, but cannot start with http://
or https://.

• description - (Optional) The description of the CCN instance. The
description can contain 2 to 256 characters. The description must start
with English letters, but cannot start with http:// or https://.
• cidr_block - (Optional) The CidrBlock of the CCN instance. Defaults
to null.
• is_default - (Required) Created by default. If the client does not have
ccn in the binding, it will create a ccn for the user to replace.

» Attributes Reference

The following attributes are exported:


• id - The CcnId of the CCN instance. For example ”ccn-xxx”.

» Import

The cloud connect network instance can be imported using the id, e.g.
$ terraform import alicloud_cloud_connect_network.example ccn-abc123456

» alicloud_cloud_connect_network_attachment
Provides a Cloud Connect Network Attachment resource. This topic describes
how to associate a Smart Access Gateway (SAG) instance with a network
instance. You must associate an SAG instance with a network instance if you want
to connect the SAG to Alibaba Cloud. You can connect an SAG to Alibaba
Cloud through a leased line, the Internet, or the active and standby links.
For information about Cloud Connect Network Attachment and how to use it,
see What is Cloud Connect Network Attachment.
NOTE: Available in 1.64.0+
NOTE: Only the following regions are supported: [cn-shanghai, cn-shanghai-finance-1,
cn-hongkong, ap-southeast-1, ap-southeast-2, ap-southeast-3, ap-southeast-5,
ap-northeast-1, eu-central-1]

» Example Usage

Basic Usage
resource "alicloud_cloud_connect_network" "ccn" {
  name       = "tf-testAccCloudConnectNetworkAttachment-xxx"
  is_default = "true"
}

resource "alicloud_cloud_connect_network_attachment" "default" {
  ccn_id     = "${alicloud_cloud_connect_network.ccn.id}"
  sag_id     = "sag-xxxxx"
  depends_on = ["alicloud_cloud_connect_network.ccn"]
}

» Argument Reference

The following arguments are supported:


• ccn_id - (Required, ForceNew) The ID of the CCN instance.
• sag_id - (Required, ForceNew) The ID of the Smart Access Gateway
instance.

» Attributes Reference

The following attributes are exported:


• id - The ID of the Cloud Connect Network Attachment, formatted
as <ccn_id>:<sag_id>.

» Import

The Cloud Connect Network Attachment can be imported using the instance_id,
e.g.
$ terraform import alicloud_cloud_connect_network_attachment.example ccn-abc123456:sag-abc12

» alicloud_cloud_connect_network_grant
Provides a Cloud Connect Network Grant resource. If the CEN instance to
be attached belongs to another account, authorization by the CEN instance is
required.
For information about Cloud Connect Network Grant and how to use it, see
What is Cloud Connect Network Grant.
NOTE: Available in 1.63.0+
NOTE: Only the following regions support creating a Cloud Connect Network
Grant. [cn-shanghai, cn-shanghai-finance-1, cn-hongkong,
ap-southeast-1, ap-southeast-2, ap-southeast-3, ap-southeast-5,
ap-northeast-1, eu-central-1]

» Example Usage

Basic Usage
provider "alicloud" {
  alias = "ccn_account"
}

provider "alicloud" {
  region     = "cn-hangzhou"
  access_key = "xxxxxx"
  secret_key = "xxxxxx"
  alias      = "cen_account"
}

resource "alicloud_cen_instance" "cen" {
  provider = "alicloud.cen_account"
  name     = "tf-testAccCenInstance-xxx"
}

resource "alicloud_cloud_connect_network" "ccn" {
  provider   = "alicloud.ccn_account"
  name       = "tf-testAccCloudConnectNetwork-xxx"
  is_default = "true"
}

resource "alicloud_cloud_connect_network_grant" "default" {
  ccn_id  = "${alicloud_cloud_connect_network.ccn.id}"
  cen_id  = "${alicloud_cen_instance.cen.id}"
  cen_uid = "xxxxxx"
  depends_on = [
    "alicloud_cloud_connect_network.ccn",
    "alicloud_cen_instance.cen"
  ]
}

» Argument Reference

The following arguments are supported:


• ccn_id - (Required, ForceNew) The ID of the CCN instance.
• cen_id - (Required, ForceNew) The ID of the CEN instance.
• cen_uid - (Required, ForceNew) The ID of the account to which the CEN
instance belongs.

» Attributes Reference

The following attributes are exported:


• id - The ID of the Cloud Connect Network grant, formatted as
<ccn_id>:<cen_id>.

» Import

The Cloud Connect Network Grant can be imported using the instance_id, e.g.
$ terraform import alicloud_cloud_connect_network_grant.example ccn-abc123456:cen-abc123456

» alicloud_yundun_dbaudit_instances
This data source provides a list of cloud DBAudit instances in an Alibaba Cloud
account according to the specified filters.
NOTE: Available in 1.62.0+.

» Example Usage

data "alicloud_yundun_dbaudit_instances" "instance" {
  description_regex = "^dbaudit"
}

output "instance" {
  value = "${data.alicloud_yundun_dbaudit_instances.instance.instances.*.id}"
}

» Argument Reference

The following arguments are supported:


• description_regex - (Optional) A regex string to filter results by the
instance description.
• ids - (Optional) Matched instance IDs to filter data source result.
• output_file - (Optional) File name to persist data source output.
• descriptions - (Optional) Descriptions to filter data source result.
• tags - (Optional, Available in v1.67.0+) A map of tags assigned to the
dbaudit instance. It must be in the format:
data "alicloud_yundun_dbaudit_instances" "instance" {
  tags = {
    tagKey1 = "tagValue1"
  }
}

» Attributes Reference

The following attributes are exported in addition to the arguments listed
above:
• instances - A list of apis. Each element contains the following
attributes:
– id - The instance’s id.
– description - The instance’s remark.
– user_vswitch_id - The instance’s vSwitch ID.
– private_domain - The instance’s private domain name.
– public_domain - The instance’s public domain name.
– instance_status - The instance’s status.
– public_network_access - The instance’s public network access
configuration.
– tags - A map of tags assigned to the dbaudit instance.

» alicloud_yundun_dbaudit_instance
Cloud DBaudit instance resource ("Yundun_dbaudit" is the short name of this
product).
NOTE: The bssopenapi endpoint used only supports "business.aliyuncs.com"
at present.
NOTE: Available in 1.62.0+.
NOTE: In order to destroy a Cloud DBaudit instance, users are required to
apply for the whitelist first.

» Example Usage

Basic Usage
provider "alicloud" {
  endpoints {
    bssopenapi = "business.aliyuncs.com"
  }
}

resource "alicloud_yundun_dbaudit_instance" "default" {
  description = "Terraform-test"
  plan_code   = "alpha.professional"
  period      = "1"
  vswitch_id  = "v-testVswitch"
}

» Argument Reference

The following arguments are supported:

• plan_code - (Required) Plan code of the Cloud DBAudit to produce.
(alpha.professional, alpha.basic, alpha.premium)
• description - (Required) Description of the instance. This name can
have a string of 1 to 63 characters.
• period - (Required, ForceNew) Duration for initially producing the
instance. Valid values: [1~9], 12, 24, 36. Default to 12. At present, the
provider does not support modifying "period".
• vswitch_id - (Required, ForceNew) vSwitch ID configured to audit.
• tags - (Optional, Available in v1.67.0+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported:


• id - The ID of the instance resource of Yundun_dbaudit.

» Import

Yundun_dbaudit instance can be imported using the id, e.g.


$ terraform import alicloud_yundun_dbaudit_instance.example dbaudit-exampe123456

» alicloud_cms_alarm
This resource provides an alarm rule resource and it can be used to monitor
several cloud services according to different metrics. Details for alarm rule.

» Example Usage

Basic Usage
resource "alicloud_cms_alarm" "basic" {
  name    = "tf-testAccCmsAlarm_basic"
  project = "acs_ecs_dashboard"
  metric  = "disk_writebytes"
  dimensions = {
    instanceId = "i-bp1247,i-bp11gd"
    device     = "/dev/vda1,/dev/vdb1"
  }
  statistics         = "Average"
  period             = 900
  operator           = "<="
  threshold          = 35
  triggered_count    = 2
  contact_groups     = ["test-group"]
  effective_interval = "0:00-2:00"
  notify_type        = 1
  webhook            = "https://${data.alicloud_account.current.id}.eu-central-1.fc.aliyuncs.co
}

» Argument Reference

The following arguments are supported:


• name - (Required) The alarm rule name.
• project - (Required, ForceNew) Monitor project name, such as
”acs_ecs_dashboard” and ”acs_rds_dashboard”. For more information,
see Metrics Reference.
• metric - (Required, ForceNew) Name of the monitoring metrics
corresponding to a project, such as "CPUUtilization" and "networkin_rate".
For more information, see Metrics Reference.
• dimensions - (Required, ForceNew) Map of the resources associated with
the alarm rule, such as ”instanceId”, ”device” and ”port”. Each key’s
value is a string and it uses comma to split multiple items. For more
information, see Metrics Reference.
• period - Index query cycle, which must be consistent with that defined
for metrics. Default to 300, in seconds.
• statistics - Statistical method. It must be consistent with that defined
for metrics. Valid values: [”Average”, ”Minimum”, ”Maximum”]. Default
to ”Average”.
• operator - Alarm comparison operator. Valid values: [”<=”, ”<”, ”>”,
”>=”, ”==”, ”!=”]. Default to ”==”.
• threshold - (Required) Alarm threshold value, which must be a numeric
value currently.
• triggered_count - Number of consecutive times it has been detected that
the values exceed the threshold. Default to 3.
• contact_groups - (Required) List contact groups of the alarm rule, which
must have been created on the console.
• effective_interval - (Available in 1.50.0+) The interval during which the
alarm rule takes effect. Its format is "hh:mm-hh:mm", like "0:00-4:00". Default to
"00:00-23:59".
• start_time - Deprecated from provider version 1.50.0; use
'effective_interval' instead.
• end_time - Deprecated from provider version 1.50.0; use
'effective_interval' instead.
• silence_time - Notification silence period in the alarm state, in seconds.
Valid value range: [300, 86400]. Default to 86400.
• notify_type - Notification type. Valid values: [0, 1]. The value 0
indicates TradeManager+email, and the value 1 indicates
TradeManager+email+SMS.
• enabled - Whether to enable alarm rule. Default to true.
• webhook - (Optional, Available in 1.46.0+) The webhook that should be
called when the alarm is triggered. Currently, only http protocol is
supported. Default is empty string.

» Attributes Reference

The following attributes are exported:


• id - The ID of the alarm rule.
• status - The current alarm rule status.

» Import

Alarm rule can be imported using the id, e.g.


$ terraform import alicloud_cms_alarm.alarm abc12345

» alicloud_cms_sitemonitor
This resource provides a sitemonitor resource and it can be used to monitor
public endpoints and websites. Details at
https://www.alibabacloud.com/help/doc-detail/67907.htm
Available in 1.72.0+

» Example Usage

Basic Usage
resource "alicloud_cms_sitemonitor" "basic" {
  address   = "http://www.alibabacloud.com"
  task_name = "tf-testAccCmsSiteMonitor_basic"
  task_type = "HTTP"
  interval  = 5
  isp_cities {
    city = "546"
    isp  = "465"
  }
}

» Argument Reference

The following arguments are supported:


• address - (Required) The URL or IP address monitored by the site
monitoring task.
• task_name - (Required) The name of the site monitoring task. The name
must be 4 to 100 characters in length. The name can contain the following
types of characters: letters, digits, and underscores.
• task_type - (Required, ForceNew) The protocol of the site monitoring
task. Currently, site monitoring supports the following protocols: HTTP,
Ping, TCP, UDP, DNS, SMTP, POP3, and FTP.
• alert_ids - The IDs of existing alert rules to be associated with the site
monitoring task.
• interval - The monitoring interval of the site monitoring task. Unit:
minutes. Valid values: 1, 5, and 15. Default value: 1.
• isp_cities - The detection points in a JSON array. For example,
[{"city":"546","isp":"465"},{"city":"572","isp":"465"},{"city":"738","isp":"465"}]
indicates the detection points in Beijing, Hangzhou, and Qingdao
respectively. You can call the DescribeISPAreaCity operation to query
detection point information. If this parameter is not specified, three
detection points will be chosen randomly for monitoring.
• options_json - The extended options of the protocol of the site
monitoring task. The options vary according to the protocol.

» Attributes Reference

The following attributes are exported:


• id - The ID of the site monitor rule.

» Import

Alarm rule can be imported using the id, e.g.


$ terraform import alicloud_cms_sitemonitor.alarm abc12345

» alicloud_cs_kubernetes_clusters
This data source provides a list of Container Service Kubernetes Clusters on
Alibaba Cloud.
NOTE: Available in v1.34.0+.

» Example Usage

# Declare the data source
data "alicloud_cs_kubernetes_clusters" "k8s_clusters" {
  name_regex  = "my-first-k8s"
  output_file = "my-first-k8s-json"
}

output "output" {
  value = "${data.alicloud_cs_kubernetes_clusters.k8s_clusters.clusters}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) Cluster IDs to filter.
• name_regex - (Optional) A regex string to filter results by cluster name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• enabled_details - (Optional) Boolean, false by default, only id
and name are exported. Set to true if more details are needed, e.g.,
master_disk_category, slb_internet_enabled, connections. See full
list in attributes.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of matched Kubernetes clusters’ ids.
• names - A list of matched Kubernetes clusters’ names.
• clusters - A list of matched Kubernetes clusters. Each element contains
the following attributes:
– id - The ID of the container cluster.
– name - The name of the container cluster.
– availability_zone - The ID of availability zone.
– key_name - The keypair of ssh login cluster node, you have to create
it first.
– worker_numbers - The ECS instance node number in the current
container cluster.
– vswitch_ids - The ID of VSwitches where the current cluster is
located.
– vpc_id - The ID of VPC where the current cluster is located.
– slb_internet_enabled - Whether internet load balancer for API
Server is created

– security_group_id - The ID of security group where the current
cluster worker node is located.
– image_id - The ID of node image.
– nat_gateway_id - The ID of nat gateway used to launch kubernetes
cluster.
– master_instance_types - The instance type of master node.
– worker_instance_types - The instance type of worker node.
– master_disk_category - The system disk category of master node.
– master_disk_size - The system disk size of master node.
– worker_disk_category - The system disk category of worker node.
– worker_disk_size - The system disk size of worker node.
– worker_data_disk_category - The data disk size of worker node.
– worker_data_disk_size - The data disk category of worker node.
– master_nodes - List of cluster master nodes. It contains several
attributes to Block Nodes.
– worker_nodes - List of cluster worker nodes. It contains several
attributes to Block Nodes.
– connections - Map of kubernetes cluster connection information. It
contains several attributes to Block Connections.
– node_cidr_mask - The network mask used on pods for each node.
– log_config - A list of one element containing information about the
associated log store. It contains the following attributes:
– type - Type of collecting logs.
– project - Log Service project name.

» Block Nodes

• id - ID of the node.
• name - Node name.
• private_ip - The private IP address of node.
• role - (Deprecated from version 1.9.4)

» Block Connections

• api_server_internet - API Server Internet endpoint.
• api_server_intranet - API Server Intranet endpoint.
• master_public_ip - Master node SSH IP address.
• service_domain - Service Access Domain.

» alicloud_cs_managed_kubernetes_clusters
This data source provides a list of Container Service Managed Kubernetes Clusters
on Alibaba Cloud.
NOTE: Available in v1.35.0+

» Example Usage

# Declare the data source
data "alicloud_cs_managed_kubernetes_clusters" "k8s_clusters" {
  name_regex  = "my-first-k8s"
  output_file = "my-first-k8s-json"
}

output "output" {
  value = "${data.alicloud_cs_managed_kubernetes_clusters.k8s_clusters.clusters}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) Cluster IDs to filter.
• name_regex - (Optional) A regex string to filter results by cluster name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• enabled_details - (Optional) Boolean, false by default, only id
and name are exported. Set to true if more details are needed, e.g.,
master_disk_category, slb_internet_enabled, connections. See full
list in attributes.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of matched Kubernetes clusters’ ids.
• names - A list of matched Kubernetes clusters’ names.
• clusters - A list of matched Kubernetes clusters. Each element contains
the following attributes:
– id - The ID of the container cluster.
– name - The name of the container cluster.
– availability_zone - The ID of availability zone.
– key_name - The keypair of ssh login cluster node, you have to create
it first.
– worker_numbers - The ECS instance node number in the current
container cluster.
– vswitch_ids - The ID of VSwitches where the current cluster is
located.
– vpc_id - The ID of VPC where the current cluster is located.
– security_group_id - The ID of security group where the current
cluster worker node is located.
– nat_gateway_id - The ID of nat gateway used to launch kubernetes
cluster.
– worker_nodes - List of cluster worker nodes. It contains several
attributes to Block Nodes.
– connections - Map of kubernetes cluster connection information. It
contains several attributes to Block Connections.
– log_config - A list of one element containing information about the
associated log store. It contains the following attributes:
– type - Type of collecting logs.
– project - Log Service project name.

» Block Nodes

• id - ID of the node.
• name - Node name.
• private_ip - The private IP address of node.
• role - (Deprecated from version 1.9.4)

» Block Connections

• api_server_internet - API Server Internet endpoint.
• api_server_intranet - API Server Intranet endpoint.
• master_public_ip - Master node SSH IP address.
• service_domain - Service Access Domain.

» alicloud_cs_serverless_kubernetes_clusters
This data source provides a list of Container Service Serverless Kubernetes Clusters
on Alibaba Cloud.
NOTE: Available in 1.58.0+

» Example Usage

# Declare the data source
data "alicloud_cs_serverless_kubernetes_clusters" "k8s_clusters" {
  name_regex  = "my-first-k8s"
  output_file = "my-first-k8s-json"
}

output "output" {
  value = "${data.alicloud_cs_serverless_kubernetes_clusters.k8s_clusters.clusters}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) Cluster IDs to filter.
• name_regex - (Optional) A regex string to filter results by cluster name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• enabled_details - (Optional) Boolean, false by default, only id
and name are exported. Set to true if more details are needed, e.g.,
deletion_protection, connections. See full list in attributes.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of matched Kubernetes clusters’ ids.
• names - A list of matched Kubernetes clusters’ names.
• clusters - A list of matched Kubernetes clusters. Each element contains
the following attributes:
– id - The ID of the container cluster.
– name - The name of the container cluster.
– vswitch_id - The ID of VSwitch where the current cluster is located.
– vpc_id - The ID of VPC where the current cluster is located.
– security_group_id - The ID of security group where the current
cluster is located.
– nat_gateway_id - The ID of nat gateway used to launch kubernetes
cluster.
– deletion_protection - Whether the cluster supports delete protection.
– connections - Map of serverless cluster connection information. It
contains several attributes to Block Connections.

» Block Connections

• api_server_internet - API Server Internet endpoint.
• api_server_intranet - API Server Intranet endpoint.
• master_public_ip - Master node SSH IP address.
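
The connections block of the managed and serverless data sources above can be used to inventory clusters whose API server has an internet endpoint. This is an added example, not part of the provider documentation; the data source label "audit", the local and output names, and the assumption that an unexposed endpoint is exported as an empty string are mine.

```hcl
# Added example, not from the provider documentation.
# connections is only exported when enabled_details = true.
data "alicloud_cs_managed_kubernetes_clusters" "audit" {
  enabled_details = true
}

data "alicloud_cs_serverless_kubernetes_clusters" "audit" {
  enabled_details = true
}

locals {
  # Normalize both cluster kinds to the same shape.
  # try() returns "" when the key is absent from the connections map.
  audited_clusters = concat(
    [
      for c in data.alicloud_cs_managed_kubernetes_clusters.audit.clusters : {
        kind     = "managed"
        id       = c.id
        name     = c.name
        vpc_id   = c.vpc_id
        endpoint = try(c.connections["api_server_internet"], "")
      }
    ],
    [
      for c in data.alicloud_cs_serverless_kubernetes_clusters.audit.clusters : {
        kind     = "serverless"
        id       = c.id
        name     = c.name
        vpc_id   = c.vpc_id
        endpoint = try(c.connections["api_server_internet"], "")
      }
    ],
  )

  # Assumption: a cluster without an internet load balancer exports an
  # empty api_server_internet value.
  internet_api_servers = [
    for c in local.audited_clusters : c if c.endpoint != ""
  ]
}

# Review this list against the clusters that are meant to be public.
output "internet_api_servers" {
  value = local.internet_api_servers
}
```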

» alicloud_container_cluster
NOTE: This resource name has been replaced by alicloud_cs_swarm from
version 1.8.2. Please update it.

» alicloud_cs_application
DEPRECATED: This resource manages applications in swarm cluster only,
which is being deprecated and will be replaced by Kubernetes cluster.
This resource uses an orchestration template to define and deploy a
multi-container application. An application is created by using an orchestration
template. Each application can contain one or more services.
NOTE: Application orchestration template must be a valid Docker Compose
YAML template.
NOTE: At present, this resource only supports swarm cluster.

» Example Usage

Basic Usage
resource "alicloud_cs_application" "app" {
  cluster_name = "my-first-swarm"
  name         = "wordpress"
  version      = "1.2"
  template     = "${file("wordpress.yml")}"
  latest_image = true
  environment = {
    EXTERNAL_URL = "123.123.123.123:8080"
  }
}

» Argument Reference

The following arguments are supported:


• cluster_name - (Required, ForceNew) The swarm cluster’s name.
• name - (Required, ForceNew) The application name. It should be 1-64
characters long, and can contain numbers, English letters and hyphens,
but cannot start with hyphens.
• description - The description of application.
• version - The application deploying version. It must differ from the
current version on each update. Default to "1.0".
• template - (Required) The application deployment template. It must
be in Docker Compose format.
• environment - A key/value map used to replace the variable parameter
in the Compose template.
• latest_image - Whether to use the latest docker image on each update of
the application. Default to false.
• blue_green - Whether to use the "Blue Green" method when releasing a new
version. Default to false.
• blue_green_confirm - Whether to confirm a "Blue Green" application.
Default to false. It will be ignored when blue_green is false.
NOTE: Each update of template, environment, latest_image and
blue_green requires a new version. Otherwise, the update will be ignored.
NOTE: If you want to roll back a "Blue Green" application, just set blue_green
to false.

» Attributes Reference

The following attributes are exported:


• id - The ID of the container application. Its format is <cluster_name>:<name>.
• cluster_name - The name of the container cluster.
• name - The application name.
• description - The application description.
• template - The application deploying template.
• environment - The application environment variables.
• services - List of services in the application. It contains several attributes
to Block Nodes.
• default_domain - The application default domain and it can be used to
configure routing service.

» Block Nodes

• id - ID of the service.
• name - Service name.
• status - The current status of service.
• version - The current version of service.

» Import

Swarm application can be imported using the id, e.g.

$ terraform import alicloud_cs_application.app my-first-swarm:wordpress

» alicloud_cs_kubernetes
This resource will help you to manage a Kubernetes Cluster in Alibaba Cloud
Kubernetes Service.
NOTE: Kubernetes clusters only support VPC networks, and the network needs
internet access while the cluster is being created. A NAT Gateway with an SNAT
entry configured for it ensures that a VPC network can access the internet. If
there is no NAT gateway in the VPC, you can set new_nat_gateway to "true" to
create one automatically.
NOTE: Each kubernetes cluster contains 3 master nodes and that number
cannot be changed for now.
NOTE: Creating a kubernetes cluster requires installing several packages and
takes about 15 minutes. Please be patient.
NOTE: From version 1.9.4, the provider supports downloading the kube config,
client certificate, client key and cluster ca certificate after the cluster is
created successfully, and you can put them into the specified location, like
'~/.kube/config'.
NOTE: From version 1.16.0, the provider supports Multiple Availability Zones
Kubernetes Cluster. To create a cluster of this kind, you must specify 3 or 5
items in master_vswitch_ids and master_instance_types.
NOTE: From version 1.20.0, the provider supports disabling the internet load
balancer for API Server by setting slb_internet_enabled to false.
NOTE: If you want to manage Kubernetes, you can use Kubernetes Provider.
NOTE: You need to activate several other products and confirm the Authorization
Policy used by Container Service before using this resource. Please refer
to the Authorization management and Cluster management sections in the
Document Center.
NOTE: From version 1.75.0, some parameters have been removed from the
resource. You can check them below and re-import the cluster if necessary.

» Example Usage

// If vpc_id is not specified, the module will launch a new VPC
resource "alicloud_vpc" "vpc" {
  count      = var.vpc_id == "" ? 1 : 0
  cidr_block = var.vpc_cidr
}

// Launch several vswitches according to the vswitch CIDR blocks
resource "alicloud_vswitch" "vswitches" {
  count             = length(var.vswitch_ids) > 0 ? 0 : length(var.vswitch_cidrs)
  vpc_id            = var.vpc_id == "" ? join("", alicloud_vpc.vpc.*.id) : var.vpc_id
  cidr_block        = element(var.vswitch_cidrs, count.index)
  availability_zone = element(var.availability_zone, count.index)
}

resource "alicloud_cs_kubernetes" "k8s" {
  count                 = 1
  master_vswitch_ids    = length(var.vswitch_ids) > 0 ? split(",", join(",", var.vswitch_ids
  worker_vswitch_ids    = length(var.vswitch_ids) > 0 ? split(",", join(",", var.vswitch_ids
  master_instance_types = var.master_instance_types
  worker_instance_types = var.worker_instance_types
  worker_number         = var.worker_number
  node_cidr_mask        = var.node_cidr_mask
  enable_ssh            = var.enable_ssh
  install_cloud_monitor = var.install_cloud_monitor
  cpu_policy            = var.cpu_policy
  proxy_mode            = var.proxy_mode
  password              = var.password
  pod_cidr              = var.pod_cidr
  service_cidr          = var.service_cidr
  # version can not be defined in variables.tf. Options: 1.16.6-aliyun.1|1.14.8-aliyun.1
  version               = "1.16.6-aliyun.1"
  dynamic "addons" {
    for_each = var.cluster_addons
    content {
      name   = lookup(addons.value, "name", var.cluster_addons)
      config = lookup(addons.value, "config", var.cluster_addons)
    }
  }
}

» Argument Reference

The following arguments are supported:

» Global params
• name - (Optional) The kubernetes cluster’s name. It is unique in one
Alicloud account.
• name_prefix - (Optional) The kubernetes cluster name’s prefix. It
conflicts with name. If it is specified, terraform will use it to build a
unique cluster name. Default to "Terraform-Creation".
• version - (Optional, Available since 1.70.1) Desired Kubernetes version. If
you do not specify a value, the latest available version at resource creation
is used and no upgrades will occur unless you set a higher version number.
The value must be configured and increased to upgrade the version when
desired. Downgrades are not supported by ACK.
• password - (Required, Sensitive) The password for SSH login to cluster nodes.
You have to specify one of the password, key_name or kms_encrypted_password
fields.
• key_name - (Required) The keypair for SSH login to cluster nodes; you have
to create it first. You have to specify one of the password, key_name or
kms_encrypted_password fields.
• kms_encrypted_password - (Required, Available in 1.57.1+) A KMS-encrypted
password used for a cs kubernetes. You have to specify one of the
password, key_name or kms_encrypted_password fields.
• kms_encryption_context - (Optional, MapString, Available in 1.57.1+)
A KMS encryption context used to decrypt kms_encrypted_password
before creating or updating a cs kubernetes with kms_encrypted_password.
See Encryption Context. It is valid when kms_encrypted_password is
set.
• user_ca - (Optional, ForceNew) The path of a customized CA cert. You can
use this CA to sign client certs to connect to your cluster.
• enable_ssh - (Optional) Enable login to the node through SSH. Default:
false.
• install_cloud_monitor - (Optional) Install cloud monitor agent on ECS.
Default: true.
• cpu_policy - kubelet cpu policy. Options: static|none. Default: none.
• proxy_mode - Proxy mode is an option of kube-proxy. Options: iptables|ipvs.
Default: ipvs.
• image_id - Custom Image support. Must be based on CentOS7 or
AliyunLinux2.

» Addons
It is a new field since 1.75.0. You can specify the network plugin, log
component, ingress component and so on.
main.tf

dynamic "addons" {
  for_each = var.cluster_addons
  content {
    name   = lookup(addons.value, "name", var.cluster_addons)
    config = lookup(addons.value, "config", var.cluster_addons)
  }
}

variables.tf

// Flannel
variable "cluster_addons" {
  description = "Addon components in kubernetes cluster"

  type = list(object({
    name   = string
    config = string
  }))

  default = [
    {
      "name"   = "flannel",
      "config" = "",
    },
    {
      "name"   = "flexvolume",
      "config" = "",
    },
    {
      "name"   = "alicloud-disk-controller",
      "config" = "",
    },
    {
      "name"   = "logtail-ds",
      "config" = "{\"IngressDashboardEnabled\":\"true\"}",
    },
    {
      "name"   = "nginx-ingress-controller",
      "config" = "{\"IngressSlbNetworkType\":\"internet\"}",
    },
  ]
}

// Terway
variable "cluster_addons" {
  type = list(object({
    name   = string
    config = string
  }))

  default = [
    {
      "name"   = "terway-eniip",
      "config" = "",
    },
    {
      "name"   = "flexvolume",
      "config" = "",
    },
    {
      "name"   = "alicloud-disk-controller",
      "config" = "",
    },
    {
      "name"   = "logtail-ds",
      "config" = "{\"IngressDashboardEnabled\":\"true\"}",
    },
    {
      "name"   = "nginx-ingress-controller",
      "config" = "{\"IngressSlbNetworkType\":\"internet\"}",
    }
  ]
}
• logtail-ds - You can specify IngressDashboardEnabled and
sls_project_name in config. If you switch on IngressDashboardEnabled
and set sls_project_name, then logtail-ds will use sls_project_name as
the default log store.
• nginx-ingress-controller - You can specify IngressSlbNetworkType
in config. Options: internet|intranet.
You can get more information about addons on the ACK web console. When
you create an ACK cluster, you can get the openapi-spec on the submission
page before creating the cluster.

» Network
• pod_cidr - (Required) [Flannel Specific] The CIDR block for the pod
network when using Flannel.
• pod_vswitch_ids - (Required) [Terway Specific] The vswitches for the
pod network when using Terway. Be careful: the pod_vswitch_ids cannot be
equal to worker_vswitch_ids or master_vswitch_ids, but must be in the
same availability zones.
• new_nat_gateway - (Optional) Whether to create a new nat gateway while
creating kubernetes cluster. Default to true. The OpenAPI endpoints in Alibaba
Cloud are not all on the intranet, so turning this option on is a good choice.
• service_cidr - (Optional) The CIDR block for the service network. It
cannot duplicate the VPC CIDR or the CIDR used by Kubernetes
clusters in the VPC, and cannot be modified after creation.
• node_cidr_mask - (Optional) The node cidr mask, which specifies how many
pods can run on a single node. 24-28 is allowed. 24 means 2^(32-24)-1=255 and
the node can run at most 255 pods. Default: 24.
• slb_internet_enabled - (Optional) Whether to create an internet load
balancer for API Server. Default to true.
If you want to use Terway as the CNI network plugin, you need to specify the
pod_vswitch_ids field and addons with terway-eniip.
If you want to use Flannel as the CNI network plugin, you need to specify the
pod_cidr field and addons with flannel.

» Master params
• master_vswitch_ids - (Required) The vswitches used by master. You can
specify 3 or 5 vswitches because of the amount of masters. You can also
specify
• master_instance_types - (Required) The instance type of master node.
Specify one type for single AZ Cluster, three types for MultiAZ Cluster.
• master_instance_charge_type - (Optional) Master payment type.
PrePaid or PostPaid, defaults to PostPaid.
• master_period_unit - (Optional) Master payment period unit. Month or
Week, defaults to Month.
• master_period - (Optional) Master payment period. When period unit
is Month, it can be one of {"1", "2", "3", "4", "5", "6", "7", "8", "9", "12",
"24", "36", "48", "60"}. When period unit is Week, it can be one of {"1",
"2", "3", "4"}.
• master_auto_renew - (Optional) Enable master payment auto-renew,
defaults to false.
• master_auto_renew_period - (Optional) Master payment auto-renew
period. When period unit is Month, it can be one of {"1", "2", "3", "6", "12"}.
When period unit is Week, it can be one of {"1", "2", "3"}.
• master_disk_category - (Optional) The system disk category of master
node. Its valid values are cloud_ssd and cloud_efficiency. Default to
cloud_efficiency.
• master_disk_size - (Optional) The system disk size of master node. Its
valid value range is [20~500] in GB. Default to 20.

» Worker params
• worker_number - (Required) The worker node number of the kubernetes
cluster. Default to 3. It is limited up to 50 and if you want to enlarge it,
please apply for the white list or contact us.
• worker_vswitch_ids - (Required) The vswitches used by workers.
• worker_instance_types - (Required, ForceNew) The instance type of
worker node. Specify one type for single AZ Cluster, three types for
MultiAZ Cluster.
• worker_instance_charge_type - (Optional, Force new resource) Worker
payment type. PrePaid or PostPaid, defaults to PostPaid.
• worker_period_unit - (Optional) Worker payment period unit. Month or
Week, defaults to Month.
• worker_period - (Optional) Worker payment period. When period unit
is Month, it can be one of {"1", "2", "3", "4", "5", "6", "7", "8", "9", "12",
"24", "36", "48", "60"}. When period unit is Week, it can be one of {"1",
"2", "3", "4"}.
• worker_auto_renew - (Optional) Enable worker payment auto-renew,
defaults to false.
• worker_auto_renew_period - (Optional) Worker payment auto-renew
period. When period unit is Month, it can be one of {"1", "2", "3", "6", "12"}.
When period unit is Week, it can be one of {"1", "2", "3"}.
• worker_disk_category - (Optional) The system disk category of worker
node. Its valid values are cloud_ssd and cloud_efficiency. Default to
cloud_efficiency.
• worker_disk_size - (Optional) The system disk size of worker node. Its
valid value range is [20~32768] in GB. Default to 20.

» Computed params (No need to configure)


• kube_config - (Optional) The path of kube config, like ~/.kube/config.
• client_cert - (Optional) The path of client certificate, like ~/.kube/client-cert.pem.
• client_key - (Optional) The path of client key, like ~/.kube/client-key.pem.
• cluster_ca_cert - (Optional) The path of cluster ca certificate, like
~/.kube/cluster-ca-cert.pem.
• availability_zone - (Optional) The Zone where the new kubernetes cluster
will be located. If it is not specified, the vswitch_ids should be set,
and its value will be the vswitch’s zone.

» Removed params (Never Supported)


• master_instance_type - (Deprecated from version 1.16.0)(Required,
Force new resource) The instance type of master node.
• worker_instance_type - (Deprecated from version 1.16.0)(Required,
Force new resource) The instance type of worker node.
• vswitch_id - (Deprecated from version 1.16.0)(Force new resource) The
vswitch where new kubernetes cluster will be located. If it is not specified,
a new VPC and VSwitch will be built. It must be in the zone which
availability_zone specified.
• vswitch_ids - (Required, ForceNew) The vswitch where new kubernetes
cluster will be located. Specify one or more vswitch’s id. It must be in
the zone which availability_zone specified.
• force_update - (Optional, Available in 1.50.0+) Whether to force the
update of kubernetes cluster arguments. Default to false.
• is_outdated - (Optional) Whether to use outdated instance type. Default
to false.
• log_config - (Optional, ForceNew) A list of one element containing
information about the associated log store. It contains the following attributes:
– type - Type of collecting logs, only SLS is supported currently.
– project - Log Service project name, cluster logs will output to this
project.
• cluster_network_type - (Optional) The network that cluster uses, use
flannel or terway.

» Timeouts

NOTE: Available in 1.58.0+. The timeouts block allows you to specify
timeouts for certain actions:
• create - (Defaults to 90 mins) Used when creating the kubernetes cluster
(until it reaches the initial running status).
• update - (Defaults to 60 mins) Used when activating the kubernetes
cluster when necessary during update.
• delete - (Defaults to 60 mins) Used when terminating the kubernetes
cluster.

» Attributes Reference

The following attributes are exported:


• id - The ID of the container cluster.
• name - The name of the container cluster.
• availability_zone - The ID of availability zone.
• vpc_id - The ID of VPC where the current cluster is located.
• slb_intranet - The ID of private load balancer where the current cluster
master node is located.
• security_group_id - The ID of security group where the current cluster
worker node is located.
• nat_gateway_id - The ID of nat gateway used to launch kubernetes
cluster.
• master_nodes - List of cluster master nodes. It contains several attributes
to Block Nodes.
• worker_nodes - List of cluster worker nodes. It contains several attributes
to Block Nodes.
• connections - Map of kubernetes cluster connection information. It
contains several attributes to Block Connections.
• version - The Kubernetes server version for the cluster.

» Block Nodes

• id - ID of the node.
• name - Node name.
• private_ip - The private IP address of node.
• role - (Deprecated from version 1.9.4)

» Block Connections

• api_server_internet - API Server Internet endpoint.
• api_server_intranet - API Server Intranet endpoint.
• master_public_ip - Master node SSH IP address.
• service_domain - Service Access Domain.

» Import

Kubernetes cluster can be imported using the id, e.g. as shown below. Then
complete the main.tf according to the result of terraform plan.
$ terraform import alicloud_cs_kubernetes.main cluster-id

» alicloud_cs_kubernetes_autoscaler
This resource will help you to manage cluster-autoscaler in Kubernetes Cluster.
NOTE: The scaling group must use CentOS7 or AliyunLinux2 as base image.
NOTE: The cluster-autoscaler can only use the same size of instanceTypes in
one scaling group.
NOTE: Add Policy to RAM role of the node to deploy cluster-autoscaler if you
need.
NOTE: Available in 1.65.0+.

» Example Usage

cluster-autoscaler in Kubernetes Cluster

resource "alicloud_cs_kubernetes_autoscaler" "default" {
  cluster_id = "${var.cluster_id}"
  nodepools {
    id     = "scaling_group_id"
    taints = "c=d:NoSchedule"
    labels = "a=b"
  }
  utilization             = "${var.utilization}"
  cool_down_duration      = "${var.cool_down_duration}"
  defer_scale_in_duration = "${var.defer_scale_in_duration}"
}

» Argument Reference

The following arguments are supported:


• cluster_id - (Required) The id of kubernetes cluster.
• nodepools - (Required)
• nodepools.id - (Required) The scaling group id of the groups configured
for cluster-autoscaler.
• nodepools.taints - (Required) The taints for the nodes in scaling group.
• nodepools.labels - (Required) The labels for the nodes in scaling group.
• utilization - (Required) The utilization option of cluster-autoscaler.
• cool_down_duration - (Required) The cool_down_duration option of
cluster-autoscaler.
• defer_scale_in_duration - (Required) The defer_scale_in_duration
option of cluster-autoscaler.

» Timeouts

The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 90 mins) Used when creating cluster-autoscaler in
the kubernetes cluster (until it reaches the initial running status).
• update - (Defaults to 60 mins) Used when activating the cluster-autoscaler
in the kubernetes cluster when necessary during update.
• delete - (Defaults to 60 mins) Used when deleting cluster-autoscaler in
kubernetes cluster.

» alicloud_cs_managed_kubernetes
This resource will help you to manage a ManagedKubernetes Cluster in Alibaba
Cloud Kubernetes Service.
NOTE: Kubernetes clusters only support VPC networks, and the network needs
internet access while the cluster is being created. A NAT Gateway with an SNAT
entry configured for it ensures that a VPC network can access the internet. If
there is no NAT gateway in the VPC, you can set new_nat_gateway to "true" to
create one automatically.
NOTE: Creating a kubernetes cluster requires installing several packages and
takes about 15 minutes. Please be patient.
NOTE: From version 1.9.4, the provider supports downloading the kube config,
client certificate, client key and cluster ca certificate after the cluster is
created successfully, and you can put them into the specified location, like
'~/.kube/config'.
NOTE: From version 1.20.0, the provider supports disabling the internet load
balancer for API Server by setting slb_internet_enabled to false.
NOTE: If you want to manage Kubernetes, you can use Kubernetes Provider.
NOTE: You need to activate several other products and confirm the Authorization
Policy used by Container Service before using this resource. Please refer
to the Authorization management and Cluster management sections in the
Document Center.
NOTE: From version 1.72.0, some parameters have been removed from the
resource. You can check them below and re-import the cluster if necessary.

» Example Usage

// If vpc_id is not specified, the module will launch a new VPC
resource "alicloud_vpc" "vpc" {
  count      = var.vpc_id == "" ? 1 : 0
  cidr_block = var.vpc_cidr
}

// Launch several vswitches according to the vswitch CIDR blocks
resource "alicloud_vswitch" "vswitches" {
  count             = length(var.vswitch_ids) > 0 ? 0 : length(var.vswitch_cidrs)
  vpc_id            = var.vpc_id == "" ? join("", alicloud_vpc.vpc.*.id) : var.vpc_id
  cidr_block        = element(var.vswitch_cidrs, count.index)
  availability_zone = element(var.availability_zone, count.index)
}

// Launch several Terway pod vswitches according to the Terway vswitch CIDR blocks
resource "alicloud_vswitch" "terway_vswitches" {
  count             = length(var.terway_vswitch_ids) > 0 ? 0 : length(var.terway_vswitch_cir
  vpc_id            = var.vpc_id == "" ? join("", alicloud_vpc.vpc.*.id) : var.vpc_id
  cidr_block        = element(var.terway_vswitch_cirds, count.index)
  availability_zone = element(var.availability_zone, count.index)
}

resource "alicloud_cs_managed_kubernetes" "k8s" {
  count                 = var.k8s_number
  worker_vswitch_ids    = length(var.vswitch_ids) > 0 ? split(",", join(",", var.vswitch_ids
  pod_vswitch_ids       = length(var.terway_vswitch_ids) > 0 ? split(",", join(",", var.terw
  worker_instance_types = var.worker_instance_types
  worker_number         = var.worker_number
  node_cidr_mask        = var.node_cidr_mask
  enable_ssh            = var.enable_ssh
  install_cloud_monitor = var.install_cloud_monitor
  cpu_policy            = var.cpu_policy
  proxy_mode            = var.proxy_mode
  password              = var.password
  service_cidr          = var.service_cidr
  # version can not be defined in variables.tf. Options: 1.16.6-aliyun.1|1.14.8-aliyun.1
  version               = "1.16.6-aliyun.1"
  dynamic "addons" {
    for_each = var.cluster_addons
    content {
      name   = lookup(addons.value, "name", var.cluster_addons)
      config = lookup(addons.value, "config", var.cluster_addons)
    }
  }
}

» Argument Reference

The following arguments are supported:

» Global params
• name - (Optional) The kubernetes cluster’s name. It is unique in one
Alicloud account.
• name_prefix - (Optional) The kubernetes cluster name’s prefix. It
conflicts with name. If it is specified, terraform will use it to build a
unique cluster name. Default to "Terraform-Creation".
• version - (Optional, Available since 1.70.1) Desired Kubernetes version. If
you do not specify a value, the latest available version at resource creation
is used and no upgrades will occur unless you set a higher version number.
The value must be configured and increased to upgrade the version when
desired. Downgrades are not supported by ACK.
• password - (Required, Sensitive) The password for SSH login to cluster nodes.
You have to specify one of the password, key_name or kms_encrypted_password
fields.
• key_name - (Required) The keypair for SSH login to cluster nodes; you have
to create it first. You have to specify one of the password, key_name or
kms_encrypted_password fields.
• kms_encrypted_password - (Required, Available in 1.57.1+) A KMS-encrypted
password used for a cs kubernetes. You have to specify one of the
password, key_name or kms_encrypted_password fields.
• kms_encryption_context - (Optional, MapString, Available in 1.57.1+)
A KMS encryption context used to decrypt kms_encrypted_password
before creating or updating a cs kubernetes with kms_encrypted_password.
See Encryption Context. It is valid when kms_encrypted_password is
set.
• user_ca - (Optional, ForceNew) The path of a customized CA cert. You can
use this CA to sign client certs to connect to your cluster.
• enable_ssh - (Optional) Enable login to the node through SSH. Default:
false.
• install_cloud_monitor - (Optional) Install cloud monitor agent on ECS.
Default: true.
• cpu_policy - kubelet cpu policy. Options: static|none. Default: none.
• proxy_mode - Proxy mode is an option of kube-proxy. Options: iptables|ipvs.
Default: ipvs.
• image_id - Custom Image support. Must be based on CentOS7 or
AliyunLinux2.

» Addons
It is a new field since 1.75.0. You can specify the network plugin, log
component, ingress component and so on.
main.tf

dynamic "addons" {
  for_each = var.cluster_addons
  content {
    name   = lookup(addons.value, "name", var.cluster_addons)
    config = lookup(addons.value, "config", var.cluster_addons)
  }
}

variables.tf

// Flannel
variable "cluster_addons" {
  description = "Addon components in kubernetes cluster"

  type = list(object({
    name   = string
    config = string
  }))

  default = [
    {
      "name"   = "flannel",
      "config" = "",
    },
    {
      "name"   = "flexvolume",
      "config" = "",
    },
    {
      "name"   = "alicloud-disk-controller",
      "config" = "",
    },
    {
      "name"   = "logtail-ds",
      "config" = "{\"IngressDashboardEnabled\":\"true\"}",
    },
    {
      "name"   = "nginx-ingress-controller",
      "config" = "{\"IngressSlbNetworkType\":\"internet\"}",
    },
  ]
}

// Terway
variable "cluster_addons" {
  type = list(object({
    name   = string
    config = string
  }))

  default = [
    {
      "name"   = "terway-eniip",
      "config" = "",
    },
    {
      "name"   = "flexvolume",
      "config" = "",
    },
    {
      "name"   = "alicloud-disk-controller",
      "config" = "",
    },
    {
      "name"   = "logtail-ds",
      "config" = "{\"IngressDashboardEnabled\":\"true\"}",
    },
    {
      "name"   = "nginx-ingress-controller",
      "config" = "{\"IngressSlbNetworkType\":\"internet\"}",
    }
  ]
}
• logtail-ds - You can specify IngressDashboardEnabled and
sls_project_name in config. If you switch on IngressDashboardEnabled
and set sls_project_name, then logtail-ds will use sls_project_name as
the default log store.
• nginx-ingress-controller - You can specify IngressSlbNetworkType
in config. Options: internet|intranet.
You can get more information about addons on the ACK web console. When
you create an ACK cluster, you can get the openapi-spec on the submission
page before creating the cluster.

» Network
• pod_cidr - (Required) [Flannel Specific] The CIDR block for the pod
network when using Flannel.
• pod_vswitch_ids - (Required) [Terway Specific] The vswitches for the
pod network when using Terway. Be careful: pod_vswitch_ids can not be
equal to worker_vswitch_ids, but they must be in the same availability zones.
• new_nat_gateway - (Optional) Whether to create a new nat gateway while
creating kubernetes cluster. Default to true. The OpenAPI endpoints in
Alibaba Cloud are not all on the intranet, so turning this option on is a
good choice.
• service_cidr - (Optional) The CIDR block for the service network. It
cannot be duplicated with the VPC CIDR and CIDR used by Kubernetes
cluster in VPC, and cannot be modified after creation.
• node_cidr_mask - (Optional) The node cidr block, which specifies how many
pods can run on a single node. 24-28 is allowed. 24 means 2^(32-24) - 1 = 255
and the node can run at most 255 pods. default: 24
• slb_internet_enabled - (Optional) Whether to create internet load
balancer for API Server. Default to true.
If you want to use Terway as CNI network plugin, you need to specify the
pod_vswitch_ids field and addons with terway-eniip.
If you want to use Flannel as CNI network plugin, you need to specify the
pod_cidr field and addons with flannel.

» Worker params

• worker_number - (Required) The worker node number of the kubernetes
cluster. Default to 3. It is limited up to 50 and if you want to enlarge it,
please apply for whitelisting or contact us.
• worker_vswitch_ids - (Required) The vswitches used by workers.
• worker_instance_types - (Required, ForceNew) The instance type of
worker node. Specify one type for single AZ Cluster, three types for
MultiAZ Cluster.
• worker_instance_charge_type - (Optional, Force new resource) Worker
payment type. PrePaid or PostPaid, defaults to PostPaid.
• worker_period_unit - (Optional) Worker payment period unit. Month or
Week, defaults to Month.
• worker_period - (Optional) Worker payment period. When period unit
is Month, it can be one of {"1", "2", "3", "4", "5", "6", "7", "8", "9", "12",
"24", "36", "48", "60"}. When period unit is Week, it can be one of {"1",
"2", "3", "4"}.
• worker_auto_renew - (Optional) Enable worker payment auto-renew,
defaults to false.
• worker_auto_renew_period - (Optional) Worker payment auto-renew
period. When period unit is Month, it can be one of {"1", "2", "3", "6", "12"}.
When period unit is Week, it can be one of {"1", "2", "3"}.
• worker_disk_category - (Optional) The system disk category of worker
node. Its valid values are cloud_ssd and cloud_efficiency. Default to
cloud_efficiency.
• worker_disk_size - (Optional) The system disk size of worker node. Its
valid value range is [20~32768] in GB. Default to 20.

» Computed params (No need to configure)


• kube_config - (Optional) The path of kube config, like ~/.kube/config.
• client_cert - (Optional) The path of client certificate, like ~/.kube/client-cert.pem.
• client_key - (Optional) The path of client key, like ~/.kube/client-key.pem.
• cluster_ca_cert - (Optional) The path of cluster ca certificate, like
~/.kube/cluster-ca-cert.pem
• availability_zone - (Optional) The Zone where new kubernetes cluster
will be located. If it is not specified, the vswitch_ids should be set, and
its value will be the vswitch’s zone.

» Removed params (Never Supported)


• worker_instance_type - (Deprecated from version 1.16.0)(Required,
Force new resource) The instance type of worker node.
• vswitch_id - (Deprecated from version 1.16.0)(Force new resource) The
vswitch where new kubernetes cluster will be located. If it is not specified,
a new VPC and VSwitch will be built. It must be in the zone which
availability_zone specified.
• vswitch_ids - (Required, ForceNew) The vswitch where new kubernetes
cluster will be located. Specify one or more vswitch’s id. It must be in
the zone which availability_zone specified.
• force_update - (Optional, Available in 1.50.0+) Whether to force the
update of kubernetes cluster arguments. Default to false.
• is_outdated - (Optional) Whether to use outdated instance type. Default
to false.
• log_config - (Optional, ForceNew) A list of one element containing
information about the associated log store. It contains the following attributes:
– type - Type of collecting logs, only SLS is supported currently.
– project - Log Service project name, cluster logs will output to this
project.
• cluster_network_type - (Optional) The network that cluster uses, use
flannel or terway.

» Timeouts

NOTE: Available in 1.58.0+. The timeouts block allows you to specify
timeouts for certain actions:
• create - (Defaults to 90 mins) Used when creating the kubernetes cluster
(until it reaches the initial running status).
• update - (Defaults to 60 mins) Used when activating the kubernetes
cluster when necessary during update.
• delete - (Defaults to 60 mins) Used when terminating the kubernetes
cluster.

» Attributes Reference

The following attributes are exported:


• id - The ID of the container cluster.
• name - The name of the container cluster.
• availability_zone - The ID of availability zone.
• vpc_id - The ID of VPC where the current cluster is located.
• slb_intranet - The ID of private load balancer where the current cluster
master node is located.
• security_group_id - The ID of security group where the current cluster
worker node is located.
• nat_gateway_id - The ID of nat gateway used to launch kubernetes
cluster.
• worker_nodes - List of cluster worker nodes. It contains several attributes
to Block Nodes.
• connections - Map of kubernetes cluster connection information. It
contains several attributes to Block Connections.
• version - The Kubernetes server version for the cluster.

» Block Nodes

• id - ID of the node.
• name - Node name.
• private_ip - The private IP address of node.
• role - (Deprecated from version 1.9.4)

» Block Connections

• api_server_internet - API Server Internet endpoint.


• api_server_intranet - API Server Intranet endpoint.
• service_domain - Service Access Domain.

» Import

Kubernetes cluster can be imported using the id, as in the command below.
Then complete the main.tf according to the result of terraform plan.
$ terraform import alicloud_cs_managed_kubernetes.main cluster-id

» alicloud_cs_serverless_kubernetes
This resource will help you to manage a Serverless Kubernetes Cluster. The
cluster is the same as the container service created by the web console.
NOTE: Serverless Kubernetes cluster only supports VPC network and it can
access internet while creating kubernetes cluster. A Nat Gateway with a SNAT
configured for it can ensure that one VPC network can access the internet. If
there is no nat gateway in the VPC, you can set new_nat_gateway to "true" to
create one automatically.
NOTE: Creating a serverless kubernetes cluster needs to install several
packages and it will take about 5 minutes. Please be patient.
NOTE: The provider supports downloading the kube config, client certificate,
client key and cluster ca certificate after creating the cluster successfully,
and you can put them into the specified location, like '~/.kube/config'.
NOTE: If you want to manage serverless Kubernetes, you can use Kubernetes
Provider.
NOTE: You need to activate several other products and confirm Authorization
Policy used by Container Service before using this resource. Please refer
to the Authorization management and Cluster management sections in the
Document Center.
NOTE: Available in 1.58.0+

» Example Usage

Basic Usage
variable "name" {
  default = "my-first-k8s"
}

# The data source label must match the reference used in alicloud_vswitch below.
data "alicloud_zones" "default" {
  available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "10.1.0.0/21"
}

resource "alicloud_vswitch" "default" {
  name              = "${var.name}"
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "10.1.1.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
}

resource "alicloud_cs_serverless_kubernetes" "serverless" {
  name_prefix                    = "${var.name}"
  vpc_id                         = "${alicloud_vpc.default.id}"
  vswitch_id                     = "${alicloud_vswitch.default.id}"
  new_nat_gateway                = true
  endpoint_public_access_enabled = true
  private_zone                   = false
  deletion_protection            = false
  tags = {
    "k-aa" = "v-aa"
    "k-bb" = "v-aa"
  }
}

» Argument Reference

The following arguments are supported:

• name - (Optional) The kubernetes cluster’s name. It must be unique within
one Alicloud account.
• name_prefix - (Optional) The kubernetes cluster name’s prefix. It
conflicts with name. If it is specified, terraform will use it to build a
unique cluster name. Default to "Terraform-Creation".
• vpc_id - (Required, ForceNew) The vpc where new kubernetes cluster
will be located. Specify one vpc’s id; if it is not specified, a new VPC will
be built.
• vswitch_id - (Required, ForceNew) The vswitch where new kubernetes
cluster will be located. Specify one vswitch’s id; if it is not specified,
a new VPC and VSwitch will be built. It must be in the zone which
availability_zone specified.
• new_nat_gateway - (Optional) Whether to create a new nat gateway while
creating kubernetes cluster. Default to true.
• endpoint_public_access_enabled - (Optional, ForceNew) Whether to
create an internet EIP for the API Server. Default to false.
• private_zone - (Optional, ForceNew) Whether to create an internet EIP for
the API Server. Default to false.
• deletion_protection - (Optional, ForceNew) Whether to enable
deletion protection or not.
– true: Enable deletion protection.
– false: Disable deletion protection.
• force_update - (Optional) Default false. When you want to change vpc_id
and vswitch_id, you have to set this field to true, then the cluster will
be recreated.
• tags - (Optional) Default nil. A map of tags assigned to the kubernetes
cluster.
• kube_config - (Optional) The path of kube config, like ~/.kube/config.
• client_cert - (Optional) The path of client certificate, like ~/.kube/client-cert.pem.
• client_key - (Optional) The path of client key, like ~/.kube/client-key.pem.
• cluster_ca_cert - (Optional) The path of cluster ca certificate, like
~/.kube/cluster-ca-cert.pem

» Timeouts

NOTE: Available in 1.58.0+


The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 60 mins) Used when creating the kubernetes cluster
(until it reaches the initial running status).
• delete - (Defaults to 30 mins) Used when terminating the kubernetes
cluster.

» Attributes Reference

The following attributes are exported:


• id - The ID of the container cluster.
• name - The name of the container cluster.
• vpc_id - The ID of VPC where the current cluster is located.
• vswitch_id - The ID of VSwitch where the current cluster is located.
• security_group_id - The ID of security group where the current cluster
worker node is located.
• deletion_protection - Whether enable the deletion protection or not.

» Import

Serverless Kubernetes cluster can be imported using the id, e.g.


$ terraform import alicloud_cs_serverless_kubernetes.main ce4273f9156874b46bb

» alicloud_cs_swarm
DEPRECATED: This resource manages swarm cluster, which is being
deprecated and will be replaced by Kubernetes cluster.
This resource will help you to manage a Swarm Cluster.
NOTE: Swarm cluster only supports VPC network and you can specify a VPC
network by field vswitch_id.

» Example Usage

Basic Usage
resource "alicloud_cs_swarm" "my_cluster" {
  password      = "Yourpassword1234"
  instance_type = "ecs.n4.small"
  name          = "ClusterFromAlicloud"
  node_number   = 2
  disk_category = "cloud_efficiency"
  disk_size     = 20
  cidr_block    = "172.18.0.0/24"
  image_id      = "${var.image_id}"
  vswitch_id    = "${var.vswitch_id}"
}

» Argument Reference

The following arguments are supported:


• name - The container cluster’s name. It must be unique within one Alicloud
account.
• name_prefix - The container cluster name’s prefix. It conflicts with
name. If it is specified, terraform will use it to build a unique cluster
name. Default to 'Terraform-Creation'.
• size - Field 'size' has been deprecated from provider version 1.9.1. New
field 'node_number' replaces it.
• node_number - The ECS node number of the container cluster. Its value
choices are 1~50, and default to 1.
• cidr_block - (Required, ForceNew) The CIDR block for the Container.
It can not be same as the CIDR used by the VPC. Valid value:
– 192.168.0.0/16
– 172.19-30.0.0/16
– 10.0.0.0/16
System reserved private network address: 172.16/17/18/31.0.0/16. Maximum
number of hosts allowed in the cluster: 256.
• image_id - (ForceNew) The image ID of ECS instance node used. Defaults
to an image allocated automatically by the system.
• instance_type - (Required, ForceNew) The type of ECS instance node.
• is_outdated - (Optional) Whether to use outdated instance type. Default
to false.
• password - (Required, ForceNew, Sensitive) The password of ECS instance
node.
• disk_category - (ForceNew) The data disk category of ECS instance
node. Its valid values are cloud, cloud_ssd, cloud_essd, ephemeral_essd
and cloud_efficiency. Default to cloud_efficiency.
• disk_size - (ForceNew) The data disk size of ECS instance node. Its
valid value is 20~32768 GB. Default to 20.
• vswitch_id - (Required, ForceNew) The ID of the VSwitch where the
cluster is located. If it is not specified, the container cluster’s network
mode will be Classic.
• release_eip - Whether to release EIP after creating swarm cluster
successfully. Default to false.
• need_slb - (ForceNew) Whether to create the default simple routing Server
Load Balancer instance for the cluster. The default value is true.

» Attributes Reference

The following attributes are exported:


• id - The ID of the container cluster.
• name - The name of the container cluster.

• size - It has been deprecated from provider version 1.9.1. New field
’node_number’ replaces it.
• node_number - The node number.
• vpc_id - The ID of VPC where the current cluster is located.
• vswitch_id - The ID of VSwitch where the current cluster is located.
• slb_id - The ID of load balancer where the current cluster worker node
is located.
• security_group_id - The ID of security group where the current cluster
worker node is located.
• agent_version - The nodes agent version.
• instance_type - The instance type of nodes.
• disk_category - The data disk category of nodes.
• disk_size - The data disk size of nodes.
• nodes - List of cluster nodes. It contains several attributes to Block
Nodes.

» Block Nodes

• id - ID of the node.
• name - Node name.
• private_ip - The private IP address of node.
• eip - The Elastic IP address of node.
• status - The node current status. It is different with instance status.

» Import

Swarm cluster can be imported using the id, e.g.


$ terraform import alicloud_cs_swarm.foo cf123456789

» alicloud_cr_namespaces
This data source provides a list of Container Registry namespaces on Alibaba
Cloud.
NOTE: Available in v1.35.0+

» Example Usage

# Declare the data source
data "alicloud_cr_namespaces" "my_namespaces" {
  name_regex  = "my-namespace"
  output_file = "my-namespace-json"
}

output "output" {
  value = "${data.alicloud_cr_namespaces.my_namespaces.namespaces}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter results by namespace
name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of matched Container Registry namespaces. Its element is a
namespace name.
• names - A list of namespace names.
• namespaces - A list of matched Container Registry namespaces. Each
element contains the following attributes:
– name - Name of Container Registry namespace.
– auto_create - Boolean. When it is set to true, repositories are
automatically created when pushing new images. If it is set to false, you
create the repository for images before pushing.
– default_visibility - PUBLIC or PRIVATE, default repository
visibility in this namespace.

» alicloud_cr_repos
This data source provides a list of Container Registry repositories on Alibaba
Cloud.
NOTE: Available in v1.35.0+

» Example Usage

# Declare the data source
data "alicloud_cr_repos" "my_repos" {
  name_regex  = "my-repos"
  output_file = "my-repo-json"
}

output "output" {
  value = "${data.alicloud_cr_repos.my_repos.repos}"
}

» Argument Reference

The following arguments are supported:


• namespace - (Optional) Name of container registry namespace where the
repositories are located in.
• name_regex - (Optional) A regex string to filter results by repository
name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• enable_details - (Optional) Boolean, false by default, only repository
attributes are exported. Set to true if the domain list and tags belonging to
this repository are needed. See tags in attributes.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of matched Container Registry Repositories. Its element is set
to names.
• names - A list of repository names.
• repos - A list of matched Container Registry Repositories. Each element
contains the following attributes:
– namespace - Name of container registry namespace where repo is
located.
– name - Name of container registry repository.
– summary - The repository general information.
– repo_type - PUBLIC or PRIVATE, repository’s visibility.
– domain_list - The repository domain list.
∗ public - Domain of public endpoint.
∗ internal - Domain of internal endpoint, only in some regions.
∗ vpc - Domain of vpc endpoint.
– tags - A list of image tags belonging to this repository. Each contains
several attributes, see Block Tag.

» Block Tag

• tag - Tag of this image.


• image_id - Id of this image.
• digest - Digest of this image.
• status - Status of this image.
• image_size - Size of this image, in bytes.
• image_update - Last update time of this image, unix time in nanoseconds.
• image_create - Create time of this image, unix time in nanoseconds.

» alicloud_cr_namespace
This resource will help you to manage Container Registry namespaces.
NOTE: Available in v1.34.0+.
NOTE: You need to set your registry password in Container Registry console
before using this resource.

» Example Usage

Basic Usage
resource "alicloud_cr_namespace" "my-namespace" {
  name               = "my-namespace"
  auto_create        = false
  default_visibility = "PUBLIC"
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) Name of Container Registry namespace.
• auto_create - (Required) Boolean. When it is set to true, repositories are
automatically created when pushing new images. If it is set to false, you
create the repository for images before pushing.
• default_visibility - (Required) PUBLIC or PRIVATE, default repository
visibility in this namespace.

» Attributes Reference

The following attributes are exported:

• id - The id of Container Registry namespace. The value is same as its
name.

» Import

Container Registry namespace can be imported using the namespace, e.g.


$ terraform import alicloud_cr_namespace.default my-namespace

» alicloud_cr_repo
This resource will help you to manage Container Registry repositories.
NOTE: Available in v1.35.0+.
NOTE: You need to set your registry password in Container Registry console
before using this resource.

» Example Usage

Basic Usage
resource "alicloud_cr_namespace" "my-namespace" {
  name               = "my-namespace"
  auto_create        = false
  default_visibility = "PUBLIC"
}

resource "alicloud_cr_repo" "my-repo" {
  namespace = "${alicloud_cr_namespace.my-namespace.name}"
  name      = "my-repo"
  summary   = "this is summary of my new repo"
  repo_type = "PUBLIC"
  detail    = "this is a public repo"
}

» Argument Reference

The following arguments are supported:


• namespace - (Required, ForceNew) Name of container registry namespace
where repository is located.
• name - (Required, ForceNew) Name of container registry repository.

• summary - (Required) The repository general information. It can contain
1 to 80 characters.
• repo_type - (Required) PUBLIC or PRIVATE, repo’s visibility.
• detail - (Optional) The repository specific information. MarkDown
format is supported, and the length limit is 2000.

» Attributes Reference

The following attributes are exported:


• id - The id of Container Registry repository. The value is in format
namespace/repository.
• domain_list - The repository domain list.
– public - Domain of public endpoint.
– internal - Domain of internal endpoint, only in some regions.
– vpc - Domain of vpc endpoint.

» Import

Container Registry repository can be imported using the namespace/repository,
e.g.
$ terraform import alicloud_cr_repo.default my-namespace/my-repo
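
A review check over the exposure-related arguments documented in the sections above (added example, not part of the provider documentation): it reads a plan in the JSON form written by `terraform show -json` and lists resources whose API server, node SSH, ingress load balancer or registry visibility would be internet-facing, falling back to the defaults this page states when an argument is unset. The sample plan, the resource addresses and the `RULES` table are constructed for illustration, and the rules assume that `slb_internet_enabled`, `enable_ssh` and `addons` belong to alicloud_cs_managed_kubernetes, the resource named in the import example of that section.

```python
import json

# (resource type, argument, exposing value, default when unset, meaning).
# Arguments and defaults come from the argument references on this page;
# a default of None means the argument is Required and has no fallback.
RULES = [
    ("alicloud_cs_managed_kubernetes", "slb_internet_enabled", True, True,
     "internet load balancer is created for the API Server"),
    ("alicloud_cs_managed_kubernetes", "enable_ssh", True, False,
     "login to the nodes through SSH is enabled"),
    ("alicloud_cs_serverless_kubernetes", "endpoint_public_access_enabled",
     True, False, "internet EIP is created for the API Server"),
    ("alicloud_cr_namespace", "default_visibility", "PUBLIC", None,
     "repositories in this namespace default to PUBLIC"),
    ("alicloud_cr_repo", "repo_type", "PUBLIC", None, "repository is PUBLIC"),
]


def addon_findings(address, addons):
    """Inspect the JSON string carried in the `config` field of each addon."""
    out = []
    for addon in addons or []:
        name, raw = addon.get("name"), addon.get("config") or ""
        if not raw:
            continue  # "" is the usual value, e.g. for flannel or flexvolume
        try:
            cfg = json.loads(raw)
        except ValueError:
            out.append((address, "addons", f"{name}: config is not valid JSON"))
            continue
        if (name == "nginx-ingress-controller" and isinstance(cfg, dict)
                and cfg.get("IngressSlbNetworkType") == "internet"):
            out.append((address, "addons",
                        f"{name}: ingress SLB is internet-facing"))
    return out


def findings(plan):
    """Return (address, argument, meaning) for every exposure in the plan."""
    out = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if after is None:  # the resource is being destroyed
            continue
        for rtype, arg, exposing, default, meaning in RULES:
            if rc.get("type") != rtype:
                continue
            explicit = after.get(arg)
            # A null or missing value falls back to the default stated on the page.
            value = default if explicit is None else explicit
            if value == exposing:
                note = "" if explicit is not None else " (default, not set in the plan)"
                out.append((rc["address"], arg, meaning + note))
        if rc.get("type") == "alicloud_cs_managed_kubernetes":
            out.extend(addon_findings(rc["address"], after.get("addons")))
    return out


def _rc(address, after, actions=("create",)):
    """Build one constructed resource_changes entry for the sample plan."""
    return {"address": address, "type": address.split(".")[0],
            "change": {"actions": list(actions), "after": after}}


# Constructed sample; a real plan comes from json.load() on the
# output of `terraform show -json <planfile>`.
SAMPLE_PLAN = {"resource_changes": [
    _rc("alicloud_cs_managed_kubernetes.k8s", {
        "enable_ssh": False,
        "slb_internet_enabled": None,
        "addons": [
            {"name": "flannel", "config": ""},
            {"name": "nginx-ingress-controller",
             "config": json.dumps({"IngressSlbNetworkType": "internet"})},
        ]}),
    _rc("alicloud_cs_serverless_kubernetes.serverless",
        {"endpoint_public_access_enabled": True}),
    _rc("alicloud_cr_namespace.my-namespace", {"default_visibility": "PUBLIC"}),
    _rc("alicloud_cr_repo.my-repo", {"repo_type": "PRIVATE"}),
    _rc("alicloud_cr_repo.old", None, actions=("delete",)),
]}

if __name__ == "__main__":
    for address, arg, meaning in findings(SAMPLE_PLAN):
        print(f"{address}: {arg}: {meaning}")
```

A finding is a prompt for review rather than a verdict: an internet-facing ingress or a PUBLIC repository can be intended, and the check only makes sure it was chosen rather than inherited from a default.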

» alicloud_datahub_project
The project is the basic unit of resource management in Datahub Service and
is used to isolate and control resources. It contains a set of Topics. You can
manage the datahub sources of an application by using projects. Refer to details.
NOTE: Currently Datahub service is only supported in the regions:
cn-beijing, cn-hangzhou, cn-shanghai, cn-shenzhen, ap-southeast-1.

» Example Usage

Basic Usage
resource "alicloud_datahub_project" "example" {
  name    = "tf_datahub_project"
  comment = "created by terraform"
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) The name of the datahub project. Its length
is limited to 3-32 and only characters such as letters, digits and ’_’ are
allowed. It is case-insensitive.
• comment - (Optional) Comment of the datahub project. It cannot be
longer than 255 characters.

» Attributes Reference

The following attributes are exported:


• id - The ID of the datahub project. It is the same as its name.
• create_time - Create time of the datahub project. It is a human-readable
string rather than 64-bits UTC.
• last_modify_time - Last modify time of the datahub project. It is the
same as create_time at the beginning. It is also a human-readable string
rather than 64-bits UTC.

» Import

Datahub project can be imported using the name or ID, e.g.


$ terraform import alicloud_datahub_project.example tf_datahub_project

» alicloud_datahub_subscription
The subscription is the basic unit of resource usage in Datahub Service under
Publish/Subscribe model. You can manage the relationships between user and
topics by using subscriptions. Refer to details.

» Example Usage

Basic Usage
resource "alicloud_datahub_subscription" "example" {
  project_name = "tf_datahub_project"
  topic_name   = "tf_datahub_topic"
  comment      = "created by terraform"
}

» Argument Reference

The following arguments are supported:


• project_name - (Required, ForceNew) The name of the datahub project
that the subscription belongs to. Its length is limited to 3-32 and only
characters such as letters, digits and ’_’ are allowed. It is case-insensitive.
• topic_name - (Required, ForceNew) The name of the datahub topic that
the subscription belongs to. Its length is limited to 1-128 and only
characters such as letters, digits and ’_’ are allowed. It is case-insensitive.
• comment - (Optional) Comment of the datahub subscription. It cannot be
longer than 255 characters.

» Attributes Reference

The following attributes are exported:


• id - The ID of the datahub subscription as terraform resource. It is
composed of project name, topic name and practical subscription ID generated
on the server side. Format: <project_name>:<topic_name>:<sub_id>.
• sub_id - The identity of the subscription, generated on the server side.
• create_time - Create time of the datahub subscription. It is a
human-readable string rather than 64-bits UTC.
• last_modify_time - Last modify time of the datahub subscription. It is
the same as create_time at the beginning. It is also a human-readable
string rather than 64-bits UTC.

» Import

Datahub subscription can be imported using the ID, e.g.


$ terraform import alicloud_datahub_subscription.example tf_datahub_project:tf_datahub_topic

» alicloud_datahub_topic
The topic is the basic unit of Datahub data source and is used to define one
kind of data or stream. It contains a set of subscriptions. You can manage the
datahub source of an application by using topics. Refer to details.

» Example Usage

Basic Usage

• BLOB Topic
resource "alicloud_datahub_topic" "example" {
  name         = "tf_datahub_topic"
  project_name = "tf_datahub_project"
  record_type  = "BLOB"
  shard_count  = 3
  life_cycle   = 7
  comment      = "created by terraform"
}
• Tuple Topic
resource "alicloud_datahub_topic" "example" {
  name         = "tf_datahub_topic"
  project_name = "tf_datahub_project"
  record_type  = "TUPLE"
  record_schema = {
    bigint_field    = "BIGINT"
    timestamp_field = "TIMESTAMP"
    string_field    = "STRING"
    double_field    = "DOUBLE"
    boolean_field   = "BOOLEAN"
  }
  shard_count = 3
  life_cycle  = 7
  comment     = "created by terraform"
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) The name of the datahub topic. Its length
is limited to 1-128 and only characters such as letters, digits and ’_’ are
allowed. It is case-insensitive.
• project_name - (Required, ForceNew) The name of the datahub project
that this topic belongs to. It is case-insensitive.
• shard_count - (Optional, ForceNew) The number of shards this topic
contains. The permitted range of values is [1, 10]. The default value is 1.
• life_cycle - (Optional) How many days this topic lives. The permitted
range of values is [1, 7]. The default value is 3.
• record_type - (Optional, ForceNew) The type of this topic. Its value must
be one of {BLOB, TUPLE}. For BLOB topic, data will be organized as
binary and encoded by BASE64. For TUPLE topic, data has fixed schema.
The default value is "TUPLE" with a schema {STRING}.
• record_schema - (Optional, ForceNew) Schema of this topic, required
only for TUPLE topic. Supported data types (case-insensitive) are:
– BIGINT
– STRING
– BOOLEAN
– DOUBLE
– TIMESTAMP
• comment - (Optional) Comment of the datahub topic. It cannot be longer
than 255 characters.
Notes: Currently life_cycle can not be modified; this will be supported in
the near future.

» Attributes Reference

The following attributes are exported:


• id - The ID of the datahub topic. It was composed of project name and
its name, and formats to <project_name>:<name>.
• create_time - Create time of the datahub topic. It is a human-readable
string rather than 64-bits UTC.
• last_modify_time - Last modify time of the datahub topic. It is the
same as create_time at the beginning. It is also a human-readable string
rather than 64-bits UTC.

» Import

Datahub topic can be imported using the ID, e.g.


$ terraform import alicloud_datahub_topic.example tf_datahub_project:tf_datahub_topic

» alicloud_drds_instances
The alicloud_drds_instances data source provides a collection of DRDS
instances available in Alibaba Cloud account. Filters support regular expression
for the instance name, searches by tags, and other filters which are listed below.
NOTE: Available in 1.35.0+.

» Example Usage

data "alicloud_drds_instances" "drds_instances_ds" {
  name_regex = "drds-\\d+"
  # ids takes a list of DRDS instance IDs
  ids        = ["drdsfacbz68g3299test"]
}
output "first_db_instance_id" {
  # id is the exported attribute that holds the DRDS instance ID
  value = "${data.alicloud_drds_instances.drds_instances_ds.instances.0.id}"
}

» Argument Reference

The following arguments are supported:


• name_regex - A regex string to filter results by instance name.
• ids - (Optional) A list of DRDS instance IDs.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of DRDS instance IDs.
• descriptions - A list of DRDS descriptions.
• instances - A list of DRDS instances.
– id - The ID of the DRDS instance.
– description - The DRDS instance description.
– name - The name of the RDS instance.
– status - Status of the instance.
– type - The DRDS Instance type.
– create_time - Creation time of the instance.
– network_type - Classic for public classic network or VPC for private
network.
– zone_id - Zone ID the instance belongs to.
– version - The DRDS Instance version.
– ids - A list of DRDS instance IDs.

» alicloud_drds_instance
Distributed Relational Database Service (DRDS) is a lightweight (stateless),
flexible, stable, and efficient middleware product independently developed by
Alibaba Group to resolve scalability issues with single-host relational databases.
With its compatibility with MySQL protocols and syntaxes, DRDS enables
database/table sharding, smooth scaling, configuration upgrade/downgrade,
transparent read/write splitting, and distributed transactions, providing O&M
capabilities for distributed databases throughout their entire lifecycle.
For information about DRDS and how to use it, see What is DRDS.

NOTE: At present, DRDS instance is only supported in the regions:
cn-shenzhen, cn-beijing, cn-hangzhou, cn-hongkong, cn-qingdao.
NOTE: Currently, this resource only supports Domestic Site Account.

» Example Usage

resource "alicloud_drds_instance" "default" {
  description          = "drds instance"
  instance_charge_type = "PostPaid"
  zone_id              = "cn-hangzhou-e"
  vswitch_id           = "vsw-bp1jlu3swk8rq2yoi40ey"
  instance_series      = "drds.sn1.4c8g"
  specification        = "drds.sn1.4c8g.8C16G"
}

» Argument Reference

The following arguments are supported:


• description - (Required) Description of the DRDS instance. This
description can be a string of 2 to 256 characters.
• zone_id - (Optional, ForceNew) The Zone to launch the DRDS instance.
• instance_charge_type - (Optional, ForceNew) Valid values are PrePaid,
PostPaid, Default to PostPaid.
• vswitch_id - (Optional, ForceNew) The VSwitch ID to launch in.
• instance_series - (Required, ForceNew) User-defined DRDS instance
node spec. Value range:
– drds.sn1.4c8g for DRDS instance Starter version;
– drds.sn1.8c16g for DRDS instance Standard edition;
– drds.sn1.16c32g for DRDS instance Enterprise Edition;
– drds.sn1.32c64g for DRDS instance Extreme Edition;
• specification - (Required, ForceNew) User-defined DRDS instance
specification. Value range:
– drds.sn1.4c8g for DRDS instance Starter version;
∗ value range : drds.sn1.4c8g.8c16g, drds.sn1.4c8g.16c32g,
drds.sn1.4c8g.32c64g, drds.sn1.4c8g.64c128g
– drds.sn1.8c16g for DRDS instance Standard edition;
∗ value range : drds.sn1.8c16g.16c32g, drds.sn1.8c16g.32c64g,
drds.sn1.8c16g.64c128g
– drds.sn1.16c32g for DRDS instance Enterprise Edition;
∗ value range : drds.sn1.16c32g.32c64g, drds.sn1.16c32g.64c128g
– drds.sn1.32c64g for DRDS instance Extreme Edition;
∗ value range : drds.sn1.32c64g.128c256g

» Timeouts

NOTE: Available in 1.49.0+.


The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 10 mins) Used when creating the drds instance (until
it reaches running status).
• delete - (Defaults to 10 mins) Used when terminating the drds instance.

» Attributes Reference

The following attributes are exported:


• id - The DRDS instance ID.

» Import

Distributed Relational Database Service (DRDS) can be imported using the id,
e.g.
$ terraform import alicloud_drds_instance.example drds-abc123456

» alicloud_dns_domain_groups
NOTE: This datasource has been deprecated from v1.3.2. Please use the
datasource alicloud_dns_groups instead.

» alicloud_dns_domain_records
NOTE: This resource has been deprecated from v1.3.2. Please use the
datasource alicloud_dns_records instead.

» alicloud_dns_domains
This data source provides a list of DNS Domains in an Alibaba Cloud account
according to the specified filters.

» Example Usage

data "alicloud_dns_domains" "domains_ds" {
  domain_name_regex = "^hegu"
  output_file       = "domains.txt"
}

output "first_domain_id" {
  value = "${data.alicloud_dns_domains.domains_ds.domains.0.domain_id}"
}

» Argument Reference

The following arguments are supported:


• domain_name_regex - (Optional) A regex string to filter results by the
domain name.
• group_name_regex - (Optional) A regex string to filter results by the
group name.
• ali_domain - (Optional, type: bool) Specifies whether the domain is from
Alibaba Cloud or not.
• instance_id - (Optional) Cloud analysis product ID.
• version_code - (Optional) Cloud analysis version code.
• ids - (Optional, Available in 1.53.0+) A list of domain IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• resource_group_id - (Optional, ForceNew, Available in 1.59.0+) The ID of the resource group to which the DNS domain belongs.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of domain IDs.
• names - A list of domain names.
• domains - A list of domains. Each element contains the following attributes:
– domain_id - ID of the domain.
– domain_name - Name of the domain.
– ali_domain - Indicates whether the domain is an Alibaba Cloud
domain.
– group_id - Id of group that contains the domain.
– group_name - Name of group that contains the domain.
– instance_id - Cloud analysis product ID of the domain.
– version_code - Cloud analysis version code of the domain.

– puny_code - Punycode of the Chinese domain.
– dns_servers - DNS list of the domain in the analysis system.
– resource_group_id - The ID of the resource group to which the DNS domain belongs.

» alicloud_dns_groups
This data source provides a list of DNS Domain Groups in an Alibaba Cloud
account according to the specified filters.

» Example Usage

data "alicloud_dns_groups" "groups_ds" {
  name_regex  = "^y[A-Za-z]+"
  output_file = "groups.txt"
}

output "first_group_name" {
  value = "${data.alicloud_dns_groups.groups_ds.groups.0.group_name}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter results by group name.
• ids - (Optional, Available 1.52.2+) A list of group IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of group IDs.
• names - A list of group names.
• groups - A list of groups. Each element contains the following attributes:
– group_id - Id of the group.
– group_name - Name of the group.

» alicloud_dns_records
This data source provides a list of DNS Domain Records in an Alibaba Cloud
account according to the specified filters.

» Example Usage

data "alicloud_dns_records" "records_ds" {
  domain_name       = "xiaozhu.top"
  is_locked         = false
  type              = "A"
  host_record_regex = "^@"
  output_file       = "records.txt"
}

output "first_record_id" {
  value = "${data.alicloud_dns_records.records_ds.records.0.record_id}"
}

» Argument Reference

The following arguments are supported:


• domain_name - (Required) The domain name associated to the records.
• host_record_regex - (Optional) Host record regex.
• value_regex - (Optional) Host record value regex.
• type - (Optional) Record type. Valid items are A, NS, MX, TXT, CNAME, SRV, AAAA, REDIRECT_URL, FORWORD_URL.
• line - (Optional) ISP line. Valid items are default, telecom, unicom, mobile, oversea, edu, drpeng, btvn, etc. For the full enumeration of resolution lines, see the Alibaba Cloud DNS doc.
• status - (Optional) Record status. Valid items are ENABLE and DISABLE.
• is_locked - (Optional, type: bool) Whether the record is locked or not.
• ids - (Optional, Available 1.52.2+) A list of record IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of record IDs.
• urls - A list of entire URLs. Each item is formatted as <host_record>.<domain_name>.
• records - A list of records. Each element contains the following attributes:

– record_id - ID of the record.
– domain_name - Name of the domain the record belongs to.
– host_record - Host record of the domain.
– value - Host record value of the domain.
– type - Type of the record.
– ttl - TTL of the record.
– priority - Priority of the MX record.
– line - ISP line of the record.
– status - Status of the record.
– locked - Indicates whether the record is locked.

» alicloud_dns_resolution_lines
This data source provides a list of DNS Resolution Lines in an Alibaba Cloud
account according to the specified filters.
NOTE: Available in 1.60.0.

» Example Usage

data "alicloud_dns_resolution_lines" "resolution_lines_ds" {
  line_codes  = ["cn_unicom_shanxi"]
  output_file = "support_lines.txt"
}

output "first_line_code" {
  value = "${data.alicloud_dns_resolution_lines.resolution_lines_ds.lines.0.line_code}"
}

» Argument Reference

The following arguments are supported:


• domain_name - (Optional) Domain Name.
• line_codes - (Optional) A list of lines codes.
• line_display_names - (Optional) A list of line display names.
• user_client_ip - (Optional) The ip of user client.
• lang - (Optional) language.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• line_codes - A list of lines codes.
• line_display_names - A list of line display names.
• lines - A list of cloud resolution lines. Each element contains the following attributes:
– line_code - Line code.
– line_display_name - Line display name.
– line_name - Line name.

» alicloud_dns
Provides a DNS resource.
NOTE: The domain name you want to add must already be registered and must not have been added by another account. Every domain name can only exist in a unique group.

» Example Usage

# Add a new Domain.
resource "alicloud_dns" "dns" {
  name     = "starmove.com"
  group_id = "85ab8713-4a30-4de4-9d20-155ff830f651"
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) Name of the domain. This name without suffix can have a string of 1 to 63 characters, must contain only alphanumeric characters or "-", must not begin or end with "-", and "-" must not be in the 3rd and 4th character positions at the same time. Suffixes .sh and .tel are not supported.
• group_id - (Optional) ID of the group to which the domain will be added. If not supplied, the default group is used.
• resource_group_id - (Optional, ForceNew, Available in 1.59.0+) The ID of the resource group to which the DNS domain belongs.

» Attributes Reference

The following attributes are exported:


• id - The ID of this resource. The value is set to domain_name.
• domain_id - The domain ID.
• name - The domain name.
• group_id - The group id of domain.
• dns_server - A list of the DNS server names.

» Import

DNS can be imported using the id or domain name, e.g.


$ terraform import alicloud_dns.example "aliyun.com"

» alicloud_dns_group
Provides a DNS Group resource.

» Example Usage

# Add a new Domain group.
resource "alicloud_dns_group" "group" {
  name = "testgroup"
}

» Argument Reference

The following arguments are supported:


• name - (Required) Name of the domain group.

» Attributes Reference

The following attributes are exported:


• id - The group id.
• name - The group name.

» alicloud_dns_record
Provides a DNS Record resource.
NOTE: When the site is an international site, the type neither supports
REDIRECT_URL nor REDIRECT_URL

» Example Usage

# Create a new Domain record
resource "alicloud_dns_record" "record" {
  name        = "domainname"
  host_record = "@"
  type        = "A"
  value       = "192.168.99.99"
}

» Argument Reference

The following arguments are supported:


• name - (Required) Name of the domain. This name without suffix can have a string of 1 to 63 characters, must contain only alphanumeric characters or "-", must not begin or end with "-", and "-" must not be in the 3rd and 4th character positions at the same time. Suffixes .sh and .tel are not supported.
• host_record - (Required) Host record for the domain record. This host_record can have at most 253 characters, each part split by "." can have at most 63 characters, and it must contain only alphanumeric characters or hyphens, such as "-", ".", "*", "@", and must not begin or end with "-".
• type - (Required) The type of domain record. Valid values are A, NS, MX, TXT, CNAME, SRV, AAAA, CAA, REDIRECT_URL and FORWORD_URL.
• value - (Required) The value of domain record. When the type is MX, NS, CNAME or SRV, the server will treat the value as a fully qualified domain name, so there is no need to add a . at the end.
• ttl - (Optional) The effective time of domain record. Its scope depends on the edition of the cloud resolution. Free is [600, 86400], Basic is [120, 86400], Standard is [60, 86400], Ultimate is [10, 86400], Exclusive is [1, 86400]. Default value is 600.
• priority - (Optional) The priority of domain record. Valid values are [1-10]. When the type is MX, this parameter is required.
• routing - (Optional) The resolution line of domain record. Valid values are default, telecom, unicom, mobile, oversea, edu, drpeng, btvn, etc. When the type is FORWORD_URL, this parameter must be default. Default value is default. For the full enumeration of resolution lines, see the Alibaba Cloud DNS doc or use the alicloud_dns_resolution_lines data source to get the value.

» Attributes Reference

The following attributes are exported:


• id - The record id.
• name - (Required) The record domain name.
• type - (Required) The record type.
• host_record - The host record of record.
• value - The record value.
• ttl - The record effective time.
• priority - The record priority.
• routing - The record resolution line.
• status - The record status. Enable or Disable.
• Locked - The record locked state. true or false.

» Import

DNS record can be imported using the id, e.g.


$ terraform import alicloud_dns_record.example abc123456

» alicloud_disks
This data source provides the disks of the current Alibaba Cloud user.

» Example Usage

data "alicloud_disks" "disks_ds" {
  name_regex = "sample_disk"
}

output "first_disk_id" {
  value = "${data.alicloud_disks.disks_ds.disks.0.id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of disks IDs.
• name_regex - (Optional) A regex string to filter results by disk name.
• type - (Optional) Disk type. Possible values: system and data.
• category - (Optional) Disk category. Possible values: cloud (basic cloud
disk), cloud_efficiency (ultra cloud disk), ephemeral_ssd (local SSD
cloud disk), cloud_ssd (SSD cloud disk), and cloud_essd (ESSD cloud
disk).
• encrypted - (Optional) Indicate whether the disk is encrypted or not.
Possible values: on and off.
• instance_id - (Optional) Filter the results by the specified ECS instance
ID.
• resource_group_id - (Optional, ForceNew, Available in 1.57.0+) The ID of the resource group to which the disk belongs.
• tags - (Optional) A map of tags assigned to the disks. It must be in the
format: data "alicloud_disks" "disks_ds" { tags = { tagKey1
= "tagValue1", tagKey2 = "tagValue2" } }
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• disks - A list of disks. Each element contains the following attributes:
– id - ID of the disk.
– name - Disk name.
– description - Disk description.
– region_id - Region ID the disk belongs to.
– availability_zone - Availability zone of the disk.
– status - Current status. Possible values: In_use, Available,
Attaching, Detaching, Creating and ReIniting.
– type - Disk type. Possible values: system and data.
– category - Disk category. Possible values: cloud (basic cloud disk),
cloud_efficiency (ultra cloud disk), ephemeral_ssd (local SSD
cloud disk), cloud_ssd (SSD cloud disk), and cloud_essd (ESSD
cloud disk).
– encrypted - Indicate whether the disk is encrypted or not. Possible
values: on and off.
– size - Disk size in GiB.
– image_id - ID of the image from which the disk is created. It is null
unless the disk is created using an image.

– snapshot_id - Snapshot used to create the disk. It is null if no
snapshot is used to create the disk.
– instance_id - ID of the related instance. It is null unless the
status is In_use.
– creation_time - Disk creation time.
– attached_time - Disk attachment time.
– detached_time - Disk detachment time.
– expiration_time - Disk expiration time.
– tags - A map of tags assigned to the disk.
– resource_group_id - The Id of resource group.

» alicloud_images
This data source provides available image resources. It contains user’s private
images, system images provided by Alibaba Cloud, other public images and the
ones available on the image market.

» Example Usage

data "alicloud_images" "images_ds" {
  owners     = "system"
  name_regex = "^centos_6"
}

output "first_image_id" {
  value = "${data.alicloud_images.images_ds.images.0.id}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter resulting images by name.
• most_recent - (Optional, type: bool) If more than one result is returned, select the most recent one.
• owners - (Optional) Filter results by a specific image owner. Valid items
are system, self, others, marketplace.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
NOTE: At least one of the name_regex, most_recent and owners must be set.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of image IDs.
• images - A list of images. Each element contains the following attributes:
– id - ID of the image.
– architecture - Platform type of the image system: i386 or x86_64.
– creation_time - Time of creation.
– description - Description of the image.
– image_owner_alias - Alias of the image owner.
– os_name - Display Chinese name of the OS.
– os_name_en - Display English name of the OS.
– status - Status of the image. Possible values: UnAvailable,
Available, Creating and CreateFailed.
– size - Size of the image.
– disk_device_mappings - Description of the system with disks and snapshots under the image.
∗ device - Device information of the created disk: such as /dev/xvdb.
∗ size - Size of the created disk.
∗ snapshot_id - Snapshot ID.
– product_code - Product code of the image on the image market.
– is_subscribed - Whether the user has subscribed to the terms of
service for the image product corresponding to the ProductCode.
– image_version - Version of the image.
– progress - Progress of image creation, presented in percentages.

» alicloud_instance_type_families
This data source provides the ECS instance type families of Alibaba Cloud.
NOTE: Available in 1.54.0+

» Example Usage

data "alicloud_instance_type_families" "default" {
  instance_charge_type = "PrePaid"
}

output "first_instance_type_family_id" {
  value = "${data.alicloud_instance_type_families.default.instance_type_families.0.id}"
}

output "instance_ids" {
  value = "${data.alicloud_instance_type_families.default.ids}"
}

» Argument Reference

The following arguments are supported:


• zone_id - (Optional, ForceNew) The Zone to launch the instance.
• generation - (Optional) The generation of the instance type family. Valid values: ecs-1, ecs-2, ecs-3 and ecs-4. For more information, see Instance type families.
• instance_charge_type - (Optional, ForceNew) Valid values are PrePaid and PostPaid. Defaults to PostPaid.
• spot_strategy - (Optional, ForceNew) Filter the results by ECS spot
type. Valid values: NoSpot, SpotWithPriceLimit and SpotAsPriceGo.
Default to NoSpot.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of instance type family IDs.
• instance_types - A list of image type families. Each element contains
the following attributes:
– id - ID of the instance type family.
– generation - The generation of the instance type family.
– zone_ids - A list of Zone to launch the instance.

» alicloud_instance_types
This data source provides the ECS instance types of Alibaba Cloud.
NOTE: By default, only the upgraded instance types are returned. If you want
to get outdated instance types, you must set is_outdated to true.
NOTE: If one instance type is sold out, it will not be exported.

» Example Usage

# Declare the data source
data "alicloud_instance_types" "types_ds" {
  cpu_core_count = 1
  memory_size    = 2
}

# Create ECS instance with the first matched instance_type
resource "alicloud_instance" "instance" {
  instance_type = "${data.alicloud_instance_types.types_ds.instance_types.0.id}"

  # Other properties...
}

» Argument Reference

The following arguments are supported:


• availability_zone - (Optional) The zone where instance types are supported.
• cpu_core_count - (Optional) Filter the results to a specific number of cpu cores.
• memory_size - (Optional) Filter the results to a specific memory size in GB.
• gpu_amount - (Optional, Available in 1.69.0+) The GPU amount of an instance type.
• gpu_spec - (Optional, Available in 1.69.0+) The GPU spec of an instance type.
• instance_type_family - (Optional) Filter the results based on their family name. For example: 'ecs.n4'.
• instance_charge_type - (Optional) Filter the results by charge type. Valid values: PrePaid and PostPaid. Default to PostPaid.
• network_type - (Optional) Filter the results by network type. Valid values: Classic and Vpc.
• spot_strategy - (Optional) Filter the results by ECS spot type. Valid
values: NoSpot, SpotWithPriceLimit and SpotAsPriceGo. Default to
NoSpot.
• eni_amount - (Optional) Filter the result whose network interface number
is no more than eni_amount.
• kubernetes_node_role - (Optional) Filter the result which is used to
create a kubernetes cluster and managed kubernetes cluster. Optional
Values: Master and Worker.
• is_outdated - (Optional, type: bool) If true, outdated instance types are
included in the results. Default to false.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of instance type IDs.
• instance_types - A list of image types. Each element contains the following attributes:
– id - ID of the instance type.
– cpu_core_count - Number of CPU cores.
– memory_size - Size of memory, measured in GB.
– family - The instance type family.
– availability_zones - List of availability zones that support the instance type.
– gpu - The GPU attribution of an instance type:
∗ amount - The amount of GPU of an instance type.
∗ category - The category of GPU of an instance type.
– burstable_instance - The burstable instance attribution:
∗ initial_credit - The initial CPU credit of a burstable instance.
∗ baseline_credit - The compute performance benchmark CPU credit of a burstable instance.
– eni_amount - The maximum number of network interfaces that an instance type can be attached to.
– local_storage - Local storage of an instance type:
∗ capacity - The capacity of a local storage in GB.
∗ amount - The number of local storage devices that an instance has been attached to.
∗ category - The category of local storage that an instance has been attached to.

» alicloud_instances
The Instances data source lists ECS instance resources according to their ID, name regex, image id, status and other fields.

» Example Usage

data "alicloud_instances" "instances_ds" {
  name_regex = "web_server"
  status     = "Running"
}

output "first_instance_id" {
  value = "${data.alicloud_instances.instances_ds.instances.0.id}"
}

output "instance_ids" {
  value = "${data.alicloud_instances.instances_ds.ids}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of ECS instance IDs.
• name_regex - (Optional) A regex string to filter results by instance name.
• image_id - (Optional) The image ID used by the ECS instances.
• status - (Optional) Instance status. Valid values: "Creating", "Starting", "Running", "Stopping" and "Stopped". If undefined, all statuses are considered.
• vpc_id - (Optional) ID of the VPC linked to the instances.
• vswitch_id - (Optional) ID of the VSwitch linked to the instances.
• availability_zone - (Optional) Availability zone where instances are
located.
• resource_group_id - (Optional, ForceNew, Available in 1.57.0+) The ID of the resource group to which the instance belongs.
• ram_role_name - (Optional, ForceNew, Available in 1.69.0+) The name of the RAM role attached to the instance.
• tags - (Optional) A map of tags assigned to the ECS instances. It must
be in the format: data "alicloud_instances" "taggedInstances" {
tags = { tagKey1 = "tagValue1", tagKey2 = "tagValue2" }
}
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of ECS instance IDs.
• names - A list of instances names.
• instances - A list of instances. Each element contains the following
attributes:
– id - ID of the instance.
– region_id - Region ID the instance belongs to.
– availability_zone - Availability zone the instance belongs to.
– status - Instance current status.
– name - Instance name.
– description - Instance description.
– instance_type - Instance type.

– vpc_id - ID of the VPC the instance belongs to.
– vswitch_id - ID of the VSwitch the instance belongs to.
– image_id - Image ID the instance is using.
– private_ip - Instance private IP address.
– public_ip - Instance public IP address.
– eip - EIP address the VPC instance is using.
– security_groups - List of security group IDs the instance belongs
to.
– key_name - Key pair the instance is using.
– creation_time - Instance creation time.
– instance_charge_type - Instance charge type.
– internet_charge_type - Instance network charge type.
– internet_max_bandwidth_out - Max output bandwidth for internet.
– spot_strategy - Spot strategy the instance is using.
– disk_device_mappings - Description of the attached disks.
∗ device - Device information of the created disk: such as /dev/xvdb.
∗ size - Size of the created disk.
∗ category - Cloud disk category.
∗ type - Cloud disk type: system disk or data disk.
– tags - A map of tags assigned to the ECS instance.
– resource_group_id - The Id of resource group.
– ram_role_name - The Ram role name.

» alicloud_key_pairs
This data source provides a list of key pairs in an Alibaba Cloud account according to the specified filters.

» Example Usage

# Declare the data source
resource "alicloud_key_pair" "default" {
  key_name = "keyPairDatasource"
}

data "alicloud_key_pairs" "default" {
  name_regex = "${alicloud_key_pair.default.key_name}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to apply to the resulting key pairs.

• ids - (Optional, Available 1.52.1+) A list of key pair IDs.
• finger_print - (Optional) A finger print used to retrieve specified key
pair.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• resource_group_id - (Optional, ForceNew, Available in 1.57.0+) The ID of the resource group to which the key pair belongs.
• tags - (Optional, Available in v1.66.0+) A mapping of tags to assign to the resource.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - A list of key pair names.
• key_pairs - A list of key pairs. Each element contains the following
attributes:
– id - ID of the key pair.
– key_name - Name of the key pair.
– finger_print - Finger print of the key pair.
– instances - A list of ECS instances that have been bound to this key pair.
∗ availability_zone - The ID of the availability zone where the ECS instance is located.
∗ instance_id - The ID of the ECS instance.
∗ instance_name - The name of the ECS instance.
∗ vswitch_id - The ID of the VSwitch attached to the ECS instance.
∗ public_ip - The public IP address or EIP of the ECS instance.
∗ private_ip - The private IP address of the ECS instance.
– resource_group_id - The Id of resource group.
– tags - (Optional, Available in v1.66.0+) A mapping of tags to assign
to the resource.

» alicloud_network_interfaces
Use this data source to get a list of elastic network interfaces according to the
specified filters in an Alibaba Cloud account.
For information about elastic network interfaces and how to use them, see Elastic Network Interface.

» Example Usage

variable "name" {
  default = "networkInterfacesName"
}

resource "alicloud_vpc" "vpc" {
  name       = "${var.name}"
  cidr_block = "192.168.0.0/24"
}

data "alicloud_zones" "default" {
  available_resource_creation = "VSwitch"
}

resource "alicloud_vswitch" "vswitch" {
  name              = "${var.name}"
  cidr_block        = "192.168.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  vpc_id            = "${alicloud_vpc.vpc.id}"
}

resource "alicloud_security_group" "group" {
  name   = "${var.name}"
  vpc_id = "${alicloud_vpc.vpc.id}"
}

resource "alicloud_network_interface" "interface" {
  name            = "${var.name}"
  vswitch_id      = "${alicloud_vswitch.vswitch.id}"
  security_groups = ["${alicloud_security_group.group.id}"]
  description     = "Basic test"
  private_ip      = "192.168.0.2"
  tags = {
    TF-VER = "0.11.3"
  }
}

resource "alicloud_instance" "instance" {
  availability_zone          = "${data.alicloud_zones.default.zones.0.id}"
  security_groups            = ["${alicloud_security_group.group.id}"]
  instance_type              = "ecs.e3.xlarge"
  system_disk_category       = "cloud_efficiency"
  image_id                   = "centos_7_04_64_20G_alibase_201701015.vhd"
  instance_name              = "${var.name}"
  vswitch_id                 = "${alicloud_vswitch.vswitch.id}"
  internet_max_bandwidth_out = 10
}

resource "alicloud_network_interface_attachment" "attachment" {
  instance_id          = "${alicloud_instance.instance.id}"
  network_interface_id = "${alicloud_network_interface.interface.id}"
}

# Look up the ENI created above; name_regex must match the ENI name set on the resource.
data "alicloud_network_interfaces" "default" {
  ids        = ["${alicloud_network_interface_attachment.attachment.network_interface_id}"]
  name_regex = "${var.name}"
  tags = {
    TF-VER = "0.11.3"
  }
  vpc_id            = "${alicloud_vpc.vpc.id}"
  vswitch_id        = "${alicloud_vswitch.vswitch.id}"
  private_ip        = "192.168.0.2"
  security_group_id = "${alicloud_security_group.group.id}"
  type              = "Secondary"
  instance_id       = "${alicloud_instance.instance.id}"
}

output "eni0_name" {
  value = "${data.alicloud_network_interfaces.default.interfaces.0.name}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of ENI IDs.
• name_regex - (Optional) A regex string to filter results by ENI name.
• vpc_id - (Optional) The VPC ID linked to ENIs.
• vswitch_id - (Optional) The VSwitch ID linked to ENIs.
• private_ip - (Optional) The primary private IP address of the ENI.
• security_group_id - (Optional) The security group ID linked to ENIs.
• name - (Optional) The name of the ENIs.
• type - (Optional) The type of ENIs. Only "Primary" and "Secondary" are supported.
• instance_id - (Optional) The ECS instance ID that the ENI is attached
to.
• tags - (Optional) A map of tags assigned to ENIs.
• output_file - (Optional) The name of output file that saves the filter
results.
• resource_group_id - (Optional, ForceNew, Available in 1.57.0+) The ID of the resource group to which the network interface belongs.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• interfaces - A list of ENIs. Each element contains the following attributes:
– id - ID of the ENI.
– status - Current status of the ENI.
– vpc_id - ID of the VPC that the ENI belongs to.
– vswitch_id - ID of the VSwitch that the ENI is linked to.
– zone_id - ID of the availability zone that the ENI belongs to.
– public_ip - Public IP of the ENI.
– private_ip - Primary private IP of the ENI.
– private_ips - A list of secondary private IP addresses that are assigned to the ENI.
– mac - MAC address of the ENI.
– security_groups - A list of security groups that the ENI belongs to.
– name - Name of the ENI.
– description - Description of the ENI.
– instance_id - ID of the instance that the ENI is attached to.
– creation_time - Creation time of the ENI.
– tags - A map of tags assigned to the ENI.
– resource_group_id - The Id of resource group.

» alicloud_security_group_rules
The alicloud_security_group_rules data source provides a collection of security permissions of a specific security group. Each collection item represents a single ingress or egress permission rule. The ID of the security group can be provided via a variable or the result from the other data source alicloud_security_groups.

» Example Usage

The following example shows how to obtain details about a security group rule
and how to pass its data to an instance at launch time.
# Get the security group id from a variable
variable "security_group_id" {}

# Or get it from the alicloud_security_groups data source.
# Please note that the data source arguments must be enough to filter results to one security group.
data "alicloud_security_groups" "groups_ds" {
  name_regex = "api"
}

# Filter the security group rule by group
data "alicloud_security_group_rules" "ingress_rules_ds" {
  group_id    = "${data.alicloud_security_groups.groups_ds.groups.0.id}" # or ${var.security_group_id}
  nic_type    = "internet"
  direction   = "ingress"
  ip_protocol = "tcp"
}

# Pass port_range to the backend service
resource "alicloud_instance" "backend" {
  # ...
  user_data = "config_service.sh --portrange=${data.alicloud_security_group_rules.ingress_rules_ds.rules.0.port_range}"
}

» Argument Reference

The following arguments are supported:


• group_id - (Required) The ID of the security group that owns the rules.
• nic_type - (Optional) Refers to the network type. Can be either internet
or intranet. The default value is internet.
• direction - (Optional) Authorization direction. Valid values are:
ingress or egress.
• ip_protocol - (Optional) The IP protocol. Valid values are: tcp, udp,
icmp, gre and all.
• policy - (Optional) Authorization policy. Can be either accept or drop.
The default value is accept.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• rules - A list of rules. Each element contains the following attributes:
– group_name - The name of the security group that owns the rules.
– group_desc - The description of the security group that owns the
rules.
– rules - A list of security group rules. Each element contains the
following attributes:
– ip_protocol - The protocol. Can be tcp, udp, icmp, gre or all.
– port_range - The range of port numbers.

– source_cidr_ip - Source IP address segment for ingress authorization.
– source_security_group_id - Source security group ID for ingress
authorization.
– source_group_owner_account - Alibaba Cloud account of the
source security group.
– dest_cidr_ip - Target IP address segment for egress authorization.
– dest_security_group_id - Target security group id for ingress authorization.
– dest_group_owner_account - Alibaba Cloud account of the target
security group.
– policy - Authorization policy. Can be either accept or drop.
– nic_type - Network type, internet or intranet.
– priority - Rule priority.
– direction - Authorization direction, ingress or egress.
– description - The description of the rule.
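
The rule attributes listed above are enough to audit a group for world-open ingress. The following is an added example, not part of the provider documentation: it lists every ingress rule that accepts traffic from 0.0.0.0/0. It assumes Terraform 0.12+ expression syntax, and the variable, local and output names are illustrative.

```hcl
# Added example (not from the provider documentation).
# Variable, local and output names are illustrative; Terraform 0.12+ is assumed.

variable "security_group_id" {
  description = "ID of the security group to audit"
  type        = string
}

variable "nic_type" {
  description = "Network type of the rules to read: internet or intranet"
  type        = string
  default     = "internet" # the default documented for this data source
}

# Read the ingress rules of the group, all protocols and policies.
data "alicloud_security_group_rules" "ingress" {
  group_id  = var.security_group_id
  nic_type  = var.nic_type
  direction = "ingress"
}

locals {
  # Rules that accept traffic from every IPv4 address.
  # lower() is defensive in case the API returns the policy capitalised.
  world_open = [
    for r in data.alicloud_security_group_rules.ingress.rules : r
    if r.source_cidr_ip == "0.0.0.0/0" && lower(r.policy) == "accept"
  ]
}

# One entry per exposed rule, with the fields needed to review it.
output "world_open_ingress" {
  description = "Ingress rules that accept traffic from any source address"
  value = [
    for r in local.world_open : {
      protocol    = r.ip_protocol
      port_range  = r.port_range
      priority    = r.priority
      description = r.description
    }
  ]
}

# A count that a CI job can compare against an agreed baseline.
output "world_open_count" {
  value = length(local.world_open)
}
```

Rules that authorize another security group instead of a CIDR block report it in source_security_group_id, so they do not appear in this list and need a separate review.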

» alicloud_security_groups
This data source provides a list of Security Groups in an Alibaba Cloud account
according to the specified filters.

» Example Usage

# Filter security groups and print the results into a file
data "alicloud_security_groups" "sec_groups_ds" {
  name_regex  = "^web-"
  output_file = "web_access.json"
}

# In conjunction with a VPC
resource "alicloud_vpc" "primary_vpc_ds" {
  # ...
}

data "alicloud_security_groups" "primary_sec_groups_ds" {
  vpc_id = "${alicloud_vpc.primary_vpc_ds.id}"
}

output "first_group_id" {
  value = "${data.alicloud_security_groups.primary_sec_groups_ds.groups.0.id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional, Available 1.52.0+) A list of Security Group IDs.
• name_regex - (Optional) A regex string to filter the resulting security
groups by their names.
• vpc_id - (Optional) Used to retrieve security groups that belong to the
specified VPC ID.
• resource_group_id - (Optional, ForceNew, Available in 1.58.0+) The ID
of the resource group to which the security group belongs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• tags - (Optional) A map of tags assigned to the ECS instances.
It must be in the format:
data "alicloud_security_groups" "taggedSecurityGroups" {
  tags = {
    tagKey1 = "tagValue1",
    tagKey2 = "tagValue2"
  }
}

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of Security Group IDs.
• names - A list of Security Group names.
• groups - A list of Security Groups. Each element contains the following
attributes:
– id - The ID of the security group.
– name - The name of the security group.
– description - The description of the security group.
– vpc_id - The ID of the VPC that owns the security group.
– resource_group_id - The ID of the resource group to which the
security group belongs.
– security_group_type - The type of the security group.
– inner_access - Whether to allow inner network access.
– creation_time - Creation time of the security group.
– tags - A map of tags assigned to the ECS instance.

» alicloud_snapshots
Use this data source to get a list of snapshots according to the specified filters
in an Alibaba Cloud account.
For information about snapshot and how to use it, see Snapshot.
NOTE: Available in 1.40.0+.

» Example Usage

data "alicloud_snapshots" "snapshots" {
  ids        = ["s-123456890abcdef"]
  name_regex = "tf-testAcc-snapshot"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Optional) The specified instance ID.
• disk_id - (Optional) The specified disk ID.
• encrypted - (Optional) Queries the encrypted snapshots. Optional values:
– true: Encrypted snapshots.
– false: No encryption attribute limit.
Default value: false.
• ids - (Optional) A list of snapshot IDs.
• name_regex - (Optional) A regex string to filter results by snapshot name.
• status - (Optional) The specified snapshot status. Optional values:
– progressing: The snapshots are being created.
– accomplished: The snapshots are ready to use.
– failed: The snapshot creation failed.
– all: All status.
Default value: all.
• type - (Optional) The snapshot category. Optional values:
– auto: Auto snapshots.
– user: Manual snapshots.
– all: Auto and manual snapshots.
Default value: all.
• source_disk_type - (Optional) The type of source disk:
– System: The snapshots are created for system disks.
– Data: The snapshots are created for data disks.
• usage - (Optional) The usage of the snapshot:
– image: The snapshots are used to create custom images.
– disk: The snapshots are used to CreateDisk.
– image_disk: The snapshots are used to create custom images and
data disks.
– none: The snapshots are not used yet.
• tags - (Optional) A map of tags assigned to snapshots.
• output_file - (Optional) The name of output file that saves the filter
results.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:

• ids - A list of snapshot IDs.
• names - A list of snapshot names.
• snapshots - A list of snapshots. Each element contains the following
attributes:
– id - ID of the snapshot.
– name - Name of the snapshot.
– description - Description of the snapshot.
– encrypted - Whether the snapshot is encrypted or not.
– progress - Progress of snapshot creation, presented in percentage.
– source_disk_id - Source disk ID, which is retained after the source
disk of the snapshot is deleted.
– source_disk_size - Size of the source disk, measured in GB.
– source_disk_type - Source disk attribute. Value range:
∗ System
∗ Data
– product_code - Product code on the image market place.
– retention_days - The number of days that an automatic snapshot
is retained in the console for your instance.
– remain_time - The remaining time of a snapshot creation task, in
seconds.
– creation_time - Creation time, represented according to ISO 8601
in UTC. Format: YYYY-MM-DDThh:mmZ.
– status - The snapshot status. Value range:
∗ progressing
∗ accomplished
∗ failed
– usage - Whether the snapshots are used to create resources or not.
Value range:
∗ image
∗ disk
∗ image_disk
∗ none
– tags - A map of tags assigned to the snapshot.

» alicloud_disk
Provides an ECS disk resource.
NOTE: One of size or snapshot_id is required when specifying an ECS disk.
If both are specified, size must be larger than the size of the snapshot that
snapshot_id represents. Currently, alicloud_disk doesn’t resize disk.

» Example Usage

# Create a new ECS disk.
resource "alicloud_disk" "ecs_disk" {
  # cn-beijing
  availability_zone = "cn-beijing-b"
  name              = "New-disk"
  description       = "Hello ecs disk."
  category          = "cloud_efficiency"
  size              = "30"

  tags = {
    Name = "TerraformTest"
  }
}

» Argument Reference

The following arguments are supported:


• availability_zone - (Required, ForceNew) The Zone to create the disk
in.
• name - (Optional) Name of the ECS disk. It must be 2 to 128 characters
long, contain only alphanumeric characters or symbols such as "-", ".",
"_", must not begin or end with a hyphen, and must not begin with
http:// or https://. Default value is null.
• description - (Optional) Description of the disk. It must be 2 to 256
characters long and cannot begin with http:// or https://. Default value
is null.
• category - (Optional, ForceNew) Category of the disk. Valid values
are cloud, cloud_efficiency, cloud_ssd, cloud_essd. Default is
cloud_efficiency.
• size - (Required) The size of the disk in GiB. When resizing the disk, the
new size must be greater than the former value, or you will get the error
InvalidDiskSize.TooSmall.
• snapshot_id - (Optional) A snapshot to base the disk on. If the disk
size required by the snapshot is greater than size, size is ignored.
Conflicts with encrypted.
• tags - (Optional) A mapping of tags to assign to the resource.
• encrypted - (Optional) If true, the disk will be encrypted. Conflicts with
snapshot_id.
• delete_auto_snapshot - (Optional, Available in 1.53.0+) Indicates
whether the automatic snapshot is deleted when the disk is released.
Default value: false.
• delete_with_instance - (Optional, Available in 1.53.0+) Indicates
whether the disk is released together with the instance. Default value:
false.
• enable_auto_snapshot - (Optional, Available in 1.53.0+) Indicates
whether to apply a created automatic snapshot policy to the disk.
Default value: false.
• resource_group_id - (ForceNew, Available in 1.57.0+) The ID of the
resource group to which the disk belongs.
NOTE: Disk category cloud is outdated and can only be used with
non-I/O-optimized ECS instances. cloud_efficiency and cloud_ssd disks
are recommended.

» Attributes Reference

The following attributes are exported:


• id - The ID of the disk.
• status - The disk status.

» Import

Cloud disk can be imported using the id, e.g.


$ terraform import alicloud_disk.example d-abc12345678

» alicloud_disk_attachment
Provides an Alicloud ECS Disk Attachment as a resource, to attach and detach
disks from ECS Instances.

» Example Usage

Basic usage
# Create a new ECS disk attachment and use it to attach one disk to a new instance.

resource "alicloud_security_group" "ecs_sg" {
  name        = "terraform-test-group"
  description = "New security group"
}

resource "alicloud_disk" "ecs_disk" {
  availability_zone = "cn-beijing-a"
  size              = "50"

  tags = {
    Name = "TerraformTest-disk"
  }
}

resource "alicloud_instance" "ecs_instance" {
  image_id              = "ubuntu_18_04_64_20G_alibase_20190624.vhd"
  instance_type         = "ecs.n4.small"
  availability_zone     = "cn-beijing-a"
  security_groups       = ["${alicloud_security_group.ecs_sg.id}"]
  instance_name         = "Hello"
  instance_network_type = "classic"
  internet_charge_type  = "PayByBandwidth"

  tags = {
    Name = "TerraformTest-instance"
  }
}

resource "alicloud_disk_attachment" "ecs_disk_att" {
  disk_id     = "${alicloud_disk.ecs_disk.id}"
  instance_id = "${alicloud_instance.ecs_instance.id}"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, Forces new resource) ID of the Instance to
attach to.
• disk_id - (Required, Forces new resource) ID of the Disk to be attached.
• device_name - (Deprecated) The device name has been deprecated, and
when attaching disk, it will be allocated automatically by system according
to default order from /dev/xvdb to /dev/xvdz.

» Attributes Reference

The following attributes are exported:


• instance_id - ID of the Instance.
• disk_id - ID of the Disk.
• device_name - The device name exposed to the instance.

» alicloud_image
Creates a custom image. You can then use a custom image to create ECS
instances (RunInstances) or change the system disk for an existing instance
(ReplaceSystemDisk).
NOTE: If you want to create a template from an ECS instance, you can specify
the instance ID (InstanceId) to create a custom image. You must make sure that
the status of the specified instance is Running or Stopped. After a successful
invocation, each disk of the specified instance has a new snapshot created.
NOTE: If you want to create a custom image based on the system disk of your
ECS instance, you can specify one of the system disk snapshots (SnapshotId)
to create a custom image. However, the specified snapshot cannot be created
on or before July 15, 2013.
NOTE: If you want to combine snapshots of multiple disks into an image
template, you can specify DiskDeviceMapping to create a custom image.
NOTE: Available in 1.64.0+

» Example Usage

resource "alicloud_image" "default" {
  instance_id       = "i-bp1g6zv0ce8oghu7k***"
  image_name        = "test-image"
  description       = "test-image"
  architecture      = "x86_64"
  platform          = "CentOS"
  resource_group_id = "rg-bp67acfmxazb4ph***"
  tags = {
    FinanceDept = "FinanceDeptJoshua"
  }
}

» Argument Reference

The following arguments are supported:


• instance_id - (Optional, ForceNew, Conflict with snapshot_id and
disk_device_mapping) The instance ID.
• image_name - (Optional) The image name. It must be 2 to 128 characters
in length, and must begin with a letter or Chinese character (beginning
with http:// or https:// is not allowed). It can contain digits, colons (:),
underscores (_), or hyphens (-). Default value: null.

• description - (Optional) The description of the image. It must be 2
to 256 characters in length and must not start with http:// or https://.
Default value: null.
• snapshot_id - (Optional, ForceNew, Conflict with instance_id and
disk_device_mapping) Specifies a snapshot that is used to create a
custom image.
• architecture - (Optional, ForceNew) Specifies the architecture of the
system disk after you specify a data disk snapshot as the data source of
the system disk for creating an image. Valid values: i386, x86_64.
Default is x86_64.
• platform - (Optional, ForceNew) Specifies the operating system platform
of the system disk after you specify a data disk snapshot as the data
source of the system disk for creating an image. Valid values: CentOS,
Ubuntu, SUSE, OpenSUSE, RedHat, Debian, CoreOS, Aliyun Linux,
Windows Server 2003, Windows Server 2008, Windows Server 2012,
Windows 7. Default is Others Linux, Customized Linux.
• tags - (Optional) The tag value of an image. The value of N ranges from
1 to 20.
• resource_group_id - (Optional, ForceNew) The ID of the enterprise
resource group to which a custom image belongs.
• disk_device_mapping - (Optional, ForceNew, Conflict with snapshot_id
and instance_id) Description of the system with disks and snapshots
under the image.
– disk_type - (Optional, ForceNew) Specifies the type of a disk in the
combined custom image. If you specify this parameter, you can use
a data disk snapshot as the data source of a system disk for creating
an image. If it is not specified, the disk type is determined by the
corresponding snapshot. Valid values: system, data.
– size - (Optional, ForceNew) Specifies the size of a disk in the
combined custom image, in GiB. Value range: 5 to 2000.
– snapshot_id - (Optional, ForceNew) Specifies a snapshot that is
used to create a combined custom image.
– device - (Optional, ForceNew) Specifies the name of a disk in the
combined custom image. Value range: /dev/xvda to /dev/xvdz.
• force - (Optional) Indicates whether to force delete the custom image.
Default is false.
– true: Force deletes the custom image, regardless of whether the image
is currently being used by other instances.
– false: Verifies that the image is not currently in use by any other
instances before deleting the image.

» Timeouts

The timeouts block allows you to specify timeouts for certain actions:

• create - (Defaults to 10 mins) Used when creating the image (until it
reaches the initial Available status).
• delete - (Defaults to 10 mins) Used when terminating the image.

» Attributes Reference

The following attributes are exported:
• id - ID of the image.

» Import

Image can be imported using the id, e.g.

$ terraform import alicloud_image.default m-uf66871ape***yg1q***

» alicloud_image_export
Export a custom image to the OSS bucket in the same region as the custom
image.
NOTE: If you create an ECS instance using a mirror image and create a system
disk snapshot again, exporting a custom image created from the system disk
snapshot is not supported.
NOTE: Exporting custom images that include data disk snapshot information
is supported. The number of data disks cannot exceed 4 and the
maximum capacity of a single data disk cannot exceed 500 GiB.
NOTE: Before exporting the image, you must use RAM to grant the official
ECS service account permission to write to OSS.
NOTE: Available in 1.68.0+.

» Example Usage

resource "alicloud_image_export" "default" {
  image_id   = "m-bp1gxy***"
  oss_bucket = "ecsimageexportconfig"
  oss_prefix = "ecsExport"
}

» Argument Reference

The following arguments are supported:


• image_id - (Required, ForceNew) The source image ID.
• oss_bucket - (Required, ForceNew) The OSS bucket where the exported
image is saved.
• oss_prefix - (Optional, ForceNew) The prefix of your OSS object. It
can be composed of numbers or letters, and its length is 1 to 30 characters.

» Timeouts

The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 10 mins) Used when exporting the image (until it
reaches the initial Available status).

» Attributes Reference

The following attributes are exported:
• id - ID of the image.

» alicloud_image_copy
Copies a custom image from one region to another. You can use copied images
to perform operations in the target region, such as creating instances
(RunInstances) and replacing system disks (ReplaceSystemDisk).
NOTE: You can only copy the custom image when it is in the Available state.
NOTE: You can only copy the image belonging to your Alibaba Cloud account.
Images cannot be copied from one account to another.
NOTE: If the copying is not completed, you cannot call DeleteImage to delete
the image but you can call CancelCopyImage to cancel the copying.
NOTE: Available in 1.66.0+.

» Example Usage

resource "alicloud_image_copy" "default" {
  source_image_id  = "m-bp1gxyhdswlsn18tu***"
  source_region_id = "cn-hangzhou"
  image_name       = "test-image"
  description      = "test-image"
  tags = {
    FinanceDept = "FinanceDeptJoshua"
  }
}

» Argument Reference

The following arguments are supported:


• source_image_id - (Required, ForceNew) The source image ID.
• source_region_id - (Required, ForceNew) The ID of the region to which
the source custom image belongs. You can call DescribeRegions to view
the latest regions of Alibaba Cloud.
• image_name - (Optional) The image name. It must be 2 to 128 characters
in length, and must begin with a letter or Chinese character (beginning
with http:// or https:// is not allowed). It can contain digits, colons (:),
underscores (_), or hyphens (-). Default value: null.
• description - (Optional) The description of the image. It must be 2
to 256 characters in length and must not start with http:// or https://.
Default value: null.
• encrypted - (Optional, ForceNew) Indicates whether to encrypt the
image.
• kms_key_id - (Optional, ForceNew) Key ID used to encrypt the image.
• tags - (Optional) The tag value of an image. The value of N ranges from
1 to 20.
• force - (Optional) Indicates whether to force delete the custom image.
Default is false.
– true: Force deletes the custom image, regardless of whether the image
is currently being used by other instances.
– false: Verifies that the image is not currently in use by any other
instances before deleting the image.

» Timeouts

The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 10 mins) Used when copying the image (until it
reaches the initial Available status).
• delete - (Defaults to 10 mins) Used when terminating the image.

» Attributes Reference

The following attributes are exported:
• id - ID of the image.

» Import

Image can be imported using the id, e.g.

$ terraform import alicloud_image_copy.default m-uf66871ape***yg1q***

» alicloud_image_import
Imports a copy of your local on-premises image file to ECS, where it appears
as a custom image in the corresponding region.
NOTE: You must upload the image file to the object storage OSS in advance.
NOTE: The region where the image is imported must be the same region as
the OSS bucket where the image file is uploaded.
NOTE: Available in 1.69.0+.

» Example Usage

resource "alicloud_image_import" "this" {
  description  = "test import image"
  architecture = "x86_64"
  image_name   = "test-import-image"
  license_type = "Auto"
  platform     = "Ubuntu"
  os_type      = "linux"
  disk_device_mapping {
    disk_image_size = 5
    oss_bucket      = "testimportimage"
    oss_object      = "root.img"
  }
}

» Argument Reference

The following arguments are supported:


• architecture - (Optional, ForceNew) Specifies the architecture of the
system disk after you specify a data disk snapshot as the data source of
the system disk for creating an image. Valid values: i386, x86_64.
Default is x86_64.
• description - (Optional) Description of the image. The length is 2 to
256 English or Chinese characters, and it cannot begin with http:// or
https://.
• image_name - (Optional) The image name. The length is 2 to 128 English
or Chinese characters. It must start with a capital letter or Chinese
character, and cannot start with http:// or https://. It can contain
numbers, colons (:), underscores (_), or hyphens (-).
• license_type - (Optional, ForceNew)

• platform - (Optional, ForceNew) Specifies the operating system platform
of the system disk after you specify a data disk snapshot as the data
source of the system disk for creating an image. Valid values: CentOS,
Ubuntu, SUSE, OpenSUSE, Debian, CoreOS, Windows Server 2003,
Windows Server 2008, Windows Server 2012, Windows 7. Default is
Others Linux, Customized Linux.
• os_type - (Optional, ForceNew) Operating system platform type. Valid
values: windows, linux. Default is linux.
• disk_device_mapping - (Optional, ForceNew) Description of the system
with disks and snapshots under the image.
– device - (Optional, ForceNew) Specifies the type of a disk in the
combined custom image. If you specify this parameter, you can use
a data disk snapshot as the data source of a system disk for creating
an image. If it is not specified, the disk type is determined by the
corresponding snapshot. Valid values: system, data.
– disk_image_size - (Optional, ForceNew) Resolution size. You must
ensure that the system disk space ≥ file system space. Ranges: when
n = 1 (the system disk): 5 ~ 500 GiB; when n = 2 ~ 17 (data disks):
5 ~ 1000 GiB. When temporary is introduced, the system
automatically detects the size, which is subject to the detection result.
– format - (Optional, ForceNew) Image format. Value range: When
the RAW, VHD, qcow2 is imported into the image, the system
automatically detects the image format, whichever comes first.
– oss_bucket - (Optional) Save the exported OSS bucket.
– oss_prefix - (Optional, ForceNew) The prefix of your OSS object.
It can be composed of numbers or letters, and its length is 1 to 30
characters.
NOTE: disk_device_mapping is a list; its first item is used for the
system disk and the other items are used for data disks.

» Timeouts

The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 20 mins) Used when copying the image (until it
reaches the initial Available status).
• delete - (Defaults to 20 mins) Used when terminating the image.

» Attributes Reference

The following attributes are exported:
• id - ID of the image.

» Import

Image can be imported using the id, e.g.

$ terraform import alicloud_image_import.default m-uf66871ape***yg1q***

» alicloud_image_share_permission
Manage image sharing permissions. You can share your custom image to other
Alibaba Cloud users. The user can use the shared custom image to create ECS
instances or replace the system disk of the instance.
NOTE: You can only share your own custom images to other Alibaba Cloud
users.
NOTE: Each custom image can be shared with up to 50 Alibaba Cloud
accounts. You can submit a ticket to share with more users.
NOTE: After creating an ECS instance using a shared image, once the custom
image owner releases the image sharing relationship or deletes the custom image,
the instance cannot initialize the system disk.
NOTE: Available in 1.68.0+.

» Example Usage

resource "alicloud_image_share_permission" "default" {
  image_id   = "m-bp1gxyh***"
  account_id = "1234567890"
}

» Argument Reference

The following arguments are supported:


• image_id - (Required, ForceNew) The source image ID.
• account_id - (Required, ForceNew) Alibaba Cloud Account ID. It is used
to share images.

» Attributes Reference

The following attributes are exported:
• id - ID of the image. It is formatted as <image_id>:<account_id>.

» Import

Image can be imported using the id, e.g.

$ terraform import alicloud_image_share_permission.default m-uf66yg1q:123456789

» alicloud_instance
Provides an ECS instance resource.
NOTE: You can launch an ECS instance for a VPC network by specifying the
parameter vswitch_id. One instance can only belong to one VSwitch.
NOTE: If a VSwitchId is specified for creating an instance, SecurityGroupId
and VSwitchId must belong to one VPC.
NOTE: Several instance types have become outdated in some regions and
availability zones, such as ecs.t1.*, ecs.s2.*, ecs.n1.* and so on. If you want to
keep them, you should set is_outdated to true. For more about the upgraded
instance type, refer to alicloud_instance_types datasource.
NOTE: At present, a 'PrePaid' instance cannot be deleted; you must wait for it
to become outdated, after which it is released automatically.
NOTE: The resource supports modifying instance charge type from 'PrePaid'
to 'PostPaid' from version 1.9.6. However, at present, this modification has
some limitation about CPU core count in one month, so it is strongly recommended
that you do not modify the instance charge type frequently within one month.
NOTE: The 'deletion_protection' attribute is not supported when the instance
is a spot instance.

» Example Usage

# Create a new ECS instance for a VPC
resource "alicloud_security_group" "group" {
  name        = "tf_test_foo"
  description = "foo"
  vpc_id      = "${alicloud_vpc.vpc.id}"
}

resource "alicloud_instance" "instance" {
  # cn-beijing
  availability_zone = "cn-beijing-b"
  security_groups   = "${alicloud_security_group.group.*.id}"

  # series III
  instance_type              = "ecs.n4.large"
  system_disk_category       = "cloud_efficiency"
  image_id                   = "ubuntu_18_04_64_20G_alibase_20190624.vhd"
  instance_name              = "test_foo"
  vswitch_id                 = "${alicloud_vswitch.vswitch.id}"
  internet_max_bandwidth_out = 10
}

# Create a new ECS instance for VPC
resource "alicloud_vpc" "vpc" {
  # Other parameters...
}

resource "alicloud_vswitch" "vswitch" {
  vpc_id = "${alicloud_vpc.vpc.id}"
  # Other parameters...
}

resource "alicloud_slb" "slb" {
  name       = "test-slb-tf"
  vpc_id     = "${alicloud_vpc.vpc.id}"
  vswitch_id = "${alicloud_vswitch.vswitch.id}"
}

» Module Support

You can use the existing ecs-instance module to create several ECS instances
with one click.

» Argument Reference

The following arguments are supported:


• image_id - (Required) The Image to use for the instance. ECS instance’s
image can be replaced via changing ’image_id’. When it is changed, the
instance will reboot to make the change take effect.
• instance_type - (Required) The type of instance to start. When it is
changed, the instance will reboot to make the change take effect.
• io_optimized - (Deprecated) It has been deprecated on instance resource.
All the launched alicloud instances will be I/O optimized.
• is_outdated - (Optional) Whether to use outdated instance type. Default
to false.
• security_groups - (Required) A list of security group ids to associate
with.
• availability_zone - (Optional) The Zone to start the instance in. It is
ignored and will be computed when vswitch_id is set.

• instance_name - (Optional) The name of the ECS instance. It must be 2
to 128 characters long, contain only alphanumeric characters or symbols
such as "-", ".", "_", must not begin or end with a hyphen, and must not
begin with http:// or https://. If not specified, Terraform will
autogenerate a default name, ECS-Instance.
• allocate_public_ip - (Deprecated) It has been deprecated from version
"1.7.0". Setting "internet_max_bandwidth_out" larger than 0 can
allocate a public IP address for an instance.
• system_disk_category - (Optional) Valid values are ephemeral_ssd,
cloud_efficiency, cloud_ssd, cloud_essd, cloud. cloud is only used
for some non-I/O-optimized instances. Default to cloud_efficiency.
• system_disk_size - (Optional) Size of the system disk, measured in GiB.
Value range: [20, 500]. The specified value must be equal to or greater than
max{20, ImageSize}. Default value: max{40, ImageSize}. ECS instance’s
system disk can be reset when replacing system disk. When it is changed,
the instance will reboot to make the change take effect.
• system_disk_auto_snapshot_policy_id - (Optional, ForceNew,
Available in 1.73.0+) The ID of the automatic snapshot policy applied to the
system disk.
• description - (Optional) Description of the instance. It must be 2 to 256
characters long and cannot begin with http:// or https://. Default value
is null.
• internet_charge_type - (Optional) Internet charge type of the
instance. Valid values are PayByBandwidth, PayByTraffic. Default is
PayByTraffic. At present, a 'PrePaid' instance cannot change the value
to "PayByBandwidth" from "PayByTraffic".
• internet_max_bandwidth_in - (Optional) Maximum incoming
bandwidth from the public network, measured in Mbps (megabits per second).
Value range: [1, 200]. If this value is not specified, it is automatically
set to 200 Mbps.
• internet_max_bandwidth_out - (Optional) Maximum outgoing
bandwidth to the public network, measured in Mbps (megabits per second).
Value range: [0, 100]. Default to 0 Mbps.
• host_name - (Optional) Host name of the ECS, which is a string of at least
two characters. "hostname" cannot start or end with "." or "-". In addition,
two or more consecutive "." or "-" symbols are not allowed. On Windows,
the host name can contain a maximum of 15 characters, which can be a
combination of uppercase/lowercase letters, numerals, and "-". The host
name cannot contain dots (".") or contain only numeric characters. When
it is changed, the instance will reboot to make the change take effect.
On other OSs such as Linux, the host name can contain a maximum of
30 characters, which can be segments separated by dots ("."), where each
segment can contain uppercase/lowercase letters, numerals, or "_". When
it is changed, the instance will reboot to make the change take effect.
• password - (Optional, Sensitive) Password to an instance is a string of 8 to
30 characters. It must contain uppercase/lowercase letters and numerals,
but cannot contain special symbols. When it is changed, the instance will
reboot to make the change take effect.
• kms_encrypted_password - (Optional, Available in 1.57.1+) A
KMS-encrypted password used for an instance. If the password is filled in,
this field will be ignored. When it is changed, the instance will reboot to
make the change take effect.
• kms_encryption_context - (Optional, MapString, Available in 1.57.1+)
A KMS encryption context used to decrypt kms_encrypted_password
before creating or updating an instance with kms_encrypted_password.
See Encryption Context. It is valid when kms_encrypted_password is
set. When it is changed, the instance will reboot to make the change take
effect.
• vswitch_id - (Optional) The virtual switch ID to launch in VPC. This
parameter must be set unless you can create classic network instances.
When it is changed, the instance will reboot to make the change take
effect.
• instance_charge_type - (Optional) Valid values are PrePaid, PostPaid.
The default is PostPaid.
• resource_group_id - (ForceNew, Available in 1.57.0+) The ID of the
resource group to which the instance belongs.
• period_unit - (Optional) The duration unit that you will buy the
resource. It is valid when instance_charge_type is 'PrePaid'. Valid value:
["Week", "Month"]. Default to "Month".
• period - (Optional) The duration that you will buy the resource, in month.
It is valid when instance_charge_type is PrePaid. Default to 1. Valid
values:
– [1-9, 12, 24, 36, 48, 60] when period_unit in ”Month”
– [1-3] when period_unit in ”Week”
• renewal_status - (Optional) Whether to renew an ECS instance
automatically or not. It is valid when instance_charge_type is PrePaid.
Default to "Normal". Valid values:
– AutoRenewal: Enable auto renewal.
– Normal: Disable auto renewal.
– NotRenewal: No renewal any longer. After you specify this value,
Alibaba Cloud stops sending notifications of instance expiry, and only
gives a brief reminder on the third day before the instance expiry.
• auto_renew_period - (Optional) Auto renewal period of an instance, in
the unit of month. It is valid when instance_charge_type is PrePaid.
Default to 1. Valid value:
– [1, 2, 3, 6, 12] when period_unit in ”Month”
– [1, 2, 3] when period_unit in ”Week”
• tags - (Optional) A mapping of tags to assign to the resource.
– Key: It can be up to 64 characters in length. It cannot begin with
”aliyun”, ”acs:”, ”http://”, or ”https://”. It cannot be a null string.
– Value: It can be up to 128 characters in length. It cannot begin with
”aliyun”, ”acs:”, ”http://”, or ”https://”. It can be a null string.
• volume_tags - (Optional) A mapping of tags to assign to the devices
created by the instance at launch time.
– Key: It can be up to 64 characters in length. It cannot begin with
”aliyun”, ”acs:”, ”http://”, or ”https://”. It cannot be a null string.
– Value: It can be up to 128 characters in length. It cannot begin with
”aliyun”, ”acs:”, ”http://”, or ”https://”. It can be a null string.
• user_data - (Optional) User-defined data to customize the startup
behaviors of an ECS instance and to pass data into an ECS instance. From
version 1.60.0, it can be updated in place. If updated, the instance will
reboot to make the change take effect. Note: Not all changes will take
effect; it depends on the cloud-init module type.
• key_name - (Optional, Force new resource) The name of the key pair that
can be used to log in to the ECS instance without a password. If it is
specified, the password would be invalid.
• role_name - (Optional, Force new resource) Instance RAM role
name. The name is provided and maintained by RAM. You can use
alicloud_ram_role to create a new one.
• include_data_disks - (Optional) Whether to change instance disks
charge type when changing instance charge type.
• dry_run - (Optional) Specifies whether to send a dry-run request. Default
to false.
– true: Only a dry-run request is sent and no instance is created. The
system checks whether the required parameters are set, and validates
the request format, service permissions, and available ECS instances.
If the validation fails, the corresponding error code is returned. If the
validation succeeds, the DryRunOperation error code is returned.
– false: A request is sent. If the validation succeeds, the instance is
created.

• private_ip - (Optional) Instance private IP address can be specified when
you create a new instance. It is valid when vswitch_id is specified. When
it is changed, the instance will reboot to make the change take effect.
• credit_specification - (Optional, Available in 1.57.1+) Performance
mode of the t5 burstable instance. Valid values: ’Standard’, ’Unlimited’.
• spot_strategy - (Optional, ForceNew) The spot strategy of a
Pay-As-You-Go instance, and it takes effect only when parameter
instance_charge_type is ’PostPaid’. Value range:
– NoSpot: A regular Pay-As-You-Go instance.
– SpotWithPriceLimit: A price threshold for a spot instance
– SpotAsPriceGo: A price that is based on the highest Pay-As-You-Go
instance
Default to NoSpot. Note: Currently, the spot instance only supports
domestic site account.
• spot_price_limit - (Optional, Float, ForceNew) The hourly price threshold
of an instance. It takes effect only when parameter ’spot_strategy’
is ’SpotWithPriceLimit’. At most three decimal places are allowed.
• deletion_protection - (Optional, true) Whether to enable deletion
protection or not.
– true: Enable deletion protection.
– false: Disable deletion protection.
Default to false.
• force_delete - (Optional, Available in 1.18.0+) If it is true, the ”PrePaid”
instance will be changed to ”PostPaid” and then deleted forcibly. However,
because changing the instance charge type is subject to a CPU core count
quota limitation, it is strongly recommended not to modify the instance
charge type frequently within one month.
• auto_release_time - (Optional, Available in 1.70.0+) The automatic
release time of the PostPaid instance. The time follows the ISO 8601
standard and is in UTC time. Format: yyyy-MM-ddTHH:mm:ssZ. It must be
at least half an hour later than the current time and less than 3 years since
the current time. Setting it to null cancels the automatic release attribute
and the ECS instance will not be released automatically.
• security_enhancement_strategy - (Optional, ForceNew) The security
enhancement strategy.
– Active: Enable security enhancement strategy, it only works on sys-
tem images.
– Deactive: Disable security enhancement strategy, it works on all im-
ages.

• data_disks - (Optional, ForceNew, Available 1.23.1+) The list of data
disks created with instance.
– name - (Optional, ForceNew) The name of the data disk.
– size - (Required, ForceNew) The size of the data disk.
∗ cloud: [5, 2000]
∗ cloud_efficiency: [20, 32768]
∗ cloud_ssd: [20, 32768]
∗ cloud_essd: [20, 32768]
∗ ephemeral_ssd: [5, 800]
– category - (Optional, ForceNew) The category of the disk:
∗ cloud: The general cloud disk.
∗ cloud_efficiency: The efficiency cloud disk.
∗ cloud_ssd: The SSD cloud disk.
∗ cloud_essd: The ESSD cloud disk.
∗ ephemeral_ssd: The local SSD disk.
Default to cloud_efficiency.
– encrypted - (Optional, Bool, ForceNew) Whether to encrypt the data in
this disk.
Default to false
– snapshot_id - (Optional, ForceNew) The snapshot ID used to initialize
the data disk. If the size specified by snapshot is greater than
the size of the disk, use the size specified by snapshot as the size of
the data disk.
– auto_snapshot_policy_id - (Optional, ForceNew, Available in
1.73.0+) The ID of the automatic snapshot policy applied to the
system disk.
– delete_with_instance - (Optional, ForceNew) Delete this data
disk when the instance is destroyed. It only works on cloud,
cloud_efficiency, cloud_essd, cloud_ssd disk. If the category of this
data disk was ephemeral_ssd, please don’t set this param.
Default to true
– description - (Optional, ForceNew) The description of the data
disk.
NOTE: System disk category cloud has been outdated and it can only be
used with non-I/O-optimized ECS instances. The cloud_efficiency and
cloud_ssd disks are recommended.
NOTE: From version 1.5.0, instance’s charge type can be changed to ”PrePaid”
by specifying period and period_unit, but it is irreversible.

NOTE: From version 1.5.0, instance’s private IP address can be specified when
creating VPC network instance.
NOTE: From version 1.5.0, instance’s vswitch and private IP can be changed
in the same availability zone. When they are changed, the instance will reboot
to make the change take effect.
NOTE: From version 1.7.0, setting ”internet_max_bandwidth_out”
larger than 0 can allocate a public IP for an instance. Setting
”internet_max_bandwidth_out” to 0 can release the allocated public IP of a
VPC instance (for a Classic instance, its public IP cannot be released once
it is allocated, even though its bandwidth out is 0). However, at present, a
’PrePaid’ instance cannot narrow its max bandwidth out when its
’internet_charge_type’ is ”PayByBandwidth”.
NOTE: From version 1.7.0, instance’s type can be changed. When it is changed,
the instance will reboot to make the change take effect.

» Timeouts

NOTE: Available in 1.46.0+.


The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 10 mins) Used when creating the instance (until
it reaches the initial Running status). Note: At most 2 extra minutes
are used for retries to avoid some needless API errors, and they are not
included in the configured timeouts.
• update - (Defaults to 10 mins) Used when stopping and starting the
instance when necessary during update - e.g. when changing instance type,
password, image, vswitch and private IP.
• delete - (Defaults to 20 mins) Used when terminating the instance. Note:
At most 5 extra minutes are used for retries to avoid some needless
API errors, and they are not included in the configured timeouts.

» Attributes Reference

The following attributes are exported:


• id - The instance ID.
• status - The instance status.
• public_ip - The instance public ip.

» Import

Instance can be imported using the id, e.g.

$ terraform import alicloud_instance.example i-abc12345678

» alicloud_key_pair
Provides a key pair resource.

» Example Usage

Basic Usage
resource "alicloud_key_pair" "basic" {
key_name = "terraform-test-key-pair"
}

// Using name prefix to build key pair


resource "alicloud_key_pair" "prefix" {
key_name_prefix = "terraform-test-key-pair-prefix"
}

// Import an existing public key to build an Alicloud key pair


resource "alicloud_key_pair" "publickey" {
key_name = "my_public_key"
public_key = "ssh-rsa AAAAB3Nza12345678qwertyuudsfsg"
}

» Argument Reference

The following arguments are supported:


• key_name - (ForceNew) The key pair’s name. It must be unique within one
Alicloud account.
• key_name_prefix - (ForceNew) The key pair name’s prefix. It conflicts
with key_name. If it is specified, Terraform will use it to build a unique
key name.
• public_key - (ForceNew) You can import an existing public key and use
an Alicloud key pair to manage it.
• key_file - (ForceNew) The name of the file in which to save your new key
pair’s private key. It is strongly suggested that you specify it when
creating the key pair; otherwise, you will never be able to get its
private key.
• resource_group_id - (ForceNew, Available in 1.57.0+) The ID of the
resource group to which the key pair belongs.
• tags - (Optional, Available in v1.66.0+) A mapping of tags to assign to
the resource.
NOTE: If key_name and key_name_prefix are not set, Terraform will produce
a specified ID to use in their place.

» Attributes Reference

• key_name - The name of the key pair.


• fingerprint - The fingerprint of the key pair.

» Import

Key pair can be imported using the name, e.g.


$ terraform import alicloud_key_pair.example my_public_key
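A pre-apply check over the alicloud_instance and alicloud_key_pair arguments documented above (password, key_name, deletion_protection, security_enhancement_strategy, data_disks.encrypted, public_key, key_file), as an added Python example that is not part of the provider or its documentation. It reads the resource_changes[].change.after objects of `terraform show -json` output; the function names, the choice of which settings to flag, and the sample plan are assumptions of this example.

```python
import json
import sys


def planned_resources(plan, resource_type):
    """Yield (address, attributes) for resources of one type in a plan.

    `plan` is the parsed output of `terraform show -json <planfile>`; planned
    attributes sit under resource_changes[].change.after, which is null for
    resources that are being destroyed.
    """
    for change in plan.get("resource_changes", []):
        after = (change.get("change") or {}).get("after")
        if change.get("type") == resource_type and after:
            yield change.get("address", "<unknown>"), after


def audit_instances(plan):
    """Flag alicloud_instance settings this example treats as weak (assumed policy)."""
    findings = []
    for address, attrs in planned_resources(plan, "alicloud_instance"):
        # key_name makes the password invalid, so only password-only logins are flagged.
        if attrs.get("password") and not attrs.get("key_name"):
            findings.append((address, "password login without key_name"))
        # deletion_protection defaults to false.
        if not attrs.get("deletion_protection"):
            findings.append((address, "deletion_protection is disabled"))
        if attrs.get("security_enhancement_strategy") == "Deactive":
            findings.append((address, "security_enhancement_strategy is Deactive"))
        # data_disks.encrypted defaults to false.
        for index, disk in enumerate(attrs.get("data_disks") or []):
            if not disk.get("encrypted"):
                findings.append((address, f"data_disks[{index}] is not encrypted"))
    return findings


def audit_key_pairs(plan):
    """Flag new key pairs whose private key would not be saved anywhere."""
    findings = []
    for address, attrs in planned_resources(plan, "alicloud_key_pair"):
        # With no public_key to import, key_file is where the private key is saved.
        if not attrs.get("public_key") and not attrs.get("key_file"):
            findings.append((address, "generated key pair has no key_file"))
    return findings


# Constructed sample plan (not real output); values are placeholders.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "alicloud_instance.instance[0]", "type": "alicloud_instance",
         "change": {"actions": ["create"], "after": {
             "password": "constructed-password", "key_name": None,
             "deletion_protection": False,
             "security_enhancement_strategy": "Active",
             "data_disks": [{"name": "disk1", "encrypted": False},
                            {"name": "disk2", "encrypted": True}]}}},
        {"address": "alicloud_instance.hardened", "type": "alicloud_instance",
         "change": {"actions": ["create"], "after": {
             "key_name": "ops-key", "deletion_protection": True,
             "security_enhancement_strategy": "Active",
             "data_disks": [{"name": "disk1", "encrypted": True}]}}},
        {"address": "alicloud_instance.old", "type": "alicloud_instance",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "alicloud_key_pair.basic", "type": "alicloud_key_pair",
         "change": {"actions": ["create"], "after": {
             "key_name": "terraform-test-key-pair"}}},
        {"address": "alicloud_key_pair.publickey", "type": "alicloud_key_pair",
         "change": {"actions": ["create"], "after": {
             "key_name": "my_public_key", "public_key": "ssh-rsa CONSTRUCTED"}}},
    ]
}

if __name__ == "__main__":
    # Pass a file produced by `terraform show -json <planfile>`, or run the sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, message in audit_instances(plan) + audit_key_pairs(plan):
        print(f"{address}: {message}")
```

When key_file is set, the private key is written to a local file, so that path needs restrictive permissions and must stay out of version control.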

» alicloud_key_pair_attachment
Provides a key pair attachment resource to bind a key pair to several ECS
instances.
NOTE: After the key pair is attached to some instances, these instances must
be rebooted for the key pair to take effect.

» Example Usage

Basic Usage
data "alicloud_zones" "default" {
available_disk_category = "cloud_ssd"
available_resource_creation = "VSwitch"
}
data "alicloud_instance_types" "type" {
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
cpu_core_count = 1
memory_size = 2
}
data "alicloud_images" "images" {
name_regex = "^ubuntu_18.*64"
most_recent = true
owners = "system"
}
variable "name" {
default = "keyPairAttachmentName"

}

resource "alicloud_vpc" "vpc" {


name = "${var.name}"
cidr_block = "10.1.0.0/21"
}

resource "alicloud_vswitch" "vswitch" {


vpc_id = "${alicloud_vpc.vpc.id}"
cidr_block = "10.1.1.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}
resource "alicloud_security_group" "group" {
name = "${var.name}"
description = "New security group"
vpc_id = "${alicloud_vpc.vpc.id}"
}

resource "alicloud_instance" "instance" {


instance_name = "${var.name}-${count.index + 1}"
image_id = "${data.alicloud_images.images.images.0.id}"
instance_type = "${data.alicloud_instance_types.type.instance_types.0.id}"
count = 2
security_groups = ["${alicloud_security_group.group.id}"]
vswitch_id = "${alicloud_vswitch.vswitch.id}"

internet_charge_type = "PayByTraffic"
internet_max_bandwidth_out = 5
password = "Test12345"

instance_charge_type = "PostPaid"
system_disk_category = "cloud_ssd"
}

resource "alicloud_key_pair" "pair" {


key_name = "${var.name}"
}

resource "alicloud_key_pair_attachment" "attachment" {


key_name = "${alicloud_key_pair.pair.id}"
instance_ids = ["${alicloud_instance.instance.*.id}"]
}

» Argument Reference

The following arguments are supported:


• key_name - (Required, ForceNew) The name of key pair used to bind.
• instance_ids - (Required, ForceNew) The list of ECS instance’s IDs.
• force - (ForceNew) Set it to true to reboot the instances attached to
the key pair so that the key pair takes effect immediately.

» Attributes Reference

• key_name - The name of the key pair.


• instance_ids - The list of ECS instance’s IDs.

» alicloud_network_interface
Provides an ECS Elastic Network Interface resource.
For information about Elastic Network Interface and how to use it, see Elastic
Network Interface.
NOTE: Only one of private_ips or private_ips_count can be specified when
assigning private IPs.

» Example Usage

variable "name" {
default = "networkInterfaceName"
}

resource "alicloud_vpc" "vpc" {


name = "${var.name}"
cidr_block = "192.168.0.0/24"
}

data "alicloud_zones" "default" {


available_resource_creation = "VSwitch"
}

resource "alicloud_vswitch" "vswitch" {


name = "${var.name}"
cidr_block = "192.168.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
vpc_id = "${alicloud_vpc.vpc.id}"

}

resource "alicloud_security_group" "group" {


name = "${var.name}"
vpc_id = "${alicloud_vpc.vpc.id}"
}

resource "alicloud_network_interface" "default" {


name = "${var.name}%d"
vswitch_id = "${alicloud_vswitch.vswitch.id}"
security_groups = ["${alicloud_security_group.group.id}"]
private_ip = "192.168.0.2"
private_ips_count = 3
}

» Argument Reference

The following arguments are supported:


• vswitch_id - (Required, ForceNew) The VSwitch to create the ENI in.
• security_groups - (Required) A list of security group ids to associate with.
• private_ip - (Optional, ForceNew) The primary private IP of the ENI.
• name - (Optional) Name of the ENI. This name can have a string of 2
to 128 characters, must contain only alphanumeric characters or hyphens,
such as ”-”, ”.”, ”_”, and must not begin or end with a hyphen, and must
not begin with http:// or https://. Default value is null.
• description - (Optional) Description of the ENI. This description can
have a string of 2 to 256 characters. It cannot begin with http:// or
https://. Default value is null.
• private_ips - (Optional) List of secondary private IPs to assign to the
ENI. Don’t use both private_ips and private_ips_count in the same ENI
resource block.
• private_ips_count - (Optional) Number of secondary private IPs to as-
sign to the ENI. Don’t use both private_ips and private_ips_count in the
same ENI resource block.
• tags - (Optional) A mapping of tags to assign to the resource.
• resource_group_id - (ForceNew, Available in 1.57.0+) The ID of the
resource group to which the network interface belongs.

» Attributes Reference

The following attributes are exported:


• id - The ENI ID.
• mac - (Available in 1.54.0+) The MAC address of an ENI.

» Import

ENI can be imported using the id, e.g.


$ terraform import alicloud_network_interface.eni eni-abc1234567890000

» alicloud_network_interface_attachment
Provides an Alicloud ECS Elastic Network Interface Attachment as a resource
to attach ENI to or detach ENI from ECS Instances.
For information about Elastic Network Interface and how to use it, see Elastic
Network Interface.

» Example Usage

Basic Usage
variable "name" {
default = "networkInterfaceAttachment"
}

variable "number" {
default = "2"
}

resource "alicloud_vpc" "vpc" {


name = "${var.name}"
cidr_block = "192.168.0.0/24"
}

data "alicloud_zones" "default" {


available_resource_creation = "VSwitch"
}

resource "alicloud_vswitch" "vswitch" {


name = "${var.name}"
cidr_block = "192.168.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
vpc_id = "${alicloud_vpc.vpc.id}"
}

resource "alicloud_security_group" "group" {


name = "${var.name}"
vpc_id = "${alicloud_vpc.vpc.id}"

}

data "alicloud_instance_types" "instance_type" {


availability_zone = "${data.alicloud_zones.default.zones.0.id}"
eni_amount = 2
}

data "alicloud_images" "default" {


name_regex = "^ubuntu_18.*64"
most_recent = true
owners = "system"
}

resource "alicloud_instance" "instance" {


count = "${var.number}"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
security_groups = ["${alicloud_security_group.group.id}"]

instance_type = "${data.alicloud_instance_types.instance_type.instance_types.
system_disk_category = "cloud_efficiency"
image_id = "${data.alicloud_images.default.images.0.id}"
instance_name = "${var.name}"
vswitch_id = "${alicloud_vswitch.vswitch.id}"
internet_max_bandwidth_out = 10
}

resource "alicloud_network_interface" "interface" {


count = "${var.number}"
name = "${var.name}"
vswitch_id = "${alicloud_vswitch.vswitch.id}"
security_groups = ["${alicloud_security_group.group.id}"]
}

resource "alicloud_network_interface_attachment" "attachment" {


count = "${var.number}"
instance_id = "${element(alicloud_instance.instance.*.id, count.index)}"
network_interface_id = "${element(alicloud_network_interface.interface.*.id, count.index)}"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The instance ID to attach.
• network_interface_id - (Required, ForceNew) The ENI ID to attach.

» Attributes Reference

In addition to all arguments above, the following attributes are exported:


• id - The ID of the resource, formatted as <network_interface_id>:<instance_id>.

» Import

Network Interfaces Attachment resource can be imported using the id, e.g.
$ terraform import alicloud_network_interface_attachment.eni eni-abc123456789000:i-abc123456789000

» alicloud_reserved_instance_offering
Provides a Reserved Instance resource.
NOTE: Available in 1.65.0+

» Example Usage

resource "alicloud_reserved_instance" "default" {
  instance_type   = "ecs.g6.large"
  instance_amount = "1"
  period_unit     = "Year"
  offering_type   = "All Upfront"
  name            = "name"
  description     = "ReservedInstance"
  zone_id         = "cn-shanghai-g"
  scope           = "Zone"
  period          = "1"
}

» Argument Reference

The following arguments are supported:


• offering_type - (Required, ForceNew) Payment type of the RI. Optional
values: No Upfront: No upfront payment is required. Partial Upfront:
A portion of upfront payment is required. All Upfront: Full upfront
payment is required.
• zone_id - (Optional, ForceNew) ID of the zone to which the RI belongs.
When Scope is set to Zone, this parameter is required. For information
about the zone list, see DescribeZones.

• scope - (Optional, ForceNew) Scope of the RI. Optional values: Region:
region-level, Zone: zone-level. Default is Region.
• instance_type - (Optional, ForceNew) Instance type of the RI. For more
information, see Instance type families.
• instance_amount - (Optional, ForceNew) Number of instances allocated
to an RI (An RI is a coupon that includes one or more allocated instances.).
• period - (Optional, ForceNew) Term of the RI. Unit: years. Optional
values: 1 and 3.
• period_unit - (Optional, ForceNew) Term unit. Optional value: Year.
• resource_group_id - (Optional, ForceNew) Resource group ID.
• description - (Optional) Description of the RI. 2 to 256 English or Chi-
nese characters. It cannot start with http:// or https://.
• name - (Optional) Name of the RI. The name must be a string of 2 to 128
characters in length and can contain letters, numbers, colons (:), under-
scores (_), and hyphens. It must start with a letter. It cannot start with
http:// or https://.
• platform - (Optional, ForceNew) The operating system type of the image
used by the instance. Optional values: Windows, Linux. Default is Linux.

» Removing alicloud_reserved_instance from your configuration

The alicloud_reserved_instance resource allows you to manage your
ReservedInstance, but Terraform cannot destroy it. Removing this resource
from your configuration will remove it from your statefile and management,
but will not destroy the ReservedInstance.

» Attributes Reference

The following attributes are exported:


• id - ID of the ReservedInstance.

» Import

ReservedInstance can be imported using the id, e.g.


$ terraform import alicloud_reserved_instance.default ecsri-uf6df4xm0h3licit****

» alicloud_security_group
Provides a security group resource.

NOTE: alicloud_security_group is used to build and manage a security
group, and alicloud_security_group_rule can define ingress or egress rules
for it.
NOTE: From version 1.7.2, alicloud_security_group supports segregating
different ECS instances within the same security group.

» Example Usage

Basic Usage
resource "alicloud_security_group" "group" {
name = "terraform-test-group"
description = "New security group"
}
Basic usage for vpc
resource "alicloud_security_group" "group" {
name = "new-group"
vpc_id = "${alicloud_vpc.vpc.id}"
}

resource "alicloud_vpc" "vpc" {


cidr_block = "10.1.0.0/21"
}

» Module Support

You can use the existing security-group module to create a security group and
add several rules in one click.

» Argument Reference

The following arguments are supported:


• name - (Optional) The name of the security group. Defaults to null.
• description - (Optional, Forces new resource) The security group de-
scription. Defaults to null.
• vpc_id - (Optional, ForceNew) The VPC ID.

• resource_group_id - (Optional, ForceNew, Available in 1.58.0+) The ID
of the resource group to which the security_group belongs.
• security_group_type - (Optional, ForceNew, Available in 1.58.0+) The
type of the security group. Valid values: normal: basic security group.
enterprise: advanced security group For more information.

• inner_access - (Deprecated) Field ’inner_access’ has been deprecated
from provider version 1.55.3. Use ’inner_access_policy’ instead.
• inner_access_policy - (Optional, Available in 1.55.3+) Whether to al-
low both machines to access each other on all ports in the same security
group. Valid values: [”Accept”, ”Drop”]
• tags - (Optional) A mapping of tags to assign to the resource.
Combining security group rules, the policy can define multiple application
scenarios. Default to true. It is valid from version 1.7.2.

» Attributes Reference

The following attributes are exported:


• id - The ID of the security group

» Import

Security Group can be imported using the id, e.g.


$ terraform import alicloud_security_group.example sg-abc123456

» alicloud_security_group_rule
Provides a security group rule resource. Represents a single ingress or egress
group rule, which can be added to external Security Groups.
NOTE: nic_type should be set to intranet when the security group type is vpc
or when specifying the source_security_group_id. In this situation it does not
distinguish between intranet and internet; the rule is effective on them both.

» Example Usage

Basic Usage
resource "alicloud_security_group" "default" {
name = "default"
}

resource "alicloud_security_group_rule" "allow_all_tcp" {


type = "ingress"
ip_protocol = "tcp"
nic_type = "internet"
policy = "accept"

port_range = "1/65535"
priority = 1
security_group_id = "${alicloud_security_group.default.id}"
cidr_ip = "0.0.0.0/0"
}

» Module Support

You can use the existing security-group module to create a security group and
add several rules in one click.

» Argument Reference

The following arguments are supported:


• type - (Required, ForceNew) The type of rule being created. Valid options
are ingress (inbound) or egress (outbound).
• ip_protocol - (Required, ForceNew) The protocol. Can be tcp, udp,
icmp, gre or all.
• port_range - (ForceNew) The range of port numbers relevant to the IP
protocol. Default to ”-1/-1”. When the protocol is tcp or udp, each port
number in the range must be from 1 to 65535 and ’-1/-1’ is invalid. For
example, 1/200 means that the range of the port numbers is 1-200. For other
protocols, ’port_range’ can only be ”-1/-1”, and other values are invalid.
• security_group_id - (Required, ForceNew) The security group to apply
this rule to.
• nic_type - (Optional, ForceNew) Network type, can be either internet
or intranet, the default value is internet.
• policy - (Optional, ForceNew) Authorization policy, can be either accept
or drop, the default value is accept.
• priority - (Optional, ForceNew) Authorization policy priority, with pa-
rameter values: 1-100, default value: 1.
• cidr_ip - (Optional, ForceNew) The target IP address range. The default
value is 0.0.0.0/0 (which means no restriction will be applied). Other
supported formats include 10.159.6.18/12. Only IPv4 is supported.
• source_security_group_id - (Optional, ForceNew) The target security
group ID within the same region. If this field is specified, the nic_type
can only select intranet.
• source_group_owner_account - (Optional, ForceNew) The Alibaba
Cloud user account Id of the target security group when security groups
are authorized across accounts. This parameter is invalid if cidr_ip has
already been set.
• description - (Optional) The description of the security group rule. The
description can be 1 to 512 characters in length. Defaults to null.

NOTE: Either the source_security_group_id or cidr_ip must be set.
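The constraints in the argument reference above, together with the exposure created by a rule like the allow_all_tcp example, as an added Python check that is not part of the provider or its documentation. Rules are passed as plain dicts keyed by the argument names; lint_rule, the severity labels, ADMIN_PORTS and the sample rules are assumptions of this example.

```python
import ipaddress

PORT_PROTOCOLS = {"tcp", "udp"}
ALL_PROTOCOLS = PORT_PROTOCOLS | {"icmp", "gre", "all"}
# Assumption of this example: SSH and RDP are the ports treated as administrative.
ADMIN_PORTS = (22, 3389)


def parse_port_range(value):
    """Split 'low/high' into two ints; raise ValueError when malformed."""
    low, sep, high = str(value).partition("/")
    if not sep:
        raise ValueError("expected 'low/high'")
    return int(low), int(high)


def lint_rule(rule):
    """Return (severity, message) findings for one rule dict.

    Missing keys take the defaults given in the argument reference.
    """
    findings = []
    rule_type = rule.get("type")
    proto = rule.get("ip_protocol")
    nic_type = rule.get("nic_type", "internet")
    policy = rule.get("policy", "accept")
    priority = rule.get("priority", 1)
    cidr_ip = rule.get("cidr_ip")
    source_sg = rule.get("source_security_group_id")

    if rule_type not in ("ingress", "egress"):
        findings.append(("error", "type must be ingress or egress"))
    if proto not in ALL_PROTOCOLS:
        findings.append(("error", "ip_protocol must be tcp, udp, icmp, gre or all"))
    if policy not in ("accept", "drop"):
        findings.append(("error", "policy must be accept or drop"))
    if not (isinstance(priority, int) and 1 <= priority <= 100):
        findings.append(("error", "priority must be within 1-100"))

    ports = None
    try:
        ports = parse_port_range(rule.get("port_range", "-1/-1"))
    except ValueError:
        findings.append(("error", "port_range must look like low/high"))
    if ports is not None:
        low, high = ports
        if proto in PORT_PROTOCOLS:
            if not 1 <= low <= high <= 65535:
                findings.append(("error", "tcp/udp port_range must lie within 1/65535"))
                ports = None
        elif ports != (-1, -1):
            findings.append(("error", "port_range must be -1/-1 for this protocol"))

    if not cidr_ip and not source_sg:
        findings.append(("error", "set either source_security_group_id or cidr_ip"))
    if source_sg and nic_type != "intranet":
        findings.append(("error", "nic_type must be intranet with source_security_group_id"))

    network = None
    if cidr_ip:
        try:
            # strict=False because host bits may be set, e.g. 10.159.6.18/12.
            network = ipaddress.ip_network(cidr_ip, strict=False)
        except ValueError:
            findings.append(("error", "cidr_ip is not a valid CIDR block"))
        if network is not None and network.version != 4:
            findings.append(("error", "cidr_ip must be IPv4"))
            network = None

    # Exposure check: ingress traffic accepted from every IPv4 address.
    world_open = (rule_type == "ingress" and policy == "accept"
                  and network is not None and network.prefixlen == 0)
    if world_open:
        admin = proto == "all" or (
            proto in PORT_PROTOCOLS and ports is not None
            and any(ports[0] <= p <= ports[1] for p in ADMIN_PORTS))
        if admin:
            findings.append(("high", "0.0.0.0/0 can reach administrative ports"))
        else:
            findings.append(("info", "rule is open to 0.0.0.0/0"))
    return findings


# Constructed sample rules; the first mirrors the allow_all_tcp example above.
SAMPLE_RULES = {
    "allow_all_tcp": {"type": "ingress", "ip_protocol": "tcp", "nic_type": "internet",
                      "policy": "accept", "port_range": "1/65535", "priority": 1,
                      "cidr_ip": "0.0.0.0/0"},
    "ssh_from_range": {"type": "ingress", "ip_protocol": "tcp",
                       "port_range": "22/22", "cidr_ip": "10.159.6.18/12"},
    "bad_icmp": {"type": "ingress", "ip_protocol": "icmp", "port_range": "1/200",
                 "priority": 101, "nic_type": "internet",
                 "source_security_group_id": "sg-constructed"},
}

if __name__ == "__main__":
    for name, rule in SAMPLE_RULES.items():
        print(name, lint_rule(rule))
```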

» Attributes Reference

The following attributes are exported:


• id - The ID of the security group rule
• type - The type of rule, ingress or egress
• name - The name of the security group
• port_range - The range of port numbers
• ip_protocol - The protocol of the security group rule

» alicloud_snapshot
Provides an ECS snapshot resource.
For information about snapshot and how to use it, see Snapshot.

» Example Usage

resource "alicloud_snapshot" "snapshot" {


disk_id = "${alicloud_disk_attachment.instance-attachment.disk_id}"
name = "test-snapshot"
description = "this snapshot is created for testing"
tags = {
version = "1.2"
}
}

» Argument Reference

The following arguments are supported:


• disk_id - (Required, ForceNew) The source disk ID.
• name - (Optional, ForceNew) Name of the snapshot. This name can have
a string of 2 to 128 characters, must contain only alphanumeric characters
or hyphens, such as ”-”, ”.”, ”_”, and must not begin or end with a hyphen,
and must not begin with http:// or https://. Default value is null.
• description - (Optional, ForceNew) Description of the snapshot. This
description can have a string of 2 to 256 characters. It cannot begin with
http:// or https://. Default value is null.
• tags - (Optional) A mapping of tags to assign to the resource.

» Timeouts

NOTE: Available in 1.51.0+.


The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 2 mins) Used when creating the snapshot (until it
reaches the initial SnapshotCreatingAccomplished status).
• delete - (Defaults to 2 mins) Used when terminating the snapshot.

» Attributes Reference

The following attributes are exported:


• id - The snapshot ID.

» Import

Snapshot can be imported using the id, e.g.


$ terraform import alicloud_snapshot.snapshot s-abc1234567890000

» alicloud_snapshot_policy
Provides an ECS snapshot policy resource.
For information about snapshot policy and how to use it, see Snapshot.
NOTE: Available in 1.42.0+.

» Example Usage

resource "alicloud_snapshot_policy" "sp" {


name = "tf-testAcc-sp"
repeat_weekdays = ["1", "2", "3"]
retention_days = -1
time_points = ["1", "22", "23"]
}

» Argument Reference

The following arguments are supported:


• name - (Optional) The snapshot policy name.

• repeat_weekdays - (Required) The automatic snapshot repetition dates.
The unit of measurement is day and the repeating cycle is a week. Value
range: [1, 7], which represents days starting from Monday to Sunday, for
example 1 indicates Monday. When you want to schedule multiple auto-
matic snapshot tasks for a disk in a week, you can set the RepeatWeekdays
to an array.
– A maximum of seven time points can be selected.
– The format is a JSON array of [”1”, ”2”, … ”7”] and the time points
are separated by commas (,).
• retention_days - (Required) The snapshot retention time, and the unit
of measurement is day. Optional values:
– -1: The automatic snapshots are retained permanently.
– [1, 65536]: The number of days retained.
Default value: -1.
• time_points - (Required) The automatic snapshot creation schedule, and
the unit of measurement is hour. Value range: [0, 23], which represents
from 00:00 to 24:00, for example 1 indicates 01:00. When you want to
schedule multiple automatic snapshot tasks for a disk in a day, you can
set the TimePoints to an array.
– A maximum of 24 time points can be selected.
– The format is a JSON array of [”0”, ”1”, … ”23”] and the time points
are separated by commas (,).

» Attributes Reference

The following attributes are exported:


• id - The snapshot policy ID.

» Import

Snapshot policy can be imported using the id, e.g.


$ terraform import alicloud_snapshot_policy.snapshot s-abc1234567890000

» alicloud_launch_template
Provides an ECS Launch Template resource.
For information about Launch Template and how to use it, see Launch Template.

» Example Usage

data "alicloud_images" "images" {


owners = "system"
}

data "alicloud_instances" "instances" {


}

resource "alicloud_launch_template" "template" {


name = "tf-test-template"
description = "test1"
image_id = "${data.alicloud_images.images.images.0.id}"
host_name = "tf-test-host"
instance_charge_type = "PrePaid"
instance_name = "tf-instance-name"
instance_type = "${data.alicloud_instances.instances.instances.0.instance_
internet_charge_type = "PayByBandwidth"
internet_max_bandwidth_in = 5
internet_max_bandwidth_out = 0
io_optimized = "none"
key_pair_name = "test-key-pair"
ram_role_name = "xxxxx"
network_type = "vpc"
security_enhancement_strategy = "Active"
spot_price_limit = 5
spot_strategy = "SpotWithPriceLimit"
security_group_id = "sg-zxcvj0lasdf102350asdf9a"
system_disk_category = "cloud_ssd"
system_disk_description = "test disk"
system_disk_name = "hello"
system_disk_size = 40
resource_group_id = "rg-zkdfjahg9zxncv0"
userdata = "xxxxxxxxxxxxxx"
vswitch_id = "sw-ljkngaksdjfj0nnasdf"
vpc_id = "vpc-asdfnbg0as8dfk1nb2"
zone_id = "beijing-a"

tags = {
tag1 = "hello"
tag2 = "world"
}
network_interfaces {
name = "eth0"
description = "hello1"

primary_ip = "10.0.0.2"
security_group_id = "xxxx"
vswitch_id = "xxxxxxx"
}
data_disks {
name = "disk1"
description = "test1"
}
data_disks {
name = "disk2"
description = "test2"
}
}

» Argument Reference

The following arguments are supported:


• name - (Optional, ForceNew) Instance launch template name. Can con-
tain [2, 128] characters in length. It must start with an English letter
(uppercase or lowercase) and can contain numbers, periods (.), colons
(:), underscores (_), and hyphens (-). It cannot start with ”http://” or
”https://”.
• description - (Optional) Description of instance launch template version
1. It can be [2, 256] characters in length. It cannot start with ”http://”
or ”https://”. The default value is null.
• host_name - (Optional) Instance host name. It cannot start or end with
a period (.) or a hyphen (-) and it cannot have two or more consecutive
periods (.) or hyphens (-). For Windows: The host name can be [2, 15]
characters in length. It can contain A-Z, a-z, numbers, periods (.), and
hyphens (-). It cannot only contain numbers. For other operating systems:
The host name can be [2, 64] characters in length. It can be segments
separated by periods (.). It can contain A-Z, a-z, numbers, and hyphens
(-).
• image_id - (Optional) Image ID.
• instance_name - (Optional) The name of the instance. The name is a
string of 2 to 128 characters. It must begin with an English or a Chinese
character. It can contain A-Z, a-z, Chinese characters, numbers, periods
(.), colons (:), underscores (_), and hyphens (-).
• instance_charge_type - (Optional) Billing methods. Optional values:
– PrePaid: Monthly, or annual subscription. Make sure that your reg-
istered credit card is invalid or you have insufficient balance in your

PayPal account. Otherwise, InvalidPayMethod error may occur.
– PostPaid: Pay-As-You-Go.
Default value: PostPaid.
• instance_type - (Optional) Instance type. For more information, call
resource_alicloud_instances to obtain the latest instance type list.
• auto_release_time - (Optional) Instance auto release time. The time is
presented using the ISO8601 standard and in UTC time. The format is
YYYY-MM-DDTHH:MM:SSZ.
• internet_charge_type - (Optional) Internet bandwidth billing method.
Optional values: PayByTraffic.
• internet_max_bandwidth_in - (Optional) The maximum inbound band-
width from the Internet network, measured in Mbit/s. Value range: [1,
200].
• internet_max_bandwidth_out - (Optional) Maximum outbound band-
width from the Internet, its unit of measurement is Mbit/s. Value range:
[0, 100].
• io_optimized - (Optional) Whether it is an I/O-optimized instance or
not. Optional values:
– none
– optimized
• key_pair_name - (Optional) The name of the key pair.
– Ignore this parameter for Windows instances. It is null by default.
Even if you enter this parameter, only the Password content is used.
– The password logon method for Linux instances is set to forbidden
upon initialization.
• network_type - (Optional) Network type of the instance. Value options:
Classic | VPC.
• ram_role_name - (Optional) The RAM role name of the instance. You
can use the RAM API ListRoles to query instance RAM role names.
• security_enhancement_strategy - (Optional) Whether or not to activate
the security enhancement feature and install network security software
free of charge. Optional values: Active | Deactive.
• security_group_id - (Optional) The security group ID.
• spot_price_limit - (Optional) Sets the maximum hourly instance price.
Supports up to three decimal places.
• spot_strategy - (Optional) The spot strategy for a Pay-As-You-Go
instance. This parameter is valid and required only when
InstanceChargeType is set to PostPaid. Value range:
– NoSpot: Normal Pay-As-You-Go instance.
– SpotWithPriceLimit: Sets the maximum price for a spot instance.
– SpotAsPriceGo: The system automatically calculates the price. The
maximum value is the Pay-As-You-Go price.
• system_disk_category - (Optional) The category of the system disk.
Optional values:
– cloud: Basic cloud disk.
– cloud_efficiency: Ultra cloud disk.
– cloud_ssd: SSD cloud Disks.
– ephemeral_ssd: local SSD Disks
– cloud_essd: ESSD cloud Disks.
• system_disk_description - (Optional) System disk description. It
cannot begin with http:// or https://.
• system_disk_name - (Optional) System disk name. The name is a string
of 2 to 128 characters. It must begin with an English or a Chinese
character. It can contain A-Z, a-z, Chinese characters, numbers, periods (.),
colons (:), underscores (_), and hyphens (-).
• system_disk_size - (Optional) Size of the system disk, measured in GB.
Value range: [20, 500].
• userdata - (Optional) User data of the instance, which is Base64-encoded.
Size of the raw data cannot exceed 16 KB.
• vswitch_id - (Optional) When creating a VPC-Connected instance, you
must specify its VSwitch ID.
• zone_id - (Optional) The zone ID of the instance.
• network_interfaces - (Optional) The list of network interfaces created
with instance.
– name - (Optional) ENI name.
– description - (Optional) The ENI description.
– primary_ip - (Optional) The primary private IP address of the ENI.
– security_group_id - (Optional) The security group ID must be one
in the same VPC.
– vswitch_id - (Optional) The VSwitch ID for ENI. The instance must
be in the same zone of the same VPC network as the ENI, but they
may belong to different VSwitches.
• data_disks - (Optional) The list of data disks created with instance.
– name - (Optional) The name of the data disk.
– size - (Required) The size of the data disk.
∗ cloud: [5, 2000]
∗ cloud_efficiency: [20, 32768]
∗ cloud_ssd: [20, 32768]
∗ cloud_essd: [20, 32768]
∗ ephemeral_ssd: [5, 800]
– category - (Optional) The category of the disk:
∗ cloud: Basic cloud disk.
∗ cloud_efficiency: Ultra cloud disk.
∗ cloud_ssd: SSD cloud Disks.
∗ ephemeral_ssd: local SSD Disks
∗ cloud_essd: ESSD cloud Disks.
Default to cloud_efficiency.
– encrypted - (Optional, Bool) Whether to encrypt the data on this disk.
Default to false.
– snapshot_id - (Optional) The snapshot ID used to initialize the data
disk. If the size specified by the snapshot is greater than the size of
the disk, the snapshot size is used as the size of the data disk.
– delete_with_instance - (Optional) Delete this data disk when
the instance is destroyed. It only works on cloud, cloud_efficiency,
cloud_ssd and cloud_essd disks. If the category of this data disk
is ephemeral_ssd, do not set this parameter.
Default to true.
– description - (Optional) The description of the data disk.
• tags - (Optional) A mapping of tags to assign to the resource.
– Key: It can be up to 64 characters in length. It cannot begin with
"aliyun", "acs:", "http://", or "https://". It cannot be a null string.
– Value: It can be up to 128 characters in length. It cannot begin with
"aliyun", "acs:", "http://", or "https://". It can be a null string.

» Attributes Reference

The following attributes are exported:


• id - The Launch Template ID.

» Import

Launch Template can be imported using the id, e.g.


$ terraform import alicloud_launch_template.lt lt-abc1234567890000

» alicloud_elasticsearch_instances
The alicloud_elasticsearch_instances data source provides a collection of
Elasticsearch instances available in Alicloud account. Filters support description
regex, searches by tags, and other filters which are listed below.

» Example Usage

data "alicloud_elasticsearch_instances" "instances" {


description_regex = "myes"
version = "5.5.3_with_X-Pack"
}

» Argument Reference

The following arguments are supported:


• description_regex - (Optional) A regex string to apply to the instance
description.
• ids - (Optional, Available 1.52.1+) A list of Elasticsearch instance IDs.
• version - (Optional) Elasticsearch version. Options are 5.5.3_with_X-Pack,
6.3.2_with_X-Pack and 6.7.0_with_X-Pack. If no value is specified, all
versions are returned.
• tags - (Optional, Available 1.74.0+) A map of tags assigned to instances.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of Elasticsearch instance IDs.
• descriptions - A list of Elasticsearch instance descriptions.
• instances - A list of Elasticsearch instances. Each element contains
the following attributes:
– id - The ID of the Elasticsearch instance.
– description - The description of the Elasticsearch instance.
– instance_charge_type - Billing method. Value options: PostPaid
for Pay-As-You-Go and PrePaid for subscription.
– data_node_amount - The Elasticsearch cluster’s data node quantity,
between 2 and 50.
– data_node_spec - The data node specifications of the Elasticsearch
instance.
– data_node_disk_size - The single data node storage space. Unit:
GB.
– data_node_disk_type - The data node disk type. Included values:
cloud_ssd and cloud_efficiency.
– vswitch_id - VSwitch ID the instance belongs to.
– version - Elasticsearch version includes 5.5.3_with_X-Pack,
6.3.2_with_X-Pack and 6.7.0_with_X-Pack.
– created_at - The creation time of the instance, in GMT format,
such as: "2019-01-08T15:50:50.623Z".
– updated_at - The last modified time of the instance, in GMT
format, such as: "2019-01-08T15:50:50.623Z".
– status - Status of the instance. It includes active, activating,
inactive.
– tags - A map of tags assigned to the instance.

» alicloud_elasticsearch_zones
This data source provides availability zones for Elasticsearch that can be
accessed by an Alibaba Cloud account within the region configured in the provider.
NOTE: Available in v1.73.0+.

» Example Usage

# Declare the data source


data "alicloud_elasticsearch_zones" "zones_ids" {}

» Argument Reference

The following arguments are supported:


• multi - (Optional) Indicate whether the zones can be used in a multi
AZ configuration. Default to false. Multi AZ is usually used to launch
Elasticsearch instances.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of zone IDs.

• zones - A list of availability zones. Each element contains the following
attributes:
– id - ID of the zone.
– multi_zone_ids - A list of zone ids in which the multi zone.

» alicloud_elasticsearch_instance
Provides an Elasticsearch instance resource. It contains data nodes, an optional
dedicated master node, and so on. It can be associated with private IP whitelists
and a Kibana IP whitelist.
NOTE: Only one operation is supported in a request. So if data_node_spec
and data_node_disk_size are both changed, the system will respond with an error.
NOTE: At present, version cannot be modified once the instance has been
created.

» Example Usage

Basic Usage
resource "alicloud_elasticsearch_instance" "instance" {
instance_charge_type = "PostPaid"
data_node_amount = "2"
data_node_spec = "elasticsearch.sn2ne.large"
data_node_disk_size = "20"
data_node_disk_type = "cloud_ssd"
vswitch_id = "some vswitch id"
password = "Your password"
version = "5.5.3_with_X-Pack"
description = "description"
zone_count = "2"
tags = {
"key1":"value1",
"key2":"value2",
}
}

» Argument Reference

The following arguments are supported:


• description - (Optional) The description of the instance. It is a string of
0 to 30 characters.
• instance_charge_type - (Optional) Valid values are PrePaid, PostPaid.
Default to PostPaid. From version 1.69.0, the Elasticsearch cluster allows
you to update your instance_charge_type from PostPaid to PrePaid; the
following attributes are required: period. But, updating from PrePaid
to PostPaid is not supported.
• period - (Optional) The duration that you will buy the Elasticsearch instance
(in months). It is valid when instance_charge_type is PrePaid. Valid
values: [1~9], 12, 24, 36. Default to 1. From version 1.69.2, modifying
this value renews a PrePaid instance.
• data_node_amount - (Required) The Elasticsearch cluster’s data node
quantity, between 2 and 50.
• data_node_spec - (Required) The data node specifications of the
Elasticsearch instance.
• data_node_disk_size - (Required) The single data node storage space.
– cloud_ssd: An SSD disk, supports a maximum of 2048 GiB (2 TB).
– cloud_efficiency: An ultra disk, supports a maximum of 5120 GiB
(5 TB). If the data to be stored is larger than 2048 GiB, an ultra disk
can only support the following data sizes (GiB): [2560, 3072, 3584,
4096, 4608, 5120].
• data_node_disk_type - (Required) The data node disk type. Supported
values: cloud_ssd, cloud_efficiency.
• vswitch_id - (Required, ForceNew) The ID of VSwitch.
• password - (Optional, Sensitive) The password of the instance. The
password can be 8 to 30 characters in length and must contain three of the
following: uppercase letters, lowercase letters, numbers, and
special characters (!@#$%^&*()_+-=).
• kms_encrypted_password - (Optional, Available in 1.57.1+) A KMS-encrypted
password used for the instance. If password is set, this
field is ignored, but you have to specify one of the password and
kms_encrypted_password fields.
• kms_encryption_context - (Optional, MapString, Available in 1.57.1+)
A KMS encryption context used to decrypt kms_encrypted_password
before creating or updating an instance with kms_encrypted_password. See
Encryption Context. It is valid when kms_encrypted_password is set.
• version - (Required, ForceNew) Elasticsearch version. Supported values:
5.5.3_with_X-Pack, 6.3_with_X-Pack and 6.7_with_X-Pack.
• private_whitelist - (Optional) Set the instance’s IP whitelist in VPC
network.
• kibana_whitelist - (Optional) Set the Kibana’s IP whitelist in internet
network.
• master_node_spec - (Optional) The dedicated master node spec. If
specified, a dedicated master node will be created.
• zone_count - (Optional, Available in 1.44.0+) The Multi-AZ supported
for Elasticsearch, between 1 and 3. The data_node_amount value must
be an integral multiple of the zone_count value.
• tags - (Optional, Available in v1.73.0+) A mapping of tags to assign to
the resource.
– key: It can be up to 128 characters in length. It cannot begin with
"aliyun", "acs:". It cannot contain "http://" and "https://". It cannot
be a null string.
– value: It can be up to 128 characters in length. It cannot contain
"http://" and "https://". It can be a null string.
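
The password and whitelist arguments above can be combined so that no plaintext password appears in the configuration and both endpoints accept traffic only from named ranges. The following is an added example, not part of the provider documentation: the variable names, the encryption-context key, the tag values, and the use of CIDR string lists for the two whitelist arguments are assumptions, and the validation blocks require Terraform 0.13 or later.

```hcl
# Added example, not from the provider documentation.
# Assumptions: variable names, tag values and the encryption-context key are
# illustrative; the whitelist arguments are given as lists of CIDR strings.

variable "vswitch_id" {
  type        = string
  description = "VSwitch that hosts the Elasticsearch instance."
}

variable "es_password_ciphertext" {
  type        = string
  description = "Instance password, already encrypted with KMS."
}

variable "app_cidrs" {
  type        = list(string)
  description = "VPC ranges allowed to reach the Elasticsearch endpoint."

  validation {
    condition     = length(var.app_cidrs) > 0 && !contains(var.app_cidrs, "0.0.0.0/0")
    error_message = "The app_cidrs list must be non-empty and must not contain 0.0.0.0/0."
  }
}

variable "kibana_admin_cidrs" {
  type        = list(string)
  description = "Internet ranges allowed to reach the Kibana console."

  validation {
    condition     = length(var.kibana_admin_cidrs) > 0 && !contains(var.kibana_admin_cidrs, "0.0.0.0/0")
    error_message = "The kibana_admin_cidrs list must be non-empty and must not contain 0.0.0.0/0."
  }
}

resource "alicloud_elasticsearch_instance" "hardened" {
  description          = "logs-prod"
  instance_charge_type = "PostPaid"
  data_node_amount     = "2" # must stay an integral multiple of zone_count
  data_node_spec       = "elasticsearch.sn2ne.large"
  data_node_disk_size  = "20"
  data_node_disk_type  = "cloud_ssd"
  vswitch_id           = var.vswitch_id
  version              = "5.5.3_with_X-Pack"
  zone_count           = "2"

  # Use the KMS ciphertext instead of the plaintext `password` argument.
  # If `password` were also set, this field would be ignored.
  kms_encrypted_password = var.es_password_ciphertext

  # Must match the context supplied when the password was encrypted
  # (the key and value here are placeholders).
  kms_encryption_context = {
    purpose = "es-instance-password"
  }

  # Instance endpoint (VPC access) and Kibana console (Internet access)
  # are each limited to explicit ranges.
  private_whitelist = var.app_cidrs
  kibana_whitelist  = var.kibana_admin_cidrs

  tags = {
    owner = "platform-team"
  }
}

output "es_endpoint" {
  value = "${alicloud_elasticsearch_instance.hardened.domain}:${alicloud_elasticsearch_instance.hardened.port}"
}

output "kibana_endpoint" {
  value = "${alicloud_elasticsearch_instance.hardened.kibana_domain}:${alicloud_elasticsearch_instance.hardened.kibana_port}"
}
```

Because only one operation is supported per request, change the password and the whitelists in separate applies.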

» Timeouts

NOTE: Available in 1.48.0+.


The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 120 mins) Used when creating the elasticsearch
instance (until it reaches the initial active status).
• update - (Defaults to 120 mins) Used when activating the elasticsearch
instance when necessary during update - e.g. when changing elasticsearch
instance description, whitelist, data node settings, master node spec and
password.
• delete - (Defaults to 120 mins) Used when terminating the elasticsearch
instance. Note: There is a 5-minute sleep to ensure the instance is
deleted. It is not included in the configured timeout.

» Attributes Reference

The following attributes are exported:


• id - The ID of the Elasticsearch instance.
• domain - Instance connection domain (only VPC network access
supported).
• port - Instance connection port.
• kibana_domain - Kibana console domain (Internet access supported).
• kibana_port - Kibana console port.
• status - The Elasticsearch instance status. Includes active, activating,
inactive. Some operations are denied when status is not active.

» Import

Elasticsearch can be imported using the id, e.g.


$ terraform import alicloud_elasticsearch_instance.example es-cn-abcde123456

» alicloud_emr_disk_types
The alicloud_emr_disk_types data source provides a collection of data disk
and system disk types available in the Alibaba Cloud account when creating an
EMR cluster.
NOTE: Available in 1.60.0+

» Example Usage

data "alicloud_emr_disk_types" "default" {


destination_resource = "DataDisk"
instance_charge_type = "PostPaid"
cluster_type = "HADOOP"
instance_type = "ecs.g5.xlarge"
zone_id = "cn-huhehaote-a"
}

output "data_disk_type" {
value = "${data.alicloud_emr_disk_types.default.types.0.value}"
}

» Argument Reference

The following arguments are supported:


• destination_resource - (Required) The destination resource of the EMR
cluster instance.
• instance_charge_type - (Required) Filter the results by charge type.
Valid values: PrePaid and PostPaid. Default to PostPaid.
• cluster_type - (Required) The cluster type of the EMR cluster instance.
Possible values: HADOOP, KAFKA, ZOOKEEPER, DRUID.
• instance_type - (Required) The ECS instance type used to create the EMR
cluster instance.
• zone_id - (Optional) The zone in which to create the EMR cluster instance.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of data disk and system disk type IDs.
• types - A list of emr instance types. Each element contains the following
attributes:
– value - The value of the data disk or system disk.
– min - The minimum value of the data disk supported by the specific
instance type.
– max - The maximum value of the data disk supported by the specific
instance type.

» alicloud_emr_instance_types
The alicloud_emr_instance_types data source provides a collection of ECS
instance types available in the Alibaba Cloud account when creating an EMR cluster.
NOTE: Available in 1.59.0+

» Example Usage

data "alicloud_emr_instance_types" "default" {


destination_resource = "InstanceType"
instance_charge_type = "PostPaid"
support_local_storage = false
cluster_type = "HADOOP"
instance_type = "ecs.g5.2xlarge"
support_node_type = ["MASTER", "CORE"]
}

output "first_instance_type" {
value = "${data.alicloud_emr_instance_types.default.types.0.id}"
}

» Argument Reference

The following arguments are supported:


• destination_resource - (Required) The destination resource of the EMR
cluster instance.
• instance_charge_type - (Required) Filter the results by charge type.
Valid values: PrePaid and PostPaid. Default to PostPaid.
• cluster_type - (Required) The cluster type of the EMR cluster instance.
Possible values: HADOOP, KAFKA, ZOOKEEPER, DRUID.
• instance_type - (Optional, Available in 1.71.2+) Filter the specific ECS
instance type to create the EMR cluster.
• support_local_storage - (Optional, Available in 1.61.0+) Whether the
current storage disk is local or not.
• support_node_type - (Optional, Available in 1.63.0+) The specific
supported node type list. Possible values may be any one or combination of
these: ["MASTER", "CORE", "TASK", "GATEWAY"]
• zone_id - (Optional, Available in 1.69.0+) The supported resources of the
specific zoneId.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of emr instance types IDs.
• types - A list of emr instance types. Each element contains the following
attributes:
– id - The ID of the instance type.
– zone_id - The available zone id in Alibaba Cloud account
– local_storage_capacity - Local capacity of the applied ECS
instance for the EMR cluster. Unit: GB.

» alicloud_emr_main_versions
The alicloud_emr_main_versions data source provides a collection of EMR
main versions available in the Alibaba Cloud account when creating an EMR cluster.
NOTE: Available in 1.59.0+

» Example Usage

data "alicloud_emr_main_versions" "default" {


emr_version = "EMR-3.22.0"
cluster_type = ["HADOOP", "ZOOKEEPER"]
}

output "first_main_version" {
value = "${data.alicloud_emr_main_versions.default.main_versions.0.emr_version}"
}

output "this_cluster_types" {
value = "${data.alicloud_emr_main_versions.default.main_versions.0.cluster_types}"
}

» Argument Reference

The following arguments are supported:


• emr_version - (Optional) The version of the emr cluster instance.
Possible values: EMR-4.0.0, EMR-3.23.0, EMR-3.22.0.
• cluster_type - (Optional, Available in 1.70.1+) The supported clusterType
of this emr version. Possible values may be any one or combination of
these: ["HADOOP", "DRUID", "KAFKA", "ZOOKEEPER", "FLINK",
"CLICKHOUSE"]
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of emr instance types IDs.
• main_versions - A list of versions of the emr cluster instance. Each
element contains the following attributes:
– emr_version - The version of the emr cluster instance.
– image_id - The image id of the emr cluster instance.
– cluster_types - A list of cluster types the emr cluster supported.
Possible values: HADOOP, ZOOKEEPER, KAFKA, DRUID.

» alicloud_emr_cluster
Provides an EMR Cluster resource. With this you can create, read, and release
an EMR Cluster.
NOTE: Available in 1.57.0+.

» Example Usage

» 1. Create A Cluster
data "alicloud_emr_main_versions" "default" {
}

data "alicloud_emr_instance_types" "default" {


destination_resource = "InstanceType"
cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0
support_local_storage = false
instance_charge_type = "PostPaid"

support_node_type = ["MASTER", "CORE", "TASK"]
}

data "alicloud_emr_disk_types" "data_disk" {


destination_resource = "DataDisk"
cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0
instance_charge_type = "PostPaid"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
zone_id = data.alicloud_emr_instance_types.default.types.0.zone_id
}

data "alicloud_emr_disk_types" "system_disk" {


destination_resource = "SystemDisk"
cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0
instance_charge_type = "PostPaid"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
zone_id = data.alicloud_emr_instance_types.default.types.0.zone_id
}

resource "alicloud_vpc" "vpc" {


count = var.vpc_id == "" ? 1 : 0

name = var.vpc_name
cidr_block = var.vpc_cidr
}

resource "alicloud_security_group" "default" {


count = var.security_group_id == "" ? 1 : 0

name = var.security_group_name
vpc_id = var.vpc_id == "" ? alicloud_vpc.vpc[0].id : var.vpc_id
}

// VSwitch Resource for Module


resource "alicloud_vswitch" "vswitch" {
count = var.vswitch_id == "" ? 1 : 0

availability_zone = var.availability_zone == "" ? data.alicloud_emr_instance_types.defau


name = var.vswitch_name
cidr_block = var.vswitch_cidr
vpc_id = var.vpc_id == "" ? alicloud_vpc.vpc[0].id : var.vpc_id
}

// Ram role Resource for Module


resource "alicloud_ram_role" "default" {
name = var.ram_name

document = <<EOF
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"emr.aliyuncs.com",
"ecs.aliyuncs.com"
]
}
}
],
"Version": "1"
}
EOF
description = "this is a role test."
force = true
}

resource "alicloud_emr_cluster" "default" {


name = "terraform-resize-test-0926"

emr_ver = data.alicloud_emr_main_versions.default.main_versions.0.emr_version

cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0

host_group {
host_group_name = "master_group"
host_group_type = "MASTER"
node_count = "2"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
disk_type = data.alicloud_emr_disk_types.data_disk.types.0.value
disk_capacity = data.alicloud_emr_disk_types.data_disk.types.0.min > 160 ? data.alic
disk_count = "1"
sys_disk_type = data.alicloud_emr_disk_types.system_disk.types.0.value
sys_disk_capacity = data.alicloud_emr_disk_types.system_disk.types.0.min > 160 ? dat
}

host_group {
host_group_name = "core_group"
host_group_type = "CORE"
node_count = "3"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
disk_type = data.alicloud_emr_disk_types.data_disk.types.0.value

disk_capacity = data.alicloud_emr_disk_types.data_disk.types.0.min > 160 ? data.alic
disk_count = "4"
sys_disk_type = data.alicloud_emr_disk_types.system_disk.types.0.value
sys_disk_capacity = data.alicloud_emr_disk_types.system_disk.types.0.min > 160 ? dat
}

host_group {
host_group_name = "task_group"
host_group_type = "TASK"
node_count = "2"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
disk_type = data.alicloud_emr_disk_types.data_disk.types.0.value
disk_capacity = data.alicloud_emr_disk_types.data_disk.types.0.min > 160 ? data.alic
disk_count = "4"
sys_disk_type = data.alicloud_emr_disk_types.system_disk.types.0.value
sys_disk_capacity = data.alicloud_emr_disk_types.system_disk.types.0.min > 160 ? dat
}

high_availability_enable = true
zone_id = data.alicloud_emr_instance_types.default.types.0.zone_id
security_group_id = var.security_group_id == "" ? alicloud_security_group.default[0].id
is_open_public_ip = true
charge_type = "PostPaid"
vswitch_id = var.vswitch_id == "" ? alicloud_vswitch.vswitch[0].id : var.vswitch_id
user_defined_emr_ecs_role = alicloud_ram_role.default.name
ssh_enable = true
master_pwd = "ABCtest1234!"
}

» 2. Scale Up
The hosts of an EMR cluster are organized as host groups. Scaling up or down
operates on a host group.
To scale up a cluster, increase the node_count of a host
group.
NOTE: Scaling up is only applicable to CORE and TASK group. Cost time
of scaling up will vary with the number of scaling-up nodes. Scaling down is
only applicable to TASK group. If you want to scale down CORE group, please
submit tickets or contact EMR support team.
In the following case, we scale up the TASK group by 2 nodes by increasing
host_group.node_count by 2.
data "alicloud_emr_main_versions" "default" {
}

data "alicloud_emr_instance_types" "default" {
destination_resource = "InstanceType"
cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0
support_local_storage = false
instance_charge_type = "PostPaid"
support_node_type = ["MASTER", "CORE", "TASK"]
}

data "alicloud_emr_disk_types" "data_disk" {


destination_resource = "DataDisk"
cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0
instance_charge_type = "PostPaid"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
zone_id = data.alicloud_emr_instance_types.default.types.0.zone_id
}

data "alicloud_emr_disk_types" "system_disk" {


destination_resource = "SystemDisk"
cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0
instance_charge_type = "PostPaid"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
zone_id = data.alicloud_emr_instance_types.default.types.0.zone_id
}

resource "alicloud_vpc" "vpc" {


count = var.vpc_id == "" ? 1 : 0

name = var.vpc_name
cidr_block = var.vpc_cidr
}

resource "alicloud_security_group" "default" {


count = var.security_group_id == "" ? 1 : 0

name = var.security_group_name
vpc_id = var.vpc_id == "" ? alicloud_vpc.vpc[0].id : var.vpc_id
}

// VSwitch Resource for Module


resource "alicloud_vswitch" "vswitch" {
count = var.vswitch_id == "" ? 1 : 0

availability_zone = var.availability_zone == "" ? data.alicloud_emr_instance_types.defau


name = var.vswitch_name
cidr_block = var.vswitch_cidr

vpc_id = var.vpc_id == "" ? alicloud_vpc.vpc[0].id : var.vpc_id
}

// Ram role Resource for Module


resource "alicloud_ram_role" "default" {
name = var.ram_name
document = <<EOF
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"emr.aliyuncs.com",
"ecs.aliyuncs.com"
]
}
}
],
"Version": "1"
}
EOF
description = "this is a role test."
force = true
}

resource "alicloud_emr_cluster" "default" {


name = "terraform-resize-test-0926"

emr_ver = data.alicloud_emr_main_versions.default.main_versions.0.emr_version

cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0

host_group {
host_group_name = "master_group"
host_group_type = "MASTER"
node_count = "2"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
disk_type = data.alicloud_emr_disk_types.data_disk.types.0.value
disk_capacity = data.alicloud_emr_disk_types.data_disk.types.0.min > 160 ? data.alic
disk_count = "1"
sys_disk_type = data.alicloud_emr_disk_types.system_disk.types.0.value
sys_disk_capacity = data.alicloud_emr_disk_types.system_disk.types.0.min > 160 ? dat
}

host_group {
host_group_name = "core_group"
host_group_type = "CORE"
node_count = "2"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
disk_type = data.alicloud_emr_disk_types.data_disk.types.0.value
disk_capacity = data.alicloud_emr_disk_types.data_disk.types.0.min > 160 ? data.alic
disk_count = "4"
sys_disk_type = data.alicloud_emr_disk_types.system_disk.types.0.value
sys_disk_capacity = data.alicloud_emr_disk_types.system_disk.types.0.min > 160 ? dat
}

host_group {
host_group_name = "task_group"
host_group_type = "TASK"
node_count = "4"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
disk_type = data.alicloud_emr_disk_types.data_disk.types.0.value
disk_capacity = data.alicloud_emr_disk_types.data_disk.types.0.min > 160 ? data.alic
disk_count = "4"
sys_disk_type = data.alicloud_emr_disk_types.system_disk.types.0.value
sys_disk_capacity = data.alicloud_emr_disk_types.system_disk.types.0.min > 160 ? dat
}

high_availability_enable = true
zone_id = data.alicloud_emr_instance_types.default.types.0.zone_id
security_group_id = var.security_group_id == "" ? alicloud_security_group.default[0].id
is_open_public_ip = true
charge_type = "PostPaid"
vswitch_id = var.vswitch_id == "" ? alicloud_vswitch.vswitch[0].id : var.vswitch_id
user_defined_emr_ecs_role = alicloud_ram_role.default.name
ssh_enable = true
master_pwd = "ABCtest1234!"
}

» 3. Scale Down
In the case of scaling down a cluster, we need to specify the host group and
the instance list.
The following is an example. We scale down the cluster by decreasing the node
count by 2, and specifying the scale-down instance list.
data "alicloud_emr_main_versions" "default" {
}

data "alicloud_emr_instance_types" "default" {
destination_resource = "InstanceType"
cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0
support_local_storage = false
instance_charge_type = "PostPaid"
support_node_type = ["MASTER", "CORE", "TASK"]
}

data "alicloud_emr_disk_types" "data_disk" {


destination_resource = "DataDisk"
cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0
instance_charge_type = "PostPaid"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
zone_id = data.alicloud_emr_instance_types.default.types.0.zone_id
}

data "alicloud_emr_disk_types" "system_disk" {


destination_resource = "SystemDisk"
cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0
instance_charge_type = "PostPaid"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
zone_id = data.alicloud_emr_instance_types.default.types.0.zone_id
}

resource "alicloud_vpc" "vpc" {


count = var.vpc_id == "" ? 1 : 0

name = var.vpc_name
cidr_block = var.vpc_cidr
}

resource "alicloud_security_group" "default" {


count = var.security_group_id == "" ? 1 : 0

name = var.security_group_name
vpc_id = var.vpc_id == "" ? alicloud_vpc.vpc[0].id : var.vpc_id
}

// VSwitch Resource for Module


resource "alicloud_vswitch" "vswitch" {
count = var.vswitch_id == "" ? 1 : 0

availability_zone = var.availability_zone == "" ? data.alicloud_emr_instance_types.defau


name = var.vswitch_name
cidr_block = var.vswitch_cidr
vpc_id = var.vpc_id == "" ? alicloud_vpc.vpc[0].id : var.vpc_id

}

// Ram role Resource for Module


resource "alicloud_ram_role" "default" {
name = var.ram_name
document = <<EOF
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"emr.aliyuncs.com",
"ecs.aliyuncs.com"
]
}
}
],
"Version": "1"
}
EOF
description = "this is a role test."
force = true
}

resource "alicloud_emr_cluster" "default" {


name = "terraform-resize-test-0926"

emr_ver = data.alicloud_emr_main_versions.default.main_versions.0.emr_version

cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0

host_group {
host_group_name = "master_group"
host_group_type = "MASTER"
node_count = "2"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
disk_type = data.alicloud_emr_disk_types.data_disk.types.0.value
disk_capacity = data.alicloud_emr_disk_types.data_disk.types.0.min > 160 ? data.alic
disk_count = "1"
sys_disk_type = data.alicloud_emr_disk_types.system_disk.types.0.value
sys_disk_capacity = data.alicloud_emr_disk_types.system_disk.types.0.min > 160 ? dat
}

host_group {

host_group_name = "core_group"
host_group_type = "CORE"
node_count = "2"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
disk_type = data.alicloud_emr_disk_types.data_disk.types.0.value
disk_capacity = data.alicloud_emr_disk_types.data_disk.types.0.min > 160 ? data.alic
disk_count = "4"
sys_disk_type = data.alicloud_emr_disk_types.system_disk.types.0.value
sys_disk_capacity = data.alicloud_emr_disk_types.system_disk.types.0.min > 160 ? dat
}

host_group {
host_group_name = "task_group"
host_group_type = "TASK"
node_count = "2"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
disk_type = data.alicloud_emr_disk_types.data_disk.types.0.value
disk_capacity = data.alicloud_emr_disk_types.data_disk.types.0.min > 160 ? data.alic
disk_count = "4"
sys_disk_type = data.alicloud_emr_disk_types.system_disk.types.0.value
sys_disk_capacity = data.alicloud_emr_disk_types.system_disk.types.0.min > 160 ? dat
}

high_availability_enable = true
zone_id = data.alicloud_emr_instance_types.default.types.0.zone_id
security_group_id = var.security_group_id == "" ? alicloud_security_group.default[0].id
is_open_public_ip = true
charge_type = "PostPaid"
vswitch_id = var.vswitch_id == "" ? alicloud_vswitch.vswitch[0].id : var.vswitch_id
user_defined_emr_ecs_role = alicloud_ram_role.default.name
ssh_enable = true
master_pwd = "ABCtest1234!"
}

» 4. Create an EMR gateway cluster


data "alicloud_emr_main_versions" "default" {
}

data "alicloud_emr_instance_types" "default" {


destination_resource = "InstanceType"
cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0
support_local_storage = false
instance_charge_type = "PostPaid"
support_node_type = ["GATEWAY"]

}

data "alicloud_emr_disk_types" "data_disk" {


destination_resource = "DataDisk"
cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0
instance_charge_type = "PostPaid"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
zone_id = data.alicloud_emr_instance_types.default.types.0.zone_id
}

data "alicloud_emr_disk_types" "system_disk" {


destination_resource = "SystemDisk"
cluster_type = data.alicloud_emr_main_versions.default.main_versions.0.cluster_types.0
instance_charge_type = "PostPaid"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
zone_id = data.alicloud_emr_instance_types.default.types.0.zone_id
}

resource "alicloud_vpc" "vpc" {


count = var.vpc_id == "" ? 1 : 0

name = var.vpc_name
cidr_block = var.vpc_cidr
}

resource "alicloud_security_group" "default" {


count = var.security_group_id == "" ? 1 : 0

name = var.security_group_name
vpc_id = var.vpc_id == "" ? alicloud_vpc.vpc[0].id : var.vpc_id
}

// VSwitch Resource for Module


resource "alicloud_vswitch" "vswitch" {
count = var.vswitch_id == "" ? 1 : 0

availability_zone = var.availability_zone == "" ? data.alicloud_emr_instance_types.defau


name = var.vswitch_name
cidr_block = var.vswitch_cidr
vpc_id = var.vpc_id == "" ? alicloud_vpc.vpc[0].id : var.vpc_id
}

// Ram role Resource for Module


resource "alicloud_ram_role" "default" {
name = var.ram_name
document = <<EOF

{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"emr.aliyuncs.com",
"ecs.aliyuncs.com"
]
}
}
],
"Version": "1"
}
EOF
description = "this is a role test."
force = true
}

resource "alicloud_emr_cluster" "gateway" {


name = "terraform-gateway-test-1101"

emr_ver = data.alicloud_emr_main_versions.default.main_versions.0.emr_version

# supported 'GATEWAY' available in 1.61.0+.


cluster_type = "GATEWAY"

host_group {
host_group_name = "master_group"
host_group_type = "GATEWAY"
node_count = "1"
instance_type = data.alicloud_emr_instance_types.default.types.0.id
disk_type = data.alicloud_emr_disk_types.data_disk.types.0.value
disk_capacity = data.alicloud_emr_disk_types.data_disk.types.0.min > 160 ? data.alic
disk_count = "1"
sys_disk_type = data.alicloud_emr_disk_types.system_disk.types.0.value
sys_disk_capacity = data.alicloud_emr_disk_types.system_disk.types.0.min > 160 ? dat
}

high_availability_enable = true
zone_id = data.alicloud_emr_instance_types.default.types.0.zone_id
security_group_id = var.security_group_id == "" ? alicloud_security_group.default[0].id
is_open_public_ip = true
charge_type = "PostPaid"
vswitch_id = var.vswitch_id == "" ? alicloud_vswitch.vswitch[0].id : var.vswitch_id

user_defined_emr_ecs_role = alicloud_ram_role.default.name
ssh_enable = true
master_pwd = "ABCtest1234!"

// the gateway related emr cluster id, if you want to bind a cluster dynamically, please
related_cluster_id = ${related_cluster_id}
}

» Argument Reference

The following arguments are supported:


• name - (Required) The name of the EMR cluster. The name length must be less than 64. Supported characters: Chinese characters, English letters, numbers, "-", "_".
• emr_ver - (Required, ForceNew) EMR version, e.g. EMR-3.22.0. You can find all valid EMR versions in the EMR web console.
• cluster_type - (Required, ForceNew) EMR cluster type, e.g. HADOOP, KAFKA, DRUID, GATEWAY etc. You can find all valid EMR cluster types in the EMR web console. 'GATEWAY' is supported in 1.61.0+.
• charge_type - (Required, ForceNew) Charge type for this cluster. Supported values: PostPaid or PrePaid. Default value: PostPaid.
• zone_id - (Required, ForceNew) Zone ID, e.g. cn-huhehaote-a.
• security_group_id - (Optional, ForceNew) Security group ID for the cluster. You can also specify this key for each host group.
• vswitch_id - (Optional, ForceNew) Global vswitch ID. You can also specify it in a host group.
• option_software_list - (Optional, ForceNew) Optional software list.
• high_availability_enable - (Optional, ForceNew) High availability for HDFS and YARN. If this is set to true, the MASTER group must have two nodes.
• use_local_metadb - (Optional, ForceNew) Use local metadb. Default is false.
• ssh_enable - (Optional, ForceNew) If this is set to true, you can SSH into the cluster. Default value is false.
• master_pwd - (Optional, ForceNew) Master SSH password.
• eas_enable - (Optional, ForceNew) High security cluster (true) or not. Default value is false.
• user_defined_emr_ecs_role - (Optional, ForceNew) Alicloud EMR uses roles to perform actions on your behalf when provisioning cluster resources, running applications, and dynamically scaling resources. EMR uses the following roles when interacting with other Alicloud services. Default value is AliyunEmrEcsDefaultRole.
• key_pair_name - (Optional, ForceNew) SSH key pair.
• deposit_type - (Optional, ForceNew) Cluster deposit type, HALF_MANAGED or FULL_MANAGED.
• related_cluster_id - (Optional, ForceNew) Specifies the related cluster ID if this cluster is a Gateway.
• host_group - (Optional) Groups of hosts. You can specify MASTER as a group and CORE as a group (as in the example above).
• tags - (Optional, Available in v1.67.0+) A mapping of tags to assign to the resource.

» Block host_group
The host_group mapping supports the following:
• host_group_name - (Required, ForceNew) Host group name.
• host_group_type - (Required) Host group type. Supported values: MASTER, CORE or TASK. 'GATEWAY' is supported in 1.61.0+.
• charge_type - (Optional) Charge type for this group of hosts: PostPaid or PrePaid. If this is not specified, the charge type follows the global charge_type value.
• period - (Optional) If the charge type is PrePaid, this should be specified. The unit is month. Supported values: 1, 2, 3, 4, 5, 6, 7, 8, 9, 12, 24, 36.
• node_count - (Required) Number of hosts in this group.
• instance_type - (Required) Host ECS instance type.
• disk_type - (Required) Data disk type. Supported value: cloud,cloud_efficiency,cloud_ssd,local_disk,clo
• disk_capacity - (Required) Data disk capacity.
• disk_count - (Required) Data disk count.
• sys_disk_type - (Required) System disk type. Supported values: cloud, cloud_efficiency, cloud_ssd, cloud_essd.
• sys_disk_capacity - (Required) System disk capacity.
• auto_renew - (Optional) Auto renew for prepaid, true or false. Default is false.
• instance_list - (Optional) Instance list for cluster scale down. This value follows the JSON format, e.g. ["instance_id1","instance_id2"]. The escape character for " is \".

» Block bootstrap_action
The bootstrap_action mapping supports the following:
• name - (Optional, Available in 1.71.2+) bootstrap action name.
• path - (Optional, Available in 1.71.2+) bootstrap action path, e.g.
”oss://bucket/path”.
• arg - (Optional, Available in 1.71.2+) bootstrap action args, e.g. ”--a=b”.

» Timeouts
The timeouts block allows you to specify timeouts for certain actions:

• create - (Defaults to 20 mins) Used when creating the cluster (until it
reaches the initial IDLE status).
• delete - (Defaults to 10 mins) Used when terminating the instance.

» Attribute Reference

The following attributes are exported:


• id - The cluster ID.

» alicloud_fc_functions
This data source provides the Function Compute functions of the current Alibaba Cloud user.

» Example Usage

data "alicloud_fc_functions" "functions_ds" {


service_name = "sample_service"
name_regex = "sample_fc_function"
}

output "first_fc_function_name" {
value = "${data.alicloud_fc_functions.functions_ds.functions.0.name}"
}

» Argument Reference

The following arguments are supported:


• service_name - Name of the service that contains the functions to find.
• name_regex - (Optional) A regex string to filter results by function name.
• ids (Optional, Available in 1.53.0+) - A list of functions ids.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of functions ids.
• names - A list of functions names.

• functions - A list of functions. Each element contains the following
attributes:
– id - Function ID.
– name - Function name.
– description - Function description.
– runtime - Function runtime. The list of possible values is available
here.
– handler - Function entry point in the code.
– timeout - Maximum amount of time the function can run in seconds.
– memory_size - Amount of memory in MB the function can use at
runtime.
– code_size - Function code size in bytes.
– code_checksum - Checksum (crc64) of the function code.
– creation_time - Function creation time.
– last_modification_time - Function last modification time.
– environment_variables - A map that defines environment variables
for the function.

» alicloud_fc_services
This data source provides the Function Compute services of the current Alibaba
Cloud user.

» Example Usage

data "alicloud_fc_services" "fc_services_ds" {


name_regex = "sample_fc_service"
}

output "first_fc_service_name" {
value = "${data.alicloud_fc_services.fc_services_ds.services.0.name}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter results by FC service
name.
• ids (Optional, Available in 1.53.0+) - A list of FC services ids.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of FC services ids.
• names - A list of FC services names.
• services - A list of FC services. Each element contains the following
attributes:
– id - FC service ID.
– name - FC service name.
– description - FC service description.
– role - FC service role ARN.
– internet_access - Indicates whether the service can access the Internet.
– creation_time - FC service creation time.
– last_modification_time - FC service last modification time.
– log_config - A list of one element containing information about the
associated log store. It contains the following attributes:
– project - Log Service project name.
– logstore - Log Service store name.
– vpc_config - A list of one element containing information about
accessible VPC resources. It contains the following attributes:
– vpc_id - Associated VPC ID.
– vswitch_ids - Associated VSwitch IDs.
– security_group_id - Associated security group ID.

» alicloud_fc_triggers
This data source provides the Function Compute triggers of the current Alibaba
Cloud user.

» Example Usage

data "alicloud_fc_triggers" "fc_triggers_ds" {


service_name = "sample_service"
function_name = "sample_function"
name_regex = "sample_fc_trigger"
}

output "first_fc_trigger_name" {
value = "${data.alicloud_fc_triggers.fc_triggers_ds.triggers.0.name}"
}

» Argument Reference

The following arguments are supported:


• service_name - FC service name.
• function_name - FC function name.
• name_regex - (Optional) A regex string to filter results by FC trigger
name.
• ids (Optional, Available in 1.53.0+) - A list of FC triggers ids.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of FC triggers ids.
• names - A list of FC triggers names.
• triggers - A list of FC triggers. Each element contains the following
attributes:
– id - FC trigger ID.
– name - FC trigger name.
– source_arn - Event source resource address. See Create a trigger for
more details.
– type - Type of the trigger. Valid values: oss, log, timer, http and
mns_topic.
– invocation_role - RAM role arn attached to the Function Compute
trigger. Role used by the event source to call the function. The
value format is ”acs:ram::$account-id:role/$role-name”. See Create a
trigger for more details.
– config - JSON-encoded trigger configuration. See Configure triggers
and events for more details.
– creation_time - FC trigger creation time.
– last_modification_time - FC trigger last modification time.

» alicloud_fc_zones
This data source provides availability zones for FunctionCompute that can be accessed by an Alibaba Cloud account within the region configured in the provider.
NOTE: Available in v1.74.0+.

» Example Usage

# Declare the data source


data "alicloud_fc_zones" "zones_ids" {}

» Argument Reference

The following arguments are supported:


• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of zone IDs.
• zones - A list of availability zones. Each element contains the following
attributes:
– id - ID of the zone.

» alicloud_fc_function
Provides an Alicloud Function Compute Function resource. Function allows you to trigger execution of code in response to events in Alibaba Cloud. The Function itself includes source code and runtime configuration. For information about Service and how to use it, see What is Function Compute.
NOTE: The resource requires a provider field ’account_id’. See account_id.

» Example Usage

Basic Usage
variable "name" {
default = "alicloudfcfunctionconfig"
}
resource "alicloud_log_project" "default" {
name = "${var.name}"
description = "tf unit test"
}

resource "alicloud_log_store" "default" {

project = "${alicloud_log_project.default.name}"
name = "${var.name}"
retention_period = "3000"
shard_count = 1
}
resource "alicloud_fc_service" "default" {
name = "${var.name}"
description = "tf unit test"
log_config {
project = "${alicloud_log_project.default.name}"
logstore = "${alicloud_log_store.default.name}"
}
role = "${alicloud_ram_role.default.arn}"
depends_on = ["alicloud_ram_role_policy_attachment.default"]
}
resource "alicloud_oss_bucket" "default" {
bucket = "${var.name}"
}

resource "alicloud_oss_bucket_object" "default" {


bucket = "${alicloud_oss_bucket.default.id}"
key = "fc/hello.zip"
content = <<EOF
# -*- coding: utf-8 -*-
def handler(event, context):
    print "hello world"
    return 'hello world'
EOF
}

resource "alicloud_ram_role" "default" {


name = "${var.name}"
document = <<EOF
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"fc.aliyuncs.com"
]
}
}
],
"Version": "1"

}
EOF
description = "this is a test"
force = true
}

resource "alicloud_ram_role_policy_attachment" "default" {


role_name = "${alicloud_ram_role.default.name}"
policy_name = "AliyunLogFullAccess"
policy_type = "System"
}

resource "alicloud_fc_function" "foo" {


service = "${alicloud_fc_service.default.name}"
name = "${var.name}"
description = "tf"
oss_bucket = "${alicloud_oss_bucket.default.id}"
oss_key = "${alicloud_oss_bucket_object.default.key}"
memory_size = "512"
runtime = "python2.7"
handler = "hello.handler"
environment_variables = {
prefix = "terraform"
}
}

» Module Support

You can use the existing fc module to create a function quickly and set several triggers for it.

» Argument Reference

The following arguments are supported:


• service - (Required, ForceNew) The Function Compute service name.
• name - (Optional, ForceNew) The Function Compute function name. It must be unique within a service and conflicts with "name_prefix".
• name_prefix - (Optional, ForceNew) A prefix used to generate a unique function name. It conflicts with "name".
• description - (Optional) The Function Compute function description.
• filename - (Optional) The path to the function's deployment package within the local filesystem. It conflicts with the oss_-prefixed options.
• oss_bucket - (Optional) The OSS bucket location containing the function's deployment package. Conflicts with filename. This bucket must reside in the same Alibaba Cloud region where you are creating the function.
• oss_key - (Optional) The OSS key of an object containing the function's deployment package. Conflicts with filename.
• handler - (Required) The function entry point in your code.
• memory_size - (Optional) Amount of memory in MB your Function can use at runtime. Defaults to 128. Limits to [128, 3072].
• runtime - (Required) See Runtimes (https://www.alibabacloud.com/help/doc-detail/52077.htm) for valid values.
• timeout - (Optional) The amount of time your Function has to run in seconds.
• environment_variables - (Optional, Available in 1.36.0+) A map that defines environment variables for the function.
• code_checksum - (Optional, Available in 1.59.0+) The checksum (crc64) of the function code. The value can be generated by the data source alicloud_file_crc64_checksum.
NOTE: For more information, see Limits.

» Attributes Reference

The following attributes are exported:

• id - The ID of the function. The value is formatted as <service>:<name>.
• last_modified - The date this resource was last modified.
• function_id - The Function Compute service ID.
• code_checksum - The checksum (crc64) of the function code.

» Import

Function Compute function can be imported using the id, e.g.


$ terraform import alicloud_fc_function.foo my-fc-service:hello-world

» alicloud_fc_service
Provides an Alicloud Function Compute Service resource. The resource is the base for launching Function and Trigger configurations. For information about Service and how to use it, see What is Function Compute.
NOTE: The resource requires a provider field 'account_id'. See account_id.
NOTE: If you encounter the error "Argument 'internetAccess' is not supported", you need to log on to the web console and click the "Apply VPC Function" button at the top of the Function Service web console page.
NOTE: Currently not all regions support Function Compute Service. For more details about supported regions, see Service endpoints.

» Example Usage

Basic Usage
variable "name" {
default = "tf-testaccalicloudfcservice"
}

resource "alicloud_log_project" "foo" {


name = "${var.name}"
}

resource "alicloud_log_store" "foo" {


project = "${alicloud_log_project.foo.name}"
name = "${var.name}"
}

resource "alicloud_ram_role" "role" {


name = "${var.name}"
document = <<DEFINITION
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"fc.aliyuncs.com"
]
}
}
],
"Version": "1"
}
DEFINITION
description = "this is a test"
force = true
}

resource "alicloud_ram_role_policy_attachment" "attac" {
role_name = "${alicloud_ram_role.role.name}"
policy_name = "AliyunLogFullAccess"
policy_type = "System"
}

resource "alicloud_fc_service" "foo" {


name = "${var.name}"
description = "tf unit test"
role = "${alicloud_ram_role.role.arn}"
depends_on = ["alicloud_ram_role_policy_attachment.attac"]
}

» Module Support

You can use the existing fc module to create a service and a function quickly and then set several triggers for it.

» Argument Reference

The following arguments are supported:


• name - (ForceNew) The Function Compute service name. It must be unique within an Alicloud account and conflicts with "name_prefix".
• name_prefix - (ForceNew) A prefix used to generate a unique name. It conflicts with "name".
• description - (Optional) The function compute service description.
• internet_access - (Optional) Whether to allow the service to access the Internet. Defaults to "true".
• role - (Optional) RAM role ARN attached to the Function Compute service. This governs both who / what can invoke your Function, as well as what resources your Function has access to. See User Permissions for more details.
• log_config - (Optional) Provide this to store your FC service logs. Fields documented below. See Create a Service.
• vpc_config - (Optional) Provide this to allow your FC service to access your VPC. Fields documented below. See Function Compute Service in VPC.
log_config requires the following:
• project - (Required) The project name of Logs service.
• logstore - (Required) The log store name of Logs service.
NOTE: If both project and logstore are empty, log_config is considered to be empty or unset.

vpc_config requires the following:
• vswitch_ids - (Required) A list of vswitch IDs associated with the FC
service.
• security_group_id - (Required) A security group ID associated with the
FC service.
NOTE: If both vswitch_ids and security_group_id are empty, vpc_config
is considered to be empty or unset.

» Attributes Reference

The following attributes are exported:

• id - The ID of the FC service. The value is the same as name.
• service_id - The Function Compute service ID.
• last_modified - The date this resource was last modified.

» Import

Function Compute Service can be imported using the id or name, e.g.


$ terraform import alicloud_fc_service.foo my-fc-service
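
The following is an added example, not part of the provider documentation. It combines the code_checksum argument of alicloud_fc_function with the role, internet_access and log_config arguments of alicloud_fc_service, and replaces the AliyunLogFullAccess attachment used in the examples above with a custom policy scoped to one logstore. Assumptions: the resource names, the package path hello.zip, the python3 runtime value, the logstore ARN layout, that log:PostLogStoreLogs is sufficient for FC logging, and a provider already configured with region and account_id.

```hcl
# Added example. All names and paths are placeholders.
variable "name" {
  default = "fc-least-priv-demo"
}

data "alicloud_account" "current" {}

data "alicloud_regions" "current" {
  current = true
}

resource "alicloud_log_project" "fc" {
  name        = var.name
  description = "FC execution logs"
}

resource "alicloud_log_store" "fc" {
  project          = alicloud_log_project.fc.name
  name             = var.name
  retention_period = 30
  shard_count      = 1
}

# Trust policy: only the Function Compute service may assume this role.
resource "alicloud_ram_role" "fc" {
  name        = "${var.name}-role"
  description = "FC service role, log write only"
  document    = <<EOF
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": { "Service": ["fc.aliyuncs.com"] }
    }
  ],
  "Version": "1"
}
EOF
}

# Stands in for the System policy AliyunLogFullAccess: one action on one
# logstore. The ARN layout and the single action are assumptions.
resource "alicloud_ram_policy" "fc_logs" {
  name        = "${var.name}-log-write"
  description = "Write to the FC logstore only"
  document    = <<EOF
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["log:PostLogStoreLogs"],
      "Resource": "acs:log:${data.alicloud_regions.current.regions[0].id}:${data.alicloud_account.current.id}:project/${alicloud_log_project.fc.name}/logstore/${alicloud_log_store.fc.name}",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "alicloud_ram_role_policy_attachment" "fc_logs" {
  role_name   = alicloud_ram_role.fc.name
  policy_name = alicloud_ram_policy.fc_logs.name
  policy_type = "Custom"
}

resource "alicloud_fc_service" "hardened" {
  name            = var.name
  description     = "no outbound internet, scoped logging role"
  internet_access = false # the documented default is "true"
  role            = alicloud_ram_role.fc.arn

  log_config {
    project  = alicloud_log_project.fc.name
    logstore = alicloud_log_store.fc.name
  }

  depends_on = [alicloud_ram_role_policy_attachment.fc_logs]
}

# CRC64 of the local package, computed at plan time.
data "alicloud_file_crc64_checksum" "pkg" {
  filename = "${path.module}/hello.zip"
}

resource "alicloud_fc_function" "hello" {
  service       = alicloud_fc_service.hardened.name
  name          = var.name
  filename      = "${path.module}/hello.zip"
  code_checksum = data.alicloud_file_crc64_checksum.pkg.checksum
  runtime       = "python3"
  handler       = "hello.handler"
  memory_size   = 128
  timeout       = 10
}

# Exported checksum of the deployed code, for comparison with the build artifact.
output "deployed_code_checksum" {
  value = alicloud_fc_function.hello.code_checksum
}
```

CRC64 detects accidental corruption or a stale package; it is not a cryptographic integrity check, so the deployment package still needs to come from a trusted build.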

» alicloud_fc_trigger
Provides an Alicloud Function Compute Trigger resource. A trigger executes your code in response to events in Alibaba Cloud. For information about Service and how to use it, see What is Function Compute.
NOTE: The resource requires a provider field ’account_id’. See account_id.

» Example Usage

Basic Usage
variable "region" {
default = "cn-hangzhou"
}
variable "account" {
default = "12345"
}

provider "alicloud" {

account_id = "${var.account}"
region = "${var.region}"
}

resource "alicloud_fc_trigger" "foo" {


service = "my-fc-service"
function = "hello-world"
name = "hello-trigger"
role = "${alicloud_ram_role.foo.arn}"
source_arn = "acs:log:${var.region}:${var.account}:project/${alicloud_log_project.foo.name
type = "log"
config = <<EOF
{
"sourceConfig": {
"project": "project-for-fc",
"logstore": "project-for-fc"
},
"jobConfig": {
"maxRetryTime": 3,
"triggerInterval": 60
},
"functionParameter": {
"a": "b",
"c": "d"
},
"logConfig": {
"project": "project-for-fc",
"logstore": "project-for-fc"
},
"enable": true
}
EOF
depends_on = ["alicloud_ram_role_policy_attachment.foo"]
}

resource "alicloud_ram_role" "foo" {


name = "${var.name}-trigger"
document = <<EOF
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"log.aliyuncs.com"

]
}
}
],
"Version": "1"
}
EOF
description = "this is a test"
force = true
}

resource "alicloud_ram_role_policy_attachment" "foo" {


role_name = "${alicloud_ram_role.foo.name}"
policy_name = "AliyunLogFullAccess"
policy_type = "System"
}
MNS topic trigger:
variable "name" {
  default = "fctriggermnstopic"
}

data "alicloud_regions" "current_region" {
  current = true
}

data "alicloud_account" "current" {
}

resource "alicloud_log_project" "foo" {
  name        = "${var.name}"
  description = "tf unit test"
}

resource "alicloud_log_store" "bar" {
  project          = "${alicloud_log_project.foo.name}"
  name             = "${var.name}-source"
  retention_period = "3000"
  shard_count      = 1
}

resource "alicloud_log_store" "foo" {
  project          = "${alicloud_log_project.foo.name}"
  name             = "${var.name}"
  retention_period = "3000"
  shard_count      = 1
}

resource "alicloud_mns_topic" "foo" {
  name = "${var.name}"
}

resource "alicloud_fc_service" "foo" {
  name            = "${var.name}"
  internet_access = false
}

resource "alicloud_oss_bucket" "foo" {
  bucket = "${var.name}"
}

resource "alicloud_oss_bucket_object" "foo" {
  bucket  = "${alicloud_oss_bucket.foo.id}"
  key     = "fc/hello.zip"
  content = <<EOF
# -*- coding: utf-8 -*-
def handler(event, context):
    print "hello world"
    return 'hello world'
EOF
}

resource "alicloud_fc_function" "foo" {
  service     = "${alicloud_fc_service.foo.name}"
  name        = "${var.name}"
  oss_bucket  = "${alicloud_oss_bucket.foo.id}"
  oss_key     = "${alicloud_oss_bucket_object.foo.key}"
  memory_size = 512
  runtime     = "python2.7"
  handler     = "hello.handler"
}

resource "alicloud_ram_role" "foo" {
  name        = "${var.name}-trigger"
  document    = <<EOF
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "mns.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a test"
  force       = true
}

resource "alicloud_ram_policy" "foo" {
  name        = "${var.name}-trigger"
  document    = <<EOF
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
  description = "this is a test"
  force       = true
}

resource "alicloud_ram_role_policy_attachment" "foo" {
  role_name   = "${alicloud_ram_role.foo.name}"
  policy_name = "${alicloud_ram_policy.foo.name}"
  policy_type = "Custom"
}

resource "alicloud_fc_trigger" "foo" {
  service    = "${alicloud_fc_service.foo.name}"
  function   = "${alicloud_fc_function.foo.name}"
  name       = "${var.name}"
  role       = "${alicloud_ram_role.foo.arn}"
  source_arn = "acs:mns:${data.alicloud_regions.curren
  type       = "mns_topic"
  config_mns = <<EOF
{
  "filterTag":"testTag",
  "notifyContentFormat":"STREAM",
  "notifyStrategy":"BACKOFF_RETRY"
}
EOF
  depends_on = ["alicloud_ram_role_policy_attachment.foo"]
}

CDN events trigger:
variable "name" {
  default = "fctriggercdneventsconfig"
}

data "alicloud_account" "current" {
}

resource "alicloud_cdn_domain_new" "domain" {
  domain_name = "${var.name}.tf.com"
  cdn_type    = "web"
  scope       = "overseas"
  sources {
    content  = "1.1.1.1"
    type     = "ipaddr"
    priority = 20
    port     = 80
    weight   = 10
  }
}

resource "alicloud_fc_service" "foo" {
  name            = "${var.name}"
  internet_access = false
}

resource "alicloud_oss_bucket" "foo" {
  bucket = "${var.name}"
}

resource "alicloud_oss_bucket_object" "foo" {
  bucket  = "${alicloud_oss_bucket.foo.id}"
  key     = "fc/hello.zip"
  content = <<EOF
# -*- coding: utf-8 -*-
def handler(event, context):
    print "hello world"
    return 'hello world'
EOF
}

resource "alicloud_fc_function" "foo" {
  service     = "${alicloud_fc_service.foo.name}"
  name        = "${var.name}"
  oss_bucket  = "${alicloud_oss_bucket.foo.id}"
  oss_key     = "${alicloud_oss_bucket_object.foo.key}"
  memory_size = 512
  runtime     = "python2.7"
  handler     = "hello.handler"
}

resource "alicloud_ram_role" "foo" {
  name        = "${var.name}-trigger"
  document    = <<EOF
{
  "Version": "1",
  "Statement": [
    {
      "Action": "cdn:Describe*",
      "Resource": "*",
      "Effect": "Allow",
      "Principal": {
        "Service": ["log.aliyuncs.com"]
      }
    }
  ]
}
EOF
  description = "this is a test"
  force       = true
}

resource "alicloud_ram_policy" "foo" {
  name        = "${var.name}-trigger"
  document    = <<EOF
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "fc:InvokeFunction"
      ],
      "Resource": [
        "acs:fc:::services/tf_cdnEvents/functions/",
        "acs:fc:::services/tf_cdnEvents./functions/"
      ],
      "Effect": "Allow"
    }
  ]
}
EOF
  description = "this is a test"
  force       = true
}

resource "alicloud_ram_role_policy_attachment" "foo" {
  role_name   = "${alicloud_ram_role.foo.name}"
  policy_name = "${alicloud_ram_policy.foo.name}"
  policy_type = "Custom"
}

resource "alicloud_fc_trigger" "default" {
  service    = "${alicloud_fc_service.foo.name}"
  function   = "${alicloud_fc_function.foo.name}"
  name       = "${var.name}"
  role       = "${alicloud_ram_role.foo.arn}"
  source_arn = "acs:cdn::${data.alicloud_account.current.id}"
  type       = "cdn_events"
  config     = <<EOF
{
  "eventName": "LogFileCreated",
  "eventVersion": "1.0.0",
  "notes": "cdn events trigger",
  "filter": {
    "domain": ["${alicloud_cdn_domain_new.domain.domain_name}"]
  }
}
EOF
  depends_on = ["alicloud_ram_role_policy_attachment.foo"]
}

» Module Support

You can use the existing fc module to create several triggers quickly.

» Argument Reference

The following arguments are supported:


• service - (Required, ForceNew) The Function Compute service name.
• function - (Required, ForceNew) The Function Compute function name.
• name - (ForceNew) The Function Compute trigger name. It must be unique within a service and conflicts with "name_prefix".
• name_prefix - (ForceNew) A prefix used to generate a unique trigger name. It conflicts with "name".
• role - (Optional) RAM role ARN attached to the Function Compute trigger. Role used by the event source to call the function. The value format is "acs:ram::$account-id:role/$role-name". See Create a trigger for more details.
• source_arn - (Optional, ForceNew) Event source resource address. See Create a trigger for more details.
• config - (Optional) The config of the Function Compute trigger. It is valid when type is not "mns_topic". See Configure triggers and events for more details.
• config_mns - (Optional, ForceNew, Available in 1.41.0) The config of the Function Compute trigger when the type is "mns_topic". It conflicts with config.
• type - (Required, ForceNew) The Type of the trigger. Valid values: [”oss”,
”log”, ”timer”, ”http”, ”mns_topic”, ”cdn_events”].
NOTE: Config does not support modification when type is mns_topic.
NOTE: type = cdn_events, available in 1.47.0+.

» Attributes Reference

The following attributes are exported:

• id - The ID of the function. The value is formatted as <service>:<function>:<name>.
• last_modified - The date this resource was last modified.
• trigger_id - The Function Compute trigger ID.

» Import

Function Compute trigger can be imported using the id, e.g.


$ terraform import alicloud_fc_trigger.foo my-fc-service:hello-world:hello-trigger

» alicloud_hbase_instances
The alicloud_hbase_instances data source provides a collection of HBase
instances available in Alicloud account. Filters support regular expression for
the instance name, ids or availability_zone.
NOTE: Available in 1.67.0+

» Example Usage

data "alicloud_hbase_instances" "hbase" {


name_regex = "tf_testAccHBase"
availability_zone = "cn-shenzhen-b"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to apply to the instance name.
• ids - (Optional) The ids list of HBase instances
• availability_zone - (Optional) Instance availability zone.
• tags - (Optional, Available in 1.73.0) A mapping of tags to assign to the
resource.
• output_file - (Optional) The name of file that can save the collection of
instances after running terraform plan.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - The ids list of HBase instances.
• names - The names list of HBase instances.
• instances - A list of HBase instances. Each element contains the following attributes:
– id - The ID of the HBase instance.
– name - The name of the HBase instance.
– region_id - Region ID the instance belongs to.
– zone_id - Zone ID the instance belongs to.
– engine - The engine of the instance.
– engine_version - The engine_version of the instance.
– network_type - Classic network or VPC.
– master_instance_type - hbase.sn1.large, hbase.sn1.large, hbase.n1.2xlarge and so on.
– master_node_count - The node count of master.
– core_instance_type - hbase.sn1.large, hbase.sn1.large, hbase.n1.2xlarge and so on.
– core_node_count - Same as "core_instance_quantity".
– core_disk_type - cloud_ssd or cloud_efficiency.
– core_disk_size - Core node disk size, unit: GB.
– vpc_id - VPC ID the instance belongs to.
– vswitch_id - VSwitch ID the instance belongs to.
– pay_type - Billing method. Value options are PostPaid for Pay-As-You-Go and PrePaid for yearly or monthly subscription.
– status - Status of the instance.
– backup_status - The backup status of the instance.
– create_time - The create time of the instance.
– expire_time - The expire time of the instance.
– deletion_protection - The switch of delete protection.
– tags - A mapping of tags to assign to the resource.

» alicloud_kvstore_zones
This data source provides availability zones for HBase that can be accessed by
an Alibaba Cloud account within the region configured in the provider.
NOTE: Available in v1.73.0+.

» Example Usage

# Declare the data source


data "alicloud_hbase_zones" "zones_ids" {}

# Create an HBase instance with the first matched zone


resource "alicloud_hbase_instance" "hbase" {
zone_id = data.alicloud_hbase_zones.zones_ids.zones[0].id

# Other properties...
}

» Argument Reference

The following arguments are supported:


• multi - (Optional) Indicate whether the zones can be used in a multi
AZ configuration. Default to false. Multi AZ is usually used to launch
HBase instances.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of zone IDs.
• zones - A list of availability zones. Each element contains the following
attributes:
– id - ID of the zone.
– multi_zone_ids - A list of zone ids in which the multi zone.

» alicloud_hbase_instance
Provides an HBase instance resource. It supports replica set instances only. HBase provides stable, reliable, and automatically scalable database services. It offers a full range of database solutions, such as disaster recovery, backup, recovery, monitoring, and alarms. You can see the detailed product introduction here.
NOTE: Available in 1.67.0+
NOTE: The following regions don't support creating Classic network HBase instances: [cn-hangzhou,cn-shanghai,cn-qingdao,cn-beijing,cn-shenzhen,ap-southeast-1a,.....]. The official website lists more regions, or you can call DescribeRegions.
NOTE: Creating an HBase instance or changing the instance type and storage takes 15 minutes. Please prepare accordingly.

» Example Usage

» Create a hbase instance

resource "alicloud_hbase_instance" "default" {
  name                   = "tf_testAccHBase_classic"
  zone_id                = "cn-shenzhen-b"
  engine_version         = "2.0"
  master_instance_type   = "hbase.sn1.large"
  core_instance_type     = "hbase.sn1.large"
  core_instance_quantity = 2
  core_disk_type         = "cloud_efficiency"
  core_disk_size         = 100
  pay_type               = "PostPaid"
  cold_storage_size      = 0
}
This is an example of a classic netType instance. You can find more detail in the
examples/hbase directory.

» Argument Reference

The following arguments are supported:


• name - (Required) HBase instance name. Length must be 2-128 characters.
Only Chinese characters, English letters, numbers, period (.),
underscore (_), or dash (-) are permitted.
• zone_id - (Optional, ForceNew) The zone in which to launch the HBase instance.
If vswitch_id is not empty, this zone_id can be "" or consistent with it.
• hbase - (Optional, ForceNew) "hbase/hbaseue/bds". The following types
are supported after v1.73.0: hbaseue and bds.
• engine_version - (Required, ForceNew) HBase major version.
hbase: 1.1/2.0, hbaseue: 2.0, bds: 1.0. Other engines are temporarily unsupported.
For value options, refer to the latest CreateInstance docs.
• master_instance_type, core_instance_type - (Required, ForceNew) Instance
specification. See Instance specifications, or call the describeInstanceType
API.
• core_instance_quantity - (Optional, ForceNew) Default: 2. If
core_instance_quantity > 1, this is a cluster instance. If
core_instance_quantity = 1, this is a single instance.
• core_disk_type - (Required, ForceNew) Valid values are cloud_ssd,
cloud_efficiency, local_hdd_pro, local_ssd_pro. The local_disk size is
fixed.
• core_disk_size - (Optional, ForceNew) User-defined storage space of one
core node of the HBase instance. Unit: GB. Value range:
– Custom storage space; value range: [100,2000]
– 10-GB increments.
• pay_type - (Optional, ForceNew) Valid values are PrePaid, PostPaid. System
default is PostPaid.
• duration - (Optional, ForceNew) 1, 2, 3, 4, 5, 6, 7, 8, 9, 12, 24, 36, 60.
Valid when pay_type = PrePaid. Unit: month.
• auto_renew - (Optional, ForceNew) true, false. System default is false.
Valid when pay_type = PrePaid.
• vswitch_id - (Optional, ForceNew) If vswitch_id is not empty, that
means net_type = vpc and it has the same region. If vswitch_id is empty,
net_type is classic.
• cold_storage_size - (Optional, ForceNew) 0 or 0+. 0 means
is_cold_storage = false. 0+ means is_cold_storage = true.
• maintain_start_time - (Optional, Available in 1.73.0) The start time of
the operation and maintenance time period of the instance, in the format
of HH:mmZ (UTC time).
• maintain_end_time - (Optional, Available in 1.73.0) The end time of the
operation and maintenance time period of the instance, in the format of
HH:mmZ (UTC time).
• deletion_protection - (Optional, Available in 1.73.0) The switch of
delete protection. true: delete protection is on; false: no delete protection.
You must set it to false when you want to delete the cluster.
• tags - (Optional, Available in 1.73.0) A mapping of tags to assign to the
resource.
NOTE: Currently only the instance name can be changed. The others (instance_type,
disk_size, core_instance_quantity and so on) will be supported in the future.

» Attributes Reference

The following attributes are exported:


• id - The ID of the HBase.

» Timeouts

The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 30 mins) Used when creating the HBase instance
(until it reaches the initial ACTIVATION status).
• delete - (Defaults to 30 mins) Used when terminating the HBase instance.

» Import

HBase can be imported using the id, e.g.


$ terraform import alicloud_hbase_instance.example hb-wz96815u13k659fvd

» alicloud_kms_ciphertext
Encrypt a given plaintext with KMS. The plaintext gets re-encrypted on each
apply, resulting in a changed ciphertext. If a stable ciphertext is needed use the
alicloud_kms_ciphertext resource.
NOTE: Using this data provider will allow you to conceal secret data within
your resource definitions but does not take care of protecting that data in all
Terraform logging and state output. Please take care to secure your secret data
beyond just the Terraform configuration.

» Example Usage

resource "alicloud_kms_key" "key" {
  description = "example key"
  is_enabled  = true
}

data "alicloud_kms_ciphertext" "encrypted" {
  key_id    = alicloud_kms_key.key.id
  plaintext = "example"
}

» Argument Reference

The following arguments are supported:


• plaintext - The plaintext to be encrypted which must be encoded in
Base64.
• key_id - The globally unique ID of the CMK.
• encryption_context - (Optional) The Encryption context. If you specify
this parameter here, it is also required when you call the Decrypt API
operation. For more information, see Encryption Context.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ciphertext_blob - The ciphertext of the data key encrypted with the
primary CMK version.

» alicloud_kms_keys
This data source provides a list of KMS keys in an Alibaba Cloud account
according to the specified filters.

» Example Usage

# Declare the data source
data "alicloud_kms_keys" "kms_keys_ds" {
  description_regex = "Hello KMS"
  output_file       = "kms_keys.json"
}

output "first_key_id" {
  value = "${data.alicloud_kms_keys.kms_keys_ds.keys.0.id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of KMS key IDs.
• description_regex - (Optional) A regex string to filter the results by the
KMS key description.
• status - (Optional) Filter the results by status of the KMS keys. Valid
values: Enabled, Disabled, PendingDeletion.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of KMS key IDs.
• keys - A list of KMS keys. Each element contains the following attributes:
– id - ID of the key.
– arn - The Alibaba Cloud Resource Name (ARN) of the key.
– description - Description of the key.
– status - Status of the key. Possible values: Enabled, Disabled and
PendingDeletion.
– creation_date - Creation date of key.
– delete_date - Deletion date of key.
– creator - The owner of the key.

» alicloud_kms_plaintext
Decrypt a given ciphertext with KMS to use the resulting plaintext in resources.
NOTE: Using this data provider will allow you to conceal secret data within
your resource definitions but does not take care of protecting that data in all
Terraform logging and state output. Please take care to secure your secret data
beyond just the Terraform configuration.

» Example Usage

resource "alicloud_kms_key" "key" {
  description = "example key"
  is_enabled  = true
}

# Encrypt plaintext 'example'
resource "alicloud_kms_ciphertext" "encrypted" {
  key_id    = alicloud_kms_key.key.id
  plaintext = "example"
}

# Decrypt encrypted ciphertext
data "alicloud_kms_plaintext" "plaintext" {
  ciphertext_blob = alicloud_kms_ciphertext.encrypted.ciphertext_blob
}

# Output 'example' should match the plaintext encrypted in the beginning
output "decrypted" {
  value = data.alicloud_kms_plaintext.plaintext.plaintext
}

» Argument Reference

The following arguments are supported:


• encryption_context - (Optional) The Encryption context. If you spec-
ify this parameter in the Encrypt or GenerateDataKey API operation,
it is also required when you call the Decrypt API operation. For more
information, see Encryption Context.
• ciphertext_blob - The ciphertext to be decrypted.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• plaintext - The decrypted plaintext.
• key_id - The globally unique ID of the CMK. It is the ID of the CMK
used to decrypt ciphertext.

» alicloud_kms_alias
Create an alias for the master key (CMK).
NOTE: Available in v1.77.0+.

» Example Usage

Basic Usage

resource "alicloud_kms_key" "this" {}

resource "alicloud_kms_alias" "this" {
  alias_name = "alias/test_kms_alias"
  key_id     = alicloud_kms_key.this.id
}

» Argument Reference

The following arguments are supported:


• alias_name - (Required, ForceNew) The alias of the CMK. Encrypt,
GenerateDataKey and DescribeKey can be called using aliases. Length of
characters other than prefixes: minimum length of 1 character and maximum
length of 255 characters. Must contain the prefix alias/.
• key_id - (Required) The id of the key.
NOTE: Each alias represents only one master key (CMK).
NOTE: Within one region, an alias cannot be repeated for the same user.
NOTE: UpdateAlias can be used to update the mapping relationship between
alias and master key (CMK).

» Attributes Reference

• id - The ID of the alias.

» Import

KMS alias can be imported using the id, e.g.


$ terraform import alicloud_kms_alias.example alias/test_kms_alias

» alicloud_kms_ciphertext
Encrypt a given plaintext with KMS. The produced ciphertext stays stable
across applies. If the plaintext should be re-encrypted on each apply use the
alicloud_kms_ciphertext data source.
NOTE: Using this data provider will allow you to conceal secret data within
your resource definitions but does not take care of protecting that data in all
Terraform logging and state output. Please take care to secure your secret data
beyond just the Terraform configuration.

» Example Usage

resource "alicloud_kms_key" "key" {
  description = "example key"
  is_enabled  = true
}

resource "alicloud_kms_ciphertext" "encrypted" {
  key_id    = alicloud_kms_key.key.id
  plaintext = "example"
}

» Argument Reference

The following arguments are supported:


• plaintext - (ForceNew) The plaintext to be encrypted which must be
encoded in Base64.
• key_id - (ForceNew) The globally unique ID of the CMK.
• encryption_context - (Optional, ForceNew) The Encryption context. If
you specify this parameter here, it is also required when you call the
Decrypt API operation. For more information, see Encryption Context.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ciphertext_blob - The ciphertext of the data key encrypted with the
primary CMK version.
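
The NOTE on the KMS ciphertext and plaintext blocks above says they keep secrets out of the configuration but not out of Terraform state. The following Python check is an added example, not part of the provider documentation: it scans a version-4 state file for the cleartext plaintext attribute of alicloud_kms_ciphertext and alicloud_kms_plaintext, and goes beyond the NOTE by also checking alicloud_kms_secret.secret_data. SAMPLE_STATE, the IDs in it and the function names are constructed for illustration.

```python
import json

# Attributes that hold cleartext for the KMS blocks documented on this page.
# alicloud_kms_secret.secret_data goes beyond the NOTE and is an assumption
# of this example: it is an input argument, so it is stored like any other.
CLEARTEXT_ATTRS = {
    "alicloud_kms_ciphertext": ("plaintext",),
    "alicloud_kms_plaintext": ("plaintext",),
    "alicloud_kms_secret": ("secret_data",),
}

# Constructed sample: a trimmed format-version-4 state file. IDs and blobs
# are made up; the cleartext values are the ones used in the page's examples.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "alicloud_kms_key", "name": "key",
         "instances": [{"attributes": {"id": "constructed-key-id",
                                       "description": "example key"}}]},
        {"mode": "data", "type": "alicloud_kms_ciphertext", "name": "encrypted",
         "instances": [{"attributes": {"key_id": "constructed-key-id",
                                       "plaintext": "example",
                                       "ciphertext_blob": "Y29uc3RydWN0ZWQ="}}]},
        {"mode": "data", "type": "alicloud_kms_plaintext", "name": "plaintext",
         "instances": [{"attributes": {"ciphertext_blob": "Y29uc3RydWN0ZWQ=",
                                       "key_id": "constructed-key-id",
                                       "plaintext": "example"}}]},
        {"module": "module.app", "mode": "managed",
         "type": "alicloud_kms_secret", "name": "default",
         "instances": [{"index_key": 0,
                        "attributes": {"secret_name": "secret-foo",
                                       "secret_data": "Secret data.",
                                       "version_id": "000000000001"}}]},
    ],
})


def resource_address(resource, instance):
    """Build the Terraform address (module, data prefix, count/for_each key)."""
    parts = []
    if resource.get("module"):
        parts.append(resource["module"])
    if resource.get("mode") == "data":
        parts.append("data")
    parts += [resource["type"], resource["name"]]
    address = ".".join(parts)
    if "index_key" in instance:
        address += "[" + json.dumps(instance["index_key"]) + "]"
    return address


def find_cleartext(state_text):
    """Return one finding per cleartext attribute stored in the state.

    The secret value itself is never copied into a finding, only its length.
    """
    state = json.loads(state_text)
    if state.get("version") != 4:
        raise ValueError("this example only understands state format version 4")
    findings = []
    for resource in state.get("resources", []):
        attrs = CLEARTEXT_ATTRS.get(resource.get("type"), ())
        for instance in resource.get("instances", []):
            values = instance.get("attributes") or {}
            for attr in attrs:
                value = values.get(attr)
                if isinstance(value, str) and value:
                    findings.append({
                        "address": resource_address(resource, instance),
                        "attribute": attr,
                        "length": len(value),
                    })
    return findings


if __name__ == "__main__":
    for f in find_cleartext(SAMPLE_STATE):
        print(f"{f['address']}: '{f['attribute']}' stored in cleartext "
              f"({f['length']} characters)")
```

A non-empty result means the state backend and any saved plan or log output need the same access controls as the secret itself.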

» alicloud_kms_key
A KMS key helps users protect data security during transmission.

» Example Usage

Basic Usage
resource "alicloud_kms_key" "key" {
  description             = "Hello KMS"
  deletion_window_in_days = "7"
  is_enabled              = true
}

» Argument Reference

The following arguments are supported:


• description - (Optional, ForceNew) The description of the key as viewed
in Alicloud console. Default to ”From Terraform”.
• key_usage - (Optional) Specifies the usage of CMK. Currently, default to
’ENCRYPT/DECRYPT’, indicating that CMK is used for encryption and
decryption.
• deletion_window_in_days - (Optional) Duration in days after which the
key is deleted after destruction of the resource, must be between 7 and 30
days. Defaults to 30 days.
• is_enabled - (Optional) Specifies whether the key is enabled. Defaults
to true.
NOTE: At present, the resource only supports modifying is_enabled.
NOTE: When the pre-deletion period elapses, the key is permanently deleted
and cannot be recovered.

» Attributes Reference

• id - The ID of the key.
• arn - The Alicloud Resource Name (ARN) of the key.
• description - The description of the key.
• key_usage - (ForceNew) Specifies the usage of CMK.
• deletion_window_in_days - The pre-deletion period, in days.
• is_enabled - Whether the key is enabled.

» Import

KMS key can be imported using the id, e.g.


$ terraform import alicloud_kms_key.example abc123456

» alicloud_kms_secret
This resource is used to create a secret and store its initial version.
NOTE: Available in 1.76.0+.

» Example Usage

Basic Usage

resource "alicloud_kms_secret" "default" {
  secret_name                   = "secret-foo"
  description                   = "from terraform"
  secret_data                   = "Secret data."
  version_id                    = "000000000001"
  force_delete_without_recovery = true
}

» Argument Reference

The following arguments are supported:


• description - (Optional) The description of the secret.
• encryption_key_id - (Optional, ForceNew) The ID of the KMS CMK
that is used to encrypt the secret value. If you do not specify this param-
eter, Secrets Manager automatically creates an encryption key to encrypt
the secret.
• force_delete_without_recovery - (Optional) Specifies whether to
forcibly delete the secret. If this parameter is set to true, the secret
cannot be recovered. Valid values: true, false. Default to: false.
• recovery_window_in_days - (Optional) Specifies the recovery period of
the secret if you do not forcibly delete it. Default value: 30. It will be
ignored when force_delete_without_recovery is true.
• secret_data - (Required) The value of the secret that you want to cre-
ate. Secrets Manager encrypts the secret value and stores it in the initial
version.
• secret_data_type - (Optional) The type of the secret value. Valid values:
text, binary. Default to ”text”.
• secret_name - (Required, ForceNew) The name of the secret.
• version_id - (Required) The version number of the initial version. Ver-
sion numbers are unique in each secret object.
• version_stages - (Optional, List(string)) The stage labels that mark the
new secret version. If you do not specify this parameter, Secrets Manager
marks it with ”ACSCurrent”.
• tags - (Optional) A mapping of tags to assign to the resource.

» Attributes Reference

• id - The ID of the secret. It is the same as secret_name.
• arn - The Alicloud Resource Name (ARN) of the secret.
• planned_delete_time - The time when the secret is scheduled to be
deleted.

» Import

KMS secret can be imported using the id, e.g.


$ terraform import alicloud_kms_secret.default secret-foo
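
The arguments documented above include three settings that decide whether a destroy can be undone: deletion_window_in_days on alicloud_kms_key, force_delete_without_recovery on alicloud_kms_secret and deletion_protection on alicloud_hbase_instance. The following Python check is an added example, not part of the provider documentation, that reads plan JSON and reports risky values before apply. The 30-day threshold, SAMPLE_PLAN and the function names are assumptions of this example.

```python
import json

# Assumed team policy, not a provider rule: keep the documented 30-day default.
MIN_KEY_DELETION_WINDOW_DAYS = 30

# Constructed sample shaped like `terraform show -json <planfile>` output,
# trimmed to the fields this check reads. All names and values are made up.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "alicloud_kms_key.key", "type": "alicloud_kms_key",
     "change": {"actions": ["create"], "after_unknown": {"id": True},
                "after": {"description": "Hello KMS",
                          "deletion_window_in_days": 7}}},
    {"address": "alicloud_kms_key.retired", "type": "alicloud_kms_key",
     "change": {"actions": ["delete"], "after_unknown": {}, "after": None}},
    {"address": "alicloud_kms_secret.default", "type": "alicloud_kms_secret",
     "change": {"actions": ["create"], "after_unknown": {},
                "after": {"secret_name": "secret-foo",
                          "force_delete_without_recovery": True}}},
    {"address": "alicloud_kms_secret.kept", "type": "alicloud_kms_secret",
     "change": {"actions": ["create"], "after_unknown": {},
                "after": {"secret_name": "secret-bar",
                          "force_delete_without_recovery": False,
                          "recovery_window_in_days": 30}}},
    {"address": "alicloud_hbase_instance.default",
     "type": "alicloud_hbase_instance",
     "change": {"actions": ["create"], "after_unknown": {},
                "after": {"name": "tf_testAccHBase_classic",
                          "deletion_protection": False}}},
    {"address": "alicloud_hbase_instance.from_var",
     "type": "alicloud_hbase_instance",
     "change": {"actions": ["create"],
                "after_unknown": {"deletion_protection": True},
                "after": {"name": "tf_constructed"}}},
]})


def check_kms_key(after):
    days = after.get("deletion_window_in_days")
    if days is not None and int(days) < MIN_KEY_DELETION_WINDOW_DAYS:
        return (f"deletion_window_in_days={int(days)} is shorter than "
                f"{MIN_KEY_DELETION_WINDOW_DAYS}")
    return None  # unset means the documented 30-day default applies


def check_kms_secret(after):
    if after.get("force_delete_without_recovery") is True:
        return "force_delete_without_recovery=true: destroy leaves no recovery window"
    return None


def check_hbase_instance(after):
    if after.get("deletion_protection") is not True:
        return "deletion_protection is not enabled"
    return None


# resource type -> (attribute the rule depends on, rule function)
RULES = {
    "alicloud_kms_key": ("deletion_window_in_days", check_kms_key),
    "alicloud_kms_secret": ("force_delete_without_recovery", check_kms_secret),
    "alicloud_hbase_instance": ("deletion_protection", check_hbase_instance),
}


def check_plan(plan_text):
    """Return (address, message) pairs for settings that weaken recoverability."""
    findings = []
    for rc in json.loads(plan_text).get("resource_changes", []):
        rule = RULES.get(rc.get("type"))
        change = rc.get("change") or {}
        after = change.get("after")
        if rule is None or after is None:
            continue  # type without a rule, or the resource is being destroyed
        attr, check = rule
        if (change.get("after_unknown") or {}).get(attr) is True:
            findings.append((rc["address"],
                             f"{attr} is not known until apply; review manually"))
            continue
        message = check(after)
        if message:
            findings.append((rc["address"], message))
    return findings


if __name__ == "__main__":
    for address, message in check_plan(SAMPLE_PLAN):
        print(f"{address}: {message}")
```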

» alicloud_log_machine_group
Log Service manages all the ECS instances whose logs need to be collected by
using the Logtail client in the form of machine groups. Refer to details

» Example Usage

Basic Usage
resource "alicloud_log_project" "example" {
  name        = "tf-log"
  description = "created by terraform"
}
resource "alicloud_log_machine_group" "example" {
  project       = "${alicloud_log_project.example.name}"
  name          = "tf-machine-group"
  identify_type = "ip"
  topic         = "terraform"
  identify_list = ["10.0.0.1", "10.0.0.2"]
}

» Module Support

You can use the existing sls-logtail module to create a logtail config and a
machine group, install logtail on ECS instances and join the instances to the
machine group in one click.

» Argument Reference

The following arguments are supported:


• project - (Required, ForceNew) The name of the project to which the machine
group belongs.
• name - (Required, ForceNew) The machine group name, which is unique
in the same project.
• identify_type - (Optional) The machine identification type, including IP
and user-defined identity. Valid values are "ip" and "userdefined". Defaults
to "ip".
• identify_list - (Required) The specific machine identification, which can
be an IP address or user-defined identity.
• topic - (Optional) The topic of a machine group.

» Attributes Reference

The following attributes are exported:


• id - The ID of the log machine group. Its format is <project>:<name>.
• project - The project name.
• name - The machine group name.
• identify_type - The machine identification type.
• identify_list - The machine identification.
• topic - The machine group topic.

» Import

Log machine group can be imported using the id, e.g.


$ terraform import alicloud_log_machine_group.example tf-log:tf-machine-group

» alicloud_log_project
The project is the resource management unit in Log Service and is used to isolate
and control resources. You can manage all the logs and the related log sources
of an application by using projects. Refer to details.

» Example Usage

Basic Usage
resource "alicloud_log_project" "example" {
  name        = "tf-log"
  description = "created by terraform"
}

» Module Support

You can use the existing sls module to create an SLS project, store and store
index in one click, like ECS instances.

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) The name of the log project. It is unique
within one Alicloud account.
• description - (Optional) Description of the log project.

» Attributes Reference

The following attributes are exported:


• id - The ID of the log project. It is the same as its name.
• name - Log project name.
• description - Log project description.

» Import

Log project can be imported using the id or name, e.g.


$ terraform import alicloud_log_project.example tf-log

» alicloud_log_store
The log store is a unit in Log Service to collect, store, and query the log data.
Each log store belongs to a project, and each project can create multiple Log-
stores. Refer to details

» Example Usage

Basic Usage
resource "alicloud_log_project" "example" {
  name        = "tf-log"
  description = "created by terraform"
}
resource "alicloud_log_store" "example" {
  project               = "${alicloud_log_project.example.name}"
  name                  = "tf-log-store"
  shard_count           = 3
  auto_split            = true
  max_split_shard_count = 60
  append_meta           = true
}

» Module Support

You can use the existing sls module to create an SLS project, store and store
index in one click, like ECS instances.

» Argument Reference

The following arguments are supported:


• project - (Required, ForceNew) The name of the project to which the log store
belongs.
• name - (Required, ForceNew) The log store name, which is unique in the same
project.
• retention_period - (Optional) The data retention time (in days). Valid
values: [1-3650]. Defaults to 30. Log store data will be stored permanently
when the value is "3650".
• shard_count - (Optional) The number of shards in this log store. Defaults
to 2. You can modify it by "Split" or "Merge" operations. Refer to details
• auto_split - (Optional) Determines whether to automatically split a
shard. Defaults to true.
• max_split_shard_count - (Optional) The maximum number of shards
for automatic split, which is in the range of 1 to 64. You must specify this
parameter when auto_split is true.
• append_meta - (Optional) Determines whether to append log meta
automatically. The meta includes log receive time and client IP address.
Defaults to true.
• enable_web_tracking - (Optional) Determines whether to enable Web
Tracking. Defaults to false.

» Attributes Reference

The following attributes are exported:


• id - The ID of the log project. Its format is <project>:<name>.
• project - The project name.

• name - Log store name.
• retention_period - The data retention time.
• shard_count - The number of shards.
• auto_split - Determines whether to automatically split a shard.
• max_split_shard_count - The maximum number of shards for automatic
split.
• append_meta - Determines whether to append log meta automatically.
• enable_web_tracking - Determines whether to enable Web Tracking.

» Import

Log store can be imported using the id, e.g.


$ terraform import alicloud_log_store.example tf-log:tf-log-store

» alicloud_log_store_index
Log Service provides the LogSearch/Analytics function to query and analyze
large amounts of logs in real time. You can use this function by enabling the
index and field statistics. Refer to details

» Example Usage

Basic Usage
resource "alicloud_log_project" "example" {
  name        = "tf-log"
  description = "created by terraform"
}
resource "alicloud_log_store" "example" {
  project     = "${alicloud_log_project.example.name}"
  name        = "tf-log-store"
  description = "created by terraform"
}
resource "alicloud_log_store_index" "example" {
  project  = "${alicloud_log_project.example.name}"
  logstore = "${alicloud_log_store.example.name}"
  full_text {
    case_sensitive = true
    token          = " #$%^*\r\n\t"
  }
  field_search {
    name             = "terraform"
    enable_analytics = true
  }
}

» Module Support

You can use the existing sls module to create an SLS project, store and store
index in one click, like ECS instances.

» Argument Reference

The following arguments are supported:


• project - (Required, ForceNew) The name of the project to which the log store
belongs.
• logstore - (Required, ForceNew) The name of the log store to which the query
index belongs.
• full_text - The configuration of the full text index. Valid items are as follows:
– case_sensitive - (Optional) Whether it is case sensitive. Defaults to
false.
– include_chinese - (Optional) Whether to include Chinese. Defaults
to false.
– token - (Optional) The string of several split words, like "\r", "#"
• field_search - List of configurations of the field search index. Valid items
are as follows:
– name - (Required) The field name, which is unique in the same log
store.
– type - (Optional) The type of one field. Valid values: ["long", "text",
"double", "json"]. Defaults to "long".
– alias - (Optional) The alias of one field.
– case_sensitive - (Optional) Whether the field is case sensitive.
Defaults to false. It is valid when "type" is "text" or "json".
– include_chinese - (Optional) Whether to include Chinese for the
field. Defaults to false. It is valid when "type" is "text" or "json".
– token - (Optional) The string of several split words, like "\r", "#".
It is valid when "type" is "text" or "json".
– enable_analytics - (Optional) Whether to enable field analytics.
Defaults to true.
– json_keys - (Optional, Available in 1.66.0+) Use nested index when
type is json
∗ name - (Required) When using the json_keys field, this field is
required.
∗ type - (Optional) The type of one field. Valid values: ["long",
"text", "double"]. Defaults to "long"
∗ alias - (Optional) The alias of one field.
∗ doc_value - (Optional) Whether to enable statistics. Defaults to
true.
Note: At least one of "full_text" and "field_search" should be specified.

» Attributes Reference

The following attributes are exported:


• id - The ID of the log store index. Its format is <project>:<logstore>.

» Import

Log store index can be imported using the id, e.g.


$ terraform import alicloud_log_store_index.example tf-log:tf-log-store

» alicloud_logtail_attachment
The Logtail access service is a log collection agent provided by Log Service.
You can use Logtail to collect logs from servers such as Alibaba Cloud Elastic
Compute Service (ECS) instances in real time in the Log Service console. Refer
to details
This resource aims to attach one logtail configuration to a machine group.
NOTE: One logtail configuration can be attached to multiple machine groups and
one machine group can attach several logtail configurations.

» Example Usage

Basic Usage
resource "alicloud_log_project" "test" {
  name        = "test-tf2"
  description = "create by terraform"
}
resource "alicloud_log_store" "test" {
  project               = "${alicloud_log_project.test.name}"
  name                  = "tf-test-logstore"
  retention_period      = 3650
  shard_count           = 3
  auto_split            = true
  max_split_shard_count = 60
  append_meta           = true
}
resource "alicloud_log_machine_group" "test" {
  project       = "${alicloud_log_project.test.name}"
  name          = "tf-log-machine-group"
  topic         = "terraform"
  identify_list = ["10.0.0.1", "10.0.0.3", "10.0.0.2"]
}
resource "alicloud_logtail_config" "test" {
  project      = "${alicloud_log_project.test.name}"
  logstore     = "${alicloud_log_store.test.name}"
  input_type   = "file"
  log_sample   = "test"
  name         = "tf-log-config"
  output_type  = "LogService"
  input_detail = <<DEFINITION
{
  "logPath": "/logPath",
  "filePattern": "access.log",
  "logType": "json_log",
  "topicFormat": "default",
  "discardUnmatch": false,
  "enableRawLog": true,
  "fileEncoding": "gbk",
  "maxDepth": 10
}
DEFINITION
}
resource "alicloud_logtail_attachment" "test" {
  project             = "${alicloud_log_project.test.name}"
  logtail_config_name = "${alicloud_logtail_config.test.name}"
  machine_group_name  = "${alicloud_log_machine_group.test.name}"
}

» Argument Reference

The following arguments are supported:


• project - (Required, ForceNew) The name of the project to which the log store
belongs.
• logtail_config_name - (Required, ForceNew) The Logtail configuration
name, which is unique in the same project.
• machine_group_name - (Required, ForceNew) The machine group name,
which is unique in the same project.

» Attributes Reference

The following attributes are exported:


• id - The ID of the logtail to machine group. Its format is
<project>:<logtail_config_name>:<machine_group_name>.

» Import

Logtail to machine group can be imported using the id, e.g.


$ terraform import alicloud_logtail_to_machine_group.example tf-log:tf-log-config:tf-log-mac

» alicloud_logtail_config
The Logtail access service is a log collection agent provided by Log Service.
You can use Logtail to collect logs from servers such as Alibaba Cloud Elastic
Compute Service (ECS) instances in real time in the Log Service console. Refer
to details

» Example Usage

Basic Usage
resource "alicloud_log_project" "example" {
  name        = "test-tf"
  description = "create by terraform"
}
resource "alicloud_log_store" "example" {
  project               = "${alicloud_log_project.example.name}"
  name                  = "tf-test-logstore"
  retention_period      = 3650
  shard_count           = 3
  auto_split            = true
  max_split_shard_count = 60
  append_meta           = true
}
resource "alicloud_logtail_config" "example" {
  project      = "${alicloud_log_project.example.name}"
  logstore     = "${alicloud_log_store.example.name}"
  input_type   = "file"
  log_sample   = "test"
  name         = "tf-log-config"
  output_type  = "LogService"
  input_detail = "${file("config.json")}"
}

» Module Support

You can use the existing sls-logtail module to create a logtail config and a
machine group, install logtail on ECS instances and join the instances to the
machine group in one click.

» Argument Reference

The following arguments are supported:


• project - (Required, ForceNew) The name of the project to which the log store
belongs.
• logstore - (Required, ForceNew) The name of the log store to which the query
index belongs.
• input_type - (Required) The input type. Currently only two types,
file and plugin, are supported.
• log_sample - (Optional) The log sample of the Logtail configuration. The
log size cannot exceed 1,000 bytes.
• name - (Required, ForceNew) The Logtail configuration name, which is
unique in the same project.
• output_type - (Required) The output type. Currently, only LogService
is supported.
• input_detail - (Required) The JSON files required by the logtail configuration.
(Refer to details)

» Attributes Reference

The following attributes are exported:


• id - The ID of the log store index. Its format is <project>:<logstore>:<config_name>.

» Import

Logtail config can be imported using the id, e.g.


$ terraform import alicloud_logtail_config.example tf-log:tf-log-store:tf-log-config

» alicloud_market_product
This data source provides the Market product item details of Alibaba Cloud.
NOTE: Available in 1.69.0+

» Example Usage

data "alicloud_market_product" "default" {
  product_code = "cmapi022206"
}

output "product_name" {
  value = "${data.alicloud_market_product.default.product.0.name}"
}

output "first_product_sku_code" {
  value = "${data.alicloud_market_product.default.product.0.skus.0.sku_code}"
}

output "first_product_package_version" {
  value = "${data.alicloud_market_product.default.product.0.skus.0.package_versions.0.packag
}

» Argument Reference

The following arguments are supported:


• product_code - (Required) The product code of the market product.
• available_region - (Available in 1.71.1+) An available region ID used to
filter marketplace ECS images.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• product - A product. It contains the following attributes:
– code - The code of the product.
– name - The name of the product.
– description - The description of the product.
– skus - A list of one element containing sku attributes of an object.
Each element contains the following attributes:
– sku_code - The sku code of this product sku.
– sku_name - The sku name of this product sku.

– package_versions - The list of package version details of this product
sku. Each element contains the following attributes:
∗ package_name - The package name of this product sku package.
∗ package_version - The package version of this product sku package.
Currently, the API products can return package_version,
but this is not guaranteed for others.
– images - The list of custom ECS images. Each element contains the
following attributes:
∗ image_id - The ECS image ID.
∗ image_name - The ECS image display name.
∗ region_id - The ECS image region.

» alicloud_market_products
This data source provides the Market product items of Alibaba Cloud.
NOTE: Available in 1.64.0+

» Example Usage

data "alicloud_market_products" "default" {
  sort         = "created_on-desc"
  category_id  = "53690006"
  product_type = "SERVICE"
}

output "first_product_code" {
  value = "${data.alicloud_market_products.default.product_items.0.code}"
}

output "product_codes" {
  value = "${data.alicloud_market_products.default.ids}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional, Available 1.66.0+) A regex string to apply to the
product name.
• ids - (Optional, Available 1.66.0+) A list of product codes.
• sort - (Optional, ForceNew) This field determines how to sort the filtered
results, Valid values: user_count-desc, created_on-desc, price-desc
and score-desc.
• category_id - (Optional, ForceNew) The Category ID of products. For
more information, see DescribeProducts.
• product_type - (Optional, ForceNew) The type of products, Valid values:
APP, SERVICE, MIRROR, DOWNLOAD and API_SERVICE.
• search_term - (Optional, ForceNew, Available 1.69.0+) Search term in
this query.
• supplier_id - (Optional, ForceNew, Available 1.71.1+) The supplier id
of the product.
• supplier_name_keyword - (Optional, ForceNew, Available 1.71.1+) The
supplier name keyword of the product.
• suggested_price - (Optional, ForceNew, Available 1.71.1+) The sug-
gested price of the product.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of product codes.
• products - A list of products. Each element contains the following at-
tributes:
– code - The code of the product.
– name - The name of the product.
– category_id - The category id of the product.
– supplier_id - The supplier id of the product.
– supplier_name - The supplier name of the product.
– short_description - The short description of the product.
– tags - The tags of the product.
– suggested_price - The suggested price of the product.
– target_url - The detail page URL of the product.
– image_url - The image URL of the product.
– score - The rating information of the product.
– operation_system - The operation system of the product.
– warranty_date - The warranty date of the product.
– delivery_date - The delivery date of the product.
– delivery_way - The delivery way of the product.

» alicloud_market_order
Provides a market order resource.

NOTE: Terraform will auto build a market order while it uses alicloud_market_order
to build a market order resource.
NOTE: Available in 1.69.0+

» Example Usage

Basic Usage
resource "alicloud_market_order" "order" {
  product_code    = "cmapi033136"
  pay_type        = "prepay"
  quantity        = 1
  duration        = 1
  pricing_cycle   = "Month"
  package_version = "yuncode2713600001"
  coupon_id       = ""
}

» Argument Reference

The following arguments are supported:


• product_code - (Required, ForceNew) The product_code of market place
product.
• pay_type - (Optional, ForceNew) Valid values are PrePaid, PostPaid. System
default is PostPaid.
• duration - (Optional, ForceNew) The number of purchase cycles.
• pricing_cycle - (Required, ForceNew) The purchase cycle of the product,
valid values are Day, Month and Year.
• package_version - (Required, ForceNew) The package version of the mar-
ket product.
• quantity - (Optional, ForceNew) The quantity of the market product will
be purchased.
• coupon_id - (Optional, ForceNew) The coupon id of the market product.
• components - (Optional, ForceNew) Service providers customize addi-
tional components.

» Attributes Reference

The following attributes are exported:


• id - The ID of the market order.

» Import

Market order can be imported using the id, e.g.


$ terraform import alicloud_market_order.order your-order-id

» alicloud_mns_queues
This data source provides a list of MNS queues in an Alibaba Cloud account
according to the specified parameters.

» Example Usage

data "alicloud_mns_queues" "queues" {
  name_prefix = "tf-"
}

output "first_queue_id" {
  value = "${data.alicloud_mns_queues.queues.queues.0.id}"
}

» Argument Reference

The following arguments are supported:


• name_prefix - (Optional) A string to filter resulting queues by their name
prefixes.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - A list of queue names.
• queues - A list of queues. Each element contains the following attributes:
– id - The ID of the queue. The value is set to name.
– name - The name of the queue.
– delay_seconds - This attribute defines the length of time, in seconds,
after which every message sent to the queue is dequeued.
– maximum_message_size - This indicates the maximum length, in
bytes, of any message body sent to the queue.
– message_retention_period - Messages are deleted from the queue
after a specified length of time, whether they have been activated or
not. This attribute defines the viability period, in seconds, for every
message in the queue.
– visibility_timeouts - Dequeued messages change from active
(visible) status to inactive (invisible) status. This attribute defines the
length of time, in seconds, that messages remain invisible. Messages
return to active status after the set period.
– polling_wait_seconds - Long polling is measured in seconds. When
this attribute is set to 0, long polling is disabled. When it is not set
to 0, long polling is enabled and message dequeue requests will be
processed only when valid messages are received or when long polling
times out.

» alicloud_mns_topic_subscriptions
This data source provides a list of MNS topic subscriptions in an Alibaba Cloud
account according to the specified parameters.

» Example Usage

data "alicloud_mns_topic_subscriptions" "subscriptions" {
  topic_name  = "topic_name"
  name_prefix = "tf-"
}

output "first_topic_subscription_id" {
  value = "${data.alicloud_mns_topic_subscriptions.subscriptions.subscriptions.0.id}"
}

» Argument Reference

The following arguments are supported:


• topic_name - (Required) Two topics on a single account in the same region
cannot have the same name. A topic name must start with an English
letter or a digit, and can contain English letters, digits, and hyphens, with
the length not exceeding 256 characters.
• name_prefix - (Optional) A string to filter resulting subscriptions of the
topic by their name prefixes.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - A list of subscription names.
• subscriptions - A list of subscriptions. Each element contains the
following attributes:
– id - The ID of the topic subscription. The value is set to name.
– name - The name of the subscription.
– topic_name - The name of the topic to which the subscription
belongs.
– notify_strategy - The NotifyStrategy attribute of Subscription.
This attribute specifies the retry strategy when message sending fails.
– notify_content_format - The NotifyContentFormat attribute of
Subscription. This attribute specifies the content format of the
messages pushed to users.
– endpoint - The endpoint address that receives the messages of this
subscription.
– filter_tag - A string to filter resulting messages of the topic by their
message tag.

» alicloud_mns_topics
This data source provides a list of MNS topics in an Alibaba Cloud account
according to the specified parameters.

» Example Usage

data "alicloud_mns_topics" "topics" {
  name_prefix = "tf-"
}

output "first_topic_id" {
  value = "${data.alicloud_mns_topics.topics.topics.0.id}"
}

» Argument Reference

The following arguments are supported:


• name_prefix - (Optional) A string to filter resulting topics by their name
prefixes.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - A list of topic names.
• topics - A list of topics. Each element contains the following attributes:
– id - The id of the topic. The value is set to name.
– name - The name of the topic.
– maximum_message_size - This indicates the maximum length, in
bytes, of any message body sent to the topic.
– logging_enabled - Whether to enable logging.

» alicloud_mns_queue
Provides an MNS queue resource.
NOTE: Terraform automatically creates an MNS queue when alicloud_mns_queue
is used to build an MNS queue resource.

» Example Usage

Basic Usage
resource "alicloud_mns_queue" "queue" {
  name                     = "tf-example-mnsqueue"
  delay_seconds            = 0
  maximum_message_size     = 65536
  message_retention_period = 345600
  visibility_timeout       = 30
  polling_wait_seconds     = 0
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) Two queues on a single account in the same
region cannot have the same name. A queue name must start with an English
letter or a digit, and can contain English letters, digits, and hyphens,
with the length not exceeding 256 characters.
• delay_seconds - (Optional) This attribute defines the length of time, in
seconds, after which every message sent to the queue is dequeued. Valid
value range: 0-604800 seconds, i.e., 0 to 7 days. Default value: 0.
• maximum_message_size - (Optional) This indicates the maximum length,
in bytes, of any message body sent to the queue. Valid value range:
1024-65536, i.e., 1K to 64K. Default value: 65536.
• message_retention_period - (Optional) Messages are deleted from the
queue after a specified length of time, whether they have been activated
or not. This attribute defines the viability period, in seconds, for every
message in the queue. Valid value range: 60-604800 seconds, i.e., 1 minute
to 7 days. Default value: 345600.
• visibility_timeout - (Optional) The VisibilityTimeout attribute of the
queue. Dequeued messages change from active (visible) status to
inactive (invisible) status, and this attribute defines the length of time, in
seconds, that messages remain invisible. Messages return to active status
after the set period. Valid value range: 1-43200 seconds, i.e., 1 second to
12 hours. Default value: 30.
• polling_wait_seconds - (Optional) Long polling is measured in seconds.
When this attribute is set to 0, long polling is disabled. When it is not
set to 0, long polling is enabled and message dequeue requests will be
processed only when valid messages are received or when long polling
times out. Valid value range: 0-30 seconds. Default value: 0.

» Attributes Reference

The following attributes are exported:


• id - The ID of the queue is equal to name.

» Import

MNS QUEUE can be imported using the id or name, e.g.


$ terraform import alicloud_mns_queue.queue queuename

» alicloud_mns_topic_subscription
Provides an MNS topic subscription resource.
NOTE: Terraform automatically creates an MNS topic subscription when
alicloud_mns_topic_subscription is used to build an MNS topic subscription
resource.

» Example Usage

Basic Usage
resource "alicloud_mns_topic" "topic" {
  name                 = "tf-example-mnstopic"
  maximum_message_size = 65536
  logging_enabled      = false
}

resource "alicloud_mns_topic_subscription" "subscription" {
  topic_name            = "tf-example-mnstopic"
  name                  = "tf-example-mnstopic-sub"
  filter_tag            = "test"
  endpoint              = "http://www.xxx.com/xxx"
  notify_strategy       = "BACKOFF_RETRY"
  notify_content_format = "XML"
}

» Argument Reference

The following arguments are supported:


• topic_name - (Required, ForceNew) The name of the topic to which the
subscription belongs. A topic name must start with an English letter or a
digit, and can contain English letters, digits, and hyphens, with the
length not exceeding 256 characters.
• name - (Required, ForceNew) Two topic subscriptions on a single account
in the same topic cannot have the same name. A topic subscription name
must start with an English letter or a digit, and can contain English letters,
digits, and hyphens, with the length not exceeding 256 characters.
• notify_strategy - (Optional) The NotifyStrategy attribute of
Subscription. This attribute specifies the retry strategy when message
sending fails. The attribute has two values: EXPONENTIAL_DECAY_RETRY or
BACKOFF_RETRY. Default value: BACKOFF_RETRY.
• notify_content_format - (Optional, ForceNew) The NotifyContentFormat
attribute of Subscription. This attribute specifies the content format
of the messages pushed to users. The valid values: ’SIMPLIFIED’, ’XML’
and ’JSON’. Default to ’SIMPLIFIED’.
• endpoint - (Required, ForceNew) The endpoint has three formats:
– HTTP Format: http://xxx.com/xxx
– Queue Format: acs:mns:{REGION}:{AccountID}:queues/{QueueName}
– Email Format: mail:directmail:{MailAddress}
• filter_tag - (Optional, ForceNew) The length should be shorter than
16.
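
The three endpoint formats above decide where a topic's messages are delivered, so they are worth reviewing as egress destinations. The following Python check is an added example, not part of the provider documentation: it parses each format, applies the naming and filter_tag rules from this argument reference, and flags deliveries that leave the account. The account IDs, region, trusted host set and sample subscriptions are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Naming rule from the argument reference: starts with an English letter or a
# digit, then letters, digits and hyphens, at most 256 characters in total.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,255}")
QUEUE_RE = re.compile(
    r"acs:mns:(?P<region>[^:]+):(?P<account>[^:]+):queues/(?P<queue>[^/]+)")
MAIL_RE = re.compile(r"mail:directmail:(?P<local>[^@\s]+)@(?P<domain>[^@\s]+)")


def classify_endpoint(endpoint, own_account_id, trusted_hosts=()):
    """Return (kind, destination, external) for one subscription endpoint."""
    m = QUEUE_RE.fullmatch(endpoint)
    if m:
        if not NAME_RE.fullmatch(m["queue"]):
            raise ValueError(f"queue name {m['queue']!r} violates the naming rule")
        destination = f"{m['account']}/{m['region']}/{m['queue']}"
        return "queue", destination, m["account"] != own_account_id
    m = MAIL_RE.fullmatch(endpoint)
    if m:
        address = f"{m['local']}@{m['domain']}"
        return "email", address, m["domain"].lower() not in trusted_hosts
    url = urlsplit(endpoint)
    # Only the http:// form is documented on this page.
    if url.scheme == "http" and url.hostname:
        return "http", url.hostname, url.hostname not in trusted_hosts
    raise ValueError(f"{endpoint!r} matches none of the three documented formats")


def audit_subscriptions(subscriptions, own_account_id, trusted_hosts=()):
    """Return (topic_name:name, finding) pairs for a list of subscription dicts."""
    findings = []
    for sub in subscriptions:
        label = f"{sub['topic_name']}:{sub['name']}"  # same shape as the resource id
        for field in ("topic_name", "name"):
            if not NAME_RE.fullmatch(sub[field]):
                findings.append((label, f"{field} violates the naming rule"))
        tag = sub.get("filter_tag")
        if tag is not None and len(tag) >= 16:
            findings.append((label, "filter_tag must be shorter than 16 characters"))
        try:
            kind, destination, external = classify_endpoint(
                sub["endpoint"], own_account_id, trusted_hosts)
        except ValueError as exc:
            findings.append((label, str(exc)))
            continue
        if external:
            findings.append(
                (label, f"{kind} endpoint delivers outside the account: {destination}"))
    return findings


# Constructed sample values; none of them come from a real account.
OWN_ACCOUNT_ID = "1111111111111111"
TRUSTED_HOSTS = {"example.com"}
SAMPLE_SUBSCRIPTIONS = [
    {"topic_name": "tf-example-mnstopic", "name": "tf-example-mnstopic-sub",
     "endpoint": "http://www.xxx.com/xxx", "filter_tag": "test"},
    {"topic_name": "tf-example-mnstopic", "name": "to-own-queue",
     "endpoint": "acs:mns:cn-hangzhou:1111111111111111:queues/tf-example-mnsqueue"},
    {"topic_name": "tf-example-mnstopic", "name": "to-other-queue",
     "endpoint": "acs:mns:cn-hangzhou:2222222222222222:queues/collector"},
    {"topic_name": "tf-example-mnstopic", "name": "-mail",
     "endpoint": "mail:directmail:ops@example.com", "filter_tag": "x" * 16},
    {"topic_name": "tf-example-mnstopic", "name": "bad-endpoint",
     "endpoint": "ftp://files.example.net/in"},
]

if __name__ == "__main__":
    for label, finding in audit_subscriptions(
            SAMPLE_SUBSCRIPTIONS, OWN_ACCOUNT_ID, TRUSTED_HOSTS):
        print(f"{label}: {finding}")
```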

» Attributes Reference

The following attributes are exported:


• id - The ID of the topic subscription, in the format topic_name:name.

» Import

MNS Topic subscription can be imported using the id, e.g.


$ terraform import alicloud_mns_topic_subscription.subscription tf-example-mnstopic:tf-examp

» alicloud_mns_topic
Provides an MNS topic resource.
NOTE: Terraform automatically creates an MNS topic when alicloud_mns_topic
is used to build an MNS topic resource.

» Example Usage

Basic Usage
resource "alicloud_mns_topic" "topic" {
  name                 = "tf-example-mnstopic"
  maximum_message_size = 65536
  logging_enabled      = false
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) Two topics on a single account in the same
region cannot have the same name. A topic name must start with an English
letter or a digit, and can contain English letters, digits, and hyphens,
with the length not exceeding 256 characters.
• maximum_message_size - (Optional) This indicates the maximum length,
in bytes, of any message body sent to the topic. Valid value range:
1024-65536, i.e., 1K to 64K. Default value: 65536.
• logging_enabled - (Optional) Is logging enabled? true or false. Default
value: false.

» Attributes Reference

The following attributes are exported:


• id - The ID of the topic is equal to name.

» Import

MNS Topic can be imported using the id or name, e.g.


$ terraform import alicloud_mns_topic.topic topicName

» alicloud_mongodb_instances
The alicloud_mongodb_instances data source provides a collection of
MongoDB instances available in the Alicloud account. Filters support regular
expressions for the instance name, engine or instance type.

» Example Usage

data "alicloud_mongodb_instances" "mongo" {
  name_regex        = "dds-.+\\d+"
  instance_type     = "replicate"
  instance_class    = "dds.mongo.mid"
  availability_zone = "eu-central-1a"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to apply to the instance name.
• ids - (Optional, Available 1.53.0+) The ids list of MongoDB instances
• instance_type - (Optional) Type of the instance to be queried. If it is
set to sharding, the sharded cluster instances are listed. If it is set to
replicate, replica set instances are listed. Default value replicate.
• instance_class - (Optional) Sizing of the instance to be queried.
• availability_zone - (Optional) Instance availability zone.
• tags - (Optional, Available in v1.66.0+) A mapping of tags to assign to
the resource.
• output_file - (Optional) The name of file that can save the collection of
instances after running terraform plan.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - The ids list of MongoDB instances
• names - The names list of MongoDB instances
• instances - A list of MongoDB instances. Each element contains the
following attributes:
– id - The ID of the MongoDB instance.
– name - The name of the MongoDB instance.
– charge_type - Billing method. Value options are PostPaid for
Pay-As-You-Go and PrePaid for yearly or monthly subscription.
– instance_type - Instance type. Optional values sharding or
replicate.
– region_id - Region ID the instance belongs to.
– creation_time - Creation time of the instance in RFC3339 format.
– expiration_time - Expiration time in RFC3339 format.
Pay-As-You-Go instances never expire.
– status - Status of the instance.
– replication - Replication factor corresponds to number of nodes.
Optional values are 1 for single node and 3 for three nodes replica
set.
– engine - Database engine type. Supported option is MongoDB.
– engine_version - Database engine version.
– network_type - Classic network or VPC.
– instance_class - Sizing of the MongoDB instance.
– lock_mode - Lock status of the instance.
– storage - Storage size.
– mongos - Array composed of Mongos.
∗ node_id - Mongos instance ID.
∗ description - Mongos instance description.
∗ class - Mongos instance specification.
– shards - Array composed of shards.
∗ node_id - Shard instance ID.
∗ description - Shard instance description.
∗ class - Shard instance specification.
∗ storage - Shard disk.
– availability_zone - Instance availability zone.

» alicloud_mongodb_zones
This data source provides availability zones for MongoDB that can be accessed
by an Alibaba Cloud account within the region configured in the provider.
NOTE: Available in v1.73.0+.

» Example Usage

# Declare the data source
data "alicloud_mongodb_zones" "zones_ids" {}

# Create a MongoDB instance with the first matched zone
resource "alicloud_mongodb_instance" "mongodb" {
  zone_id = data.alicloud_mongodb_zones.zones_ids.zones[0].id

  # Other properties...
}

» Argument Reference

The following arguments are supported:


• multi - (Optional) Indicate whether the zones can be used in a multi
AZ configuration. Default to false. Multi AZ is usually used to launch
MongoDB instances.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of zone IDs.
• zones - A list of availability zones. Each element contains the following
attributes:
– id - ID of the zone.
– multi_zone_ids - A list of zone ids in which the multi zone.

» alicloud_mongodb_instance
Provides a MongoDB instance resource. It supports replica set instances only.
MongoDB provides stable, reliable, and automatically scalable database
services. It offers a full range of database solutions, such as disaster
recovery, backup, recovery, monitoring, and alarms. You can see the detailed
product introduction here
NOTE: Available in 1.37.0+
NOTE: The following regions don’t support create Classic network MongoDB
instance. [cn-zhangjiakou,cn-huhehaote,ap-southeast-2,ap-southeast-3,ap-southeast-5,ap-south-1,me
NOTE: Creating a MongoDB instance or changing the instance type and storage
takes 5~10 minutes. Plan for this delay.

» Example Usage

» Create a Mongodb instance

data "alicloud_zones" "default" {
  available_resource_creation = "MongoDB"
}

resource "alicloud_vpc" "default" {
  name       = "vpc-123456"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "vpc-123456"
}

resource "alicloud_mongodb_instance" "example" {
  engine_version      = "3.4"
  db_instance_class   = "dds.mongo.mid"
  db_instance_storage = 10
  vswitch_id          = "${alicloud_vswitch.default.id}"
  security_ip_list    = ["10.168.1.12", "100.69.7.112"]
}

» Module Support

You can use the existing mongodb module to create a MongoDB instance
resource with one click.

» Argument Reference

The following arguments are supported:


• engine_version - (Required, ForceNew) Database version. For value options,
refer to the latest docs CreateDBInstance EngineVersion.
• db_instance_class - (Required) Instance specification. See Instance
specifications.
• db_instance_storage - (Required) User-defined DB instance storage
space. Unit: GB. Value range:
– Custom storage space; value range: [10,2000]
– 10-GB increments.
• replication_factor - (Optional) Number of replica set nodes. Valid
values: [3, 5, 7]
• storage_engine - (Optional, ForceNew) Storage engine: WiredTiger or
RocksDB. System Default value: WiredTiger.
• name - (Optional) The name of DB instance. It is a string of 2 to 256
characters.
• instance_charge_type - (Optional) Valid values are PrePaid, PostPaid.
System default to PostPaid. It can be modified from PostPaid to PrePaid
after version 1.63.0.
• period - (Optional) The duration that you will buy DB instance (in
months). It is valid when instance_charge_type is PrePaid. Valid
values: [1~9], 12, 24, 36. System default to 1.
• zone_id - (Optional, ForceNew) The Zone to launch the DB instance. It
supports multiple zones. If it is a multi-zone and vswitch_id is specified,
the vswitch must be in one of them. The multiple zone ID can be retrieved
by setting multi to ”true” in the data source alicloud_zones.
• vswitch_id - (Optional, ForceNew) The virtual switch ID to launch DB
instances in one VPC.
• account_password - (Optional, Sensitive) Password of the root account.
It is a string of 6 to 32 characters and is composed of letters, numbers,
and underscores.
• kms_encrypted_password - (Optional, Available in 1.57.1+) A
KMS-encrypted password used for the instance. If the account_password is
filled in, this field will be ignored.
• kms_encryption_context - (Optional, MapString, Available in 1.57.1+)
A KMS encryption context used to decrypt kms_encrypted_password
before creating or updating instance with kms_encrypted_password. See
Encryption Context. It is valid when kms_encrypted_password is set.
• security_ip_list - (Optional) List of IP addresses allowed to access
all databases of an instance. The list contains up to 1,000 IP addresses,
separated by commas. Supported formats include 0.0.0.0/0, 10.23.12.24
(IP), and 10.23.12.24/24 (Classless Inter-Domain Routing (CIDR) mode.
/24 represents the length of the prefix in an IP address. The range of the
prefix length is [1,32]).
• security_group_id - (Optional, Available in 1.73.0+) The Security
Group ID of ECS.
• backup_period - (Optional, Available in 1.42.0+) MongoDB Instance
backup period. It is required when backup_time is set. Valid values:
[Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday].
Default to [Monday, Tuesday, Wednesday, Thursday, Friday, Saturday,
Sunday]
• backup_time - (Optional, Available in 1.42.0+) MongoDB instance
backup time. It is required when backup_period is set. In the
format of HH:mmZ-HH:mmZ. Time setting interval is one hour. If not
set, the system will return a default, like ”23:00Z-24:00Z”.
• tde_status - (Optional, ForceNew, Available in 1.73.0+) The
TDE (Transparent Data Encryption) status.
• maintain_start_time - (Optional, Available in v1.56.0+) The start time
of the operation and maintenance time period of the instance, in the format
of HH:mmZ (UTC time).
• maintain_end_time - (Optional, Available in v1.56.0+) The end time of
the operation and maintenance time period of the instance, in the format
of HH:mmZ (UTC time).
• tags - (Optional, Available in v1.66.0+) A mapping of tags to assign to
the resource.
NOTE: The interval from the start time to the end time must be 1 hour. For
example, if the MaintainStartTime is 01:00Z, then the MaintainEndTime must
be 02:00Z.

» Attributes Reference

The following attributes are exported:


• id - The ID of the MongoDB.
• retention_period - Instance log backup retention days. Available in
1.42.0+.
• replica_set_name - The name of the mongo replica set

» Timeouts

NOTE: Available in 1.53.0+.


The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 30 mins) Used when creating the MongoDB instance
(until it reaches the initial Running status).
• update - (Defaults to 30 mins) Used when updating the MongoDB
instance (until it reaches the initial Running status).
• delete - (Defaults to 30 mins) Used when terminating the MongoDB
instance.

» Import

MongoDB can be imported using the id, e.g.


$ terraform import alicloud_mongodb_instance.example dds-bp1291daeda44194

» alicloud_mongodb_sharding_instance
Provides a MongoDB sharding instance resource. It supports replica set
instances only. MongoDB provides stable, reliable, and automatically scalable
database services. It offers a full range of database solutions, such as
disaster recovery, backup, recovery, monitoring, and alarms. You can see the
detailed product introduction here
NOTE: Available in 1.40.0+
NOTE: The following regions don’t support create Classic network MongoDB
sharding instance. [cn-zhangjiakou,cn-huhehaote,ap-southeast-2,ap-southeast-3,ap-southeast-5,ap-so
NOTE: Creating a MongoDB Sharding instance or changing the instance type and
storage takes 10~20 minutes. Plan for this delay.

» Example Usage

» Create a Mongodb Sharding instance

variable "name" {
  default = "tf-example"
}

variable "shard" {
  default = {
    node_class   = "dds.shard.mid"
    node_storage = 10
  }
}

variable "mongo" {
  default = {
    node_class = "dds.mongos.mid"
  }
}

data "alicloud_zones" "default" {
  available_resource_creation = "MongoDB"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_mongodb_sharding_instance" "foo" {
  zone_id        = "${data.alicloud_zones.default.zones.0.id}"
  vswitch_id     = "${alicloud_vswitch.default.id}"
  engine_version = "3.4"
  name           = "${var.name}"
  shard_list     = ["${var.shard}", "${var.shard}"]
  mongo_list     = ["${var.mongo}", "${var.mongo}"]
}

» Module Support

You can use the existing mongodb-sharding module to create a MongoDB
sharding instance resource with one click.

» Argument Reference

The following arguments are supported:


• engine_version - (Required, ForceNew) Database version. For value options,
refer to the latest docs CreateDBInstance EngineVersion.
• storage_engine - (Optional, ForceNew) Storage engine: WiredTiger or
RocksDB. System Default value: WiredTiger.
• name - (Optional) The name of DB instance. It is a string of 2 to 256
characters.
• instance_charge_type - (Optional, ForceNew) Valid values are PrePaid,
PostPaid. System default to PostPaid.
• period - (Optional) The duration that you will buy DB instance (in
months). It is valid when instance_charge_type is PrePaid. Valid
values: [1~9], 12, 24, 36. System default to 1.
• zone_id - (Optional, ForceNew) The Zone to launch the DB instance.
MongoDB sharding instance does not support multiple-zone. If it is a
multi-zone and vswitch_id is specified, the vswitch must be in one of them.
• vswitch_id - (Optional, ForceNew) The virtual switch ID to launch DB
instances in one VPC.
• account_password - (Optional, Sensitive) Password of the root account.
It is a string of 6 to 32 characters and is composed of letters, numbers,
and underscores.
• kms_encrypted_password - (Optional, Available in 1.57.1+) A
KMS-encrypted password used for the instance. If the account_password is
filled in, this field will be ignored.
• kms_encryption_context - (Optional, MapString, Available in 1.57.1+)
A KMS encryption context used to decrypt kms_encrypted_password
before creating or updating instance with kms_encrypted_password. See
Encryption Context. It is valid when kms_encrypted_password is set.
• security_ip_list - (Optional) List of IP addresses allowed to access
all databases of an instance. The list contains up to 1,000 IP addresses,
separated by commas. Supported formats include 0.0.0.0/0, 10.23.12.24
(IP), and 10.23.12.24/24 (Classless Inter-Domain Routing (CIDR) mode.
/24 represents the length of the prefix in an IP address. The range of the
prefix length is [1,32]). System default to ["127.0.0.1"].
• security_group_id - (Optional, Available in 1.76.0+) The Security
Group ID of ECS.
• tde_status - (Optional, ForceNew, Available in 1.76.0+) The
TDE (Transparent Data Encryption) status.
• mongo_list - (Required) The number of mongo nodes that can be purchased
is in the range [2, 32].
– node_class - (Required) Node specification. See Instance
specifications.
• shard_list - (Required) The number of shard nodes that can be purchased
is in the range [2, 32].
– node_class - (Required) Node specification. See Instance
specifications.
– node_storage - (Required)
∗ Custom storage space; value range: [10, 1,000]
∗ 10-GB increments. Unit: GB.
• backup_period - (Optional, Available in 1.42.0+) MongoDB Instance
backup period. It is required when backup_time is set. Valid values:
[Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday].
Default to [Monday, Tuesday, Wednesday, Thursday, Friday, Saturday,
Sunday]
• backup_time - (Optional, Available in 1.42.0+) MongoDB instance
backup time. It is required when backup_period is set. In the
format of HH:mmZ-HH:mmZ. Time setting interval is one hour. If not
set, the system will return a default, like ”23:00Z-24:00Z”.
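
The security_ip_list, account_password and kms_encrypted_password arguments described for both alicloud_mongodb_instance and alicloud_mongodb_sharding_instance can be reviewed before apply. The following Python audit of `terraform show -json` plan output is an added example, not part of the provider documentation; the /16 review threshold and every value in the sample plan are constructed assumptions.

```python
import ipaddress
import json

# Resource types on this page that take security_ip_list and account_password.
MONGODB_TYPES = {"alicloud_mongodb_instance", "alicloud_mongodb_sharding_instance"}

# Assumption: shortest prefix a reviewer accepts without a documented exception.
MIN_PREFIX = 16


def check_ip_entry(entry):
    """Return a finding for one whitelist entry, or None if it is acceptable."""
    try:
        # strict=False tolerates host bits, as in the page's own "10.23.12.24/24".
        net = ipaddress.IPv4Network(entry.strip(), strict=False)
    except ValueError:
        return f"{entry!r} is not an IPv4 address or CIDR block"
    if net.prefixlen == 0:
        return f"{entry!r} admits every IPv4 address"
    if net.prefixlen < MIN_PREFIX:
        return f"{entry!r} admits {net.num_addresses} addresses (shorter than /{MIN_PREFIX})"
    return None


def audit_plan(plan):
    """Audit a parsed `terraform show -json` plan; return (address, finding) pairs."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in MONGODB_TYPES:
            continue
        after = (rc.get("change") or {}).get("after") or {}  # null when destroying
        address = rc.get("address", "<unknown>")
        for item in after.get("security_ip_list") or []:
            # The page describes the list as comma-separated, so split each item.
            for entry in item.split(","):
                problem = check_ip_entry(entry)
                if problem:
                    findings.append((address, "security_ip_list: " + problem))
        if after.get("account_password") and not after.get("kms_encrypted_password"):
            findings.append(
                (address, "account_password is set in plaintext and "
                          "kms_encrypted_password is not used"))
    return findings


# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "alicloud_mongodb_instance.example",
         "type": "alicloud_mongodb_instance",
         "change": {"actions": ["create"], "after": {
             "security_ip_list": ["10.168.1.12", "100.69.7.112"],
             "account_password": None,
             "kms_encrypted_password": "constructed-ciphertext"}}},
        {"address": "alicloud_mongodb_sharding_instance.foo",
         "type": "alicloud_mongodb_sharding_instance",
         "change": {"actions": ["create"], "after": {
             "security_ip_list": ["0.0.0.0/0", "10.23.12.24/24",
                                  "172.16.0.0/12,10.1.2"],
             "account_password": "Constructed_Pw1",
             "kms_encrypted_password": None}}},
        {"address": "alicloud_mongodb_instance.old",
         "type": "alicloud_mongodb_instance",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "alicloud_vpc.default", "type": "alicloud_vpc",
         "change": {"actions": ["create"], "after": {"cidr_block": "172.16.0.0/16"}}},
    ]
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    for address, finding in audit_plan(plan):
        print(f"{address}: {finding}")
```

Because `terraform show -json` prints sensitive values such as account_password in plain text, the plan file and its JSON rendering need the same protection as the password itself.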

» Attributes Reference

The following attributes are exported:


• id - The ID of the MongoDB.
• mongo_list
– node_id - The ID of the mongo-node.
– connect_string - Mongo node connection string
– port - Mongo node port
• shard_list
– node_id - The ID of the shard-node.
• retention_period - Instance log backup retention days. Available in
1.42.0+.

» Import

MongoDB can be imported using the id, e.g.


$ terraform import alicloud_mongodb_sharding_instance.example dds-bp1291daeda44195

» alicloud_maxcompute_project
The project is the basic unit of operation in MaxCompute. It is similar to the
concept of Database or Schema in traditional databases, and sets the boundary
for MaxCompute multi-user isolation and access control. Refer to details.
NOTE: Available in 1.77.0+.

» Example Usage

Basic Usage
resource "alicloud_maxcompute_project" "example" {
  name               = "tf_maxcompute_project"
  specification_type = "OdpsStandard"
  order_type         = "PayAsYouGo"
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) The name of the MaxCompute project.
• specification_type - (Required) The type of resource specification. Only
OdpsStandard is currently supported.
• order_type - (Required) The type of payment. Only PayAsYouGo is
currently supported.

» Attributes Reference

The following attributes are exported:


• id - The ID of the maxcompute project. It is the same as its name.

» Import

MaxCompute project can be imported using the name or ID, e.g.


$ terraform import alicloud_maxcompute_project.example tf_maxcompute_project

» alicloud_nas_access_groups
This data source provides user-available access groups. Use it when you can
create mount points.
NOTE: Available in 1.35.0+

» Example Usage

data "alicloud_nas_access_groups" "ag" {
  name_regex  = "^foo"
  type        = "Classic"
  description = "tf-testAccAccessGroupsdatasource"
}

output "alicloud_nas_access_groups_id" {
  value = "${data.alicloud_nas_access_groups.ag.groups.0.id}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Required) A regex string to filter AccessGroups by name.
• type - (Optional) Filter results by a specific AccessGroupType.
• description - (Optional) Filter results by a specific Description.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of AccessGroup IDs. The value is set to names.
• names - A list of AccessGroup names.
• groups - A list of AccessGroups. Each element contains the following
attributes:
– id - AccessGroupName of the AccessGroup.
– rule_count - RuleCount of the AccessGroup.
– type - AccessGroupType of the AccessGroup.
– mount_target_count - MountTargetCount block of the AccessGroup.
– description - Description of the AccessGroup.

» alicloud_nas_access_rules
This data source provides AccessRule available to the user.
NOTE: Available in 1.35.0+

» Example Usage

data "alicloud_nas_access_rules" "foo" {
  access_group_name = "tf-testAccAccessGroupsdatasource"
  source_cidr_ip    = "168.1.1.0/16"
  rw_access         = "RDWR"
  user_access       = "no_squash"
}

output "alicloud_nas_access_rules_id" {
  value = "${data.alicloud_nas_access_rules.foo.rules.0.id}"
}

» Argument Reference

The following arguments are supported:


• access_group_name - (Required, ForceNew) Filter results by a specific
AccessGroupName.
• ids - (Optional, Available in 1.53.0+) A list of rule IDs.
• source_cidr_ip - (Optional) Filter results by a specific SourceCidrIp.
• user_access - (Optional) Filter results by a specific UserAccess.
• rw_access - (Optional) Filter results by a specific RWAccess.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of rule IDs. Each element is set to access_rule_id (each
element is formatted as <access_group_name>:<access rule id> before
1.53.0).
• rules - A list of AccessRules. Each element contains the following
attributes:
– source_cidr_ip - SourceCidrIp of the AccessRule.
– priority - Priority of the AccessRule.
– access_rule_id - AccessRuleId of the AccessRule.
– user_access - UserAccess of the AccessRule.
– rw_access - RWAccess of the AccessRule.

» alicloud_nas_file_systems
This data source provides FileSystems available to the user.
NOTE: Available in 1.35.0+

» Example Usage

data "alicloud_nas_file_systems" "fs" {
  protocol_type = "NFS"
  description   = "${alicloud_nas_file_system.foo.description}"
}

output "alicloud_nas_file_systems_id" {
  value = "${data.alicloud_nas_file_systems.fs.systems.0.id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of FileSystemId.
• storage_type - (Optional) Filter results by a specific StorageType.
• protocol_type - (Optional) Filter results by a specific ProtocolType.
• description_regex - (Optional) A regex string to filter the results by the
FileSystem description.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of FileSystem IDs.
• descriptions - A list of FileSystem descriptions.
• systems - A list of FileSystems. Each element contains the following
attributes:
– id - ID of the FileSystem.
– region_id - ID of the region where the FileSystem is located.
– description - Description of the FileSystem.
– protocol_type - ProtocolType block of the FileSystem.
– storage_type - StorageType block of the FileSystem.
– metered_size - MeteredSize of the FileSystem.
– create_time - Time of creation.

» alicloud_nas_mount_targets
This data source provides MountTargets available to the user.
NOTE: Available in 1.35.0+

» Example Usage

data "alicloud_nas_mount_targets" "mt" {
  file_system_id    = "1a2sc4d"
  access_group_name = "tf-testAccNasConfig"
}

output "alicloud_nas_mount_targets_id" {
value = "${data.alicloud_nas_mount_targets.mt.targets.0.id}"
}

» Argument Reference

The following arguments are supported:

• file_system_id - (Required, ForceNew) The ID of the FileSystem that
owns the MountTarget.
• access_group_name - (Optional) Filter results by a specific
AccessGroupName.
• type - (Optional) Filter results by a specific NetworkType.
• mount_target_domain - (Deprecated, Optional) Filter results by a specific
MountTargetDomain.
• vpc_id - (Optional) Filter results by a specific VpcId.
• vswitch_id - (Optional) Filter results by a specific VSwitchId.
• ids - (Optional, Available 1.53.0+) A list of MountTargetDomain.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of MountTargetDomain.
• targets - A list of MountTargetDomains. Each element contains the
following attributes:
– id - ID of the MountTargetDomain.
– mount_target_domain - MountTargetDomain of the MountTarget.
– type - NetworkType of the MountTarget.
– vpc_id - VpcId of the MountTarget.
– vswitch_id - VSwitchId of the MountTarget.
– access_group_name - AccessGroup of the MountTarget.

» alicloud_nas_protocols
Provides a data source to retrieve the types of protocol that can be used to
create a NAS file system.
NOTE: Available in 1.42.0

» Example Usage

data "alicloud_nas_protocols" "default" {
  type        = "Performance"
  zone_id     = "cn-beijing-e"
  output_file = "protocols.txt"
}

output "nas_protocols_protocol" {
  value = "${data.alicloud_nas_protocols.default.protocols.0}"
}

» Argument Reference

The following arguments are supported:


• type - (Required) The file system type. Valid Values: Performance and
Capacity.

• zone_id - (Optional) String to filter results by zone id.


• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• protocols - A list of supported protocol types.

» alicloud_nas_access_group
Provides a Nas Access Group resource.
In NAS, the permission group acts as a whitelist that allows you to restrict file
system access. You can allow specified IP addresses or CIDR blocks to access
the file system, and assign different levels of access permission to different IP
addresses or CIDR blocks by adding rules to the permission group.
NOTE: Available in v1.33.0+.

» Example Usage

Basic Usage
resource "alicloud_nas_access_group" "foo" {
  name        = "CreateAccessGroup"
  type        = "Classic"
  description = "test_AccessG"
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) The name of the Access Group.
• type - (Required, ForceNew) The type of the Access Group. Valid values:
Vpc and Classic.
• description - (Optional) The Access Group description.

» Attributes Reference

The following attributes are exported:


• id - The ID of the Access Group.

» Import

Nas Access Group can be imported using the id, e.g.


$ terraform import alicloud_nas_access_group.foo tf_testAccNasConfig

» alicloud_nas_access_rule
Provides a Nas Access Rule resource.
When NAS is activated, the Default VPC Permission Group is automatically
generated. It allows all IP addresses in a VPC to access the mount point with full
permissions. Full permissions include Read/Write permission with no restriction
on root users.
NOTE: Available in v1.34.0+.

» Example Usage

Basic Usage
resource "alicloud_nas_access_group" "foo" {
  name        = "tf-NasConfigName-%d"
  type        = "Vpc"
  description = "tf-testAccNasConfig"
}
resource "alicloud_nas_access_rule" "foo" {
  access_group_name = "${alicloud_nas_access_group.foo.id}"
  source_cidr_ip    = "168.1.1.0/16"
  rw_access_type    = "RDWR"
  user_access_type  = "no_squash"
  priority          = 2
}

» Argument Reference

The following arguments are supported:


• access_group_name - (Required, ForceNew) Permission group name.
• source_cidr_ip - (Required) Address or address segment.
• rw_access_type - (Optional) Read-write permission type: RDWR (default),
RDONLY.
• user_access_type - (Optional) User permission type: no_squash (default),
root_squash, all_squash.
• priority - (Optional) Priority level. Range: 1-100. Default value: 1.
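The defaults above (RDWR, no_squash) combined with a broad source_cidr_ip give every matching client unrestricted root access. As an added example, not part of the provider documentation, the rules below narrow that using only the arguments listed here; the resource names and CIDR blocks are assumptions chosen for illustration.

```hcl
# Added example: names and CIDR blocks are assumptions, not values from the docs.
resource "alicloud_nas_access_group" "app" {
  name        = "tf-nas-app-clients"
  type        = "Vpc"
  description = "NFS clients of the application tier"
}

# Weak form, shown commented out for comparison: any source address,
# read/write, and a remote root user keeps root on the file system.
# resource "alicloud_nas_access_rule" "wide_open" {
#   access_group_name = "${alicloud_nas_access_group.app.id}"
#   source_cidr_ip    = "0.0.0.0/0"
#   rw_access_type    = "RDWR"
#   user_access_type  = "no_squash"
# }

# Corrected form, rule 1: only the application subnet may write, and
# root on a client is mapped to an unprivileged user (root_squash).
resource "alicloud_nas_access_rule" "app_rw" {
  access_group_name = "${alicloud_nas_access_group.app.id}"
  source_cidr_ip    = "172.16.0.0/24"
  rw_access_type    = "RDWR"
  user_access_type  = "root_squash"
  priority          = 1
}

# Corrected form, rule 2: a second subnet gets read-only access with
# every client user squashed (all_squash).
resource "alicloud_nas_access_rule" "reporting_ro" {
  access_group_name = "${alicloud_nas_access_group.app.id}"
  source_cidr_ip    = "172.16.1.0/24"
  rw_access_type    = "RDONLY"
  user_access_type  = "all_squash"
  priority          = 2
}
```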

» Attributes Reference

The following attributes are exported:


• id - The ID of this resource. The value is formatted as <access_group_name>:<access
rule id>.
• access_rule_id - The nas access rule ID.

» Import

Nas Access Rule can be imported using the id, e.g.


$ terraform import alicloud_nas_access_rule.foo tf-testAccNasConfigName:1

» alicloud_nas_file_system
Provides a Nas File System resource.
After activating NAS, you can create a file system and purchase a storage
package for it in the NAS console. The NAS console also enables you to view the
file system details and remove unnecessary file systems.
For information about NAS file system and how to use it, see Manage file systems.
NOTE: Available in v1.33.0+.

» Example Usage

Basic Usage
resource "alicloud_nas_file_system" "foo" {
  protocol_type = "NFS"
  storage_type  = "Performance"
  description   = "tf-testAccNasConfig"
}

» Argument Reference

The following arguments are supported:


• protocol_type - (Required, ForceNew) The Protocol Type of a File System.
Valid values: NFS and SMB.
• storage_type - (Required, ForceNew) The Storage Type of a File System.
Valid values: Capacity and Performance.
• description - (Optional) The File System description.

» Attributes Reference

The following attributes are exported:


• id - The ID of the File System.

» Import

Nas File System can be imported using the id, e.g.


$ terraform import alicloud_nas_file_system.foo 1337849c59

» alicloud_nas_mount_target
Provides a Nas Mount Target resource.
NOTE: Available in v1.34.0+.
NOTE: Currently this resource supports creating a mount point in a classic
network only when the current region is a China mainland region.
NOTE: You must grant NAS specific RAM permissions when creating a
classic mount target, and this can only be achieved by creating a classic mount
target manually. See Add a mount point and Why do I need RAM permissions
to create a mount point in a classic network.

» Example Usage

Basic Usage
resource "alicloud_nas_file_system" "foo" {
  protocol_type = "NFS"
  storage_type  = "Performance"
  description   = "tf-testAccNasConfigFs"
}
resource "alicloud_nas_access_group" "foo" {
  name        = "tf-NasConfig-%d"
  type        = "Classic"
  description = "tf-testAccNasConfig"
}
resource "alicloud_nas_access_group" "bar" {
  name        = "tf-cNasConfig-2-%d"
  type        = "Classic"
  description = "tf-testAccNasConfig-2"
}
resource "alicloud_nas_mount_target" "foo" {
  file_system_id    = "${alicloud_nas_file_system.foo.id}"
  access_group_name = "${alicloud_nas_access_group.foo.id}"
}

» Argument Reference

The following arguments are supported:


• file_system_id - (Required, ForceNew) File system ID.
• access_group_name - (Required) Permission group name.
• vswitch_id - (Optional, ForceNew) VSwitch ID.
• status - (Optional) Whether the MountTarget is active. An inactive
MountTarget is unusable. Valid values are Active (default) and Inactive.

» Attributes Reference

The following attributes are exported:


• id - The ID of this resource. The value is a mount target domain.

» Import

Nas MountTarget can be imported using the id, e.g.


$ terraform import alicloud_nas_mount_target.foo 192094b415-luw38.cn-beijing.nas.aliyuncs.co

» alicloud_polardb_accounts
The alicloud_polardb_accounts data source provides a collection of PolarDB
cluster database accounts available in an Alibaba Cloud account. Filters support
a regular expression for the account name and searches by clusterId.
NOTE: Available in v1.70.0+.

» Example Usage

data "alicloud_polardb_clusters" "polardb_clusters_ds" {
  description_regex = "pc-\\w+"
  status            = "Running"
}

data "alicloud_polardb_accounts" "default" {
  db_cluster_id = "${data.alicloud_polardb_clusters.polardb_clusters_ds.clusters.0.id}"
}

output "ends" {
  value = "${data.alicloud_polardb_accounts.default.accounts[0].account_name}"
}

» Argument Reference

The following arguments are supported:


• db_cluster_id - (Required) The polarDB cluster ID.
• name_regex - (Optional) A regex string to filter results by account name.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - Account name of the cluster.
• accounts - A list of PolarDB cluster accounts. Each element contains the
following attributes:
– account_description - Account description.
– account_lock_state - Account lock state. Valid values are Lock and
UnLock.
– account_name - Account name.
– account_status - Cluster address type. Cluster: the default address
of the Cluster. Primary: Primary address. Custom: Custom cluster
addresses.
– account_type - Account type. Valid values are Normal and Super.
– database_privileges - A list of database privileges. Each element
contains the following attributes:
∗ account_privilege - Account privilege of the database.
∗ db_name - The name of the database owned by the account.

» alicloud_polardb_clusters
The alicloud_polardb_clusters data source provides a collection of PolarDB
clusters available in Alibaba Cloud account. Filters support regular expression
for the cluster description, searches by tags, and other filters which are listed
below.
NOTE: Available in v1.66.0+.

» Example Usage

data "alicloud_polardb_clusters" "polardb_clusters_ds" {
  description_regex = "pc-\\w+"
  status            = "Running"
}

output "first_polardb_cluster_id" {
  value = "${data.alicloud_polardb_clusters.polardb_clusters_ds.clusters.0.id}"
}

» Argument Reference

The following arguments are supported:


• description_regex - (Optional) A regex string to filter results by cluster
description.
• ids - (Optional) A list of PolarDB cluster IDs.
• status - (Optional) Status of the cluster.
• db_type - (Optional) Database type. Options are MySQL, Oracle and
PostgreSQL. If no value is specified, all types are returned.
• tags - (Optional, Available in v1.68.0+) A mapping of tags to assign to
the resource.
– Key: It can be up to 64 characters in length. It cannot begin with
"aliyun", "acs:", "http://", or "https://". It cannot be a null string.
– Value: It can be up to 128 characters in length. It cannot begin with
"aliyun", "acs:", "http://", or "https://". It can be a null string.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of RDS cluster IDs.
• descriptions - A list of RDS cluster descriptions.
• clusters - A list of PolarDB clusters. Each element contains the following
attributes:
– id - The ID of the PolarDB cluster.
– description - The description of the PolarDB cluster.
– charge_type - Billing method. Value options: PostPaid for Pay-As-You-Go
and PrePaid for subscription.
– network_type - The DBClusterNetworkType of the PolarDB cluster.
– region_id - Region ID the cluster belongs to.
– zone_id - The ZoneId of the PolarDB cluster.
– expire_time - Expiration time. Pay-As-You-Go clusters never expire.
– expired - The expired of the PolarDB cluster.
– status - Status of the cluster.
– engine - Database type. Options are MySQL, Oracle and PostgreSQL.
If no value is specified, all types are returned.
– db_type - Primary for primary cluster, ReadOnly for read-only cluster,
Guard for disaster recovery cluster, and Temp for temporary cluster.
– db_version - The DBVersion of the PolarDB cluster.
– lock_mode - The LockMode of the PolarDB cluster.
– delete_lock - The DeleteLock of the PolarDB cluster.
– create_time - The CreateTime of the PolarDB cluster.
– vpc_id - ID of the VPC the cluster belongs to.
– db_node_number - The DBNodeNumber of the PolarDB cluster.
– db_node_class - The DBNodeClass of the PolarDB cluster.
– storage_used - The StorageUsed of the PolarDB cluster.
– db_nodes - The DBNodes of the PolarDB cluster.
∗ db_node_class - The db_node_class of the db_nodes.
∗ max_iops - The max_iops of the db_nodes.
∗ region_id - The region_id of the db_nodes.
∗ db_node_role - The db_node_role of the db_nodes.
∗ max_connections - The max_connections of the db_nodes.
∗ zone_id - The zone_id of the db_nodes.
∗ db_node_status - The db_node_status of the db_nodes.
∗ db_node_id - The db_node_id of the db_nodes.
∗ create_time - The create_time of the db_nodes.

» alicloud_polardb_databases
The alicloud_polardb_databases data source provides a collection of PolarDB
cluster databases available in an Alibaba Cloud account. Filters support
a regular expression for the database name and searches by clusterId.
NOTE: Available in v1.70.0+.

» Example Usage

data "alicloud_polardb_clusters" "polardb_clusters_ds" {
  description_regex = "pc-\\w+"
  status            = "Running"
}

data "alicloud_polardb_databases" "default" {
  db_cluster_id = "${data.alicloud_polardb_clusters.polardb_clusters_ds.clusters.0.id}"
}

output "ends" {
  value = "${data.alicloud_polardb_databases.default.databases[0].db_name}"
}

» Argument Reference

The following arguments are supported:


• db_cluster_id - (Required) The polarDB cluster ID.
• name_regex - (Optional) A regex string to filter results by database name.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - Database name of the cluster.
• databases - A list of PolarDB cluster databases. Each element contains
the following attributes:
– character_set_name - The character set name of database.
– db_description - Database description.
– db_name - Database name.
– db_status - The status of database.
– engine - The engine of database.
– accounts - A list of accounts of database. Each element contains the
following attributes.
∗ account_name - Account name.
∗ account_status - Account status.
∗ privilege_status - The privilege status of account.

» alicloud_polardb_endpoints
The alicloud_polardb_endpoints data source provides a collection of PolarDB
endpoints available in Alibaba Cloud account. Filters support regular
expression for the cluster name, searches by clusterId, and other filters which
are listed below.
NOTE: Available in v1.68.0+.

» Example Usage

data "alicloud_polardb_clusters" "polardb_clusters_ds" {
  description_regex = "pc-\\w+"
  status            = "Running"
}

data "alicloud_polardb_endpoints" "default" {
  db_cluster_id = "${data.alicloud_polardb_clusters.polardb_clusters_ds.clusters.0.id}"
}

output "ends" {
  value = "${data.alicloud_polardb_endpoints.default.endpoints[0].db_endpoint_id}"
}

» Argument Reference

The following arguments are supported:


• db_cluster_id - (Required, ForceNew) PolarDB cluster ID.
• db_endpoint_id - (Optional) Endpoint of the cluster.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• endpoints - A list of PolarDB cluster endpoints. Each element contains
the following attributes:
– db_endpoint_id - The endpoint ID.
– auto_add_new_nodes - Whether the new node is automatically
added to the default cluster address. Options are Enable and
Disable.
– endpoint_config - The Endpoint configuration. ConsistLevel: session
consistency level, value: 0: final consistency, 1: session consistency;
LoadBalanceStrategy: load balancing strategy. Based on the
automatic scheduling of load, the value is: load.
– endpoint_type - Cluster address type. Cluster: the default address
of the Cluster. Primary: Primary address. Custom: Custom cluster
addresses.
– nodes - A list of nodes that connect to the address configuration.
– read_write_mode - Read-write mode: ReadWrite: readable and
writable (automatic read-write separation). ReadOnly: ReadOnly.
– address_items - A list of endpoint addresses. Each element contains
the following attributes.
∗ net_type - IP network type: Public or Private.
∗ connection_string - Connection instance string.
∗ port - Intranet connection port.
∗ vpc_id - ID of the VPC the instance belongs to.
∗ vswitch_id - ID of the VSwitch the cluster belongs to.
∗ ip_address - The ip address of connection string.

» alicloud_polardb_zones
This data source provides availability zones for PolarDB that can be accessed
by an Alibaba Cloud account within the region configured in the provider.
NOTE: Available in v1.74.0+.

» Example Usage

# Declare the data source
data "alicloud_polardb_zones" "zones_ids" {}

» Argument Reference

The following arguments are supported:


• multi - (Optional) Indicates whether the zones can be used in a multi
AZ configuration. Defaults to false. Multi AZ is usually used to launch
PolarDB instances.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of zone IDs.
• zones - A list of availability zones. Each element contains the following
attributes:
– id - ID of the zone.
– multi_zone_ids - A list of zone ids in which the multi zone.

» alicloud_polardb_account
Provides a PolarDB account resource, used to manage databases.
NOTE: Available in v1.67.0+.

» Example Usage

variable "creation" {
  default = "PolarDB"
}

variable "name" {
  default = "polardbaccountmysql"
}

data "alicloud_zones" "default" {
  available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_polardb_cluster" "cluster" {
  db_type       = "MySQL"
  db_version    = "8.0"
  db_node_class = "polar.mysql.x4.large"
  pay_type      = "PostPaid"
  vswitch_id    = "${alicloud_vswitch.default.id}"
  description   = "${var.name}"
}

# The account resource type is alicloud_polardb_account, and it must
# reference the PolarDB cluster declared above.
resource "alicloud_polardb_account" "account" {
  db_cluster_id       = "${alicloud_polardb_cluster.cluster.id}"
  account_name        = "tftestnormal"
  account_password    = "Test12345"
  account_description = "${var.name}"
}

» Argument Reference

The following arguments are supported:


• db_cluster_id - (Required, ForceNew) The ID of the cluster to which the
account belongs.
• account_name - (Required, ForceNew) Operation account requiring a
uniqueness check. It may consist of lower case letters, numbers, and
underlines, and must start with a letter and have no more than 16
characters.
• account_password - (Required) Operation password. It may consist of
letters, digits, or underlines, with a length of 6 to 32 characters.
• kms_encrypted_password - (Optional) A KMS-encrypted password used
for a db account. If account_password is filled in, this field will be
ignored.
• kms_encryption_context - (Optional) A KMS encryption context used
to decrypt kms_encrypted_password before creating or updating a db
account with kms_encrypted_password. See Encryption Context. It is
valid when kms_encrypted_password is set.
• account_description - (Optional) Account description. It cannot begin
with https://. It must start with a Chinese character or English letter. It
can include Chinese and English characters, underlines (_), hyphens (-),
and numbers. The length may be 2-256 characters.
• account_type - (Optional, ForceNew) Account type. Valid values are
Normal and Super. Defaults to Normal.

» Attributes Reference

The following attributes are exported:


• id - The current account resource ID. Composed of instance ID and
account name with format <instance_id>:<name>.

» Import

PolarDB account can be imported using the id, e.g.


$ terraform import alicloud_polardb_account.example "pc-12345:tf_account"

» alicloud_polardb_account_privilege
Provides a PolarDB account privilege resource, used to grant an account
access privileges on several databases. A database can be granted to multiple
accounts.
NOTE: Available in v1.67.0+.

» Example Usage

variable "creation" {
  default = "PolarDB"
}

variable "name" {
  default = "dbaccountprivilegebasic"
}

data "alicloud_zones" "default" {
  available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_polardb_cluster" "default" {
  db_type       = "MySQL"
  db_version    = "8.0"
  pay_type      = "PostPaid"
  db_node_class = "polar.mysql.x4.large"
  vswitch_id    = "${alicloud_vswitch.default.id}"
  description   = "${var.name}"
}

# Argument names below follow the Argument Reference sections of
# alicloud_polardb_database, alicloud_polardb_account and this resource.
resource "alicloud_polardb_database" "db" {
  count          = 2
  db_cluster_id  = "${alicloud_polardb_cluster.default.id}"
  db_name        = "tfaccountpri_${count.index}"
  db_description = "from terraform"
}

resource "alicloud_polardb_account" "account" {
  db_cluster_id       = "${alicloud_polardb_cluster.default.id}"
  account_name        = "tftestprivilege"
  account_password    = "Test12345"
  account_description = "from terraform"
}

resource "alicloud_polardb_account_privilege" "privilege" {
  db_cluster_id     = "${alicloud_polardb_cluster.default.id}"
  account_name      = "${alicloud_polardb_account.account.account_name}"
  account_privilege = "ReadOnly"
  db_names          = "${alicloud_polardb_database.db.*.db_name}"
}

» Argument Reference

The following arguments are supported:


• db_cluster_id - (Required, ForceNew) The ID of the cluster to which the
account belongs.
• account_name - (Required, ForceNew) A specified account name.
• account_privilege - (Optional, ForceNew) The privilege with which the
account accesses the databases. Valid values: ["ReadOnly", "ReadWrite"].
Defaults to "ReadOnly".
• db_names - (Required) List of specified database names.

» Attributes Reference

The following attributes are exported:


• id - The current account resource ID. Composed of instance ID, account
name and privilege with format <db_cluster_id>:<account_name>:<account_privilege>.

» Import

PolarDB account privilege can be imported using the id, e.g.


$ terraform import alicloud_polardb_account_privilege.example "pc-12345:tf_account:ReadOnly"

» alicloud_polardb_backup_policy
Provides a PolarDB cluster backup policy resource, used to configure the
cluster backup policy.
NOTE: Available in v1.66.0+. Each DB cluster has a backup policy, and it will
be reset to default values when the resource is destroyed.

» Example Usage

variable "name" {
  default = "polardbClusterconfig"
}

variable "creation" {
  default = "PolarDB"
}

data "alicloud_zones" "default" {
  available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_polardb_cluster" "default" {
  db_type       = "MySQL"
  db_version    = "8.0"
  db_node_class = "polar.mysql.x4.large"
  pay_type      = "PostPaid"
  description   = "${var.name}"
  # Use the VSwitch declared above rather than a hard-coded VSwitch ID.
  vswitch_id    = "${alicloud_vswitch.default.id}"
}

resource "alicloud_polardb_backup_policy" "policy" {
  db_cluster_id           = "${alicloud_polardb_cluster.default.id}"
  preferred_backup_period = "Tuesday,Wednesday"
  preferred_backup_time   = "10:00Z-11:00Z"
}

» Removing alicloud_polardb_backup_policy from your configuration

The alicloud_polardb_backup_policy resource allows you to manage your
polardb cluster policy, but Terraform cannot destroy it. Removing this resource
from your configuration will remove it from your statefile and management, but
will not destroy the cluster policy. You can resume managing the cluster via
the polardb Console.

» Argument Reference

The following arguments are supported:


• db_cluster_id - (Required, ForceNew) The ID of the cluster that can run
the database.
• preferred_backup_period - (Optional) PolarDB Cluster backup period.
Valid values: [Monday, Tuesday, Wednesday, Thursday, Friday, Saturday,
Sunday]. Defaults to ["Tuesday", "Thursday", "Saturday"].
• preferred_backup_time - (Optional) PolarDB Cluster backup time, in
the format of HH:mmZ-HH:mmZ. Time setting interval is one hour.
Defaults to "02:00Z-03:00Z". China time is 8 hours behind it.

» Attributes Reference

The following attributes are exported:


• id - The current backup policy resource ID. It is the same as db_cluster_id.
• backup_retention_period - Cluster backup retention days. Fixed at 7
days and cannot be modified.

» Import

PolarDB backup policy can be imported using the id or cluster id, e.g.
$ terraform import alicloud_polardb_backup_policy.example "rm-12345678"

» alicloud_polardb_cluster
Provides a PolarDB cluster resource. A PolarDB cluster is an isolated database
environment in the cloud. A PolarDB cluster can contain multiple user-created
databases.
NOTE: Available in v1.66.0+.

» Example Usage

» Create a PolarDB MySQL cluster

variable "name" {
  default = "polardbClusterconfig"
}
variable "creation" {
  default = "PolarDB"
}
data "alicloud_zones" "default" {
  available_resource_creation = "${var.creation}"
}
resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/16"
}
resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}
resource "alicloud_polardb_cluster" "default" {
  db_type       = "MySQL"
  db_version    = "5.6"
  db_node_class = "rds.mysql.s2.large"
  pay_type      = "PostPaid"
  description   = "${var.name}"
  vswitch_id    = "${alicloud_vswitch.default.id}"
}

» Argument Reference

The following arguments are supported:


• db_type - (Required, ForceNew) Database type. Value options: MySQL,
Oracle, PostgreSQL.
• db_version - (Required, ForceNew) Database version. For value options,
refer to the latest docs CreateDBCluster DBVersion.
• db_node_class - (Required) The db_node_class of cluster node.
• modify_type - (Optional, Available in 1.71.2+) Used when db_node_class
changes class, to define an upgrade or downgrade. Valid values are Upgrade
and Downgrade. Defaults to Upgrade.
• zone_id - (Optional) The Zone to launch the DB cluster. It supports
multiple zones.
• pay_type - (Optional, ForceNew) Valid values are PrePaid and PostPaid.
Defaults to PostPaid. Currently, the resource does not support changing the
pay type.
• renewal_status - (Optional) Valid values are AutoRenewal, Normal and
NotRenewal. Defaults to NotRenewal.
• auto_renew_period - (Optional) Auto-renewal period of a cluster, in
months. It is valid when pay_type is PrePaid. Valid values: 1,
2, 3, 6, 12, 24, 36. Defaults to 1.
• period - (Optional) The duration for which you will buy the DB cluster (in
months). It is valid when pay_type is PrePaid. Valid values: [1~9], 12, 24, 36.
Defaults to 1.
• security_ips - (Optional) List of IP addresses allowed to access all
databases of a cluster. The list contains up to 1,000 IP addresses,
separated by commas. Supported formats include 0.0.0.0/0, 10.23.12.24 (IP),
and 10.23.12.24/24 (Classless Inter-Domain Routing (CIDR) mode; /24
represents the length of the prefix in an IP address, and the range of the
prefix length is [1,32]).
• vswitch_id - (Optional) The virtual switch ID to launch DB instances in
one VPC.
• maintain_time - (Optional) Maintainable time period format of the
instance: HH:MMZ-HH:MMZ (UTC time).
• description - (Optional) The description of the cluster.
• parameters - (Optional) Set of parameters that need to be set after the DB
cluster is launched. For available parameters, refer to the latest docs View
database parameter templates.
• tags - (Optional, Available in v1.68.0+) A mapping of tags to assign to
the resource.
– Key: It can be up to 64 characters in length. It cannot begin with
"aliyun", "acs:", "http://", or "https://". It cannot be a null string.
– Value: It can be up to 128 characters in length. It cannot begin with
"aliyun", "acs:", "http://", or "https://". It can be a null string.
NOTE: Because of data backup and migration, changing the DB cluster type and
storage takes 15~20 minutes. Please make full preparation before changing
them.
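The account examples in the alicloud_polardb_account sections put the password in the configuration as a literal, and security_ips above accepts 0.0.0.0/0. As an added example, not part of the provider documentation, the configuration below combines the arguments documented for alicloud_polardb_cluster, alicloud_polardb_account and alicloud_polardb_account_privilege into a narrower setup. Resource names, the CIDR blocks, the encryption context and the variable are assumptions; it also assumes that kms_encryption_context takes a map and that account_password may be omitted when kms_encrypted_password is set.

```hcl
# Added example: every name, CIDR block and context value is an assumption.
variable "db_password_ciphertext" {
  description = "Output of KMS Encrypt for the account password, supplied at apply time"
}

data "alicloud_zones" "default" {
  available_resource_creation = "PolarDB"
}

resource "alicloud_vpc" "default" {
  name       = "polardb-restricted"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "polardb-restricted"
}

resource "alicloud_polardb_cluster" "restricted" {
  db_type       = "MySQL"
  db_version    = "8.0"
  db_node_class = "polar.mysql.x4.large"
  pay_type      = "PostPaid"
  vswitch_id    = "${alicloud_vswitch.default.id}"
  description   = "polardb-restricted"

  # Weak setting: security_ips = ["0.0.0.0/0"] admits every source address.
  # Corrected: only the application VSwitch range may connect.
  security_ips = ["172.16.0.0/24"]
}

resource "alicloud_polardb_database" "orders" {
  db_cluster_id = "${alicloud_polardb_cluster.restricted.id}"
  db_name       = "orders"
}

resource "alicloud_polardb_account" "reporting" {
  db_cluster_id = "${alicloud_polardb_cluster.restricted.id}"
  account_name  = "orders_report"
  account_type  = "Normal"

  # Weak setting: account_password = "Test12345" keeps the secret in the
  # configuration. Corrected: pass KMS ciphertext, which is decrypted with
  # the encryption context before the account is created or updated.
  kms_encrypted_password = "${var.db_password_ciphertext}"
  kms_encryption_context = {
    purpose = "polardb-account"
  }
}

# Grant the reporting account read-only access to the one database it needs.
resource "alicloud_polardb_account_privilege" "reporting_ro" {
  db_cluster_id     = "${alicloud_polardb_cluster.restricted.id}"
  account_name      = "${alicloud_polardb_account.reporting.account_name}"
  account_privilege = "ReadOnly"
  db_names          = ["${alicloud_polardb_database.orders.db_name}"]
}
```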

» Removing alicloud_polardb_cluster from your configuration

The alicloud_polardb_cluster resource allows you to manage your polardb
cluster, but Terraform cannot destroy it if your cluster type is prepaid
(postpaid clusters can be destroyed normally). Removing this resource from your
configuration will remove it from your statefile and management, but will not
destroy the cluster. You can resume managing the cluster via the polardb Console.

» Attributes Reference

The following attributes are exported:


• id - The PolarDB cluster ID.

» Timeouts

The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 30 mins) Used when creating the polardb cluster
(until it reaches the initial Running status).
• update - (Defaults to 30 mins) Used when updating the polardb cluster
(until it reaches the initial Running status).
• delete - (Defaults to 10 mins) Used when terminating the polardb cluster.

» Import

PolarDB cluster can be imported using the id, e.g.


$ terraform import alicloud_polardb_cluster.example pc-abc12345678

» alicloud_polardb_database
Provides a PolarDB database resource. A DB database is deployed in a DB cluster.
A DB cluster can own multiple databases.
NOTE: Available in v1.66.0+.

» Example Usage

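variable "clusterclass" {
  default = "polar.mysql.x4.large"
}

resource "alicloud_polardb_cluster" "cluster" {
  db_type       = "MySQL"
  db_version    = "8.0"
  pay_type      = "PostPaid"
  db_node_class = "${var.clusterclass}"
  # vswitch_id takes a VSwitch ID, not a node class; this assumes
  # alicloud_vswitch.default is declared as in the alicloud_polardb_cluster example.
  vswitch_id    = "${alicloud_vswitch.default.id}"
  description   = "testDB"
}

resource "alicloud_polardb_database" "default" {
  db_cluster_id = "${alicloud_polardb_cluster.cluster.id}"
  db_name       = "tftestdatabase"
}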

» Argument Reference

The following arguments are supported:


• db_cluster_id - (Required, ForceNew) The ID of the cluster that can run
the database.
• db_name - (Required, ForceNew) Name of the database requiring a uniqueness
check. It may consist of lower case letters, numbers, and underlines,
and must start with a letter and have no more than 64 characters.
• character_set_name - (Optional, ForceNew) Character set. The
value range is limited to the following: [ utf8, gbk, latin1, utf8mb4,
Chinese_PRC_CI_AS, Chinese_PRC_CS_AS, SQL_Latin1_General_CP1_CI_AS,
SQL_Latin1_General_CP1_CS_AS, Chinese_PRC_BIN ], default is
"utf8" (utf8mb4 only supports versions 5.5 and 5.6).
• db_description - (Optional) Database description. It cannot begin with
https://. It must start with a Chinese character or English letter. It can
include Chinese and English characters, underlines (_), hyphens (-), and
numbers. The length may be 2-256 characters.

» Attributes Reference

The following attributes are exported:


• id - The current database resource ID. Composed of cluster ID and
database name with format <cluster_id>:<name>.

» Import

PolarDB database can be imported using the id, e.g.


$ terraform import alicloud_polardb_database.example "pc-12345:tf_database"

» alicloud_polardb_endpoint_address
Provides a PolarDB endpoint address resource to allocate an Internet endpoint
address string for a PolarDB instance.
NOTE: Available in v1.68.0+. Each PolarDB instance allocates an intranet
connection string automatically, and its prefix is the Cluster ID. To avoid
unnecessary conflict, please specify an internet connection prefix before
applying the resource.

» Example Usage

variable "creation" {
  default = "PolarDB"
}

variable "name" {
  default = "polardbconnectionbasic"
}

data "alicloud_zones" "default" {
  available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_polardb_cluster" "default" {
  db_type       = "MySQL"
  db_version    = "8.0"
  pay_type      = "PostPaid"
  db_node_class = "polar.mysql.x4.large"
  vswitch_id    = "${alicloud_vswitch.default.id}"
  description   = "${var.name}"
}

data "alicloud_polardb_endpoints" "default" {
  db_cluster_id = "${alicloud_polardb_cluster.default.id}"
}

resource "alicloud_polardb_endpoint_address" "endpoint" {
  db_cluster_id     = "${alicloud_polardb_cluster.default.id}"
  db_endpoint_id    = "${data.alicloud_polardb_endpoints.default.endpoints[0].db_endpoint_id}"
  connection_prefix = "testpolardbconn"
  net_type          = "Public"
}

» Argument Reference

The following arguments are supported:


• db_cluster_id - (Required, ForceNew) The Id of cluster that can run
database.
• db_endpoint_id - (Required, ForceNew) The Id of endpoint that can run
database.
• connection_prefix - (Optional) Prefix of an Internet connection string.
It must be checked for uniqueness. It may consist of lowercase letters,
numbers, and underlines, and must start with a letter and have no more
than 30 characters. Default to + ’tf’.
• net_type - (Optional, ForceNew) Internet connection net type. Valid
value: Public. Default to Public. Currently only Public is supported.

» Attributes Reference

The following attributes are exported:


• id - The current instance connection resource ID. Composed of instance ID
and connection string with format <db_cluster_id>:<db_endpoint_id>.
• port - Connection cluster or endpoint port.
• connection_string - Connection cluster or endpoint string.
• ip_address - The ip address of connection string.

» Import

PolarDB endpoint address can be imported using the id, e.g.


$ terraform import alicloud_polardb_endpoint_address.example pc-abc123456:pe-abc123456

» alicloud_kvstore_instances
The alicloud_kvstore_instances data source provides a collection of kvstore
instances available in Alicloud account. Filters support regular expression for
the instance name, searches by tags, and other filters which are listed below.

» Example Usage

data "alicloud_kvstore_instances" "default" {
name_regex = "checkalicloudkvinstancesdatasoource"
}
output "first_instance_name" {
value = "${data.alicloud_kvstore_instances.default.instances.0.name}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to apply to the instance name.
• ids - (Optional, Available 1.52.2+) A list of RKV instance IDs.
• instance_type - (Optional) Database type. Options are Memcache, and
Redis. If no value is specified, all types are returned.
• status - (Optional) Status of the instance.
• instance_class - (Optional) Type of the applied ApsaraDB for Redis
instance. For more information, see Instance type table.
• vpc_id - (Optional) Used to retrieve instances belonging to the specified VPC.

• vswitch_id - (Optional) Used to retrieve instances belonging to the specified
vswitch resources.
• tags - (Optional) Query the instances bound to the tag. The value is a
JSON string containing TagKey and TagValue. TagKey cannot be null, and
TagValue can be empty. Format example
{"key1":"value1"}.
• output_file - (Optional) The name of file that can save the collection of
instances after running terraform plan.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of RKV instance IDs.
• instances - A list of RKV instances. Each element contains the
following attributes:
– id - The ID of the RKV instance.
– name - The name of the RKV instance.
– charge_type - Billing method. Value options: PostPaid for
Pay-As-You-Go and PrePaid for subscription.
– region_id - Region ID the instance belongs to.
– create_time - Creation time of the instance.
– expire_time - Expiration time. Pay-As-You-Go instances never
expire.
– status - Status of the instance.
– instance_type - (Optional) Database type. Options are Memcache,
and Redis. If no value is specified, all types are returned.
– instance_class - (Optional) Type of the applied ApsaraDB for
Redis instance. For more information, see Instance type table.
– availability_zone - Availability zone.
– vpc_id - VPC ID the instance belongs to.
– vswitch_id - VSwitch ID the instance belongs to.
– private_ip - Private IP address of the instance.
– username - The username of the instance.
– capacity - Capacity of the applied ApsaraDB for Redis instance.
Unit: MB.
– bandwidth - Instance bandwidth limit. Unit: Mbit/s.
– connections - Instance connection quantity limit. Unit: count.
– connections_domain - Instance connection domain (only Intranet
access supported).
– port - Connection port of the instance.

» alicloud_kvstore_instance_classes
This data source provides information about the KVStore instance classes
available in Alibaba Cloud.
NOTE: Available in v1.49.0+

» Example Usage

data "alicloud_zones" "resources" {


available_resource_creation = "KVStore"
}

data "alicloud_kvstore_instance_classes" "resources" {


zone_id = "${data.alicloud_zones.resources.zones.0.id}"
instance_charge_type = "PrePaid"
engine = "Redis"
engine_version = "5.0"
output_file = "./classes.txt"
}

output "first_kvstore_instance_class" {
value = "${data.alicloud_kvstore_instance_classes.resources.instance_classes.0}"
}

» Argument Reference

The following arguments are supported:


• zone_id - (Required) The Zone to launch the KVStore instance.
• instance_charge_type - (Optional) Filter the results by charge type.
Valid values: PrePaid and PostPaid. Default to PrePaid.
• engine - (Optional) Database type. Options are Redis, Memcache.
Default to Redis.
• engine_version - (Optional) Database version required by the
user. For the value options of Redis, refer to EngineVersion in the
latest docs. Value of Memcache should be empty.
• architecture - (Optional) The KVStore instance system architecture
required by the user. Valid values: standard, cluster and rwsplit.
• performance_type - (Optional, Deprecated) It has been deprecated from
1.68.0.
• storage_type - (Optional, Deprecated) It has been deprecated from
1.68.0.
• node_type - (Optional) The KVStore instance node type required by the
user. Valid values: double, single, readone, readthree and readfive.

• package_type - (Optional, Deprecated) It has been deprecated from
1.68.0.
• output_file - (Optional) File name where to save data source results
(after running terraform apply).
• edition_type - (Optional, Available in 1.68.0+) The KVStore instance
edition type required by the user. Valid values: Community and
Enterprise.
• series_type - (Optional, Available in 1.68.0+) The KVStore instance
series type required by the user. Valid values: enhanced_performance_type
and hybrid_storage.
• shard_number - (Optional, Available in 1.68.0+) The number of
shards. Valid values: 1, 2, 4, 8, 16, 32, 64, 128, 256.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• instance_classes - A list of KVStore available instance classes.
• classes - A list of KVStore available instance classes when the sorted_by
is ”Price”. Includes:
– instance_class - KVStore available instance class.

» alicloud_kvstore_instance_engines
This data source provides information about the KVStore instance engines
available in Alibaba Cloud.
NOTE: Available in v1.51.0+

» Example Usage

data "alicloud_zones" "resources" {


available_resource_creation = "KVStore"
}

data "alicloud_kvstore_instance_engines" "resources" {


zone_id = "${data.alicloud_zones.resources.zones.0.id}"
instance_charge_type = "PrePaid"
engine = "Redis"
engine_version = "5.0"
output_file = "./engines.txt"
}

output "first_kvstore_instance_class" {
value = "${data.alicloud_kvstore_instance_engines.resources.instance_engines.0.engine}"
}

» Argument Reference

The following arguments are supported:


• zone_id - (Required) The Zone to launch the KVStore instance.
• instance_charge_type - (Optional) Filter the results by charge type.
Valid values: PrePaid and PostPaid. Default to PrePaid.
• engine - (Optional) Database type. Options are Redis, Memcache.
Default to Redis.
• engine_version - (Optional) Database version required by the
user. For the value options of Redis, refer to EngineVersion in the
latest docs. Value of Memcache should be empty.
• output_file - (Optional) File name where to save data source results
(after running terraform apply).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• instance_engines - A list of KVStore available instance engines. Each
element contains the following attributes:
– zone_id - The Zone to launch the KVStore instance.
– engine - Database type.
– engine_version - KVStore Instance version.

» alicloud_kvstore_zones
This data source provides availability zones for KVStore that can be accessed
by an Alibaba Cloud account within the region configured in the provider.
NOTE: Available in v1.73.0+.

» Example Usage

# Declare the data source


data "alicloud_kvstore_zones" "zones_ids" {}

# Create a KVStore instance with the first matched zone


resource "alicloud_kvstore_instance" "kvstore" {

availability_zone = data.alicloud_kvstore_zones.zones_ids.zones.0.id

# Other properties...
}

» Argument Reference

The following arguments are supported:


• multi - (Optional) Indicate whether the zones can be used in a multi
AZ configuration. Default to false. Multi AZ is usually used to launch
KVStore instances.
• instance_charge_type - (Optional) Filter the results by a specific
instance charge type. Valid values: PrePaid and PostPaid. Default to
PostPaid.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of zone IDs.
• zones - A list of availability zones. Each element contains the following
attributes:
– id - ID of the zone.
– multi_zone_ids - A list of zone ids in which the multi zone.

» alicloud_kvstore_account
Provides a KVStore account resource, used to manage databases.
NOTE: Available in 1.66.0+

» Example Usage

variable "creation" {
default = "KVStore"
}
variable "name" {
default = "kvstoreinstancevpc"
}
data "alicloud_zones" "default" {

available_resource_creation = "${var.creation}"
}
resource "alicloud_vpc" "default" {
name = "${var.name}"
cidr_block = "172.16.0.0/16"
}
resource "alicloud_vswitch" "default" {
vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}
resource "alicloud_kvstore_instance" "default" {
instance_class = "redis.master.small.default"
instance_name = "${var.name}"
vswitch_id = "${alicloud_vswitch.default.id}"
private_ip = "172.16.0.10"
security_ips = ["10.0.0.1"]
instance_type = "Redis"
engine_version = "4.0"
}

resource "alicloud_kvstore_account" "account" {


instance_id = "${alicloud_kvstore_instance.default.id}"
account_name = "tftestnormal"
account_password = "Test12345"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The ID of the instance to which the account
belongs. (The engine version of the instance must be 4.0 or 4.0+.)
• account_name - (Required, ForceNew) Operation account requiring a
uniqueness check. It may consist of lower case letters, numbers, and
underlines, and must start with a letter and have no more than 16
characters.
• account_password - (Optional, Sensitive) Operation password. It
may consist of letters, digits, or underlines, with a length of 6 to
32 characters. You have to specify one of account_password and
kms_encrypted_password fields.
• kms_encrypted_password - (Optional) A KMS-encrypted password used
for a KVStore account. If account_password is set, this field is
ignored.
• kms_encryption_context - (Optional) A KMS encryption context used
to decrypt kms_encrypted_password before creating or updating a KVStore
account with kms_encrypted_password. See Encryption Context. It
is valid when kms_encrypted_password is set.
• description - (Optional) Database description. It cannot begin with
https://. It must start with a Chinese character or English letter. It can
include Chinese and English characters, underlines (_), hyphens (-), and
numbers. The length may be 2-256 characters.
• account_type - (Optional, ForceNew) Privilege type of account.
– Normal: Common privilege. Default to Normal.
• account_privilege - (Optional) The privilege the account has on the database.
Valid values:
– RoleReadOnly: This value is only for Redis and Memcache
– RoleReadWrite: This value is only for Redis and Memcache
– RoleRepl: This value supports instance to read, write, and open
SYNC / PSYNC commands. Only for Redis which engine version is
4.0 and architecture type is standard
Default to ”RoleReadWrite”.

» Attributes Reference

The following attributes are exported:


• id - The current account resource ID. Composed of instance ID and
account name with format <instance_id>:<name>.

» Import

kvstore account can be imported using the id, e.g.


$ terraform import alicloud_kvstore_account.example "rm-12345:tf_account"

» alicloud_kvstore_backup_policy
Provides a backup policy for ApsaraDB Redis / Memcache instance resource.

» Example Usage

Basic Usage
variable "creation" {
default = "KVStore"

}
variable "multi_az" {
default = "false"
}
variable "name" {
default = "kvstorebackuppolicyvpc"
}
data "alicloud_zones" "default" {
available_resource_creation = "${var.creation}"
}
resource "alicloud_vpc" "default" {
name = "${var.name}"
cidr_block = "172.16.0.0/16"
}
resource "alicloud_vswitch" "default" {
vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}
resource "alicloud_kvstore_instance" "default" {
instance_class = "memcache.master.small.default"
instance_name = "${var.name}"
vswitch_id = "${alicloud_vswitch.default.id}"
private_ip = "172.16.0.10"
security_ips = ["10.0.0.1"]
instance_type = "Memcache"
engine_version = "2.8"
}
resource "alicloud_kvstore_backup_policy" "default" {
instance_id = "${alicloud_kvstore_instance.default.id}"
backup_period = ["Tuesday", "Wednesday"]
backup_time = "10:00Z-11:00Z"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The id of ApsaraDB for Redis or
Memcache instance.
• backup_time - (Optional) Backup time, in the format of HH:mmZ-HH:mmZ
• backup_period - (Optional) Backup Cycle. Allowed values: Monday,
Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday

» Attributes Reference

The following attributes are exported:


• id - The id of the backup policy.
• instance_id - The id of ApsaraDB for Redis or Memcache instance.
• backup_time - Backup time, in the format of HH:mmZ-HH:mmZ
• backup_period - Backup Cycle. Allowed values: Monday, Tuesday,
Wednesday, Thursday, Friday, Saturday, Sunday

» Import

KVStore backup policy can be imported using the id, e.g.


$ terraform import alicloud_kvstore_backup_policy.example r-abc12345678

» alicloud_kvstore_instance
Provides an ApsaraDB Redis / Memcache instance resource. A DB instance
is an isolated database environment in the cloud. It can be associated with IP
whitelists and backup configuration which are separate resource providers.

» Example Usage

Basic Usage
variable "creation" {
default = "KVStore"
}
variable "name" {
default = "kvstoreinstancevpc"
}
data "alicloud_zones" "default" {
available_resource_creation = "${var.creation}"
}
resource "alicloud_vpc" "default" {
name = "${var.name}"
cidr_block = "172.16.0.0/16"
}
resource "alicloud_vswitch" "default" {
vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"

}
resource "alicloud_kvstore_instance" "default" {
instance_class = "redis.master.small.default"
instance_name = "${var.name}"
vswitch_id = "${alicloud_vswitch.default.id}"
private_ip = "172.16.0.10"
security_ips = ["10.0.0.1"]
instance_type = "Redis"
engine_version = "4.0"
}

» Argument Reference

The following arguments are supported:


• instance_name - (Optional) The name of DB instance. It is a string of 2 to
256 characters.
• password - (Optional, Sensitive) The password of the DB instance. The
password is a string of 8 to 30 characters and must contain uppercase
letters, lowercase letters, and numbers.
• kms_encrypted_password - (Optional, Available in 1.57.1+) A KMS-encrypted
password used for an instance. If the password is set, this field
is ignored.
• kms_encryption_context - (Optional, MapString, Available in 1.57.1+)
A KMS encryption context used to decrypt kms_encrypted_password
before creating or updating instance with kms_encrypted_password. See
Encryption Context. It is valid when kms_encrypted_password is set.
• instance_class - (Required) Type of the applied ApsaraDB for Redis
instance. It can be retrieved by data source alicloud_kvstore_instance_classes
or referring to help-docs Instance type table.
• availability_zone - (Optional, ForceNew) The Zone to launch the DB
instance.
• instance_charge_type - (Optional) Valid values are PrePaid and PostPaid.
Default to PostPaid.
• period - (Optional) The duration that you will buy DB instance (in
month). It is valid when instance_charge_type is PrePaid. Valid
values: [1~9], 12, 24, 36. Default to 1.
• auto_renew - (Optional, Available in 1.36.0+) Whether to renew a DB
instance automatically or not. It is valid when instance_charge_type is
PrePaid. Default to false.
• auto_renew_period - (Optional, Available in 1.36.0+) Auto-renewal
period of an instance, in the unit of the month. It is valid when
instance_charge_type is PrePaid. Valid values: [1~12]. Default to 1.
• instance_type - (Optional, ForceNew) The engine to use: Redis or
Memcache. Defaults to Redis.

• vswitch_id - (Optional, ForceNew) The ID of VSwitch.
• engine_version - (Optional, ForceNew) Engine version. Supported
values: 2.8, 4.0 and 5.0. Default value: 2.8. Only 2.8 can be supported for
Memcache Instance.
• security_ips - (Optional) Set the instance’s IP whitelist of the default
security group.
• security_group_id - (Optional, Available in 1.76.0+) The Security
Group ID of ECS.
• private_ip - (Optional) Set the instance’s private IP.
• backup_id - (Optional) If an instance created based on a backup set
generated by another instance is valid, this parameter indicates the ID of the
generated backup set.
• vpc_auth_mode - (Optional) Only meaningful if instance_type is Redis
and network type is VPC. Valid values are Close, Open. Defaults to Open.
Close means the Redis instance can be accessed without authentication.
Open means authentication is required.
• parameters - (Optional) Set of parameters to apply after the instance
is launched. For available parameters, refer to the Instance
configurations table in the latest docs.
• tags - (Optional, Available in v1.55.3+) A mapping of tags to assign to
the resource.
• maintain_start_time - (Optional, Available in v1.56.0+) The start time
of the operation and maintenance time period of the instance, in the format
of HH:mmZ (UTC time).
• maintain_end_time - (Optional, Available in v1.56.0+) The end time of
the operation and maintenance time period of the instance, in the format
of HH:mmZ (UTC time).
NOTE: The interval between the start time and the end time must be 1 hour. For
example, if the MaintainStartTime is 01:00Z, then the MaintainEndTime must be 02:00Z.

» Attributes Reference

The following attributes are exported:


• id - The KVStore instance ID.
• connection_domain - Instance connection domain (only Intranet access
supported).

» Timeouts

NOTE: Available in 1.54.0+.


The timeouts block allows you to specify timeouts for certain actions:

• create - (Defaults to 20 mins) Used when creating the KVStore instance
(until it reaches the initial Normal status).
• update - (Defaults to 30 mins) Used when updating the KVStore instance
(until it reaches the initial Normal status).
• delete - (Defaults to 20 mins) Used when terminating the KVStore
instance.

» Import

KVStore instance can be imported using the id, e.g.


$ terraform import alicloud_kvstore_instance.example r-abc12345678
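
The alicloud_kvstore_account and alicloud_kvstore_instance examples above put a plaintext password and a single-address whitelist in configuration. The following added example (not part of the provider documentation, written in Terraform 0.12 syntax) uses kms_encrypted_password, an explicit vpc_auth_mode and a read-only account instead. The variable names, resource names, client addresses and encryption context are assumptions, and the ciphertexts are assumed to have been produced with KMS outside Terraform.

```hcl
# Added example. All variable names, resource names, IP addresses and the
# encryption context below are constructed placeholders.

variable "vswitch_id" {
  description = "ID of an existing VSwitch for the instance"
  type        = string
}

variable "instance_password_ciphertext" {
  description = "Instance password, already encrypted with KMS outside Terraform"
  type        = string
}

variable "account_password_ciphertext" {
  description = "Account password, already encrypted with KMS outside Terraform"
  type        = string
}

variable "client_ips" {
  description = "Addresses allowed by the instance whitelist (constructed sample values)"
  type        = list(string)
  default     = ["172.16.0.21", "172.16.0.22"]
}

locals {
  # Must match the encryption context supplied when the ciphertexts were created.
  kms_context = {
    purpose = "kvstore"
  }
}

resource "alicloud_kvstore_instance" "hardened" {
  instance_class = "redis.master.small.default"
  instance_name  = "kvstorehardened"
  instance_type  = "Redis"
  engine_version = "4.0" # alicloud_kvstore_account needs engine version 4.0 or 4.0+
  vswitch_id     = var.vswitch_id

  # Whitelist only the known client addresses.
  security_ips = var.client_ips

  # "Open" means authentication is required; "Close" allows access
  # without authentication. Pin the value instead of relying on the default.
  vpc_auth_mode = "Open"

  # Ciphertext instead of the plaintext "password" argument.
  kms_encrypted_password = var.instance_password_ciphertext
  kms_encryption_context = local.kms_context
}

resource "alicloud_kvstore_account" "reader" {
  instance_id  = alicloud_kvstore_instance.hardened.id
  account_name = "tfreader"
  description  = "read-only_app_account"

  # Ciphertext instead of the plaintext "account_password" argument.
  kms_encrypted_password = var.account_password_ciphertext
  kms_encryption_context = local.kms_context

  # Least privilege: the documented default is RoleReadWrite.
  account_privilege = "RoleReadOnly"
}
```

The Sensitive marker on password and account_password only redacts the value in CLI output; a plaintext value supplied through those arguments is still written to the Terraform state file.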

» alicloud_ons_groups
This data source provides a list of ONS Groups in an Alibaba Cloud account
according to the specified filters.
NOTE: Available in 1.53.0+

» Example Usage

variable "name" {
default = "onsInstanceName"
}

variable "group_id" {
default = "GID-onsGroupDatasourceName"
}

resource "alicloud_ons_instance" "default" {


name = "${var.name}"
remark = "default_ons_instance_remark"
}

resource "alicloud_ons_group" "default" {


group_id = "${var.group_id}"
instance_id = "${alicloud_ons_instance.default.id}"
remark = "dafault_ons_group_remark"
}

data "alicloud_ons_groups" "groups_ds" {


instance_id = "${alicloud_ons_group.default.instance_id}"

group_id_regex = "${var.group_id}"
output_file = "groups.txt"
}

output "first_group_name" {
value = "${data.alicloud_ons_groups.groups_ds.groups.0.group_id}"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required) ID of the ONS Instance that owns the groups.
• group_id_regex - (Optional) A regex string to filter results by the group
name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of group names.
• groups - A list of groups. Each element contains the following attributes:
– id - The name of the group.
– owner - The ID of the group owner, which is the Alibaba Cloud UID.
– independent_naming - Indicates whether namespaces are available.
Read Fields in SubscribeInfoDo for further details.
– remark - Remark of the group.

» alicloud_ons_instances
This data source provides a list of ONS Instances in an Alibaba Cloud account
according to the specified filters.
NOTE: Available in 1.52.0+

» Example Usage

variable "name" {
default = "onsInstanceDatasourceName"
}

resource "alicloud_ons_instance" "default" {
name = "${var.name}"
remark = "default_ons_instance_remark"
}

data "alicloud_ons_instances" "instances_ds" {


ids = ["${alicloud_ons_instance.default.id}"]
name_regex = "${alicloud_ons_instance.default.name}"
output_file = "instances.txt"
}

output "first_instance_id" {
value = "${data.alicloud_ons_instances.instances_ds.instances.0.instance_id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of instance IDs to filter results.
• name_regex - (Optional) A regex string to filter results by the instance
name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of instance IDs.
• names - A list of instance names.
• instances - A list of instances. Each element contains the following
attributes:
– id - ID of the instance.
– instance_id - ID of the instance.
– instance_name - Name of the instance.
– instance_type - The type of the instance. Read Fields in
InstanceVO for further details.
– instance_status - The status of the instance. Read Fields in
InstanceVO for further details.
– release_time - The automatic release time of an Enterprise Platinum
Edition instance.

» alicloud_ons_topics
This data source provides a list of ONS Topics in an Alibaba Cloud account
according to the specified filters.
NOTE: Available in 1.53.0+

» Example Usage

variable "name" {
default = "onsInstanceName"
}

variable "topic" {
default = "onsTopicDatasourceName"
}

resource "alicloud_ons_instance" "default" {


name = "${var.name}"
remark = "default_ons_instance_remark"
}

resource "alicloud_ons_topic" "default" {


topic = "${var.topic}"
instance_id = "${alicloud_ons_instance.default.id}"
message_type = 0
remark = "dafault_ons_topic_remark"
}

data "alicloud_ons_topics" "topics_ds" {


instance_id = "${alicloud_ons_topic.default.instance_id}"
name_regex = "${var.topic}"
output_file = "topics.txt"
}

output "first_topic_name" {
value = "${data.alicloud_ons_topics.topics_ds.topics.0.topic}"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required) ID of the ONS Instance that owns the topics.

• name_regex - (Optional) A regex string to filter results by the topic name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - A list of topic names.
• topics - A list of topics. Each element contains the following attributes:
– topic - The name of the topic.
– owner - The ID of the topic owner, which is the Alibaba Cloud UID.
– relation - The relation ID. Read Fields in PublishInfoDo for further
details.
– relation_name - The name of the relation, for example, owner,
publishable, subscribable, and publishable and subscribable.
– message_type - The type of the message. Read Fields in
PublishInfoDo for further details.
– independent_naming - Indicates whether namespaces are available.
Read Fields in PublishInfoDo for further details.
– create_time - Time of creation.
– remark - Remark of the topic.

» alicloud_ons_group
Provides an ONS group resource.
For more information about how to use it, see RocketMQ Group Management
API.
NOTE: Available in 1.53.0+

» Example Usage

Basic Usage
variable "name" {
default = "onsInstanceName"
}

variable "group_id" {
default = "GID-onsGroupDatasourceName"
}

resource "alicloud_ons_instance" "default" {
name = "${var.name}"
remark = "default_ons_instance_remark"
}

resource "alicloud_ons_group" "default" {


group_id = "${var.group_id}"
instance_id = "${alicloud_ons_instance.default.id}"
remark = "dafault_ons_group_remark"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required) ID of the ONS Instance that owns the groups.
• group_id - (Required) Name of the group. Two groups on a single instance
cannot have the same name. A group_id starts with ”GID_” or ”GID-”,
and contains letters, numbers, hyphens (-), and underscores (_).
• remark - (Optional) This attribute is a concise description of group. The
length cannot exceed 256.
• read_enable - (Optional) This attribute is used to set the message reading
enabled or disabled. It can only be set after the group is used by the client.

» Attributes Reference

The following attributes are exported:


• id - The key of the resource supplied above. The value is formulated as
<instance_id>:<group_id>.

» Import

ONS GROUP can be imported using the id, e.g.


$ terraform import alicloud_ons_group.group MQ_INST_1234567890_Baso1234567:GID-onsGroupDemo

» alicloud_ons_instance
Provides an ONS instance resource.
For more information about how to use it, see RocketMQ Instance Management
API.

NOTE: The number of instances in the same region cannot exceed 8. At
present, the resource does not support region ”mq-internet-access” and
”ap-southeast-5”.
NOTE: Available in 1.51.0+

» Example Usage

Basic Usage
resource "alicloud_ons_instance" "example" {
name = "tf-example-ons-instance"
remark = "tf-example-ons-instance-remark"
}

» Argument Reference

The following arguments are supported:


• name - (Required) Two instances on a single account in the same region
cannot have the same name. The length must be 3 to 64 characters.
Chinese characters, English letters, digits and hyphens are allowed.
• remark - (Optional) This attribute is a concise description of instance. The
length cannot exceed 128.

» Attributes Reference

The following attributes are exported:


• id - The key of the resource supplied above.
• instance_type - The edition of instance. 1 represents the postPaid
edition, and 2 represents the platinum edition.
• instance_status - The status of instance. 1 represents the platinum
edition instance is in deployment. 2 represents the postpaid edition instance
is overdue. 5 represents the postpaid or platinum edition instance is in
service. 7 represents the platinum version instance is in upgrade and the
service is available.
• release_time - Platinum edition instance expiration time.

» Import

ONS INSTANCE can be imported using the id, e.g.


$ terraform import alicloud_ons_instance.instance MQ_INST_1234567890_Baso1234567

» alicloud_ons_topic
Provides an ONS topic resource.
For more information about how to use it, see RocketMQ Topic Management
API.
NOTE: Available in 1.53.0+

» Example Usage

Basic Usage
variable "name" {
default = "onsInstanceName"
}

variable "topic" {
default = "onsTopicName"
}

resource "alicloud_ons_instance" "default" {


name = "${var.name}"
remark = "default_ons_instance_remark"
}

resource "alicloud_ons_topic" "default" {


topic = "${var.topic}"
instance_id = "${alicloud_ons_instance.default.id}"
message_type = 0
remark = "dafault_ons_topic_remark"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required) ID of the ONS Instance that owns the topics.
• topic - (Required) Name of the topic. Two topics on a single instance
cannot have the same name and the name cannot start with ’GID’ or ’CID’.
The length cannot exceed 64 characters.
• message_type - (Required) The type of the message. Read Ons Topic
Create for further details.
• remark - (Optional) This attribute is a concise description of topic. The
length cannot exceed 128.

• perm - (Optional) This attribute is used to set the read-write mode for
the topic. Read Request parameters for further details.

» Attributes Reference

The following attributes are exported:


• id - The key of the resource supplied above. The value is formulated as
<instance_id>:<topic>.

» Import

ONS TOPIC can be imported using the id, e.g.


$ terraform import alicloud_ons_topic.topic MQ_INST_1234567890_Baso1234567:onsTopicDemo

» alicloud_oss_bucket_objects
This data source provides the objects of an OSS bucket.

» Example Usage

data "alicloud_oss_bucket_objects" "bucket_objects_ds" {


bucket_name = "sample_bucket"
key_regex = "sample/sample_object.txt"
}

output "first_object_key" {
value = "${data.alicloud_oss_bucket_objects.bucket_objects_ds.objects.0.key}"
}

» Argument Reference

The following arguments are supported:


• bucket_name - Name of the bucket that contains the objects to find.
• key_regex - (Optional) A regex string to filter results by key.
• key_prefix - (Optional) Filter results by the given key prefix (such as
”path/to/folder/logs-”).
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• objects - A list of bucket objects. Each element contains the following
attributes:
– key - Object key.
– acl - Object access control list. Possible values: default, private,
public-read and public-read-write.
– content_type - Standard MIME type describing the format of the
object data, e.g. ”application/octet-stream”.
– content_length - Size of the object in bytes.
– cache_control - Caching behavior along the request/reply chain.
Read RFC2616 Cache-Control for further details.
– content_disposition - Presentational information for the object.
Read RFC2616 Content-Disposition for further details.
– content_encoding - Content encodings that have been applied to
the object and thus what decoding mechanisms must be applied to
obtain the media-type referenced by the Content-Type header field.
Read RFC2616 Content-Encoding for further details.
– content_md5 - MD5 value of the content. Read MD5 for computing
method.
– expires - Expiration date for the request/response. Read
RFC2616 Expires for further details.
– server_side_encryption - Server-side encryption of the object in
OSS. It can be empty or AES256.
– sse_kms_key_id - If present, specifies the ID of the Key Management
Service (KMS) master encryption key that was used for the object.
– etag - ETag generated for the object (MD5 sum of the object con-
tent).
– storage_class - Object storage type. Possible values: Standard, IA
and Archive.
– last_modification_time - Last modification time of the object.

» alicloud_oss_buckets
This data source provides the OSS buckets of the current Alibaba Cloud user.

» Example Usage

data "alicloud_oss_buckets" "oss_buckets_ds" {
  name_regex = "sample_oss_bucket"
}

output "first_oss_bucket_name" {
  value = "${data.alicloud_oss_buckets.oss_buckets_ds.buckets.0.name}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter results by bucket name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - A list of bucket names.
• buckets - A list of buckets. Each element contains the following at-
tributes:
– name - Bucket name.
– acl - Bucket access control list. Possible values: private,
public-read and public-read-write.
– extranet_endpoint - Internet domain name for accessing the bucket
from outside.
– intranet_endpoint - Intranet domain name for accessing the bucket
from an ECS instance in the same region.
– location - Region of the data center where the bucket is located.
– owner - Bucket owner.
– storage_class - Object storage type. Possible values: Standard, IA
and Archive.
– creation_date - Bucket creation date.
– cors_rules - A list of CORS rule configurations. Each element con-
tains the following attributes:
– allowed_origins - The origins allowed for cross-domain requests.
Multiple elements can be used to specify multiple allowed origins.
Each rule allows up to one wildcard ”*”. If ”*” is specified, cross-
domain requests of all origins are allowed.
– allowed_methods - Specify the allowed methods for cross-domain
requests. Possible values: GET, PUT, DELETE, POST and HEAD.
– allowed_headers - Control whether the headers specified by Access-
Control-Request-Headers in the OPTIONS prefetch command are
allowed. Each header specified by Access-Control-Request-Headers
must match a value in AllowedHeader. Each rule allows up to one
wildcard ”*”.

– expose_headers - Specify the response headers that users can access
from an application (for example, a JavaScript XMLHttpRequest
object). The wildcard ”*” is not allowed.
– max_age_seconds - Specify the cache time for the returned result of
a browser prefetch (OPTIONS) request to a specific resource.
– website - A list of one element containing configuration parameters
used when the bucket is used as a website. It contains the following
attributes:
– index_document - Key of the HTML document containing the home
page.
– error_document - Key of the HTML document containing the error
page.
– logging - A list of one element containing configuration parameters
used for storing access log information. It contains the following
attributes:
– target_bucket - Bucket for storing access logs.
– target_prefix - Prefix of the saved access log file paths.
– referer_config - A list of one element containing referer configura-
tion. It contains the following attributes:
– allow_empty - Indicate whether the access request referer field can
be empty.
– referers - Referer access whitelist.
– lifecycle_rule - A list of lifecycle configurations. When Lifecycle
is enabled, OSS automatically deletes the objects or transitions
the objects (to another storage class) according to the lifecycle rules
on a regular basis. Each element contains the following attributes:
– id - Unique ID of the rule.
– prefix - Prefix applicable to a rule. Only those objects with a match-
ing prefix can be affected by the rule.
– enabled - Indicate whether the rule is enabled or not.
– expiration - A list of one element containing expiration attributes
of an object. It contains the following attributes:
∗ date - Date after which the rule to take effect. The format is
like 2017-03-09.
∗ days - Indicate the number of days after the last object update
until the rules take effect.
– server_side_encryption_rule - A configuration of default encryp-
tion for a bucket. It contains the following attributes:
– sse_algorithm - The server-side encryption algorithm to use.
– tags - A mapping of tags.
– versioning - If present, the versioning state has been set on the
bucket. It contains the following attribute:
∗ status - A bucket versioning state. Possible values: Enabled and
Suspended.

» alicloud_oss_bucket
Provides a resource to create an OSS bucket and set its attributes.
NOTE: The bucket namespace is shared by all users of the OSS system. Please
make the bucket name as unique as possible.

» Example Usage

Private Bucket
resource "alicloud_oss_bucket" "bucket-acl" {
  bucket = "bucket-170309-acl"
  acl    = "private"
}
Static Website
resource "alicloud_oss_bucket" "bucket-website" {
  bucket = "bucket-170309-website"

  website {
    index_document = "index.html"
    error_document = "error.html"
  }
}
Enable Logging
resource "alicloud_oss_bucket" "bucket-target" {
  bucket = "bucket-170309-acl"
  acl    = "public-read"
}

resource "alicloud_oss_bucket" "bucket-logging" {
  bucket = "bucket-170309-logging"

  logging {
    target_bucket = "${alicloud_oss_bucket.bucket-target.id}"
    target_prefix = "log/"
  }
}
Referer configuration
resource "alicloud_oss_bucket" "bucket-referer" {
  bucket = "bucket-170309-referer"
  acl    = "private"

  referer_config {
    allow_empty = false
    referers    = ["http://www.aliyun.com", "https://www.aliyun.com"]
  }
}
Set lifecycle rule
# Expire objects by age (days) or on a fixed date.
resource "alicloud_oss_bucket" "bucket-lifecycle" {
  bucket = "bucket-170309-lifecycle"
  acl    = "public-read"

  lifecycle_rule {
    id      = "rule-days"
    prefix  = "path1/"
    enabled = true

    expiration {
      days = 365
    }
  }
  lifecycle_rule {
    id      = "rule-date"
    prefix  = "path2/"
    enabled = true

    expiration {
      date = "2018-01-12"
    }
  }
}

# Alternative configuration of the same bucket (use one of these resource
# blocks, not all three): transition objects by age in days.
resource "alicloud_oss_bucket" "bucket-lifecycle" {
  bucket = "bucket-170309-lifecycle"
  acl    = "public-read"

  lifecycle_rule {
    id      = "rule-days-transition"
    prefix  = "path3/"
    enabled = true

    transitions {
      days          = 3
      storage_class = "IA"
    }
    transitions {
      days          = 30
      storage_class = "Archive"
    }
  }
}

# Alternative configuration of the same bucket: transition objects
# by created_before_date.
resource "alicloud_oss_bucket" "bucket-lifecycle" {
  bucket = "bucket-170309-lifecycle"
  acl    = "public-read"

  lifecycle_rule {
    id      = "rule-days-transition"
    prefix  = "path3/"
    enabled = true

    transitions {
      created_before_date = "2020-11-11"
      storage_class       = "IA"
    }
    transitions {
      created_before_date = "2021-11-11"
      storage_class       = "Archive"
    }
  }
}
Set bucket policy
resource "alicloud_oss_bucket" "bucket-policy" {
  bucket = "bucket-170309-policy"
  acl    = "private"

  policy = <<POLICY
{"Statement":
[{"Action":
["oss:PutObject", "oss:GetObject", "oss:DeleteBucket"],
"Effect":"Allow",
"Resource":
["acs:oss:*:*:*"]}],
"Version":"1"}
POLICY
}
IA Bucket
resource "alicloud_oss_bucket" "bucket-storageclass" {
  bucket        = "bucket-170309-storageclass"
  storage_class = "IA"
}
Set bucket server-side encryption rule
resource "alicloud_oss_bucket" "bucket-sserule" {
  bucket = "bucket-170309-sserule"
  acl    = "private"

  server_side_encryption_rule {
    sse_algorithm = "AES256"
  }
}
Set bucket tags
resource "alicloud_oss_bucket" "bucket-tags" {
  bucket = "bucket-170309-tags"
  acl    = "private"

  tags = {
    key1 = "value1"
    key2 = "value2"
  }
}
Enable bucket versioning
resource "alicloud_oss_bucket" "bucket-versioning" {
  bucket = "bucket-170309-versioning"
  acl    = "private"

  versioning {
    status = "Enabled"
  }
}

» Argument Reference

The following arguments are supported:


• bucket - (Optional, ForceNew) The name of the bucket. If omitted, Ter-
raform will assign a random and unique name.
• acl - (Optional) The canned ACL to apply. Defaults to ”private”.
• cors_rule - (Optional) A rule of Cross-Origin Resource Sharing (documented
below). An OSS bucket can have no more than 10 CORS rules.
• website - (Optional) A website object (documented below).
• logging - (Optional) The settings of bucket logging (documented below).

• logging_isenable - (Optional) The flag that enables the logging container.
Defaults to true.
• referer_config - (Optional) The configuration of referer (documented
below).
• lifecycle_rule - (Optional) A configuration of object lifecycle manage-
ment (documented below).
• policy - (Optional, Available in 1.41.0) JSON-format text of the bucket policy,
for bucket policy management (documented below).
• storage_class - (Optional, ForceNew) The storage class to apply. Can
be ”Standard”, ”IA” and ”Archive”. Defaults to ”Standard”.
• server_side_encryption_rule - (Optional, Available in 1.45.0+) A con-
figuration of server-side encryption (documented below).
• tags - (Optional, Available in 1.45.0+) A mapping of tags to assign to the
bucket. The items are no more than 10 for a bucket.
• versioning - (Optional, Available in 1.45.0+) A state of versioning (doc-
umented below).
• force_destroy - (Optional, Available in 1.45.0+) A boolean that indicates
all objects should be deleted from the bucket so that the bucket can be
destroyed without error. These objects are not recoverable. Defaults to
”false”.

» Block cors_rule
The cors_rule mapping supports the following:
• allowed_headers - (Optional) Specifies which headers are allowed.
• allowed_methods - (Required) Specifies which methods are allowed. Can
be GET, PUT, POST, DELETE or HEAD.
• allowed_origins - (Required) Specifies which origins are allowed.
• expose_headers - (Optional) Specifies expose header in the response.
• max_age_seconds - (Optional) Specifies time in seconds that browser can
cache the response for a preflight request.

» Block website
The website mapping supports the following:
• index_document - (Required) Alicloud OSS returns this index document
when requests are made to the root domain or any of the subfolders.
• error_document - (Optional) An absolute path to the document to return
in case of a 4XX error.

» Block logging
The logging object supports the following:

• target_bucket - (Required) The name of the bucket that will receive the
log objects.
• target_prefix - (Optional) To specify a key prefix for log objects.

» Block referer configuration


The referer configuration supports the following:
• allow_empty - (Optional, Type: bool) Allows referer to be empty. De-
faults true.
• referers - (Required, Type: list) The list of referer.

» Block lifecycle_rule
The lifecycle_rule object supports the following:
• id - (Optional) Unique identifier for the rule. If omitted, OSS bucket will
assign a unique name.
• prefix - (Required) Object key prefix identifying one or more objects to
which the rule applies.
• enabled - (Required, Type: bool) Specifies lifecycle rule status.
• expiration - (Optional, Type: set) Specifies when the object
expires (documented below).
• transitions - (Optional, Type: set, Available in 1.62.1+) Specifies the
time when an object is converted to the IA or Archive storage class during
a valid life cycle (documented below).

» Block expiration
The lifecycle_rule expiration object supports the following:
• date - (Optional) Specifies the date after which you want the corre-
sponding action to take effect. The value obeys ISO8601 format like
2017-03-09.
• days - (Optional, Type: int) Specifies the number of days after object
creation when the specific rule action takes effect.
NOTE: One and only one of ”date” and ”days” can be specified in one expiration
configuration.

» Block transitions
The lifecycle_rule transitions object supports the following:
• created_before_date - (Optional) Specifies the time before which the
rules take effect. The date must conform to the ISO8601 format and always
be UTC 00:00. For example: 2002-10-11T00:00:00.000Z indicates that

objects updated before 2002-10-11T00:00:00.000Z are deleted or converted
to another storage class, and objects updated after this time (including
this time) are not deleted or converted.
• days - (Optional, Type: int) Specifies the number of days after object
creation when the specific rule action takes effect.
• storage_class - (Required) Specifies the storage class that objects that
conform to the rule are converted into. The storage class of the objects in
a bucket of the IA storage class can be converted into Archive but cannot
be converted into Standard. Values: IA, Archive, Standard.
NOTE: One and only one of ”created_before_date” and ”days” can be specified
in one transition configuration.
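
The constraints stated for the expiration and transitions blocks can be checked before a plan is applied. The validator below is an added example, not part of the provider or its documentation; the function names and the input layout (each block as a list of dicts, as in terraform show -json output) are assumptions, and it generalizes the IA-to-Standard restriction to any conversion into a warmer storage class.

```python
from datetime import datetime

COLDNESS = {"Standard": 0, "IA": 1, "Archive": 2}  # storage_class values from the page

def _is_date(text, formats):
    """True if text parses with any of the given strptime formats."""
    for fmt in formats:
        try:
            datetime.strptime(text, fmt)
            return True
        except (TypeError, ValueError):
            continue
    return False

def _exactly_one(block, first, second, where):
    """The page's NOTE: one and only one of the two keys may be set."""
    found = [key for key in (first, second) if block.get(key) is not None]
    if len(found) == 1:
        return []
    return ["%s: set exactly one of %s/%s, found %d" % (where, first, second, len(found))]

def validate_lifecycle_rule(rule, bucket_storage_class="Standard"):
    """Return a list of problems for one lifecycle_rule block (empty list = valid)."""
    rid = rule.get("id") or "<unnamed>"
    errors = ["%s: %s is required" % (rid, key)
              for key in ("prefix", "enabled") if rule.get(key) is None]
    for exp in rule.get("expiration") or []:
        errors += _exactly_one(exp, "date", "days", rid + " expiration")
        if exp.get("date") is not None and not _is_date(exp["date"], ["%Y-%m-%d"]):
            errors.append("%s expiration: date %r is not like 2017-03-09" % (rid, exp["date"]))
    timed = []  # (days, coldness) of valid day-based transitions
    for tr in rule.get("transitions") or []:
        where = rid + " transitions"
        errors += _exactly_one(tr, "created_before_date", "days", where)
        target = tr.get("storage_class")
        if target not in COLDNESS:
            errors.append("%s: storage_class %r is not IA, Archive or Standard" % (where, target))
        elif COLDNESS[target] < COLDNESS.get(bucket_storage_class, 0):
            errors.append("%s: objects in a %s bucket cannot be converted to %s"
                          % (where, bucket_storage_class, target))
        elif tr.get("days") is not None:
            timed.append((int(tr["days"]), COLDNESS[target]))
        before = tr.get("created_before_date")
        # Assumption: accept the date-only form used in the page's example and the
        # full UTC-midnight form given in the argument description.
        if before is not None and not _is_date(before, ["%Y-%m-%d", "%Y-%m-%dT00:00:00.000Z"]):
            errors.append("%s: created_before_date %r is not an ISO8601 date at UTC 00:00"
                          % (where, before))
    timed.sort()
    for (_, earlier), (days, later) in zip(timed, timed[1:]):
        if later <= earlier:
            errors.append("%s transitions: the step at %d days does not move to a colder class"
                          % (rid, days))
    return errors

# Rule taken from the page's "rule-days-transition" example (days as integers).
PAGE_RULE = {"id": "rule-days-transition", "prefix": "path3/", "enabled": True,
             "transitions": [{"days": 3, "storage_class": "IA"},
                             {"days": 30, "storage_class": "Archive"}]}

# Constructed rule that breaks three of the documented constraints.
BAD_RULE = {"id": "bad", "prefix": "logs/", "enabled": True,
            "expiration": [{"date": "2018-01-12", "days": 365}],
            "transitions": [{"days": 30, "storage_class": "Standard"},
                            {"created_before_date": "2021-11-11T08:00:00.000Z",
                             "storage_class": "Archive"}]}

if __name__ == "__main__":
    for rule, bucket_class in ((PAGE_RULE, "Standard"), (BAD_RULE, "IA")):
        for problem in validate_lifecycle_rule(rule, bucket_class) or ["%s: ok" % rule["id"]]:
            print(problem)
```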

» Block server-side encryption rule


The server-side encryption rule supports the following:
• sse_algorithm - (Required) The server-side encryption algorithm to use.
Possible values: AES256 and KMS.

» Block versioning
The versioning supports the following:
• status - (Required) Specifies the versioning state of a bucket. Valid values:
Enabled and Suspended.
NOTE: Currently, the versioning feature is only available in ap-south-1 and
with white list. If you want to use it, please contact us.

» Attributes Reference

The following attributes are exported:


• id - The name of the bucket.
• acl - The acl of the bucket.
• creation_date - The creation date of the bucket.
• extranet_endpoint - The extranet access endpoint of the bucket.
• intranet_endpoint - The intranet access endpoint of the bucket.
• location - The location of the bucket.
• owner - The bucket owner.

» Import

OSS bucket can be imported using the bucket name, e.g.


$ terraform import alicloud_oss_bucket.bucket bucket-12345678
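
The arguments documented above can be reviewed in CI before a plan is applied. The script below is an added example, not code from the provider or its documentation: it reads the JSON form of a plan (terraform show -json) and reports alicloud_oss_bucket resources with a public acl, no server_side_encryption_rule or logging block, a logging target that is itself public, force_destroy set, or a policy that allows delete or wildcard actions on every resource. The function names, the finding texts and the sample plan (constructed from this page's example values) are assumptions.

```python
import json

PUBLIC_ACLS = {"public-read", "public-read-write"}  # acl values listed on the page

def as_list(value):
    """Blocks and policy fields may be null, a single value, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def policy_findings(policy_text):
    """Flag Allow statements that pair an all-resources ARN with wildcard or delete actions."""
    try:
        doc = json.loads(policy_text)
    except (TypeError, ValueError):
        return ["policy is not valid JSON"]
    if not isinstance(doc, dict):
        return ["policy is not a JSON object"]
    findings = []
    for stmt in as_list(doc.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        # "acs:oss:*:*:*" (the page's example) ends in a bare "*": every bucket and object.
        everything = any(str(r).split(":", 4)[-1] == "*" for r in as_list(stmt.get("Resource")))
        risky = sorted(str(a) for a in as_list(stmt.get("Action"))
                       if str(a) in ("*", "oss:*") or str(a).startswith("oss:Delete"))
        if everything and risky:
            findings.append("policy allows %s on every resource" % ", ".join(risky))
    return findings

def bucket_findings(after, public_names):
    """Check one planned bucket (the "after" object of its resource change)."""
    findings = []
    acl = after.get("acl") or "private"  # the page documents "private" as the default
    if acl in PUBLIC_ACLS:
        findings.append("acl is %s" % acl)
    if not as_list(after.get("server_side_encryption_rule")):
        findings.append("no server_side_encryption_rule block")
    logging_blocks = as_list(after.get("logging"))
    if not logging_blocks:
        findings.append("no logging block")
    for block in logging_blocks:
        if block.get("target_bucket") in public_names:
            findings.append("logging target_bucket %s is publicly readable" % block["target_bucket"])
    if after.get("force_destroy"):
        findings.append("force_destroy is true")
    if after.get("policy"):
        findings.extend(policy_findings(after["policy"]))
    return findings

def audit_plan(plan):
    """Map each planned alicloud_oss_bucket address to its list of findings."""
    planned = [(rc["address"], rc["change"]["after"])
               for rc in plan.get("resource_changes", [])
               if rc.get("type") == "alicloud_oss_bucket"
               and (rc.get("change") or {}).get("after")]
    # Names of publicly readable buckets in this plan, so a logging block that
    # points at one can be reported. Values only known after apply are absent
    # from "after" and are not resolved here.
    public_names = {after.get("bucket") for _, after in planned
                    if after.get("acl") in PUBLIC_ACLS} - {None}
    return {address: bucket_findings(after, public_names) for address, after in planned}

def _change(name, after):
    return {"address": "alicloud_oss_bucket." + name, "type": "alicloud_oss_bucket",
            "change": {"actions": ["create"], "after": after}}

# Policy document from the page's "Set bucket policy" example.
PAGE_POLICY = json.dumps({"Statement": [{
    "Action": ["oss:PutObject", "oss:GetObject", "oss:DeleteBucket"],
    "Effect": "Allow", "Resource": ["acs:oss:*:*:*"]}], "Version": "1"})

# Constructed plan: three buckets modelled on the page's examples (with literal
# bucket names) and one hardened bucket with placeholder names.
SAMPLE_PLAN = {"resource_changes": [
    _change("bucket-target", {"bucket": "bucket-170309-acl", "acl": "public-read"}),
    _change("bucket-logging", {"bucket": "bucket-170309-logging", "acl": "private",
            "logging": [{"target_bucket": "bucket-170309-acl", "target_prefix": "log/"}]}),
    _change("bucket-policy", {"bucket": "bucket-170309-policy", "acl": "private",
            "policy": PAGE_POLICY}),
    _change("hardened", {"bucket": "example-hardened", "acl": "private",
            "server_side_encryption_rule": [{"sse_algorithm": "KMS"}],
            "logging": [{"target_bucket": "example-private-logs", "target_prefix": "log/"}]}),
]}

if __name__ == "__main__":
    for address, findings in audit_plan(SAMPLE_PLAN).items():
        print(address, "->", "; ".join(findings) or "ok")
```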

» alicloud_oss_bucket_object
Provides a resource to put an object (content or file) into an OSS bucket.

» Example Usage

» Uploading a file to a bucket

resource "alicloud_oss_bucket_object" "object-source" {
  bucket = "your_bucket_name"
  key    = "new_object_key"
  source = "path/to/file"
}

» Uploading content to a bucket

resource "alicloud_oss_bucket" "example" {
  bucket = "your_bucket_name"
  acl    = "public-read"
}

resource "alicloud_oss_bucket_object" "object-content" {
  bucket  = "${alicloud_oss_bucket.example.bucket}"
  key     = "new_object_key"
  content = "the content that you want to upload."
}

» Argument Reference

Note: If you specify content_encoding you are responsible for encoding
the body appropriately (i.e. source and content both expect already
encoded/compressed bytes).
The following arguments are supported:
• bucket - (Required) The name of the bucket to put the file in.
• key - (Required) The name of the object once it is in the bucket.
• source - (Optional) The path to the source file being uploaded to the
bucket.
• content - (Optional unless source given) The literal content being up-
loaded to the bucket.
• acl - (Optional) The canned ACL to apply. Defaults to ”private”.

• content_type - (Optional) A standard MIME type describing the format
of the object data, e.g. application/octet-stream. All Valid MIME Types
are valid for this input.
• cache_control - (Optional) Specifies caching behavior along the
request/reply chain. Read RFC2616 Cache-Control for further details.
• content_disposition - (Optional) Specifies presentational information
for the object. Read RFC2616 Content-Disposition for further details.
• content_encoding - (Optional) Specifies what content encodings have
been applied to the object and thus what decoding mechanisms must be
applied to obtain the media-type referenced by the Content-Type header
field. Read RFC2616 Content-Encoding for further details.
• content_md5 - (Optional) The MD5 value of the content. Read MD5 for
computing method.
• expires - (Optional) Specifies the expiration date for the request/response.
Read RFC2616 Expires for further details.
• server_side_encryption - (Optional) Specifies server-side encryption of
the object in OSS. Valid values are AES256, KMS. Default value is AES256.
• kms_key_id - (Optional, Available in 1.62.1+) Specifies the primary
key managed by KMS. This parameter is valid when the value of
server_side_encryption is set to KMS.
Either source or content must be provided to specify the bucket content. These
two arguments are mutually-exclusive.

» Attributes Reference

The following attributes are exported:


• id - the key of the resource supplied above.
• content_length - the content length of request.
• etag - the ETag generated for the object (an MD5 sum of the object
content).
• version_id - A unique version ID value for the object, if bucket versioning
is enabled.

» alicloud_ots_instance_attachments
This data source provides the ots instance attachments of the current Alibaba
Cloud user.

» Example Usage

data "alicloud_ots_instance_attachments" "attachments_ds" {
  instance_name = "sample-instance"
  name_regex    = "testvpc"
  output_file   = "attachments.txt"
}

output "first_ots_attachment_id" {
  value = "${data.alicloud_ots_instance_attachments.attachments_ds.attachments.0.id}"
}

» Argument Reference

The following arguments are supported:


• instance_name - (Required) The name of OTS instance.
• name_regex - (Optional) A regex string to filter results by vpc name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - A list of vpc names.
• vpc_ids - A list of vpc ids.
• attachments - A list of instance attachments. Each element contains the
following attributes:
– id - The resource ID, the value is same as ”instance_name”.
– domain - The domain of the instance attachment.
– endpoint - The access endpoint of the instance attachment.
– region - The region of the instance attachment.
– instance_name - The instance name.
– vpc_name - The name of the VPC attached to the instance.
– vpc_id - The ID of the VPC attached to the instance.

» alicloud_ots_instances
This data source provides the ots instances of the current Alibaba Cloud user.

» Example Usage

data "alicloud_ots_instances" "instances_ds" {
  name_regex  = "sample-instance"
  output_file = "instances.txt"
}

output "first_instance_id" {
  value = "${data.alicloud_ots_instances.instances_ds.instances.0.id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of instance IDs.
• name_regex - (Optional) A regex string to filter results by instance name.
• tags - (Optional) A map of tags assigned to the instance. It must be in the
format:
data "alicloud_ots_instances" "instances_ds" {
  tags = {
    tagKey1 = "tagValue1"
    tagKey2 = "tagValue2"
  }
}
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of instance IDs.
• names - A list of instance names.
• instances - A list of instances. Each element contains the following
attributes:
– id - ID of the instance.
– name - Instance name.
– status - Instance status. Possible values: Running, Disabled,
Deleting.
– write_capacity - The maximum adjustable write capacity unit of
the instance.
– read_capacity - The maximum adjustable read capacity unit of the
instance.
– cluster_type - The cluster type of the instance. Possible values:
SSD, HYBRID.
– create_time - The create time of the instance.
– user_id - The user id of the instance.
– network - The network type of the instance. Possible values: NORMAL,
VPC, VPC_CONSOLE.
– description - The description of the instance.
– entity_quota - The instance quota, which indicates the maximum
number of tables.
– tags - The tags of the instance.

» alicloud_ots_tables
This data source provides the ots tables of the current Alibaba Cloud user.
NOTE: Available in v1.40.0+.

» Example Usage

data "alicloud_ots_tables" "tables_ds" {
  instance_name = "sample-instance"
  name_regex    = "sample-table"
  output_file   = "tables.txt"
}

output "first_table_id" {
  value = "${data.alicloud_ots_tables.tables_ds.tables.0.id}"
}

» Argument Reference

The following arguments are supported:


• instance_name - The name of OTS instance.
• ids - (Optional) A list of table IDs.
• name_regex - (Optional) A regex string to filter results by table name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of table IDs.
• names - A list of table names.
• tables - A list of tables. Each element contains the following attributes:
– id - ID of the table. The value is <instance_name>:<table_name>.
– instance_name - The OTS instance name.
– table_name - The table name of the OTS which could not be
changed.
– primary_key - The property of TableMeta which indicates the struc-
ture information of a table.
– time_to_live - The retention time of data stored in this table.
– max_version - The maximum number of versions stored in this table.

» alicloud_ots_instance
This resource helps you manage a Table Store instance. It is the foundation
for creating data tables.

» Example Usage

# Create an OTS instance
resource "alicloud_ots_instance" "foo" {
  name        = "my-ots-instance"
  description = "for table"
  accessed_by = "Vpc"
  tags = {
    Created = "TF"
    For     = "Building table"
  }
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) The name of the instance.
• accessed_by - The network limitation of accessing instance. Valid values:
– Any - Allow all networks to access the instance.
– Vpc - Only the attached VPC can access the instance.
– ConsoleOrVpc - Allow the web console or the attached VPC to access
the instance.
Defaults to ”Any”.
• instance_type - (ForceNew) The type of instance. Valid values are ”Capacity”
and ”HighPerformance”. Defaults to ”HighPerformance”.
• description - (Optional, ForceNew) The description of the instance. Currently,
it cannot be modified.
• tags - A mapping of tags to assign to the instance.

» Attributes Reference

The following attributes are exported:


• id - The resource ID. The value is same as the ”name”.
• name - The instance name.

• description - The instance description.
• accessed_by - The network limitation of accessing instance.
• instance_type - The instance type.
• tags - The instance tags.

» Import

OTS instance can be imported using instance id or name, e.g.


$ terraform import alicloud_ots_instance.foo "my-ots-instance"

» alicloud_ots_instance_attachment
This resource will help you to bind a VPC to an OTS instance.

» Example Usage

# Create an OTS instance
resource "alicloud_ots_instance" "foo" {
  name        = "my-ots-instance"
  description = "for table"
  accessed_by = "Vpc"
  tags = {
    Created = "TF"
    For     = "Building table"
  }
}

data "alicloud_zones" "foo" {
  available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "foo" {
  cidr_block = "172.16.0.0/16"
  name       = "for-ots-instance"
}

resource "alicloud_vswitch" "foo" {
  vpc_id            = "${alicloud_vpc.foo.id}"
  name              = "for-ots-instance"
  cidr_block        = "172.16.1.0/24"
  availability_zone = "${data.alicloud_zones.foo.zones.0.id}"
}

resource "alicloud_ots_instance_attachment" "foo" {
  instance_name = "${alicloud_ots_instance.foo.name}"
  vpc_name      = "attachment1"
  vswitch_id    = "${alicloud_vswitch.foo.id}"
}

» Argument Reference

The following arguments are supported:


• instance_name - (Required, ForceNew) The name of the OTS instance.
• vpc_name - (Required, ForceNew) The name of the VPC to attach to the instance.
• vswitch_id - (Required, ForceNew) The ID of the VSwitch to attach to the
instance.

» Attributes Reference

The following attributes are exported:


• id - The resource ID. The value is same as ”instance_name”.
• instance_name - The instance name.
• vpc_name - The name of the VPC attached to the instance.
• vswitch_id - The ID of the VSwitch attached to the instance.
• vpc_id - The ID of the VPC attached to the instance.

» alicloud_ots_table
Provides an OTS table resource.
NOTE: From Provider version 1.10.0, the provider field ’ots_instance_name’
has been deprecated and you should use resource alicloud_ots_table’s new field
’instance_name’ and ’table_name’ to re-import this resource.

» Example Usage

variable "name" {
  default = "terraformtest"
}

resource "alicloud_ots_instance" "foo" {
  name        = "${var.name}"
  description = "${var.name}"
  accessed_by = "Any"
  tags = {
    Created = "TF"
    For     = "acceptance test"
  }
}

resource "alicloud_ots_table" "basic" {
  instance_name = "${alicloud_ots_instance.foo.name}"
  table_name    = "${var.name}"
  primary_key {
    name = "pk1"
    type = "Integer"
  }
  primary_key {
    name = "pk2"
    type = "String"
  }
  primary_key {
    name = "pk3"
    type = "Binary"
  }

  time_to_live                  = -1
  max_version                   = 1
  deviation_cell_version_in_sec = 1
}

» Argument Reference

The following arguments are supported:


• instance_name - (Required, ForceNew) The name of the OTS instance in
which the table will be located.
• table_name - (Required, ForceNew) The table name of the OTS instance.
If changed, a new table would be created.
• primary_key - (Required, ForceNew) The property of TableMeta which
indicates the structure information of a table. It describes the attribute
value of primary key. The number of primary_key should not be less than
one and not be more than four.
– name - (Required, ForceNew) Name for primary key.
– type - (Required, ForceNew) Type for primary key. Only Integer,
String or Binary is allowed.
• time_to_live - (Required) The retention time of data stored in this table
(unit: second). The maximum value is 2147483647; -1 means the data never
expires.
• max_version - (Required) The maximum number of versions stored in
this table. The valid value is 1-2147483647.

• deviation_cell_version_in_sec - (Optional, Available in 1.42.0+) The
max version offset of the table. The valid value is 1-9223372036854775807.
Defaults to 86400.

» Attributes Reference

The following attributes are exported:


• id - The resource ID. The value is <instance_name>:<table_name>.
• instance_name - The OTS instance name.
• table_name - The table name of the OTS which could not be changed.
• primary_key - The property of TableMeta which indicates the structure
information of a table.
• time_to_live - The retention time of data stored in this table.
• max_version - The maximum number of versions stored in this table.
• deviation_cell_version_in_sec - The max version offset of the table.

» Import

OTS table can be imported using id, e.g.


$ terraform import alicloud_ots_table.table "my-ots:ots_table"

» alicloud_pvtz_zone_records
This data source provides Private Zone Records resource information owned by
an Alibaba Cloud account.

» Example Usage

data "alicloud_pvtz_zone_records" "records_ds" {
  zone_id = "${alicloud_pvtz_zone.basic.id}"
  keyword = "${alicloud_pvtz_zone_record.foo.value}"
}

output "first_record_id" {
  value = "${data.alicloud_pvtz_zone_records.records_ds.records.0.id}"
}

» Argument Reference

The following arguments are supported:

• keyword - (Optional) Keyword for record rr and value.
• zone_id - (Required) ID of the Private Zone.
• ids - (Optional, Available in 1.53.0+) A list of Private Zone Record IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of Private Zone Record IDs.
• records - A list of zone records. Each element contains the following
attributes:
– id - ID of the Private Zone Record.
– resource_record - Resource record of the Private Zone Record.
– type - Type of the Private Zone Record.
– value - Value of the Private Zone Record.
– ttl - TTL of the Private Zone Record.
– priority - Priority of the Private Zone Record.

» alicloud_pvtz_zones
This data source lists information about the Private Zones owned by
an Alibaba Cloud account.

» Example Usage

data "alicloud_pvtz_zones" "pvtz_zones_ds" {
  keyword = "${alicloud_pvtz_zone.basic.zone_name}"
}

output "first_zone_id" {
  value = "${data.alicloud_pvtz_zones.pvtz_zones_ds.zones.0.id}"
}

» Argument Reference

The following arguments are supported:


• keyword - (Optional) keyword for zone name.
• ids - (Optional, Available in 1.53.0+) A list of zone IDs.

• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of zone IDs.
• names - A list of zone names.
• zones - A list of zones. Each element contains the following attributes:
– id - ID of the Private Zone.
– remark - Remark of the Private Zone.
– record_count - Count of the Private Zone Record.
– name - Name of the Private Zone.
– is_ptr - Whether the Private Zone is ptr.
– creation_time - Time of creation of the Private Zone.
– update_time - Time of update of the Private Zone.
– bind_vpcs - List of the VPCs bound to the Private Zone.

» alicloud_pvtz_zone
Provides a Private Zone resource.
NOTE: Terraform will automatically create a Private Zone when alicloud_pvtz_zone
is used to build a Private Zone resource.

» Example Usage

Basic Usage
resource "alicloud_pvtz_zone" "foo" {
  name = "foo.test.com"
}

» Argument Reference

The following arguments are supported:


• name - (Optional, ForceNew) The name of the Private Zone.
• remark - (Optional) The remark of the Private Zone.
• proxy_pattern - (Optional, Available in 1.69.0+) The recursive DNS
proxy. Valid values:

– ZONE: indicates that the recursive DNS proxy is disabled.
– RECORD: indicates that the recursive DNS proxy is enabled.
Defaults to ”ZONE”.
• user_client_ip - (Optional, Available in 1.69.0+) The IP address of the
client.
• lang - (Optional, Available in 1.69.0+) The language. Valid values: ”zh”,
”en”, ”jp”.

» Attributes Reference

The following attributes are exported:


• id - The ID of the Private Zone.
• record_count - The count of the Private Zone Record.

» Import

Private Zone can be imported using the id, e.g.


$ terraform import alicloud_pvtz_zone.example abc123456

» alicloud_pvtz_zone_attachment
Provides a resource that binds VPCs to an Alicloud Private Zone.
NOTE: Terraform will automatically bind the VPC to a Private Zone when
alicloud_pvtz_zone_attachment is used to build a Private Zone and VPC binding
resource.

» Example Usage

Using vpc_ids to attach several VPC instances in the same region to a private
zone
resource "alicloud_pvtz_zone" "zone" {
  name = "foo.test.com"
}

resource "alicloud_vpc" "first" {
  name       = "the-first-vpc"
  cidr_block = "172.16.0.0/12"
}

resource "alicloud_vpc" "second" {
  name       = "the-second-vpc"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_pvtz_zone_attachment" "zone-attachment" {
  zone_id = alicloud_pvtz_zone.zone.id
  vpc_ids = [alicloud_vpc.first.id, alicloud_vpc.second.id]
}
Using vpcs to attach several VPC instances in the same region to a private
zone
resource "alicloud_pvtz_zone" "zone" {
  name = "foo.test.com"
}

resource "alicloud_vpc" "first" {
  name       = "the-first-vpc"
  cidr_block = "172.16.0.0/12"
}

resource "alicloud_vpc" "second" {
  name       = "the-second-vpc"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_pvtz_zone_attachment" "zone-attachment" {
  zone_id = "${alicloud_pvtz_zone.zone.id}"
  vpcs {
    vpc_id = alicloud_vpc.first.id
  }
  vpcs {
    vpc_id = alicloud_vpc.second.id
  }
}
Using vpcs to attach being in different regions several vpc instances to a private
zone
resource "alicloud_pvtz_zone" "zone" {
name = "foo.test.com"
}

resource "alicloud_vpc" "first" {


name = "the-first-vpc"
cidr_block = "172.16.0.0/12"
}
resource "alicloud_vpc" "second" {

393
name = "the-second-vpc"
cidr_block = "172.16.0.0/16"
}

provider "alicloud" {
alias = "eu"
region = "eu-central-1"
}

resource "alicloud_vpc" "third" {


provider = alicloud.eu
name = "the-third-vpc"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_pvtz_zone_attachment" "zone-attachment" {


zone_id = "${alicloud_pvtz_zone.zone.id}"
vpcs {
vpc_id = alicloud_vpc.first.id
}
vpcs {
vpc_id = alicloud_vpc.second.id
}
vpcs {
region_id = "eu-central-1"
vpc_id = alicloud_vpc.third.id
}
}

» Argument Reference

The following arguments are supported:


• zone_id - (Required, ForceNew) The name of the Private Zone Record.
• vpc_ids - (Optional, Conflict with vpcs) The list of IDs of VPCs in the
same region, for example: [”vpc-1”,”vpc-2”].
• vpcs - (Optional, Conflict with vpc_ids, Available in 1.62.1+) The list
of VPCs:
– vpc_id - (Required) The ID of the VPC.
– region_id - (Optional) The region of the VPC. If not set, the current
region is used instead.
Using vpcs is recommended.
• lang - (Optional, Available in 1.62.1+) The language of code.
• user_client_ip - (Optional, Available in 1.62.1+) The user custom IP
address.

» Attributes Reference

The following attributes are exported:


• id - The ID of the Private Zone VPC Attachment. It is the same as zone_id.

» Import

Private Zone attachment can be imported using the id (the same as zone_id), e.g.
$ terraform import alicloud_pvtz_zone_attachment.example abc123456

» alicloud_pvtz_zone_record
Provides a Private Zone Record resource.
NOTE: Terraform automatically creates a Private Zone Record when it uses
alicloud_pvtz_zone_record to build a Private Zone Record resource.

» Example Usage

Basic Usage
resource "alicloud_pvtz_zone" "zone" {
name = "foo.test.com"
}

resource "alicloud_pvtz_zone_record" "foo" {


zone_id = "${alicloud_pvtz_zone.zone.id}"
resource_record = "www"
type = "CNAME"
value = "bbb.test.com"
ttl = 60
}

» Argument Reference

The following arguments are supported:


• zone_id - (Required, ForceNew) The name of the Private Zone Record.
• resource_record - (Required, ForceNew) The resource record of the
Private Zone Record.
• type - (Required) The type of the Private Zone Record. Valid values: A,
CNAME, TXT, MX, PTR.
• value - (Required) The value of the Private Zone Record.
• ttl - (Optional) The ttl of the Private Zone Record.
• priority - (Optional) The priority of the Private Zone Record. At present,
only ”MX” records support it. Valid values: [1-50]. Default to 1.

» Attributes Reference

The following attributes are exported:


• id - The ID of this resource. The value is formatted as <record_id>:<zone_id>.
• record_id - The Private Zone Record ID.

» Import

Private Zone Record can be imported using the id, e.g.


$ terraform import alicloud_pvtz_zone_record.example abc123456

» alicloud_ram_account_alias
NOTE: This datasource has been deprecated from v1.3.2. Please use
alicloud_ram_account_aliases instead.

» alicloud_ram_account_aliases
This data source provides an alias for the Alibaba Cloud account.

» Example Usage

data "alicloud_ram_account_aliases" "alias_ds" {


output_file = "alias.txt"
}

output "account_alias" {
value = "${data.alicloud_ram_account_aliases.alias_ds.account_alias}"
}

» Argument Reference

The following arguments are supported:


• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• account_alias - Alias of the account.

» alicloud_ram_groups
This data source provides a list of RAM Groups in an Alibaba Cloud account
according to the specified filters.

» Example Usage

data "alicloud_ram_groups" "groups_ds" {


output_file = "groups.txt"
user_name = "user1"
name_regex = "^group[0-9]*"
}

output "first_group_name" {
value = "${data.alicloud_ram_groups.groups_ds.groups.0.name}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter the returned groups by
their names.
• user_name - (Optional) Filter the results by a specific user name.
• policy_type - (Optional) Filter the results by a specific policy type. Valid
items are Custom and System. If you set this parameter, you must set
policy_name as well.
• policy_name - (Optional) Filter the results by a specific policy name. If
you set this parameter without setting policy_type, it will be automatically
set to System.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - A list of ram group names.
• groups - A list of groups. Each element contains the following attributes:
– name - Name of the group.
– comments - Comments of the group.

» alicloud_ram_policies
This data source provides a list of RAM policies in an Alibaba Cloud account
according to the specified filters.

» Example Usage

data "alicloud_ram_policies" "policies_ds" {


output_file = "policies.txt"
user_name = "user1"
group_name = "group1"
type = "System"
}

output "first_policy_name" {
value = "${data.alicloud_ram_policies.policies_ds.policies.0.name}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter resulting policies by name.
• type - (Optional) Filter results by a specific policy type. Valid values are
Custom and System.
• user_name - (Optional) Filter results by a specific user name. Returned
policies are attached to the specified user.
• group_name - (Optional) Filter results by a specific group name. Returned
policies are attached to the specified group.
• role_name - (Optional) Filter results by a specific role name. Returned
policies are attached to the specified role.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• names - A list of ram group names.
• policies - A list of policies. Each element contains the following
attributes:
– name - Name of the policy.
– type - Type of the policy.
– description - Description of the policy.
– default_version - Default version of the policy.
– create_date - Creation date of the policy.
– update_date - Update date of the policy.
– attachment_count - Attachment count of the policy.
– document - Policy document of the policy.

» alicloud_ram_roles
This data source provides a list of RAM Roles in an Alibaba Cloud account
according to the specified filters.

» Example Usage

data "alicloud_ram_roles" "roles_ds" {


output_file = "roles.txt"
name_regex = ".*test.*"
policy_name = "AliyunACSDefaultAccess"
policy_type = "Custom"
}

output "first_role_id" {
value = "${data.alicloud_ram_roles.roles_ds.roles.0.id}"
}

» Argument Reference

The following arguments are supported:

• name_regex - (Optional) A regex string to filter results by the role name.
• ids - (Optional, Available in 1.53.0+) A list of ram role IDs.
• policy_type - (Optional) Filter results by a specific policy type. Valid
values are Custom and System. If you set this parameter, you must set
policy_name as well.
• policy_name - (Optional) Filter results by a specific policy name. If
you set this parameter without setting policy_type, the latter will be
automatically set to System. The resulting roles will be attached to the
specified policy.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of ram role IDs.
• names - A list of ram role names.
• roles - A list of roles. Each element contains the following attributes:
– id - Id of the role.
– name - Name of the role.
– arn - Resource descriptor of the role.
– description - Description of the role.
– assume_role_policy_document - Authorization strategy of the role.
This parameter is deprecated and replaced by document.
– document - Authorization strategy of the role.
– create_date - Creation date of the role.
– update_date - Update date of the role.

» alicloud_ram_users
This data source provides a list of RAM users in an Alibaba Cloud account
according to the specified filters.

» Example Usage

data "alicloud_ram_users" "users_ds" {


output_file = "users.txt"
group_name = "group1"
policy_name = "AliyunACSDefaultAccess"
policy_type = "Custom"
name_regex = "^user"
}

output "first_user_id" {
value = "${data.alicloud_ram_users.users_ds.users.0.id}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter resulting users by their
names.
• ids - (Optional, Available in 1.53.0+) A list of ram user IDs.
• group_name - (Optional) Filter results by a specific group name. Returned
users are in the specified group.
• policy_type - (Optional) Filter results by a specific policy type. Valid
values are Custom and System. If you set this parameter, you must set
policy_name as well.
• policy_name - (Optional) Filter results by a specific policy name. If
you set this parameter without setting policy_type, the latter will be
automatically set to System. Returned users are attached to the specified
policy.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of ram user IDs.
• names - A list of ram user names.
• users - A list of users. Each element contains the following attributes:
– id - The original id is user name, but it is user id in 1.37.0+.
– name - Name of the user.
– create_date - Creation date of the user.
– last_login_date - Last login date of the user.

» alicloud_ram_access_key
Provides a RAM User access key resource.
NOTE: You should set the secret_file if you want to get the access key.

» Example Usage

# Create a new RAM access key for user.


resource "alicloud_ram_user" "user" {
name = "user_test"
display_name = "user_display_name"
mobile = "86-18688888888"
email = "[email protected]"
comments = "yoyoyo"
force = true
}

resource "alicloud_ram_access_key" "ak" {


user_name = "${alicloud_ram_user.user.name}"
secret_file = "/xxx/xxx/xxx.txt"
}

» Argument Reference

The following arguments are supported:


• user_name - (Optional, ForceNew) Name of the RAM user. This name
can have a string of 1 to 64 characters, must contain only alphanumeric
characters or hyphens, such as ”-”,”.”,”_”, and must not begin with a
hyphen.
• secret_file - (Optional, ForceNew) The name of the file in which to save the
access key ID and access key secret. It is strongly recommended to specify it
when creating the access key; otherwise you will never be able to get its
secret.
• status - (Optional) Status of access key. It must be Active or Inactive.
Default value is Active.
• pgp_key - (Optional, Available in 1.47.0+) Either a base-64 encoded PGP
public key, or a keybase username in the form keybase:some_person_that_exists

» Attributes Reference

The following attributes are exported:


• id - The access key ID.
• status - The access key status.
• key_fingerprint - The fingerprint of the PGP key used to encrypt the
secret.
• encrypted_secret - The encrypted secret, base64 encoded.
NOTE: The encrypted secret may be decrypted using the command line, for
example: terraform output encrypted_secret | base64 --decode
| keybase pgp decrypt.
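The pgp_key argument and the encrypted_secret attribute described above let the secret be handed over only in PGP-encrypted form instead of being saved through secret_file. The configuration below is an added example, not taken from the provider documentation; the user name ci_deployer and the output names are hypothetical, and keybase:some_person_that_exists is the placeholder from the argument description.

```hcl
# Added example. Names marked "hypothetical" are assumptions, not provider values.

resource "alicloud_ram_user" "ci" {
  name     = "ci_deployer" # hypothetical user name
  comments = "service user for deployments"
  force    = true
}

# Weak variant (kept as a comment for comparison): secret_file saves the
# access key ID and secret to a local file, so anyone who can read that
# path, or a backup of it, holds a working credential.
#
# resource "alicloud_ram_access_key" "plaintext" {
#   user_name   = alicloud_ram_user.ci.name
#   secret_file = "/xxx/xxx/xxx.txt"
# }

# Hardened variant: no secret_file. The secret is exported only as
# encrypted_secret, encrypted to the PGP key named in pgp_key.
resource "alicloud_ram_access_key" "encrypted" {
  user_name = alicloud_ram_user.ci.name
  status    = "Active"

  # Placeholder from the argument reference; replace with a real Keybase
  # user or a base-64 encoded PGP public key (Available in 1.47.0+).
  pgp_key = "keybase:some_person_that_exists"
}

output "access_key_id" {
  value = alicloud_ram_access_key.encrypted.id
}

# Lets the recipient confirm which PGP key the secret was encrypted to
# before attempting to decrypt it.
output "key_fingerprint" {
  value = alicloud_ram_access_key.encrypted.key_fingerprint
}

# Decrypt on the key owner's machine with the command from the NOTE above:
#   terraform output encrypted_secret | base64 --decode | keybase pgp decrypt
output "encrypted_secret" {
  value = alicloud_ram_access_key.encrypted.encrypted_secret
}
```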

» alicloud_ram_account_alias
Provides a RAM cloud account alias.

» Example Usage

# Create an alias for the cloud account.


resource "alicloud_ram_account_alias" "alias" {
account_alias = "hallo"
}

» Argument Reference

The following arguments are supported:


• account_alias - (Required, ForceNew) Alias of cloud account. This name
can have a string of 3 to 32 characters, must contain only alphanumeric
characters or hyphens, such as ”-”, and must not begin with a hyphen.

» Attributes Reference

The following attributes are exported:


• id - The account alias ID, it’s set to account_alias.
• account_alias - The account alias.

» Import

RAM account alias can be imported using the id, e.g.
$ terraform import alicloud_ram_account_alias.example my-alias

» alicloud_ram_account_password_policy
Provides a RAM password policy configuration for the entire account. Only one
resource per account.
NOTE: This resource overwrites an existing configuration. On
terraform destroy it resets the values to the defaults for this resource (it
does not preserve any pre-existing configuration).
NOTE: Available in 1.46.0+

» Example Usage

An empty resource sets the default value for every property.


resource "alicloud_ram_account_password_policy" "default" {

}
resource "alicloud_ram_account_password_policy" "corporate" {
minimum_password_length = 9
require_lowercase_characters = false
require_uppercase_characters = false
require_numbers = false
require_symbols = false
hard_expiry = true
max_password_age = 12
password_reuse_prevention = 5
max_login_attempts = 3
}
Values that are not specified are set to their defaults.

» Argument Reference

The following arguments are supported:


• minimum_password_length - (Optional) Minimal required length of a
password for a user. Valid value range: [8-32]. Default to 12.
• require_lowercase_characters - (Optional) Specifies if the occurrence
of a lowercase character in the password is mandatory. Default to true.
• require_uppercase_characters - (Optional) Specifies if the occurrence
of an uppercase character in the password is mandatory. Default to true.
• require_numbers - (Optional) Specifies if the occurrence of a number in
the password is mandatory. Default to true.
• require_symbols - (Optional) Specifies if the occurrence of a special
character in the password is mandatory. Default to true.
• hard_expiry - (Optional) Specifies if a password can expire in a hard way.
Default to false.
• max_password_age - (Optional) The number of days after which the password
expires. A value of 0 indicates that the password never expires. Valid value
range: [0-1095]. Default to 0.
• password_reuse_prevention - (Optional) User is not allowed to use the
latest number of passwords specified in this parameter. A value of 0
indicates the password history check policy is disabled. Valid value range:
[0-24]. Default to 0.
• max_login_attempts - (Optional, Type: int) Maximum logon attempts
with an incorrect password within an hour. Valid value range: [0-32].
Default to 5.

» Import

RAM account password policy can be imported using the id, e.g.
$ terraform import alicloud_ram_account_password_policy.example ram-account-password-policy
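The "corporate" example above turns off every character-class requirement and shortens the minimum length below the default, which makes the account policy weaker than an empty resource would. The configuration below is an added example, not from the provider documentation, that tightens the policy instead; the resource name hardened and the chosen values are assumptions, each inside the valid range listed in the argument reference.

```hcl
# Added example. Only one alicloud_ram_account_password_policy resource may
# exist per account, so the weak variant is shown as a comment for comparison.
#
# Weak (the "corporate" values from the example above):
#   minimum_password_length      = 9      # below the default of 12
#   require_lowercase_characters = false  # default is true
#   require_uppercase_characters = false  # default is true
#   require_numbers              = false  # default is true
#   require_symbols              = false  # default is true

resource "alicloud_ram_account_password_policy" "hardened" {
  # Valid range [8-32], default 12.
  minimum_password_length = 14

  # All four default to true. Setting them explicitly keeps the intent
  # visible in review and in terraform plan output.
  require_lowercase_characters = true
  require_uppercase_characters = true
  require_numbers              = true
  require_symbols              = true

  # Valid range [0-1095] days; 0 (the default) means passwords never expire.
  max_password_age = 90

  # Left at the documented default.
  hard_expiry = false

  # Valid range [0-24]; 0 (the default) disables the history check.
  password_reuse_prevention = 24

  # Valid range [0-32] failed logons within an hour, default 5.
  max_login_attempts = 5
}
```

Because terraform destroy resets the account to the resource defaults, removing this resource also turns password expiry and the reuse check back off (both default to 0).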

» alicloud_ram_alias
NOTE: This resource has been deprecated from v1.3.2. The new resource
alicloud_ram_account_alias replaces it.

» alicloud_ram_group
Provides a RAM Group resource.
NOTE: To destroy this resource forcefully (that is, automatically remove all
the relationships associated with it and then destroy it) when force was not
set to true at the beginning, add force = true to the configuration file and
run terraform plan; you can then delete the resource forcefully.

» Example Usage

# Create a new RAM Group.


resource "alicloud_ram_group" "group" {
name = "groupName"
comments = "this is a group comments."
force = true
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) Name of the RAM group. This name can
have a string of 1 to 128 characters, must contain only alphanumeric
characters or hyphen ”-”, and must not begin with a hyphen.
• comments - (Optional) Comment of the RAM group. This parameter can
have a string of 1 to 128 characters.
• force - (Optional) This parameter is used for resource destroy. Default
value is false.

» Attributes Reference

The following attributes are exported:


• id - The group ID.
• name - The group name.
• comments - The group comments.

» Import

RAM group can be imported using the id or name, e.g.


$ terraform import alicloud_ram_group.example my-group

» alicloud_ram_group_membership
Provides a RAM Group membership resource.

» Example Usage

# Create a RAM Group membership.


resource "alicloud_ram_group" "group" {
name = "groupName"
comments = "this is a group comments."
force = true
}

resource "alicloud_ram_user" "user" {


name = "user_test"
display_name = "user_display_name"
mobile = "86-18688888888"
email = "[email protected]"
comments = "yoyoyo"
force = true
}

resource "alicloud_ram_user" "user1" {

name = "user_test1"
display_name = "user_display_name1"
mobile = "86-18688888889"
email = "[email protected]"
comments = "yoyoyo"
force = true
}

resource "alicloud_ram_group_membership" "membership" {


group_name = "${alicloud_ram_group.group.name}"
user_names = ["${alicloud_ram_user.user.name}", "${alicloud_ram_user.user1.name}"]
}

» Argument Reference

The following arguments are supported:


• group_name - (Required, ForceNew) Name of the RAM group. This name
can have a string of 1 to 64 characters, must contain only alphanumeric
characters or hyphen ”-”, and must not begin with a hyphen.
• user_names - (Required) Set of user names to add to the group.
Each name can have a string of 1 to 64 characters, must contain only
alphanumeric characters or hyphens, such as ”-”,”.”,”_”, and must not
begin with a hyphen.

» Attributes Reference

The following attributes are exported:


• id - The membership ID, it’s set to group_name
• group_name - The group name.
• user_names - The list of names of users in the group.

» Import

RAM Group membership can be imported using the id, e.g.


$ terraform import alicloud_ram_group_membership.example my-group

» alicloud_ram_group_policy_attachment
Provides a RAM Group Policy attachment resource.

» Example Usage

# Create a RAM Group Policy attachment.


resource "alicloud_ram_group" "group" {
name = "groupName"
comments = "this is a group comments."
force = true
}

resource "alicloud_ram_policy" "policy" {


name = "policyName"
document = <<EOF
{
"Statement": [
{
"Action": [
"oss:ListObjects",
"oss:GetObject"
],
"Effect": "Allow",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
],
"Version": "1"
}
EOF
description = "this is a policy test"
force = true
}

resource "alicloud_ram_group_policy_attachment" "attach" {


policy_name = "${alicloud_ram_policy.policy.name}"
policy_type = "${alicloud_ram_policy.policy.type}"
group_name = "${alicloud_ram_group.group.name}"
}

» Argument Reference

The following arguments are supported:


• group_name - (Required, ForceNew) Name of the RAM group. This name
can have a string of 1 to 64 characters, must contain only alphanumeric
characters or hyphen ”-”, and must not begin with a hyphen.
• policy_name - (Required, ForceNew) Name of the RAM policy. This
name can have a string of 1 to 128 characters, must contain only
alphanumeric characters or hyphen ”-”, and must not begin with a hyphen.
• policy_type - (Required, ForceNew) Type of the RAM policy. It must
be Custom or System.

» Attributes Reference

The following attributes are exported:


• id - The attachment ID. Composed of policy name, policy type and group
name with format group:<policy_name>:<policy_type>:<group_name>.

» Import

RAM Group Policy attachment can be imported using the id, e.g.
$ terraform import alicloud_ram_group_policy_attachment.example group:my-policy:Custom:my-gr

» alicloud_ram_login_profile
Provides a RAM User Login Profile resource.

» Example Usage

# Create a RAM login profile.


resource "alicloud_ram_user" "user" {
name = "user_test"
display_name = "user_display_name"
mobile = "86-18688888888"
email = "[email protected]"
comments = "yoyoyo"
force = true
}

resource "alicloud_ram_login_profile" "profile" {


user_name = "${alicloud_ram_user.user.name}"
password = "Yourpassword1234"
}

» Argument Reference

The following arguments are supported:


• user_name - (Required, ForceNew) Name of the RAM user. This name
can have a string of 1 to 64 characters, must contain only alphanumeric
characters or hyphens, such as ”-”,”.”,”_”, and must not begin with a
hyphen.
• password - (Required, Sensitive) Password of the RAM user.
• mfa_bind_required - (Optional) This parameter indicates whether
MFA needs to be bound when the user first logs in. Default value is false.
• password_reset_required - (Optional) This parameter indicates
whether the password needs to be reset when the user first logs in.
Default value is false.

» Attributes Reference

The following attributes are exported:


• id - The login profile ID.
• user_name - The user name.
• mfa_bind_required - The parameter which indicates whether MFA
needs to be bound when the user first logs in.
• password_reset_required - The parameter which indicates whether the
password needs to be reset when the user first logs in.

» Import

RAM login profile can be imported using the id or user name, e.g.
$ terraform import alicloud_ram_login_profile.example my-login
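The example usage above writes the console password into the configuration file and leaves both first-login controls at their default of false. The configuration below is an added example, not from the provider documentation, that takes the password from a variable and turns on password_reset_required and mfa_bind_required; the variable name initial_password and the user name console_user are hypothetical.

```hcl
# Added example. Names marked "hypothetical" are assumptions.

# Hypothetical input variable. Supply the value at run time, for example
# through the TF_VAR_initial_password environment variable, so that the
# password is not committed together with the configuration.
variable "initial_password" {
  description = "One-time initial console password for the RAM user"
}

resource "alicloud_ram_user" "user" {
  name         = "console_user" # hypothetical user name
  display_name = "user_display_name"
  force        = true
}

# Weak variant (from the example usage above, kept for comparison):
#
# resource "alicloud_ram_login_profile" "profile" {
#   user_name = alicloud_ram_user.user.name
#   password  = "Yourpassword1234"   # literal password in the .tf file
# }

resource "alicloud_ram_login_profile" "profile" {
  user_name = alicloud_ram_user.user.name

  # Marked (Required, Sensitive) in the argument reference above.
  password = var.initial_password

  # The password set by the operator is only a bootstrap value: the user
  # has to replace it at first login.
  password_reset_required = true

  # The user has to bind an MFA device at first login.
  mfa_bind_required = true
}

output "login_profile_user" {
  value = alicloud_ram_login_profile.profile.user_name
}
```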

» alicloud_ram_policy
Provides a RAM Policy resource.
NOTE: To destroy this resource forcefully (that is, automatically remove all
the relationships associated with it and then destroy it) when force was not
set to true at the beginning, add force = true to the configuration file and
run terraform plan; you can then delete the resource forcefully.
NOTE: Each policy can have at most 5 versions; the oldest version is removed
once the number of versions reaches 5.

» Example Usage

# Create a new RAM Policy.


resource "alicloud_ram_policy" "policy" {
name = "policyName"
document = <<EOF
{
"Statement": [
{
"Action": [
"oss:ListObjects",
"oss:GetObject"
],
"Effect": "Allow",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
],
"Version": "1"
}
EOF
description = "this is a policy test"
force = true
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) Name of the RAM policy. This name can
have a string of 1 to 128 characters, must contain only alphanumeric
characters or hyphen ”-”, and must not begin with a hyphen.
• statement - (Deprecated, Optional, Type: list, Conflicts with document)
(It has been deprecated from version 1.49.0; use field ’document’
instead.) Statements of the RAM policy document. It is required when
the document is not specified.
– resource - (Deprecated, Required, Type: list) (It has been deprecated
from version 1.49.0; use field ’document’ instead.) List of
specific objects which will be authorized. The format of each item in
this list is acs:${service}:${region}:${account_id}:${relative_id},
such as acs:ecs:*:*:instance/inst-002 and acs:oss:*:1234567890000:mybucket.
The ${service} can be ecs, oss, ots and so on; the ${region} is
the region, which can be replaced with * when it is not supplied; the
${account_id} refers to an Alicloud account id, or you can
use * instead; the ${relative_id} is the resource description
section, which is related to the ${service}.
– action - (Deprecated, Required, Type: list) (It has been deprecated
from version 1.49.0; use field ’document’ instead.) List
of operations for the resource. The format of each item in this
list is ${service}:${action_name}, such as oss:ListBuckets and
ecs:Describe*. The ${service} can be ecs, oss, ots and so on;
the ${action_name} refers to the name of an API interface which is
related to the ${service}.
– effect - (Deprecated, Required) (It has been deprecated from
version 1.49.0; use field ’document’ instead.) This parameter
indicates whether or not the action is allowed. Valid values are
Allow and Deny.
• version - (Deprecated, Optional, Conflicts with document) (It has been
deprecated from version 1.49.0; use field ’document’ instead.)
Version of the RAM policy document. Valid value is 1. Default value is
1.
• document - (Optional, Conflicts with statement and version) Document
of the RAM policy. It is required when the statement is not specified.
• description - (Optional, ForceNew) Description of the RAM policy. This
name can have a string of 1 to 1024 characters.
• force - (Optional) This parameter is used for resource destroy. Default
value is false.

» Attributes Reference

The following attributes are exported:


• id - The policy ID.
• name - The policy name.
• type - The policy type.
• description - The policy description.
• statement - List of statements of the policy document.
• document - The policy document.
• version - The policy document version.
• attachment_count - The policy attachment count.

» Import

RAM policy can be imported using the id or name, e.g.


$ terraform import alicloud_ram_policy.example my-policy

» alicloud_ram_role
Provides a RAM Role resource.
NOTE: To destroy this resource forcefully (that is, automatically remove all
the relationships associated with it and then destroy it) when force was not
set to true at the beginning, add force = true to the configuration file and
run terraform plan; you can then delete the resource forcefully.

» Example Usage

# Create a new RAM Role.


resource "alicloud_ram_role" "role" {
name = "testrole"
document = <<EOF
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"apigateway.aliyuncs.com",
"ecs.aliyuncs.com"
]
}
}
],
"Version": "1"
}
EOF
description = "this is a role test."
force = true
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForceNew) Name of the RAM role. This name can have
a string of 1 to 64 characters, must contain only alphanumeric characters
or hyphens, such as ”-”, ”_”, and must not begin with a hyphen.
• services - (Deprecated, Optional, Type: list, Conflicts with document)
(It has been deprecated from version 1.49.0; use field ’document’
instead.) List of services which can assume the RAM role. The
format of each item in this list is ${service}.aliyuncs.com or
${account_id}@${service}.aliyuncs.com, such as ecs.aliyuncs.com
and [email protected]. The ${service} can be ecs,
log, apigateway and so on; the ${account_id} refers to an
Alicloud account id.
• ram_users - (Deprecated, Optional, Type: list, Conflicts with document)
(It has been deprecated from version 1.49.0; use field ’document’
instead.) List of ram users who can assume the RAM role. The
format of each item in this list is acs:ram::${account_id}:root or
acs:ram::${account_id}:user/${user_name}, such as acs:ram::1234567890000:root
and acs:ram::1234567890001:user/Mary. The ${user_name} is the
name of a RAM user which must exist in the Alicloud account indicated
by the ${account_id}.
• version - (Deprecated, Optional, Conflicts with document) (It has been
deprecated from version 1.49.0; use field ’document’ instead.)
Version of the RAM role policy document. Valid value is 1. Default value is
1.
• document - (Optional, Conflicts with services, ram_users and version)
Authorization strategy of the RAM role. It is required when the services
and ram_users are not specified.
• description - (Optional, Forces new resource) Description of the RAM
role. This name can have a string of 1 to 1024 characters.
• force - (Optional) This parameter is used for resource destroy. Default
value is false.

» Attributes Reference

The following attributes are exported:


• id - The ID of this resource. The value is set to role_name.
• role_id - The role ID.
• name - The role name.
• arn - The role arn.
• description - The role description.
• version - The role policy document version.
• document - Authorization strategy of the role.
• ram_users - List of services which can assume the RAM role.
• services - List of services which can assume the RAM role.

» Import

RAM role can be imported using the id or name, e.g.


$ terraform import alicloud_ram_role.example my-role

» alicloud_ram_role_attachment
Provides a RAM role attachment resource that binds a role to several ECS instances.

» Example Usage

data "alicloud_zones" "default" {


available_disk_category = "cloud_efficiency"
available_resource_creation = "VSwitch"
}

data "alicloud_instance_types" "default" {


availability_zone = "${data.alicloud_zones.default.zones.0.id}"
cpu_core_count = 2
memory_size = 4
}

data "alicloud_images" "default" {


name_regex = "^ubuntu_18.*64"
most_recent = true
owners = "system"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_security_group" "default" {


name = "${var.name}"
vpc_id = "${alicloud_vpc.default.id}"
}

resource "alicloud_security_group_rule" "default" {


type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"

policy = "accept"
port_range = "22/22"
priority = 1
security_group_id = "${alicloud_security_group.default.id}"
cidr_ip = "172.16.0.0/24"
}
variable "name" {
default = "ecsInstanceVPCExample"
}
resource "alicloud_instance" "foo" {
vswitch_id = "${alicloud_vswitch.default.id}"
image_id = "${data.alicloud_images.default.images.0.id}"

instance_type = "${data.alicloud_instance_types.default.instance_types.0.id}"
system_disk_category = "cloud_efficiency"

internet_charge_type = "PayByTraffic"
internet_max_bandwidth_out = 5
security_groups = ["${alicloud_security_group.default.id}"]
instance_name = "${var.name}"
}
resource "alicloud_ram_role" "role" {
name = "testrole"
document = <<EOF
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"ecs.aliyuncs.com"
]
}
}
],
"Version": "1"
}
EOF
description = "this is a test"
force = true
}

resource "alicloud_ram_role_attachment" "attach" {


role_name = "${alicloud_ram_role.role.name}"
instance_ids = ["${alicloud_instance.foo.*.id}"]

}

» Argument Reference

The following arguments are supported:


• role_name - (Required, ForceNew) The name of the role to bind. This
name can have a string of 1 to 64 characters, must contain only
alphanumeric characters or hyphens, such as ”-”, ”_”, and must not begin
with a hyphen.
• instance_ids - (Required, ForceNew) The list of ECS instance’s IDs.

» Attributes Reference

The following attributes are exported:


• role_name - The name of the role.
• instance_ids - The list of ECS instance’s IDs.

» alicloud_ram_role_policy_attachment
Provides a RAM Role attachment resource.

» Example Usage

# Create a RAM Role Policy attachment.


resource "alicloud_ram_role" "role" {
name = "roleName"
document = <<EOF
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"apigateway.aliyuncs.com",
"ecs.aliyuncs.com"
]
}
}
],

"Version": "1"
}
EOF
description = "this is a role test."
force = true
}

resource "alicloud_ram_policy" "policy" {


name = "policyName"
document = <<EOF
{
"Statement": [
{
"Action": [
"oss:ListObjects",
"oss:GetObject"
],
"Effect": "Allow",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
],
"Version": "1"
}
EOF
description = "this is a policy test"
force = true
}

resource "alicloud_ram_role_policy_attachment" "attach" {


policy_name = "${alicloud_ram_policy.policy.name}"
policy_type = "${alicloud_ram_policy.policy.type}"
role_name = "${alicloud_ram_role.role.name}"
}

» Argument Reference

The following arguments are supported:


• role_name - (Required, ForceNew) Name of the RAM Role. This name
can have a string of 1 to 64 characters, must contain only alphanumeric
characters or hyphens, such as ”-”, ”_”, and must not begin with a hyphen.
• policy_name - (Required, ForceNew) Name of the RAM policy. This
name can have a string of 1 to 128 characters, must contain only
alphanumeric characters or hyphen ”-”, and must not begin with a hyphen.
• policy_type - (Required, ForceNew) Type of the RAM policy. It must
be Custom or System.

» Attributes Reference

The following attributes are exported:


• id - The attachment ID. Composed of policy name, policy type and role
name with format role:<policy_name>:<policy_type>:<role_name>.

» Import

RAM Role Policy attachment can be imported using the id, e.g.
$ terraform import alicloud_ram_role_policy_attachment.example role:my-policy:Custom:my-role

» alicloud_ram_user
Provides a RAM User resource.
NOTE: To destroy this resource forcefully (that is, to release all the
relationships associated with it automatically and then destroy it) when force
was not set to true at the beginning, add force = true to the configuration
file and run terraform plan; you can then delete the resource forcefully.

» Example Usage

# Create a new RAM user.


resource "alicloud_ram_user" "user" {
name = "user_test"
display_name = "user_display_name"
mobile = "86-18688888888"
email = "[email protected]"
comments = "yoyoyo"
force = true
}

» Argument Reference

The following arguments are supported:

• name - (Required) Name of the RAM user. This name can have a string of
1 to 64 characters, must contain only alphanumeric characters or hyphens,
such as "-", ".", "_", and must not begin with a hyphen.
• display_name - (Optional) Name of the RAM user used for display. This
name can have a string of 1 to 128 characters or Chinese characters, must
contain only alphanumeric characters or Chinese characters or hyphens,
such as "-", ".", and must not end with a hyphen.
• mobile - (Optional) Phone number of the RAM user. This number
must contain an international area code prefix, for example:
86-18600008888.
• email - (Optional) Email of the RAM user.
• comments - (Optional) Comment of the RAM user. This parameter can
have a string of 1 to 128 characters.
• force - (Optional) This parameter is used for resource destroy. Default
value is false.

» Attributes Reference

The following attributes are exported:


• id - The ram user id.

» Import

RAM user can be imported using the id, e.g.


$ terraform import alicloud_ram_user.example 123456789xxx

» alicloud_ram_user_policy_attachment
Provides a RAM User Policy attachment resource.

» Example Usage

# Create a RAM User Policy attachment.


resource "alicloud_ram_user" "user" {
name = "userName"
display_name = "user_display_name"
mobile = "86-18688888888"
email = "[email protected]"
comments = "yoyoyo"
force = true

}

resource "alicloud_ram_policy" "policy" {


name = "policyName"
document = <<EOF
{
"Statement": [
{
"Action": [
"oss:ListObjects",
"oss:GetObject"
],
"Effect": "Allow",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
],
"Version": "1"
}
EOF
description = "this is a policy test"
force = true
}

resource "alicloud_ram_user_policy_attachment" "attach" {


policy_name = "${alicloud_ram_policy.policy.name}"
policy_type = "${alicloud_ram_policy.policy.type}"
user_name = "${alicloud_ram_user.user.name}"
}

» Argument Reference

The following arguments are supported:


• user_name - (Required, ForceNew) Name of the RAM user. This name
can have a string of 1 to 64 characters, must contain only alphanumeric
characters or hyphens, such as "-", ".", "_", and must not begin with a
hyphen.
• policy_name - (Required, ForceNew) Name of the RAM policy. This
name can have a string of 1 to 128 characters, must contain only alphanumeric
characters or hyphen "-", and must not begin with a hyphen.
• policy_type - (Required, ForceNew) Type of the RAM policy. It must
be Custom or System.

» Attributes Reference

The following attributes are exported:


• id - The attachment ID. Composed of policy name, policy type and user
name with format user:<policy_name>:<policy_type>:<user_name>.

» Import

RAM User Policy attachment can be imported using the id, e.g.
$ terraform import alicloud_ram_user_policy_attachment.example user:my-policy:Custom:my-user

» alicloud_db_instance_classes
This data source provides information about the RDS instance classes available
in Alibaba Cloud.
NOTE: Available in v1.46.0+

» Example Usage

data "alicloud_db_instance_classes" "resources" {


instance_charge_type = "PostPaid"
engine = "MySQL"
engine_version = "5.6"
output_file = "./classes.txt"
}

output "first_db_instance_class" {
value = "${data.alicloud_db_instance_classes.resources.instance_classes.0.instance_class}"
}

» Argument Reference

The following arguments are supported:


• zone_id - (Optional) The Zone to launch the DB instance.
• instance_charge_type - (Optional) Filter the results by charge type.
Valid values: PrePaid and PostPaid. Default to PostPaid.
• engine - (Optional) Database type. Options are MySQL, SQLServer,
PostgreSQL and PPAS. If no value is specified, all types are returned.

• category - (Optional) DB Instance category. Values such as Basic,
HighAvailability and Finance.
• engine_version - (Optional) Database version required by the user.
For value options, refer to EngineVersion in the latest docs.
• db_instance_class - (Optional, Available in 1.51.0+) The DB instance
class type specified by the user.
• storage_type - (Optional) The DB instance storage space required by
the user. Valid values: cloud_ssd and local_ssd.
• multi_zone - (Optional, Available in v1.48.0+) Whether to show multiple
availability zones. Default to false, which does not show them.
• output_file - (Optional) File name where to save data source results
(after running terraform apply).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - (Available in 1.60.0+) A list of Rds instance class codes.
• instance_classes - A list of Rds available resource. Each element
contains the following attributes:
  – zone_ids - A list of Zone to launch the DB instance.
    – id - The Zone to launch the DB instance
    – sub_zone_ids - A list of sub zone ids which in the id - e.g If id is
      cn-beijing-MAZ5(a,b), sub_zone_ids will be ["cn-beijing-a",
      "cn-beijing-b"].
  – instance_class - DB Instance available class.
  – storage_range - DB Instance available storage range.
    – min - DB Instance available storage min value.
    – max - DB Instance available storage max value.
    – step - DB Instance available storage increase step.

» alicloud_db_instance_engines
This data source provides information about the RDS instance engines available
in Alibaba Cloud.
NOTE: Available in v1.46.0+

» Example Usage

data "alicloud_db_instance_engines" "resources" {


instance_charge_type = "PostPaid"
engine = "MySQL"

engine_version = "5.6"
output_file = "./engines.txt"
}

output "first_db_category" {
value = "${data.alicloud_db_instance_engines.resources.instance_engines.0.category}"
}

» Argument Reference

The following arguments are supported:


• zone_id - (Optional) The Zone to launch the DB instance.
• instance_charge_type - (Optional) Filter the results by charge type.
Valid values: PrePaid and PostPaid. Default to PostPaid.
• engine - (Optional) Database type. Options are MySQL, SQLServer,
PostgreSQL and PPAS. If no value is specified, all types are returned.
• engine_version - (Optional) Database version required by the user.
For value options, refer to EngineVersion in the latest docs.
• multi_zone - (Optional, Available in v1.48.0+) Whether to show multiple
availability zones. Default to false, which does not show them.
• output_file - (Optional) File name where to save data source results
(after running terraform apply).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• instance_engines - A list of Rds available resource. Each element
contains the following attributes:
  – zone_ids - A list of Zone to launch the DB instance.
    – id - The Zone to launch the DB instance
    – sub_zone_ids - A list of sub zone ids which in the id - e.g If id is
      cn-beijing-MAZ5(a,b), sub_zone_ids will be ["cn-beijing-a",
      "cn-beijing-b"].
  – engine - Database type.
  – engine_version - DB Instance version.
  – category - DB Instance category.

» alicloud_db_instances
The alicloud_db_instances data source provides a collection of RDS instances
available in Alibaba Cloud account. Filters support regular expression for the
instance name, searches by tags, and other filters which are listed below.

» Example Usage

data "alicloud_db_instances" "db_instances_ds" {
  name_regex = "data-\\d+"
  status     = "Running"
  tags = {
    "type" = "database",
    "size" = "tiny"
  }
}

output "first_db_instance_id" {
  value = "${data.alicloud_db_instances.db_instances_ds.instances.0.id}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter results by instance name.
• ids - (Optional, Available 1.52.0+) A list of RDS instance IDs.
• engine - (Optional) Database type. Options are MySQL, SQLServer,
PostgreSQL and PPAS. If no value is specified, all types are returned.
• status - (Optional) Status of the instance.
• db_type - (Optional) Primary for primary instance, Readonly for read-only
instance, Guard for disaster recovery instance, and Temp for temporary
instance.
• vpc_id - (Optional) Used to retrieve instances that belong to the specified
VPC.
• vswitch_id - (Optional) Used to retrieve instances that belong to the
specified vswitch resources.
• connection_mode - (Optional) Standard for standard access mode and
Safe for high security access mode.
• tags - (Optional) A map of tags assigned to the DB instances. Note: Before
1.60.0, the value’s format is a JSON string which includes TagKey and
TagValue. TagKey cannot be null, and TagValue can be empty. Format
example "{\"key1\":\"value1\"}"
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of RDS instance IDs.
• names - A list of RDS instance names.
• instances - A list of RDS instances. Each element contains the following
attributes:
  – id - The ID of the RDS instance.
  – name - The name of the RDS instance.
  – charge_type - Billing method. Value options: Postpaid for
    Pay-As-You-Go and Prepaid for subscription.
  – db_type - Primary for primary instance, Readonly for read-only
    instance, Guard for disaster recovery instance, and Temp for temporary
    instance.
  – region_id - Region ID the instance belongs to.
  – create_time - Creation time of the instance.
  – expire_time - Expiration time. Pay-As-You-Go instances never expire.
  – status - Status of the instance.
  – engine - Database type. Options are MySQL, SQLServer, PostgreSQL
    and PPAS. If no value is specified, all types are returned.
  – engine_version - Database version.
  – net_type - Internet for public network or Intranet for private
    network.
  – connection_mode - Standard for standard access mode and Safe for
    high security access mode.
  – instance_type - Sizing of the RDS instance.
  – availability_zone - Availability zone.
  – master_instance_id - ID of the primary instance. If this parameter
    is not returned, the current instance is a primary instance.
  – guard_instance_id - If a disaster recovery instance is attached to
    the current instance, the ID of the disaster recovery instance applies.
  – temp_instance_id - If a temporary instance is attached to the current
    instance, the ID of the temporary instance applies.
  – readonly_instance_ids - A list of IDs of read-only instances attached
    to the primary instance.
  – vpc_id - ID of the VPC the instance belongs to.
  – vswitch_id - ID of the VSwitch the instance belongs to.
  – port - (Available in 1.70.3+) RDS database connection port.
  – connection_string - (Available in 1.70.3+) RDS database connection
    string.
  – instance_storage - (Available in 1.70.3+) User-defined DB instance
    storage space.
  – db_instance_storage_type - (Available in 1.70.3+) The storage
    type of the instance.

» alicloud_db_zones
This data source provides availability zones for RDS that can be accessed by an
Alibaba Cloud account within the region configured in the provider.
NOTE: Available in v1.73.0+.

» Example Usage

# Declare the data source


data "alicloud_db_zones" "zones_ids" {}

# Create an RDS instance with the first matched zone


resource "alicloud_db_instance" "db" {
  # Each element of zones is an object; its id attribute holds the zone ID.
  zone_id = data.alicloud_db_zones.zones_ids.zones[0].id

  # Other properties...
}

» Argument Reference

The following arguments are supported:


• multi - (Optional) Indicate whether the zones can be used in a multi AZ
configuration. Default to false. Multi AZ is usually used to launch RDS
instances.
• instance_charge_type - (Optional) Filter the results by a specific
instance charge type. Valid values: PrePaid and PostPaid. Default to
PostPaid.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of zone IDs.
• zones - A list of availability zones. Each element contains the following
attributes:
– id - ID of the zone.
– multi_zone_ids - A list of zone ids contained in the multi zone.

» alicloud_db_account
Provides an RDS account resource, which is used to manage databases.

» Example Usage

variable "creation" {
default = "Rds"
}

variable "name" {
default = "dbaccountmysql"
}

data "alicloud_zones" "default" {


available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_db_instance" "instance" {


engine = "MySQL"
engine_version = "5.6"
instance_type = "rds.mysql.s1.small"
instance_storage = "10"
vswitch_id = "${alicloud_vswitch.default.id}"
instance_name = "${var.name}"
}

resource "alicloud_db_account" "account" {


instance_id = "${alicloud_db_instance.instance.id}"
name = "tftestnormal"
password = "Test12345"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The ID of the instance to which the
account belongs.
• name - (Required, ForceNew) Operation account requiring a uniqueness
check. It may consist of lower case letters, numbers, and underlines, and
must start with a letter and have no more than 16 characters.
• password - (Optional, Sensitive) Operation password. It may consist of
letters, digits, or underlines, with a length of 6 to 32 characters. You have
to specify one of password and kms_encrypted_password fields.
• kms_encrypted_password - (Optional, Available in 1.57.1+) A KMS-encrypted
password used for a db account. If the password is filled in, this
field will be ignored.
• kms_encryption_context - (Optional, MapString, Available in 1.57.1+)
A KMS encryption context used to decrypt kms_encrypted_password
before creating or updating a db account with kms_encrypted_password.
See Encryption Context. It is valid when kms_encrypted_password is
set.
• description - (Optional) Database description. It cannot begin with
https://. It must start with a Chinese character or English letter. It can
include Chinese and English characters, underlines (_), hyphens (-), and
numbers. The length may be 2-256 characters.
• type - (Optional, ForceNew) Privilege type of account.
  – Normal: Common privilege.
  – Super: High privilege.
  Default to Normal.

» Attributes Reference

The following attributes are exported:


• id - The current account resource ID. Composed of instance ID and
account name with format <instance_id>:<name>.

» Import

RDS account can be imported using the id, e.g.


$ terraform import alicloud_db_account.example "rm-12345:tf_account"

» alicloud_db_account_privilege
Provides an RDS account privilege resource, which is used to grant an access
privilege on several databases. A database can be granted to multiple accounts.

» Example Usage

variable "creation" {
default = "Rds"
}

variable "name" {
default = "dbaccountprivilegebasic"
}

data "alicloud_zones" "default" {


available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_db_instance" "instance" {


engine = "MySQL"
engine_version = "5.6"
instance_type = "rds.mysql.s1.small"
instance_storage = "10"
vswitch_id = "${alicloud_vswitch.default.id}"
instance_name = "${var.name}"
}

resource "alicloud_db_database" "db" {


count = 2
instance_id = "${alicloud_db_instance.instance.id}"
name = "tfaccountpri_${count.index}"

description = "from terraform"
}

resource "alicloud_db_account" "account" {


instance_id = "${alicloud_db_instance.instance.id}"
name = "tftestprivilege"
password = "Test12345"
description = "from terraform"
}

resource "alicloud_db_account_privilege" "privilege" {


instance_id = "${alicloud_db_instance.instance.id}"
account_name = "${alicloud_db_account.account.name}"
privilege = "ReadOnly"
db_names = "${alicloud_db_database.db.*.name}"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The ID of the instance to which the
account belongs.
• account_name - (Required, ForceNew) A specified account name.
• privilege - The privilege of one account to access the database. Valid values:
  – ReadOnly: This value is only for MySQL, MariaDB and SQL Server
  – ReadWrite: This value is only for MySQL, MariaDB and SQL Server
  – DDLOnly: (Available in 1.64.0+) This value is only for MySQL and
    MariaDB
  – DMLOnly: (Available in 1.64.0+) This value is only for MySQL and
    MariaDB
  – DBOwner: (Available in 1.64.0+) This value is only for SQL Server
    and PostgreSQL.
  Default to "ReadOnly".
• db_names - (Required) List of specified database names.

» Attributes Reference

The following attributes are exported:


• id - The current account resource ID. Composed of instance ID, account
name and privilege with format <instance_id>:<name>:<privilege>.

» Import

RDS account privilege can be imported using the id, e.g.


$ terraform import alicloud_db_account_privilege.example "rm-12345:tf_account:ReadOnly"
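
The alicloud_db_account and alicloud_db_account_privilege arguments above, combined so that the account password never appears in plaintext in the configuration and the account is limited to read access on named databases. This is an added example, not part of the provider documentation; the variable names, the account name and the encryption context value are assumptions.

```hcl
# Assumed inputs (hypothetical variable names, not defined by the provider).
variable "rds_instance_id" {
  description = "ID of an existing RDS instance"
}

variable "db_password_ciphertext" {
  description = "Account password encrypted out of band with KMS, using the encryption context below"
}

variable "readonly_db_names" {
  description = "Databases the account may read"
  type        = list(string)
}

# Weak form, as in the examples on this page: the password is a literal in
# the configuration file.
#
#   password = "Test12345"

resource "alicloud_db_account" "app_ro" {
  instance_id = var.rds_instance_id
  name        = "app_ro" # constructed name: lower case, starts with a letter, at most 16 characters
  type        = "Normal" # the default; Super is the high-privilege type

  # Leave `password` unset: when it is filled in, kms_encrypted_password is ignored.
  kms_encrypted_password = var.db_password_ciphertext
  kms_encryption_context = {
    purpose = "rds-account" # constructed value; must match the context used when encrypting
  }
}

# Grant only what the account needs, and only on the listed databases.
resource "alicloud_db_account_privilege" "app_ro" {
  instance_id  = var.rds_instance_id
  account_name = alicloud_db_account.app_ro.name
  privilege    = "ReadOnly"
  db_names     = var.readonly_db_names
}
```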

» alicloud_db_backup_policy
Provides an RDS instance backup policy resource, which is used to configure the
instance backup policy.
NOTE: Each DB instance has a backup policy and it will be set to default values
when destroying the resource.

» Example Usage

variable "creation" {
default = "Rds"
}

variable "name" {
default = "dbbackuppolicybasic"
}

data "alicloud_zones" "default" {


available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_db_instance" "instance" {


engine = "MySQL"
engine_version = "5.6"
instance_type = "rds.mysql.s1.small"

instance_storage = "10"
vswitch_id = "${alicloud_vswitch.default.id}"
instance_name = "${var.name}"
}

resource "alicloud_db_backup_policy" "policy" {


instance_id = "${alicloud_db_instance.instance.id}"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The Id of instance that can run
database.
• backup_period - (Deprecated) It has been deprecated from version 1.69.0,
and use field 'preferred_backup_period' instead.
• preferred_backup_period - (Optional, available in 1.69.0+) DB Instance
backup period. Please set at least two days to ensure backing up at least
twice a week. Valid values: [Monday, Tuesday, Wednesday, Thursday,
Friday, Saturday, Sunday]. Default to ["Monday", "Tuesday", "Wednesday",
"Thursday", "Friday", "Saturday", "Sunday"].
• backup_time - (Deprecated) It has been deprecated from version 1.69.0,
and use field 'preferred_backup_time' instead.
• preferred_backup_time - (Optional, available in 1.69.0+) DB instance
backup time, in the format of HH:mmZ-HH:mmZ. Time setting interval
is one hour. Default to "02:00Z-03:00Z". China time is 8 hours behind it.
• retention_period - (Deprecated) It has been deprecated from version
1.69.0, and use field 'backup_retention_period' instead.
• backup_retention_period - (Optional, available in 1.69.0+) Instance
backup retention days. Valid values: [7-730]. Default to 7. But mysql
local disk is unlimited.
• log_backup - (Deprecated) It has been deprecated from version 1.68.0,
and use field 'enable_backup_log' instead.
• enable_backup_log - (Optional, available in 1.68.0+) Whether to backup
instance log. Valid values are true, false. Default to true. Note: The
'Basic Edition' category Rds instance does not support setting log backup.
See What is Basic Edition.
• log_retention_period - (Deprecated) It has been deprecated from version
1.69.0, and use field 'log_backup_retention_period' instead.
• log_backup_retention_period - (Optional, available in 1.69.0+) Instance
log backup retention days. Valid when the enable_backup_log
is 1. Valid values: [7-730]. Default to 7. It cannot be larger than
backup_retention_period.
• local_log_retention_hours - (Optional, available in 1.69.0+) Instance
log backup local retention hours. Valid when the enable_backup_log is
true. Valid values: [0-7*24].
• local_log_retention_space - (Optional, available in 1.69.0+) Instance
log backup local retention space. Valid when the enable_backup_log is
true. Valid values: [5-50].
• high_space_usage_protection - (Optional, available in 1.69.0+)
Instance high space usage protection policy. Valid when the
enable_backup_log is true. Valid values are Enable, Disable.
• log_backup_frequency - (Optional, available in 1.69.0+) Instance log
backup frequency. Valid when the instance engine is SQLServer. Valid
values are LogInterval.
• compress_type - (Optional, available in 1.69.0+) The compress type of
instance policy. Valid values are 1, 4, 8.
• archive_backup_retention_period - (Optional, available in 1.69.0+)
Instance archive backup retention days. Valid when the enable_backup_log
is true and instance is mysql local disk. Valid values: [30-1095], and
archive_backup_retention_period must be larger than backup_retention_period
730.
• archive_backup_keep_count - (Optional, available in 1.69.0+) Instance
archive backup keep count. Valid when the enable_backup_log is true
and instance is mysql local disk. When archive_backup_keep_policy
is ByMonth, valid values: [1-31]. When archive_backup_keep_policy is
ByWeek, valid values: [1-7].
• archive_backup_keep_policy - (Optional, available in 1.69.0+) Instance
archive backup keep policy. Valid when the enable_backup_log is true
and instance is mysql local disk. Valid values are ByMonth, Disable,
KeepAll.
NOTE: Currently, the SQLServer instance does not support modifying
log_backup_retention_period.

» Attributes Reference

The following attributes are exported:


• id - The current backup policy resource ID. It is same as ’instance_id’.

» Import

RDS backup policy can be imported using the id or instance id, e.g.
$ terraform import alicloud_db_backup_policy.example "rm-12345678"
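
The example under Example Usage sets only instance_id, so every retention setting falls back to its default. The policy below uses the 1.69.0+ argument names and notes the deprecated field each one replaces. It is an added example, not part of the provider documentation; the variable name and the chosen values are assumptions picked from the ranges listed above.

```hcl
# Assumed input (hypothetical variable name).
variable "rds_instance_id" {
  description = "ID of an existing RDS instance"
}

resource "alicloud_db_backup_policy" "policy" {
  instance_id = var.rds_instance_id

  # Replaces backup_period. At least two days, so backups run at least twice a week.
  preferred_backup_period = ["Monday", "Wednesday", "Friday"]

  # Replaces backup_time. One-hour window in HH:mmZ-HH:mmZ format.
  preferred_backup_time = "02:00Z-03:00Z"

  # Replaces retention_period. Valid range is 7-730 days; the default is 7.
  backup_retention_period = 30

  # Replaces log_backup. Not supported on Basic Edition instances.
  enable_backup_log = true

  # Replaces log_retention_period. It cannot be larger than
  # backup_retention_period, so the two are kept equal here.
  log_backup_retention_period = 30
}
```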

» alicloud_db_connection
Provides an RDS connection resource to allocate an Internet connection string
for RDS instance.
NOTE: Each RDS instance will allocate an intranet connection string
automatically and its prefix is the RDS instance ID. To avoid unnecessary
conflict, please specify an Internet connection prefix before applying the
resource.

» Example Usage

variable "creation" {
default = "Rds"
}

variable "name" {
default = "dbconnectionbasic"
}

data "alicloud_zones" "default" {


available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_db_instance" "instance" {


engine = "MySQL"
engine_version = "5.6"
instance_type = "rds.mysql.t1.small"
instance_storage = "10"
vswitch_id = "${alicloud_vswitch.default.id}"
instance_name = "${var.name}"
}

resource "alicloud_db_connection" "foo" {

instance_id = "${alicloud_db_instance.instance.id}"
connection_prefix = "testabc"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The Id of instance that can run
database.
• connection_prefix - (ForceNew) Prefix of an Internet connection string.
It must be checked for uniqueness. It may consist of lowercase letters,
numbers, and underlines, and must start with a letter and have no more
than 30 characters. Default to + ’tf’.
• port - (Optional) Internet connection port. Valid value: [3001-3999].
Default to 3306.

» Attributes Reference

The following attributes are exported:


• id - The current instance connection resource ID. Composed of instance ID
and connection string with format <instance_id>:<connection_prefix>.
• connection_prefix - Prefix of a connection string.
• port - Connection instance port.
• connection_string - Connection instance string.
• ip_address - The ip address of connection string.

» Import

RDS connection can be imported using the id, e.g.


$ terraform import alicloud_db_connection.example abc12345678
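
Allocating an Internet connection string makes the instance reachable from outside the VPC, so the security_ips whitelist on the alicloud_db_instance resource decides who can connect. The configuration below pairs the connection with a restricted whitelist. It is an added example, not part of the provider documentation; the variable names and the CIDR value are assumptions.

```hcl
# Assumed inputs (hypothetical variable names).
variable "vswitch_id" {
  description = "ID of an existing VSwitch"
}

variable "admin_cidr" {
  description = "Network allowed to reach the database"
  default     = "203.0.113.0/24" # constructed value from a documentation address range
}

resource "alicloud_db_instance" "instance" {
  engine           = "MySQL"
  engine_version   = "5.6"
  instance_type    = "rds.mysql.t1.small"
  instance_storage = "10"
  vswitch_id       = var.vswitch_id

  # Weak: security_ips = ["0.0.0.0/0"] admits every source address once an
  # Internet connection string exists.
  security_ips = [var.admin_cidr]
}

resource "alicloud_db_connection" "public" {
  instance_id       = alicloud_db_instance.instance.id
  connection_prefix = "testabc"
}

# Exported attributes of the connection, for reviewing what is exposed.
output "public_endpoint" {
  value = "${alicloud_db_connection.public.connection_string}:${alicloud_db_connection.public.port}"
}
```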

» alicloud_db_database
Provides an RDS database resource. A DB database deployed in a DB instance.
A DB instance can own multiple databases.
NOTE: This resource does not support creating a 'PPAS' database. You have
to log in to the RDS instance to create it manually.

» Example Usage

variable "creation" {
default = "Rds"
}

variable "name" {
default = "dbdatabasebasic"
}

data "alicloud_zones" "default" {


available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_db_instance" "instance" {


engine = "MySQL"
engine_version = "5.6"
instance_type = "rds.mysql.s1.small"
instance_storage = "10"
vswitch_id = "${alicloud_vswitch.default.id}"
instance_name = "${var.name}"
}

resource "alicloud_db_database" "default" {


instance_id = "${alicloud_db_instance.instance.id}"
name = "tftestdatabase"
}

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The Id of instance that can run
database.
• name - (Required, ForceNew) Name of the database requiring a uniqueness
check. It may consist of lower case letters, numbers, and underlines, and
must start with a letter and have no more than 64 characters.
• character_set - (Required) Character set. The value range is limited to
the following:
  – MySQL: [ utf8, gbk, latin1, utf8mb4 ] (utf8mb4 only supports
    versions 5.5 and 5.6).
  – SQLServer: [ Chinese_PRC_CI_AS, Chinese_PRC_CS_AS,
    SQL_Latin1_General_CP1_CI_AS, SQL_Latin1_General_CP1_CS_AS,
    Chinese_PRC_BIN ]
  – PostgreSQL: [ KOI8U, UTF8, WIN866, WIN874, WIN1250, WIN1251, WIN1252,
    WIN1253, WIN1254, W ]
  For more details, refer to the API Docs.
• description - (ForceNew) Database description. It cannot begin with
https://. It must start with a Chinese character or English letter. It can
include Chinese and English characters, underlines (_), hyphens (-), and
numbers. The length may be 2-256 characters.
NOTE: The value of "name" or "character_set" does not support modification.

» Attributes Reference

The following attributes are exported:


• id - The current database resource ID. Composed of instance ID and
database name with format <instance_id>:<name>.

» Import

RDS database can be imported using the id, e.g.


$ terraform import alicloud_db_database.example "rm-12345:tf_database"

» alicloud_db_instance
Provides an RDS instance resource. A DB instance is an isolated database
environment in the cloud. A DB instance can contain multiple user-created
databases.

» Example Usage

» Create a RDS MySQL instance

variable "name" {
default = "dbInstanceconfig"
}
variable "creation" {
default = "Rds"
}
data "alicloud_zones" "default" {
available_resource_creation = "${var.creation}"
}
resource "alicloud_vpc" "default" {
name = "${var.name}"
cidr_block = "172.16.0.0/16"
}
resource "alicloud_vswitch" "default" {
vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}
resource "alicloud_db_instance" "default" {
engine = "MySQL"
engine_version = "5.6"
instance_type = "rds.mysql.s2.large"
instance_storage = "30"
instance_charge_type = "Postpaid"
instance_name = "${var.name}"
vswitch_id = "${alicloud_vswitch.default.id}"
monitoring_period = "60"
}

» Create a RDS MySQL instance with specific parameters

# Zone lookup referenced by the vswitch below.
data "alicloud_zones" "default" {
  available_resource_creation = "Rds"
}

resource "alicloud_vpc" "default" {
  name       = "vpc-123456"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "vpc-123456"
}

# Instance without custom parameters. instance_type and instance_storage are
# the argument names listed in the Argument Reference below.
resource "alicloud_db_instance" "default" {
  engine           = "MySQL"
  engine_version   = "5.6"
  instance_type    = "rds.mysql.t1.small"
  instance_storage = "10"
  vswitch_id       = "${alicloud_vswitch.default.id}"
}

# Instance with custom parameters. Resource names must be unique within a
# module, so this one is named "with_parameters".
resource "alicloud_db_instance" "with_parameters" {
  engine           = "MySQL"
  engine_version   = "5.6"
  instance_type    = "rds.mysql.t1.small"
  instance_storage = "10"
  parameters {
    name  = "innodb_large_prefix"
    value = "ON"
  }
  parameters {
    name  = "connect_timeout"
    value = "50"
  }
}

» Argument Reference

The following arguments are supported:


• engine - (Required,ForceNew) Database type. Value options: MySQL,
SQLServer, PostgreSQL, and PPAS.
• engine_version - (Required,ForceNew) Database version. Value options
can refer to the latest docs CreateDBInstance EngineVersion.
• instance_type - (Required) DB Instance type. For details, see Instance
type table.
• instance_storage - (Required) User-defined DB instance storage space.
Value range:
– [5, 2000] for MySQL/PostgreSQL/PPAS HA dual node edition;
– [20,1000] for MySQL 5.7 basic single node edition;
– [10, 2000] for SQL Server 2008R2;
– [20,2000] for SQL Server 2012 basic single node edition Increase pro-
gressively at a rate of 5 GB. For details, see Instance type table. Note:

440
There is extra 5 GB storage for SQL Server Instance and it is not in
specified instance_storage.
• db_instance_storage_type - (Optional, Available in 1.68.0+) The stor-
age type of the instance. Valid values:
– local_ssd: specifies to use local SSDs. This value is recommended.
– cloud_ssd: specifies to use standard SSDs.
– cloud_essd: specifies to use enhanced SSDs (ESSDs).
– cloud_essd2: specifies to use enhanced SSDs (ESSDs).
– cloud_essd3: specifies to use enhanced SSDs (ESSDs).
• sql_collector_status - (Optional, Available in 1.70.0+) The sql collec-
tor status of the instance. Valid values are Enabled, Disabled, Default
to Disabled.
• sql_collector_config_value - (Optional, Available in 1.70.0+) The sql
collector keep time of the instance. Valid values are 1, 30, 180, 365, 1095,
1825, 1 is the initial value, and can’t change it to 1.
• instance_name - (Optional) The name of DB instance. It a string of 2 to
256 characters.
• instance_charge_type - (Optional) Valid values are Prepaid, Postpaid,
Default to Postpaid. Currently, the resource only supports PostPaid to
PrePaid.
• period - (Optional) The duration that you will buy DB instance (in
month). It is valid when instance_charge_type is PrePaid. Valid val-
ues: [1~9], 12, 24, 36. Default to 1.
• monitoring_period - (Optional) The monitoring frequency in seconds.
Valid values are 5, 60, 300. Defaults to 300.
• auto_renew - (Optional, Available in 1.34.0+) Whether to renew a DB
instance automatically or not. It is valid when instance_charge_type is
PrePaid. Default to false.
• auto_renew_period - (Optional, Available in 1.34.0+) Auto-renewal
period of an instance, in months. It is valid when
instance_charge_type is PrePaid. Valid values: [1~12]. Default to 1.
• zone_id - (ForceNew) The Zone to launch the DB instance. From version
1.8.1, it supports multiple zones. If it is a multi-zone and vswitch_id
is specified, the vswitch must be in one of them. The multiple zone
ID can be retrieved by setting multi to "true" in the data source
alicloud_zones.
• vswitch_id - (ForceNew) The virtual switch ID to launch DB instances
in one VPC.
• security_ips - (Optional) List of IP addresses allowed to access all
databases of an instance. The list contains up to 1,000 IP addresses,
separated by commas. Supported formats include 0.0.0.0/0, 10.23.12.24
(IP), and 10.23.12.24/24 (Classless Inter-Domain Routing (CIDR) mode.
/24 represents the length of the prefix in an IP address. The range of the
prefix length is [1,32]).
• security_ip_mode - (Optional, Available in 1.62.1+) Valid values are
normal and safety. Default to normal. Setting safety switches the instance
to high security access mode.
• parameters - (Optional) Set of parameters to apply after the DB instance
is launched. For available parameters, refer to the latest docs, View
database parameter templates.
• force_restart - (Optional, Available in 1.75.0+) Set it to true to make
some parameters take effect when modifying them. Default to false.
• tags - (Optional) A mapping of tags to assign to the resource.
– Key: It can be up to 64 characters in length. It cannot begin with
”aliyun”, ”acs:”, ”http://”, or ”https://”. It cannot be a null string.
– Value: It can be up to 128 characters in length. It cannot begin with
”aliyun”, ”acs:”, ”http://”, or ”https://”. It can be a null string.
Note: From 1.63.0, the tag key and value are case sensitive. Before that, they
are not case sensitive.
• security_group_id - (Deprecated) It has been deprecated from 1.69.0
and use security_group_ids instead.
• security_group_ids - (Optional, List(string), Available in 1.69.0+) The
list of ECS security group IDs to join. At most three security groups are
supported.
• maintain_time - (Optional, Available in 1.56.0+) Maintainable time period
of the instance, in the format HH:MMZ-HH:MMZ (UTC time).
• auto_upgrade_minor_version - (Optional, Available in 1.62.1+) The up-
grade method to use. Valid values:
– Auto: Instances are automatically upgraded to a higher minor ver-
sion.
– Manual: Instances are forcibly upgraded to a higher minor version
when the current version is unpublished.
Default to ”Manual”. See more details and limitation.
NOTE: Because of data backup and migration, changing the DB instance type and
storage takes 15~20 minutes. Prepare fully before changing them.
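
The checks below audit three alicloud_db_instance arguments from this reference (security_ips, security_ip_mode, sql_collector_status) in a plan exported with terraform show -json. This is an added example, not code from the provider; the sample plan is constructed, and the severity labels and the /16 threshold are assumptions.

```python
import ipaddress
import json

MAX_SECURITY_IPS = 1000   # the argument reference allows up to 1,000 entries
BROAD_PREFIX = 16         # assumption: a /16 or shorter prefix counts as broad


def check_security_ips(entries):
    """Return (severity, message) findings for one security_ips list."""
    findings = []
    if len(entries) > MAX_SECURITY_IPS:
        findings.append(("error", f"{len(entries)} entries, limit is {MAX_SECURITY_IPS}"))
    for raw in entries:
        entry = str(raw).strip()
        try:
            # strict=False because the documented form 10.23.12.24/24 has
            # host bits set, which strict parsing rejects.
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            findings.append(("error", f"{entry}: not an IPv4 address or CIDR block"))
            continue
        if net.prefixlen == 0:
            findings.append(("high", f"{entry}: every address is allowed"))
        elif net.prefixlen <= BROAD_PREFIX:
            findings.append(("medium", f"{entry}: allows {net.num_addresses} addresses"))
    return findings


def iter_resources(module):
    """Yield resources of a plan module and of all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def audit_plan(plan):
    """Map each alicloud_db_instance address to its list of findings."""
    report = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "alicloud_db_instance":
            continue
        values = res.get("values", {})
        findings = check_security_ips(values.get("security_ips") or [])
        # Documented defaults apply when the argument is not set.
        mode = values.get("security_ip_mode") or "normal"
        if mode != "safety":
            findings.append(("low", f"security_ip_mode is {mode}, not safety"))
        status = values.get("sql_collector_status") or "Disabled"
        if status != "Enabled":
            findings.append(("low", f"sql_collector_status is {status}"))
        report[res["address"]] = findings
    return report


# Constructed sample in the layout of `terraform show -json` output.
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {"root_module": {
    "resources": [
      {"address": "alicloud_vpc.default", "type": "alicloud_vpc",
       "values": {"cidr_block": "172.16.0.0/16"}},
      {"address": "alicloud_db_instance.default",
       "type": "alicloud_db_instance",
       "values": {"security_ips": ["10.168.1.12", "100.69.7.112"]}}
    ],
    "child_modules": [{
      "address": "module.app",
      "resources": [
        {"address": "module.app.alicloud_db_instance.open",
         "type": "alicloud_db_instance",
         "values": {"security_ips": ["0.0.0.0/0", "10.23.12.24/24",
                                     "10.0.0.0/8", "db.example.com"],
                    "security_ip_mode": "safety",
                    "sql_collector_status": "Enabled"}}
      ]
    }]
  }}
}
""")

if __name__ == "__main__":
    for address, findings in audit_plan(SAMPLE_PLAN).items():
        for severity, message in findings:
            print(f"{severity:6} {address}: {message}")
```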

» Attributes Reference

The following attributes are exported:


• id - The RDS instance ID.
• port - RDS database connection port.
• connection_string - RDS database connection string.

» Timeouts

NOTE: Available in 1.52.1+.


The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 20 mins) Used when creating the db instance (until
it reaches the initial Running status).
• update - (Defaults to 30 mins) Used when updating the db instance (until
it reaches the initial Running status).
• delete - (Defaults to 20 mins) Used when terminating the db instance.

» Import

RDS instance can be imported using the id, e.g.


$ terraform import alicloud_db_instance.example rm-abc12345678

» alicloud_db_read_write_splitting_connection
Provides an RDS read write splitting connection resource to allocate an Intranet
connection string for RDS instance.

» Example Usage

variable "creation" {
default = "Rds"
}

variable "name" {
default = "dbInstancevpc"
}

data "alicloud_zones" "default" {


available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_db_instance" "default" {


engine = "MySQL"
engine_version = "5.6"
instance_type = "rds.mysql.t1.small"
instance_storage = "20"
instance_charge_type = "Postpaid"
instance_name = "${var.name}"
vswitch_id = "${alicloud_vswitch.default.id}"
security_ips = ["10.168.1.12", "100.69.7.112"]
}

resource "alicloud_db_readonly_instance" "default" {


master_db_instance_id = "${alicloud_db_instance.default.id}"
zone_id = "${alicloud_db_instance.default.zone_id}"
engine_version = "${alicloud_db_instance.default.engine_version}"
instance_type = "${alicloud_db_instance.default.instance_type}"
instance_storage = "30"
instance_name = "${var.name}ro"
vswitch_id = "${alicloud_vswitch.default.id}"
}

resource "alicloud_db_read_write_splitting_connection" "default" {


instance_id = "${alicloud_db_instance.default.id}"
connection_prefix = "t-con-123"
distribution_type = "Standard"

depends_on = ["alicloud_db_readonly_instance.default"]
}
NOTE: Resource alicloud_db_read_write_splitting_connection should
be created after alicloud_db_readonly_instance, so the depends_on state-
ment is necessary.

» Argument Reference

The following arguments are supported:


• instance_id - (Required, ForceNew) The Id of instance that can run
database.
• distribution_type - (Required) Read weight distribution mode. Values
are as follows: Standard indicates automatic weight distribution based on
types, Custom indicates custom weight distribution.
• connection_prefix - (Optional, ForceNew) Prefix of an Internet connec-
tion string. It must be checked for uniqueness. It may consist of lowercase
letters, numbers, and underlines, and must start with a letter and have
no more than 30 characters. Default to + ’rw’.
• port - (Optional) Intranet connection port. Valid value: [3001-3999]. De-
fault to 3306.
• max_delay_time - (Optional) Delay threshold, in seconds. The value
range is 0 to 7200. Default to 30. Read requests are not routed to the
read-only instances with a delay greater than the threshold.

• weight - (Optional) Read weight distribution. Read weights increase at
a step of 100 up to 10,000. Enter weights in the following format:
{"Instanceid":"Weight","Instanceid":"Weight"}. This parameter must be set
when distribution_type is set to Custom.

» Attributes Reference

The following attributes are exported:


• id - The Id of DB instance.
• connection_string - Connection instance string.

» Import

RDS read write splitting connection can be imported using the id, e.g.
$ terraform import alicloud_db_read_write_splitting_connection.example abc12345678

» alicloud_db_readonly_instance
Provides an RDS readonly instance resource.

» Example Usage

variable "creation" {
default = "Rds"
}

variable "name" {
default = "dbInstancevpc"
}

data "alicloud_zones" "default" {


available_resource_creation = "${var.creation}"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_db_instance" "default" {


engine = "MySQL"
engine_version = "5.6"
instance_type = "rds.mysql.t1.small"
instance_storage = "20"
instance_charge_type = "Postpaid"
instance_name = "${var.name}"
vswitch_id = "${alicloud_vswitch.default.id}"
security_ips = ["10.168.1.12", "100.69.7.112"]
}

resource "alicloud_db_readonly_instance" "default" {


master_db_instance_id = "${alicloud_db_instance.default.id}"
zone_id = "${alicloud_db_instance.default.zone_id}"
engine_version = "${alicloud_db_instance.default.engine_version}"
instance_type = "${alicloud_db_instance.default.instance_type}"
instance_storage = "30"
instance_name = "${var.name}ro"
vswitch_id = "${alicloud_vswitch.default.id}"
}

» Argument Reference

The following arguments are supported:


• engine_version - (Required, ForceNew) Database version. For valid values,
refer to EngineVersion in the latest CreateDBInstance docs.
• master_db_instance_id - (Required) ID of the master instance.
• instance_type - (Required) DB Instance type. For details, see Instance
type table.
• instance_storage - (Required) User-defined DB instance storage space.
Value range: [5, 2000] for MySQL/SQL Server HA dual node edition.
Increase progressively at a rate of 5 GB. For details, see Instance type
table.
• instance_name - (Optional) The name of the DB instance. It is a string of 2
to 256 characters.
• parameters - (Optional) Set of parameters to apply after the DB instance
is launched. For available parameters, refer to the latest docs, View
database parameter templates.
• zone_id - (Optional, ForceNew) The Zone to launch the DB instance.
• vswitch_id - (Optional, ForceNew) The virtual switch ID to launch DB
instances in one VPC.
• tags - (Optional, Available in 1.68.0+) A mapping of tags to assign to the
resource.
– Key: It can be up to 64 characters in length. It cannot begin with
”aliyun”, ”acs:”, ”http://”, or ”https://”. It cannot be a null string.
– Value: It can be up to 128 characters in length. It cannot begin with
”aliyun”, ”acs:”, ”http://”, or ”https://”. It can be a null string.
NOTE: Because of data backup and migration, changing the DB instance type and
storage takes 15~20 minutes. Prepare fully before changing them.

» Attributes Reference

The following attributes are exported:


• id - The RDS instance ID.
• engine - Database type.
• port - RDS database connection port.
• connection_string - RDS database connection string.

» Timeouts

NOTE: Available in 1.52.1+.


The timeouts block allows you to specify timeouts for certain actions:
• create - (Defaults to 20 mins) Used when creating the db instance (until
it reaches the initial Running status).
• update - (Defaults to 30 mins) Used when updating the db instance (until
it reaches the initial Running status).
• delete - (Defaults to 20 mins) Used when terminating the db instance.

» Import

RDS readonly instance can be imported using the id, e.g.


$ terraform import alicloud_db_readonly_instance.example rm-abc12345678

» alicloud_slb_acls
This data source provides the acls in the region.

» Example Usage

data "alicloud_slb_acls" "sample_ds" {


}

output "first_slb_acl_id" {
value = "${data.alicloud_slb_acls.sample_ds.acls.0.id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of acls IDs to filter results.
• name_regex - (Optional) A regex string to filter results by acl name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• resource_group_id - (Optional, ForceNew, Available in 1.60.0+) The Id
of resource group which acl belongs.
• tags - (Optional, Available in v1.66.0+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of SLB acls IDs.
• names - A list of SLB acls names.
• acls - A list of SLB acls. Each element contains the following attributes:
– id - Acl ID.
– name - Acl name.
– entry_list - A list of entries (IP addresses or CIDR blocks). Each
entry contains two sub-fields, described in the Entry Block below.
– related_listeners - A list of listeners the acl is attached to. Each
listener contains four sub-fields, described in the Listener Block below.
– tags - A mapping of tags to assign to the resource.
– resource_group_id - Resource group ID.

» Entry Block

The entry mapping supports the following:
• entry - An IP address or CIDR block.
• comment - The comment of the entry.

» Listener Block

The Listener mapping supports the following:


• load_balancer_id - the ID of the load balancer instance the listener
belongs to.
• frontend_port - the listener port.
• protocol - the listener protocol (such as tcp/udp/http/https, etc).
• acl_type - the type of acl (such as white/black).

» alicloud_slb_attachments
This data source provides the server load balancer attachments of the current
Alibaba Cloud user.

» Example Usage

data "alicloud_slb_attachments" "sample_ds" {


load_balancer_id = "${alicloud_slb.sample_slb.id}"
}

output "first_slb_attachment_instance_id" {
value = "${data.alicloud_slb_attachments.sample_ds.slb_attachments.0.instance_id}"
}

» Argument Reference

The following arguments are supported:


• load_balancer_id - ID of the SLB with attachments.
• instance_ids - (Optional) List of attached ECS instance IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• slb_attachments - A list of SLB attachments. Each element contains the
following attributes:
– instance_id - ID of the attached ECS instance.
– weight - Weight associated to the ECS instance.

» alicloud_slb_backend_servers
This data source provides the server load balancer backend servers related to a
server load balancer.
NOTE: Available in 1.53.0+

» Example Usage

data "alicloud_slb_backend_servers" "sample_ds" {


load_balancer_id = "${alicloud_slb.sample_slb.id}"
}

output "first_slb_backend_server_id" {
value = "${data.alicloud_slb_backend_servers.sample_ds.backend_servers.0.id}"
}

» Argument Reference

The following arguments are supported:


• load_balancer_id - ID of the SLB with attachments.
• ids - (Optional) List of attached ECS instance IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• backend_servers -
– id - backend server ID.
– weight - Weight associated to the ECS instance.
– server_type - Type of the backend server.

» alicloud_slb_ca_certificates
This data source provides the CA certificate list.

» Example Usage

data "alicloud_slb_ca_certificates" "sample_ds" {


}

output "first_slb_ca_certificate_id" {
value = "${data.alicloud_slb_ca_certificates.sample_ds.certificates.0.id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of ca certificates IDs to filter results.
• name_regex - (Optional) A regex string to filter results by ca certificate
name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• resource_group_id - (Optional, ForceNew, Available in 1.60.0+) The Id
of resource group which ca certificates belongs.
• tags - (Optional, Available in v1.66.0+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of SLB ca certificates IDs.
• names - A list of SLB ca certificates names.
• certificates - A list of SLB ca certificates. Each element contains the
following attributes:
– id - CA certificate ID.
– name - CA certificate name.
– fingerprint - CA certificate fingerprint.
– common_name - CA certificate common name.
– expired_time - CA certificate expired time.
– expired_timestamp - CA certificate expired timestamp.
– created_time - CA certificate created time.
– created_timestamp - CA certificate created timestamp.
– resource_group_id - The resource group Id of CA certificate.
– region_id - The region Id of CA certificate.
– tags - (Available in v1.66.0+) A mapping of tags to assign to the
resource.

» alicloud_slb_listeners
This data source provides the listeners related to a server load balancer of the
current Alibaba Cloud user.

» Example Usage

data "alicloud_slb_listeners" "sample_ds" {


load_balancer_id = "${alicloud_slb.sample_slb.id}"
}

output "first_slb_listener_protocol" {
value = "${data.alicloud_slb_listeners.sample_ds.slb_listeners.0.protocol}"
}

» Argument Reference

The following arguments are supported:


• load_balancer_id - (Required) ID of the SLB with listeners.
• protocol - (Optional) Filter listeners by the specified protocol. Valid
values: http, https, tcp and udp.
• frontend_port - (Optional) Filter listeners by the specified frontend port.
• description_regex - (Optional, Available in 1.69.0+) A regex string to
filter results by SLB listener description.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• slb_listeners - A list of SLB listeners. Each element contains the fol-
lowing attributes:
– frontend_port - Frontend port used to receive incoming traffic and
distribute it to the backend servers.
– backend_port - Port opened on the backend server to receive re-
quests.
– protocol - Listener protocol. Possible values: http, https, tcp and
udp.
– status - Listener status.
– security_status - Security status. Only available when the protocol
is https.
– bandwidth - Peak bandwidth. If the value is set to -1, the listener is
not limited by bandwidth.
– scheduler - Algorithm used to distribute traffic. Possible values:
wrr (weighted round robin), wlc (weighted least connection) and rr
(round robin).
– server_group_id - ID of the linked VServer group.
– master_slave_server_group_id - ID of the active/standby server
group.
– persistence_timeout - Timeout value of the TCP connection in
seconds. If the value is 0, the session persistence function is disabled.
Only available when the protocol is tcp.
– established_timeout - Connection timeout in seconds for the Layer
4 TCP listener. Only available when the protocol is tcp.
– sticky_session - Indicate whether session persistence is enabled or
not. If enabled, all session requests from the same client are sent
to the same backend server. Possible values are on and off. Only
available when the protocol is http or https.
– sticky_session_type - Method used to handle the cookie. Possible
values are insert (cookie added to the response) and server (cookie
set by the backend server). Only available when the protocol is http
or https and sticky_session is on.
– cookie_timeout - Cookie timeout in seconds. Only available when
the sticky_session_type is insert.
– cookie - Cookie configured by the backend server. Only available
when the sticky_session_type is server.
– health_check - Indicate whether health check is enabled or not. Possible
values are on and off.
– health_check_type - Health check method. Possible values are tcp
and http. Only available when the protocol is tcp.
– health_check_domain - Domain name used for health check. The
SLB sends HTTP head requests to the backend server; the domain is
useful when the backend server verifies the host field in the requests.
Only available when the protocol is http, https or tcp (in this case
health_check_type must be http).
– health_check_uri - URI used for health check. Only available when
the protocol is http, https or tcp (in this case health_check_type
must be http).
– health_check_connect_port - Port used for health check.
– health_check_connect_timeout - Amount of time in seconds to
wait for the response for a health check.
– healthy_threshold - Number of consecutive successes of health
check performed on the same ECS instance (from failure to success).
– unhealthy_threshold - Number of consecutive failures of health
check performed on the same ECS instance (from success to failure).
– health_check_timeout - Amount of time in seconds to wait for the
response from a health check. If an ECS instance sends no response
within the specified timeout period, the health check fails. Only
available when the protocol is http or https.
– health_check_interval - Time interval between two consecutive
health checks.
– health_check_http_code - HTTP status codes indicating that the
health check is normal. It can contain several comma-separated val-
ues such as ”http_2xx,http_3xx”. Only available when the protocol
is http, https or tcp (in this case health_check_type must be http).
– gzip - Indicate whether Gzip compression is enabled or not. Possible
values are on and off. Only available when the protocol is http or
https.
– ssl_certificate_id - ID of the server certificate. Only available
when the protocol is https.
– ca_certificate_id - ID of the CA certificate (only required when
two-way authentication is used). Only available when the protocol is
https.
– x_forwarded_for - Indicate whether the HTTP header field ”X-
Forwarded-For” is added or not; it allows the backend server to know
about the user’s IP address. Possible values are on and off. Only
available when the protocol is http or https.
– x_forwarded_for_slb_ip - Indicate whether the HTTP header field
”X-Forwarded-For_SLBIP” is added or not; it allows the backend
server to know about the SLB IP address. Possible values are on and
off. Only available when the protocol is http or https.
– x_forwarded_for_slb_id - Indicate whether the HTTP header field
”X-Forwarded-For_SLBID” is added or not; it allows the backend
server to know about the SLB ID. Possible values are on and off.
Only available when the protocol is http or https.
– x_forwarded_for_slb_proto - Indicate whether the HTTP header
field ”X-Forwarded-For_proto” is added or not; it allows the backend
server to know about the user’s protocol. Possible values are on and
off. Only available when the protocol is http or https.
– idle_timeout - Idle timeout of an established connection on an http or
https listener. Valid value range: [1-60] in seconds. Default to 15.
– request_timeout - Timeout of an http or https listener request that gets
no response from the backend. Valid value range: [1-180] in seconds.
Default to 60.
– enable_http2 - Whether http2 support is enabled on the https listener.
Valid values are on and off. Default to on.
– tls_cipher_policy - Https listener TLS cipher policy. Valid
values are tls_cipher_policy_1_0, tls_cipher_policy_1_1,
tls_cipher_policy_1_2, tls_cipher_policy_1_2_strict. Default to
tls_cipher_policy_1_0.
– description - The description of slb listener.
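
One way to audit the listener attributes listed above, as an added example rather than code from the provider. It assumes the slb_listeners elements were exported to JSON (for instance through output_file, whose exact layout is an assumption here), uses constructed sample data, and treats the documented order of tls_cipher_policy values as weakest to strongest, an assumption based on the policy names.

```python
import json

# Valid values in the order the attribute reference lists them. Reading that
# order as weakest to strongest is an assumption drawn from the names.
TLS_POLICIES = [
    "tls_cipher_policy_1_0",
    "tls_cipher_policy_1_1",
    "tls_cipher_policy_1_2",
    "tls_cipher_policy_1_2_strict",
]
DEFAULT_POLICY = "tls_cipher_policy_1_0"  # documented default


def audit_listener(listener, min_policy="tls_cipher_policy_1_2"):
    """Return finding strings for one slb_listeners element."""
    findings = []
    protocol = listener.get("protocol")
    if protocol == "http":
        findings.append("cleartext http listener")
    elif protocol == "https":
        # An absent value means the documented default is in effect.
        policy = listener.get("tls_cipher_policy") or DEFAULT_POLICY
        if policy not in TLS_POLICIES:
            findings.append(f"unknown tls_cipher_policy {policy!r}")
        elif TLS_POLICIES.index(policy) < TLS_POLICIES.index(min_policy):
            findings.append(f"{policy} is below required {min_policy}")
    # x_forwarded_for only exists on http and https listeners.
    if protocol in ("http", "https") and listener.get("x_forwarded_for") != "on":
        findings.append("x_forwarded_for is off, so backends cannot log the client IP")
    return findings


def audit_listeners(listeners, min_policy="tls_cipher_policy_1_2"):
    """Map 'protocol/port' to findings, ordered by port; clean listeners are omitted."""
    if min_policy not in TLS_POLICIES:
        raise ValueError(f"unknown minimum policy {min_policy!r}")
    report = {}
    ordered = sorted(
        listeners,
        key=lambda item: (item.get("frontend_port", 0), item.get("protocol", "")),
    )
    for listener in ordered:
        findings = audit_listener(listener, min_policy)
        if findings:
            key = f"{listener.get('protocol')}/{listener.get('frontend_port')}"
            report[key] = findings
    return report


# Constructed sample: one record per listener, using attribute names from
# the reference above.
SAMPLE_LISTENERS = json.loads("""
[
  {"frontend_port": 443,  "protocol": "https",
   "tls_cipher_policy": "tls_cipher_policy_1_0", "x_forwarded_for": "on"},
  {"frontend_port": 8443, "protocol": "https",
   "tls_cipher_policy": "tls_cipher_policy_1_2_strict", "x_forwarded_for": "off"},
  {"frontend_port": 80,   "protocol": "http", "x_forwarded_for": "on"},
  {"frontend_port": 3306, "protocol": "tcp"},
  {"frontend_port": 9443, "protocol": "https", "x_forwarded_for": "on"}
]
""")

if __name__ == "__main__":
    for key, findings in audit_listeners(SAMPLE_LISTENERS).items():
        for message in findings:
            print(f"{key}: {message}")
```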

» alicloud_slb_master_slave_server_groups
This data source provides the master slave server groups related to a server load
balancer.
NOTE: Available in 1.54.0+

» Example Usage

data "alicloud_slb_master_slave_server_groups" "sample_ds" {


load_balancer_id = "${alicloud_slb.sample_slb.id}"
}

output "first_slb_server_group_id" {
value = "${data.alicloud_slb_master_slave_server_groups.sample_ds.groups.0.id}"
}

» Argument Reference

The following arguments are supported:


• load_balancer_id - ID of the SLB.
• ids - (Optional) A list of master slave server group IDs to filter results.
• name_regex - (Optional) A regex string to filter results by master slave
server group name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of SLB master slave server groups IDs.
• names - A list of SLB master slave server groups names.
• groups - A list of SLB master slave server groups. Each element contains
the following attributes:
– id - master slave server group ID.
– name - master slave server group name.
– servers - ECS instances associated to the group. Each element
contains the following attributes:
– instance_id - ID of the attached ECS instance.
– weight - Weight associated to the ECS instance.
– port - The port used by the master slave server group.
– server_type - The server type of the attached ECS instance.
– is_backup - (Removed from v1.63.0) Determine if the server is exe-
cuting.

» alicloud_slb_rules
This data source provides the rules associated with a server load balancer lis-
tener.

» Example Usage

data "alicloud_slb_rules" "sample_ds" {


load_balancer_id = "${alicloud_slb.sample_slb.id}"
frontend_port = 80
}

output "first_slb_rule_id" {
value = "${data.alicloud_slb_rules.sample_ds.slb_rules.0.id}"
}

» Argument Reference

The following arguments are supported:


• load_balancer_id - ID of the SLB with listener rules.
• frontend_port - SLB listener port.
• ids - (Optional) A list of rules IDs to filter results.
• name_regex - (Optional) A regex string to filter results by rule name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of SLB listener rules IDs.
• names - A list of SLB listener rules names.
• slb_rules - A list of SLB listener rules. Each element contains the fol-
lowing attributes:
– id - Rule ID.
– name - Rule name.
– domain - Domain name in the HTTP request where the rule applies
(e.g. ”*.aliyun.com”).
– url - Path in the HTTP request where the rule applies (e.g. ”/im-
age”).
– server_group_id - ID of the linked VServer group.

» alicloud_slb_server_certificates
This data source provides the server certificate list.

» Example Usage

data "alicloud_slb_server_certificates" "sample_ds" {


}

output "first_slb_server_certificate_id" {
value = "${data.alicloud_slb_server_certificates.sample_ds.certificates.0.id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of server certificates IDs to filter results.
• name_regex - (Optional) A regex string to filter results by server certificate
name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• resource_group_id - (Optional, ForceNew, Available in 1.58.0+) The Id
of the resource group to which the slb server certificates belong.
• tags - (Optional, Available in v1.66.0+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of SLB server certificates IDs.
• names - A list of SLB server certificates names.
• certificates - A list of SLB server certificates. Each element contains
the following attributes:
– id - Server certificate ID.
– name - Server certificate name.
– fingerprint - Server certificate fingerprint.
– common_name - Server certificate common name.
– subject_alternative_names - Server certificate subject alternative
name list.
– expired_time - Server certificate expired time.
– expired_timestamp - Server certificate expired timestamp.
– created_time - Server certificate created time.
– created_timestamp - Server certificate created timestamp.
– alicloud_certificate_id - Id of the server certificate issued by Alibaba
Cloud.
– alicloud_certificate_name - Name of the server certificate issued by
Alibaba Cloud.
– is_alicloud_certificate - Whether the server certificate is issued by
Alibaba Cloud or not.
– resource_group_id - The Id of resource group which the slb server
certificates belongs.
– tags - (Available in v1.66.0+) A mapping of tags to assign to the
resource.

» alicloud_slb_server_groups
This data source provides the VServer groups related to a server load balancer.

» Example Usage

data "alicloud_slb_server_groups" "sample_ds" {


load_balancer_id = "${alicloud_slb.sample_slb.id}"
}

output "first_slb_server_group_id" {
value = "${data.alicloud_slb_server_groups.sample_ds.slb_server_groups.0.id}"
}

» Argument Reference

The following arguments are supported:


• load_balancer_id - ID of the SLB.
• ids - (Optional) A list of VServer group IDs to filter results.
• name_regex - (Optional) A regex string to filter results by VServer group
name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of SLB VServer groups IDs.
• names - A list of SLB VServer groups names.
• slb_server_groups - A list of SLB VServer groups. Each element con-
tains the following attributes:
– id - VServer group ID.
– name - VServer group name.
– servers - ECS instances associated to the group. Each element
contains the following attributes:
– instance_id - ID of the attached ECS instance.
– weight - Weight associated to the ECS instance.

» alicloud_slbs
This data source provides the server load balancers of the current Alibaba Cloud
user.

» Example Usage

data "alicloud_slbs" "slbs_ds" {


name_regex = "sample_slb"
}

output "first_slb_id" {
value = "${data.alicloud_slbs.slbs_ds.slbs.0.id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of SLBs IDs.
• name_regex - (Optional) A regex string to filter results by SLB name.
• master_availability_zone - (Optional) Master availability zone of the
SLBs.
• slave_availability_zone - (Optional) Slave availability zone of the
SLBs.
• network_type - (Optional) Network type of the SLBs. Valid values: vpc
and classic.
• vpc_id - (Optional) ID of the VPC linked to the SLBs.
• vswitch_id - (Optional) ID of the VSwitch linked to the SLBs.
• address - (Optional) Service address of the SLBs.
• tags - (Optional) A map of tags assigned to the SLB instances. A maximum
of 5 tags can be specified. It must be in the format:

data "alicloud_slbs" "taggedInstances" {
  tags = {
    tagKey1 = "tagValue1",
    tagKey2 = "tagValue2"
  }
}

• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• resource_group_id - (Optional, ForceNew, Available in 1.60.0+) The Id
of resource group which SLB belongs.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of slb IDs.
• names - A list of slb names.
• slbs - A list of SLBs. Each element contains the following attributes:
– id - ID of the SLB.
– region_id - Region ID the SLB belongs to.
– master_availability_zone - Master availability zone of the SLBs.
– slave_availability_zone - Slave availability zone of the SLBs.
– status - SLB current status. Possible values: inactive, active and
locked.
– name - SLB name.
– network_type - Network type of the SLB. Possible values: vpc and
classic.
– vpc_id - ID of the VPC the SLB belongs to.
– vswitch_id - ID of the VSwitch the SLB belongs to.
– address - Service address of the SLB.
– internet - SLB addressType: internet if true, intranet if false.
Must be false when network_type is vpc.
– creation_time - SLB creation time.
– tags - A map of tags assigned to the SLB instance.

» alicloud_slb_domain_extensions
This data source provides the domain extensions associated with a server load
balancer listener.
NOTE: Available in 1.60.0+

» Example Usage

data "alicloud_slb_domain_extensions" "foo" {


ids = ["fake-de-id"]
load_balancer_id = "fake-lb-id"
frontend_port = "fake-port"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) IDs of the SLB domain extensions.
• load_balancer_id - (Required) The ID of the SLB instance.
• frontend_port - (Required) The frontend port used by the HTTPS lis-
tener of the SLB instance. Valid values: 1–65535.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• extensions - A list of SLB domain extension. Each element contains the
following attributes:
– id - The ID of the domain extension.
– domain - The domain name.
– server_certificate_id - The ID of the certificate used by the do-
main name.

» alicloud_slb_zones
This data source provides availability zones for SLB that can be accessed by an
Alibaba Cloud account within the region configured in the provider.
NOTE: Available in v1.73.0+.

» Example Usage

# Declare the data source


data "alicloud_slb_zones" "zones_ids" {}

» Argument Reference

The following arguments are supported:


• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• enable_details - (Optional) Defaults to false, in which case only id is
output in the zones block. Set it to true to output more details.
• available_slb_address_type - (Optional) Filter the results by an
SLB instance address type. Can be either Vpc, classic_internet or
classic_intranet.
• available_slb_address_ip_version - (Optional) Filter the results by an
SLB instance address version. Can be either ipv4 or ipv6.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of zone IDs.
• zones - A list of availability zones. Each element contains the following
attributes:
– id - ID of the zone.
– slb_slave_zone_ids - A list of SLB slave zone IDs associated with the
SLB master zone.

» alicloud_slb
Provides an Application Load Balancer resource.
NOTE: At present, to avoid unnecessary regulatory confusion, SLB does not
support Alibaba Cloud international accounts creating "paybybandwidth" instances.
NOTE: The supported specifications vary by region. Currently not all regions
support guaranteed-performance instances. For more details about
guaranteed-performance instances, see Guaranteed-performance instances.

» Example Usage

variable "name" {
  default = "terraformtestslbconfig"
}

data "alicloud_zones" "default" {
  available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/21"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_slb" "default" {
  name          = "${var.name}"
  specification = "slb.s2.small"
  vswitch_id    = "${alicloud_vswitch.default.id}"
  tags = {
    tag_a = 1
    tag_b = 2
    tag_c = 3
    tag_d = 4
    tag_e = 5
    tag_f = 6
    tag_g = 7
    tag_h = 8
    tag_i = 9
    tag_j = 10
  }
}

» Argument Reference

The following arguments are supported:


• name - (Optional) The name of the SLB. This name must be unique within
your AliCloud account, can have a maximum of 80 characters, must contain
only alphanumeric characters or hyphens, such as "-", "/", ".", "_", and
must not begin or end with a hyphen. If not specified, Terraform will
autogenerate a name beginning with tf-lb.
• internet - (Deprecated) Field 'internet' has been deprecated from
provider version 1.55.3. Use 'address_type' instead.
• address_type - (Optional, ForceNew, Available in 1.55.3+) The network
type of the SLB instance. Valid values: ["internet", "intranet"]. If the load
balancer is launched in a VPC, this value must be "intranet".
– internet: After an Internet SLB instance is created, the system
allocates a public IP address so that the instance can forward requests
from the Internet.
– intranet: After an intranet SLB instance is created, the system
allocates an intranet IP address so that the instance can only forward
intranet requests.
• internet_charge_type - (Optional, ForceNew) Valid values are
PayByBandwidth, PayByTraffic. If this value is "PayByBandwidth",
then argument "internet" must be "true". Default is "PayByTraffic". If the
load balancer is launched in a VPC, this value must be "PayByTraffic". Before
version 1.10.1, the valid values are "paybybandwidth" and "paybytraffic".
• bandwidth - (Optional) Valid value is between 1 and 1000. If argument
"internet_charge_type" is "paybytraffic", then this value will be ignored.
• vswitch_id - (Required for a VPC SLB, Forces New Resource) The
VSwitch ID to launch in. If address_type is internet, it will be ignored.
• specification - (Optional) The specification of the Server Load Balancer
instance. Defaults to an empty string, indicating a "Shared-Performance"
instance. To launch a "Performance-guaranteed" instance, it must be
specified; valid values are: "slb.s1.small", "slb.s2.small", "slb.s2.medium",
"slb.s3.small", "slb.s3.medium", "slb.s3.large" and "slb.s4.large".
• tags - (Optional) A mapping of tags to assign to the resource. Each load
balancer instance can have a maximum of 10 tags.
• instance_charge_type - (Optional, Available in v1.34.0+) The billing
method of the load balancer. Valid values are "PrePaid" and "PostPaid".
Default to "PostPaid".
• period - (Optional, Available in v1.34.0+) The duration that you will
buy the resource, in months. It is valid when instance_charge_type is
PrePaid. Default to 1. Valid values: [1-9, 12, 24, 36].
• master_zone_id - (Optional, ForceNew, Available in v1.36.0+) The
primary zone ID of the SLB instance. If not specified, the system assigns
one randomly. You can query the primary and standby zones in a
region by calling the DescribeZone API.
• slave_zone_id - (Optional, ForceNew, Available in v1.36.0+) The
standby zone ID of the SLB instance. If not specified, the system assigns
one randomly. You can query the primary and standby zones in a
region by calling the DescribeZone API.
• delete_protection - (Optional, Available in v1.51.0+) Whether to enable
deletion protection. on: Enable deletion protection. off: Disable
deletion protection. Default to off. Only postpaid instances
support this function.
• address_ip_version - (Optional, Available in v1.55.2+) The IP version
of the SLB instance to be created, which can be set to ipv4 or ipv6.
Default to "ipv4". Currently, only internet instances support ipv6 addresses.
• address - (Optional, Available in v1.55.2+) Specify the IP address of the
private network for the SLB instance, which must be in the destination
CIDR block of the corresponding switch.
• resource_group_id - (Optional, ForceNew, Available in v1.55.3+) The
ID of the resource group to which the SLB belongs.
NOTE: A "Shared-Performance" instance can be changed to
"Performance-guaranteed", but the change is irreversible.
NOTE: Changing a "Shared-Performance" instance to a
"Performance-guaranteed" instance may briefly interrupt business
(10 seconds-30 seconds). It is advised to make the change during a business
downturn, or to migrate business to other SLB instances by using GSLB before
changing.
NOTE: Currently, Alibaba Cloud international accounts do not support
creating a PrePaid SLB instance.

» Attributes Reference

The following attributes are exported:


• id - The ID of the load balancer.
• address - The IP address of the load balancer.

» Import

Load balancer can be imported using the id, e.g.


$ terraform import alicloud_slb.example lb-abc123456

» alicloud_slb_acl
An access control list contains multiple IP addresses or CIDR blocks. The access
control list lets you define access control across the listeners of multiple
instances, so that a single access control list can serve multiple uses.
Server Load Balancer allows you to configure access control for listeners. You
can configure different whitelists or blacklists for different listeners.
You can configure access control when you create a listener or change the access
control configuration after a listener is created.
NOTE: One access control list can be attached to many listeners in different
load balancers as a whitelist or blacklist.
NOTE: The maximum number of access control lists per region is 50.
NOTE: The maximum number of IP addresses added each time is 50.
NOTE: The maximum number of entries per access control list is 300.
NOTE: The maximum number of listeners that an access control list can be
added to is 50.
For information about slb and how to use it, see What is Server Load Balancer.
For information about acl and how to use it, see Configure an access control
list.

» Example Usage

variable "name" {
  default = "terraformslbaclconfig"
}

variable "ip_version" {
  default = "ipv4"
}

resource "alicloud_slb_acl" "default" {
  name       = "${var.name}"
  ip_version = "${var.ip_version}"
  entry_list {
    entry   = "10.10.10.0/24"
    comment = "first"
  }
  entry_list {
    entry   = "168.10.10.0/24"
    comment = "second"
  }
}

» Argument Reference

The following arguments are supported:


• name - (Required) Name of the access control list.
• ip_version - (Optional, ForceNew) The IP version of the access control list,
which is the type of its entries (IP addresses or CIDR blocks). Valid values:
ipv4 and ipv6. The plugin provides a default ip_version: "ipv4".
• entry_list - (Optional) A list of entries (IP addresses or CIDR blocks) to
be added. At most 50 entries are supported in one resource. It contains
two sub-fields, described in Entry Block below.
• tags - (Optional, Available in v1.66.0+) A mapping of tags to assign to
the resource.
• resource_group_id - (Optional, ForceNew, Available in v1.67.0+)
Resource group ID.

» Entry Block

The entry mapping supports the following:


• entry - (Required) An IP address or CIDR block.
• comment - (Optional) The comment of the entry.

» Attributes Reference

The following attributes are exported:


• id - The Id of the access control list.

» Import

Server Load balancer access control list can be imported using the id, e.g.
$ terraform import alicloud_slb_acl.example acl-abc123456

» alicloud_slb_attachment
Warning: This resource has been deprecated; please use
alicloud_backend_server instead.
Add a group of backend servers (ECS instances) to the Server Load Balancer or
remove them from it.

» Example Usage

variable "name" {
  default = "slbattachmenttest"
}

data "alicloud_zones" "default" {
  available_disk_category     = "cloud_efficiency"
  available_resource_creation = "VSwitch"
}

data "alicloud_instance_types" "default" {
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  cpu_core_count    = 1
  memory_size       = 2
}

data "alicloud_images" "default" {
  name_regex  = "^ubuntu_18.*64"
  most_recent = true
  owners      = "system"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/16"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_security_group" "default" {
  name   = "${var.name}"
  vpc_id = "${alicloud_vpc.default.id}"
}

resource "alicloud_instance" "default" {
  image_id                   = "${data.alicloud_images.default.images.0.id}"
  instance_type              = "${data.alicloud_instance_types.default.instance_types.0.id}"
  internet_charge_type       = "PayByTraffic"
  internet_max_bandwidth_out = "5"
  system_disk_category       = "cloud_efficiency"
  security_groups            = ["${alicloud_security_group.default.id}"]
  instance_name              = "${var.name}"
  vswitch_id                 = "${alicloud_vswitch.default.id}"
}

resource "alicloud_slb" "default" {
  name       = "${var.name}"
  vswitch_id = "${alicloud_vswitch.default.id}"
}

resource "alicloud_slb_attachment" "default" {
  load_balancer_id = "${alicloud_slb.default.id}"
  instance_ids     = ["${alicloud_instance.default.id}"]
  weight           = 90
}

» Argument Reference

The following arguments are supported:


• load_balancer_id - (Required) ID of the load balancer.
• instance_ids - (Required) A list of instance IDs to add as backend servers
of the SLB.
• weight - (Optional) Weight of the instances. Valid value range: [0-100].
Default to 100.
• server_type - (Optional, Available in 1.60.0+) Type of the instances.
Valid values: ecs, eni. Default to ecs.
• delete_protection_validation - (Optional, Available in 1.63.0+)
Whether to check DeleteProtection of the SLB instance before deleting. If
true, this resource will not be deleted when its SLB instance has
DeleteProtection enabled. Default to false.

» Attributes Reference

The following attributes are exported:


• id - ID of the resource.
• load_balancer_id - ID of the load balancer.
• instance_ids - A list of instance ids that have been added in the SLB.
• weight - Weight of the instances.
• backend_servers - The backend servers of the load balancer.
• server_type - Type of the instances.

» Import

Load balancer attachment can be imported using the id or load balancer id, e.g.
$ terraform import alicloud_slb_attachment.example lb-abc123456

» alicloud_slb_backend_server
Add a group of backend servers (ECS or ENI instance) to the Server Load
Balancer or remove them from it.
NOTE: Available in 1.53.0+

» Example Usage

variable "name" {
  default = "slbbackendservertest"
}

data "alicloud_zones" "default" {
  available_disk_category     = "cloud_efficiency"
  available_resource_creation = "VSwitch"
}

data "alicloud_instance_types" "default" {
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  cpu_core_count    = 1
  memory_size       = 2
}

data "alicloud_images" "default" {
  name_regex  = "^ubuntu_18.*64"
  most_recent = true
  owners      = "system"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/16"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_security_group" "default" {
  name   = "${var.name}"
  vpc_id = "${alicloud_vpc.default.id}"
}

resource "alicloud_instance" "default" {
  image_id                   = "${data.alicloud_images.default.images.0.id}"
  instance_type              = "${data.alicloud_instance_types.default.instance_types.0.id}"
  instance_name              = "${var.name}"
  count                      = "2"
  security_groups            = "${alicloud_security_group.default.*.id}"
  internet_charge_type       = "PayByTraffic"
  internet_max_bandwidth_out = "10"
  availability_zone          = "${data.alicloud_zones.default.zones.0.id}"
  instance_charge_type       = "PostPaid"
  system_disk_category       = "cloud_efficiency"
  vswitch_id                 = "${alicloud_vswitch.default.id}"
}

resource "alicloud_slb" "default" {
  name       = "${var.name}"
  vswitch_id = "${alicloud_vswitch.default.id}"
}

resource "alicloud_slb_backend_server" "default" {
  load_balancer_id = "${alicloud_slb.default.id}"

  backend_servers {
    server_id = "${alicloud_instance.default.0.id}"
    weight    = 100
  }

  backend_servers {
    server_id = "${alicloud_instance.default.1.id}"
    weight    = 100
  }
}

» Argument Reference

The following arguments are supported:


• load_balancer_id - (Required) ID of the load balancer.
• backend_servers - (Required) A list of instances to add as backend servers
of the SLB. It contains three sub-fields, described in Block servers below.
• delete_protection_validation - (Optional, Available in 1.63.0+)
Whether to check DeleteProtection of the SLB instance before deleting. If
true, this resource will not be deleted when its SLB instance has
DeleteProtection enabled. Default to false.

» Block servers

The servers mapping supports the following:


• server_id - (Required) The backend server ID (ECS instance ID).
• weight - (Optional) Weight of the backend server. Valid value range:
[0-100].
• type - (Optional) Type of the backend server. Valid values: ecs, eni.
Default to eni.

» Attributes Reference

The following attributes are exported:


• id - The ID of the resource. Its value is the same as the load balancer ID.

» Import

Load balancer backend server can be imported using the load balancer id.
$ terraform import alicloud_slb_backend_server.example lb-abc123456

» alicloud_slb_ca_certificate
A Load Balancer CA Certificate is used by the listener of the protocol https.
For information about slb and how to use it, see What is Server Load Balancer.
For information about CA Certificate and how to use it, see Configure CA
Certificate.

» Example Usage

• using CA certificate content

# create a CA certificate
resource "alicloud_slb_ca_certificate" "foo" {
  name           = "tf-testAccSlbCACertificate"
  ca_certificate = "-----BEGIN CERTIFICATE-----\nMIIDRjCCAq+gAwIBAgIJAJnI******90EAxEG/bJJyO
}

• using CA certificate file

resource "alicloud_slb_ca_certificate" "foo-file" {
  name           = "tf-testAccSlbCACertificate"
  ca_certificate = "${file("${path.module}/ca_certificate.pem")}"
}

» Argument Reference

The following arguments are supported:


• name - (Optional) Name of the CA Certificate.
• ca_certificate - (Required, ForceNew) the content of the CA certificate.
• resource_group_id - (Optional, ForceNew, Available in 1.58.0+) The ID
of the resource group to which the slb_ca certificate belongs.
• tags - (Optional, Available in v1.66.0+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported:

• id - The ID of the CA Certificate.

» Import

Server Load balancer CA Certificate can be imported using the id, e.g.
$ terraform import alicloud_slb_ca_certificate.example abc123456

» alicloud_slb_listener
Provides an Application Load Balancer Listener resource.
For information about slb and how to use it, see What is Server Load Balancer.
For information about listeners and how to use them, see the following:
• Configure a HTTP Listener.
• Configure a HTTPS Listener.
• Configure a TCP Listener.
• Configure a UDP Listener.

» Example Usage

variable "name" {
  default = "testcreatehttplistener"
}

variable "ip_version" {
  default = "ipv4"
}

resource "alicloud_slb" "default" {
  name                 = "tf-testAccSlbListenerHttp"
  internet_charge_type = "PayByTraffic"
  internet             = true
}

resource "alicloud_slb_listener" "default" {
  load_balancer_id          = "${alicloud_slb.default.id}"
  backend_port              = 80
  frontend_port             = 80
  protocol                  = "http"
  bandwidth                 = 10
  sticky_session            = "on"
  sticky_session_type       = "insert"
  cookie_timeout            = 86400
  cookie                    = "testslblistenercookie"
  health_check              = "on"
  health_check_domain       = "ali.com"
  health_check_uri          = "/cons"
  health_check_connect_port = 20
  healthy_threshold         = 8
  unhealthy_threshold       = 8
  health_check_timeout      = 8
  health_check_interval     = 5
  health_check_http_code    = "http_2xx,http_3xx"
  x_forwarded_for {
    retrive_slb_ip = true
    retrive_slb_id = true
  }
  acl_status      = "on"
  acl_type        = "white"
  acl_id          = "${alicloud_slb_acl.default.id}"
  request_timeout = 80
  idle_timeout    = 30
}

resource "alicloud_slb_acl" "default" {
  name       = "${var.name}"
  ip_version = "${var.ip_version}"
  entry_list {
    entry   = "10.10.10.0/24"
    comment = "first"
  }
  entry_list {
    entry   = "168.10.10.0/24"
    comment = "second"
  }
}

» Argument Reference

The following arguments are supported:


• load_balancer_id - (Required, ForceNew) The Load Balancer ID which
is used to launch a new listener.
• frontend_port - (Required, ForceNew) Port used by the Server Load
Balancer instance frontend. Valid value range: [1-65535].
• backend_port - (Optional, ForceNew) Port used by the Server Load Bal-
ancer instance backend. Valid value range: [1-65535].
• protocol - (Required, ForceNew) The protocol to listen on. Valid values
are [http, https, tcp, udp].
• bandwidth - (Optional) Bandwidth peak of Listener. For the public net-
work instance charged per traffic consumed, the Bandwidth on Listener
can be set to -1, indicating the bandwidth peak is unlimited. Valid values
are [-1, 1-1000] in Mbps.
• description - (Optional, Available in 1.69.0+) The description of slb
listener. This description can have a string of 1 to 80 characters. Default
value: null.
• scheduler - (Optional) Scheduling algorithm, Valid values are wrr, rr
and wlc. Default to ”wrr”.
• sticky_session - (Optional) Whether to enable session persistence, Valid
values are on and off. Default to off.
• sticky_session_type - (Optional) Mode for handling the cookie. If
sticky_session is ”on”, it is mandatory. Otherwise, it will be ignored.
Valid values are insert and server. insert means it is inserted from
Server Load Balancer; server means the Server Load Balancer learns
from the backend server.
• cookie_timeout - (Optional) Cookie timeout. It is mandatory when
sticky_session is ”on” and sticky_session_type is ”insert”. Other-
wise, it will be ignored. Valid value range: [1-86400] in seconds.
• cookie - (Optional) The cookie configured on the server. It is mandatory
when sticky_session is "on" and sticky_session_type is "server".
Otherwise, it will be ignored. Valid value: String in line with RFC 2965,
with length being 1-200. It only contains characters such as ASCII codes,
English letters and digits instead of the comma, semicolon or spacing, and
it cannot start with $.
• persistence_timeout - (Optional) Timeout of connection persistence.
Valid value range: [0-3600] in seconds. Default to 0, which means it is
disabled.
• health_check - (Optional) Whether to enable health check. Valid values
are on and off. TCP and UDP listener's HealthCheck is always on, so it
will be ignored when launching a TCP or UDP listener.
• health_check_type - (Optional) Type of health check. Valid values are:
tcp and http. Default to tcp. TCP supports TCP and HTTP health
check mode; you can select the particular mode depending on your
application.
• health_check_domain - (Optional) Domain name used for health check.
When it is used to launch a TCP listener, health_check_type must be "http".
Its length is limited to 1-80 and only characters such as letters, digits, '-'
and '.' are allowed. When it is not set or empty, Server Load Balancer uses
the private network IP address of each backend server as the domain used for
health check.
• health_check_uri - (Optional) URI used for health check. When it is used
to launch a TCP listener, health_check_type must be "http". Its length is
limited to 1-80 and it must start with /. Only characters such as letters,
digits, '-', '/', '.', '%', '?', '#' and '&' are allowed.
• health_check_connect_port - (Optional) Port used for health check.
Valid value range: [1-65535]. Default to ”None” means the backend server
port is used.
• healthy_threshold - (Optional) Threshold determining the result of the
health check is success. It is required when health_check is on. Valid
value range: [1-10] in seconds. Default to 3.
• unhealthy_threshold - (Optional) Threshold determining the result of
the health check is fail. It is required when health_check is on. Valid
value range: [1-10] in seconds. Default to 3.
• health_check_timeout - (Optional) Maximum timeout of each
health check response. It is required when health_check is on.
Valid value range: [1-300] in seconds. Default to 5. Note: If
health_check_timeout < health_check_interval, it will be
replaced by health_check_interval.
• health_check_interval - (Optional) Time interval of health checks. It
is required when health_check is on. Valid value range: [1-50] in seconds.
Default to 2.
• health_check_http_code - (Optional) Regular health check HTTP sta-
tus code. Multiple codes are segmented by “,”. It is required when
health_check is on. Default to http_2xx. Valid values are: http_2xx,
http_3xx, http_4xx and http_5xx.
• health_check_method - (Optional, Available in 1.70.0+) HealthCheckMethod
used for health check. For http and https, the supported regions are
ap-northeast-1, ap-southeast-1, ap-southeast-2, ap-southeast-3, us-east-1,
us-west-1, eu-central-1, ap-south-1, me-east-1, cn-huhehaote, cn-zhangjiakou,
ap-southeast-5, cn-shenzhen, cn-hongkong, cn-qingdao, cn-chengdu,
eu-west-1, cn-hangzhou, cn-beijing, cn-shanghai. This function does not
support the TCP protocol.
• ssl_certificate_id - (Deprecated) It has been deprecated from 1.59.0;
use server_certificate_id instead.
• server_certificate_id - (Optional, Available in 1.59.0+) SLB Server
certificate ID. It is required when protocol is https.
• gzip - (Optional) Whether to enable ”Gzip Compression”. If enabled,
files of specific file types will be compressed, otherwise, no files will be
compressed. Default to true. Available in v1.13.0+.
• x_forwarded_for - (Optional) Whether to set additional HTTP Header
field ”X-Forwarded-For” (documented below). Available in v1.13.0+.
• acl_status - (Optional) Whether to enable ”acl(access control list)”, the
acl is specified by acl_id. Valid values are on and off. Default to off.
• acl_type - (Optional) Mode for handling the acl specified by acl_id. If
acl_status is ”on”, it is mandatory. Otherwise, it will be ignored. Valid
values are white and black. white means the Listener can only be ac-
cessed by client ip belongs to the acl; black means the Listener can not
be accessed by client ip belongs to the acl.
• acl_id - (Optional) The ID of the access control list to be applied to the
listener, i.e. the ID of the resource alicloud_slb_acl. If acl_status is "on",
it is mandatory. Otherwise, it will be ignored.
• established_timeout - (Optional) Idle timeout of established connections
for a tcp listener. Valid value range: [10-900] in seconds. Default
to 900.
• idle_timeout - (Optional) Idle timeout of established connections for an
http or https listener. Valid value range: [1-60] in seconds. Default to
15.
• request_timeout - (Optional) Request timeout of an http or https listener
(for requests that get no response from the backend). Valid value range:
[1-180] in seconds. Default to 60.
• enable_http2 - (Optional) Whether to enable https listener support http2
or not. Valid values are on and off. Default to on.
• tls_cipher_policy - (Optional) Https listener TLS cipher policy.
Valid values are tls_cipher_policy_1_0, tls_cipher_policy_1_1,
tls_cipher_policy_1_2, tls_cipher_policy_1_2_strict. Default to
tls_cipher_policy_1_0. Currently the tls_cipher_policy can not be
updated when load balancer instance is ”Shared-Performance”.
• server_group_id - (Optional) The ID of the server group to be applied to
the listener, i.e. the ID of the resource alicloud_slb_server_group.
• listener_forward - (Optional, ForceNew, Available in 1.40.0+) Whether
to enable http redirect to https, Valid values are on and off. Default to
off.
• forward_port - (Optional, ForceNew, Available in 1.40.0+) The port that
http redirect to https.
• health_check_method - (Optional, ForceNew, Available in 1.70.0+) The
method of health check. Valid values: [”head”, ”get”].
• delete_protection_validation - (Optional, Available in 1.63.0+)
Whether to check DeleteProtection of the SLB instance before deleting. If
true, this resource will not be deleted when its SLB instance has
DeleteProtection enabled. Default to false.
NOTE: Once the http redirect to https function is enabled, any parameters
except forward_port, listener_forward, load_balancer_id, frontend_port and
protocol will be ignored. For more info, please refer to Redirect http to https.
NOTE: Advanced features such as tls_cipher_policy cannot be updated
when the load balancer instance is "Shared-Performance". For more info, please
refer to Configure a HTTPS Listener.
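
A hardened HTTPS listener built from the arguments above, as an added example that is not part of the provider documentation: it sets tls_cipher_policy explicitly instead of leaving the tls_cipher_policy_1_0 default, attaches a whitelist ACL, and redirects HTTP to HTTPS. The resource labels, the server_certificate_id variable and the 203.0.113.0/24 entry are assumptions made for illustration.

```hcl
# Added example; names and values are illustrative, not from the provider docs.
variable "name" {
  default = "tf-example-hardened-https"
}

# Assumption: ID of a server certificate that already exists in SLB.
variable "server_certificate_id" {}

resource "alicloud_slb" "hardened" {
  name         = "${var.name}"
  address_type = "internet"

  # A guaranteed-performance specification, because tls_cipher_policy cannot
  # be updated while the instance is "Shared-Performance".
  specification = "slb.s2.small"

  # Defaults to off; only postpaid instances support it.
  delete_protection = "on"
}

resource "alicloud_slb_acl" "clients" {
  name       = "${var.name}"
  ip_version = "ipv4"

  entry_list {
    entry   = "203.0.113.0/24" # constructed value (documentation range)
    comment = "allowed clients"
  }
}

resource "alicloud_slb_listener" "https" {
  load_balancer_id      = "${alicloud_slb.hardened.id}"
  frontend_port         = 443
  backend_port          = 80
  protocol              = "https"
  bandwidth             = 10
  server_certificate_id = "${var.server_certificate_id}"

  # Weak setting: leaving tls_cipher_policy unset keeps the documented
  # default, tls_cipher_policy_1_0. Corrected setting:
  tls_cipher_policy = "tls_cipher_policy_1_2_strict"

  # acl_status defaults to off. With acl_type "white", only client IPs in the
  # ACL can access the listener.
  acl_status = "on"
  acl_type   = "white"
  acl_id     = "${alicloud_slb_acl.clients.id}"

  # These fields are required once health_check is on.
  health_check           = "on"
  healthy_threshold      = 3
  unhealthy_threshold    = 3
  health_check_timeout   = 5
  health_check_interval  = 5
  health_check_http_code = "http_2xx"
}

# HTTP listener that only redirects to HTTPS. Once listener_forward is on,
# every argument other than the five set here is ignored.
resource "alicloud_slb_listener" "http_redirect" {
  load_balancer_id = "${alicloud_slb.hardened.id}"
  frontend_port    = 80
  protocol         = "http"
  listener_forward = "on"

  # Referencing the HTTPS listener's exported frontend_port also makes
  # Terraform create this listener after the HTTPS one.
  forward_port = "${alicloud_slb_listener.https.frontend_port}"
}
```

Because acl_status, acl_type and acl_id are among the arguments ignored on the redirect listener, the whitelist only takes effect on the HTTPS listener.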

» Block x_forwarded_for

The x_forwarded_for mapping supports the following:


• retrive_slb_ip - (Optional) Whether to use the XForwardedFor_SLBIP
header to obtain the public IP address of the SLB instance. Default to
false.
• retrive_slb_id - (Optional) Whether to use the XForwardedFor header
to obtain the ID of the SLB instance. Default to false.
• retrive_slb_proto - (Optional) Whether to use the XForwarded-
For_proto header to obtain the protocol used by the listener. Default to
false.

» Listener fields and protocol mapping

The load balancer supports four listener protocols: http, https, tcp and udp.
The following table shows which protocols support each listener parameter:

listener parameter         support protocol          value range
backend_port               http & https & tcp & udp  1-65535
frontend_port              http & https & tcp & udp  1-65535
protocol                   http & https & tcp & udp
bandwidth                  http & https & tcp & udp  -1 / 1-1000
scheduler                  http & https & tcp & udp  wrr, rr or wlc
sticky_session             http & https              on or off
sticky_session_type        http & https              insert or server
cookie_timeout             http & https              1-86400
cookie                     http & https
persistence_timeout        tcp & udp                 0-3600
health_check               http & https              on or off
health_check_type          tcp                       tcp or http
health_check_domain        http & https & tcp
health_check_method        http & https & tcp
health_check_uri           http & https & tcp
health_check_connect_port  http & https & tcp & udp  1-65535 or -520
healthy_threshold          http & https & tcp & udp  1-10
unhealthy_threshold        http & https & tcp & udp  1-10
health_check_timeout       http & https & tcp & udp  1-300
health_check_interval      http & https & tcp & udp  1-50
health_check_http_code     http & https & tcp        http_2xx,http_3xx,http_4xx,http_5xx
server_certificate_id      https
gzip                       http & https              true or false
x_forwarded_for            http & https
acl_status                 http & https & tcp & udp  on or off
acl_type                   http & https & tcp & udp  white or black
acl_id                     http & https & tcp & udp  the id of resource alicloud_slb_acl
established_timeout        tcp                       10-900
idle_timeout               http & https              1-60
request_timeout            http & https              1-180
enable_http2               https                     on or off
tls_cipher_policy          https                     tls_cipher_policy_1_0, tls_cipher_policy_1_1,
server_group_id            http & https & tcp & udp  the id of resource alicloud_slb_server_group

The listener mapping supports the following:

» Attributes Reference

The following attributes are exported:


• id - The ID of the load balancer listener. Its format is <load_balancer_id>:<protocol>:<frontend_por
Before version 1.57.1, the format was <load_balancer_id>:<frontend_port>.
• load_balancer_id - The Load Balancer ID which is used to launch a new
listener.
• frontend_port - Port used by the Server Load Balancer instance frontend.
• backend_port - Port used by the Server Load Balancer instance backend.
• protocol - The protocol to listen on.
• bandwidth - Bandwidth peak of Listener.
• scheduler - Scheduling algorithm.
• sticky_session - Whether to enable session persistence.
• sticky_session_type - Mode for handling the cookie.
• cookie_timeout - Cookie timeout.
• cookie - The cookie configured on the server.
• persistence_timeout - Timeout of connection persistence.
• health_check - Whether to enable health check.
• health_check_type - Type of health check.
• health_check_domain - Domain name used for health check.
• health_check_method - HealthCheckMethod used for health check.
• health_check_uri - URI used for health check.
• health_check_connect_port - Port used for health check.

• healthy_threshold - Threshold determining the result of the health check
is success.
• unhealthy_threshold - Threshold determining the result of the health
check is fail.
• health_check_timeout - Maximum timeout of each health check
response.
• health_check_interval - Time interval of health checks.
• health_check_http_code - Regular health check HTTP status code.
• server_certificate_id - (Optional) Security certificate ID.

» Import

Load balancer listener can be imported using the id, e.g.


$ terraform import alicloud_slb_listener.example "lb-abc123456:22"

» alicloud_slb_master_slave_server_group
A master slave server group contains two ECS instances. The master slave
server group can help you define multiple listening dimensions.
NOTE: One ECS instance can be added to multiple master slave server
groups.
NOTE: One master slave server group can only contain two ECS instances, which
are the master server and the slave server.
NOTE: One master slave server group can be attached to tcp/udp listeners
in one load balancer.
NOTE: For a Classic and Internet load balancer, the master slave server group
can add Classic and VPC ECS instances.
NOTE: For a Classic and Intranet load balancer, the master slave server group
can only add Classic ECS instances.
NOTE: For a VPC load balancer, the master slave server group can only add
ECS instances in the same VPC.
NOTE: Available in 1.54.0+

» Example Usage

data "alicloud_zones" "default" {


available_disk_category = "cloud_efficiency"
available_resource_creation = "VSwitch"

480
}

data "alicloud_instance_types" "default" {


availability_zone = "${data.alicloud_zones.default.zones.0.id}"
eni_amount = 2
}

data "alicloud_images" "image" {


name_regex = "^ubuntu_18.*64"
most_recent = true
owners = "system"
}

variable "name" {
default = "tf-testAccSlbMasterSlaveServerGroupVpc"
}

variable "number" {
default = "1"
}

resource "alicloud_vpc" "main" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "main" {


vpc_id = "${alicloud_vpc.main.id}"
cidr_block = "172.16.0.0/16"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_security_group" "group" {


name = "${var.name}"
vpc_id = "${alicloud_vpc.main.id}"
}

resource "alicloud_instance" "instance" {


image_id = "${data.alicloud_images.image.images.0.id}"
instance_type = "${data.alicloud_instance_types.default.instance_types.0.id}"
instance_name = "${var.name}"
count = "2"
security_groups = ["${alicloud_security_group.group.id}"]
internet_charge_type = "PayByTraffic"
internet_max_bandwidth_out = "10"

availability_zone = "${data.alicloud_zones.default.zones.0.id}"
instance_charge_type = "PostPaid"
system_disk_category = "cloud_efficiency"
vswitch_id = "${alicloud_vswitch.main.id}"
}

resource "alicloud_slb" "instance" {


name = "${var.name}"
vswitch_id = "${alicloud_vswitch.main.id}"
specification = "slb.s2.small"
}

resource "alicloud_network_interface" "default" {


count = "${var.number}"
name = "${var.name}"
vswitch_id = "${alicloud_vswitch.main.id}"
security_groups = ["${alicloud_security_group.group.id}"]
}

resource "alicloud_network_interface_attachment" "default" {


count = "${var.number}"
instance_id = "${alicloud_instance.instance.0.id}"
network_interface_id = "${element(alicloud_network_interface.default.*.id, count.index)}"
}

resource "alicloud_slb_master_slave_server_group" "group" {


load_balancer_id = "${alicloud_slb.instance.id}"
name = "${var.name}"

servers {
server_id = "${alicloud_instance.instance.0.id}"
port = 100
weight = 100
server_type = "Master"
}

servers {
server_id = "${alicloud_instance.instance.1.id}"
port = 100
weight = 100
server_type = "Slave"
}
}

resource "alicloud_slb_listener" "tcp" {


load_balancer_id = "${alicloud_slb.instance.id}"

master_slave_server_group_id = "${alicloud_slb_master_slave_server_group.group.id}"
frontend_port = "22"
protocol = "tcp"
bandwidth = "10"
health_check_type = "tcp"
persistence_timeout = 3600
healthy_threshold = 8
unhealthy_threshold = 8
health_check_timeout = 8
health_check_interval = 5
health_check_http_code = "http_2xx"
health_check_connect_port = 20
health_check_uri = "/console"
established_timeout = 600
}

» Argument Reference

The following arguments are supported:


• load_balancer_id - (Required, ForceNew) The Load Balancer ID which
is used to launch a new master slave server group.
• name - (Required, ForceNew) Name of the master slave server group.
• servers - (Optional, ForceNew) A list of ECS instances to be added.
Only two ECS instances can be supported in one resource. It contains six
sub-fields, described under Block servers below.
• delete_protection_validation - (Optional, Available in 1.63.0+)
Checks DeleteProtection of the SLB instance before deleting. If true,
this resource will not be deleted when its SLB instance has
DeleteProtection enabled. Default to false.

» Block servers

The servers mapping supports the following:


• server_ids - (Required) A list of backend server IDs (ECS instance IDs).
• port - (Required) The port used by the backend server. Valid value range:
[1-65535].
• weight - (Optional) Weight of the backend server. Valid value range:
[0-100]. Default to 100.
• type - (Optional, Available in 1.51.0+) Type of the backend server. Valid
values: ecs, eni. Default to eni.
• server_type - (Optional) The server type of the backend server. Valid
values: Master, Slave.
• is_backup - (Removed from v1.63.0) Determine if the server is executing.
Valid values: 0, 1.

» Attributes Reference

The following attributes are exported:


• id - The ID of the master slave server group.

» Import

Load balancer master slave server group can be imported using the id, e.g.
$ terraform import alicloud_slb_master_slave_server_group.example abc123456

» alicloud_slb_rule
A forwarding rule is configured in an HTTP/HTTPS listener and is used to listen to a
list of backend servers in one specified virtual backend server group. You
can add forwarding rules to a listener to forward requests based on the domain
names or the URL in the request.
NOTE: One virtual backend server group can be attached to multiple forwarding
rules.
NOTE: At least one of "Domain" or "Url" must be specified when creating a new
rule.
NOTE: A rule with the same 'Domain' and 'Url' cannot be created more than once
in one listener.
NOTE: A rule can only be created in an HTTP or HTTPS listener.
NOTE: Only a rule's virtual server group can be modified.

» Example Usage

variable "name" {
default = "slbrulebasicconfig"
}

data "alicloud_zones" "default" {


available_disk_category = "cloud_efficiency"
available_resource_creation = "VSwitch"
}

data "alicloud_instance_types" "default" {
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
cpu_core_count = 1
memory_size = 2
}
data "alicloud_images" "default" {
name_regex = "^ubuntu_18.*64"
most_recent = true
owners = "system"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/16"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}
resource "alicloud_security_group" "default" {
name = "${var.name}"
vpc_id = "${alicloud_vpc.default.id}"
}

resource "alicloud_instance" "default" {


image_id = "${data.alicloud_images.default.images.0.id}"
instance_type = "${data.alicloud_instance_types.default.instance_types.0.id}"
security_groups = "${alicloud_security_group.default.*.id}"
internet_charge_type = "PayByTraffic"
internet_max_bandwidth_out = "10"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
instance_charge_type = "PostPaid"
system_disk_category = "cloud_efficiency"
vswitch_id = "${alicloud_vswitch.default.id}"
instance_name = "${var.name}"
}

resource "alicloud_slb" "default" {


name = "${var.name}"
vswitch_id = "${alicloud_vswitch.default.id}"
}

resource "alicloud_slb_listener" "default" {

load_balancer_id = "${alicloud_slb.default.id}"
backend_port = 22
frontend_port = 22
protocol = "http"
bandwidth = 5
health_check_connect_port = "20"
}

resource "alicloud_slb_server_group" "default" {


load_balancer_id = "${alicloud_slb.default.id}"
servers {
server_ids = "${alicloud_instance.default.*.id}"
port = 80
weight = 100
}
}

resource "alicloud_slb_rule" "default" {


load_balancer_id = "${alicloud_slb.default.id}"
frontend_port = "${alicloud_slb_listener.default.frontend_port}"
name = "${var.name}"
domain = "*.aliyun.com"
url = "/image"
server_group_id = "${alicloud_slb_server_group.default.id}"
cookie = "23ffsa"
cookie_timeout = 100
health_check_http_code = "http_2xx"
health_check_interval = 10
health_check_uri = "/test"
health_check_connect_port = 80
health_check_timeout = 30
healthy_threshold = 3
unhealthy_threshold = 5
sticky_session = "on"
sticky_session_type = "server"
listener_sync = "off"
scheduler = "rr"
health_check_domain = "test"
health_check = "on"
}

» Argument Reference

The following arguments are supported:

• load_balancer_id - (Required, ForceNew) The Load Balancer ID which
is used to launch the new forwarding rule.
• name - (Optional) Name of the forwarding rule. Our plugin provides a
default name: ”tf-slb-rule”.
• frontend_port - (Required, ForceNew) The listener frontend port which
is used to launch the new forwarding rule. Valid range: [1-65535].
• domain - (Optional, ForceNew) Domain name of the forwarding rule. It
can contain letters a-z, numbers 0-9, hyphens (-), periods (.), and wildcard
characters. The following two domain name formats are supported:
– Standard domain name: www.test.com
– Wildcard domain name: *.test.com. The wildcard (*) must be the first
character, in the format of (*.)
• url - (Optional, ForceNew) Domain of the forwarding rule. It must be
2-80 characters in length. Only letters a-z, numbers 0-9, and the characters
'-' '/' '?' '%' '#' and '&' are allowed. URLs must start with the
character '/', but cannot be '/' alone.
• server_group_id - (Required) ID of a virtual server group that will be
forwarded.
• scheduler - (Optional, Available in v1.51.0+) Scheduling algorithm. Valid
values are wrr, rr and wlc. Default to "wrr". This parameter is required
and takes effect only when ListenerSync is set to off.
• sticky_session - (Optional, Available in v1.51.0+) Whether to enable
session persistence. Valid values are on and off. Default to off. This
parameter is required and takes effect only when ListenerSync is set to off.
• sticky_session_type - (Optional, Available in v1.51.0+) Mode for handling
the cookie. If sticky_session is "on", it is mandatory. Otherwise,
it will be ignored. Valid values are insert and server. insert means
it is inserted from Server Load Balancer; server means the Server Load
Balancer learns from the backend server.
• cookie_timeout - (Optional, Available in v1.51.0+) Cookie timeout. It
is mandatory when sticky_session is "on" and sticky_session_type
is "insert". Otherwise, it will be ignored. Valid value range: [1-86400] in
seconds.
• cookie - (Optional, Available in v1.51.0+) The cookie configured
on the server. It is mandatory when sticky_session is "on" and
sticky_session_type is "server". Otherwise, it will be ignored. Valid
value: String in line with RFC 2965, with a length of 1-200. It may
contain only ASCII characters such as English letters and digits, but no
commas, semicolons or spaces, and it cannot start with $.
• health_check - (Optional, Available in v1.51.0+) Whether to enable
health check. Valid values are on and off. The HealthCheck of TCP and UDP
listeners is always on, so it will be ignored when launching a TCP or
UDP listener. This parameter is required and takes effect only when
ListenerSync is set to off.
• health_check_domain - (Optional, Available in v1.51.0+) Domain
name used for health check. When it is used to launch a TCP listener,
health_check_type must be "http". Its length is limited to 1-80 and
only characters such as letters, digits, '-' and '.' are allowed. When it
is not set or empty, Server Load Balancer uses the private network IP
address of each backend server as the domain used for health check.
• health_check_uri - (Optional, Available in v1.51.0+) URI used for
health check. When it is used to launch a TCP listener, health_check_type
must be "http". Its length is limited to 1-80 and it must start with /.
Only characters such as letters, digits, '-', '/', '.', '%', '?', '#' and '&' are
allowed.
• health_check_connect_port - (Optional, Available in v1.51.0+) Port
used for health check. Valid value range: [1-65535]. Default to ”None”
means the backend server port is used.
• healthy_threshold - (Optional, Available in v1.51.0+) Threshold for
determining that the result of the health check is success. It is required when
health_check is on. Valid value range: [1-10] in seconds. Default to
3.
• unhealthy_threshold - (Optional, Available in v1.51.0+) Threshold for
determining that the result of the health check is fail. It is required when
health_check is on. Valid value range: [1-10] in seconds. Default to 3.
• health_check_timeout - (Optional, Available in v1.51.0+) Maximum
timeout of each health check response. It is required when health_check
is on. Valid value range: [1-300] in seconds. Default to 5. Note: If
health_check_timeout < health_check_interval, it will be replaced
by health_check_interval.
• health_check_interval - (Optional, Available in v1.51.0+) Time interval
of health checks. It is required when health_check is on. Valid value
range: [1-50] in seconds. Default to 2.
• health_check_http_code - (Optional, Available in v1.51.0+) Regular
health check HTTP status code. Multiple codes are segmented by “,”.
It is required when health_check is on. Default to http_2xx. Valid
values are: http_2xx, http_3xx, http_4xx and http_5xx.
• listener_sync - (Optional, Available in v1.51.0+) Indicates whether a
forwarding rule inherits the settings of health check, session persistence,
and scheduling algorithm from a listener. Default to on.
• delete_protection_validation - (Optional, Available in 1.63.0+)
Checks DeleteProtection of the SLB instance before deleting. If true,
this resource will not be deleted when its SLB instance has
DeleteProtection enabled. Default to false.
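
The ranges, formats and cross-field dependencies listed above can be checked before a plan is applied. The following Python check is an added example, not code from the provider: the function names and the input shape (a map of already-resolved argument values) are assumptions, and the load balancer and server group IDs are placeholders.

```python
import re

# Patterns transcribed from the argument reference above.
DOMAIN_RE = re.compile(r"^(\*\.)?[a-z0-9.-]+$")         # wildcard only as a leading "*."
URL_RE = re.compile(r"^/[a-z0-9/?%#&-]{1,79}$")         # 2-80 chars, starts with "/"
HC_URI_RE = re.compile(r"^/[A-Za-z0-9/.%?#&-]{0,79}$")  # 1-80 chars, starts with "/"
HTTP_CODES = {"http_2xx", "http_3xx", "http_4xx", "http_5xx"}


def _check_range(cfg, key, lo, hi, findings, default=None):
    """Record a finding unless cfg[key] (or its default) is an int in [lo, hi]."""
    value = cfg.get(key, default)
    if not isinstance(value, int) or not lo <= value <= hi:
        findings.append(f"{key} must be an integer in [{lo}-{hi}], got {value!r}")
    return value


def validate_slb_rule(cfg):
    """Return a list of findings for one resolved alicloud_slb_rule argument map."""
    findings = []
    for key in ("load_balancer_id", "server_group_id"):
        if not cfg.get(key):
            findings.append(f"{key} is required")
    _check_range(cfg, "frontend_port", 1, 65535, findings)

    domain, url = cfg.get("domain"), cfg.get("url")
    if not domain and not url:
        findings.append("at least one of domain or url must be set")
    if domain and not DOMAIN_RE.match(domain):
        findings.append(f"domain {domain!r}: bad characters or wildcard not in leading '*.' form")
    if url and not URL_RE.match(url):
        findings.append(f"url {url!r}: must be 2-80 chars of a-z 0-9 - / ? % # & starting with '/'")

    # Scheduler, session persistence and health check are per-rule settings
    # only when listener_sync is "off"; the default "on" inherits the listener's.
    if cfg.get("listener_sync", "on") != "off":
        return findings

    if cfg.get("scheduler", "wrr") not in ("wrr", "rr", "wlc"):
        findings.append("scheduler must be one of wrr, rr, wlc")

    if cfg.get("sticky_session", "off") == "on":
        mode = cfg.get("sticky_session_type")
        if mode == "insert":
            _check_range(cfg, "cookie_timeout", 1, 86400, findings)
        elif mode == "server":
            cookie = cfg.get("cookie") or ""
            if (not 1 <= len(cookie) <= 200 or not cookie.isascii()
                    or cookie.startswith("$") or re.search(r"[,; ]", cookie)):
                findings.append("cookie must be 1-200 ASCII chars, no ',' ';' or space, no leading '$'")
        else:
            findings.append("sticky_session_type must be insert or server when sticky_session is on")

    if cfg.get("health_check") == "on":
        _check_range(cfg, "healthy_threshold", 1, 10, findings, default=3)
        _check_range(cfg, "unhealthy_threshold", 1, 10, findings, default=3)
        timeout = _check_range(cfg, "health_check_timeout", 1, 300, findings, default=5)
        interval = _check_range(cfg, "health_check_interval", 1, 50, findings, default=2)
        if isinstance(timeout, int) and isinstance(interval, int) and timeout < interval:
            findings.append(f"health_check_timeout {timeout} < health_check_interval {interval}: "
                            "the interval value replaces the timeout")
        if "health_check_connect_port" in cfg:
            _check_range(cfg, "health_check_connect_port", 1, 65535, findings)
        codes = cfg.get("health_check_http_code", "http_2xx").split(",")
        if not set(codes) <= HTTP_CODES:
            findings.append(f"health_check_http_code has unknown value(s): {codes}")
        uri = cfg.get("health_check_uri")
        if uri is not None and not HC_URI_RE.match(uri):
            findings.append(f"health_check_uri {uri!r}: must be 1-80 chars starting with '/'")
    return findings


# Constructed inputs: the page's example rule with placeholder IDs, and a broken variant.
PAGE_EXAMPLE = {
    "load_balancer_id": "lb-placeholder", "server_group_id": "rsp-placeholder",
    "frontend_port": 22, "domain": "*.aliyun.com", "url": "/image",
    "listener_sync": "off", "scheduler": "rr", "sticky_session": "on",
    "sticky_session_type": "server", "cookie": "23ffsa", "cookie_timeout": 100,
    "health_check": "on", "health_check_domain": "test", "health_check_uri": "/test",
    "health_check_connect_port": 80, "health_check_http_code": "http_2xx",
    "health_check_interval": 10, "health_check_timeout": 30,
    "healthy_threshold": 3, "unhealthy_threshold": 5,
}
BROKEN = dict(PAGE_EXAMPLE, domain="www.*.test.com", url="/", sticky_session_type="insert",
              cookie_timeout=None, health_check_timeout=3, health_check_interval=5)

if __name__ == "__main__":
    for label, cfg in (("page example", PAGE_EXAMPLE), ("broken variant", BROKEN)):
        print(label, validate_slb_rule(cfg))
```

With listener_sync left at its default of on, only the domain, url, port and ID checks run, because the per-rule settings are inherited from the listener.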

» Attributes Reference

The following attributes are exported:


• id - The ID of the forwarding rule.

» Import

Load balancer forwarding rule can be imported using the id, e.g.
$ terraform import alicloud_slb_rule.example rule-abc123456

» alicloud_slb_server_certificate
A Load Balancer Server Certificate is an SSL certificate used by listeners of
the HTTPS protocol.
For information about SLB and how to use it, see What is Server Load Balancer.
For information about Server Certificate and how to use it, see Configure Server
Certificate.

» Example Usage

• Using server_certificate/private_key content as a string


# create a server certificate
resource "alicloud_slb_server_certificate" "foo" {
name = "slbservercertificate"
server_certificate = "-----BEGIN CERTIFICATE-----\nMIIDRjCCAq+gAwIBAgI+OuMs******XTtI90EAx
private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQDO0knDrlNdiys******Er
}

• Using server_certificate/private_key content read from files

# create a server certificate
resource "alicloud_slb_server_certificate" "foo" {
name = "slbservercertificate"
server_certificate = "${file("${path.module}/server_certificate.pem")}"
private_key = "${file("${path.module}/private_key.pem")}"
}

» Argument Reference

The following arguments are supported:


• name - (Optional) Name of the Server Certificate.
• server_certificate - (Optional, ForceNew) The content of the SSL
certificate. It is required when alicloud_certificate_id is null; otherwise
it is ignored.
• private_key - (Optional, ForceNew) The content of the private key
of the SSL certificate specified by server_certificate. It is required when
alicloud_certificate_id is null; otherwise it is
ignored.
• alicloud_certificate_id - (Optional, ForceNew) The ID of a server
certificate issued/proxied by Alibaba Cloud. It is not supported on the
international site of Alibaba Cloud now.
• alicloud_certificate_name - (Optional, ForceNew) The name of the
certificate specified by alicloud_certificate_id. It is not supported
on the international site of Alibaba Cloud now.
• alicloud_certificate_region_id - (Optional, ForceNew, Available in
1.69.0+) The region of the certificate specified by alicloud_certificate_id.
It is not supported on the international site of Alibaba Cloud now.
• resource_group_id - (Optional, ForceNew, Available in 1.58.0+) The ID
of the resource group to which the SLB server certificate belongs.
• tags - (Optional, Available in v1.66.0+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported:


• id - The ID of the Server Certificate (SSL Certificate).

» Import

Server Load balancer Server Certificate can be imported using the id, e.g.
$ terraform import alicloud_slb_server_certificate.example abc123456

» alicloud_slb_server_group
A virtual server group contains several ECS instances. The virtual server group
can help you define multiple listening dimensions and meet the personalized
requirements of domain name and URL forwarding.
NOTE: One ECS instance can be added to multiple virtual server groups.
NOTE: One virtual server group can be attached to multiple listeners in one
load balancer.
NOTE: For a Classic, Internet load balancer, the virtual server group can
add Classic and VPC ECS instances.
NOTE: For a Classic, Intranet load balancer, the virtual server group can
only add Classic ECS instances.
NOTE: For a VPC load balancer, the virtual server group can only add ECS
instances in the same VPC.

» Example Usage

variable "name" {
default = "slbservergroupvpc"
}
data "alicloud_zones" "default" {
available_disk_category = "cloud_efficiency"
available_resource_creation = "VSwitch"
}
data "alicloud_instance_types" "default" {
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
cpu_core_count = 1
memory_size = 2
}
data "alicloud_images" "default" {
name_regex = "^ubuntu_18.*64"
most_recent = true
owners = "system"
}
resource "alicloud_vpc" "default" {
name = "${var.name}"
cidr_block = "172.16.0.0/16"
}
resource "alicloud_vswitch" "default" {
vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/16"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}
resource "alicloud_security_group" "default" {
name = "${var.name}"
vpc_id = "${alicloud_vpc.default.id}"
}
resource "alicloud_instance" "instance" {
image_id = "${data.alicloud_images.default.images.0.id}"
instance_type = "${data.alicloud_instance_types.default.instance_types.0.id}"
instance_name = "${var.name}"
count = "2"
security_groups = "${alicloud_security_group.default.*.id}"
internet_charge_type = "PayByTraffic"
internet_max_bandwidth_out = "10"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
instance_charge_type = "PostPaid"
system_disk_category = "cloud_efficiency"
vswitch_id = "${alicloud_vswitch.default.id}"

}
resource "alicloud_slb" "default" {
name = "${var.name}"
vswitch_id = "${alicloud_vswitch.default.id}"
}
resource "alicloud_slb_server_group" "default" {
load_balancer_id = "${alicloud_slb.default.id}"
name = "${var.name}"
servers {
server_ids = ["${alicloud_instance.instance.0.id}", "${alicloud_instance.instance.1.id}"]
port = 100
weight = 10
}
servers {
server_ids = ["${alicloud_instance.instance.*.id}"]
port = 80
weight = 100
}
}

» Argument Reference

The following arguments are supported:


• load_balancer_id - (Required, ForceNew) The Load Balancer ID which
is used to launch a new virtual server group.
• name - (Optional) Name of the virtual server group. Our plugin provides
a default name: ”tf-server-group”.
• servers - A list of ECS instances to be added. At most 20 ECS instances
can be supported in one resource. It contains three sub-fields, described
under Block servers below.
• delete_protection_validation - (Optional, Available in 1.63.0+)
Checks DeleteProtection of the SLB instance before deleting. If true,
this resource will not be deleted when its SLB instance has
DeleteProtection enabled. Default to false.

» Block servers

The servers mapping supports the following:


• server_ids - (Required) A list of backend server IDs (ECS instance IDs).
• port - (Required) The port used by the backend server. Valid value range:
[1-65535].
• weight - (Optional) Weight of the backend server. Valid value range:
[0-100]. Default to 100.
• type - (Optional, Available in 1.51.0+) Type of the backend server. Valid
values: ecs, eni. Default to eni.

» Attributes Reference

The following attributes are exported:


• id - The ID of the virtual server group.
• load_balancer_id - The Load Balancer ID which is used to launch a new
virtual server group.
• name - The name of the virtual server group.
• servers - A list of ECS instances that have been added.

» Import

Load balancer backend server group can be imported using the id, e.g.
$ terraform import alicloud_slb_server_group.example abc123456

» alicloud_slb_domain_extension
HTTPS listeners of guaranteed-performance SLB support configuring multiple
certificates, allowing you to forward requests with different domain names to
different backend servers. Please refer to the documentation for details.
NOTE: Available in 1.60.0+
NOTE: The instance with shared loadBalancerSpec doesn’t support
domainExtension.

» Example Usage

# Create a new load balancer and domain extension

resource "alicloud_slb" "instance" {


name = "tffTestDomainExtension"
internet_charge_type = "PayByTraffic"
internet = "true"
}

resource "alicloud_slb_server_certificate" "foo" {


name = "tf-testAccSlbServerCertificate"
server_certificate = "-----BEGIN CERTIFICATE-----\nMIIDdjCCAl4CCQCcm+erkcKN7DANBgkqhkiG9w0

private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAyjCheapjf7qDI3R9w/G
}

resource "alicloud_slb_listener" "https" {


load_balancer_id = "${alicloud_slb.instance.id}"
backend_port = 80
frontend_port = 443
protocol = "https"
sticky_session = "on"
sticky_session_type = "insert"
cookie = "testslblistenercookie"
cookie_timeout = 86400
health_check = "on"
health_check_uri = "/cons"
health_check_connect_port = 20
healthy_threshold = 8
unhealthy_threshold = 8
health_check_timeout = 8
health_check_interval = 5
health_check_http_code = "http_2xx,http_3xx"
bandwidth = 10
ssl_certificate_id = "${alicloud_slb_server_certificate.foo.id}"
}

resource "alicloud_slb_domain_extension" "example1" {


load_balancer_id = "${alicloud_slb.instance.id}"
frontend_port = "${alicloud_slb_listener.https.frontend_port}"
domain = "www.test.com"
server_certificate_id = "${alicloud_slb_server_certificate.foo.id}"
}

» Argument Reference

The following arguments are supported:


• load_balancer_id - (Required, ForceNew) The ID of the SLB instance.
• frontend_port - (Required, ForceNew) The frontend port used by the
HTTPS listener of the SLB instance. Valid values: 1–65535.
• domain - (Optional, ForceNew) The domain name.
• server_certificate_id - (Required) The ID of the certificate used by
the domain name.
• delete_protection_validation - (Optional, Available in 1.63.0+)
Checks DeleteProtection of the SLB instance before deleting. If true,
this resource will not be deleted when its SLB instance has
DeleteProtection enabled. Default to false.

» Attributes Reference

The following attributes are exported:


• id - The ID of the domain extension.

» Import

Load balancer domain_extension can be imported using the id, e.g.


$ terraform import alicloud_slb_domain_extension.example de-abc123456

» alicloud_sag_acls
This data source provides Sag Acls available to the user.
NOTE: Available in 1.60.0+
NOTE: Only the following regions support creating Cloud Connect Network:
[cn-shanghai, cn-shanghai-finance-1, cn-hongkong, ap-southeast-1,
ap-southeast-2, ap-southeast-3, ap-southeast-5, ap-northeast-1,
eu-central-1]

» Example Usage

Basic Usage
data "alicloud_sag_acls" "default" {
# Reference the alicloud_sag_acl resource below, not this data source itself
ids = ["${alicloud_sag_acl.default.id}"]
name_regex = "^tf-testAcc.*"
}
resource "alicloud_sag_acl" "default" {
name = "tf-testAccSagAclName"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of Sag Acl IDs.
• name_regex - (Optional) A regex string to filter Sag Acl instances by
name.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of Sag Acl IDs.
• names - A list of Sag Acls names.
• acls - A list of Sag Acls. Each element contains the following attributes:
– id - The ID of the ACL. For example ”acl-xxx”.
– name - The name of the Acl.

» alicloud_sag_acl
Provides a Sag Acl resource. Smart Access Gateway (SAG) provides the access
control list (ACL) function in the form of whitelists and blacklists for different
SAG instances.
For information about Sag Acl and how to use it, see What is access control list
(ACL).
NOTE: Available in 1.60.0+
NOTE: Only the following regions support creating Cloud Connect Network:
[cn-shanghai, cn-shanghai-finance-1, cn-hongkong, ap-southeast-1,
ap-southeast-2, ap-southeast-3, ap-southeast-5, ap-northeast-1,
eu-central-1]

» Example Usage

Basic Usage
resource "alicloud_sag_acl" "default" {
name = "tf-testAccSagAclName"
}

» Argument Reference

The following arguments are supported:


• name - (Required) The name of the ACL instance. The name can contain 2
to 128 characters including a-z, A-Z, 0-9, periods, underlines, and hyphens.
The name must start with an English letter, but cannot start with http://
or https://.

» Attributes Reference

The following attributes are exported:


• id - The ID of the ACL. For example ”acl-xxx”.

» Import

The Sag Acl can be imported using the id, e.g.


$ terraform import alicloud_sag_acl.example acl-abc123456

» alicloud_sag_acl_rule
Provides a Sag Acl Rule resource. This topic describes how to configure an
access control list (ACL) rule for a target Smart Access Gateway instance to
permit or deny access to or from specified IP addresses in the ACL rule.
For information about Sag Acl Rule and how to use it, see What is access control
list (ACL) rule.
NOTE: Available in 1.60.0+
NOTE: Only the following regions support creating Cloud Connect Network:
[cn-shanghai, cn-shanghai-finance-1, cn-hongkong, ap-southeast-1,
ap-southeast-2, ap-southeast-3, ap-southeast-5, ap-northeast-1,
eu-central-1]

» Example Usage

Basic Usage
resource "alicloud_sag_acl" "default" {
name = "tf-testAccSagAclName"
sag_count = "0"
}
resource "alicloud_sag_acl_rule" "default" {
acl_id = "${alicloud_sag_acl.default.id}"
description = "tf-testSagAclRule"
policy = "accept"
ip_protocol = "ALL"
direction = "in"
source_cidr = "10.10.1.0/24"
source_port_range = "-1/-1"
dest_cidr = "192.168.1.0/24"

dest_port_range = "-1/-1"
priority = "1"
}

» Argument Reference

The following arguments are supported:


• acl_id - (Required) The ID of the ACL.
• description - (Optional) The description of the ACL rule. It must be 1
to 512 characters in length.
• policy - (Required) The policy used by the ACL rule. Valid values:
accept|drop.
• ip_protocol - (Required) The protocol used by the ACL rule. The value
is not case sensitive.
• direction - (Required) The direction of the ACL rule. Valid values:
in|out.
• source_cidr - (Required) The source address. It is an IPv4 address range
in the CIDR format. Default value: 0.0.0.0/0.
• source_port_range - (Required) The range of the source port. Valid
value: 80/80.
• dest_cidr - (Required) The destination address. It is an IPv4 address
range in CIDR format. Default value: 0.0.0.0/0.
• dest_port_range - (Required) The range of the destination port. Valid
value: 80/80.
• priority - (Optional) The priority of the ACL rule. Value range: 1 to
100.
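
Because both CIDR arguments default to 0.0.0.0/0, an accept rule is easy to leave wider than intended. The following Python audit is an added example, not code from the provider: the function names and input shape are assumptions, as is reading "-1/-1" as all ports and "ALL" as every protocol (both taken from the example usage above); the sample rules other than the page's own are constructed.

```python
import ipaddress

ANY_V4 = ipaddress.IPv4Network("0.0.0.0/0")
ALL_PORTS = (1, 65535)


def parse_port_range(text):
    """Parse "start/end". Assumption: "-1/-1", as in the example above, means all ports."""
    start, sep, end = str(text).partition("/")
    if not sep:
        raise ValueError(f"port range {text!r} is not in start/end form")
    lo, hi = int(start), int(end)
    if (lo, hi) == (-1, -1):
        return ALL_PORTS
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range {text!r} is reversed or outside 1-65535")
    return (lo, hi)


def audit_acl_rule(rule):
    """Return findings for one resolved alicloud_sag_acl_rule argument map.

    "error:" findings violate the argument reference; "review:" findings are
    valid but broad accept rules that deserve a second look.
    """
    findings = []
    policy, direction = rule.get("policy"), rule.get("direction")
    if policy not in ("accept", "drop"):
        findings.append(f"error: policy must be accept or drop, got {policy!r}")
    if direction not in ("in", "out"):
        findings.append(f"error: direction must be in or out, got {direction!r}")
    if not rule.get("ip_protocol"):
        findings.append("error: ip_protocol is required")
    description = rule.get("description")
    if description is not None and not 1 <= len(description) <= 512:
        findings.append("error: description must be 1 to 512 characters")
    priority = rule.get("priority")
    if priority is not None and not (str(priority).isdigit() and 1 <= int(priority) <= 100):
        findings.append(f"error: priority must be 1 to 100, got {priority!r}")

    nets, ports = {}, {}
    for side in ("source", "dest"):
        try:
            # 0.0.0.0/0 is the documented default for both CIDR arguments.
            nets[side] = ipaddress.IPv4Network(rule.get(f"{side}_cidr", "0.0.0.0/0"))
            ports[side] = parse_port_range(rule.get(f"{side}_port_range", ""))
        except ValueError as exc:
            findings.append(f"error: {side}: {exc}")
    if findings or policy != "accept":
        return findings

    # Exposure checks apply to well-formed accept rules only.
    peer = "source" if direction == "in" else "dest"
    if nets[peer] == ANY_V4:
        findings.append(f"review: accept rule matches any {peer} address (0.0.0.0/0)")
    if rule["ip_protocol"].upper() == "ALL" and ports["dest"] == ALL_PORTS:
        findings.append("review: accept rule covers every protocol and destination port")
    return findings


# The page's example rule, followed by constructed rules.
SAMPLE_RULES = {
    "page": {"description": "tf-testSagAclRule", "policy": "accept", "ip_protocol": "ALL",
             "direction": "in", "source_cidr": "10.10.1.0/24", "source_port_range": "-1/-1",
             "dest_cidr": "192.168.1.0/24", "dest_port_range": "-1/-1", "priority": "1"},
    "tight": {"policy": "accept", "ip_protocol": "tcp", "direction": "in",
              "source_cidr": "10.10.1.0/24", "source_port_range": "-1/-1",
              "dest_cidr": "192.168.1.0/24", "dest_port_range": "443/443", "priority": "10"},
    "open": {"policy": "accept", "ip_protocol": "all", "direction": "in",
             "source_cidr": "0.0.0.0/0", "source_port_range": "-1/-1",
             "dest_cidr": "0.0.0.0/0", "dest_port_range": "-1/-1", "priority": "100"},
    "malformed": {"policy": "allow", "ip_protocol": "tcp", "direction": "in",
                  "source_cidr": "10.10.1.5/24", "source_port_range": "80/80",
                  "dest_cidr": "192.168.1.0/24", "dest_port_range": "443-443", "priority": "101"},
}

if __name__ == "__main__":
    for label, rule in SAMPLE_RULES.items():
        print(label, audit_acl_rule(rule))
```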

» Attributes Reference

The following attributes are exported:


• id - The ID of the ACL rule. For example ”acr-xxx”.

» Import

The Sag Acl Rule can be imported using the id, e.g.
$ terraform import alicloud_sag_acl_rule.example acr-abc123456

» alicloud_sag_client_user
Provides a Sag ClientUser resource. This topic describes how to manage
accounts as an administrator. After you configure the network, you can create
multiple accounts and distribute them to end users so that clients can access
Alibaba Cloud.
For information about Sag ClientUser and how to use it, see What is Sag
ClientUser.
NOTE: Available in 1.65.0+
NOTE: Only the following regions are supported: [cn-shanghai, cn-shanghai-finance-1,
cn-hongkong, ap-southeast-1, ap-southeast-2, ap-southeast-3, ap-southeast-5,
ap-northeast-1, eu-central-1]

» Example Usage

Basic Usage
resource "alicloud_sag_client_user" "default" {
sag_id = "sag-xxxxx"
bandwidth = "20"
user_mail = "user@example.com" # placeholder address
user_name = "th-username-xxxxx"
password = "xxxxxxx"
client_ip = "192.1.10.0"
}

» Argument Reference

The following arguments are supported:


• sag_id - (Required, ForceNew) The ID of the SAG instance created for
the SAG APP.
• bandwidth - (Required) The SAG APP bandwidth that the user can use.
Unit: Kbit/s. Maximum value: 2000 Kbit/s.
• user_mail - (Required, ForceNew) The email address of the user. The
administrator uses this address to send the account information for logging
on to the APP to the user.
• user_name - (Optional, ForceNew) The user name. User names in the same
SAG APP must be unique. Both the user name and the password must be
specified. If you specify the user name, the password must be specified,
too.
• password - (Optional, ForceNew) The password used to log on to the SAG
APP. Both the user name and the password must be specified. If you
specify the user name, the password must be specified, too.
• client_ip - (Optional, ForceNew) The IP address of the SAG APP. If you
specify this parameter, the current account always uses the specified IP
address. Note: The IP address must be in the private CIDR block of the
SAG client. If you do not specify this parameter, the system automatically
allocates an IP address from the private CIDR block of the SAG client.
In this case, each re-connection uses a different IP address.

» Attributes Reference

The following attributes are exported:


• id - The ID of the Sag ClientUser, formatted as <sag_id>:<user_name>.

» Import

The Sag ClientUser can be imported using the name, e.g.


$ terraform import alicloud_sag_client_user.example sag-abc123456:tf-username-abc123456

» alicloud_sag_dnat_entry
Provides a Sag DnatEntry resource. This topic describes how to add a DNAT
entry to a Smart Access Gateway (SAG) instance to enable the DNAT function.
By using the DNAT function, you can forward requests received by public IP
addresses to Alibaba Cloud instances according to custom mapping rules.
For information about Sag DnatEntry and how to use it, see What is Sag
DnatEntry.
NOTE: Available in 1.63.0+
NOTE: Only the following regions are supported: [cn-shanghai, cn-shanghai-finance-1,
cn-hongkong, ap-southeast-1, ap-southeast-2, ap-southeast-3, ap-southeast-5,
ap-northeast-1, eu-central-1]

» Example Usage

Basic Usage
resource "alicloud_sag_dnat_entry" "default" {
sag_id = "sag-3rb1t3iagy3w0zgwy9"

type = "Intranet"
ip_protocol = "tcp"
external_ip = "1.0.0.2"
external_port = "1"
internal_ip = "10.0.0.2"
internal_port = "20"
}

» Argument Reference

The following arguments are supported:


• sag_id - (Required) The ID of the SAG instance.
• type - (Required) The DNAT type. Valid values: Intranet: DNAT of
private IP addresses. Internet: DNAT of public IP addresses.
• ip_protocol - (Required) The protocol type. Valid values: TCP: Forwards
packets of the TCP protocol. UDP: Forwards packets of the UDP
protocol. Any: Forwards packets of all protocols.
• external_ip - (Optional) The external public IP address. When "type" is
"Internet", the external IP is identified automatically.
• external_port - (Required) The public port. Value range: 1 to 65535 or
"any".
• internal_ip - (Required) The destination private IP address.
• internal_port - (Required) The destination private port. Value range: 1
to 65535 or "any".

» Attributes Reference

The following attributes are exported:


• id - The ID of the DNAT entry, formatted as <sag_id>:<dnat_id>.

» Import

The Sag DnatEntry can be imported using the id, e.g.


$ terraform import alicloud_sag_dnat_entry.example sag-abc123456:dnat-abc123456

» alicloud_sag_qos
Provides a Sag Qos resource. Smart Access Gateway (SAG) supports
quintuple-based QoS functions to differentiate traffic of different services and
ensure high-priority traffic bandwidth.
For information about Sag Qos and how to use it, see What is Qos.
NOTE: Available in 1.60.0+
NOTE: Only the following regions are supported: [cn-shanghai, cn-shanghai-finance-1,
cn-hongkong, ap-southeast-1, ap-southeast-2, ap-southeast-3, ap-southeast-5,
ap-northeast-1, eu-central-1]

» Example Usage

Basic Usage
resource "alicloud_sag_qos" "default" {
name = "tf-testAccSagQosName"
}

» Argument Reference

The following arguments are supported:


• name - (Required) The name of the QoS policy to be created. The name
can contain 2 to 128 characters including a-z, A-Z, 0-9, periods, underlines,
and hyphens. The name must start with an English letter, but cannot start
with http:// or https://.

» Attributes Reference

The following attributes are exported:


• id - The ID of the Qos. For example ”qos-xxx”.

» Import

The Sag Qos can be imported using the id, e.g.


$ terraform import alicloud_sag_qos.example qos-abc123456

» alicloud_sag_qos_car
Provides a Sag qos car resource. You need to create a QoS car to set priorities,
rate limits, and quintuple rules for different messages.
For information about Sag Qos Car and how to use it, see What is Qos Car.
NOTE: Available in 1.60.0+

NOTE: Only the following regions are supported: [cn-shanghai, cn-shanghai-finance-1,
cn-hongkong, ap-southeast-1, ap-southeast-2, ap-southeast-3, ap-southeast-5,
ap-northeast-1, eu-central-1]

» Example Usage

Basic Usage
resource "alicloud_sag_qos" "default" {
  name = "tf-testAccSagQosName"
}
resource "alicloud_sag_qos_car" "default" {
  qos_id                = "${alicloud_sag_qos.default.id}"
  name                  = "tf-testSagQosCarName"
  description           = "tf-testSagQosCarDescription"
  priority              = "1"
  limit_type            = "Absolute"
  min_bandwidth_abs     = "10"
  max_bandwidth_abs     = "20"
  min_bandwidth_percent = "10"
  max_bandwidth_percent = "20"
  percent_source_type   = "InternetUpBandwidth"
}

» Argument Reference

The following arguments are supported:


• qos_id - (Required) The instance ID of the QoS.
• name - (Optional) The name of the QoS speed limiting rule.
• description - (Optional) The description of the QoS speed limiting rule.
• priority - (Required) The priority of the specified stream.
• limit_type - (Required) The speed limiting method. Valid values: Absolute,
Percent.
• min_bandwidth_abs - (Optional) The minimum bandwidth allowed for
the stream specified in the quintuple rule. This parameter is required
when the value of the LimitType parameter is Absolute.
• max_bandwidth_abs - (Optional) The maximum bandwidth allowed for
the stream specified in the quintuple rule. This parameter is required
when the value of the LimitType parameter is Absolute.
• min_bandwidth_percent - (Optional) The minimum bandwidth percentage
allowed for the stream specified in the quintuple rule. It is based
on the maximum upstream bandwidth you set for the associated SAG
instance. This parameter is required when the value of the LimitType
parameter is Percent.
• max_bandwidth_percent - (Optional) The maximum bandwidth percentage
allowed for the stream specified in the quintuple rule. It is based on
the maximum upstream bandwidth you set for the associated Smart Access
Gateway (SAG) instance. This parameter is required when the value
of the LimitType parameter is Percent.
• percent_source_type - (Optional) The bandwidth type when the speed
is limited based on percentage. Valid values: CcnBandwidth,
InternetUpBandwidth. The default value is InternetUpBandwidth.

» Attributes Reference

The following attributes are exported:


• id - The ID of the Qos Car, formatted as <qos_id>:<qos_car_id>.

» Import

The Sag Qos Car can be imported using the id, e.g.
$ terraform import alicloud_sag_qos_car.example qos-abc123456:qoscar-abc123456

» alicloud_sag_qos_policy
Provides a Sag qos policy resource. You need to create a QoS policy to set
priorities, rate limits, and quintuple rules for different messages.
For information about Sag Qos Policy and how to use it, see What is Qos Policy.
NOTE: Available in 1.60.0+
NOTE: Only the following regions are supported: [cn-shanghai, cn-shanghai-finance-1,
cn-hongkong, ap-southeast-1, ap-southeast-2, ap-southeast-3, ap-southeast-5,
ap-northeast-1, eu-central-1]

» Example Usage

Basic Usage
resource "alicloud_sag_qos" "default" {
  name = "tf-testAccSagQosName"
}
resource "alicloud_sag_qos_policy" "default" {
  qos_id            = "${alicloud_sag_qos.default.id}"
  name              = "tf-testSagQosPolicyName"
  description       = "tf-testSagQosPolicyDescription"
  priority          = "1"
  ip_protocol       = "ALL"
  source_cidr       = "192.168.0.0/24"
  source_port_range = "-1/-1"
  dest_cidr         = "10.10.0.0/24"
  dest_port_range   = "-1/-1"
  start_time        = "2019-10-25T16:41:33+0800"
  end_time          = "2019-10-26T16:41:33+0800"
}

» Argument Reference

The following arguments are supported:


• qos_id - (Required) The instance ID of the QoS policy to which the
quintuple rule is created.
• name - (Optional) The name of the QoS policy.
• description - (Optional) The description of the QoS policy.
• priority - (Required) The priority of the quintuple rule. A smaller value
indicates a higher priority. If the priorities of two quintuple rules are the
same, the rule created earlier is applied first. Value range: 1 to 7.
• ip_protocol - (Required) The transport layer protocol.
• source_cidr - (Required) The source CIDR block.
• source_port_range - (Required) The source port range of the transport
layer.
• dest_cidr - (Required) The destination CIDR block.
• dest_port_range - (Required) The destination port range.
• start_time - (Optional) The time when the quintuple rule takes effect.
• end_time - (Optional) The expiration time of the quintuple rule.

» Attributes Reference

The following attributes are exported:


• id - The ID of the Qos Policy, formatted as <qos_id>:<qos_policy_id>.

» Import

The Sag Qos Policy can be imported using the id, e.g.
$ terraform import alicloud_sag_qos_policy.example qos-abc123456:qospy-abc123456

» alicloud_sag_snat_entry
Provides a Sag SnatEntry resource. This topic describes how to add a SNAT
entry to enable the SNAT function. The SNAT function can hide internal IP
addresses and resolve private IP address conflicts. With this function, on-premises
sites can access internal IP addresses, but cannot be accessed by internal IP
addresses. If you do not add a SNAT entry, on-premises sites can access each
other only when all related IP addresses do not conflict.
For information about Sag SnatEntry and how to use it, see What is Sag SnatEntry.
NOTE: Available in 1.61.0+
NOTE: Only the following regions are supported: [cn-shanghai, cn-shanghai-finance-1,
cn-hongkong, ap-southeast-1, ap-southeast-2, ap-southeast-3, ap-southeast-5,
ap-northeast-1, eu-central-1]

» Example Usage

Basic Usage
resource "alicloud_sag_snat_entry" "default" {
  sag_id     = "sag-3rb1t3iagy3w0zgwy9"
  cidr_block = "192.168.7.0/24"
  snat_ip    = "192.0.0.2"
}

» Argument Reference

The following arguments are supported:


• sag_id - (Required) The ID of the SAG instance.
• cidr_block - (Required) The destination CIDR block.
• snat_ip - (Required) The public IP address.

» Attributes Reference

The following attributes are exported:


• id - The ID of the SNAT entry, formatted as <sag_id>:<snat_id>.

» Import

The Sag SnatEntry can be imported using the id, e.g.

$ terraform import alicloud_sag_snat_entry.example sag-abc123456:snat-abc123456

» alicloud_cas_certificates
This data source provides a list of CAS Certificates in an Alibaba Cloud account
according to the specified filters.

» Example Usage

data "alicloud_cas_certificates" "certs" {
  name_regex  = "^cas"
  output_file = "${path.module}/cas_certificates.json"
}

output "cert" {
  value = "${data.alicloud_cas_certificates.certs.certificates.0.id}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string to filter results by the certificate
name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• ids - (Optional, Available in 1.52.0+) A list of cert IDs.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of cert IDs.
• names - A list of cert names.
• certificates - A list of certificates. Each element contains the following
attributes:
– id - The cert’s id.
– name - The cert’s name.
– common - The cert’s common name.
– finger_print - The cert’s fingerprint.
– issuer - The cert’s issuer.
– org_name - The cert’s organization.
– province - The cert’s province.
– city - The cert’s city.
– country - The cert’s country.
– start_date - The cert’s not valid before time.
– end_date - The cert’s not valid after time.
– sans - The cert’s subject alternative name.
– expired - Whether the cert is expired.
– buy_in_aliyun - Whether the cert was bought from Aliyun.

» alicloud_cas_certificate
Provides a CAS Certificate resource.
NOTE: The Certificate name which you want to add must already be registered
and must not have been added by another account. Every Certificate name can
only exist in a unique group.
NOTE: The Cas Certificate region only supports cn-hangzhou, ap-south-1,
me-east-1, eu-central-1, ap-northeast-1, ap-southeast-2.
NOTE: Available in 1.35.0+.

» Example Usage

# Add a new Certificate.
resource "alicloud_cas_certificate" "cert" {
  name = "test"
  cert = "${file("${path.module}/test.crt")}"
  key  = "${file("${path.module}/test.key")}"
}

» Argument Reference

The following arguments are supported:


• name - (Required, ForcesNew) Name of the Certificate. This name without
suffix can have a string of 1 to 63 characters, must contain only alphanumeric
characters or "-", must not begin or end with "-", and "-" must
not be in the 3rd and 4th character positions at the same time. The suffixes
.sh and .tel are not supported.
• cert - (Required, ForcesNew) Cert of the Certificate to be added.
• key - (Required, ForcesNew) Key of the Certificate to be added.

» Attributes Reference

The following attributes are exported:


• id - The cert id.

» alicloud_common_bandwidth_packages
This data source provides a list of Common Bandwidth Packages owned by an
Alibaba Cloud account.
NOTE: Available in 1.36.0+.

» Example Usage

data "alicloud_common_bandwidth_packages" "foo" {
  name_regex = "^tf-testAcc.*"
  ids        = ["${alicloud_common_bandwidth_package.foo.id}"]
}

resource "alicloud_common_bandwidth_package" "foo" {
  bandwidth   = "2"
  name        = "tf-testAccCommonBandwidthPackage"
  description = "tf-testAcc-CommonBandwidthPackage"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of Common Bandwidth Packages IDs.
• name_regex - (Optional) A regex string to filter results by name.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• resource_group_id - (Optional, ForceNew, Available in 1.58.0+) The ID
of the resource group to which the common bandwidth package belongs.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - (Optional) A list of Common Bandwidth Packages IDs.
• names - A list of Common Bandwidth Packages names.

• packages - A list of Common Bandwidth Packages. Each element contains
the following attributes:
– id - ID of the Common Bandwidth Package.
– bandwidth - The peak bandwidth of the Internet Shared Bandwidth
instance.
– status - Status of the Common Bandwidth Package.
– name - Name of the Common Bandwidth Package.
– description - The description of the Common Bandwidth Package
instance.
– business_status - The business status of the Common Bandwidth
Package instance.
– isp - ISP of the Common Bandwidth Package.
– creation_time - Time of creation.
– public_ip_addresses - Public IP addresses in the Common
Bandwidth Package.
– resource_group_id - The ID of the resource group to which the common
bandwidth package belongs.

Public ip addresses Block
The public ip addresses mapping supports the following:
• ip_address - The address of the EIP.
• allocation_id - The ID of the EIP instance.

» alicloud_eips
This data source provides a list of EIPs (Elastic IP address) owned by an Alibaba
Cloud account.

» Example Usage

data "alicloud_eips" "eips_ds" {
}

output "first_eip_id" {
  value = "${data.alicloud_eips.eips_ds.eips.0.id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of EIP IDs.
• ip_addresses - (Optional) A list of EIP public IP addresses.

• tags - (Optional, Available in v1.55.3+) A mapping of tags to assign to
the resource.
• in_use - (Deprecated) Deprecated since the version 1.8.0 of this provider.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• resource_group_id - (Optional, ForceNew, Available in 1.58.0+) The ID
of the resource group to which the EIPs belong.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - (Optional) A list of EIP IDs.
• names - (Optional) A list of EIP names.
• eips - A list of EIPs. Each element contains the following attributes:
– id - ID of the EIP.
– status - EIP status. Possible values are: Associating,
Unassociating, InUse and Available.
– ip_address - Public IP Address of the EIP.
– bandwidth - EIP internet max bandwidth in Mbps.
– internet_charge_type - EIP internet charge type.
– instance_id - The ID of the instance that is being bound.
– instance_type - The type of the instance to which the EIP is bound.
– creation_time - Time of creation.
– resource_group_id - The ID of the resource group to which the EIPs
belong.

» alicloud_nat_gateways
This data source provides a list of Nat Gateways owned by an Alibaba Cloud
account.
NOTE: Available in 1.37.0+.

» Example Usage

variable "name" {
  default = "natGatewaysDatasource"
}

data "alicloud_zones" "default" {
  available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "foo" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/12"
}

resource "alicloud_nat_gateway" "foo" {
  vpc_id        = "${alicloud_vpc.foo.id}"
  specification = "Small"
  name          = "${var.name}"
}

data "alicloud_nat_gateways" "foo" {
  vpc_id     = "${alicloud_vpc.foo.id}"
  name_regex = "${alicloud_nat_gateway.foo.name}"
  ids        = ["${alicloud_nat_gateway.foo.id}"]
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of NAT gateways IDs.
• name_regex - (Optional) A regex string to filter nat gateways by name.
• vpc_id - (Optional) The ID of the VPC.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - (Optional) A list of Nat gateways IDs.
• names - A list of Nat gateways names.
• gateways - A list of Nat gateways. Each element contains the following
attributes:
– id - The ID of the NAT gateway.
– name - Name of the NAT gateway.
– description - The description of the NAT gateway.
– creation_time - Time of creation.
– spec - The specification of the NAT gateway.
– status - The status of the NAT gateway.
– snat_table_id - The snat table id.
– forward_table_id - The forward table id.
– vpc_id - The ID of the VPC.

» alicloud_route_entries
This data source provides a list of Route Entries owned by an Alibaba Cloud
account.
NOTE: Available in 1.37.0+.

» Example Usage

data "alicloud_zones" "default" {
  available_resource_creation = "VSwitch"
}
data "alicloud_instance_types" "default" {
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  cpu_core_count    = 1
  memory_size       = 2
}
data "alicloud_images" "default" {
  name_regex  = "^ubuntu_18.*64"
  most_recent = true
  owners      = "system"
}

variable "name" {
  default = "tf-testAccRouteEntryConfig"
}
resource "alicloud_vpc" "foo" {
  name       = "${var.name}"
  cidr_block = "10.1.0.0/21"
}

resource "alicloud_vswitch" "foo" {
  vpc_id            = "${alicloud_vpc.foo.id}"
  cidr_block        = "10.1.1.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_route_entry" "foo" {
  route_table_id        = "${alicloud_vpc.foo.route_table_id}"
  destination_cidrblock = "172.11.1.1/32"
  nexthop_type          = "Instance"
  nexthop_id            = "${alicloud_instance.foo.id}"
}

resource "alicloud_security_group" "tf_test_foo" {
  name        = "${var.name}"
  description = "foo"
  vpc_id      = "${alicloud_vpc.foo.id}"
}

resource "alicloud_security_group_rule" "ingress" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "22/22"
  priority          = 1
  security_group_id = "${alicloud_security_group.tf_test_foo.id}"
  cidr_ip           = "0.0.0.0/0"
}

resource "alicloud_instance" "foo" {
  # cn-beijing
  security_groups = ["${alicloud_security_group.tf_test_foo.id}"]

  vswitch_id         = "${alicloud_vswitch.foo.id}"
  allocate_public_ip = true

  # series III
  instance_charge_type       = "PostPaid"
  instance_type              = "${data.alicloud_instance_types.default.instance_types.0.id}"
  internet_charge_type       = "PayByTraffic"
  internet_max_bandwidth_out = 5

  system_disk_category = "cloud_efficiency"
  image_id             = "${data.alicloud_images.default.images.0.id}"
  instance_name        = "${var.name}"
}

data "alicloud_route_entries" "foo" {
  route_table_id = "${alicloud_route_entry.foo.route_table_id}"
}
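
The security group rule in the example above accepts SSH (port 22) from 0.0.0.0/0 on an instance that also sets allocate_public_ip = true. A narrower variant follows as an added example that is not part of the provider documentation. The variable name admin_cidr, its default 203.0.113.0/24 (a documentation range) and the /16 minimum prefix length are assumptions, and the validation block assumes Terraform 0.13 or later.

```hcl
# Added example, not provider documentation.
# Assumes Terraform 0.13+ for the variable validation block.

variable "name" {
  default = "tf-testAccRouteEntryConfig"
}

# Assumption: the management network that is allowed to reach SSH.
# 203.0.113.0/24 is a documentation range (constructed value); replace it
# with your own network.
variable "admin_cidr" {
  type    = string
  default = "203.0.113.0/24"

  validation {
    # Accept only a well-formed CIDR block with a prefix length of /16 to /32.
    # This rejects 0.0.0.0/0 and other very broad sources at plan time.
    condition     = can(cidrhost(var.admin_cidr, 0)) && can(regex("/(1[6-9]|2[0-9]|3[0-2])$", var.admin_cidr))
    error_message = "The admin_cidr value must be a valid CIDR block with a prefix length between /16 and /32."
  }
}

resource "alicloud_vpc" "foo" {
  name       = "${var.name}"
  cidr_block = "10.1.0.0/21"
}

resource "alicloud_security_group" "tf_test_foo" {
  name        = "${var.name}"
  description = "foo"
  vpc_id      = "${alicloud_vpc.foo.id}"
}

# Weak setting in the example above:  cidr_ip = "0.0.0.0/0"
# Corrected setting: SSH is accepted only from the management network.
resource "alicloud_security_group_rule" "ingress" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "22/22"
  priority          = 1
  security_group_id = "${alicloud_security_group.tf_test_foo.id}"
  cidr_ip           = "${var.admin_cidr}"
}
```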

» Argument Reference

The following arguments are supported:


• route_table_id - (Required, ForceNew) The ID of the route table to
which the route entry belongs.
• instance_id - (Optional) The instance ID of the next hop.
• type - (Optional) The type of the route entry.
• cidr_block - (Optional) The destination CIDR block of the route entry.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• entries - A list of Route Entries. Each element contains the following
attributes:
– type - The type of the route entry.
– next_hop_type - The type of the next hop.
– status - The status of the route entry.
– instance_id - The instance ID of the next hop.
– route_table_id - The ID of the route table to which the route
entry belongs.
– cidr_block - The destination CIDR block of the route entry.

» alicloud_route_tables
This data source provides a list of Route Tables owned by an Alibaba Cloud
account.
NOTE: Available in 1.36.0+.

» Example Usage

variable "name" {
  default = "route-tables-datasource-example-name"
}

resource "alicloud_vpc" "foo" {
  cidr_block = "172.16.0.0/12"
  name       = "${var.name}"
}

resource "alicloud_route_table" "foo" {
  vpc_id      = "${alicloud_vpc.foo.id}"
  name        = "${var.name}"
  description = "${var.name}"
}

data "alicloud_route_tables" "foo" {
  ids = ["${alicloud_route_table.foo.id}"]
}

output "route_table_ids" {
  value = "${data.alicloud_route_tables.foo.ids}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of Route Tables IDs.
• name_regex - (Optional) A regex string to filter route tables by name.
• vpc_id - (Optional) Vpc id of the route table.
• tags - (Optional, Available in v1.55.3+) A mapping of tags to assign to
the resource.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• resource_group_id - (Optional, ForceNew, Available in 1.60.0+) The ID
of the resource group to which the route tables belong.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - (Optional) A list of Route Tables IDs.
• names - A list of Route Tables names.
• tables - A list of Route Tables. Each element contains the following
attributes:
– id - ID of the Route Table.
– router_id - Router Id of the route table.
– route_table_type - The type of route table.
– name - Name of the route table.
– description - The description of the route table instance.
– creation_time - Time of creation.
– resource_group_id - The ID of the resource group to which the route
tables belong.

» alicloud_router_interfaces
This data source provides information about router interfaces that connect
VPCs together.

» Example Usage

data "alicloud_router_interfaces" "router_interfaces_ds" {
  name_regex = "^testenv"
  status     = "Active"
}

output "first_router_interface_id" {
  value = "${data.alicloud_router_interfaces.router_interfaces_ds.interfaces.0.id}"
}

» Argument Reference

The following arguments are supported:


• name_regex - (Optional) A regex string used to filter by router interface
name.
• status - (Optional) Expected status. Valid values are Active, Inactive
and Idle.
• specification - (Optional) Specification of the link, such as Small.1
(10Mb), Middle.1 (100Mb), Large.2 (2Gb), ...etc.
• router_id - (Optional) ID of the VRouter located in the local region.
• router_type - (Optional) Router type in the local region. Valid values
are VRouter and VBR (physical connection).
• role - (Optional) Role of the router interface. Valid values are
InitiatingSide (connection initiator) and AcceptingSide (connection
receiver). The value of this parameter must be InitiatingSide if the
router_type is set to VBR.
• opposite_interface_id - (Optional) ID of the peer router interface.
• opposite_interface_owner_id - (Optional) Account ID of the owner of
the peer router interface.
• ids - (Optional, Available in 1.44.0+) A list of router interface IDs.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:

• ids - A list of router interface IDs.
• names - A list of router interface names.
• interfaces - A list of router interfaces. Each element contains the
following attributes:
– id - Router interface ID.
– status - Router interface status. Possible values: Active, Inactive
and Idle.
– name - Router interface name.
– description - Router interface description.
– role - Router interface role. Possible values: InitiatingSide and
AcceptingSide.
– specification - Router interface specification. Possible values:
Small.1, Middle.1, Large.2, ...etc.
– router_id - ID of the VRouter located in the local region.
– router_type - Router type in the local region. Possible values:
VRouter and VBR.
– vpc_id - ID of the VPC that owns the router in the local region.
– access_point_id - ID of the access point used by the VBR.
– creation_time - Router interface creation time.
– opposite_region_id - Peer router region ID.
– opposite_interface_id - Peer router interface ID.
– opposite_router_id - Peer router ID.
– opposite_router_type - Router type in the peer region. Possible
values: VRouter and VBR.
– opposite_interface_owner_id - Account ID of the owner of the
peer router interface.
– health_check_source_ip - Source IP address used to perform
health check on the physical connection.
– health_check_target_ip - Destination IP address used to perform
health check on the physical connection.

» alicloud_snat_entries
This data source provides a list of Snat Entries owned by an Alibaba Cloud
account.
NOTE: Available in 1.37.0+.

» Example Usage

variable "name" {
  default = "snat-entry-example-name"
}
data "alicloud_zones" "default" {
  available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "foo" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "foo" {
  vpc_id            = "${alicloud_vpc.foo.id}"
  cidr_block        = "172.16.0.0/21"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_nat_gateway" "foo" {
  vpc_id        = "${alicloud_vpc.foo.id}"
  specification = "Small"
  name          = "${var.name}"
}

resource "alicloud_eip" "foo" {
  name = "${var.name}"
}

resource "alicloud_eip_association" "foo" {
  allocation_id = "${alicloud_eip.foo.id}"
  instance_id   = "${alicloud_nat_gateway.foo.id}"
}

resource "alicloud_snat_entry" "foo" {
  snat_table_id     = "${alicloud_nat_gateway.foo.snat_table_ids}"
  source_vswitch_id = "${alicloud_vswitch.foo.id}"
  snat_ip           = "${alicloud_eip.foo.ip_address}"
}

data "alicloud_snat_entries" "foo" {
  snat_table_id = "${alicloud_snat_entry.foo.snat_table_id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of Snat Entries IDs.

• snat_ip - (Optional) The public IP of the Snat Entry.
• source_cidr - (Optional) The source CIDR block of the Snat Entry.
• snat_table_id - (Required) The ID of the Snat table.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - (Optional) A list of Snat Entries IDs.
• entries - A list of Snat Entries. Each element contains the following
attributes:
– id - The ID of the Snat Entry.
– snat_ip - The public IP of the Snat Entry.
– source_cidr - The source CIDR block of the Snat Entry.
– status - The status of the Snat Entry.

» alicloud_vpcs
This data source provides VPCs available to the user.

» Example Usage

data "alicloud_vpcs" "vpcs_ds" {
  cidr_block = "172.16.0.0/12"
  status     = "Available"
  name_regex = "^foo"
}

output "first_vpc_id" {
  value = "${data.alicloud_vpcs.vpcs_ds.vpcs.0.id}"
}

» Argument Reference

The following arguments are supported:


• cidr_block - (Optional) Filter results by a specific CIDR block. For
example: "172.16.0.0/12".
• status - (Optional) Filter results by a specific status. Valid values are
Pending and Available.

• name_regex - (Optional) A regex string to filter VPCs by name.
• is_default - (Optional, type: bool) Indicate whether the VPC is the
default one in the specified region.
• vswitch_id - (Optional) Filter results by the specified VSwitch.
• tags - (Optional, Available in v1.55.3+) A mapping of tags to assign to
the resource.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• ids - (Optional, Available in 1.52.0+) A list of VPC IDs.
• resource_group_id - (Optional, ForceNew, Available in 1.60.0+) The ID
of the resource group to which the VPC belongs.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of VPC IDs.
• names - A list of VPC names.
• vpcs - A list of VPCs. Each element contains the following attributes:
– id - ID of the VPC.
– region_id - ID of the region where the VPC is located.
– status - Status of the VPC.
– vpc_name - Name of the VPC.
– vswitch_ids - List of VSwitch IDs in the specified VPC.
– cidr_block - CIDR block of the VPC.
– vrouter_id - ID of the VRouter.
– route_table_id - Route table ID of the VRouter.
– description - Description of the VPC.
– is_default - Whether the VPC is the default VPC in the region.
– creation_time - Time of creation.
– tags - A map of tags assigned to the VPC.

» alicloud_vswitches
This data source provides a list of VSwitches owned by an Alibaba Cloud
account.

» Example Usage

variable "name" {
  default = "vswitchDatasourceName"
}
data "alicloud_zones" "default" {}

resource "alicloud_vpc" "vpc" {
  cidr_block = "172.16.0.0/16"
  name       = "${var.name}"
}

resource "alicloud_vswitch" "vswitch" {
  name              = "${var.name}"
  cidr_block        = "172.16.0.0/24"
  vpc_id            = "${alicloud_vpc.vpc.id}"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
}

data "alicloud_vswitches" "default" {
  name_regex = "${alicloud_vswitch.vswitch.name}"
}

» Argument Reference

The following arguments are supported:


• cidr_block - (Optional) Filter results by a specific CIDR block. For
example: "172.16.0.0/12".
• zone_id - (Optional) The availability zone of the VSwitch.
• name_regex - (Optional) A regex string to filter results by name.
• is_default - (Optional, type: bool) Indicate whether the VSwitch is
created by the system.
• vpc_id - (Optional) ID of the VPC that owns the VSwitch.
• tags - (Optional, Available in v1.55.3+) A mapping of tags to assign to
the resource.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).
• ids - (Optional, Available in 1.52.0+) A list of VSwitch IDs.
• resource_group_id - (Optional, ForceNew, Available in 1.60.0+) The ID
of the resource group to which the VSwitch belongs.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of VSwitch IDs.
• names - A list of VSwitch names.
• vswitches - A list of VSwitches. Each element contains the following
attributes:
– id - ID of the VSwitch.

– zone_id - ID of the availability zone where the VSwitch is located.
– vpc_id - ID of the VPC that owns the VSwitch.
– name - Name of the VSwitch.
– instance_ids - List of ECS instance IDs in the specified VSwitch.
– cidr_block - CIDR block of the VSwitch.
– description - Description of the VSwitch.
– is_default - Whether the VSwitch is the default one in the region.
– creation_time - Time of creation.

» alicloud_forward_entries
This data source provides a list of Forward Entries owned by an Alibaba Cloud
account.
NOTE: Available in 1.37.0+.

» Example Usage

variable "name" {
  default = "forward-entry-config-example-name"
}

data "alicloud_zones" "default" {
  available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "default" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "default" {
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "172.16.0.0/21"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_nat_gateway" "default" {
  vpc_id        = "${alicloud_vpc.default.id}"
  specification = "Small"
  name          = "${var.name}"
}

resource "alicloud_eip" "default" {
  name = "${var.name}"
}

resource "alicloud_eip_association" "default" {
  allocation_id = "${alicloud_eip.default.id}"
  instance_id   = "${alicloud_nat_gateway.default.id}"
}

resource "alicloud_forward_entry" "default" {
  forward_table_id = "${alicloud_nat_gateway.default.forward_table_ids}"
  external_ip      = "${alicloud_eip.default.ip_address}"
  external_port    = "80"
  ip_protocol      = "tcp"
  internal_ip      = "172.16.0.3"
  internal_port    = "8080"
}

data "alicloud_forward_entries" "default" {
  forward_table_id = "${alicloud_forward_entry.default.forward_table_id}"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) A list of Forward Entries IDs.
• name_regex - (Optional, Available in 1.44.0+) A regex string to filter
results by forward entry name.
• external_ip - (Optional) The public IP address.
• internal_ip - (Optional) The private IP address.
• forward_table_id - (Required) The ID of the Forward table.
• output_file - (Optional) File name where to save data source results
(after running terraform plan).

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:
• ids - A list of Forward Entries IDs.
• names - A list of Forward Entries names.
• entries - A list of Forward Entries. Each element contains the following
attributes:
– id - The ID of the Forward Entry.
– external_ip - The public IP address.

– external_port - The public port.
– ip_protocol - The protocol type.
– internal_ip - The private IP address.
– internal_port - The private port.
– name - The forward entry name.
– status - The status of the Forward Entry.

» alicloud_common_bandwidth_package
Provides a common bandwidth package resource.
NOTE: Terraform will automatically build a common bandwidth package instance
when it uses alicloud_common_bandwidth_package to build a common bandwidth
package resource.
For information about common bandwidth package and how to use it, see What
is Common Bandwidth Package.
For information about common bandwidth package billing methods, see Common
Bandwidth Package Billing Methods.

» Example Usage

Basic Usage
resource "alicloud_common_bandwidth_package" "foo" {
  bandwidth            = "200"
  internet_charge_type = "PayByBandwidth"
  name                 = "test-common-bandwidth-package"
  description          = "test-common-bandwidth-package"
}

» Argument Reference

The following arguments are supported:


• bandwidth - (Required) The bandwidth of the common bandwidth package,
in Mbps.
• internet_charge_type - (Optional, ForceNew) The billing method of
the common bandwidth package. Valid values are "PayByBandwidth",
"PayBy95" and "PayByTraffic". "PayBy95" is pay by classic 95th
percentile pricing. International Account doesn’t support "PayByBandwidth"
and "PayBy95". Default to "PayByTraffic".
• ratio - (Optional, ForceNew, Available in 1.55.3+) Ratio of the common
bandwidth package. It is valid when internet_charge_type is PayBy95.
Default to 100. Valid values: [10-100].
• name - (Optional) The name of the common bandwidth package.
• description - (Optional) The description of the common bandwidth package
instance.
• resource_group_id - (ForceNew, Available in 1.58.0+) The ID of the resource
group to which the common bandwidth package belongs.

» Attributes Reference

The following attributes are exported:


• id - The ID of the common bandwidth package instance.

» Import

The common bandwidth package can be imported using the id, e.g.
$ terraform import alicloud_common_bandwidth_package.foo cbwp-abc123456

» alicloud_common_bandwidth_package_attachment
Provides an Alicloud Common Bandwidth Package Attachment resource for
associating a Common Bandwidth Package with an EIP instance.
NOTE: Terraform will automatically build a common bandwidth package attachment
when it uses alicloud_common_bandwidth_package_attachment to build a
common bandwidth package attachment resource.
For information about common bandwidth package and how to use it, see What
is Common Bandwidth Package.

» Example Usage

Basic Usage
resource "alicloud_common_bandwidth_package" "foo" {
bandwidth = "2"
name = "test_common_bandwidth_package"
description = "test_common_bandwidth_package"
}

resource "alicloud_eip" "foo" {

bandwidth = "2"
internet_charge_type = "PayByBandwidth"
}

resource "alicloud_common_bandwidth_package_attachment" "foo" {


bandwidth_package_id = "${alicloud_common_bandwidth_package.foo.id}"
instance_id = "${alicloud_eip.foo.id}"
}

» Argument Reference

The following arguments are supported:


• bandwidth_package_id - (Required, ForceNew) The bandwidth_package_id
of the common bandwidth package attachment, the field can’t be changed.
• instance_id - (Required, ForceNew) The instance_id of the common
bandwidth package attachment, the field can’t be changed.

» Attributes Reference

The following attributes are exported:


• id - The ID of the common bandwidth package attachment, formatted as
<bandwidth_package_id>:<instance_id>.

» Import

The common bandwidth package attachment can be imported using the id, e.g.
$ terraform import alicloud_common_bandwidth_package_attachment.foo cbwp-abc123456:eip-abc12

» alicloud_eip
Provides an elastic IP resource.
NOTE: For an international account, this resource only supports creating
PostPaid PayByTraffic or PrePaid PayByBandwidth elastic IPs. Otherwise,
you will get the error COMMODITY.INVALID_COMPONENT. Your account is
international if you can use it to log in to the International Web Console.
NOTE: From version 1.10.1, this resource supports creating "PrePaid" EIPs. In
addition, it supports setting the EIP name and description.

» Example Usage

# Create a new EIP.


resource "alicloud_eip" "example" {
bandwidth = "10"
internet_charge_type = "PayByBandwidth"
}

» Module Support

You can use the existing eip module to create several EIP instances and associate
them with other resources in one click, such as ECS instances, SLB, Nat Gateway
and so on.

» Argument Reference

The following arguments are supported:


• name - (Optional) The name of the EIP instance. The name must be 2 to
128 characters long, must contain only alphanumeric characters or
hyphens, such as "-", ".", "_", must not begin or end with a hyphen,
and must not begin with http:// or https://.
• description - (Optional) Description of the EIP instance. The
description must be 2 to 256 characters long and cannot begin with
http:// or https://. Default value is null.
• bandwidth - (Optional) Maximum bandwidth to the elastic public
network, measured in Mbps (megabits per second). If this value is not
specified, it is automatically set to 5 Mbps.
• internet_charge_type - (Optional, ForceNew) Internet charge type of
the EIP. Valid values are PayByBandwidth and PayByTraffic. Defaults to
PayByBandwidth. From version 1.7.1, defaults to PayByTraffic. It can
only be PayByBandwidth when instance_charge_type is PrePaid.
• instance_charge_type - (Optional, ForceNew) Elastic IP instance charge
type. Valid values are "PrePaid" and "PostPaid". Defaults to "PostPaid".
• period - (Optional, ForceNew) The duration that you will buy the
resource, in months. It is valid when instance_charge_type is PrePaid.
Defaults to 1. Valid values: [1-9, 12, 24, 36]. At present, the provider
does not support modifying "period"; you can do that via the web console.
• isp - (Optional, ForceNew, Available in 1.47.0+) The line type of the
Elastic IP instance. Defaults to BGP. Other ISP types require opening a
whitelist.
• tags - (Optional, Available in v1.55.3+) A mapping of tags to assign to
the resource.

• resource_group_id - (Optional, ForceNew, Available in 1.58.0+) The ID
of the resource group to which the EIP belongs.

» Attributes Reference

The following attributes are exported:


• id - The EIP ID.
• bandwidth - The elastic public network bandwidth.
• internet_charge_type - The EIP internet charge type.
• status - The EIP current status.
• ip_address - The elastic IP address.

» Import

Elastic IP address can be imported using the id, e.g.


$ terraform import alicloud_eip.example eip-abc12345678

» alicloud_eip_association
Provides an Alicloud EIP Association resource for associating Elastic IP to ECS
Instance, SLB Instance or Nat Gateway.
NOTE: alicloud_eip_association is useful in scenarios where EIPs are
either pre-existing or distributed to customers or users and therefore cannot
be changed.
NOTE: From version 1.7.1, the resource supports associating an EIP with an SLB
Instance or Nat Gateway.
NOTE: An EIP can only be associated with an ECS or SLB instance that is in
a VPC.

» Example Usage

# Create a new EIP association and use it to associate an EIP with an instance.

data "alicloud_zones" "default" {


}

resource "alicloud_vpc" "vpc" {


cidr_block = "10.1.0.0/21"
}

resource "alicloud_vswitch" "vsw" {
vpc_id = "${alicloud_vpc.vpc.id}"
cidr_block = "10.1.1.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"

depends_on = [
"alicloud_vpc.vpc",
]
}

data "alicloud_instance_types" "default" {


availability_zone = "${data.alicloud_zones.default.zones.0.id}"
}

data "alicloud_images" "default" {


name_regex = "^ubuntu_18.*64"
most_recent = true
owners = "system"
}

resource "alicloud_instance" "ecs_instance" {


image_id = "${data.alicloud_images.default.images.0.id}"
instance_type = "${data.alicloud_instance_types.default.instance_types.0.id}"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
security_groups = ["${alicloud_security_group.group.id}"]
vswitch_id = "${alicloud_vswitch.vsw.id}"
instance_name = "hello"
tags = {
Name = "TerraformTest-instance"
}
}

resource "alicloud_eip" "eip" {}

resource "alicloud_eip_association" "eip_asso" {


allocation_id = "${alicloud_eip.eip.id}"
instance_id = "${alicloud_instance.ecs_instance.id}"
}

resource "alicloud_security_group" "group" {


name = "terraform-test-group"
description = "New security group"
vpc_id = "${alicloud_vpc.vpc.id}"
}

» Module Support

You can use the existing eip module to create several EIP instances and associate
them with other resources in one click, such as ECS instances, SLB, Nat Gateway
and so on.

» Argument Reference

The following arguments are supported:


• allocation_id - (Required, ForcesNew) The allocation EIP ID.
• instance_id - (Required, ForcesNew) The ID of the ECS or SLB instance
or Nat Gateway.
• instance_type - (Optional, ForceNew, Available in 1.46.0+) The type of
cloud product to which the EIP instance is bound.
• private_ip_address - (Optional, ForceNew, Available in 1.52.2+) The
private IP address in the network segment of the vswitch which has been
assigned.

» Attributes Reference

The following attributes are exported:


• allocation_id - As above.
• instance_id - As above.

» alicloud_forward_entry
Provides a forward resource.

» Example Usage

Basic Usage
variable "name" {
default = "forward-entry-example-name"
}

data "alicloud_zones" "default" {


available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "default" {

name = "${var.name}"
cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/21"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_nat_gateway" "default" {


vpc_id = "${alicloud_vpc.default.id}"
specification = "Small"
name = "${var.name}"
}

resource "alicloud_eip" "default" {


name = "${var.name}"
}

resource "alicloud_eip_association" "default" {


allocation_id = "${alicloud_eip.default.id}"
instance_id = "${alicloud_nat_gateway.default.id}"
}

resource "alicloud_forward_entry" "default" {


forward_table_id = "${alicloud_nat_gateway.default.forward_table_ids}"
external_ip = "${alicloud_eip.default.ip_address}"
external_port = "80"
ip_protocol = "tcp"
internal_ip = "172.16.0.3"
internal_port = "8080"
}

» Argument Reference

The following arguments are supported:


• forward_table_id - (Required, ForceNew) The value can be obtained from
the alicloud_nat_gateway attribute "forward_table_ids".
• name - (Optional, Available in 1.44.0+) The name of the forward entry.
• external_ip - (Required, ForceNew) The external IP address. The IP must
belong to the bandwidth package public IPs set by the alicloud_nat_gateway
argument bandwidth_packages.

• external_port - (Required) The external port. Valid value is 1~65535|any.
• ip_protocol - (Required) The IP protocol. Valid value is tcp|udp|any.
• internal_ip - (Required) The internal IP. It must be a private IP.
• internal_port - (Required) The internal port. Valid value is 1~65535|any.

» Attributes Reference

The following attributes are exported:


• id - The ID of the forward entry. The value is formatted as <forward_table_id>:<forward_entry_id>
• forward_entry_id - The id of the forward entry on the server.

» alicloud_nat_gateway
Provides a resource to create a VPC NAT Gateway.
NOTE: Resource bandwidth packages will not be supported since 00:00 on
November 4, 2017, and public IPs can be replaced by elastic IPs. If a Nat
Gateway has already bought some bandwidth packages, it cannot bind elastic
IPs and you have to submit a work order to solve this. If you want to add
public IPs, you can use resource 'alicloud_eip_association' to bind several
elastic IPs to one Nat Gateway.
NOTE: From version 1.7.1, this resource has deprecated bandwidth packages.
However, in order to manage stock bandwidth packages, version 1.13.0 supports
configuring 'bandwidth_packages' again.

» Example Usage

Basic usage
variable "name" {
default = "natGatewayExampleName"
}

data "alicloud_zones" "default" {


available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "default" {
vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/21"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_nat_gateway" "default" {


vpc_id = "${alicloud_vswitch.default.vpc_id}"
name = "${var.name}"
}

» Argument Reference

The following arguments are supported:


• vpc_id - (Required, ForceNew) The VPC ID.
• spec - (Deprecated) It has been deprecated from provider version 1.7.1,
and the new field 'specification' replaces it.
• specification - (Optional) The specification of the nat gateway. Valid
values are Small, Middle and Large. Defaults to Small. For details, refer
to Nat Gateway Specification.
• name - (Optional) Name of the nat gateway. The name must be 2 to 128
characters long, must contain only alphanumeric characters or hyphens,
such as "-", ".", "_", must not begin or end with a hyphen, and must
not begin with http:// or https://. Defaults to null.
• description - (Optional) Description of the nat gateway. The description
must be 2 to 256 characters long and cannot begin with http:// or
https://. Defaults to null.
• bandwidth_packages - (Optional) A list of bandwidth packages for the
nat gateway. Only supported for nat gateways created before 00:00 on
November 4, 2017. Available in v1.13.0+ and v1.7.1-.
• instance_charge_type - (Optional, ForceNew, Available in 1.45.0+) The
billing method of the nat gateway. Valid values are "PrePaid" and
"PostPaid". Defaults to "PostPaid".
• period - (Optional, ForceNew, Available in 1.45.0+) The duration that
you will buy the resource, in months. It is valid when
instance_charge_type is PrePaid. Defaults to 1. Valid values: [1-9, 12,
24, 36]. At present, the provider does not support modifying "period";
you can do that via the web console.

» Block bandwidth packages

The bandwidth package mapping supports the following:

• ip_count - (Required) The IP number of the current bandwidth package.
Its value ranges from 1 to 50.
• bandwidth - (Required) The bandwidth value of the current bandwidth
package. Its value ranges from 5 to 5000.
• zone - (Optional) The AZ for the current bandwidth. If this value is not
specified, Terraform will set a random AZ.
• public_ip_addresses - (Computed) The public IPs of the bandwidth package.
The number of public IPs equals ip_count; multiple IPs are joined with
",", such as "10.0.0.1,10.0.0.2".

» Attributes Reference

The following attributes are exported:


• id - The ID of the nat gateway.
• name - The name of the nat gateway.
• description - The description of the nat gateway.
• spec - It has been deprecated from provider version 1.7.1.
• specification - The specification of the nat gateway.
• vpc_id - The VPC ID for the nat gateway.
• bandwidth_package_ids - A list of the bandwidth package IDs, separated
by commas.
• snat_table_ids - The nat gateway automatically creates a snat and a
forward item; snat_table_ids is the created one.
• forward_table_ids - The nat gateway automatically creates a snat and a
forward item; forward_table_ids is the created one.

» Import

Nat gateway can be imported using the id, e.g.


$ terraform import alicloud_nat_gateway.example ngw-abc123456

» alicloud_network_acl
Provides a network acl resource to add network acls.
NOTE: Available in 1.43.0+. Currently, the resource is only available in the
Hongkong(cn-hongkong), India(ap-south-1), and Indonesia(ap-southeast-1)
regions.

» Example Usage

Basic Usage
resource "alicloud_vpc" "default" {
cidr_block = "172.16.0.0/12"
name = "VpcConfig"
}

resource "alicloud_network_acl" "default" {


vpc_id = "${alicloud_vpc.default.id}"
name = "network_acl"
description = "network_acl"
}

» Argument Reference

The following arguments are supported:


• vpc_id - (Required, ForceNew) The vpc_id of the network acl, the field
can’t be changed.
• name - (Optional) The name of the network acl.
• description - (Optional) The description of the network acl instance.

» Attributes Reference

The following attributes are exported:


• id - The ID of the network acl instance.

» Import

The network acl can be imported using the id, e.g.


$ terraform import alicloud_network_acl.default nacl-abc123456

» alicloud_network_acl_attachment
Provides a network acl attachment resource to associate network acls to
vswitches.
NOTE: Available in 1.44.0+. Currently, the resource is only available in the
Hongkong(cn-hongkong), India(ap-south-1), and Indonesia(ap-southeast-1)
regions.

» Example Usage

Basic Usage
variable "name" {
default = "NatGatewayConfigSpec"
}

data "alicloud_zones" "default" {


available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/12"
}

resource "alicloud_network_acl" "default" {


vpc_id = "${alicloud_vpc.default.id}"
name = "${var.name}"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/21"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_network_acl_attachment" "default" {


network_acl_id = "${alicloud_network_acl.default.id}"
resources {
resource_id = "${alicloud_vswitch.default.id}"
resource_type = "VSwitch"
}
}

» Argument Reference

The following arguments are supported:


• network_acl_id - (Required, ForceNew) The id of the network acl, the
field can’t be changed.
• resources - (Required) List of the resources associated with the network
acl. For details, see Block Resources.

» Block Resources

The resources mapping supports the following:


• resource_id - (Required) The resource id that the network acl will
associate with.
• resource_type - (Required) The type of the resource that the network acl
will associate with. Only VSwitch is supported now.

» Attributes Reference

The following attributes are exported:


• id - The ID of the network acl attachment. It is formatted as
<network_acl_id>:<a unique id>.

» alicloud_network_acl_entries
Provides a network acl entries resource to create ingress and egress entries.
NOTE: Available in 1.45.0+. Currently, the resource is only available in the
Hongkong(cn-hongkong), India(ap-south-1), and Indonesia(ap-southeast-1)
regions.
NOTE: It doesn't support concurrency, and the order of the ingress and egress
entries determines the priority.
NOTE: Using this resource requires opening a whitelist.

» Example Usage

Basic Usage
variable "name" {
default = "NetworkAclEntries"
}

data "alicloud_zones" "default" {


available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "default" {


name = "${var.name}"
cidr_block = "172.16.0.0/12"
}

resource "alicloud_network_acl" "default" {
vpc_id = "${alicloud_vpc.default.id}"
name = "${var.name}"
}

resource "alicloud_vswitch" "default" {


vpc_id = "${alicloud_vpc.default.id}"
cidr_block = "172.16.0.0/21"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_network_acl_attachment" "default" {


network_acl_id = "${alicloud_network_acl.default.id}"
resources = [
{
resource_id = "${alicloud_vswitch.default.id}"
resource_type = "VSwitch"
}
]
}

resource "alicloud_network_acl_entries" "default" {


network_acl_id = "${alicloud_network_acl.default.id}"
ingress = [
{
protocol = "all"
port = "-1/-1"
source_cidr_ip = "0.0.0.0/32"
name = "${var.name}"
entry_type = "custom"
policy = "accept"
description = "${var.name}"
}
]
egress = [
{
protocol = "all"
port = "-1/-1"
destination_cidr_ip = "0.0.0.0/32"
name = "${var.name}"
entry_type = "custom"
policy = "accept"
description = "${var.name}"

}
]
}

» Argument Reference

The following arguments are supported:


• network_acl_id - (Required, ForceNew) The id of the network acl, the
field can’t be changed.
• ingress - (Optional) List of the ingress entries of the network acl. The
order of the ingress entries determines the priority. For details, see
Block Ingress.
• egress - (Optional) List of the egress entries of the network acl. The
order of the egress entries determines the priority. For details, see
Block Egress.

» Ingress Resources

The resources mapping supports the following:


• description - (Optional) The description of the ingress entry.
• source_cidr_ip - (Optional) The source ip of the ingress entry.
• entry_type - (Optional) The entry type of the ingress entry. It must be
custom or system. Default value is custom.
• name - (Optional) The name of the ingress entry.
• policy - (Optional) The policy of the ingress entry. It must be accept or
drop.
• port - (Optional) The port of the ingress entry.
• protocol - (Optional) The protocol of the ingress entry.

» Egress Resources

The resources mapping supports the following:


• description - (Optional) The description of the egress entry.
• destination_cidr_ip - (Optional) The destination ip of the egress entry.
• entry_type - (Optional) The entry type of the egress entry. It must be
custom or system. Default value is custom.
• name - (Optional) The name of the egress entry.
• policy - (Optional) The policy of the egress entry. It must be accept or
drop.
• port - (Optional) The port of the egress entry.
• protocol - (Optional) The protocol of the egress entry.
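
The page states that the order of the ingress and egress entries determines the priority. The following added example (not part of the provider documentation or the provider's code) models that ordering as first-match evaluation, which is an assumption, and reports entries that an earlier entry makes unreachable. The function names and the two extra entries (protocol "tcp", port "22/22") are constructed for illustration.

```python
import ipaddress

# Constructed sample: the ingress entry from the example above, followed by
# two hypothetical entries (an SSH allow rule and a catch-all drop).
INGRESS = [
    {"name": "doc-example", "protocol": "all", "port": "-1/-1",
     "source_cidr_ip": "0.0.0.0/32", "policy": "accept"},
    {"name": "ssh-from-mgmt", "protocol": "tcp", "port": "22/22",
     "source_cidr_ip": "10.1.0.0/21", "policy": "accept"},
    {"name": "drop-rest", "protocol": "all", "port": "-1/-1",
     "source_cidr_ip": "0.0.0.0/0", "policy": "drop"},
]


def port_range(spec):
    """Parse a "first/last" port string; "-1/-1" stands for every port."""
    first, last = (int(part) for part in spec.split("/"))
    if (first, last) == (-1, -1):
        return 0, 65535
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return first, last


def network(entry, cidr_key):
    """CIDR of an entry; strict parsing rejects values with host bits set."""
    return ipaddress.ip_network(entry[cidr_key], strict=True)


def entry_matches(entry, protocol, peer_ip, port, cidr_key="source_cidr_ip"):
    """True if one entry applies to a packet (peer_ip is the remote address)."""
    if entry["protocol"] not in ("all", protocol):
        return False
    address = ipaddress.ip_address(peer_ip)
    net = network(entry, cidr_key)
    if address.version != net.version or address not in net:
        return False
    low, high = port_range(entry["port"])
    return low <= port <= high


def evaluate(entries, protocol, peer_ip, port, cidr_key="source_cidr_ip"):
    """Return (policy, name) of the first matching entry, else (None, None)."""
    for entry in entries:
        if entry_matches(entry, protocol, peer_ip, port, cidr_key):
            return entry["policy"], entry["name"]
    return None, None


def covers(earlier, later, cidr_key):
    """True if every packet matched by `later` is already matched by `earlier`."""
    if earlier["protocol"] not in ("all", later["protocol"]):
        return False
    outer, inner = network(earlier, cidr_key), network(later, cidr_key)
    if outer.version != inner.version or not inner.subnet_of(outer):
        return False
    e_low, e_high = port_range(earlier["port"])
    l_low, l_high = port_range(later["port"])
    return e_low <= l_low and l_high <= e_high


def shadowed(entries, cidr_key="source_cidr_ip"):
    """List (entry, covering_entry) name pairs for entries that can never fire."""
    pairs = []
    for index, later in enumerate(entries):
        for earlier in entries[:index]:
            if covers(earlier, later, cidr_key):
                pairs.append((later["name"], earlier["name"]))
                break
    return pairs


def world_open_accepts(entries, cidr_key="source_cidr_ip"):
    """Names of accept entries whose CIDR spans the whole address space."""
    return [e["name"] for e in entries
            if e["policy"] == "accept" and network(e, cidr_key).prefixlen == 0]


if __name__ == "__main__":
    for packet in [("tcp", "10.1.1.7", 22), ("tcp", "203.0.113.9", 22)]:
        print(packet, "->", evaluate(INGRESS, *packet))
    print("shadowed:", shadowed(INGRESS))
    print("shadowed if drop-rest comes first:", shadowed([INGRESS[2], INGRESS[1]]))
    print("world-open accepts:", world_open_accepts(INGRESS))
```

Run against the documented example entry alone, evaluate returns no match for any real source address, because 0.0.0.0/32 covers only the single address 0.0.0.0; 0.0.0.0/0 is the CIDR that spans all IPv4 addresses. For egress lists, pass cidr_key="destination_cidr_ip".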

» Attributes Reference

The following attributes are exported:


• id - The ID of the network acl entries. It is formatted as <network_acl_id>:<a
unique id>.

» alicloud_route_entry
Provides a route entry resource. A route entry represents a route item of one
VPC route table.

» Example Usage

Basic Usage
data "alicloud_zones" "default" {
available_resource_creation = "VSwitch"
}
data "alicloud_instance_types" "default" {
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
cpu_core_count = 1
memory_size = 2
}
data "alicloud_images" "default" {
name_regex = "^ubuntu_18.*64"
most_recent = true
owners = "system"
}

variable "name" {
default = "RouteEntryConfig"
}
resource "alicloud_vpc" "foo" {
name = "${var.name}"
cidr_block = "10.1.0.0/21"
}

resource "alicloud_vswitch" "foo" {


vpc_id = "${alicloud_vpc.foo.id}"
cidr_block = "10.1.1.0/24"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_security_group" "tf_test_foo" {
name = "${var.name}"
description = "foo"
vpc_id = "${alicloud_vpc.foo.id}"
}

resource "alicloud_security_group_rule" "ingress" {


type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "22/22"
priority = 1
security_group_id = "${alicloud_security_group.tf_test_foo.id}"
cidr_ip = "0.0.0.0/0"
}

resource "alicloud_instance" "foo" {


security_groups = ["${alicloud_security_group.tf_test_foo.id}"]

vswitch_id = "${alicloud_vswitch.foo.id}"

instance_charge_type = "PostPaid"
instance_type = "${data.alicloud_instance_types.default.instance_types.0.id}"
internet_charge_type = "PayByTraffic"
internet_max_bandwidth_out = 5

system_disk_category = "cloud_efficiency"
image_id = "${data.alicloud_images.default.images.0.id}"
instance_name = "${var.name}"
}
resource "alicloud_route_entry" "foo" {
route_table_id = "${alicloud_vpc.foo.route_table_id}"
destination_cidrblock = "172.11.1.1/32"
nexthop_type = "Instance"
nexthop_id = "${alicloud_instance.foo.id}"
}

» Module Support

You can use the existing vpc module to create a VPC, several VSwitches and
add several route entries in one click.

» Argument Reference

The following arguments are supported:


• router_id - (Deprecated) This argument has been deprecated. Please use
other arguments to launch a custom route entry.
• route_table_id - (Required, ForceNew) The ID of the route table.
• destination_cidrblock - (ForceNew) The RouteEntry’s target network
segment.
• nexthop_type - (ForceNew) The next hop type. Available values:
– Instance (Default): Route the traffic destined for the destination
CIDR block to an ECS instance in the VPC.
– RouterInterface: Route the traffic destined for the destination
CIDR block to a router interface.
– VpnGateway: Route the traffic destined for the destination CIDR
block to a VPN Gateway.
– HaVip: Route the traffic destined for the destination CIDR block to
an HAVIP.
– NetworkInterface: Route the traffic destined for the destination
CIDR block to a NetworkInterface.
– NatGateway: Route the traffic destined for the destination CIDR
block to a Nat Gateway.
• nexthop_id - (ForceNew) The route entry’s next hop. ECS instance ID
or VPC router interface ID.
• name - (Optional, ForceNew, Available in 1.55.1+) The name of the route
entry. This name can have a string of 2 to 128 characters, must contain
only alphanumeric characters or hyphens, such as ”-”,”.”,”_”, and must not
begin or end with a hyphen, and must not begin with http:// or https://.

» Attributes Reference

The following attributes are exported:


• id - The route entry ID, formatted as <route_table_id:router_id:destination_cidrblock:nexthop_ty
• router_id - The ID of the virtual router attached to Vpc.
• route_table_id - The ID of the route table.
• destination_cidrblock - The RouteEntry’s target network segment.
• nexthop_type - The next hop type.
• nexthop_id - The route entry’s next hop.

» Import

Router entry can be imported using the id, e.g (formatted as).
$ terraform import alicloud_route_entry.example vtb-123456:vrt-123456:0.0.0.0/0:NatGateway:n

» alicloud_route_table
Provides a route table resource to add customized route tables.
NOTE: Terraform will auto build route table instance while it uses
alicloud_route_table to build a route table resource.
Currently, customized route tables are available in most regions apart from
China (Beijing), China (Hangzhou), and China (Shenzhen) regions. For
information about route table and how to use it, see What is Route Table.

» Example Usage

Basic Usage
resource "alicloud_vpc" "foo" {
cidr_block = "172.16.0.0/12"
name = "vpc-example-name"
}

resource "alicloud_route_table" "foo" {


vpc_id = "${alicloud_vpc.foo.id}"
name = "route-table-example-name"
description = "route-table-example-description"
}

» Argument Reference

The following arguments are supported:


• vpc_id - (Required, ForceNew) The vpc_id of the route table, the field
can’t be changed.
• name - (Optional) The name of the route table.
• description - (Optional) The description of the route table instance.
• tags - (Optional, Available in v1.55.3+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported:


• id - The ID of the route table instance.

» Import

The route table can be imported using the id, e.g.


$ terraform import alicloud_route_table.foo vtb-abc123456

» alicloud_route_table_attachment
Provides an Alicloud Route Table Attachment resource for associating Route
Table to VSwitch Instance.
NOTE: Terraform will auto build route table attachment while it uses
alicloud_route_table_attachment to build a route table attachment
resource.
For information about route table and how to use it, see What is Route Table.

» Example Usage

Basic Usage
variable "name" {
default = "route-table-attachment-example-name"
}
resource "alicloud_vpc" "foo" {
cidr_block = "172.16.0.0/12"
name = "${var.name}"
}
data "alicloud_zones" "default" {
available_resource_creation = "VSwitch"
}
resource "alicloud_vswitch" "foo" {
vpc_id = "${alicloud_vpc.foo.id}"
cidr_block = "172.16.0.0/21"
availability_zone = "${data.alicloud_zones.default.zones.0.id}"
name = "${var.name}"
}

resource "alicloud_route_table" "foo" {

vpc_id = "${alicloud_vpc.foo.id}"
name = "${var.name}"
description = "route_table_attachment"
}

resource "alicloud_route_table_attachment" "foo" {


vswitch_id = "${alicloud_vswitch.foo.id}"
route_table_id = "${alicloud_route_table.foo.id}"
}

» Argument Reference

The following arguments are supported:


• vswitch_id - (Required, ForceNew) The vswitch_id of the route table
attachment, the field can’t be changed.
• route_table_id - (Required, ForceNew) The route_table_id of the route
table attachment, the field can’t be changed.

» Attributes Reference

The following attributes are exported:


• id - The ID of the route table attachment, formatted as
<route_table_id>:<vswitch_id>.

» Import

The route table attachment can be imported using the id, e.g.
$ terraform import alicloud_route_table_attachment.foo vtb-abc123456:vsw-abc123456

» alicloud_router_interface
Provides a VPC router interface resource used to build a connection between
two VPCs.
NOTE: Only one pair of connected router interfaces can exist between two
routers. Up to 5 router interfaces can be created for each router and each
account.
NOTE: The router interface is not connected when it is created. It can be
connected by means of resource alicloud_router_interface_connection.

» Example Usage

resource "alicloud_vpc" "foo" {


name = "tf_test_foo12345"
cidr_block = "172.16.0.0/12"
}

resource "alicloud_router_interface" "interface" {


opposite_region = "cn-beijing"
router_type = "VRouter"
router_id = "${alicloud_vpc.foo.router_id}"
role = "InitiatingSide"
specification = "Large.2"
name = "test1"
description = "test1"
}

» Argument Reference

The following arguments are supported:


• opposite_region - (Required, ForceNew) The Region of the peer side.
• router_type - (Required, ForceNew) Router Type. Optional value:
VRouter, VBR. The accepting side router interface type can only be VRouter.
• opposite_router_type - (Deprecated) It has been deprecated from
version 1.11.0. Use resource alicloud_router_interface_connection's
'opposite_router_type' instead.
• router_id - (Required, ForceNew) The Router ID.
• opposite_router_id - (Deprecated) It has been deprecated from version
1.11.0. Use resource alicloud_router_interface_connection's
'opposite_router_id' instead.
• role - (Required, ForceNew) The role the router interface plays. Optional
value: InitiatingSide, AcceptingSide.
• specification - (Optional) Specification of router interfaces. It is valid
when role is InitiatingSide. The accepting side is set to 'Negative' by
default. For more about the specification, refer to Router interface
specification.
• access_point_id - (Deprecated) It has been deprecated from version
1.11.0.
• opposite_access_point_id - (Deprecated) It has been deprecated from
version 1.11.0.
• opposite_interface_id - (Deprecated) It has been deprecated from version
1.11.0. Use resource alicloud_router_interface_connection's
'opposite_router_id' instead.
• opposite_interface_owner_id - (Deprecated) It has been deprecated
from version 1.11.0. Use resource alicloud_router_interface_connection's
'opposite_interface_id' instead.
• name - (Optional) Name of the router interface. Length must be 2-80
characters long. Only Chinese characters, English letters, numbers, period
(.), underline (_), or dash (-) are permitted. If it is not specified, the
default value is the interface ID. The name cannot start with http:// or
https://.
• description - (Optional) Description of the router interface. It can be
2-256 characters long or left blank. It cannot start with http:// or
https://.
• health_check_source_ip - (Optional) Used as the Packet Source IP
of health check for disaster recovery or ECMP. It is only valid when
router_type is VBR. The IP must be an unused IP in the local VPC.
It and health_check_target_ip must be specified at the same time.
• health_check_target_ip - (Optional) Used as the Packet Target IP
of health check for disaster recovery or ECMP. It is only valid when
router_type is VBR. The IP must be an unused IP in the local VPC.
It and health_check_source_ip must be specified at the same time.
• instance_charge_type - (Optional, ForceNew) The billing method of the
router interface. Valid values are "PrePaid" and "PostPaid". Defaults to
"PostPaid". Router Interface doesn't support "PrePaid" when region and
opposite_region are the same.
• period - (Optional, ForceNew) The duration that you will buy the
resource, in months. It is valid when instance_charge_type is PrePaid.
Defaults to 1. Valid values: [1-9, 12, 24, 36]. At present, the provider
does not support modifying "period"; you can do that via the web console.

» Attributes Reference

The following attributes are exported:


• id - Router interface ID.
• router_id - Router ID.
• router_type - Router type.
• role - Router interface role.
• name - Router interface name.
• description - Router interface description.
• specification - Router interface specification.
• access_point_id - Access point of the router interface.
• opposite_access_point_id - (Deprecated) It has been deprecated from
version 1.11.0.
• opposite_router_type - Peer router type.
• opposite_router_id - Peer router ID.
• opposite_interface_id - Peer router interface ID.
• opposite_interface_owner_id - Peer account ID.
• health_check_source_ip - Source IP of Packet of Line HealthCheck.

• health_check_target_ip - Target IP of Packet of Line HealthCheck.

» Import

The router interface can be imported using the id, e.g.


$ terraform import alicloud_router_interface.interface ri-abc123456

» alicloud_router_interface_connection
Provides a VPC router interface connection resource to connect two router
interfaces which are in two different VPCs. After that, both router interfaces
will be active.
NOTE: At present, Router interface does not support changing the opposite
router interface. The connection delete action only deactivates it to inactive;
it does not modify the connection to empty.
NOTE: If you want to change the opposite router interface, you can delete the
router interfaces and re-build them.
NOTE: An integrated router interface connection tunnel requires both
InitiatingSide and AcceptingSide configuring the opposite router interface.
NOTE: Please remember to add a depends_on clause in the router interface
connection from the InitiatingSide to the AcceptingSide, because the connection
from the AcceptingSide to the InitiatingSide must be done first.

» Example Usage

provider "alicloud" {
region = "${var.region}"
}
variable "region" {
default = "cn-hangzhou"
}
variable "name" {
default = "alicloudRouterInterfaceConnectionBasic"
}
resource "alicloud_vpc" "foo" {
name = "${var.name}"
cidr_block = "172.16.0.0/12"
}
resource "alicloud_vpc" "bar" {
provider = "alicloud"

name = "${var.name}"
cidr_block = "192.168.0.0/16"
}
resource "alicloud_router_interface" "initiate" {
opposite_region = "${var.region}"
router_type = "VRouter"
router_id = "${alicloud_vpc.foo.router_id}"
role = "InitiatingSide"
specification = "Large.2"
name = "${var.name}"
description = "${var.name}"
instance_charge_type = "PostPaid"
}
resource "alicloud_router_interface" "opposite" {
provider = "alicloud"
opposite_region = "${var.region}"
router_type = "VRouter"
router_id = "${alicloud_vpc.bar.router_id}"
role = "AcceptingSide"
specification = "Large.1"
name = "${var.name}-opposite"
description = "${var.name}-opposite"
}

// A integrated router interface connection tunnel requires both InitiatingSide and Acceptin
resource "alicloud_router_interface_connection" "foo" {
interface_id = "${alicloud_router_interface.initiate.id}"
opposite_interface_id = "${alicloud_router_interface.opposite.id}"
depends_on = ["alicloud_router_interface_connection.bar"] // The connection mus
}
resource "alicloud_router_interface_connection" "bar" {
provider = "alicloud"
interface_id = "${alicloud_router_interface.opposite.id}"
opposite_interface_id = "${alicloud_router_interface.initiate.id}"
}

» Argument Reference

The following arguments are supported:


• interface_id - (Required, ForceNew) One side router interface ID.
• opposite_interface_id - (Required, ForceNew) Another side router
interface ID. It must belong to the specified "opposite_interface_owner_id"
account.
• opposite_interface_owner_id - (Optional, ForceNew) Another side
router interface account ID. Log on to the Alibaba Cloud console, select
User Info > Account Management to check the account ID. Defaults to the
Provider account_id.
• opposite_router_id - (Optional, ForceNew) Another side router ID. It
must belong to the specified "opposite_interface_owner_id" account. It is
valid when field "opposite_interface_owner_id" is specified.
• opposite_router_type - (Optional, ForceNew) Another side router
type. Optional value: VRouter, VBR. It is valid when field
"opposite_interface_owner_id" is specified.
NOTE: The value of "opposite_interface_owner_id" or "account_id" must be a
main account, not a sub-account.

» Attributes Reference

The following attributes are exported:


• id - Router interface ID. The value is equal to "interface_id".

» Import

The router interface connection can be imported using the id, e.g.
$ terraform import alicloud_router_interface_connection.foo ri-abc123456

» alicloud_snat
Provides a snat resource.

» Example Usage

Basic Usage
variable "name" {
  default = "snat-entry-example-name"
}
data "alicloud_zones" "default" {
  available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "vpc" {
  name       = "${var.name}"
  cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "vswitch" {
  vpc_id            = "${alicloud_vpc.vpc.id}"
  cidr_block        = "172.16.0.0/21"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
  name              = "${var.name}"
}

resource "alicloud_nat_gateway" "default" {
  vpc_id        = "${alicloud_vswitch.vswitch.vpc_id}"
  specification = "Small"
  name          = "${var.name}"
}

resource "alicloud_eip" "default" {
  count = 2
  name  = "${var.name}"
}

resource "alicloud_eip_association" "default" {
  count         = 2
  allocation_id = "${element(alicloud_eip.default.*.id, count.index)}"
  instance_id   = "${alicloud_nat_gateway.default.id}"
}

resource "alicloud_common_bandwidth_package" "default" {
  name                 = "tf_cbp"
  bandwidth            = 10
  internet_charge_type = "PayByTraffic"
  ratio                = 100
}

resource "alicloud_common_bandwidth_package_attachment" "default" {
  count                = 2
  bandwidth_package_id = "${alicloud_common_bandwidth_package.default.id}"
  instance_id          = "${element(alicloud_eip.default.*.id, count.index)}"
}

resource "alicloud_snat_entry" "default" {
  depends_on        = [alicloud_eip_association.default]
  snat_table_id     = "${alicloud_nat_gateway.default.snat_table_ids}"
  source_vswitch_id = "${alicloud_vswitch.vswitch.id}"
  snat_ip           = "${join(",", alicloud_eip.default.*.ip_address)}"
}

» Argument Reference

The following arguments are supported:


• snat_table_id - (Required, ForceNew) The value can be obtained from the
alicloud_nat_gateway attribute "snat_table_ids".
• source_vswitch_id - (Optional, ForceNew) The vswitch ID.
• source_cidr - (Optional, ForceNew, Available in 1.71.1+) The private
network segment of Ecs. This parameter and the source_vswitch_id
parameter are mutually exclusive and cannot appear at the same time.
• snat_entry_name - (Optional, Available in 1.71.2+) The name of snat
entry.
• snat_ip - (Required) The SNAT IP address. The IP must be one of the
bandwidth package public IPs listed in the alicloud_nat_gateway argument
bandwidth_packages.

» Attributes Reference

The following attributes are exported:


• id - The ID of the snat entry. The value is formatted as <snat_table_id>:<snat_entry_id>.
• snat_entry_id - The id of the snat entry on the server.

» Import

Snat Entry can be imported using the id, e.g.


$ terraform import alicloud_snat_entry.foo stb-1aece3:snat-232ce2

» alicloud_vpc
Provides a VPC resource.
NOTE: Terraform will automatically build a router and a route table when it
uses alicloud_vpc to build a VPC resource.

» Example Usage

Basic Usage
resource "alicloud_vpc" "vpc" {
  name       = "tf_test_foo"
  cidr_block = "172.16.0.0/12"
}

» Module Support

You can use the existing vpc module to create a VPC and several VSwitches
with one click.

» Argument Reference

The following arguments are supported:


• cidr_block - (Required, ForceNew) The CIDR block for the VPC.
• name - (Optional) The name of the VPC. Defaults to null.
• description - (Optional) The VPC description. Defaults to null.
• resource_group_id - (Optional, ForceNew, Available in 1.40.0+) The ID
of the resource group to which the VPC belongs.
• tags - (Optional, Available in v1.55.3+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported:


• id - The ID of the VPC.
• cidr_block - The CIDR block for the VPC.
• name - The name of the VPC.
• description - The description of the VPC.
• router_id - The ID of the router created by default on VPC creation.
• route_table_id - The route table ID of the router created by default on
VPC creation.

» Import

VPC can be imported using the id, e.g.


$ terraform import alicloud_vpc.example vpc-abc123456

» alicloud_vswitch
Provides a VPC switch resource.

» Example Usage

Basic Usage
resource "alicloud_vpc" "vpc" {
  name       = "tf_test_foo"
  cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "vsw" {
  vpc_id            = "${alicloud_vpc.vpc.id}"
  cidr_block        = "172.16.0.0/21"
  availability_zone = "cn-beijing-b"
}

» Module Support

You can use the existing vpc module to create a VPC and several VSwitches
with one click.

» Argument Reference

The following arguments are supported:


• availability_zone - (Required, ForceNew) The AZ for the switch.
• vpc_id - (Required, ForceNew) The VPC ID.
• cidr_block - (Required, ForceNew) The CIDR block for the switch.
• name - (Optional) The name of the switch. Defaults to null.
• description - (Optional) The switch description. Defaults to null.
• tags - (Optional, Available in v1.55.3+) A mapping of tags to assign to
the resource.

» Attributes Reference

The following attributes are exported:


• id - The ID of the switch.
• availability_zone - The AZ for the switch.
• cidr_block - The CIDR block for the switch.
• vpc_id - The VPC ID.
• name - The name of the switch.
• description - The description of the switch.

» Import

Vswitch can be imported using the id, e.g.


$ terraform import alicloud_vswitch.example vsw-abc123456

» alicloud_ssl_vpn_client_certs
The SSL-VPN client certificates data source lists the SSL-VPN client
certificate resources owned by an Alicloud account.

» Example Usage

data "alicloud_ssl_vpn_client_certs" "foo" {
  ids               = ["fake-cert-id"]
  ssl_vpn_server_id = "fake-server-id"
  output_file       = "/tmp/clientcert"
  name_regex        = "^foo"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) IDs of the SSL-VPN client certificates.
• ssl_vpn_server_id - (Optional) Use the SSL-VPN server ID as the search
key.
• name_regex - (Optional) A regex string of SSL-VPN client certificate
name.
• output_file - (Optional) Save the result to the file.

» Attributes Reference

The following attributes are exported:


• ids - A list of SSL-VPN client cert IDs.
• names - A list of SSL-VPN client cert names.
• ssl_vpn_client_certs - A list of SSL-VPN client certificates. Each
element contains the following attributes:
– id - ID of the SSL-VPN client certificate.
– ssl_vpn_server_id - ID of the SSL-VPN Server.
– name - The name of the SSL-VPN client certificate.
– create_time - The time of creation.
– end_time - The expiration time of the client certificate.
– status - The status of the client certificate. Valid values: expiring-soon,
normal, expired.

» alicloud_ssl_vpn_servers
The SSL-VPN servers data source lists the SSL-VPN server resources owned by
an Alicloud account.

» Example Usage

data "alicloud_ssl_vpn_servers" "foo" {
  ids            = ["fake-server-id"]
  vpn_gateway_id = "fake-vpn-id"
  output_file    = "/tmp/sslserver"
  name_regex     = "^foo"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) IDs of the SSL-VPN servers.
• vpn_gateway_id - (Optional) Use the VPN gateway ID as the search key.
• name_regex - (Optional) A regex string of SSL-VPN server name.
• output_file - (Optional) Save the result to the file.

» Attributes Reference

The following attributes are exported:


• ids - A list of SSL-VPN server IDs.
• names - A list of SSL-VPN server names.
• servers - A list of SSL-VPN servers. Each element contains the following
attributes:
– vpn_gateway_id - The ID of the VPN gateway instance.
– id - The ID of the SSL-VPN server.
– name - The name of the SSL-VPN server.
– create_time - The time of creation.
– compress - Whether to compress.
– cipher - The encryption algorithm used.
– proto - The protocol used by the SSL-VPN server.
– port - The port used by the SSL-VPN server.
– client_ip_pool - The IP address pool of the client.
– local_subnet - The local subnet of the VPN connection.
– internet_ip - The public IP.
– connections - The number of current connections.
– max_connections - The maximum number of connections.

» alicloud_vpn_connections
The VPN connections data source lists the VPN connection resources owned by
an Alicloud account.

» Example Usage

data "alicloud_vpn_connections" "foo" {
  ids                 = ["fake-conn-id"]
  vpn_gateway_id      = "fake-vpn-id"
  customer_gateway_id = "fake-cgw-id"
  output_file         = "/tmp/vpnconn"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) IDs of the VPN connections.
• vpn_gateway_id - (Optional) Use the VPN gateway ID as the search key.
• customer_gateway_id - (Optional) Use the VPN customer gateway ID as
the search key.
• name_regex - (Optional) A regex string of VPN connection name.
• output_file - (Optional) Save the result to the file.

» Attributes Reference

The following attributes are exported:


• ids - (Optional) IDs of the VPN connections.
• names - (Optional) names of the VPN connections.
• connections - A list of VPN connections. Each element contains the
following attributes:
– id - ID of the VPN connection.
– customer_gateway_id - ID of the VPN customer gateway.
– vpn_gateway_id - ID of the VPN gateway.
– name - The name of the VPN connection.
– local_subnet - The local subnet of the VPN connection.
– remote_subnet - The remote subnet of the VPN connection.
– status - The status of the VPN connection. Valid values: ike_sa_not_established,
ike_sa_established, ipsec_sa_not_established, ipsec_sa_established.
– ike_config - The configurations of phase-one negotiation.
– ipsec_config - The configurations of phase-two negotiation.

» Block ike_config
The ike_config mapping supports the following:
• psk - Used for authentication between the IPsec VPN gateway and the
customer gateway.
• ike_version - The version of the IKE protocol.
• ike_mode - The negotiation mode of IKE phase-one.
• ike_enc_alg - The encryption algorithm of phase-one negotiation.
• ike_auth_alg - The authentication algorithm of phase-one negotiation.
• ike_pfs - The Diffie-Hellman key exchange algorithm used by phase-one
negotiation.
• ike_lifetime - The SA lifecycle as the result of phase-one negotiation.
• ike_local_id - The identification of the VPN gateway.
• ike_remote_id - The identification of the customer gateway.
» Block ipsec_config
The ipsec_config mapping supports the following:
• ipsec_enc_alg - The encryption algorithm of phase-two negotiation.
• ipsec_auth_alg - The authentication algorithm of phase-two negotiation.
• ipsec_pfs - The Diffie-Hellman key exchange algorithm used by phase-
two negotiation.
• ipsec_lifetime - The SA lifecycle as the result of phase-two negotiation.

» alicloud_vpn_customer_gateways
The VPN customer gateways data source lists the VPN customer gateway
resources owned by an Alicloud account.

» Example Usage

data "alicloud_vpn_customer_gateways" "foo" {
  name_regex  = "testAcc*"
  ids         = ["fake-id1", "fake-id2"]
  output_file = "/tmp/cgws"
}

» Argument Reference

The following arguments are supported:


• ids - (Optional) ID of the VPN customer gateways.
• name_regex - (Optional) A regex string of VPN customer gateways name.
• output_file - (Optional) Save the result to the file.

» Attributes Reference

The following attributes are exported:


• ids - IDs of VPN customer gateway.
• names - names of VPN customer gateway.
• gateways - A list of VPN customer gateways. Each element contains the
following attributes:
– id - ID of the VPN customer gateway.
– name - The name of the VPN customer gateway.
– description - The description of the VPN customer gateway.
– ip_address - The ip address of the VPN customer gateway.
– create_time - The creation time of the VPN customer gateway.

» alicloud_vpn_gateways
The VPNs data source lists the VPN resources owned by an Alicloud account.

» Example Usage

data "alicloud_vpn_gateways" "vpn_gateways" {
  vpc_id          = "fake-vpc-id"
  ids             = ["fake-vpn-id1", "fake-vpn-id2"]
  status          = "active"
  business_status = "Normal"
  name_regex      = "testAcc*"
  output_file     = "/tmp/vpns"
}

» Argument Reference

The following arguments are supported:


• vpc_id - (Optional) Use the VPC ID as the search key.
• ids - (Optional) IDs of the VPN.
• status - (Optional) Limit search to specific status - valid value is "Init",
"Provisioning", "Active", "Updating", "Deleting".
• business_status - (Optional) Limit search to specific business status -
valid value is "Normal", "FinancialLocked".
• name_regex - (Optional) A regex string of VPN name.
• output_file - (Optional) Save the result to the file.

» Attributes Reference

The following attributes are exported:


• ids - IDs of the VPN.
• names - names of the VPN.
• gateways - A list of VPN gateways. Each element contains the following
attributes:
– id - ID of the VPN.
– vpc_id - ID of the VPC that the VPN belongs to.
– internet_ip - The internet ip of the VPN.
– create_time - The creation time of the VPN gateway.
– end_time - The expiration time of the VPN gateway.
– specification - The specification of the VPN.
– name - The name of the VPN.
– description - The description of the VPN.
– status - The status of the VPN.
– business_status - The business status of the VPN gateway.
– instance_charge_type - The charge type of the VPN gateway.
– enable_ipsec - Whether the ipsec function is enabled.
– enable_ssl - Whether the ssl function is enabled.
– ssl_connections - Total count of ssl vpn connections.

» alicloud_ssl_vpn_client_cert
Provides an SSL VPN client cert resource.
NOTE: Terraform will automatically build SSL VPN client certs when it uses
alicloud_ssl_vpn_client_cert to build an SSL VPN client cert resource. It
depends on a VPN instance and an SSL VPN server.

» Example Usage

Basic Usage
resource "alicloud_ssl_vpn_client_cert" "foo" {
  ssl_vpn_server_id = "ssl_vpn_server_fake_id"
  name              = "sslVpnClientCertExample"
}

» Argument Reference

The following arguments are supported:


• name - (Optional) The name of the client certificate.
• ssl_vpn_server_id - (Required, ForceNew) The ID of the SSL-VPN
server.

» Attributes Reference

The following attributes are exported:


• id - The ID of the SSL-VPN client certificate.
• status - The status of the client certificate.
• ca_cert - The client ca cert.
• client_cert - The client cert.
• client_key - The client key.
• client_config - The vpn client config.

» Import

SSL-VPN client certificates can be imported using the id, e.g.


$ terraform import alicloud_ssl_vpn_client_cert.example vsc-abc123456

» alicloud_ssl_vpn_server
Provides an SSL VPN server resource.
NOTE: Terraform will automatically build an SSL VPN server when it uses
alicloud_ssl_vpn_server to build an SSL VPN server resource.

» Example Usage

Basic Usage
resource "alicloud_vpn_gateway" "foo" {
  name                 = "testAccVpnConfig_create"
  vpc_id               = "vpc-fake-id"
  bandwidth            = "10"
  enable_ssl           = true
  instance_charge_type = "PostPaid"
  description          = "test_create_description"
}

resource "alicloud_ssl_vpn_server" "foo" {
  name           = "sslVpnServerNameExample"
  vpn_gateway_id = "${alicloud_vpn_gateway.foo.id}"
  client_ip_pool = "192.168.0.0/16"
  local_subnet   = "172.16.0.0/21"
  protocol       = "UDP"
  cipher         = "AES-128-CBC"
  port           = 1194
  compress       = "false"
}

» Argument Reference

The following arguments are supported:


• name - (Optional) The name of the SSL-VPN server.
• vpn_gateway_id - (Required, ForceNew) The ID of the VPN gateway.
• client_ip_pool - (Required) The CIDR block from which access
addresses are allocated to the virtual network interface card of the client.
• local_subnet - (Required) The CIDR block to be accessed by the client
through the SSL-VPN connection. Multiple CIDR blocks can be set as a
comma-separated list, like 10.0.1.0/24,10.0.2.0/24,10.0.3.0/24.
• protocol - (Optional) The protocol used by the SSL-VPN server. Valid
value: UDP (default) | TCP
• cipher - (Optional) The encryption algorithm used by the SSL-VPN
server. Valid value: AES-128-CBC (default) | AES-192-CBC | AES-256-CBC
| none
• port - (Optional) The port used by the SSL-VPN server. The default
value is 1194. The following ports cannot be used: [22, 2222, 22222, 9000,
9001, 9002, 7505, 80, 443, 53, 68, 123, 4510, 4560, 500, 4500].
• compress - (Optional) Specify whether to compress the communication.
Valid value: true (default) | false
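
The following is an added example, not part of the provider documentation. It ties the alicloud_ssl_vpn_client_cert attributes and the alicloud_ssl_vpn_server arguments above together: the server uses the longest-key cipher from the valid-value list and a narrow local_subnet, and the exported client key material is marked sensitive. The resource and output names are assumptions, and "vpc-fake-id" is a placeholder.

```hcl
# Added example, not from the provider documentation.
resource "alicloud_vpn_gateway" "ssl" {
  name                 = "vpnGatewaySsl"
  vpc_id               = "vpc-fake-id" # placeholder
  bandwidth            = "10"
  enable_ssl           = true
  enable_ipsec         = false # only the VPN type in use is enabled
  ssl_connections      = 5
  instance_charge_type = "PostPaid"
}

resource "alicloud_ssl_vpn_server" "ssl" {
  name           = "sslVpnServerHardened"
  vpn_gateway_id = "${alicloud_vpn_gateway.ssl.id}"
  client_ip_pool = "192.168.0.0/16"

  # Expose only the subnet the clients need, not the whole VPC CIDR block.
  local_subnet = "172.16.0.0/24"

  protocol = "UDP"
  port     = 1194

  # AES-256-CBC instead of the AES-128-CBC default; "none" is also accepted
  # by the valid-value list and should not be used.
  cipher   = "AES-256-CBC"
  compress = "false"
}

resource "alicloud_ssl_vpn_client_cert" "laptop" {
  name              = "sslVpnClientCertLaptop"
  ssl_vpn_server_id = "${alicloud_ssl_vpn_server.ssl.id}"
}

# client_key and client_config carry private key material. Marking the outputs
# sensitive keeps them out of the plan/apply console output.
output "ssl_vpn_client_config" {
  value     = "${alicloud_ssl_vpn_client_cert.laptop.client_config}"
  sensitive = true
}

output "ssl_vpn_client_key" {
  value     = "${alicloud_ssl_vpn_client_cert.laptop.client_key}"
  sensitive = true
}
```

The sensitive flag only hides the values in command output; client_key and client_config are still stored in the Terraform state, so the state backend needs access control and encryption at rest.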

» Attributes Reference

The following attributes are exported:


• id - The ID of the SSL-VPN server.
• internet_ip - The internet IP of the SSL-VPN server.
• connections - The number of current connections.
• max_connections - The maximum number of connections.

» Import

SSL-VPN server can be imported using the id, e.g.


$ terraform import alicloud_ssl_vpn_server.example vss-abc123456

» alicloud_vpn_connection
Provides a VPN connection resource.
NOTE: Terraform will automatically build a VPN connection when it uses
alicloud_vpn_connection to build a VPN connection resource. The VPN
connection depends on a VPN gateway and a VPN customer gateway.

» Example Usage

Basic Usage
resource "alicloud_vpn_gateway" "foo" {
  name                 = "testAccVpnConfig_create"
  vpc_id               = "vpc-fake-id"
  bandwidth            = "10"
  enable_ssl           = true
  instance_charge_type = "PostPaid"
  description          = "test_create_description"
}

resource "alicloud_vpn_customer_gateway" "foo" {
  name        = "testAccVpnCgwName"
  ip_address  = "42.104.22.228"
  description = "testAccVpnCgwDesc"
}

resource "alicloud_vpn_connection" "foo" {
  name                = "tf-vco_test1"
  vpn_gateway_id      = "${alicloud_vpn_gateway.foo.id}"
  customer_gateway_id = "${alicloud_vpn_customer_gateway.foo.id}"
  local_subnet        = ["172.16.0.0/24", "172.16.1.0/24"]
  remote_subnet       = ["10.0.0.0/24", "10.0.1.0/24"]
  effect_immediately  = true
  ike_config {
    ike_auth_alg  = "md5"
    ike_enc_alg   = "des"
    ike_version   = "ikev1"
    ike_mode      = "main"
    ike_lifetime  = 86400
    psk           = "tf-testvpn2"
    ike_pfs       = "group1"
    ike_remote_id = "testbob2"
    ike_local_id  = "testalice2"
  }
  ipsec_config {
    ipsec_pfs      = "group5"
    ipsec_enc_alg  = "des"
    ipsec_auth_alg = "md5"
    ipsec_lifetime = 8640
  }
}

» Argument Reference

The following arguments are supported:


• name - (Optional) The name of the IPsec connection.
• vpn_gateway_id - (Required, ForceNew) The ID of the VPN gateway.
• customer_gateway_id - (Required, ForceNew) The ID of the customer
gateway.
• local_subnet - (Required, Type:Set) The CIDR block of the VPC to be
connected with the local data center. This parameter is used for phase-two
negotiation.
• remote_subnet - (Required, Type:Set) The CIDR block of the local data
center. This parameter is used for phase-two negotiation.
• effect_immediately - (Optional) Whether to delete a successfully
negotiated IPsec tunnel and initiate a negotiation again. Valid value: true, false.
• ike_config - (Optional) The configurations of phase-one negotiation.
• ipsec_config - (Optional) The configurations of phase-two negotiation.

» Block ike_config

The ike_config mapping supports the following:


• psk - (Optional) Used for authentication between the IPsec VPN gateway
and the customer gateway.
• ike_version - (Optional) The version of the IKE protocol. Valid value:
ikev1 | ikev2. Default value: ikev1
• ike_mode - (Optional) The negotiation mode of IKE V1. Valid value:
main (main mode) | aggressive (aggressive mode). Default value: main
• ike_enc_alg - (Optional) The encryption algorithm of phase-one
negotiation. Valid value: aes | aes192 | aes256 | des | 3des. Default value:
aes
• ike_auth_alg - (Optional) The authentication algorithm of phase-one
negotiation. Valid value: md5 | sha1 | sha256 | sha384 | sha512. Default
value: sha1
• ike_pfs - (Optional) The Diffie-Hellman key exchange algorithm used by
phase-one negotiation. Valid value: group1 | group2 | group5 | group14 |
group24. Default value: group2
• ike_lifetime - (Optional) The SA lifecycle as the result of phase-one
negotiation. The valid value is [0, 86400], the unit is seconds and the
default value is 86400.
• ike_local_id - (Optional) The identification of the VPN gateway.
• ike_remote_id - (Optional) The identification of the customer gateway.

» Block ipsec_config

The ipsec_config mapping supports the following:


• ipsec_enc_alg - (Optional) The encryption algorithm of phase-two
negotiation. Valid value: aes | aes192 | aes256 | des | 3des. Default value:
aes
• ipsec_auth_alg - (Optional) The authentication algorithm of phase-two
negotiation. Valid value: md5 | sha1 | sha256 | sha384 | sha512. Default
value: sha1
• ipsec_pfs - (Optional) The Diffie-Hellman key exchange algorithm used
by phase-two negotiation. Valid value: group1 | group2 | group5 | group14
| group24 | disabled. Default value: group2
• ipsec_lifetime - (Optional) The SA lifecycle as the result of phase-two
negotiation. The valid value is [0, 86400], the unit is seconds and the
default value is 86400.
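
A hardened counterpart to the Basic Usage configuration above, added here as an example and not part of the provider documentation. It uses only values from the valid-value lists of the ike_config and ipsec_config blocks and takes the pre-shared key from a hypothetical variable, vpn_psk, instead of a literal. The resource names, "vpc-fake-id" and the customer gateway address are assumptions.

```hcl
# Added example, not from the provider documentation.
# Hypothetical variable: supply the key out of band (for example through the
# TF_VAR_vpn_psk environment variable) so it never lands in version control.
variable "vpn_psk" {
  description = "Pre-shared key for the IPsec connection"
}

resource "alicloud_vpn_gateway" "hardened" {
  name                 = "vpnGatewayHardened"
  vpc_id               = "vpc-fake-id" # placeholder
  bandwidth            = "10"
  enable_ipsec         = true
  enable_ssl           = false # only the VPN type in use is enabled
  instance_charge_type = "PostPaid"
}

resource "alicloud_vpn_customer_gateway" "hardened" {
  name       = "vpnCgwHardened"
  ip_address = "203.0.113.10" # constructed documentation address
}

resource "alicloud_vpn_connection" "hardened" {
  name                = "tf-vco-hardened"
  vpn_gateway_id      = "${alicloud_vpn_gateway.hardened.id}"
  customer_gateway_id = "${alicloud_vpn_customer_gateway.hardened.id}"
  local_subnet        = ["172.16.0.0/24"]
  remote_subnet       = ["10.0.0.0/24"]
  effect_immediately  = true

  # Phase one: replaces the md5 / des / group1 proposal of the basic example.
  ike_config {
    psk          = "${var.vpn_psk}"
    ike_version  = "ikev2"
    ike_enc_alg  = "aes256"
    ike_auth_alg = "sha256"
    ike_pfs      = "group14"
    ike_lifetime = 86400
  }

  # Phase two: same algorithm choices, with PFS kept on ("disabled" is an
  # accepted value for ipsec_pfs but removes forward secrecy for the tunnel).
  ipsec_config {
    ipsec_enc_alg  = "aes256"
    ipsec_auth_alg = "sha256"
    ipsec_pfs      = "group14"
    ipsec_lifetime = 86400
  }
}
```

The customer gateway device has to be configured with the same proposals, and the psk value is still written to the Terraform state, so the state needs the same protection as the key itself.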

» Attributes Reference

The following attributes are exported:


• id - The ID of the VPN connection.
• status - The status of VPN connection.
• ike_config - The configurations of phase-one negotiation.
• ipsec_config - The configurations of phase-two negotiation.

» Import

VPN connection can be imported using the id, e.g.


$ terraform import alicloud_vpn_connection.example vco-abc123456

» alicloud_vpn_customer_gateway
Provides a VPN customer gateway resource.
NOTE: Terraform will automatically build a VPN customer gateway instance when
it uses alicloud_vpn_customer_gateway to build a VPN customer gateway resource.

» Example Usage

Basic Usage
resource "alicloud_vpn_customer_gateway" "foo" {
  name        = "vpnCgwNameExample"
  ip_address  = "43.104.22.228"
  description = "vpnCgwDescriptionExample"
}

» Argument Reference

The following arguments are supported:


• name - (Optional) The name of the VPN customer gateway. Defaults to
null.
• ip_address - (Required, ForceNew) The IP address of the customer
gateway.
• description - (Optional) The description of the VPN customer gateway
instance.

» Attributes Reference

The following attributes are exported:


• id - The ID of the VPN customer gateway instance.

» Import

VPN customer gateway can be imported using the id, e.g.


$ terraform import alicloud_vpn_customer_gateway.example cgw-abc123456

» alicloud_vpn_gateway
Provides a VPN gateway resource.
NOTE: Terraform will automatically build a VPN instance when it uses
alicloud_vpn_gateway to build a VPN resource.
Currently an International-Site account can open a PostPaid VPN gateway and
a China-Site account can open a PrePaid VPN gateway.

» Example Usage

Basic Usage
resource "alicloud_vpc" "vpc" {
  name       = "tf_test_foo"
  cidr_block = "172.16.0.0/12"
}

resource "alicloud_vswitch" "vsw" {
  vpc_id            = "${alicloud_vpc.vpc.id}"
  cidr_block        = "172.16.0.0/21"
  availability_zone = "cn-beijing-b"
}

resource "alicloud_vpn_gateway" "foo" {
  name                 = "vpnGatewayConfig"
  vpc_id               = "${alicloud_vpc.vpc.id}"
  bandwidth            = "10"
  enable_ssl           = true
  instance_charge_type = "PostPaid"
  description          = "test_create_description"
  vswitch_id           = "${alicloud_vswitch.vsw.id}"
}

» Argument Reference

The following arguments are supported:


• name - (Optional) The name of the VPN. Defaults to null.
• vpc_id - (Required, ForceNew) The ID of the VPC to which the VPN belongs.
This field can't be changed.
• instance_charge_type - (ForceNew) The charge type for instance. If
it is an international site account, the valid value is PostPaid, otherwise
PrePaid. Default to PostPaid.
• period - (Optional) This field is only required when the
InstanceChargeType is PrePaid. Valid values: [1-9, 12, 24, 36]. Default to 1.
• bandwidth - (Required) The value should be 10, 100 or 200 if the user is
postpaid; otherwise it can be 5, 10, 20, 50, 100 or 200. It can't be changed
by terraform.
• enable_ipsec - (Optional) Enable or Disable IPSec VPN. At least one
type of VPN should be enabled.
• enable_ssl - (Optional) Enable or Disable SSL VPN. At least one type
of VPN should be enabled.
• ssl_connections - (Optional) The max connections of SSL VPN. Default
to 5. The number of connections supported by each account is different.
This field is ignored when enable_ssl is false.
• description - (Optional) The description of the VPN instance.
• vswitch_id - (Optional, ForceNew, Available in v1.56.0+) The ID of the
vswitch to which the VPN belongs. This field can't be changed.

» Attributes Reference

The following attributes are exported:


• id - The ID of the VPN instance.
• internet_ip - The internet ip of the VPN.
• status - The status of the VPN gateway.
• business_status - The business status of the VPN gateway.

» Import

VPN gateway can be imported using the id, e.g.


$ terraform import alicloud_vpn_gateway.example vpn-abc123456

» alicloud_vpn_route_entry
Provides a VPN Route Entry resource.
NOTE: Terraform will build a VPN route entry instance when it uses
alicloud_vpn_route_entry to build a VPN Route Entry resource.
NOTE: Available in 1.57.0+.

» Example Usage

Basic Usage
data "alicloud_zones" "default" {
  available_disk_category     = "cloud_efficiency"
  available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "default" {
  name       = "tf_test"
  cidr_block = "10.1.0.0/21"
}

resource "alicloud_vswitch" "default" {
  name              = "tf_test"
  vpc_id            = "${alicloud_vpc.default.id}"
  cidr_block        = "10.1.0.0/24"
  availability_zone = "${data.alicloud_zones.default.zones.0.id}"
}

resource "alicloud_vpn_gateway" "default" {
  name                 = "tf_vpn_gateway_test"
  vpc_id               = "${alicloud_vpc.default.id}"
  bandwidth            = 10
  instance_charge_type = "PostPaid"
  enable_ssl           = false
  vswitch_id           = "${alicloud_vswitch.default.id}"
}

resource "alicloud_vpn_connection" "default" {
  name                = "tf_vpn_connection_test"
  customer_gateway_id = "${alicloud_vpn_customer_gateway.default.id}"
  vpn_gateway_id      = "${alicloud_vpn_gateway.default.id}"
  local_subnet        = ["192.168.2.0/24"]
  remote_subnet       = ["192.168.3.0/24"]
}

resource "alicloud_vpn_customer_gateway" "default" {
  name       = "tf_customer_gateway_test"
  ip_address = "192.168.1.1"
}

resource "alicloud_vpn_route_entry" "default" {
  vpn_gateway_id = "${alicloud_vpn_gateway.default.id}"
  route_dest     = "10.0.0.0/24"
  next_hop       = "${alicloud_vpn_connection.default.id}"
  weight         = 0
  publish_vpc    = false
}

» Argument Reference

The following arguments are supported:


• vpn_gateway_id - (Required, ForceNew) The id of the vpn gateway.
• next_hop - (Required, ForceNew) The next hop of the destination route.
• publish_vpc - (Required) Whether to issue the destination route to the
VPC.
• route_dest - (Required, ForceNew) The destination network segment of
the destination route.
• weight - (Required) The value should be 0 or 100.

» Attributes Reference

The following attributes are exported:


• id - The combination id of the vpn route entry.

» Import

VPN route entry can be imported using the id (VpnGatewayId + ":" + NextHop
+ ":" + RouteDest), e.g.
$ terraform import alicloud_vpn_route_entry.example vpn-abc123456:vco-abc123456:10.0.0.10/24
