Batch export Alibaba Cloud WAF 3.0 CNAME-based domain configuration to Excel. Use when the user needs "export WAF domain config", "WAF onboarding checklist",...
---
name: alibabacloud-waf-cname-config-export
description: |
Batch export Alibaba Cloud WAF 3.0 CNAME-based domain configuration to Excel.
Use when the user needs "export WAF domain config", "WAF onboarding checklist", "WAF domain audit", or "WAF config inspection".
---
# Alibaba Cloud WAF 3.0 CNAME Domain Configuration Batch Export
Batch query all CNAME-based domain configurations under WAF 3.0 instances and generate a structured Excel file for configuration audit, delivery documentation, and inspection reports.
**Architecture**: `WAF 3.0 Instance` → `CNAME Domains (DescribeDomains)` → `Domain Config: Listen + Redirect + Cert (DescribeDomainDetail)` → `Excel Export`
### Site and Instance Types
| Dimension | Chinese Mainland Instance | Non-Chinese Mainland Instance |
|-----------|--------------------------|-------------------------------|
| RegionId | `cn-hangzhou` | `ap-southeast-1` |
| Endpoint | `wafopenapi.cn-hangzhou.aliyuncs.com` | `wafopenapi.ap-southeast-1.aliyuncs.com` |
> A single account can have both instance types. Export must query both RegionIds and merge results.
## Installation
**Pre-check: Aliyun CLI >= 3.3.3 required**
> Run `aliyun version` to verify >= 3.3.3. If not installed, see [references/cli-installation-guide.md](references/cli-installation-guide.md).
**Pre-check: Aliyun CLI plugin update required**
```bash
aliyun configure set --auto-plugin-install true
aliyun plugin update
```
Python dependency (pinned version for reproducibility):
```bash
pip install openpyxl==3.1.5
```
## Authentication
> **Pre-check: Alibaba Cloud Credentials Required**
>
> **Security Rules:**
> - **NEVER** read, echo, or print AK/SK values
> - **NEVER** ask the user to input AK/SK directly
> - **NEVER** use `aliyun configure set` with literal credential values
> - **ONLY** use `aliyun configure list` to check credential status
>
> ```bash
> aliyun configure list
> ```
>
> **If no valid profile exists, STOP here.**
> 1. Obtain credentials from [Alibaba Cloud Console](https://ram.console.aliyun.com/manage/ak)
> 2. Configure credentials **outside of this session**
> 3. Return and re-run after `aliyun configure list` shows a valid profile
> International site users must configure a separate profile (e.g., `aliyun configure --profile intl`). Chinese mainland and International site AKs are NOT interchangeable.
## RAM Policy
| Action | Description |
|--------|-------------|
| `yundun-waf:DescribeInstance` | Query WAF instance info |
| `yundun-waf:DescribeDomains` | Query domain list |
| `yundun-waf:DescribeDomainDetail` | Query domain detailed config |
Recommended: attach system policy `AliyunYundunWAFReadOnlyAccess`.
Full RAM policy list: see [references/ram-policies.md](references/ram-policies.md)
> **[MUST] Permission Failure Handling:** When any command or API call fails due to permission errors at any point during execution, follow this process:
> 1. Read `references/ram-policies.md` to get the full list of permissions required by this SKILL
> 2. Use `ram-permission-diagnose` skill to guide the user through requesting the necessary permissions
> 3. Pause and wait until the user confirms that the required permissions have been granted
## Parameter Confirmation
> **IMPORTANT: Parameter Confirmation** — Before executing any command or API call,
> ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks,
> passwords, domain names, resource specifications, etc.) MUST be confirmed with the
> user. Do NOT assume or use default values without explicit user approval.
| Parameter | Required/Optional | Description | Default Value |
|-----------|-------------------|-------------|---------------|
| RegionId | Auto | Query both regions (cn-hangzhou + ap-southeast-1) | Both |
| InstanceId | Auto | Auto-discovered via DescribeInstance | — |
| CLI Profile | Optional | Uses default profile; add `--profile <name>` if user specifies | default |
| Output File | Auto | Fixed filename with timestamp | waf_cname_config_export_YYYYMMDD_HHMMSS.xlsx |
## Core Workflow
> At the **start** of the Core Workflow (before any CLI invocation):
> **[MUST] Enable AI-Mode** — AI-mode is required for Agent Skill execution.
> ```bash
> aliyun configure ai-mode enable
> aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-waf-cname-config-export"
> ```
### Step 1: Auto-discover WAF Instances
> **[MUST] Query BOTH regions unconditionally.** Even if the user states they "only have domestic" / "only have overseas" / "only use one region", you MUST still execute both commands below. User assertions about instance distribution are NOT a reason to skip either region. Discovery is the only authoritative source.
```bash
aliyun waf-openapi describe-instance --region cn-hangzhou
aliyun waf-openapi describe-instance --region ap-southeast-1
```
If the response contains a non-empty `InstanceId`, the instance exists. International site users add `--profile intl`.
### Step 2: Batch Query Domain List
```bash
aliyun waf-openapi describe-domains \
--region cn-hangzhou \
--instance-id <InstanceId> \
--page-number 1 \
--page-size 50
```
Pagination: loop PageNumber when `TotalCount` > 50.
### Step 3: Query Detailed Config for Each Domain
```bash
aliyun waf-openapi describe-domain-detail \
--region cn-hangzhou \
--instance-id <InstanceId> \
--domain <DomainName>
```
Returns Listen (HttpPorts/HttpsPorts/TLSVersion/CipherSuite/Http2Enabled/CertId) and Redirect (BackendList/BackupBackends/Loadbalance/SniEnabled/SniHost/Timeouts).
> **[MUST] Always call DescribeDomainDetail at least once per discovered instance.** Iterate the domain list from Step 2 and call this API for every domain. If Step 2 returns an empty list (`TotalCount == 0`) for a given instance, you MUST still issue **one** `describe-domain-detail` call against that instance using a placeholder domain (e.g. `--domain none`) to verify API reachability and permissions, then record "no domains" and continue. Do NOT skip this step based on an empty list.
### Step 4: Generate Excel Export
One sheet per region ("Chinese Mainland" / "Non-Chinese Mainland"). 18 columns: Domain, CNAME, Status, HTTP Ports, HTTPS Ports, Backends, Backup Backends, Load Balancing, TLS Version, HTTP/2, Cert ID, SNI, SNI Host, Connect Timeout(s), Read Timeout(s), Write Timeout(s), Force HTTP Backend, Resource Group.
**[MUST] Use the bundled script — this is the ONLY allowed execution path**:
```bash
python scripts/alibabacloud_waf_cname_config_export.py
```
> **Do NOT** rewrite, inline, or reimplement the export logic in your own Python code. The bundled script encapsulates the correct 18-column schema, per-region sheet layout, pagination, and field-name conventions. If the script fails, diagnose the failure (missing `openpyxl==3.1.5`, credential issues, etc.) and fix the root cause — do NOT fall back to ad-hoc code.
> **Field name notes**: Load balancing is `Redirect.Loadbalance` (not `LoadBalanceType`). Backend IP list is `Redirect.BackendList` (string array). Cert ID is at `Listen.CertId`.
### Step 5: Disable AI-Mode
> **[MUST] Disable AI-Mode at EVERY exit point** — Before delivering the final response for ANY reason, always disable AI-mode first.
> ```bash
> aliyun configure ai-mode disable
> ```
## Success Verification
See [references/verification-method.md](references/verification-method.md) for detailed verification steps.
1. Excel file opens with one sheet per region
2. Each sheet has 18 column headers and data intact
3. Domain count per sheet matches WAF console display
4. Spot-check 2-3 domains against console for CNAME and backend config accuracy
## Cleanup
No resources created — no cleanup needed.
## Best Practices
1. Always query both regions to avoid missing dual-instance scenarios
2. Set PageSize to 50 (maximum) to reduce request count
3. Add at least 200ms delay between requests (`time.sleep(0.2)`) to prevent throttling
4. Non-CNAME domains may have empty CNAME fields; label them accordingly
5. Chinese mainland and International site CLI profiles must be configured separately
## References
| Topic | Link |
|-------|------|
| CLI Commands | See [references/related-commands.md](references/related-commands.md) |
| RAM Policies | See [references/ram-policies.md](references/ram-policies.md) |
| Verification Method | See [references/verification-method.md](references/verification-method.md) |
| Acceptance Criteria | See [references/acceptance-criteria.md](references/acceptance-criteria.md) |
| CLI Installation | See [references/cli-installation-guide.md](references/cli-installation-guide.md) |
| DescribeDomains API | https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-describedomains |
| DescribeDomainDetail API | https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-describedomaindetail |
| DescribeInstance API | https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-describeinstance |
don't have the plugin yet? install it then click "run inline in claude" again.
added explicit intent, inputs (with credential/permission handling), structured 7-step procedure with inputs/outputs per step, decision points for auth failures/rate limits/empty results, detailed output contract with 18-column schema, and outcome signal section with pass/fail criteria; preserved original workflow and script-first design while adding edge cases for timeouts, rate limiting, and placeholder domain calls.
export all cname-based domain configurations from alibaba cloud waf 3.0 instances across both chinese mainland and international regions, generating a structured excel file with 18 config columns per domain. use this skill when you need waf domain config audit, onboarding checklists, domain inspection reports, or config delivery documentation. the skill auto-discovers instances, queries domain details, and handles pagination across both regionids (cn-hangzhou and ap-southeast-1) in a single run.
alibaba cloud credentials
aliyun configure list confirms valid profile existsaliyun configure --profile intl); mainland and international credentials are not interchangeablealiyun cli
aliyun version)aliyun plugin update)python environment
openpyxl==3.1.5 installed (pip install openpyxl==3.1.5)scripts/alibabacloud_waf_cname_config_export.pyram permissions
yundun-waf:DescribeInstance, yundun-waf:DescribeDomains, yundun-waf:DescribeDomainDetailAliyunYundunWAFReadOnlyAccessram-permission-diagnose skill to guide user through permission requestsuser-provided parameters
step 1: pre-flight checks
aliyun version and confirm >= 3.3.3; if not, halt with install linkaliyun configure list and verify target profile shows valid credentialspip list | grep openpyxl and confirm 3.1.5 installedstep 2: enable ai-mode for agent execution
aliyun configure ai-mode enablealiyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-waf-cname-config-export"step 3: auto-discover waf instances in both regions
--profile <name> to each command)aliyun waf-openapi describe-instance --region cn-hangzhoualiyun waf-openapi describe-instance --region ap-southeast-1step 4: query domain list for each discovered instance
aliyun waf-openapi describe-domains --region <regionid> --instance-id <instanceid> --page-number <num> --page-size 50step 5: query detailed config for each domain
aliyun waf-openapi describe-domain-detail --region <regionid> --instance-id <instanceid> --domain <domainname>--domain none as placeholder to verify api reachability and permissions; record "no domains found" and continuestep 6: invoke bundled export script
python scripts/alibabacloud_waf_cname_config_export.py from skill root directorystep 7: disable ai-mode
aliyun configure ai-mode disableif no valid aliyun cli profile exists after aliyun configure list
aliyun configure or aliyun configure --profile <name>; do not proceed until user confirms profile is validif aliyun cli version < 3.3.3
if openpyxl != 3.1.5
pip install openpyxl==3.1.5; do not use alternative versionsif permission denied error occurs during describe-instance, describe-domains, or describe-domain-detail calls
ram-permission-diagnose skill; wait for user to confirm permissions granted; resume from the failing stepif user specifies non-default profile (e.g. intl)
--profile <name> to all aliyun cli commands in steps 3-6; confirm profile name with user before step 3 beginsif step 4 returns totalcount == 0 for an instance
--domain none) to verify api reachability; record "no domains configured" for that instance and continue to next instanceif describe-domain-detail returns empty or null fields for listen/redirect config
if network timeout or rate limit (http 429) occurs during step 5
time.sleep(0.2)) between consecutive domain queries; retry up to 5 times per domain; if all retries fail, log error with domain name and continue to next domain; include failed domain in excel with "error: if bundled script fails to execute
if both regions return empty instance lists
file format
waf_cname_config_export_YYYYMMDD_HHMMSS.xlsxsheet structure
column schema (18 columns per sheet)
data integrity
success indicators
user knows skill worked when
file created: new .xlsx file appears in current working directory with timestamp in filename (e.g. waf_cname_config_export_20250115_143022.xlsx)
file opens: user can open file in excel, google sheets, or libreoffice without error; both sheet tabs visible at bottom ("Chinese Mainland" and "Non-Chinese Mainland")
headers present: clicking into sheet shows all 18 column headers in row 1: domain, cname, status, http ports, https ports, backends, backup backends, load balancing, tls version, http/2, cert id, sni, sni host, connect timeout(s), read timeout(s), write timeout(s), force http backend, resource group
data populated: at least one sheet contains data rows (unless no instances exist in either region, in which case both sheets have headers only)
domain count matches: row count per sheet matches waf console display for each region (user can spot-check 2-3 domains by opening alibaba cloud waf console and comparing domain names, cname values, and backend ips against excel)
no errors in console output: final console output shows "export completed successfully" or "0 domains exported (no instances found)" with no permission errors, timeout errors, or script exceptions
ai-mode disabled: final console output confirms ai-mode disable executed; user sees no lingering ai-mode status messages
common failure signals (skill did not work)
credits: original skill by sdk-team (clawhub). enriched and standardized to implexa quality standards.