Description

Batch export Alibaba Cloud WAF 3.0 CNAME-based domain configuration to Excel. Use when the user needs "export WAF domain config", "WAF onboarding checklist",...

README (SKILL.md)

Alibaba Cloud WAF 3.0 CNAME Domain Configuration Batch Export

Name: Alibabacloud Waf Cname Config Export
Author: sdk-team

Batch query all CNAME-based domain configurations under WAF 3.0 instances and generate a structured Excel file for configuration audit, delivery documentation, and inspection reports.

Architecture: WAF 3.0 Instance → CNAME Domains (DescribeDomains) → Domain Config: Listen + Redirect + Cert (DescribeDomainDetail) → Excel Export

Site and Instance Types

Dimension	Chinese Mainland Instance	Non-Chinese Mainland Instance
RegionId	`cn-hangzhou`	`ap-southeast-1`
Endpoint	`wafopenapi.cn-hangzhou.aliyuncs.com`	`wafopenapi.ap-southeast-1.aliyuncs.com`

A single account can have both instance types. Export must query both RegionIds and merge results.

Installation

Pre-check: Aliyun CLI >= 3.3.3 required

Run aliyun version to verify >= 3.3.3. If not installed, see references/cli-installation-guide.md.

Pre-check: Aliyun CLI plugin update required

aliyun configure set --auto-plugin-install true
aliyun plugin update

Python dependency (pinned version for reproducibility):

pip install openpyxl==3.1.5

Authentication

Pre-check: Alibaba Cloud Credentials Required

Security Rules:

NEVER read, echo, or print AK/SK values

NEVER ask the user to input AK/SK directly

NEVER use aliyun configure set with literal credential values

ONLY use aliyun configure list to check credential status
aliyun configure list
If no valid profile exists, STOP here.

Obtain credentials from Alibaba Cloud Console

Configure credentials outside of this session

Return and re-run after aliyun configure list shows a valid profile

International site users must configure a separate profile (e.g., aliyun configure --profile intl). Chinese mainland and International site AKs are NOT interchangeable.

RAM Policy

Action	Description
`yundun-waf:DescribeInstance`	Query WAF instance info
`yundun-waf:DescribeDomains`	Query domain list
`yundun-waf:DescribeDomainDetail`	Query domain detailed config

Recommended: attach system policy AliyunYundunWAFReadOnlyAccess.

Full RAM policy list: see references/ram-policies.md

[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:

Read references/ram-policies.md to get the full list of permissions required by this SKILL

Use ram-permission-diagnose skill to guide the user through requesting the necessary permissions

Pause and wait until the user confirms that the required permissions have been granted

Parameter Confirmation

IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks, passwords, domain names, resource specifications, etc.) MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.

Parameter	Required/Optional	Description	Default Value
RegionId	Auto	Query both regions (cn-hangzhou + ap-southeast-1)	Both
InstanceId	Auto	Auto-discovered via DescribeInstance	—
CLI Profile	Optional	Uses default profile; add `--profile \x3Cname>` if user specifies	default
Output File	Auto	Fixed filename with timestamp	waf_cname_config_export_YYYYMMDD_HHMMSS.xlsx

Core Workflow

At the start of the Core Workflow (before any CLI invocation): [MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution.
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-waf-cname-config-export"

Step 1: Auto-discover WAF Instances

[MUST] Query BOTH regions unconditionally. Even if the user states they "only have domestic" / "only have overseas" / "only use one region", you MUST still execute both commands below. User assertions about instance distribution are NOT a reason to skip either region. Discovery is the only authoritative source.

aliyun waf-openapi describe-instance --region cn-hangzhou
aliyun waf-openapi describe-instance --region ap-southeast-1

If the response contains a non-empty InstanceId, the instance exists. International site users add --profile intl.

Step 2: Batch Query Domain List

aliyun waf-openapi describe-domains \
  --region cn-hangzhou \
  --instance-id \x3CInstanceId> \
  --page-number 1 \
  --page-size 50

Pagination: loop PageNumber when TotalCount > 50.

Step 3: Query Detailed Config for Each Domain

aliyun waf-openapi describe-domain-detail \
  --region cn-hangzhou \
  --instance-id \x3CInstanceId> \
  --domain \x3CDomainName>

Returns Listen (HttpPorts/HttpsPorts/TLSVersion/CipherSuite/Http2Enabled/CertId) and Redirect (BackendList/BackupBackends/Loadbalance/SniEnabled/SniHost/Timeouts).

[MUST] Always call DescribeDomainDetail at least once per discovered instance. Iterate the domain list from Step 2 and call this API for every domain. If Step 2 returns an empty list (TotalCount == 0) for a given instance, you MUST still issue one describe-domain-detail call against that instance using a placeholder domain (e.g. --domain none) to verify API reachability and permissions, then record "no domains" and continue. Do NOT skip this step based on an empty list.

Step 4: Generate Excel Export

One sheet per region ("Chinese Mainland" / "Non-Chinese Mainland"). 18 columns: Domain, CNAME, Status, HTTP Ports, HTTPS Ports, Backends, Backup Backends, Load Balancing, TLS Version, HTTP/2, Cert ID, SNI, SNI Host, Connect Timeout(s), Read Timeout(s), Write Timeout(s), Force HTTP Backend, Resource Group.

[MUST] Use the bundled script — this is the ONLY allowed execution path:

python scripts/alibabacloud_waf_cname_config_export.py

Do NOT rewrite, inline, or reimplement the export logic in your own Python code. The bundled script encapsulates the correct 18-column schema, per-region sheet layout, pagination, and field-name conventions. If the script fails, diagnose the failure (missing openpyxl==3.1.5, credential issues, etc.) and fix the root cause — do NOT fall back to ad-hoc code.

Field name notes: Load balancing is Redirect.Loadbalance (not LoadBalanceType). Backend IP list is Redirect.BackendList (string array). Cert ID is at Listen.CertId.

Step 5: Disable AI-Mode

[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason, always disable AI-mode first.
aliyun configure ai-mode disable

Success Verification

See references/verification-method.md for detailed verification steps.

Excel file opens with one sheet per region
Each sheet has 18 column headers and data intact
Domain count per sheet matches WAF console display
Spot-check 2-3 domains against console for CNAME and backend config accuracy

Cleanup

No resources created — no cleanup needed.

Best Practices

Always query both regions to avoid missing dual-instance scenarios
Set PageSize to 50 (maximum) to reduce request count
Add at least 200ms delay between requests (time.sleep(0.2)) to prevent throttling
Non-CNAME domains may have empty CNAME fields; label them accordingly
Chinese mainland and International site CLI profiles must be configured separately

References

Topic	Link
CLI Commands	See references/related-commands.md
RAM Policies	See references/ram-policies.md
Verification Method	See references/verification-method.md
Acceptance Criteria	See references/acceptance-criteria.md
CLI Installation	See references/cli-installation-guide.md
DescribeDomains API	https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-describedomains
DescribeDomainDetail API	https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-describedomaindetail
DescribeInstance API	https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-describeinstance

Usage Guidance

Install only if you are comfortable granting read access to Alibaba Cloud WAF configuration. Prefer short-lived or least-privileged RAM credentials, avoid putting real access keys directly in shell commands or logs, review where the Excel export will be saved, and handle the exported file as sensitive infrastructure data.

Capability Tags

requires-walletrequires-sensitive-credentials

Capability Assessment

⚠ Purpose & Capability

Exporting WAF CNAME configuration is coherent with the apparent purpose, but the exported fields can reveal domains, backend targets, certificate identifiers, ports, SNI settings, and resource groups, and the artifacts do not clearly warn users about that sensitivity before writing the spreadsheet.

⚠ Instruction Scope

The skill directs shell, Alibaba Cloud CLI, and bundled Python-script use without clear capability scoping, and the script reportedly performs a detail API call with a fake domain when there are no domains to export, which is not necessary for the stated export workflow.

⚠ Install Mechanism

No malicious installer behavior is evident, but the installation guide includes credential setup patterns that may expose or persist Alibaba Cloud access keys without placing clear warnings next to those examples.

⚠ Credentials

Alibaba Cloud API access is expected for this purpose, but the combination of cloud credentials, debug logging guidance, and local export of sensitive WAF configuration is under-disclosed for an agent-run skill.

⚠ Persistence & Privilege

There is no evidence of background persistence, privilege escalation, or destructive behavior, but credentials may be stored in the local Alibaba Cloud CLI profile and sensitive WAF data is written to a local Excel file.

Version History

v0.0.1

Initial release of Alibaba Cloud WAF 3.0 CNAME domain configuration batch export. - Enables batch export of all CNAME-based WAF domain configurations to a structured Excel file. - Queries and merges configurations from both Chinese Mainland (`cn-hangzhou`) and Non-Chinese Mainland (`ap-southeast-1`) WAF instances. - Automatically discovers all WAF 3.0 instances and their domains; retrieves detailed config for audit and report purposes. - Uses a bundled Python script to generate Excel files with standardized 18-column schema, one sheet per region. - Strictly enforces credential, permission, and parameter confirmation best practices before any execution. - AI-mode enable/disable steps integrated to comply with Agent Skill requirements.

Metadata

Slug alibabacloud-waf-cname-config-export

Version 0.0.1

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Alibabacloud Waf Cname Config Export?

Batch export Alibaba Cloud WAF 3.0 CNAME-based domain configuration to Excel. Use when the user needs "export WAF domain config", "WAF onboarding checklist",... It is an AI Agent Skill for Claude Code / OpenClaw, with 32 downloads so far.

How do I install Alibabacloud Waf Cname Config Export?

Run "/install alibabacloud-waf-cname-config-export" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Alibabacloud Waf Cname Config Export free?

Yes, Alibabacloud Waf Cname Config Export is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Alibabacloud Waf Cname Config Export support?

Alibabacloud Waf Cname Config Export is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Alibabacloud Waf Cname Config Export?

It is built and maintained by alibabacloud-skills-team (@sdk-team); the current version is v0.0.1.

More Skills

Alibabacloud Waf Cname Config Export