Alibaba Cloud DDoS Pro (ddoscoo) domain-level (Layer 7 website) configuration full export and import. Use for disaster recovery backup, configuration audit, rollback after misconfiguration, or batch import of domain settings. Covers 20 configuration dimensions in YAML v2.0 format. Triggers: DDoS domain config export, domain config import, domain config backup, domain config audit. Does NOT cover Layer 4 port forwarding (TCP/UDP) -- handled by alibabacloud-ddoscoo-port-config-migration.
Export all access configuration + advanced settings + security policies for website business (Layer 7 domains) under DDoS Pro (ddoscoo) to a YAML file, or import a YAML file back into the same account for restoration. YAML v2.0 follows the console layout, divided into four segments -- proxy / client / server / security -- all domain-level, supporting single domain, multiple domains, per-instance, and full-account granularity.
Scope Limitation (Important): This skill only covers domain-level (Layer 7 website) business. Non-website business (Layer 4 port forwarding: TCP/UDP) -- including port forwarding rules, session persistence, health checks, Layer 4 access control, Layer 4 CC, etc. -- is handled by the sister skill alibabacloud-ddoscoo-port-config-migration. Do NOT use this skill for those.
Disaster recovery backup: Export full configuration to local YAML for version control
Configuration audit: Export and diff to reconcile online configuration changes
Rollback after misconfiguration: Import a previous YAML version to restore
Batch import: Import a standard template YAML to multiple domains
Environment Setup
Pre-check: Aliyun CLI >= 3.3.1 required
Run aliyun version to verify >= 3.3.1. If not installed or version too low,
see references/cli-installation-guide.md for installation instructions.
[MUST] CLI Environment Configuration:
bash
aliyun configure set --auto-plugin-install true
aliyun plugin update
Observability (MUST follow for every aliyun command)
Upon loading this skill, generate a random session ID (32-char lowercase hex string) once for the entire session. Use it as <SESSION_ID> below.
Rule: Every aliyun CLI command that calls a cloud API MUST include the --user-agent flag.
Local utility commands (e.g. configure, plugin, version) do not support this flag and should be excluded.
Do not skip, alter the format, or omit --user-agent on any aliyun API command invocation.
Script / Terraform execution: When running Python SDK scripts or Terraform commands or bash scripts, inject the session-id via inline environment variable so the code can read it at runtime:
[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:
Read references/ram-policies.md to get the full list of permissions required by this SKILL
Use ram-permission-diagnose skill to guide the user through requesting the necessary permissions
Pause and wait until the user confirms that the required permissions have been granted
Parameter Confirmation
IMPORTANT: Parameter Confirmation -- Before executing any command or API call,
ALL user-customizable parameters (e.g., RegionId, domain list, instance ID, output path,
conflict strategy, etc.) MUST be confirmed with the user. Do NOT assume or use default values
without explicit user approval.
Single domain / Multiple domains / Per instance / Full account
-
YAML File Path
Required
Input or output file path
-
Import Conflict Strategy
Required for import
skip / overwrite
skip
Target Instance
Optional for import
When the instance ID in the YAML does not exist in the target environment, guide the user to select; auto-pass if matched
Source instance ID from YAML
Region Isolation Warning: cn-hangzhou (mainland China DDoS Pro) and ap-southeast-1 (international DDoS Pro) are two completely independent regions.
Domain lists, instances, and configurations are not shared between them. The same account may have domains in both regions, but a single execution only covers one region.
Before execution, you MUST explicitly ask the user:
Which region are the business domains deployed in? (cn-hangzhou / ap-southeast-1 / both)
If both, the skill MUST be run twice separately, each time specifying the region explicitly -- do NOT mix them
NEVER default or guess the region; if the user's answer is ambiguous, keep asking until it is clear
The purpose of this rule is to prevent incidents where "the customer has business in both regions but only backed up one, and only discovers later that the overseas configuration was lost."
Core Workflow
Step 1: Mode Selection (Must Use AskUserQuestion)
text
Mode: [export / import]
Step 2: Scope and File Path Confirmation
Export Mode:
Region (must confirm first): cn-hangzhou or ap-southeast-1; if the customer has domains in both regions, inform them that two separate runs are required -- this run only processes the region the user explicitly selects
Domain scope (single domain / multiple domains / per instance / full account)
Output path (default: one file per domain: ./{region}-{domain}-{YYYYMMDD}.yaml)
Whether to include security policies (CC/AI/precise access/area blocking/IP blacklist-whitelist/cache/CDN linkage)
Import Mode:
Region (must confirm first): Must match exported_from.region in the YAML; if mismatched, halt execution and raise an alert
Input YAML file path
Conflict strategy (skip / overwrite)
Step 3: DDoS Pro Instance Pre-check (Shared by Export/Import)
MUST: Complete instance mapping before import to ensure instance IDs in the YAML correctly map to the target environment.
Read source instance ID list from YAML exported_from.instance_ids
Compare each against instance IDs returned by describe-instances in the target environment
Full match -> auto-pass, no user intervention needed
Partial or full mismatch -> Use AskUserQuestion to guide the user in selecting the target instance:
text
"Source instance <SOURCE_INSTANCE_ID> from the YAML does not exist in the target environment.
Please select the target instance to bind the domain to:
[A] ddoscoo-cn-xxx (used 3/50 domains, remaining capacity 47)
[B] ddoscoo-cn-yyy (used 10/50 domains, remaining capacity 40)
..."
Subsequent Phase 1 (create-domain-resource --instance-ids) uses the mapped instance IDs
If the target instance's remaining capacity is insufficient to accommodate the domains being imported, alert and block execution in advance
Note: If the target environment has only one instance and its capacity is sufficient, it may be auto-selected with user notification (no prompt needed), but the mapping must still be recorded in the log.
aliyun ddoscoo describe-domain-security-profile --domain <D> -> Global protection level and switches !! falls back to OpenAPI on aliyun-cli-ddoscoo 0.x (see edge case in references/export-workflow.md)
describe-l7-global-rule --domain <D> -> Global protection rule details (full export)
aliyun ddoscoo describe-l7cc-cookie --domain <D> -> Cookie settings !! falls back to OpenAPI on aliyun-cli-ddoscoo 0.x (see edge case in references/export-workflow.md)
aliyun ddoscoo describe-l7-mutual-auth-conf --domain <D> -> Mutual authentication mTLS config !! falls back to OpenAPI on aliyun-cli-ddoscoo 0.x (see edge case in references/export-workflow.md)
aliyun ddoscoo describe-gm-cert-list --domain <D> -> GM (GuoMi/SM2) certificate list (take the cert ID where DomainMatchCert=true and write it to gm_cert.cert_id) !! falls back to OpenAPI on aliyun-cli-ddoscoo 0.x (see edge case in references/export-workflow.md)
Plugin metadata gap & OpenAPI fallback: APIs 12 / 14 / 15 / 16 above use the standard plugin-mode kebab-case form. When the installed aliyun-cli-ddoscoo plugin (0.x as of 2026-06-22) does not yet declare these actions, the plugin route rejects them with unknown command or '<Action>' is not a valid api. In that case, follow the per-API Edge case fallback block in references/export-workflow.md -- it bypasses the plugin and routes through the core CLI's built-in OpenAPI metadata. Switch back to the kebab-case primary form once a future plugin release declares these actions.
Submit in 4 phases; each domain is an independent transaction; if a preceding phase fails, subsequent phases for that domain are skipped:
Phase
Content
Failure Handling
Phase 1: Domain entity
create-domain-resource or conflict detection
Fail -> skip this domain
Phase 2: HTTPS association
associate-web-cert (HTTPS domains only) + GM certificates config-gm-cert / config-gm-cert-enable / config-gm-cert-only !! fall back to OpenAPI on aliyun-cli-ddoscoo 0.x (see import-workflow.md)
Fail -> log but continue
Phase 3: Advanced config
modify-ocsp-status / modify-tls-config / config-l7-mutual-authentication (mTLS) !! / config-l7cc-cookie-enable (Cookie) !! / config-l7-rs-policy / config-l7-us-keepalive / modify-headers / modify-cname-reuse (!! entries fall back to OpenAPI on aliyun-cli-ddoscoo 0.x -- see import-workflow.md)
If any field mismatches, save the report to ./import-mismatch-{timestamp}.yaml for the user to decide whether to roll back.
Cleanup
This skill does not create cloud resources (export only reads configuration, import only modifies domain configuration), so no cloud resource cleanup is needed. Temporary files generated during execution:
Export YAML files: Retained as backup, no cleanup needed
./import-result-{timestamp}.yaml: Import result record, retained for auditing
./rollback-{timestamp}.yaml: Rollback snapshot, retained for rollback purposes
./import-mismatch-{timestamp}.yaml: Verification mismatch report, retained for troubleshooting
If cleanup is desired, the user may decide whether to delete these files.
General Rules
AK/SK must never be displayed in plaintext in the conversation; YAML files must NEVER contain any credential fields
The CLI product name is ddoscoo (all lowercase); using ddos or DDoSCoo is strictly forbidden
Every aliyun command must include --user-agent AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-domain-configuration-backup/<SESSION_ID> (see Observability section)
Region inference: User mentions "mainland China / China DDoS Pro" -> cn-hangzhou; "international / overseas" -> ap-southeast-1. When the region is already clear, only query that region
CLI parameter pitfalls: describe-domain-resource uses --domain, but describe-cname-reuses / describe-domain-cc-protect-switch / describe-web-cc-protect-switch / describe-web-precise-access-rule / describe-web-area-block-configs / describe-web-cache-configs all use --domains (plural). See the pitfall table at the top of references/export-workflow.md
Interaction principle: Mode selection, scope confirmation, conflict strategy, secondary confirmation must use AskUserQuestion. Never let the user hand-write JSON/API parameters
Import Safety Four Principles:
Must dry-run first with tri-color diff; execute only after user confirmation
Per-domain independent transaction; single domain failure does not affect other domains
Phased submission; earlier phase failure skips later phases, but security policy phase failure does not block
Failure list and rollback YAML must be saved to disk; output file:// links to the user
Exported YAML must not persist any sensitive information: account UID may be retained as a source marker only; AK/SK/Cert Key are strictly forbidden from export
Known Limitations:
IP Whitelist: The WhiteList field from describe-web-rules only appears when the domain has a whitelist configured (not returned when the array is empty); check for field existence during export
APIs not registered in CLI plugin metadata (use OpenAPI fallback): The following 9 ddoscoo actions are not declared in the installed aliyun-cli-ddoscoo plugin (0.x as of 2026-06-22). When invoked in plugin mode the plugin rejects them with unknown command or '<Action>' is not a valid api, and the skill falls back to the OpenAPI route documented per-API in references/export-workflow.md and references/import-workflow.md. The skill continues to default to the kebab-case primary form so that the moment a future plugin release declares these actions, no further skill changes are needed.