Scenario
During automatic O&M, you must pay special attention to some operations, such as deleting important resources or purchasing instances with high costs. If these operations are performed automatically, you may lose control and face risks. However, if these operations are not performed automatically, you need to perform them manually or in some other non-automated ways. In this case, you can use the ACS::Approve action in an Operation Orchestration Service (OOS) template to strike a balance between automatic execution and operations that need special attention.
Workaround
When executing an ACS::Approve action in a template, the OOS execution engine suspends the execution of the subsequent operations, sets the execution status to Waiting, and sends a notification with an approval link to the administrator. After receiving the notification, the administrator can determine whether to approve or reject the operation based on the business requirements. If the operation is approved, the OOS execution engine continues to perform the subsequent operations. If the operation is rejected, the OOS execution engine stops the execution and sets the execution status to Canceled.
Procedure
Log on to the OOS console.
In the left-side navigation pane, click My Templates. On the page that appears, click Create Template. In the Create Template dialog box, click the Empty Templates tab, select Empty Templates, and then click OK.
On the page that appears, select the language or mode for creating the template. In this example, select YAML. Copy the template content from Appendix 1: Template for approving restart of Elastic Compute Service (ECS) instances in this topic into the template editor. Set Template Name in the Basic Information section. Then, click Create Template.
Go back to the My Templates page, find the created template, and then click Create Execution in the Actions column.
On the Create Execution page, click Next: Parameter Settings.
Set the following parameters:
- targets: required. The ECS instances to be restarted.
- webHookUrl: required. The WebHook URL for receiving the approval notifications and links. For more information about how to obtain the WebHook URL, see Appendix 2: Obtain the WebHook URL.
- rateControl: optional. Controls the concurrency and error threshold.
- atMobiles: optional. The users to be reminded when an approval notification is sent to the specified DingTalk group.
- atAll: optional. Specifies whether to remind all group members when an approval notification is sent to the specified DingTalk group.
- OOSAssumeRole: optional. The Resource Access Management (RAM) role to be assumed by OOS. By default, OOS uses the permissions granted to the current account. If a RAM role is specified, OOS performs O&M tasks by assuming this RAM role.
After setting parameters, click Next: OK. On the page that appears, check the parameter settings and click Confirm and Create.
Go to the Executions page to view the created execution. If the template is executed, the execution is in the Waiting state. When an operation needs to be approved, OOS sends an approval notification to the specified DingTalk group and reminds the specified users in the group. The specified users can click the approval link to approve or reject the operation based on the business requirements.
Appendix 1: Template for approving restart of ECS instances
The template executes the following tasks in sequence:
- Query the information about ECS instances to be restarted.
- Send a notification with a link for approving the restart of the ECS instances.
- Restart the ECS instances if the restart application is approved.
- Query the information about ECS instances to be restarted.
Template in the YAML format
```yaml
FormatVersion: OOS-2019-06-01
Description:
  en: Bulky restarts the ECS instances with Approval.
  name-en: BulkyRebootInstancesWithApproval
Parameters:
  targets:
    Type: Json
    AssociationProperty: Targets
    AssociationPropertyMetadata:
      ResourceType: 'ALIYUN::ECS::Instance'
  rateControl:
    Description:
      en: Concurrency ratio of task execution.
    Type: Json
    AssociationProperty: RateControl
    Default:
      Mode: Concurrency
      MaxErrors: 0
      Concurrency: 100%
  webHookUrl:
    Description:
      en: 'The webHook url of dingtalk group assistant, e.g.https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414.'
    Type: String
  atMobiles:
    Description:
      en: 'The telephone numbers of member in dingtalk group assistant @, when notify comes.'
    Type: List
    Default:
      - '12345678901'
  atAll:
    Description:
      en: 'assistant @ all members in dingtalk group or not, when notify comes.'
    Type: String
    Default: 'false'
  OOSAssumeRole:
    Description:
      en: The RAM role to be assumed by OOS.
    Type: String
    Default: OOSServiceRole
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  # Task 1: resolve the target ECS instances.
  - Name: getInstance
    Description:
      en: Views the ECS instances.
    Action: 'ACS::SelectTargets'
    Properties:
      ResourceType: 'ALIYUN::ECS::Instance'
      Filters:
        - '{{ targets }}'
    Outputs:
      instanceIds:
        Type: List
        ValueSelector: 'Instances.Instance[].InstanceId'
      instanceNames:
        Type: List
        ValueSelector: 'Instances.Instance[].InstanceName'
  # Task 2: suspend the execution (Waiting) until the request is approved or rejected.
  - Name: approveRestart
    Action: 'ACS::Approve'
    Properties:
      NotifyType: WebHook
      WebHook:
        # The reference must match the declared parameter name webHookUrl.
        URI: '{{ webHookUrl }}'
        Headers:
          Content-Type: application/json
        Content:
          msgtype: text
          text:
            content: 'Notify: please approve instances restart, instance names to approve are {{getInstance.instanceNames}}, sent by {{ACS::RegionId}} oos {{ACS::ExecutionId}}.'
          at:
            atMobiles: '{{atMobiles}}'
            isAtAll: '{{atAll}}'
  # Task 3: runs only after approval; restarts each selected instance.
  - Name: rebootInstance
    Action: 'ACS::ECS::RebootInstance'
    Description:
      en: Restarts the ECS instances.
    Properties:
      instanceId: '{{ ACS::TaskLoopItem }}'
    Loop:
      RateControl: '{{ rateControl }}'
      Items: '{{ getInstance.instanceIds }}'
Outputs:
  instanceIds:
    Type: List
    Value: '{{ getInstance.instanceIds }}'
```
Appendix 2: Obtain the WebHook URL
- Log on to DingTalk. Find the group for receiving approval notifications and click the More icon on the right-side navigation pane.
- In the dialog box that appears, find Assist and click Open.
- Click Add Robot.
- In the ChatBot dialog box, click the Custom card.
- In the Robot Details dialog box, click Add.
- Set Chatbot name and Security Settings. In this example, select Custom Keywords for Security Settings. Set keywords for the DingTalk chatbot by using words in the notification. For example, the notification content in the sample template contains the word Notify, so you can set Notify as a keyword for the DingTalk chatbot. Select I have read and accepted DingTalk Custom Robot Service Terms of Service and click Finished.
- In the dialog box that appears, click Copy to copy the WebHook URL.
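A pre-submission check for approval-gated templates such as the one in Appendix 1, added here as an example (it is not part of the original page or of OOS). It reports a restart task that is not preceded by ACS::Approve, a `{{ ... }}` reference that matches no declared parameter or earlier task, and a notification body that lacks the chatbot keyword from Appendix 2. The names `lint`, `GUARDED` and `SAMPLE` are hypothetical; it assumes the template is already loaded into a dict and that references are matched case-sensitively.

```python
import re

# Assumed policy: actions that must never run without a prior ACS::Approve task.
GUARDED = {"ACS::ECS::RebootInstance"}
REF = re.compile(r"\{\{\s*([^{}]+?)\s*\}\}")  # matches {{ name }} references

def strings(node):
    """Yield every string nested in a dict/list structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from strings(child)

def lint(template, keyword):
    findings, approved = [], False
    known = set(template.get("Parameters", {}))
    for task in template["Tasks"]:
        name, action = task["Name"], task["Action"]
        # 1. References must name a parameter, an earlier task or an ACS:: value.
        for ref in (r for s in strings(task) for r in REF.findall(s)):
            if not ref.startswith("ACS::") and ref.split(".")[0] not in known:
                findings.append(f"{name}: unresolved reference '{ref}'")
        if action == "ACS::Approve":
            approved = True
            # 2. DingTalk keyword security: the message must contain the keyword.
            body = task["Properties"]["WebHook"].get("Content", {})
            if not any(keyword in s for s in strings(body)):
                findings.append(f"{name}: notification lacks keyword '{keyword}'")
        elif action in GUARDED and not approved:
            # 3. Guarded action reached before any approval gate.
            findings.append(f"{name}: {action} runs without prior ACS::Approve")
        known.add(name)
    return findings

# Constructed sample (not the page's template): gate placed after the restart,
# a case-mismatched parameter reference, and a message without the keyword.
SAMPLE = {
    "Parameters": {"targets": {}, "webHookUrl": {}},
    "Tasks": [
        {"Name": "getInstance", "Action": "ACS::SelectTargets",
         "Properties": {"Filters": ["{{ targets }}"]}},
        {"Name": "rebootInstance", "Action": "ACS::ECS::RebootInstance",
         "Properties": {"instanceId": "{{ ACS::TaskLoopItem }}"},
         "Loop": {"Items": "{{ getInstance.instanceIds }}"}},
        {"Name": "approveRestart", "Action": "ACS::Approve",
         "Properties": {"WebHook": {"URI": "{{webhookUrl}}", "Content": {
             "text": {"content": "please approve instances restart"}}}}},
    ],
}
```

Calling `lint(SAMPLE, "Notify")` returns one finding per problem; an empty list means the gate, the references and the keyword are all in place.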