You can use CloudOps Orchestration Service (OOS) to add tags to multiple resources that reside in the same region to control permissions on the resources based on the tags.
Background information
You can use OOS custom templates to add tags to the resources of Elastic Compute Service (ECS) and other Alibaba Cloud services. For more information about the services that support tags, see Services that support tags. In this topic, a custom template is created in OOS to add the owner:zhangsan tag to ECS instances that reside in the same region.
The resources to which you want to add tags must reside in the same region.
Step 1: Create a custom policy and a RAM role
Create a RAM role named OOSServiceRole for OOS and attach policies to the role.
Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account.
Create a custom policy named OOSAutoBindTag.
For more information, see Create custom policies. The following policy is used in this step.
Note: This policy is used to grant permissions on ECS instances, and the permission in the policy is set to ecs:DescribeInstances. You can set the permission based on your business requirements. For example, if you want to add a tag to multiple security groups, you can replace ecs:DescribeInstances with ecs:DescribeSecurityGroups.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:DescribeInstances",
            "ecs:TagResources"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
Create a RAM role named OOSServiceRole.
For more information, see Create a RAM role for a trusted Alibaba Cloud service.
Attach the custom policy to the RAM role.
For more information, see Grant permissions to a RAM role. In this step, the OOSAutoBindTag custom policy is attached to the OOSServiceRole RAM role.
Attach the AliyunOSSFullAccess system policy to the OOSServiceRole RAM role.
Step 2: Add a tag to multiple resources at a time
Log on to the Operation Orchestration Service console.
In the upper-left corner of the top navigation bar, select a region.
In the left-side navigation pane, click My Templates.
Create a custom template.
Click Create Template.
In the Basic Information section, set Template Name to OOSAutoBindTag.
You can also click Show More and configure the Tag, Resource Group, and Version Description parameters based on your business requirements.
Click the YAML tab to edit the template. Then, click Create Template.
Sample code:
    FormatVersion: OOS-2019-06-01
    Description: Tag Resources Without The Specified Tags
    Parameters:
      tags:
        Type: Json
        Description:
          en: The tags to select ECS instances.
        AssociationProperty: Tags
      regionId:
        Type: String
        Description:
          en: The region to select ECS instances.
      OOSAssumeRole:
        Description:
          en: The RAM role to be assumed by OOS.
        Type: String
        Default: OOSServiceRole
    # The role name is written out here; it matches the OOSAssumeRole default.
    RamRole: OOSServiceRole
    Tasks:
      # Instances in the region that already carry the specified tags.
      - Name: getInstancesByTags
        Action: 'ACS::ExecuteAPI'
        Description: ''
        Properties:
          Service: ECS
          API: DescribeInstances
          Parameters:
            Tags: '{{ tags }}'
            RegionId: '{{ regionId }}'
        Outputs:
          InstanceIds:
            Type: List
            ValueSelector: 'Instances.Instance[].InstanceId'
      # Instances in the region, listed without a tag filter.
      - Name: getAllInstances
        Action: 'ACS::ExecuteAPI'
        Description: ''
        Properties:
          Service: ECS
          API: DescribeInstances
          Parameters:
            RegionId: '{{regionId}}'
        Outputs:
          InstanceIds:
            Type: List
            ValueSelector: 'Instances.Instance[].InstanceId'
      # Tag each instance that is in the unfiltered list but not in the tagged list.
      - Name: TagResources_ECS_Instances
        Action: 'ACS::ExecuteAPI'
        Description:
          en: 'tag ecs instances, which are without the specified tags.'
        Properties:
          Service: ECS
          API: TagResources
          Parameters:
            Tags: '{{ tags }}'
            RegionId: '{{regionId}}'
            ResourceType: Instance
            ResourceIds:
              - '{{ACS::TaskLoopItem}}'
        Loop:
          MaxErrors: 100%
          Concurrency: 20
          Items:
            'Fn::Difference':
              - '{{ getAllInstances.InstanceIds }}'
              - '{{ getInstancesByTags.InstanceIds }}'
    # Template output: the IDs of the instances that were selected for tagging.
    Outputs:
      InstanceIds:
        Type: List
        Value:
          'Fn::Difference':
            - '{{ getAllInstances.InstanceIds }}'
            - '{{ getInstancesByTags.InstanceIds }}'
Parameters:
tags: the tags that you want to add to ECS instances.
regionId: the region ID of the ECS instances.
OOSAssumeRole: the RAM role that is used by OOS.
Permissions:
DescribeInstances: filters resources based on source tags.
TagResources: creates tags for or adds tags to specified resources.
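The role from Step 1 only needs the API actions that the template's tasks call. The following check is an added example, not part of the original topic or of Alibaba Cloud's tooling: it compares the OOSAutoBindTag policy with the template's Service/API pairs and reports missing grants, unused grants and wildcard resources. The function names and the simplified matcher (Allow statements and * wildcards only) are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# OOSAutoBindTag policy document, copied from Step 1 of this topic.
POLICY = json.loads("""{"Version": "1", "Statement": [{"Effect": "Allow", "Resource": "*",
  "Action": ["ecs:DescribeInstances", "ecs:TagResources"]}]}""")

# (Service, API) pairs transcribed by hand from the template's three ACS::ExecuteAPI tasks.
TEMPLATE_CALLS = [("ECS", "DescribeInstances"), ("ECS", "DescribeInstances"),
                  ("ECS", "TagResources")]

def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def allow_statements(policy):
    return [s for s in policy["Statement"] if s.get("Effect") == "Allow"]

def audit(policy, calls):
    """Compare what the role is granted with what the template calls.

    Simplified matcher (assumption of this example): Allow statements and '*'
    wildcards only; Deny and Condition elements are not evaluated.
    """
    required = sorted({f"{svc.lower()}:{api}" for svc, api in calls})
    granted = [a for s in allow_statements(policy) for a in as_list(s.get("Action", []))]
    return {
        "required": required,
        "missing": [r for r in required if not any(fnmatchcase(r, g) for g in granted)],
        "unused": [g for g in granted if not any(fnmatchcase(r, g) for r in required)],
        "wildcard_resource": any("*" in as_list(s.get("Resource", []))
                                 for s in allow_statements(policy)),
    }

def swap_action(policy, old, new):
    """Copy the policy with one action replaced, as the note in Step 1 describes."""
    copy = json.loads(json.dumps(policy))
    for s in copy["Statement"]:
        s["Action"] = [new if a == old else a for a in as_list(s["Action"])]
    return copy

if __name__ == "__main__":
    print(audit(POLICY, TEMPLATE_CALLS))
    # Security-group variant of the policy against the unchanged ECS-instance template:
    # the describe call the template still makes is no longer granted.
    sg = swap_action(POLICY, "ecs:DescribeInstances", "ecs:DescribeSecurityGroups")
    print(audit(sg, TEMPLATE_CALLS))
```

To audit everything attached to OOSServiceRole, append the statements of each additional policy to `Statement` before calling `audit`; actions that the template never calls are listed under `unused`.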
Execute the custom template.
In the left-side navigation pane, click My Templates. On the My Templates page, find the OOSAutoBindTag custom template that you created in Step 5 and click Create Execution in the Actions column.
Use the default execution mode or select a different mode. Then, click Next Step: Parameters Settings.
In the Parameter Settings step, configure the parameters and click Next Step: OK.
In this example, the following parameters are configured:
tags: Select the owner:zhangsan tag.
regionId: Select the region of the instances, such as cn-shanghai. For more information, see Regions and zones.
OOSAssumeRole: Use the OOSServiceRole RAM role.
In the OK step, click Create.
On the execution details page, click the Advanced View tab.
On the right side of the page, click the Execution Result tab.
View the execution result. If Success is displayed in the Execution Status column as shown in the following figure, the owner:zhangsan tag is added to all ECS instances in the selected region. If Failed is displayed in the Execution Status column, you can view the information about the execution status and the execution logs to adjust the content of the template.