All Products
Search
Document Center

Elastic Compute Service:Use OOS to add tags to multiple ECS resources at a time

Last Updated:Dec 28, 2023

You can use CloudOps Orchestration Service (OOS) to add tags to multiple resources that reside in the same region to control permissions on the resources based on the tags.

Background information

You can use OOS custom templates to add tags to the resources of Elastic Compute Service (ECS) and other Alibaba Cloud services. For more information about the services that support tags, see Services that support tags. In this topic, a custom template is created in OOS to add the owner:zhangsan tag to ECS instances that reside in the same region.

Note

The resources to which you want to add tags must reside in the same region.

Step 1: Create a custom policy and a RAM role

Create a RAM role named OOSServiceRole for OOS and attach policies to the role.

  1. Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account.

  2. Create a custom policy named OOSAutoBindTag.

    For more information, see Create custom policies. The following policy is used in this step.

    Note

    This policy is used to grant permissions on ECS instances, and the permission in the policy is set to ecs:DescribeInstances. You can set the permission based on your business requirements. For example, if you want to add a tag to multiple security groups, you can replace ecs:DescribeInstances with ecs:DescribeSecurityGroups.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:TagResources"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  3. Create a RAM role named OOSServiceRole.

  4. Attach the custom policy to the RAM role.

    For more information, see Grant permissions to a RAM role. In this step, the OOSAutoBindTag custom policy is attached to the OOSServiceRole RAM role.

  5. Attach the AliyunOSSFullAccess system policy to the OOSServiceRole RAM role.

Step 2: Add a tag to multiple resources at a time

  1. Log on to the Operation Orchestration Service console.

  2. In the upper-left corner of the top navigation bar, select a region. 地域

  3. In the left-side navigation pane, click My Templates.

  4. Create a custom template.

    1. Click Create Template.

    2. In the Basic Information section, set Template Name to OOSAutoBindTag.

      You can also click Show More and configure the Tag, Resource Group, and Version Description parameters based on your business requirements.

    3. Click the YAML tab to edit the template. Then, click Create Template.

      Sample code:

      FormatVersion: OOS-2019-06-01
      Description: Tag Resources Without The Specified Tags
      Parameters:
        tags:
          Type: Json
          Description:
            en: The tags to select ECS instances.
             
          AssociationProperty: Tags
        regionId:
          Type: String
          Description:
            en: The region to select ECS instances.
             
        OOSAssumeRole:
          Description:
            en: The RAM role to be assumed by OOS.
             
          Type: String
          Default: OOSServiceRole
      RamRole: OOSServiceRole
      Tasks:
        - Name: getInstancesByTags
          Action: 'ACS::ExecuteAPI'
          Description: ''
          Properties:
            Service: ECS
            API: DescribeInstances
            Parameters:
              Tags: '{{ tags }}'
              RegionId: '{{ regionId }}'
          Outputs:
            InstanceIds:
              Type: List
              ValueSelector: 'Instances.Instance[].InstanceId'
        - Name: getAllInstances
          Action: 'ACS::ExecuteAPI'
          Description: ''
          Properties:
            Service: ECS
            API: DescribeInstances
            Parameters:
              RegionId: '{{regionId}}'
          Outputs:
            InstanceIds:
              Type: List
              ValueSelector: 'Instances.Instance[].InstanceId'
        - Name: TagResources_ECS_Instances
          Action: 'ACS::ExecuteAPI'
          Description:
             
            en: 'tag ecs instances, which are without the specified tags.'
          Properties:
            Service: ECS
            API: TagResources
            Parameters:
              Tags: '{{ tags }}'
              RegionId: '{{regionId}}'
              ResourceType: Instance
              ResourceIds:
                - '{{ACS::TaskLoopItem}}'
          Loop:
            MaxErrors: 100%
            Concurrency: 20
            Items:
              'Fn::Difference':
                - '{{ getAllInstances.InstanceIds }}'
                - '{{ getInstancesByTags.InstanceIds }}'
      Outputs:
        InstanceIds:
          Type: List
          Value:
            'Fn::Difference':
              - '{{ getAllInstances.InstanceIds }}'
              - '{{ getInstancesByTags.InstanceIds }}'

      Parameters:

      • tags: the tags that you want to add to ECS instances.

      • regionId: the region ID of the ECS instances.

      • OOSAssumeRole: the RAM role that is used by OOS.

      Permissions:

      • DescribeInstances: filters resources based on source tags.

      • TagResources: creates tags for or adds tags to specified resources.

  5. Execute the custom template.

    1. In the left-side navigation pane, click My Templates. On the My Templates page, find the OOSAutoBindTag custom template that you created in Step 5 and click Create Execution in the Actions column.

      1

    2. Use the default execution mode or select a different mode. Then, click Next Step: Parameters Settings.

    3. In the Parameter Settings step, configure the parameters and click Next Step: OK.

      In this example, the following parameters are configured:

      1

      • tags: Select the owner:zhangsan tag.

      • regionId: Select the region of the instances, such as cn-shanghai. For more information, see Regions and zones.

      • oosAssumeRole: Use the OOSServiceRole RAM role.

    4. In the OK step, click Create.

    5. On the execution details page, click the Advanced View tab.

    6. On the right side of the page, click the Execution Result tab.

    View the execution result. If Success is displayed in the Execution Status column as shown in the following figure, the owner:zhangsan tag is added to all ECS instances in the selected region. 1

    If Failed is displayed in the Execution Status column, you can view the information about the execution status and the execution logs to adjust the content of the template.