You can use an Operation Orchestration Service (OOS) custom template to add tags to multiple resources in the same region at a time. Then, you can manage permissions on these resources based on the tags.

Background information

You can add tags to Alibaba Cloud services that support tags. For more information about the services that support tags, see Alibaba Cloud services that support tags.

In this topic, a custom template is created in OOS to add the owner:zhangsan tag to multiple Elastic Compute Service (ECS) instances in the same region.

Note The resources to which tags will be added must reside in the same region.

Step 1: Create a RAM role and attach permission policies to it

Create a RAM role named OOSServiceRole for OOS and attach permission policies to the role.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create a custom policy named OOSAutoBindTag. For more information, see Create a custom policy.
    Note This policy is used for ECS instances, and the permission in the policy is set to ecs:DescribeInstances. You can set the permission based on your business requirements. For example, if you want to add a tag to multiple security groups, you can replace ecs:DescribeInstances with ecs:DescribeSecurityGroups.

    The following policy is created:

    {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:TagResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
  3. Create the OOSServiceRole RAM role.
    For more information, see Create a normal service role.
  4. Attach the custom policy OOSAutoBindTag to the RAM role.
    For more information, see Grant permissions to a RAM role.
  5. Attach the system policy AliyunOOSFullAccess to the RAM role.
    For more information, see Grant permissions to a RAM role.

Step 2: Add a tag to multiple resources at a time

  1. Log on to the OOS console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click My Templates.
  4. Create a custom template.
    1. On the My Templates page, click Create Template.
    2. In the Create Template dialog box, click the Empty Templates tab, select Empty Templates, and click OK.
    3. On the Create Template page, click the YAML tab and edit the template. In the Basic Information section, enter OOSAutoBindTag in the Template Name field. After you edit the template, click Create Template.

      Sample code:

      FormatVersion: OOS-2019-06-01
Description: Tag Resources Without The Specified Tags
Parameters:
  tags:
    Type: Json
    Description:
      en: The tags to select ECS instances.
    AssociationProperty: Tags
  regionId:
    Type: String
    Description:
      en: The region to select ECS instances.
  OOSAssumeRole:
    Description:
      en: The RAM role to be assumed by OOS.
    Type: String
    Default: OOSServiceRole
RamRole: OOSServiceRole
Tasks:
  - Name: getInstancesByTags
    Action: 'ACS::ExecuteAPI'
    Description: ''
    Properties:
      Service: ECS
      API: DescribeInstances
      Parameters:
        Tags: '{{ tags }}'
        RegionId: '{{ regionId }}'
    Outputs:
      InstanceIds:
        Type: List
        ValueSelector: 'Instances.Instance[].InstanceId'
  - Name: getAllInstances
    Action: 'ACS::ExecuteAPI'
    Description: ''
    Properties:
      Service: ECS
      API: DescribeInstances
      Parameters:
        RegionId: '{{regionId}}'
    Outputs:
      InstanceIds:
        Type: List
        ValueSelector: 'Instances.Instance[].InstanceId'
  - Name: TagResources_ECS_Instances
    Action: 'ACS::ExecuteAPI'
    Description:
      en: 'tag ecs instances, which are without the specified tags.'
    Properties:
      Service: ECS
      API: TagResources
      Parameters:
        Tags: '{{ tags }}'
        RegionId: '{{regionId}}'
        ResourceType: Instance
        ResourceIds:
          - '{{ACS::TaskLoopItem}}'
    Loop:
      MaxErrors: 100%
      Concurrency: 20
      Items:
        'Fn::Difference':
          - '{{ getAllInstances.InstanceIds }}'
          - '{{ getInstancesByTags.InstanceIds }}'
Outputs:
  InstanceIds:
    Type: List
    Value:
      'Fn::Difference':
        - '{{ getAllInstances.InstanceIds }}'
        - '{{ getInstancesByTags.InstanceIds }}'

      Parameters:

      • tags: the tags that are added to ECS instances
      • regionId: the region ID of the ECS instances to which you want to add a tag
      • OOSAssumeRole: the RAM role used by OOS

      Permissions:

      • DescribeInstances: filters resources based on tags.
      • TagResources: adds tags to specified resources.
  5. Execute the custom template.
    1. In the left-side navigation pane, click My Templates. On the My Templates page, find the OOSAutoBindTag custom template that you created, and click Create Execution in the Actions column.
      1
    2. Keep the default settings or re-select the execution mode, and click Next: Parameters Settings.
    3. In the Parameter Settings step, configure parameters and click Next: OK.

      The following parameters are configured in this example:

      1
      • tags: Select the tag owner:zhangsan.
      • regionId: Select the region of the instances, such as cn-shanghai.
      • oosAssumeRole: Use the OOSServiceRole RAM role.
    4. Click Create.
    5. On the execution details page, click the Advanced View tab.
    6. Click the Execution Result tab on the right side of the page.
    7. View the execution result.
      • If the execution succeeds, the information shown in the following figure appears.1
      • If the execution fails, you can check logs for the failure cause and make adjustments accordingly.