Elastic Compute Service (ECS) instances are typically configured with resources such as cloud disks, elastic network interfaces (ENIs), and elastic IP addresses (EIPs). When you add tags to ECS instances, you can use Operation Orchestration Service (OOS) to automatically add the tags to the resources that are associated with the ECS instances. This ensures tag consistency between ECS instances and their associated resources and facilitates subsequent maintenance.

Background information

In this topic, an OOS custom template is created to add the owner:alice tag to the cloud disk, elastic network interfaces (ENIs), and elastic IP addresses (EIPs) associated with an ECS instance.

Note The OOS custom template, ECS instance, cloud disk, ENIs, and EIPs must reside in the same region.

Step 1: Create a RAM role and attach permission policies to it

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create a custom policy named OOSAutoTag. For more information, see Create a custom policy.

    The following policy is created:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeDisks",
                    "ecs:DescribeInstances",
                    "ecs:TagResources"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:TagResources"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    The following table lists the permissions defined in the preceding policy.

    Permission Parameter
    Query the information of ECS instances, ENIs, and EIPs ecs:DescribeInstances
    Query the information of cloud disks ecs:DescribeDisks
    Add tags to ECS instances, cloud disks, and ENIs ecs:TagResources
    Add tags to EIPs vpc:TagResources
  3. Create the OOSServiceRole RAM role.
    For more information, see Create a normal service role.
  4. Attach the custom policy OOSAutoTag to the RAM role.
    For more information, see Grant permissions to a RAM role.
  5. Attach the system policy AliyunOOSFullAccess to the RAM role.
    For more information, see Grant permissions to a RAM role.

Step 2: Create and execute an OOS custom template

  1. Log on to the OOS console.
  2. In the left-side navigation pane, click My Templates.
  3. In the top navigation bar, select a region.
  4. Create a custom template.
    1. On the My Templates page, click Create Template.
    2. In the Basic Information section, enter a name for your template, such as AutoTag.
    3. Click the JSON tab. Then, write code for the template and click Create Template.

      The following code provides an example:

      {
        "FormatVersion": "OOS-2019-06-01",
        "Description": {
          "en": "When instance is labeled with the specified tag, Tags will be propagated to the related resources.",
          "name-zh-cn": "zh-cn":
          "categories": [
            "event-trigger"
          ]
        },
        "Parameters": {
          "TagKey": {
            "Type": "String",
            "Description": "Tag key for tag instance"
          },
          "TagValue": {
            "Type": "String",
            "Description": "Tag value for tag instance"
          },
          "OOSAssumeRole": {
            "Description": {
              "en": "The RAM role to be assumed by OOS.",
            },
            "Type": "String",
            "Default": "OOSServiceRole"
          }
        },
        "RamRole": "{{ OOSAssumeRole }}",
        "Tasks": [
          {
            "Name": "eventTrigger",
            "Description": {
              "en": "Monitor the ECS instance TAG event.",
            },
            "Action": "ACS::EventTrigger",
            "Properties": {
              "Product": "tag",
              "Name": [
                "Tag:ChangeOnResource"
              ],
              "Level": [
                "INFO"
              ],
              "Content": {
                "product": [
                  "ecs"
                ],
                "resourceType": [
                  "instance"
                ]
              }
            },
            "Outputs": {
              "instanceId": {
                "ValueSelector": ".content.resourceId",
                "Type": "String"
              },
              "isTag": {
                "ValueSelector": ".content.addedTags|select(.{{TagKey}}==\"{{TagValue}}\") |[.] |all|tostring",
                "Type": "String"
              }
            }
          },
          {
            "Name": "whetherNeedTag",
            "Action": "ACS::Choice",
            "Description": {
              "en": "Determine whether the tag needs to be propagated"
            },
            "Properties": {
              "DefaultTask": "describeInstancesFinally",
              "Choices": [
                {
                  "When": {
                    "Fn::Equals": [
                      "true",
                      "{{ eventTrigger.isTag }}"
                    ]
                  },
                  "NextTask": "describeInstances"
                }
              ]
            }
          },
          {
            "Name": "describeInstances",
            "Action": "ACS::ExecuteAPI",
            "Description": {
              "en": "Query the instance to obtain the network interface and elastic public network IP resources related to the instance."
            },
            "Properties": {
              "Service": "ECS",
              "API": "DescribeInstances",
              "Parameters": {
                "RegionId": "{{ ACS::RegionId }}",
                "InstanceIds": [
                  "{{ eventTrigger.instanceId }}"
                ]
              }
            },
            "Outputs": {
              "eips": {
                "Type": "List",
                "ValueSelector": "Instances.Instance[].EipAddress.AllocationId"
              },
              "enis": {
                "Type": "List",
                "ValueSelector": "Instances.Instance[].NetworkInterfaces.NetworkInterface[].NetworkInterfaceId"
              }
            }
          },
          {
            "Name": "describeDisks",
            "Action": "ACS::ExecuteAPI",
            "Description": {
              "en": "Obtain disk ids based on instance id."
            },
            "Properties": {
              "Service": "ECS",
              "API": "DescribeDisks",
              "Parameters": {
                "RegionId": "{{ ACS::RegionId }}",
                "InstanceId": "{{ eventTrigger.instanceId }}"
              }
            },
            "Outputs": {
              "diskIds": {
                "Type": "List",
                "ValueSelector": "Disks.Disk[].DiskId"
              }
            }
          },
          {
            "Name": "tagResourcesDisks",
            "Action": "ACS::ExecuteAPI",
            "Description": {
              "en": "Tag disks"
            },
            "Properties": {
              "Service": "ECS",
              "API": "TagResources",
              "Parameters": {
                "RegionId": "{{ ACS::RegionId }}",
                "ResourceIds": [
                  "{{ ACS::TaskLoopItem }}"
                ],
                "ResourceType": "disk",
                "Tags": [
                  {
                    "Key": "{{TagKey}}",
                    "Value": "{{TagValue}}"
                  }
                ]
              }
            },
            "Loop": {
              "RateControl": {
                "Mode": "Batch",
                "MaxErrors": 0,
                "Batch": [
                  50
                ],
                "BatchPauseOption": "Automatic",
                "ConcurrencyInBatches": [
                  1
                ]
              },
              "Items": "{{ describeDisks.diskIds }}"
            }
          },
          {
            "Name": "tagResourcesEnis",
            "Action": "ACS::ExecuteAPI",
            "Description": {
              "en": "Tag network interface."
            },
            "Properties": {
              "Service": "ECS",
              "API": "TagResources",
              "Parameters": {
                "RegionId": "{{ ACS::RegionId }}",
                "ResourceIds": [
                  "{{ ACS::TaskLoopItem }}"
                ],
                "ResourceType": "eni",
                "Tags": [
                  {
                    "Key": "{{TagKey}}",
                    "Value": "{{TagValue}}"
                  }
                ]
              }
            },
            "Loop": {
              "RateControl": {
                "Mode": "Batch",
                "MaxErrors": 0,
                "Batch": [
                  50
                ],
                "BatchPauseOption": "Automatic",
                "ConcurrencyInBatches": [
                  1
                ]
              },
              "Items": "{{ describeInstances.enis }}"
            }
          },
          {
            "Name": "tagResourcesEips",
            "Action": "ACS::ExecuteAPI",
            "Description": {
              "en": "Tag eips"
            },
            "Properties": {
              "Service": "VPC",
              "API": "TagResources",
              "Parameters": {
                "RegionId": "{{ ACS::RegionId }}",
                "ResourceIds": [
                  "{{ ACS::TaskLoopItem }}"
                ],
                "ResourceType": "eip",
                "Tags": [
                  {
                    "Key": "{{TagKey}}",
                    "Value": "{{TagValue}}"
                  }
                ]
              }
            },
            "Loop": {
              "RateControl": {
                "Mode": "Batch",
                "MaxErrors": 1,
                "Batch": [
                  50
                ],
                "BatchPauseOption": "Automatic",
                "ConcurrencyInBatches": [
                  1
                ]
              },
              "Items": "{{ describeInstances.eips }}"
            }
          },
          {
            "Name": "describeInstancesFinally",
            "Action": "ACS::ExecuteAPI",
            "Description": {
              "en": "Views the ECS instances Status."
            },
            "Properties": {
              "Service": "ECS",
              "API": "DescribeInstances",
              "Parameters": {
                "RegionId": "{{ ACS::RegionId }}",
                "InstanceIds": [
                  "{{ eventTrigger.instanceId }}"
                ]
              }
            },
            "Outputs": {
              "status": {
                "Type": "String",
                "ValueSelector": "Instances.Instance[].Status"
              }
            }
          }
        ],
        "Outputs": {
          "instanceId": {
            "Value": "{{ eventTrigger.instanceId}}",
            "Type": "String"
          },
          "diskIds": {
            "Value": "{{ describeDisks.diskIds }}",
            "Type": "String"
          },
          "eips": {
            "Value": "{{ describeInstances.eips  }}",
            "Type": "String"
          },
          "enis": {
            "Value": "{{ describeInstances.enis  }}",
            "Type": "String"
          }
        }
      }
  5. Execute the custom template.
    1. In the left-side navigation pane, click My Templates. On the My Templates page, find the AutoTag custom template that you created, and click Create Execution in the Actions column.
      Create Execution
    2. In the Basic Information step, keep the default values and click Next: Parameter Settings.
    3. In the Parameter Settings step, configure the parameters and click Next: OK.

      The following parameters are configured in this example:

      Parameter Settings section
      • TagKey: Enter the tag key owner.
      • TagValue: Enter the tag value alice.
      • OOSAssumeRole: Select the OOSServiceRole RAM role.
    4. Click Create.

Step 3: Add the tag to the ECS instance

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the upper-left corner of the top navigation bar, select a region.
  4. On the Instances page, find your desired ECS instance, move the pointer over the icon in the Tag column, and click Edit Tags. Then, add the owner:alice tag to the instance.
    Add a tag

Result

After the owner:alice tag is added to the ECS instance, the OOS custom template AutoTag is automatically executed. Then, the tag is automatically added to the cloud disk, ENIs, and EIPs that are associated with the ECS instance.

Tag added to a cloud disk