Resource Orchestration Service: ALIYUN::Config::Rule

Last Updated: May 16, 2023

ALIYUN::Config::Rule is used to create or modify a rule.

Syntax

{
  "Type": "ALIYUN::Config::Rule",
  "Properties": {
    "TagKeyScope": String,
    "TagValueScope": String,
    "Description": String,
    "ExcludeResourceIdsScope": String,
    "SourceOwner": String,
    "SourceIdentifier": String,
    "MaximumExecutionFrequency": String,
    "RegionIdsScope": String,
    "ConfigRuleTriggerTypes": String,
    "ResourceGroupIdsScope": String,
    "RiskLevel": Integer,
    "ResourceTypesScope": List,
    "RuleName": String,
    "InputParameters": Map,
    "TagKeyLogicScope": String
  }
}

Properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| TagKeyScope | String | No | Yes | The tag key of the rule. | This property takes effect when SourceOwner is set to ALIYUN. |
| TagValueScope | String | No | Yes | The tag value of the rule. | This property takes effect when SourceOwner is set to ALIYUN. |
| Description | String | No | Yes | The description of the rule. | None. |
| ExcludeResourceIdsScope | String | No | Yes | The IDs of the resources that are excluded by the rule. | Separate multiple resource IDs with commas (,). This property takes effect when SourceOwner is set to ALIYUN. |
| SourceOwner | String | Yes | No | The method based on which the rule is created. | Valid values: CUSTOM_FC: The rule is created based on a custom function. ALIYUN: The rule is created based on a managed rule of Alibaba Cloud. |
| SourceIdentifier | String | Yes | No | The identifier of the rule or the Alibaba Cloud Resource Name (ARN) of the function. | This property specifies the identifier of the rule when SourceOwner is set to ALIYUN. A value of ALIYUN specifies a managed rule of Alibaba Cloud. This property specifies the ARN of the function when SourceOwner is set to CUSTOM_FC. A value of CUSTOM_FC specifies a custom function. |
| MaximumExecutionFrequency | String | No | Yes | The interval at which the rule is executed. | Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, TwentyFour_Hours. |
| RegionIdsScope | String | No | Yes | The region IDs of the rule. | Separate multiple region IDs with commas (,). This property takes effect when SourceOwner is set to ALIYUN. |
| ConfigRuleTriggerTypes | String | Yes | Yes | The trigger types of the rule. | Valid values: ConfigurationItemChangeNotification: The rule is triggered by configuration changes. ScheduledNotification: The rule is triggered as scheduled. |
| ResourceGroupIdsScope | String | No | Yes | The resource group IDs of the rule. | Separate multiple resource group IDs with commas (,). This property takes effect when SourceOwner is set to ALIYUN. |
| RiskLevel | Integer | Yes | Yes | The risk level of the rule. | Valid values: 1: high. 2: medium. 3: low. |
| ResourceTypesScope | List | Yes | Yes | The types of the resources that are evaluated based on the rule. | None. |
| RuleName | String | Yes | No | The name of the rule. | None. |
| InputParameters | Map | No | Yes | The input parameters of the rule. | Example: {"cpuCount": "2"}. |
| TagKeyLogicScope | String | No | No | The logical relationship between the tag keys of the rule. | None. |

Return values

Fn::GetAtt

  • TagKeyScope: the tag key of the rule.

  • TagValueScope: the tag value of the rule.

  • Description: the description of the rule.

  • ExcludeResourceIdsScope: the IDs of the resources that are excluded by the rule.

  • SourceOwner: the method based on which the rule is created.

  • SourceIdentifier: the identifier of the rule.

  • MaximumExecutionFrequency: the interval at which the rule is executed.

  • ConfigRuleId: the rule ID.

  • EventSource: the source of the event.

  • RegionIdsScope: the region IDs of the rule.

  • ConfigRuleArn: the ARN of the rule.

  • ConfigRuleTriggerTypes: the trigger types of the rule.

  • ResourceGroupIdsScope: the resource group IDs of the rule.

  • RiskLevel: the risk level of the rule.

  • ResourceTypesScope: the types of the resources that are evaluated based on the rule.

  • RuleName: the name of the rule.

  • InputParameters: the input parameters of the rule.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  Description:
    Default: test
    Type: String
    Description: The description of the rule
  SourceOwner:
    Type: String
    Description: 'Specifies whether you or Alibaba Cloud owns and manages the rule. Valid values:  CUSTOM_FC: The rule is a custom rule and you own the rule. ALIYUN: The rule is a managed rule and Alibaba Cloud owns the rule'
    Default: ALIYUN
  SourceIdentifier:
    Type: String
    Description: The identifier of the rule.  For a managed rule, the value is the name of the managed rule. For a custom rule, the value is the ARN of the custom rule
    Default: ecs-instances-in-vpc
  ConfigRuleTriggerTypes:
    Type: String
    Description: 'The trigger type of the rule. Valid values:  ConfigurationItemChangeNotification: The rule is triggered upon configuration changes. ScheduledNotification: The rule is triggered as scheduled.'
    Default: ConfigurationItemChangeNotification
  RiskLevel:
    Type: Number
    Description: 'The risk level of the resources that are not compliant with the rule. Valid values:  1: critical 2: warning 3: info'
    Default: 3
  ResourceTypesScope:
    Type: Json
    Description: The types of the resources to be evaluated against the rule
    Default:
      - ACS::ECS::Instance
  RuleName:
    Type: String
    Description: The name of the rule.
    Default: MyRule
Resources:
  ConfigRule:
    Type: ALIYUN::Config::Rule
    Properties:
      Description:
        Ref: Description
      SourceOwner:
        Ref: SourceOwner
      SourceIdentifier:
        Ref: SourceIdentifier
      ConfigRuleTriggerTypes:
        Ref: ConfigRuleTriggerTypes
      RiskLevel:
        Ref: RiskLevel
      ResourceTypesScope:
        Ref: ResourceTypesScope
      RuleName:
        Ref: RuleName
Outputs:
  TagKeyScope:
    Description: The rule monitors the tag key, only applies to rules created based on managed rules
    Value:
      Fn::GetAtt:
        - ConfigRule
        - TagKeyScope
  TagValueScope:
    Description: The rule monitors the tag value, only applies to rules created based on managed rules
    Value:
      Fn::GetAtt:
        - ConfigRule
        - TagValueScope
  Description:
    Description: The description of the rule
    Value:
      Fn::GetAtt:
        - ConfigRule
        - Description
  ExcludeResourceIdsScope:
    Description: The rule monitors excluded resource IDs, multiple of which are separated by commas, only applies to rules created based on managed rules; for a custom rule, this field is empty
    Value:
      Fn::GetAtt:
        - ConfigRule
        - ExcludeResourceIdsScope
  SourceOwner:
    Description: 'Specifies whether you or Alibaba Cloud owns and manages the rule. Valid values:  CUSTOM_FC: The rule is a custom rule and you own the rule. ALIYUN: The rule is a managed rule and Alibaba Cloud owns the rule'
    Value:
      Fn::GetAtt:
        - ConfigRule
        - SourceOwner
  SourceIdentifier:
    Description: The identifier of the rule.  For a managed rule, the value is the name of the managed rule. For a custom rule, the value is the ARN of the custom rule
    Value:
      Fn::GetAtt:
        - ConfigRule
        - SourceIdentifier
  MaximumExecutionFrequency:
    Description: 'The frequency of the compliance evaluations. Valid values:  One_Hour Three_Hours Six_Hours Twelve_Hours TwentyFour_Hours'
    Value:
      Fn::GetAtt:
        - ConfigRule
        - MaximumExecutionFrequency
  ConfigRuleId:
    Description: The ID of the rule
    Value:
      Fn::GetAtt:
        - ConfigRule
        - ConfigRuleId
  EventSource:
    Description: The event source of the rule.
    Value:
      Fn::GetAtt:
        - ConfigRule
        - EventSource
  RegionIdsScope:
    Description: The rule monitors region IDs, separated by commas, only applies to rules created based on managed rules
    Value:
      Fn::GetAtt:
        - ConfigRule
        - RegionIdsScope
  ConfigRuleArn:
    Description: config rule arn
    Value:
      Fn::GetAtt:
        - ConfigRule
        - ConfigRuleArn
  ConfigRuleTriggerTypes:
    Description: 'The trigger type of the rule. Valid values:  ConfigurationItemChangeNotification: The rule is triggered upon configuration changes. ScheduledNotification: The rule is triggered as scheduled.'
    Value:
      Fn::GetAtt:
        - ConfigRule
        - ConfigRuleTriggerTypes
  ResourceGroupIdsScope:
    Description: The rule monitors resource group IDs, separated by commas, only applies to rules created based on managed rules
    Value:
      Fn::GetAtt:
        - ConfigRule
        - ResourceGroupIdsScope
  RiskLevel:
    Description: 'The risk level of the resources that are not compliant with the rule. Valid values:  1: critical 2: warning 3: info'
    Value:
      Fn::GetAtt:
        - ConfigRule
        - RiskLevel
  ResourceTypesScope:
    Description: The types of the resources to be evaluated against the rule
    Value:
      Fn::GetAtt:
        - ConfigRule
        - ResourceTypesScope
  RuleName:
    Description: The name of the rule.
    Value:
      Fn::GetAtt:
        - ConfigRule
        - RuleName
  InputParameters:
    Description: The settings of the input parameters for the rule
    Value:
      Fn::GetAtt:
        - ConfigRule
        - InputParameters

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "Description": {
      "Default": "test",
      "Type": "String",
      "Description": "The description of the rule"
    },
    "SourceOwner": {
      "Type": "String",
      "Description": "Specifies whether you or Alibaba Cloud owns and manages the rule. Valid values:  CUSTOM_FC: The rule is a custom rule and you own the rule. ALIYUN: The rule is a managed rule and Alibaba Cloud owns the rule",
      "Default": "ALIYUN"
    },
    "SourceIdentifier": {
      "Type": "String",
      "Description": "The identifier of the rule.  For a managed rule, the value is the name of the managed rule. For a custom rule, the value is the ARN of the custom rule",
      "Default": "ecs-instances-in-vpc"
    },
    "ConfigRuleTriggerTypes": {
      "Type": "String",
      "Description": "The trigger type of the rule. Valid values:  ConfigurationItemChangeNotification: The rule is triggered upon configuration changes. ScheduledNotification: The rule is triggered as scheduled.",
      "Default": "ConfigurationItemChangeNotification"
    },
    "RiskLevel": {
      "Type": "Number",
      "Description": "The risk level of the resources that are not compliant with the rule. Valid values:  1: critical 2: warning 3: info",
      "Default": 3
    },
    "ResourceTypesScope": {
      "Type": "Json",
      "Description": "The types of the resources to be evaluated against the rule",
      "Default": [
        "ACS::ECS::Instance"
      ]
    },
    "RuleName": {
      "Type": "String",
      "Description": "The name of the rule.",
      "Default": "MyRule"
    }
  },
  "Resources": {
    "ConfigRule": {
      "Type": "ALIYUN::Config::Rule",
      "Properties": {
        "Description": {
          "Ref": "Description"
        },
        "SourceOwner": {
          "Ref": "SourceOwner"
        },
        "SourceIdentifier": {
          "Ref": "SourceIdentifier"
        },
        "ConfigRuleTriggerTypes": {
          "Ref": "ConfigRuleTriggerTypes"
        },
        "RiskLevel": {
          "Ref": "RiskLevel"
        },
        "ResourceTypesScope": {
          "Ref": "ResourceTypesScope"
        },
        "RuleName": {
          "Ref": "RuleName"
        }
      }
    }
  },
  "Outputs": {
    "TagKeyScope": {
      "Description": "The rule monitors the tag key, only applies to rules created based on managed rules",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "TagKeyScope"
        ]
      }
    },
    "TagValueScope": {
      "Description": "The rule monitors the tag value, only applies to rules created based on managed rules",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "TagValueScope"
        ]
      }
    },
    "Description": {
      "Description": "The description of the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "Description"
        ]
      }
    },
    "ExcludeResourceIdsScope": {
      "Description": "The rule monitors excluded resource IDs, multiple of which are separated by commas, only applies to rules created based on managed rules; for a custom rule, this field is empty",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ExcludeResourceIdsScope"
        ]
      }
    },
    "SourceOwner": {
      "Description": "Specifies whether you or Alibaba Cloud owns and manages the rule. Valid values:  CUSTOM_FC: The rule is a custom rule and you own the rule. ALIYUN: The rule is a managed rule and Alibaba Cloud owns the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "SourceOwner"
        ]
      }
    },
    "SourceIdentifier": {
      "Description": "The identifier of the rule.  For a managed rule, the value is the name of the managed rule. For a custom rule, the value is the ARN of the custom rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "SourceIdentifier"
        ]
      }
    },
    "MaximumExecutionFrequency": {
      "Description": "The frequency of the compliance evaluations. Valid values:  One_Hour Three_Hours Six_Hours Twelve_Hours TwentyFour_Hours",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "MaximumExecutionFrequency"
        ]
      }
    },
    "ConfigRuleId": {
      "Description": "The ID of the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ConfigRuleId"
        ]
      }
    },
    "EventSource": {
      "Description": "The event source of the rule.",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "EventSource"
        ]
      }
    },
    "RegionIdsScope": {
      "Description": "The rule monitors region IDs, separated by commas, only applies to rules created based on managed rules",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "RegionIdsScope"
        ]
      }
    },
    "ConfigRuleArn": {
      "Description": "config rule arn",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ConfigRuleArn"
        ]
      }
    },
    "ConfigRuleTriggerTypes": {
      "Description": "The trigger type of the rule. Valid values:  ConfigurationItemChangeNotification: The rule is triggered upon configuration changes. ScheduledNotification: The rule is triggered as scheduled.",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ConfigRuleTriggerTypes"
        ]
      }
    },
    "ResourceGroupIdsScope": {
      "Description": "The rule monitors resource group IDs, separated by commas, only applies to rules created based on managed rules",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ResourceGroupIdsScope"
        ]
      }
    },
    "RiskLevel": {
      "Description": "The risk level of the resources that are not compliant with the rule. Valid values:  1: critical 2: warning 3: info",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "RiskLevel"
        ]
      }
    },
    "ResourceTypesScope": {
      "Description": "The types of the resources to be evaluated against the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ResourceTypesScope"
        ]
      }
    },
    "RuleName": {
      "Description": "The name of the rule.",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "RuleName"
        ]
      }
    },
    "InputParameters": {
      "Description": "The settings of the input parameters for the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "InputParameters"
        ]
      }
    }
  }
}
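
A pre-deployment check for the constraints listed in the Properties section, as an added example (not part of the original page and not Alibaba Cloud tooling): it reports missing required properties, values outside the listed sets, scope properties set on a CUSTOM_FC rule, and any ExcludeResourceIdsScope exclusions so they can be reviewed. The function names, the sample template, its resource IDs and the `<function-arn>` placeholder are assumptions made for illustration.

```python
REQUIRED = ("SourceOwner", "SourceIdentifier", "ConfigRuleTriggerTypes",
            "RiskLevel", "ResourceTypesScope", "RuleName")
VALID = {  # valid values listed in the Properties table, compared as strings
    "SourceOwner": {"CUSTOM_FC", "ALIYUN"},
    "ConfigRuleTriggerTypes": {"ConfigurationItemChangeNotification", "ScheduledNotification"},
    "RiskLevel": {"1", "2", "3"},
    "MaximumExecutionFrequency": {"One_Hour", "Three_Hours", "Six_Hours",
                                  "Twelve_Hours", "TwentyFour_Hours"}}
# Properties the table says take effect when SourceOwner is set to ALIYUN.
ALIYUN_ONLY = ("TagKeyScope", "TagValueScope", "ExcludeResourceIdsScope",
               "RegionIdsScope", "ResourceGroupIdsScope")

def resolve(value, params):  # {"Ref": name} -> that parameter's Default, or None
    is_ref = isinstance(value, dict) and "Ref" in value
    return params.get(value["Ref"], {}).get("Default") if is_ref else value

def lint_config_rules(template):
    """Return sorted (resource, message) findings for ALIYUN::Config::Rule resources."""
    params, findings = template.get("Parameters", {}), []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "ALIYUN::Config::Rule":
            continue
        raw = res.get("Properties", {})
        props = {k: resolve(v, params) for k, v in raw.items()}
        findings += [(name, f"missing required property {k}")
                     for k in REQUIRED if k not in raw]
        for key, allowed in VALID.items():
            value = props.get(key)  # unresolved Fn:: values (dicts) are skipped
            if isinstance(value, (str, int)) and str(value) not in allowed:
                findings.append((name, f"{key}={value!r} is not a listed value"))
        if props.get("SourceOwner") == "CUSTOM_FC":
            findings += [(name, f"{k} only takes effect when SourceOwner is ALIYUN")
                         for k in ALIYUN_ONLY if k in raw]
        excluded = props.get("ExcludeResourceIdsScope")
        if isinstance(excluded, str) and excluded:  # surface exemptions for review
            findings.append((name, f"{len(excluded.split(','))} resource ID(s) excluded"))
    return sorted(findings)

# Constructed sample template (not from the page); resource IDs and ARN are placeholders.
SAMPLE = {"Parameters": {"Level": {"Type": "Number", "Default": 3}}, "Resources": {
    "VpcRule": {"Type": "ALIYUN::Config::Rule", "Properties": {
        "SourceOwner": "ALIYUN", "SourceIdentifier": "ecs-instances-in-vpc",
        "ConfigRuleTriggerTypes": "ConfigurationItemChangeNotification",
        "ResourceTypesScope": ["ACS::ECS::Instance"], "RuleName": "MyRule",
        "RiskLevel": {"Ref": "Level"}, "ExcludeResourceIdsScope": "i-example1,i-example2"}},
    "CustomRule": {"Type": "ALIYUN::Config::Rule", "Properties": {
        "SourceOwner": "CUSTOM_FC", "SourceIdentifier": "<function-arn>",
        "ConfigRuleTriggerTypes": "ScheduledNotification", "RiskLevel": 1, "RuleName": "Custom",
        "MaximumExecutionFrequency": "Two_Hours", "RegionIdsScope": "cn-hangzhou"}}}}
```

Ref values are resolved to parameter defaults only, so values supplied at stack creation are not visible to this check.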