This topic describes how to push alert notifications to specified Message Service (MNS) topics when Cloud Config detects non-compliant configuration changes of resources. When a non-compliance alert is delivered to the topic, the corresponding function in Function Compute is triggered to automatically remediate the affected resources.

Prerequisites

Sample scenario

You create a rule function and associate it with the OSS bucket resource type based on the test-oss-bucket-public-read-prohibited managed rule. Cloud Config evaluates all OSS buckets within your Alibaba Cloud account. One of the OSS buckets is evaluated as Non-compliant, as shown in the following figure. (Figure: Bucket non-compliance)

Configuration items

The following sections describe the method to automatically remediate non-compliant resources by using MNS topics. In this example, the read and write permissions on an OSS bucket are remediated. The following table describes the configuration items that you can specify.
Cloud service       Configuration item                  Example
Cloud Config        Managed rule                        test-oss-bucket-public-read-prohibited
Cloud Config        Rule                                test-oss-bucket-public-read-prohibited
MNS                 Topic                               MNSTestConfig
MNS                 Region                              Singapore (Singapore)
OSS                 OSS bucket                          config-snapshot
OSS                 Bucket access control list (ACL)    Public read
Function Compute    Service                             resource_repair
Function Compute    System policy                       AliyunOSSFullAccess
Function Compute    Function                            oss_repair_acl_trigger
Function Compute    Trigger                             ConfigRuleNonComplianceMNSTrigger
Note Cloud Config is deployed in the Singapore (Singapore) region. To reduce packet loss, we recommend that you specify Singapore (Singapore) as the region for the MNS topic.

Workflow

The following figure shows how non-compliant resources are automatically remediated by using MNS topics. (Figure: Workflow)

Procedure

  1. Log on to the Cloud Config console. Specify an MNS topic to which resource non-compliance events are delivered, such as MNSTestConfig.
    For more information, see Deliver resource data to an MNS topic.
  2. Create a service.
    1. Log on to the Function Compute console.
    2. In the left-side navigation pane, click Services & Functions.
    3. In the top navigation bar, select a region, such as Singapore.
    4. On the Services page, click Create Service.
    5. In the Create Service panel, enter resource_repair in the Name field.
    6. Click OK.
  3. Authorize the created service to modify the permissions on the sample non-compliant OSS bucket.
    1. On the Services page, click resource_repair in the Name column. In the left-side navigation pane, click Service Details.
    2. In the Role Settings section, click Modify.
    3. Select AliyunFCLogExecutionRole from the drop-down list.
      The AliyunOSSFullAccess policy is attached to the AliyunFCLogExecutionRole role.
    4. Click Save.
  4. Create a function.
    1. On the details page of the resource_repair service, click Functions in the left-side navigation pane.
    2. Click Create Function.
    3. On the Create Function page, set the Function Name parameter to oss_repair_acl_trigger, the Runtime Environments parameter to Python 3, and the Function Trigger Mode parameter to Event-triggered.
    4. Click Create.
  5. Set the environment variable of the function.
    1. On the details page of the oss_repair_acl_trigger function, click the Configurations tab.
    2. In the Environment Variables section, click Modify.
    3. Click Add Variable and set the name and value for the environment variable.
      • Enter prepareRuleName in the Variable field.

        The name prepareRuleName is the same as the value of the ENV_RULE_NAME parameter in the automatic remediation code that is used in this example.

      • Enter test-oss-bucket-public-read-prohibited in the Value field.

        The value test-oss-bucket-public-read-prohibited indicates the rule name used in this example.

    4. Click Save.
  6. Create a trigger.
    1. On the details page of the oss_repair_acl_trigger function, click the Triggers tab.
    2. Click Create Trigger.
    3. Select MNS from the Trigger Type drop-down list.
    4. Set parameters for the MNS topic trigger.
      In this example, set the parameters in the following way:
      • Enter ConfigRuleNonComplianceMNSTrigger in the Name field.
      • Set the MNS Region parameter to Singapore.
      • Set the Topic parameter to MNSTestConfig.
      • Set the Event Format parameter to JSON.
      • Set the Role Name parameter to AliyunMNSNotificationRole.
    5. Click OK.
      After the trigger is created, notifications of non-compliant events are sent to you when Cloud Config evaluates resource compliance.
  7. Configure the automatic remediation code.
    1. On the details page of the oss_repair_acl_trigger function, click the Code tab.
    2. In the code editor, select the index.py file.
    3. Copy and paste the following code to the index.py file:
      # -*- coding: utf-8 -*-
      import logging
      import json
      import os
      import base64
      import binascii
      import oss2  # OSS SDK for Python, used by remedy_by_fc_assume()

      # Keys of the non-compliance event that the MNS topic trigger delivers.
      IDENTIFIER = 'evaluationResultIdentifier'
      QUALIFIER = 'evaluationResultQualifier'
      RULE_NAME = 'configRuleName'
      # Name of the function environment variable that holds the rule to remediate.
      ENV_RULE_NAME = 'prepareRuleName'
      RESOURCE_ID = 'resourceId'
      REGION_ID = 'regionId'
      FAIL = 'fail'
      SUCC = 'success'

      logger = logging.getLogger()


      def handler(event, context):
          logger.info("mns_topic trigger event = {}".format(event))
          decoded = None
          if event:
              try:
                  decoded = base64.b64decode(event)
              except binascii.Error:
                  logger.exception('mns_topic trigger event malformed!')
                  return FAIL
          if not decoded:
              return FAIL
          notify_json = json.loads(decoded)
          if notify_json and IDENTIFIER in notify_json:
              evaluationResultIdentifier = notify_json.get(IDENTIFIER)
              if QUALIFIER in evaluationResultIdentifier and RULE_NAME in evaluationResultIdentifier.get(QUALIFIER):
                  evaluationResultQualifier = evaluationResultIdentifier.get(QUALIFIER)
                  configRuleName = evaluationResultQualifier.get(RULE_NAME)
                  # Only remediate events raised by the rule named in the prepareRuleName
                  # environment variable, such as test-oss-bucket-public-read-prohibited.
                  if configRuleName == os.environ.get(ENV_RULE_NAME):
                      if RESOURCE_ID in evaluationResultQualifier and REGION_ID in evaluationResultQualifier:
                          bucket_name = evaluationResultQualifier.get(RESOURCE_ID)
                          region = evaluationResultQualifier.get(REGION_ID)
                          if region and bucket_name:
                              try:
                                  remedy_by_fc_assume(context, region, bucket_name)
                                  return SUCC
                              except Exception:
                                  logger.exception('remedy fail!')
          return FAIL


      def remedy_by_fc_assume(context, region, bucket_name):
          # Use the temporary STS credentials of the function's execution role
          # (AliyunFCLogExecutionRole with AliyunOSSFullAccess attached in this example).
          creds = context.credentials
          auth = oss2.StsAuth(creds.access_key_id, creds.access_key_secret, creds.security_token)
          bucket = oss2.Bucket(auth, 'http://oss-' + region + '.aliyuncs.com', bucket_name)
          # Reset the bucket ACL from public read to private.
          bucket.put_bucket_acl(oss2.BUCKET_ACL_PRIVATE)
          logger.info('bucket {bucket_name} in {region} acl remedy succ.'.format(bucket_name=bucket_name, region=region))

      Note The sample code describes the automatic remediation method of non-compliant resources. The prepareRuleName environment variable is used in this example. For information about how to remediate non-compliant resources by using other parameters, see Example of resource non-compliance events.
    4. In the code editor, click Deploy in the upper-right corner.
  8. Wait 10 minutes and view the remediation result.
    Note If a resource is evaluated as non-compliant based on the rule but no configurations are changed, you must re-evaluate the resource before you perform this step. For more information, see Manually re-evaluate resources.
    • View the remediation result in the Cloud Config console. (Figure: OSS bucket compliance)
    • View the remediation result in the OSS console. (Figure: OSS bucket compliance)
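The following is an added example, not code from this page or from Alibaba Cloud: it separates the decoding and rule check that the oss_repair_acl_trigger function performs from the OSS call, so the decision logic can be exercised offline against a constructed event and malformed inputs. The sample event uses the field names the page's handler reads; the event layout around those fields, the region ID ap-southeast-1 and the function names are assumptions.

```python
import base64
import binascii
import json
import os

# Field names read by the page's handler; the event layout around them is assumed.
IDENTIFIER = 'evaluationResultIdentifier'
QUALIFIER = 'evaluationResultQualifier'
RULE_NAME = 'configRuleName'
ENV_RULE_NAME = 'prepareRuleName'
RESOURCE_ID = 'resourceId'
REGION_ID = 'regionId'

def parse_noncompliance_event(event):
    """Decode a base64 MNS event; return (rule_name, region, bucket) or None if malformed."""
    try:
        body = json.loads(base64.b64decode(event, validate=True))
    except (binascii.Error, ValueError, TypeError):
        return None
    identifier = body.get(IDENTIFIER) if isinstance(body, dict) else None
    qualifier = identifier.get(QUALIFIER) if isinstance(identifier, dict) else None
    if not isinstance(qualifier, dict):
        return None
    fields = (qualifier.get(RULE_NAME), qualifier.get(REGION_ID), qualifier.get(RESOURCE_ID))
    return fields if all(fields) else None

def remediate_if_matching(event, remediate, expected_rule=None):
    """Call remediate(region, bucket) only for a well-formed event whose rule name equals
    expected_rule (default: the prepareRuleName environment variable). Fails closed."""
    expected_rule = expected_rule or os.environ.get(ENV_RULE_NAME)
    parsed = parse_noncompliance_event(event)
    if parsed is None:
        return 'fail'
    rule_name, region, bucket = parsed
    if rule_name != expected_rule:
        return 'skipped'
    remediate(region, bucket)
    return 'success'

def encode_event(body):
    """Base64-encode a JSON body the way the handler expects to receive it."""
    return base64.b64encode(json.dumps(body).encode()).decode()

# Constructed sample event: the page's rule and bucket, with an assumed Singapore region ID.
SAMPLE_EVENT = encode_event({IDENTIFIER: {QUALIFIER: {
    RULE_NAME: 'test-oss-bucket-public-read-prohibited',
    RESOURCE_ID: 'config-snapshot',
    REGION_ID: 'ap-southeast-1'}}})
```

In the real function, `remediate` would be the page's remedy_by_fc_assume bound to the invocation context; passing a recording callback instead lets you dry-run the trigger before granting the role AliyunOSSFullAccess.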