Use OOS to add tags to multiple ECS resources at a time - Elastic Compute Service

You can use Operation Orchestration Service (OOS) to add tags to multiple resources that reside in the same region to control permissions on the resources based on the tags.

Background information

You can use OOS custom templates to add tags to the resources of Elastic Compute Service (ECS) and other Alibaba Cloud services. For more information about the services that support tags, see Services that support tags. In this topic, a custom template is created in OOS to add the owner:zhangsan tag to ECS instances that reside in the same region.

Note The resources to which you want to add tags must reside in the same region.

Step 1: Create a custom policy and a RAM role

Create a RAM role named OOSServiceRole for OOS and attach policies to the role.

Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account.
Create a custom policy named OOSAutoBindTag.
For more information, see Create a custom policy. The following policy is used in this step.

Note This policy is used to grant permissions on ECS instances, and the permission in the policy is set to ecs:DescribeInstances. You can set the permission based on your business requirements. For example, if you want to add a tag to multiple security groups, you can replace ecs:DescribeInstances with ecs:DescribeSecurityGroups.
```
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:TagResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
```
Create a RAM role named OOSServiceRole.
For more information, see Create a RAM role for a trusted Alibaba Cloud service.
Attach the custom policy to the RAM role.
For more information, see Grant permissions to a RAM role. In this step, the OOSAutoBindTag custom policy is attached to the OOSServiceRole RAM role.
Attach the AliyunOSSFullAccess system policy to the OOSServiceRole RAM role.

Step 2: Add a tag to multiple resources at a time

Log on to the Operation Orchestration Service console.
In the top navigation bar, select a region.
In the left-side navigation pane, click My Templates.

Create a custom template.

Click Create Template.
In the Basic Information section, set Template Name to OOSAutoBindTag.
You can also click Show More and configure the Tag, Resource Group, and Version Description parameters based on your business requirements.

Click the YAML tab to edit the template. Then, click Create Template.

Sample code:

FormatVersion: OOS-2019-06-01
Description: Tag Resources Without The Specified Tags
Parameters:
  tags:
    Type: Json
    Description:
      en: The tags to select ECS instances.
       
    AssociationProperty: Tags
  regionId:
    Type: String
    Description:
      en: The region to select ECS instances.
       
  OOSAssumeRole:
    Description:
      en: The RAM role to be assumed by OOS.
       
    Type: String
    Default: OOSServiceRole
RamRole: OOSServiceRole
Tasks:
  - Name: getInstancesByTags
    Action: 'ACS::ExecuteAPI'
    Description: ''
    Properties:
      Service: ECS
      API: DescribeInstances
      Parameters:
        Tags: '{{ tags }}'
        RegionId: '{{ regionId }}'
    Outputs:
      InstanceIds:
        Type: List
        ValueSelector: 'Instances.Instance[].InstanceId'
  - Name: getAllInstances
    Action: 'ACS::ExecuteAPI'
    Description: ''
    Properties:
      Service: ECS
      API: DescribeInstances
      Parameters:
        RegionId: '{{regionId}}'
    Outputs:
      InstanceIds:
        Type: List
        ValueSelector: 'Instances.Instance[].InstanceId'
  - Name: TagResources_ECS_Instances
    Action: 'ACS::ExecuteAPI'
    Description:
       
      en: 'tag ecs instances, which are without the specified tags.'
    Properties:
      Service: ECS
      API: TagResources
      Parameters:
        Tags: '{{ tags }}'
        RegionId: '{{regionId}}'
        ResourceType: Instance
        ResourceIds:
          - '{{ACS::TaskLoopItem}}'
    Loop:
      MaxErrors: 100%
      Concurrency: 20
      Items:
        'Fn::Difference':
          - '{{ getAllInstances.InstanceIds }}'
          - '{{ getInstancesByTags.InstanceIds }}'
Outputs:
  InstanceIds:
    Type: List
    Value:
      'Fn::Difference':
        - '{{ getAllInstances.InstanceIds }}'
        - '{{ getInstancesByTags.InstanceIds }}'

Parameters:

tags: the tags that you want to add to ECS instances.
regionId: the region ID of the ECS instances.
OOSAssumeRole: the RAM role that is used by OOS.

Permissions:

DescribeInstances: filters resources based on source tags.
TagResources: creates tags for or adds tags to specified resources.

Execute the custom template.
1. In the left-side navigation pane, click My Templates. On the My Templates page, find the OOSAutoBindTag custom template that you created in Step 5 and click Create Execution in the Actions column.
2. Use the default execution mode or select a different mode. Then, click Next Step: Parameters Settings.
3. In the Parameter Settings step, configure the parameters and click Next Step: OK.
  In this example, the following parameters are configured:
  - tags: Select the owner:zhangsan tag.
  - regionId: Select the region of the instances, such as cn-shanghai. For more information, see Regions and zones.
  - oosAssumeRole: Use the OOSServiceRole RAM role.
4. In the OK step, click Create.
5. On the execution details page, click the Advanced View tab.
6. On the right side of the page, click the Execution Result tab.
View the execution result. If Success is displayed in the Execution Status column as shown in the following figure, the owner:zhangsan tag is added to all ECS instances in the selected region.
If Failed is displayed in the Execution Status column, you can view the information about the execution status and the execution logs to adjust the content of the template.