All Products
Search

This Product

    CloudOps Orchestration Service:Use OOS to configure the approval process

    Document Center

    CloudOps Orchestration Service:Use OOS to configure the approval process

    Last Updated:Jun 10, 2020

    Scenario

    During automatic O&M, you must pay special attention to some operations, such as deleting important resources or purchasing instances with high costs. If these operations are performed automatically, you may lose control and face risks. However, if these operations are not performed automatically, you need to perform them manually or in some other non-automated ways. In this case, you can use the ACS::Approve action in an Operation Orchestration Service (OOS) template to strike a balance between automatic execution and operations that need special attention.

    Workaround

    When executing an ACS::Approve action in a template, the OOS execution engine suspends the execution of the subsequent operations, sets the execution status to Waiting, and sends a notification with an approval link to the administrator. After receiving the notification, the administrator can determine whether to approve or reject the operation based on the business requirements. If the operation is approved, the OOS execution engine continues to perform the subsequent operations. If the operation is rejected, the OOS execution engine stops the execution and sets the execution status to Canceled.

    Procedure

    1. Log on to the OOS console.

    2. In the left-side navigation pane, click My Templates. On the page that appears, click Create Template. In the Create Template dialog box, click the Empty Templates tab, select Empty Templates, and then click OK.

    3. On the page that appears, select the language or mode for creating the template. In this example, select YAML. Copy the template content in Appendix 1: Template for approving restart of Elastic Compute Service (ECS) instances of this topic to the template editor. Set Template Name in the Basic Information section. Then, click Create Template.oos

    4. Go back to the My Templates page, find the created template, and then click Create Execution in the Actions column.

    5. On the Create Execution page, click Next: Parameter Settings.

    6. Set the following parameters:

      • targets: required. The ECS instances to be restarted.
      • webHookUrl: required. The WebHook URL for receiving the approval notifications and links. For more information about how to obtain the WebHook URL, see Appendix 2: Obtain the WebHook URL.
      • rateControl: optional. Controls the concurrency and error threshold.
      • atMobiles: optional. The users to be reminded when an approval notification is sent to the specified DingTalk group.
      • atAll: optional. Specifies whether to remind all group members when an approval notification is sent to the specified DingTalk group.
      • OOSAssumeRole: optional. The Resource Access Management (RAM) role to be assumed by OOS. By default, OOS uses the permissions granted to the current account. If a RAM role is specified, OOS performs O&M tasks by assuming this RAM role.oos

    7. After setting parameters, click Next: OK. On the page that appears, check the parameter settings and click Confirm and Create.

    8. Go to the Executions page to view the created execution. If the template is executed, the execution is in the Waiting state. When an operation needs to be approved, OOS sends an approval notification to the specified DingTalk group and reminds the specified users in the group. The specified users can click the approval link to approve or reject the operation based on the business requirements.

    Appendix 1: Template for approving restart of ECS instances

    • The template executes the following tasks in sequence:

      1. Query the information about ECS instances to be restarted.
      2. Send a notification with a link for approving the restart of the ECS instances.
      3. Restart the ECS instances if the restart application is approved.

    • Template in the YAML format

    1. FormatVersion: OOS-2019-06-01
    2. Description:
    3.   en: Bulky restarts the ECS instances with Approval.
    4.   name-en: BulkyRebootInstancesWithApproval
    5. Parameters:
    6.   targets:
    7.     Type: Json
    8.     AssociationProperty: Targets
    9.     AssociationPropertyMetadata:
    10.       ResourceType: 'ALIYUN::ECS::Instance'
    11.   rateControl:
    12.     Description:
    13.       en: Concurrency ratio of task execution.
    14.     Type: Json
    15.     AssociationProperty: RateControl
    16.     Default:
    17.       Mode: Concurrency
    18.       MaxErrors: 0
    19.       Concurrency: 100%
    20.   webHookUrl:
    21.     Description:
    22.       en: 'The webHook url of dingtalk group assistant, e.g.https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414.'
    23.     Type: String
    24.   atMobiles:
    25.     Description:
    26.       en: 'The telephone numbers of member in dingtalk group assistant @, when notify comes.'
    27.     Type: List
    28.     Default:
    29.       - '12345678901'
    30.   atAll:
    31.     Description:
    32.       en: 'assistant @ all members in dingtalk group or not, when notify comes.'
    33.     Type: String
    34.     Default: 'false'
    35.   OOSAssumeRole:
    36.     Description:
    37.       en: The RAM role to be assumed by OOS.
    38.     Type: String
    39.     Default: OOSServiceRole
    40. RamRole: '{{ OOSAssumeRole }}'
    41. Tasks:
    42.   - Name: getInstance
    43.     Description:
    44.       en: Views the ECS instances.
    45.     Action: 'ACS::SelectTargets'
    46.     Properties:
    47.       ResourceType: 'ALIYUN::ECS::Instance'
    48.       Filters:
    49.         - '{{ targets }}'
    50.     Outputs:
    51.       instanceIds:
    52.         Type: List
    53.         ValueSelector: 'Instances.Instance[].InstanceId'
    54.       instanceNames:
    55.         Type: List
    56.         ValueSelector: 'Instances.Instance[].InstanceName'
    57.   - Name: approveRestart
    58.     Action: 'ACS::Approve'
    59.     Properties:
    60.       NotifyType: WebHook
    61.       WebHook:
    62.         URI: '{{webhookUrl}}'
    63.         Headers:
    64.           Content-Type: application/json
    65.         Content:
    66.           msgtype: text
    67.           text:
    68.             content: 'Notify: please approve instances restart, instance names to approve  are {{getInstance.instanceNames}}, sent by {{ACS::RegionId}} oos {{ACS::ExecutionId}}.'
    69.           at:
    70.             atMobiles: '{{atMobiles}}'
    71.             isAtAll: '{{atAll}}'
    72.   - Name: rebootInstance
    73.     Action: 'ACS::ECS::RebootInstance'
    74.     Description:
    75.       en: Restarts the ECS instances.
    76.     Properties:
    77.       instanceId: '{{ ACS::TaskLoopItem }}'
    78.     Loop:
    79.       RateControl: '{{ rateControl }}'
    80.       Items: '{{ getInstance.instanceIds }}'
    81. Outputs:
    82.   instanceIds:
    83.     Type: List
    84.     Value: '{{ getInstance.instanceIds }}'

    Appendix 2: Obtain the WebHook URL

    1. Log on to DingTalk. Find the group for receiving approval notifications and click the More icon on the right-side navigation pane.oos
    2. In the dialog box that appears, find Assist and click Open.2
    3. Click Add Robot.oos
    4. In the ChatBot dialog box, click the Custom card.oos
    5. In the Robot Details dialog box, click Add.5
    6. Set Chatbot name and Security Settings. In this example, select Custom Keywords for Security Settings. Set keywords for the DingTalk chatbot by using words in the notification. For example, the notification content in the sample template contains the word Notify. You set Notify as a keyword for the DingTalk chatbot. Select I have read and accepted DingTalk Custom Robot Service Terms of Service and click Finished.oos
    7. In the dialog box that appears, click Copy to copy the WebHook URL.oos