You can use tag policy enforcement to block tag-related operations that do not comply with a tag policy. If a tag-related operation violates the rules defined in the tag policy, the operation fails.

Note The tag policy enforcement feature is in invitational preview. You can contact the service manager of Alibaba Cloud to apply for a trial.

Usage notes

You can use the tag policy enforcement feature in one of the following scenarios:

  • Enforce tag compliance with a tag policy when you create a resource.
  • Enforce tag compliance with a tag policy when you add tags to a resource.
Tag policy enforcement

Before you enable tag policy enforcement, you must take note of the following items:

  • If you enable tag policy enforcement, the creation of resources may be affected. Before you enable tag policy enforcement, we recommend that you test it by using a test account.
  • Only some types of resources support tag policy enforcement. For more information, see the Support for tag policy enforcement column in Services that work with tag policies.
    Note Subscription Elastic Compute Service (ECS) instances that are newly created by using the ECS console do not support tag policy enforcement.
  • The enforcement of a tag policy for one cloud service may affect other cloud services. For example, if you enable enforcement for a tag policy that applies to ECS instances and then scale your resources in Auto Scaling or Container Service for Kubernetes (ACK), the scaling may fail because the instances that these services create do not carry compliant tags. Therefore, before you enable tag policy enforcement, make sure that every service that creates or tags the affected resources can add tags that meet the requirements of the tag policy.

Procedure

In this example, the Tag Policy feature in multi-account mode is used. The management account of a resource directory is used to enable the Tag Policy feature that is in multi-account mode and create a tag policy. The tag policy defines that a cost center tag must be added to an ECS instance when you use a member in the resource directory to create the ECS instance. The tag key of the cost center tag is CostCenter, and the tag value is Beijing or Shanghai. The ECS instance can be created only if the cost center tag is added to the ECS instance. The tag key and tag value of the cost center tag are case-sensitive.

For security purposes, we recommend that you do not perform these operations with the credentials of the management account itself. Instead, create a RAM user within the management account of your resource directory, attach the AdministratorAccess policy to the RAM user, and use the RAM user as the administrator of the resource directory. Perform the following operations as this RAM user. For more information about how to create a RAM user and grant permissions to the RAM user, see Create a RAM user and Grant permissions to a RAM user.

  1. Enable the Tag Policy feature that is in multi-account mode.

    For more information, see Enable the Tag Policy feature.

  2. Create a tag policy.
    1. On the All Tag Policies tab of the Policy Library page, click Create Tag Policy.
    2. On the Create Tag Policy page, enter a policy name.
    3. Optional: Enter a policy description.
    4. Configure the tag policy on the Quick Mode tab.
      1. In the Tag Key field, enter CostCenter.
      2. Select Specify Allowed Tag Values and click Specify Tag Values.
      3. In the Specify Allowed Tag Values dialog box, enter the desired tag value and click OK.

        You can click Add to specify multiple tag values for the tag key. In this example, two tag values Beijing and Shanghai are specified for the tag key.

      4. Select Enforcement and click Specify Resource Types for Policy Enforcement.
      5. In the Specify Resource Types for Policy Enforcement dialog box, read the risk warning and select I have read and fully understand the risks of enforcement. Then, select instance in the Elastic Compute Service (ECS) section.
      6. Click OK.
    5. Click Create.
  3. Attach the tag policy.
    1. On the All Tag Policies tab of the Policy Library page, find the tag policy that is created in Step 2 and click Attach in the Actions column.
    2. In the Attach dialog box, select the object to which you want to attach the tag policy and click OK.
      You can attach the tag policy to one of the following objects. You can attach the tag policy to a member for testing. If the test is successful, you can attach the tag policy to the Root folder or a specific folder.
      • Root folder: If you attach the tag policy to the Root folder, the tag policy takes effect for all members in the resource directory.
      • Specific folder: If you attach the tag policy to a specific folder, the tag policy takes effect for all members in the folder and its subfolders.
      • Specific member: If you attach the tag policy to a specific member, the tag policy takes effect only for the member.
  4. Check whether the tag policy is in effect.
    1. Access a member to which the tag policy is attached in Step 3.
      For more information, see Access a member.
    2. Create an ECS instance in the member to check whether the tag policy is in effect.
      If you add the tag CostCenter:Beijing or CostCenter:Shanghai to the ECS instance when you create the ECS instance, the ECS instance is created. If one of the following situations occurs, the ECS instance fails to be created:
      • The case of the tag key or tag value that you enter when you add the tag to the ECS instance is inconsistent with that of the tag key or tag value defined in the tag policy. For example, you add the costCenter:beijing tag to the ECS instance.
      • You specify only the tag key CostCenter and do not specify a tag value when you add the tag to the ECS instance.
      Note The system decides whether to check a tag based on its tag key. In this example, the check starts only if you add a tag whose key is CostCenter (in any combination of case, such as CostCenter or costCenter) to the ECS instance. Once the check starts, the system verifies that both the tag key and the tag value exactly match the tag policy, including case. In all other situations the system performs no check and the ECS instance is created, for example, if no tags are added to the ECS instance or only tags with other tag keys are added.
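The decision rules described in Step 4 and the two Forbidden.TagPolicy messages listed under Error code can be exercised offline. The following Python is an added example and not Alibaba Cloud code: it parses a constructed tag policy document that encodes the quick-mode settings from the procedure (key CostCenter, allowed values Beijing and Shanghai, enforcement for ECS instances) and simulates the check applied to the tags of a create request. The JSON layout of the document (tags, tag_value, enforced_for, @@assign) and the resource type string ecs:instance are assumptions about the policy syntax; the functions load_policy and check_tags are illustrative and do not reproduce the service's internal implementation.

```python
import json

# Constructed tag policy document for this example. The JSON layout
# (tags / tag_value / enforced_for / @@assign) and the resource type
# "ecs:instance" are assumptions about the policy syntax, not copied
# from the console.
POLICY_DOCUMENT = json.dumps({
    "tags": {
        "CostCenter": {
            "tag_value": {"@@assign": ["Beijing", "Shanghai"]},
            "enforced_for": {"@@assign": ["ecs:instance"]},
        }
    }
})


def load_policy(document):
    """Parse a policy document into {tag_key: (allowed_values, enforced_types)}."""
    rules = {}
    for key, spec in json.loads(document)["tags"].items():
        allowed = spec.get("tag_value", {}).get("@@assign", [])
        enforced = spec.get("enforced_for", {}).get("@@assign", [])
        rules[key] = (list(allowed), list(enforced))
    return rules


def _compact(value):
    # Render values the way the sample error messages do:
    # ["red","green"] without spaces, "xxx" in double quotes.
    return json.dumps(value, separators=(",", ":"))


def check_tags(rules, resource_type, tags):
    """Simulate enforcement for one create or tag request.

    tags maps tag key -> tag value; use "" when only the key was supplied.
    Returns (True, None) when the request would be allowed, otherwise
    (False, message) with a message shaped like Forbidden.TagPolicy.
    """
    for policy_key, (allowed, enforced_types) in rules.items():
        if resource_type not in enforced_types:
            continue  # enforcement is not enabled for this resource type
        for tag_key, tag_value in tags.items():
            # Detection starts only for a tag whose key matches the policy
            # key. The match is case-insensitive so that costCenter is
            # detected and then rejected for its case, as in the sample
            # 'TagKey' message; tags with unrelated keys are not checked.
            if tag_key.lower() != policy_key.lower():
                continue
            if tag_key != policy_key:
                return False, (
                    "The operation is failure, because the valid tag policy "
                    f"values of 'TagKey' are {_compact([policy_key])}, "
                    f"but the value is {_compact(tag_key)}."
                )
            # The value check is case-sensitive; a missing value ("") is
            # just a value that is not in the allowed list.
            if tag_value not in allowed:
                return False, (
                    "The operation is failure, because the valid tag policy "
                    f"values of 'TagValue' are {_compact(allowed)}, "
                    f"but the value is {_compact(tag_value)}."
                )
    # No tag carried the policy key, so the policy has nothing to check.
    return True, None


RULES = load_policy(POLICY_DOCUMENT)

if __name__ == "__main__":
    # Constructed create requests covering the cases listed in Step 4.
    requests = [
        ("ecs:instance", {"CostCenter": "Beijing"}),
        ("ecs:instance", {"costCenter": "beijing"}),
        ("ecs:instance", {"CostCenter": ""}),
        ("ecs:instance", {"Owner": "alice"}),
        ("ecs:instance", {}),
        ("ecs:disk", {"CostCenter": "Hangzhou"}),
    ]
    for resource_type, tags in requests:
        ok, message = check_tags(RULES, resource_type, tags)
        print(resource_type, tags, "->", "allowed" if ok else message)
```

Run the script to see which of the constructed requests are allowed and which produce a TagKey or TagValue message. The case-insensitive key match followed by a case-sensitive comparison is what makes a costCenter:beijing tag fail with the key error rather than pass unchecked, which is the behaviour the procedure above describes.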

Error code

Error code: Forbidden.TagPolicy
Sample error message: The operation is failure, because the valid tag policy values of 'TagValue' are ["red","green","orange","blue","pink","white","black","grey"], but the value is "xxx".
Description: The tag value is non-compliant, so the resource fails to be created. Enter a tag value that is defined in the tag policy.

Error code: Forbidden.TagPolicy
Sample error message: The operation is failure, because the valid tag policy values of 'TagKey' are ["colorful"], but the value is "colorFul".
Description: The case of the tag key is non-compliant, so the resource fails to be created. Enter the tag key exactly as it is defined in the tag policy.