Resource Management:Enable pre-event interception of non-compliant tags

Usage notes

Scenarios

• Scenario 1: Intercept non-compliant tags when you create a resource.

  Situations in which non-compliant tags exist

  • Situation 1: When you create a resource, you add a tag whose key is defined in a tag policy to the resource. However, the value of the tag is not defined in the tag policy.

  • Situation 2: When you create a resource, the tag key that is defined in a tag policy is not added to the resource.

  Default feature and feature in invitational preview

  • Default feature: Pre-event interception of non-compliant tags is triggered only in Situation 1. For information about the resource types and API operations that support the default feature, see the API operation that supports pre-event interception of non-compliant tags column in the Services that support tag policies section of the Overview topic.

  • Feature in invitational preview: Pre-event interception of non-compliant tags is triggered in both Situation 1 and Situation 2. If you want to use the feature in invitational preview, you must contact the customer business manager (CBM) of Alibaba Cloud to apply for a trial. For information about the resource types and API operations that support the feature in invitational preview, see the API operation that supports pre-event interception of non-compliant tags when you create a resource column in the Services that support tag policies section of the Overview topic.

  Example

  A tag policy in which the CostCenter:Beijing tag is defined for Elastic Compute Service (ECS) instances is created and attached to an Alibaba Cloud account. When you create an ECS instance within the Alibaba Cloud account, you must add the tag to the instance. Otherwise, the instance fails to be created. If you use the default feature, the system checks tag compliance of the instance based only on the tag key CostCenter when you create the instance. The check can be triggered regardless of the case sensitivity of the tag key. If a tag such as CostCenter:Beijing is added to the instance, the tag is compliant and the instance can be successfully created. If a tag such as costcenter:Shanghai is added to the instance, the tag is non-compliant and the instance cannot be created. If you use the feature in invitational preview, the system also checks whether the tag key CostCenter is added to the instance when you create the instance. If the tag CostCenter:Beijing is not added to the instance, the instance fails to be created.

• Scenario 2: Intercept non-compliant tags when you add tags to a resource.

  When you add tags to a resource, the system checks whether the tag keys and tag values of the tags meet the requirements of a tag policy. You can add tags to the resource only if the tag keys and tag values of the tags meet the requirements of the tag policy.

Best practices

• If you enable pre-event interception of non-compliant tags, the production of resources may be affected. Before you enable pre-event interception of non-compliant tags in the production environment, we recommend that you perform a test by using a test account.

• Enabling pre-event interception of non-compliant tags for a cloud service may affect other cloud services. For example, if you enable pre-event interception of non-compliant tags for ECS instances, resource scaling in Auto Scaling or Container Service for Kubernetes (ACK) may fail because compliant tags are not added to the related ECS instances. Before you enable pre-event interception of non-compliant tags, make sure that you can perform tag-related operations that meet the requirements of the related services.

Procedure

In this example, the management account of a resource directory is used to enable the Tag Policy feature that is in resource directory mode and create a tag policy. The tag policy defines that a cost center tag must be added to an ECS instance when you use a member in the resource directory to create the ECS instance. The tag key of the cost center tag is CostCenter, and the tag value is Beijing or Shanghai. The ECS instance can be successfully created only if the defined cost center tag is added to the instance.

For security purposes, we recommend that you create a RAM user within the management account of your resource directory, attach the AdministratorAccess policy to the RAM user, and then use the RAM user as the administrator of the resource directory. You need to perform the following operations by using the RAM user. For more information about how to create a RAM user and grant permissions to the RAM user, see Create a RAM user and Grant permissions to RAM users.

1. Log on to the Resource Management console.

2. Enable the Tag Policy feature that is in resource directory mode.

   For more information, see Enable the Tag Policy feature.

3. Create a tag policy.

   1. On the Resource Directory tab of the Policy Library page, click Create Tag Policy.

   2. On the Create Tag Policy page, enter a policy name in the Policy Name field.

   3. Enter a policy description in the Policy Description field.

   4. Configure the tag policy on the Quick Mode tab.

      1. In the Tag Key field, enter CostCenter.

      2. Enter one or more tag values in the Specify Allowed Tag Values field.

         You can specify multiple tag values for each tag key. You must make sure that each tag value occupies one row. In this example, two tag values Beijing and Shanghai are specified for the tag key.

      3. Select Enforcement and click Specify Resource Types.

      4. In the Specify Resource Types for Policy Enforcement dialog box, read the prompt message for risks of pre-event interception, accept the risks, select ECS Instance as the resource type, and then click OK.

   5. Click Create.

4. Attach the tag policy.

   1. Go back to the Resource Directory tab of the Policy Library page, find the tag policy that is created in Step 3 and click Attach in the Actions column.

   2. In the Attach dialog box, select the object to which you want to attach the tag policy and click OK.

      You can attach the tag policy to one of the following objects. You can attach the tag policy to a member for testing. If the test is successful, you can attach the tag policy to the Root folder or a specific folder.

      • Root folder: If you attach the tag policy to the Root folder, the tag policy takes effect for all members in the resource directory.

      • Specific folder: If you attach the tag policy to a specific folder, the tag policy takes effect for all members in the folder and its subfolders.

      • Specific member: If you attach the tag policy to a specific member, the tag policy takes effect only for the member.

5. Check whether the tag policy is in effect.

   1. Use the member to which the tag policy is attached in Step 4 to log on to the Alibaba Cloud Management Console.

      For more information, see Use a member to log on to the Alibaba Cloud Management Console.

   2. Create an ECS instance within the member to check whether the tag policy is in effect.

      • Creation successful

        If you add the CostCenter:Beijing or CostCenter:Shanghai tag to the ECS instance when you create the ECS instance, the ECS instance will be successfully created.

      • Creation failed

        By default, pre-event interception of non-compliant tags takes effect only for tags that are defined in the tag policy. In the following scenarios, the ECS instance will fail to be created:

        • The case of the tag key or tag value that you enter when you add the tag to the ECS instance is inconsistent with that of the tag key or tag value defined in the tag policy. For example, costCenter:beijing is a non-compliant tag.

        • You add the tag key CostCenter to the ECS instance, but you do not add a tag value or you add a non-compliant tag value to the ECS instance.

        If you enable the feature that is in invitational preview but you do not add tags to the ECS instance or you add other tags to the ECS instance, the ECS instance fails to be created.

Error codes