Tag policies are policies used to standardize the tags that are added to resources. You can use a tag policy to define the tags that must be added to your resources. Compliant tags make tag-based cost allocation, tag-based access control, and automated O&M more efficient. The Tag Policy feature supports the single-account mode and the resource directory mode, which meet the requirements for standardized tag management at different stages of your business.
Scenarios
As your resources on the cloud increase, you can add tags to the resources to classify them. This way, you can allocate costs by tag and implement automated O&M. Issues may occur when you add tags to resources. For example, after you create a resource, you forget to add tags to it, you add only some tags (such as O&M-related tags) but forget to add finance-related tags, or the tags that you add contain spelling errors. If these issues occur, the costs of some resources cannot be allocated based on your business requirements when you allocate costs by tag, or automated O&M operations cannot be performed on some resources. The Tag Policy feature addresses these issues in the following scenarios:
Automatic tag detection
After you create a resource and add tags to the resource, you can use a tag policy to periodically check the following items to determine the tag compliance of the resource:
Whether the tags added to the resource are compliant
Whether the tags defined in the tag policy are added to the resource
Automatic tag detection can help you identify issues at the earliest opportunity.
Automatic remediation for tags
If you enable automatic remediation for tags and the remediation rules that you configure match the conditions for triggering automatic remediation, the system remediates the non-compliant tags based on the detection results.
Pre-event interception of non-compliant tags
Automatic tag detection runs with a delay. After a resource is created, non-compliant tags on the resource cannot be detected until the next automatic tag detection run starts. We recommend that you perform standardized tag management at the time you create a resource. To achieve this, you can use a tag policy to implement pre-event interception of non-compliant tags for a resource type. This way, when you create a resource of this type, the resource can be created only if the tags defined in the tag policy are attached to it.
By default, pre-event interception of non-compliant tags takes effect only for tags that are defined in a tag policy. If no tags are added to a resource to which the tag policy is applied or other tags are added to the resource, pre-event interception of non-compliant tags does not take effect.
Important: If you want pre-event interception of non-compliant tags to take effect on a resource to which no tags are added or other tags are added when you create the resource, you must contact the service manager of Alibaba Cloud to apply for a trial. Before you enable pre-event interception of non-compliant tags in the production environment, we recommend that you perform a test by using a test account.
Automatic tag inheritance from a resource group
After you add a tag to a resource group, if you create a resource in or add a resource to the resource group, the tag is automatically added to the resource.
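The following added example (not Alibaba Cloud code, and not the Tag Policy syntax used by the Resource Management console or API) models the four mechanisms described above in plain Python: automatic tag detection, automatic remediation, pre-event interception, and tag inheritance from a resource group. The policy format, the resource IDs, the tag keys and values, and the rule that a resource's own tags win over inherited resource-group tags are all constructed for this example. The `strict` flag models the difference between the default behaviour (only policy-defined keys are checked, so a resource with no tags or only other tags is not intercepted) and the invitational-preview behaviour in which missing policy keys also block creation.

```python
# Added example (not Alibaba Cloud code): a toy model of tag-policy evaluation.
# The policy format below is constructed for this example; the real Tag Policy
# syntax, console and API operations are NOT modelled here.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy: each key the policy defines, the values it allows
# (an empty list means any value) and an optional default that automatic
# remediation may fill in. Keys are compared exactly (assumption).
POLICY = {
    "CostCenter": {"values": ["finance", "engineering"], "default": None},
    "Env": {"values": ["prod", "test"], "default": "test"},
    "Owner": {"values": [], "default": None},
}

@dataclass
class Finding:
    resource_id: str
    kind: str      # "missing" or "invalid_value"
    key: str
    value: Optional[str] = None

def detect(resource_id: str, tags: Dict[str, str]) -> List[Finding]:
    """Automatic tag detection: the two checks the page lists.
    (1) Are the tags present on the resource compliant with the policy?
    (2) Are all tags the policy defines actually present?"""
    findings = []
    for key, rule in POLICY.items():
        if key not in tags:
            findings.append(Finding(resource_id, "missing", key))
        elif rule["values"] and tags[key] not in rule["values"]:
            findings.append(Finding(resource_id, "invalid_value", key, tags[key]))
    return findings

def remediate(tags: Dict[str, str], findings: List[Finding]) -> Tuple[Dict[str, str], List[Finding]]:
    """Automatic remediation: only findings a rule can fix are corrected
    (a missing key whose rule has a default). Anything else stays unresolved."""
    fixed = dict(tags)
    unresolved = []
    for f in findings:
        default = POLICY[f.key]["default"]
        if f.kind == "missing" and default is not None:
            fixed[f.key] = default
        else:
            unresolved.append(f)
    return fixed, unresolved

def intercept(tags: Dict[str, str], strict: bool = False) -> Tuple[bool, List[str]]:
    """Pre-event interception. With strict=False (the default behaviour the page
    describes) only tags whose keys the policy defines are checked, so a resource
    created with no tags, or with only other tags, is NOT intercepted. strict=True
    models the invitational-preview behaviour in which missing policy keys also
    block creation. Returns (allowed, reasons)."""
    findings = detect("pending", tags)
    blocking = [f for f in findings if strict or f.kind != "missing"]
    return not blocking, [f"{f.kind}:{f.key}" for f in blocking]

def create_resource(resource_id, tags, resource_group_tags=None, strict=False):
    """Inheritance, then interception: tags on the resource group are copied to the
    new resource (assumption: the resource's own tags take precedence on conflict),
    then the policy is enforced before the resource is created.
    Returns (allowed, effective_tags, reasons)."""
    effective = dict(resource_group_tags or {})
    effective.update(tags)
    allowed, reasons = intercept(effective, strict)
    return allowed, effective, reasons

if __name__ == "__main__":
    # Constructed sample resources: one with a misspelled value and a missing key,
    # one fully compliant.
    samples = {
        "i-a": {"CostCenter": "fnance", "Owner": "bob"},
        "i-b": {"CostCenter": "finance", "Env": "prod", "Owner": "alice"},
    }
    for rid, tags in samples.items():
        found = detect(rid, tags)
        fixed, left = remediate(tags, found)
        print(rid, [f"{f.kind}:{f.key}" for f in found], "->", fixed,
              "unresolved:", [f.key for f in left])
    print(create_resource("i-c", {"Env": "prod"},
                          {"CostCenter": "engineering", "Owner": "ops"}))
```

Running the script shows that the misspelled value `fnance` is detected but not auto-remediated (there is no safe default for a cost center), while the missing `Env` key is filled from the policy default; the creation call succeeds because the resource group supplies the keys the resource itself lacks.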
Modes of the Tag Policy feature
Resource Management allows you to enable the Tag Policy feature in single-account mode or in resource directory mode. Choose the mode based on your business scenario and the type of your logon account. The following table describes the two modes.
| Scenario | Type of the logon account | Mode of the Tag Policy feature | References |
| --- | --- | --- | --- |
| If your business in the cloud is simple and you use a single Alibaba Cloud account and the RAM users within the Alibaba Cloud account to perform management operations, you can use the Alibaba Cloud account to enable the Tag Policy feature in single-account mode. Then, you can use tag policies to manage the tag-related operations performed by using the Alibaba Cloud account or the RAM users. | Alibaba Cloud account that is not the management account or a member of a resource directory | Single-account mode: The Tag Policy feature in this mode can be used to manage tag-related operations performed by using an Alibaba Cloud account or the RAM users within the Alibaba Cloud account. | Use an Alibaba Cloud account to enable the Tag Policy feature |
| If your business in the cloud is complex and you use a resource directory to manage all your accounts, you can use the management account of the resource directory to enable the Tag Policy feature in resource directory mode. Then, you can use tag policies to manage the tag-related operations performed by using a member of the resource directory. | Management account of a resource directory | You can enable the Tag Policy feature in both modes or in one of the modes based on your business requirements. | Use the management account of a resource directory to enable the Tag Policy feature |
| Same scenario as the preceding row (resource directory) | Member of a resource directory | The following situations may occur based on whether the Tag Policy feature is enabled for a resource directory: | Use a member of a resource directory to enable the Tag Policy feature |
Limits
| Item | Limit |
| --- | --- |
| Maximum number of tag policies you can create when you use the Tag Policy feature in single-account mode | 10 |
| Maximum number of tag policies you can create when you use the Tag Policy feature in resource directory mode | 100 |
| Maximum number of characters that each tag policy can contain | 2,048 |
| Time required before pre-event interception of non-compliant tags takes effect | |
| Time required before automatic tag detection is started or complete | |
| Time required before automatic remediation is complete | After resources to which compliant tags are not added or non-compliant tags are added are detected, the system remediates the tags of the resources within 10 minutes. |
Best practices
Services that work with tag policies
| Service | Service code | Resource type | Support for automatic tag detection and automatic tag remediation | Support for automatic tag inheritance from a resource group | Support for pre-event interception of non-compliant tags | API operation that supports pre-event interception of non-compliant tags (1) | API operation that supports pre-event interception of non-compliant tags when you create a resource (2) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Elastic Compute Service (ECS) | ecs | instance | Yes | Yes | Yes | | None |
| Elastic Compute Service (ECS) | ecs | eni | Yes | No | Yes | | None |
| Elastic Compute Service (ECS) | ecs | securitygroup | Yes | Yes | Yes | | None |
| Elastic Compute Service (ECS) | ecs | disk | Yes | Yes | Yes | | None |
| Elastic Compute Service (ECS) | ecs | snapshot | Yes | No | Yes | | None |
| Elastic Compute Service (ECS) | ecs | ddh | Yes | Yes | Yes | | None |
| Elastic Compute Service (ECS) | ecs | image | No | No | Yes | | None |
| Elastic Compute Service (ECS) | ecs | keypair | No | No | Yes | | None |
| Elastic Compute Service (ECS) | ecs | launchtemplate | Yes | Yes | Yes | | None |
| Elastic Compute Service (ECS) | ecs | snapshotpolicy | No | No | Yes | | |
| ApsaraDB RDS | rds | instance | Yes | Yes | Yes | None | None |
| Server Load Balancer (SLB) | slb | instance | Yes | Yes | Yes | None | |
| Server Load Balancer (SLB) | slb | certificate | No | No | Yes | None | |
| Server Load Balancer (SLB) | slb | acl | No | No | Yes | None | |
| Application Load Balancer (ALB) | alb | acl | No | No | Yes | None | |
| Application Load Balancer (ALB) | alb | loadbalancer | No | No | Yes | None | |
| Application Load Balancer (ALB) | alb | securitypolicy | No | No | Yes | None | |
| Application Load Balancer (ALB) | alb | servergroup | No | No | Yes | None | |
| Virtual Private Cloud (VPC) | vpc | vpc | Yes | Yes | Yes | None | |
| Virtual Private Cloud (VPC) | vpc | vswitch | Yes | No | Yes | None | |
| Virtual Private Cloud (VPC) | vpc | routetable | Yes | No | Yes | None | |
| NAT Gateway | vpc | natgateway | Yes | Yes | Yes | None | |
| VPN Gateway | vpc | vpngateway | No | No | Yes | None | |
| EIP Bandwidth Plan | vpc | commonbandwidthpackage | No | No | Yes | None | |
| Elastic IP Address (EIP) | vpc | eip | Yes | Yes | Yes | None | |
| Cloud Enterprise Network | cen | cen | Yes | Yes | Yes | None | |
| Cloud Enterprise Network | cen | bandwidthpackage | No | No | Yes | None | |
| CDN | cdn | domain | Yes | Yes | No | None | None |
| Object Storage Service (OSS) | oss | bucket | Yes | Yes | No | None | None |
| ApsaraDB for Redis | kvstore | instance | Yes | Yes | Yes | None | None |
| ApsaraDB for MongoDB | dds | instance | Yes | Yes | Yes | None | |
| ApsaraDB for HBase | multimod | cluster | Yes | Yes | Yes | None | |
| PolarDB | polardb | cluster | Yes | Yes | No | None | None |
| Apsara File Storage NAS (NAS) | nas | filesystem | Yes | Yes | Yes | None | None |
| Anti-DDoS | ddoscoo | instance | Yes | Yes | Yes | None | None |
| Container Service for Kubernetes (ACK) | cs | cluster | Yes | Yes | No | None | None |
| API Gateway | apigateway | api | Yes | Yes | No | None | None |
| API Gateway | apigateway | apigroup | Yes | Yes | No | None | None |
| API Gateway | apigateway | app | No | No | No | None | None |
| API Gateway | apigateway | instance | No | No | No | None | None |
| API Gateway | apigateway | plugin | No | No | No | None | None |
| Alibaba Cloud DNS (DNS) | alidns | domain | No | No | Yes | None | None |
| Auto Scaling | ess | scalinggroup | No | No | Yes | | None |
| Elastic Container Instance | eci | containergroup | No | No | Yes | | None |
| Elastic Container Instance | eci | imagecache | No | No | Yes | None | None |
| Elastic Container Instance | eci | virtualnode | No | No | Yes | None | |
| ApsaraMQ for RocketMQ | mq | group | No | No | Yes | None | |
| ApsaraMQ for RocketMQ | mq | instance | No | No | Yes | None | |
| ApsaraMQ for RocketMQ | mq | topic | No | No | Yes | None | |
| Bastionhost | bastionhost | instance | No | No | Yes | None | |
| Resource Orchestration Service (ROS) | ros | changeset | No | No | Yes | None | |
| Resource Orchestration Service (ROS) | ros | stack | No | No | Yes | | None |
| Resource Orchestration Service (ROS) | ros | template | No | No | Yes | None | |
Additional information:
(1) Pre-event interception of non-compliant tags supports two scenarios: pre-event interception when you create a resource and pre-event interception when you add tags to a resource. Support for the two scenarios varies based on the Alibaba Cloud service, resource type, and API operation. For example, non-compliant tags can be intercepted when you call the CreateInstance operation to create an ECS instance or when you call the TagResources operation to add tags to an ECS instance. By default, pre-event interception of non-compliant tags takes effect only for tags that are defined in a tag policy. If no tags are added to a resource to which the tag policy is applied or other tags are added to the resource, pre-event interception of non-compliant tags does not take effect. This column lists the support of different types of resources for pre-event interception of non-compliant tags.
(2) The following feature is in invitational preview: pre-event interception of non-compliant tags for resources to which no tags are added or other tags are added. If you want to use this feature, you must contact the service manager of Alibaba Cloud to apply for a trial. This column lists the API operations that support the feature in invitational preview.