This topic describes the syntax of a tag policy and the supported inheritance operators.

Syntax

Tag policies support the JSON format and follow the standard JSON syntax. In this example, a simple tag policy is used to describe the syntax of a tag policy. The following code provides the document of the tag policy:

{
    "tags": {
        "CostCenter": {
            "tag_key": {
                "@@assign": "CostCenter"
            },
            "tag_value": {
                "@@assign": [
                    "*"
                ]
            },
            "enforced_for": {
                "@@assign": [
                    "ecs:instance"
                ]
            }
        },
        "owner": {
            "tag_key": {
                "@@assign": "owner"
            },
            "tag_value": {
                "@@assign": [
                    "*"
                ]
            },
            "enforced_for": {
                "@@assign": [
                    "ecs:instance"
                ]
            }
        }
    }
}

The preceding tag policy defines that the cost center tag whose tag key is CostCenter and the resource owner tag whose tag key is owner must be added to all Elastic Compute Service (ECS) instances. The following table describes the elements contained in a tag policy.

Element Description Required
Tag The document of a tag policy starts with tags. Yes
Policy key A policy key is the unique identifier of a statement in a tag policy. Policy keys are case-sensitive. You can specify multiple policy keys in a tag policy. Policy keys are the same as tag keys.

In this example, the policy keys are CostCenter and owner.

Yes
Tag key Tag keys are specified by tag_key and are case-sensitive.

In this example, the tag keys are CostCenter and owner.

Yes
Tag value Tag values are specified by tag_value. If tag_value is not configured, tags added to resources can have any tag values or no tag values. You can also set tag_value to an asterisk (*), which indicates any tag values.

In this example, tag_value is set to *. This indicates that any tag values can be used when you add the cost center tag whose tag key is CostCenter and the resource owner tag whose tag key is owner to all ECS instances.

No
Enforcement You can configure enforced_for to enforce a tag policy. The enforcement of a tag policy can prevent non-compliant tags from being added to resources.

In this example, the tag policy is enforced when an ECS instance is created. The tags whose tag keys are CostCenter and owner must be added to the ECS instance when the ECS instance is created. Otherwise, the ECS instance fails to be created.

No
Inheritance operator An inheritance operator is used to aggregate the tag policy that is attached to an object and the tag policy that is inherited by the object to obtain an effective policy for the object. For more information about inheritance operators, see Inheritance operators.

In this example, the inheritance operator @@assign is used for tag_key, tag_value, and enforced_for.

Yes

Inheritance operators

An inheritance operator is used to aggregate the tag policy that is attached to an object and the tag policy that is inherited by the object to obtain an effective policy for the object. Inheritance operators are classified into value-setting operators and child control operators.

Note If you configure a tag policy on the Quick Mode tab in the Resource Management console, you can use only the @@assign operator. This operator is a basic operator. If you configure a tag policy on the JSON tab in the Resource Management console, you can use all operators described in this section. Operators other than @@assign are advanced operators.
  • Value-setting operators
    Operator Description
    @@assign This operator indicates the overwrite operation. If you specify this operator for a setting in a tag policy attached to an object, and the setting conflicts with the related setting in the tag policy inherited by the object, the setting in the attached tag policy overwrites the related setting in the inherited tag policy.
    @@append This operator indicates the append operation. If you specify this operator for a setting in a tag policy attached to an object, the setting is appended to the tag policy inherited by the object. You can use this operator only when you specify multiple tag values for a tag key in a tag policy attached to an object.
    @@remove This operator indicates the remove operation. If you specify this operator for a setting in a tag policy attached to an object, the related setting is removed from the tag policy inherited by the object. You can use this operator only when you specify multiple tag values for a tag key in a tag policy attached to an object.
  • Child control operators

    Child control operators are advanced operators. You can use child control operators if you want to control which value-setting operators can be used in child policies. By default, all value-setting operators are allowed in child policies.

    Operator Description
    "@@operators_allowed_for_child_policies":["@@all"] If you specify this operator in a tag policy attached to a folder, you can use any value-setting operator in the policies attached to the subfolders of the folder and members in the folder. By default, if no child control operator is specified in a parent policy, all value-setting operators are allowed in child policies.
    "@@operators_allowed_for_child_policies":["@@assign" If you specify this operator in a tag policy attached to a folder, you can use the value-setting operator @@assign in the policies attached to the subfolders of the folder and members in the folder. You can specify one or more value-setting operators in this operator.
    "@@operators_allowed_for_child_policies":["@@none"] If you specify this operator in a tag policy attached to a folder, value-setting operators cannot be used in the policies attached to the subfolders of the folder and members in the folder. You can use this operator to lock the settings that are defined in a parent policy. This way, child policies do not take effect when you calculate an effective policy, and the parent policy is used as an effective policy.