Tag policies use JSON syntax with inheritance operators to enforce tagging rules across your resource hierarchy.
Syntax
Tag policies use JSON format. The syntax varies by scenario.
Add tags with specific values to resources
This policy type starts with tags.
| Element | Required | Description | Example |
|---|---|---|---|
| Policy key | Yes | Uniquely identifies a statement. Must be lowercase. Multiple policy keys allowed per policy. Case-insensitive match with tag keys. | |
| Tag key | Yes | Specified by | |
| Tag value | Yes | Specified by | |
| Resource type scope | No | Use | |
| Region scope | No | Use | |
| Resource group scope | No | Use | |
| Pre-event interception | No | Use | |
| Automatic remediation | No | Use | |
| Inheritance operator | Yes | Aggregates attached and inherited tag policies to compute the effective policy for the object. | |
Sample code:
{
  "tags": {
    "color": {
      "tag_key": {
        "@@operators_allowed_for_child_policies": [
          "@@none"
        ],
        "@@assign": "COLOR"
      },
      "tag_value": {
        "@@operators_allowed_for_child_policies": [
          "@@append"
        ],
        "@@assign": [
          "red",
          "green",
          "grey"
        ]
      },
      "resource_type_scope": {
        "@@operators_allowed_for_child_policies": [
          "@@append"
        ],
        "@@assign": [
          "ecs:instance"
        ]
      },
      "region_scope": {
        "@@operators_allowed_for_child_policies": [
          "@@append"
        ],
        "@@assign": [
          "cn-hangzhou"
        ]
      },
      "rg_scope": {
        "@@operators_allowed_for_child_policies": [
          "@@append"
        ],
        "@@assign": [
          "rg-xxxx"
        ]
      },
      "enforced_for": {
        "@@operators_allowed_for_child_policies": [
          "@@remove"
        ],
        "@@assign": [
          "ecs:instance"
        ]
      },
      "tag_value_correction": {
        "@@operators_allowed_for_child_policies": [
          "@@none"
        ],
        "@@assign": {
          "red": {
            "value_type": "Tag",
            "value_scope": {
              "acs:rm:rgId": "rg-xx1"
            }
          },
          "green": {
            "value_type": "Tag",
            "value_scope": {
              "k1": "v2"
            }
          },
          "grey": {
            "value_type": "Tag",
            "value_scope": {
              "k111": "v222"
            }
          }
        }
      }
    }
  }
}
Automatic tag inheritance from resource groups
This policy type starts with rg_inherit.
| Element | Required | Description | Example |
|---|---|---|---|
| Policy key | Yes | Uniquely identifies a statement. Must be lowercase. Multiple policy keys allowed per policy. Case-insensitive match with tag keys. | |
| Tag key | Yes | Specified by | |
| Resource type scope | No | Use | |
| Region scope | No | Use | |
| Resource group scope | No | Use | |
| Inheritance operator | Yes | Aggregates attached and inherited tag policies to compute the effective policy for the object. | |
Sample code:
{
  "rg_inherit": {
    "color": {
      "tag_key": {
        "@@operators_allowed_for_child_policies": [
          "@@none"
        ],
        "@@assign": "COLOR"
      },
      "resource_type_scope": {
        "@@operators_allowed_for_child_policies": [
          "@@append"
        ],
        "@@assign": [
          "ecs:instance"
        ]
      },
      "region_scope": {
        "@@operators_allowed_for_child_policies": [
          "@@append"
        ],
        "@@assign": [
          "cn-hangzhou"
        ]
      },
      "rg_scope": {
        "@@operators_allowed_for_child_policies": [
          "@@append"
        ],
        "@@assign": [
          "rg-xxxx"
        ]
      }
    }
  }
}
Match tag values against a regular expression
This policy type starts with matched_tags.
| Element | Required | Description | Example |
|---|---|---|---|
| Policy key | Yes | Uniquely identifies a statement. Must be lowercase. Multiple policy keys allowed per policy. Case-insensitive match with tag keys. | |
| Tag key | Yes | Specified by | |
| Tag value | Yes | Specified by | |
| Resource type scope | No | Use | |
| Region scope | No | Use | |
| Resource group scope | No | Use | |
| Automatic remediation | No | Use | |
| Inheritance operator | Yes | Aggregates attached and inherited tag policies to compute the effective policy for the object. | |
Sample code:
{
  "matched_tags": {
    "number": {
      "tag_key": {
        "@@operators_allowed_for_child_policies": [
          "@@none"
        ],
        "@@assign": "NUMBER"
      },
      "tag_value": {
        "@@operators_allowed_for_child_policies": [
          "@@assign"
        ],
        "@@assign": [
          "^[0-9]+$"
        ]
      },
      "resource_type_scope": {
        "@@operators_allowed_for_child_policies": [
          "@@append"
        ],
        "@@assign": [
          "ecs:instance"
        ]
      },
      "region_scope": {
        "@@operators_allowed_for_child_policies": [
          "@@append"
        ],
        "@@assign": [
          "cn-hangzhou"
        ]
      },
      "rg_scope": {
        "@@operators_allowed_for_child_policies": [
          "@@append"
        ],
        "@@assign": [
          "rg-xxxx"
        ]
      },
      "tag_value_correction": {
        "@@operators_allowed_for_child_policies": [
          "@@none"
        ],
        "@@assign": {
          "1": {
            "value_type": "Tag",
            "value_scope": {
              "acs:rm:rgId": "rg-xx1"
            }
          },
          "2": {
            "value_type": "Tag",
            "value_scope": {
              "k1": "v2"
            }
          },
          "3": {
            "value_type": "Tag",
            "value_scope": {
              "k111": "v222"
            }
          }
        }
      }
    }
  }
}
Inheritance operators
Inheritance operators aggregate attached and inherited tag policies to compute the effective policy for an object. They fall into two categories: value-setting operators and child control operators.
In the Quick Mode of the console, only the @@assign operator is supported. Use JSON mode for other operators.
Value-setting operators

| Operator | Description |
|---|---|
| @@assign | Overwrites conflicting settings. When a setting in an attached policy conflicts with the inherited policy, the attached policy takes precedence. When multiple @@assign settings in attached policies conflict, the first-attached policy takes precedence. |
| @@append | Appends the attached policy's setting to the inherited policy. Only applicable when multiple tag values are specified for a tag key. |
| @@remove | Removes the specified setting from the inherited policy. Only applicable when multiple tag values are specified for a tag key. |

Child control operators

Child control operators limit which value-setting operators child policies can use. By default, all value-setting operators are allowed.

| Operator | Description |
|---|---|
| "@@operators_allowed_for_child_policies":["@@all"] | Allows all value-setting operators in child policies attached to subfolders and members. This is the default behavior. |
| "@@operators_allowed_for_child_policies":["@@assign"] | Restricts child policies to the specified value-setting operators only. You can list one or more operators. |
| "@@operators_allowed_for_child_policies":["@@none"] | Blocks all value-setting operators in child policies. Locks the parent policy settings so they serve as the effective policy. |
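
The operator rules above, worked through as an added example (not code from the original page or from the service): a small merge of one inherited parent policy with one attached child policy, useful for reviewing which parent settings a child can still change. The names merge, PARENT and CHILD are hypothetical, the sample policies are constructed, and two behaviours are assumptions of this example: the effective value is kept under "@@assign", and an operator the parent does not allow is skipped and recorded.

```python
import copy

VALUE_OPS = ("@@assign", "@@append", "@@remove")
CONTROL = "@@operators_allowed_for_child_policies"

def is_setting(node):
    """A setting node carries operators; anything else is a container level."""
    return isinstance(node, dict) and any(k.startswith("@@") for k in node)

def merge(parent, child, path="", rejected=None):
    """Merge one child policy into one inherited parent policy.

    Returns (effective, rejected); the effective value of each setting is
    kept under "@@assign". Skipping a disallowed operator is this example's
    assumption, not documented service behaviour.
    """
    rejected = [] if rejected is None else rejected
    out = copy.deepcopy(parent)
    for key, c_node in child.items():
        here = f"{path}/{key}"
        if not is_setting(c_node):                 # e.g. "tags" or a policy key
            out[key], _ = merge(parent.get(key, {}), c_node, here, rejected)
            continue
        allowed = parent.get(key, {}).get(CONTROL, ["@@all"])  # default: all
        eff = out.setdefault(key, {})
        for op in VALUE_OPS:
            if op not in c_node:
                continue
            if "@@all" not in allowed and op not in allowed:
                rejected.append((here, op))        # parent locked this operator
            elif op == "@@assign":
                eff["@@assign"] = copy.deepcopy(c_node[op])
            elif op == "@@append":
                cur = eff.get("@@assign", [])
                eff["@@assign"] = cur + [v for v in c_node[op] if v not in cur]
            else:                                  # "@@remove"
                eff["@@assign"] = [v for v in eff.get("@@assign", []) if v not in c_node[op]]
    return out, rejected

# Constructed sample: a parent modelled on the page's "tags" policy and a
# child policy attached lower in the hierarchy.
PARENT = {"tags": {"color": {
    "tag_key": {CONTROL: ["@@none"], "@@assign": "COLOR"},
    "tag_value": {CONTROL: ["@@append"], "@@assign": ["red", "green", "grey"]},
    "enforced_for": {CONTROL: ["@@remove"], "@@assign": ["ecs:instance"]}}}}
CHILD = {"tags": {"color": {
    "tag_key": {"@@assign": "Colour"},
    "tag_value": {"@@assign": ["black"], "@@append": ["blue"]},
    "enforced_for": {"@@remove": ["ecs:instance"]}}}}

EFFECTIVE, REJECTED = merge(PARENT, CHILD)
```

In this run the child cannot rename the tag key or replace the value list, but because the parent allows @@remove on enforced_for, the child empties that list; lock a setting with @@none when child policies must not weaken it.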