ALIYUN::Config::Rule is used to create or modify a rule.

Syntax

{
  "Type": "ALIYUN::Config::Rule",
  "Properties": {
    "TagKeyScope": String,
    "TagValueScope": String,
    "Description": String,
    "ExcludeResourceIdsScope": String,
    "SourceOwner": String,
    "SourceIdentifier": String,
    "MaximumExecutionFrequency": String,
    "RegionIdsScope": String,
    "ConfigRuleTriggerTypes": String,
    "ResourceGroupIdsScope": String,
    "RiskLevel": Integer,
    "ResourceTypesScope": List,
    "RuleName": String,
    "InputParameters": Map,
    "TagKeyLogicScope": String
  }
}

Properties

| Property | Type | Required | Editable | Description | Constraint |
|---|---|---|---|---|---|
| TagKeyScope | String | No | Yes | The tag key of the rule. | This property only takes effect when the SourceOwner property is set to ALIYUN. ALIYUN specifies a managed rule of Alibaba Cloud. |
| TagValueScope | String | No | Yes | The tag value of the rule. | This property only takes effect when the SourceOwner property is set to ALIYUN. ALIYUN specifies a managed rule of Alibaba Cloud. |
| Description | String | No | Yes | The description of the rule. | None. |
| ExcludeResourceIdsScope | String | No | Yes | The IDs of the resources that are excluded by the rule. | Separate multiple resource IDs with commas (,). This property only takes effect when the SourceOwner property is set to ALIYUN. ALIYUN specifies a managed rule of Alibaba Cloud. |
| SourceOwner | String | Yes | No | The method based on which the rule is created. | Valid values: CUSTOM_FC (the rule is created based on a custom rule function that you create) and ALIYUN (the rule is created based on a managed rule of Alibaba Cloud). |
| SourceIdentifier | String | Yes | No | The identifier of the rule or the Alibaba Cloud Resource Name (ARN) of the function. | This property specifies the identifier of the rule if you set the SourceOwner property to ALIYUN. ALIYUN specifies a managed rule of Alibaba Cloud. This property specifies the ARN of the function if you set the SourceOwner property to CUSTOM_FC. CUSTOM_FC specifies a custom rule that you create. |
| MaximumExecutionFrequency | String | No | Yes | The interval at which the rule is triggered. | Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, TwentyFour_Hours. |
| RegionIdsScope | String | No | Yes | The region IDs of the rule. | Separate multiple region IDs with commas (,). This property only takes effect when the SourceOwner property is set to ALIYUN. ALIYUN specifies a managed rule of Alibaba Cloud. |
| ConfigRuleTriggerTypes | String | Yes | Yes | The trigger type of the rule. | Valid values: ConfigurationItemChangeNotification (the rule is triggered by configuration changes) and ScheduledNotification (the rule is triggered as scheduled). |
| ResourceGroupIdsScope | String | No | Yes | The resource group IDs of the rule. | Separate multiple resource group IDs with commas (,). This property only takes effect when the SourceOwner property is set to ALIYUN. ALIYUN specifies a managed rule of Alibaba Cloud. |
| RiskLevel | Integer | Yes | Yes | The risk level of the rule. | Valid values: 1 (high), 2 (medium), 3 (low). |
| ResourceTypesScope | List | Yes | Yes | The types of the resources that are evaluated based on the rule. | None. |
| RuleName | String | Yes | No | The name of the rule. | None. |
| InputParameters | Map | No | Yes | The settings of the input parameters for the rule. | Sample value: {"cpuCount": "2"}. |
| TagKeyLogicScope | String | No | No | The logical type of the tag key of the rule. | None. |

Return values

Fn::GetAtt

  • TagKeyScope: the tag key of the rule.
  • TagValueScope: the tag value of the rule.
  • Description: the description of the rule.
  • ExcludeResourceIdsScope: the IDs of the resources that are excluded by the rule.
  • SourceOwner: the method based on which the rule is created.
  • SourceIdentifier: the identifier of the rule or the ARN of the function.
  • MaximumExecutionFrequency: the interval at which the rule is executed.
  • ConfigRuleId: the ID of the rule.
  • EventSource: the source of the event.
  • RegionIdsScope: the region IDs of the rule.
  • ConfigRuleArn: the ARN of the rule.
  • ConfigRuleTriggerTypes: the trigger type of the rule.
  • ResourceGroupIdsScope: the resource group IDs of the rule.
  • RiskLevel: the risk level of the rule.
  • ResourceTypesScope: the types of the resources that are evaluated based on the rule.
  • RuleName: the name of the rule.
  • InputParameters: the settings of the input parameters for the rule.

Examples

JSON format

{
  "Parameters": {
    "Description": {
      "Default":"test",
      "Type": "String",
      "Description": "The description of the rule"
    },
    "SourceOwner": {
      "Type": "String",
      "Description": "Specifies whether you or Alibaba Cloud owns and manages the rule. Valid values:  CUSTOM_FC: The rule is a custom rule and you own the rule. ALIYUN: The rule is a managed rule and Alibaba Cloud owns the rule",
      "Default": "ALIYUN"
    },
    "SourceIdentifier": {
      "Type": "String",
      "Description": "The identifier of the rule.  For a managed rule, the value is the name of the managed rule. For a custom rule, the value is the ARN of the custom rule",
      "Default": "ecs-instances-in-vpc"
    },
    "ConfigRuleTriggerTypes": {
      "Type": "String",
      "Description": "The trigger type of the rule. Valid values:  ConfigurationItemChangeNotification: The rule is triggered upon configuration changes. ScheduledNotification: The rule is triggered as scheduled.",
      "Default": "ConfigurationItemChangeNotification"
    },
    "RiskLevel": {
      "Type": "Number",
      "Description": "The risk level of the resources that are not compliant with the rule. Valid values:  1: critical 2: warning 3: info",
      "Default": 3
    },
    "ResourceTypesScope": {
      "Type": "Json",
      "Description": "The types of the resources to be evaluated against the rule",
      "Default": ["ACS::ECS::Instance"]
    },
    "RuleName": {
      "Type": "String",
      "Description": "The name of the rule.",
      "Default": "MyRule"
    }
  },
  "ROSTemplateFormatVersion": "2015-09-01",
  "Outputs": {
    "TagKeyScope": {
      "Description": "The rule monitors the tag key, only applies to rules created based on managed rules",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "TagKeyScope"
        ]
      }
    },
    "TagValueScope": {
      "Description": "The rule monitors the tag value, only applies to rules created based on managed rules",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "TagValueScope"
        ]
      }
    },
    "Description": {
      "Description": "The description of the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "Description"
        ]
      }
    },
    "ExcludeResourceIdsScope": {
      "Description": "The rule monitors excluded resource IDs, multiple of which are separated by commas, only applies to rules created based on managed rules; for a custom rule this field is empty",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ExcludeResourceIdsScope"
        ]
      }
    },
    "SourceOwner": {
      "Description": "Specifies whether you or Alibaba Cloud owns and manages the rule. Valid values:  CUSTOM_FC: The rule is a custom rule and you own the rule. ALIYUN: The rule is a managed rule and Alibaba Cloud owns the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "SourceOwner"
        ]
      }
    },
    "SourceIdentifier": {
      "Description": "The identifier of the rule.  For a managed rule, the value is the name of the managed rule. For a custom rule, the value is the ARN of the custom rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "SourceIdentifier"
        ]
      }
    },
    "MaximumExecutionFrequency": {
      "Description": "The frequency of the compliance evaluations. Valid values:  One_Hour Three_Hours Six_Hours Twelve_Hours TwentyFour_Hours",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "MaximumExecutionFrequency"
        ]
      }
    },
    "ConfigRuleId": {
      "Description": "The ID of the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ConfigRuleId"
        ]
      }
    },
    "EventSource": {
      "Description": "The event source of the rule.",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "EventSource"
        ]
      }
    },
    "RegionIdsScope": {
      "Description": "The rule monitors region IDs, separated by commas, only applies to rules created based on managed rules",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "RegionIdsScope"
        ]
      }
    },
    "ConfigRuleArn": {
      "Description": "The ARN of the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ConfigRuleArn"
        ]
      }
    },
    "ConfigRuleTriggerTypes": {
      "Description": "The trigger type of the rule. Valid values:  ConfigurationItemChangeNotification: The rule is triggered upon configuration changes. ScheduledNotification: The rule is triggered as scheduled.",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ConfigRuleTriggerTypes"
        ]
      }
    },
    "ResourceGroupIdsScope": {
      "Description": "The rule monitors resource group IDs, separated by commas, only applies to rules created based on managed rules",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ResourceGroupIdsScope"
        ]
      }
    },
    "RiskLevel": {
      "Description": "The risk level of the resources that are not compliant with the rule. Valid values:  1: critical 2: warning 3: info",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "RiskLevel"
        ]
      }
    },
    "ResourceTypesScope": {
      "Description": "The types of the resources to be evaluated against the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ResourceTypesScope"
        ]
      }
    },
    "RuleName": {
      "Description": "The name of the rule.",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "RuleName"
        ]
      }
    },
    "InputParameters": {
      "Description": "The settings of the input parameters for the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "InputParameters"
        ]
      }
    }
  },
  "Resources": {
    "ConfigRule": {
      "Type": "ALIYUN::Config::Rule",
      "Properties": {
        "Description": {
          "Ref": "Description"
        },
        "SourceOwner": {
          "Ref": "SourceOwner"
        },
        "SourceIdentifier": {
          "Ref": "SourceIdentifier"
        },
        "ConfigRuleTriggerTypes": {
          "Ref": "ConfigRuleTriggerTypes"
        },
        "RiskLevel": {
          "Ref": "RiskLevel"
        },
        "ResourceTypesScope": {
          "Ref": "ResourceTypesScope"
        },
        "RuleName": {
          "Ref": "RuleName"
        }
      }
    }
  }
}
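
Added example (not part of the original documentation or of Alibaba Cloud's tooling): a pre-deployment lint, in Python, that checks ALIYUN::Config::Rule resources in a template against the constraints listed in the Properties table. It flags scope properties that have no effect on a custom rule and resource exclusions that narrow a managed rule's coverage. The function names, the sample template, its parameter name Level and the placeholder ARN are constructed for illustration; only literal values and Ref defaults are resolved.

```python
# Constraints transcribed from the Properties table on this page.
REQUIRED = {"SourceOwner", "SourceIdentifier", "ConfigRuleTriggerTypes",
            "RiskLevel", "ResourceTypesScope", "RuleName"}
VALID = {
    "SourceOwner": ("ALIYUN", "CUSTOM_FC"),
    "ConfigRuleTriggerTypes": ("ConfigurationItemChangeNotification", "ScheduledNotification"),
    "MaximumExecutionFrequency": ("One_Hour", "Three_Hours", "Six_Hours",
                                  "Twelve_Hours", "TwentyFour_Hours"),
    "RiskLevel": ("1", "2", "3"),
}
# Scope properties that only take effect when SourceOwner is ALIYUN.
MANAGED_ONLY = {"TagKeyScope", "TagValueScope", "ExcludeResourceIdsScope",
                "RegionIdsScope", "ResourceGroupIdsScope"}

def resolve(value, params):
    """Replace {"Ref": name} with that parameter's Default (None if absent)."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return params.get(value["Ref"], {}).get("Default")
    return value

def lint_config_rules(template):
    """Return (resource name, message) findings for ALIYUN::Config::Rule resources."""
    params, findings = template.get("Parameters", {}), []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "ALIYUN::Config::Rule":
            continue
        props = {k: resolve(v, params) for k, v in res.get("Properties", {}).items()}
        for key in sorted(REQUIRED - props.keys()):
            findings.append((name, f"missing required property {key}"))
        for key, allowed in VALID.items():
            val = props.get(key)  # only literal scalars are checked
            if isinstance(val, (str, int)) and str(val) not in allowed:
                findings.append((name, f"{key}={val!r} is not a valid value"))
        owner, excluded = props.get("SourceOwner"), props.get("ExcludeResourceIdsScope")
        if isinstance(owner, str) and owner != "ALIYUN":
            for key in sorted(MANAGED_ONLY & props.keys()):
                findings.append((name, f"{key} has no effect unless SourceOwner is ALIYUN"))
        elif isinstance(excluded, str) and excluded.strip():
            ids = [i.strip() for i in excluded.split(",") if i.strip()]
            findings.append((name, f"{len(ids)} resource ID(s) excluded from evaluation"))
    return findings

# Constructed sample template (not from the page); the ARN is a placeholder.
SAMPLE = {
    "Parameters": {"Level": {"Type": "Number", "Default": 5}},
    "Resources": {"CustomRule": {"Type": "ALIYUN::Config::Rule", "Properties": {
        "SourceOwner": "CUSTOM_FC", "SourceIdentifier": "<function-arn-placeholder>",
        "ConfigRuleTriggerTypes": "ScheduledNotification", "RuleName": "custom-check",
        "RiskLevel": {"Ref": "Level"}, "RegionIdsScope": "cn-hangzhou"}}}}
print(*lint_config_rules(SAMPLE), sep="\n")
```

The exclusion finding is informational: an entry in ExcludeResourceIdsScope removes that resource from evaluation, so each one is worth reviewing when a template changes.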