tencent cloud


Policy Syntax

Last updated: 2024-05-21 17:45:40
    A policy is composed of several sub-statements. Each sub-statement contains the following elements: policy_key, tag_key, tag_value, effective scope, etc.

    Syntax Format

    The policy syntax is based on the JSON format. If a created or updated policy does not meet the JSON format requirement, it cannot be successfully submitted and cannot take effect. Therefore, you must ensure that the JSON format is correct.

    Syntax Conventions

    The following is the general syntax of tag policies:
    Specified Value

    {
        "tags": {
            "Principal (Person in Charge)": {
                "tag_key": {"@@assign": "principal"},
                "tag_value": {"@@assign": ["name 1"]},
                "resource_type_scope": {"@@assign": ["ecs:instance", "ecs:disk"]},
                "detection": "on", // Detection is enabled by the system by default. It checks whether the tag value is compliant for the specified resources with the specified tag keys, and it is not shown in the JSON by default.
                "correction": {"@@assign": "on"}, // Automatic repair. It can be enabled when one value is specified; multiple specified values cannot be repaired automatically.
                "auto_assign": {"@@assign": "on"}, // Auto-fill.
                "enforced_for": {"@@assign": ["*"]}, // Enforced.
                "auto_assign_value": {"@@assign": "on"} // Auto-fill - tag value.
            }
        }
    }

    Dynamic Value

    {
        "tags": {
            "Principal (Person in Charge)": {
                "tag_key": {"@@assign": "principal"},
                "tag_value_dynamic": {"@@assign": "on"}, // Enables the dynamic value. The value is determined by the value of the same-named tag key of the sub-user in CAM.
                "resource_type_scope": {"@@assign": ["ecs:instance", "ecs:disk"]},
                "detection": "on", // Detection is enabled by the system by default. It checks whether the tag value is compliant for the specified resources with the specified tag keys, and it is not shown in the JSON by default.
                "correction": {"@@assign": "on"}, // Automatic repair. A dynamic value has only one value, so automatic repair can be enabled.
                "auto_assign": {"@@assign": "on"}, // Auto-fill.
                "enforced_for": {"@@assign": ["*"]}, // Enforced.
                "auto_assign_value": {"@@assign": "on"} // Auto-fill - tag value.
            }
        }
    }
    Elements

    | Element | Required | Description | Description in above example |
    | --- | --- | --- | --- |
    | tags | Yes | A tag policy always starts with tags. tags is always on the first line of a tag policy and is fixed. | tags, which is fixed |
    | policy_key | Yes | Tag key, which identifies a compliant tag key and takes the same value as the policy key. Tag keys are case sensitive. You can define multiple tag keys in a tag policy. | principal is the tag key. |
    | tag_key | Yes | Tag key, which identifies a compliant tag key and takes the same value as the policy key (case-sensitive). You can define multiple tag keys in a tag policy. | principal |
    | tag_value | Yes | Tag value, which identifies a compliant tag value. | The tag value is set to name 1, which makes it a valid value for principal. |
    | resource_type_scope | Yes | The effective scope of resource types for the tag key-value pair. | The effective scope is limited to ecs:instance and ecs:disk. |
    | detection | Yes | Enabled by the system by default. | on enables the detection feature within the resource range where the tag key-value pair is effective. |
    | correction | No | Whether to enable automatic repair. Acts as a switch for whether the tag key-value pair needs automatic repair. | on enables the automatic repair feature within the resource range where the tag key-value pair is effective. |
    | auto_assign | No | Whether to enable auto-fill. Indicates whether the tag key needs to be displayed by default in the Edit Tag position. | on enables the auto-fill feature within the resource range where the tag key is effective. |
    | auto_assign_value | No | Whether to enable auto-fill. Indicates whether the tag value needs to be displayed by default in the Edit Tag position. | on enables the auto-fill feature within the resource range where the tag value is effective. |
    | enforced_for | No | Whether to enable forcible execution. Indicates whether non-compliant tag key-value pairs are blocked. | * enables the forcible execution feature for all resources with the tag key-value pair. |

    Length Limit

    Each policy is limited to 4096 characters. Exceeding this limit will prevent the policy from being submitted. If exceeded, please add a new policy.
    
    
    

    Syntax Effective Rules

    Object

    You can bind a tag policy to multiple user entities (such as the root account and sub-users under the root account), but it will only be valid for the bound user.
    When you bind a tag policy to the root account, it will only affect that root account.
    When you bind a tag policy to a sub-user, it will only affect that sub-user.

    Latency

    When resource tags are operated on, the tag policy is evaluated in real time for the user entity it takes effect on, checking whether the resources are bound to the corresponding key-value pair. The latency of this process is within 10 seconds.

    Priority

    You can bind multiple tag policies to a single user entity, but the earliest bound policy will take effect.

    Operators

    You can use operators to control the calculation rules in the tag policy. Only the assignment operator is currently supported.

    | Operator | Required | Description | Description in above example |
    | --- | --- | --- | --- |
    | @@assign | Yes | This operator is used to assign the specified content to the specified element. | Assign principal to the policy key and tag key; assign name 1 to the tag value; assign ecs:instance,ecs:disk to the effective scope of resource types; assign on to whether the correction feature is enabled |
    