
Use Alibaba Cloud ActionTrail to Propagate Tags from Parent Resources to Child Resources

This tutorial explains how to propagate tags from parent resources to child resources using Alibaba Cloud ActionTrail.

Tags are widely used in resource management, billing, automation, and access control. They make resources easy to search and group. However, managing a large number of tags manually is a challenge for many users, especially when the same tags have to be applied repeatedly across a cluster of resources.

There are many scenarios where users have to create a parent resource and multiple child resources to build a working component. For example, users usually have to create an ECS instance along with a disk (and sometimes an image). The disk accumulates snapshots over time. Since the disk and image belong to the same ECS instance, users tend to mark them with the same tags inherited from the parent resource. Currently, users have to apply the parent's tags to each child resource manually. Another example is VPC. A VPC has vSwitch, Route Table, NAT Gateway, and VPN Gateway as child resources, and a NAT Gateway has its own child resource, an EIP. We often hear that users would like child resources to inherit tags automatically from the VPC when they are created.

This article will present a solution that will inherit parent tags automatically when creating child resources. We will use the VPC scenario as an example to walk through the solution, but this approach is generic and can be extended to other similar scenarios.

Goals

The following diagram shows the relationship between resources:

[Diagram: VPCTag_drawio]

This solution will achieve two goals:

  1. Inherit tags from the parent automatically when creating new child resources
  2. Inherit tags from the parent automatically when adding new tags to the parent

Solution Overview

This solution uses the following cloud services: ActionTrail, EventBridge, and Function Compute.

These services are orchestrated as shown below:

[Diagram: arch_drawio]

ActionTrail continuously records operations on the VPC instance and its child resources. Every log entry is routed to EventBridge, where rules discard the entries we do not want. We will create two rules: Rule 1 selects the operations that tag VPCs, and Rule 2 selects the operations that create VPC child resources. Each rule has a function as its target, which updates tags accordingly.

Solution Walkthrough

We will walk through the configurations of each service in this pipeline step by step:

Prerequisites

You need the following to complete the steps in this walkthrough:

  • An Alibaba Cloud account
  • A basic understanding of Node.js, Alibaba Cloud Open APIs, and Alibaba Cloud CLI
  • Make sure to do the following steps in the same region

ActionTrail

ActionTrail is enabled by default. No extra configuration is necessary.

Create a RAM Service Role

To tag resources in a function, a service role with VPC and Tag permissions must be assigned to it.

  1. Go to RAM → Roles → Create Role
  2. Select Alibaba Cloud Service

[Screenshot: ServiceRole]

Configure the trust policy:

  1. Name the Role TagVPCRole
  2. Select Function Compute as a trusted service

[Screenshot: TagVPCRole]

We need to add three policies to the role: AliyunVPCReadOnlyAccess, AliyunLogFullAccess, and AliyunTagAdministratorAccess. These are system policies with a broad scope; if your environment requires least privilege, replace them with a custom policy limited to the actions the two functions actually call.

[Screenshot: Policies]

Create a Service

1.  Go to Function Compute

2.  Click on Services and Functions

3.  Create Service with the name VPCTagService

4.  Find the service in the service list

5.  Click on Configure

6.  In the Role Settings section, select the role TagVPCRole

[Screenshot: RoleSettings]

7.  Save the update

Create a Function for Rule 1

This step will create a function for Rule 1 to inherit tags from the parent when adding new tags to the parent:

1.  Go to Function Compute → Services → Functions

2.  Click on Create Function and create a Func01 as shown below:

[Screenshot: CreateFunction]

3.  You will be redirected to the function editor page. Click on Upload Code and select Upload ZIP Package

[Screenshot: UploadCode]

4.  Upload the zip file from here

5.  Make sure to click on "Save and Deploy" (保存和部署)

Create a Function for Rule 2

This step will create a function for Rule 2 to inherit tags from the parent when adding new resources to the parent:

1.  Go to Function Compute → Services → Functions

2.  Click on Create Function and create a Func02 as shown below:

[Screenshot: func02]

3.  You will be redirected to the function editor page. Click on Upload Code and select Upload ZIP Package

[Screenshot: UploadCode]

4.  Upload the zip file from here

5.  Make sure to click on "Save and Deploy" (保存和部署)
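What the two uploaded functions have to do, as an added Node.js example that is not the code from the article's ZIP packages: func01 fans the parent's new tags out to every child of the tagged VPC, and func02 copies the parent's tags onto a freshly created child. The cloud APIs are replaced by an in-memory stand-in so the logic runs offline. The event layout (data.requestParameters, data.responseElements) and the parameter names read from it (ResourceType, ResourceId, Tag, VpcId, InstanceId, AllocationId and the *Id fields of the response) are assumptions about how ActionTrail records these calls; the inventory and the events are constructed.

```javascript
// Added example, not the article's ZIP code. The event field layout and
// parameter names below are an assumed ActionTrail shape.

// In-memory stand-in for the VPC (read-only) and Tag (write) APIs.
class FakeCloud {
  constructor() {
    this.resources = new Map(); // id -> { type, parentId, tags }
  }
  add(id, type, parentId = null, tags = {}) {
    this.resources.set(id, { type, parentId, tags: { ...tags } });
    return this;
  }
  // Children of a parent (a VPC, or a NAT gateway for its EIP).
  listChildren(parentId) {
    return [...this.resources.entries()]
      .filter(([, r]) => r.parentId === parentId)
      .map(([id, r]) => ({ id, type: r.type }));
  }
  getTags(id) {
    return { ...(this.resources.get(id)?.tags ?? {}) };
  }
  // TagResources semantics: an existing key receives the new value.
  tagResource(id, tags) {
    const r = this.resources.get(id);
    if (!r) throw new Error(`unknown resource ${id}`);
    Object.assign(r.tags, tags);
  }
}

// Tags arrive as a list of { Key, Value }; normalise to a plain object.
function tagListToObject(list) {
  return Object.fromEntries((list ?? []).map((t) => [t.Key, t.Value]));
}

// func01: TagResources on a VPC -> apply the same tags to every descendant
// (depth-first, so a NAT gateway's EIP is reached too). Calls that tag a
// non-VPC resource are ignored. Returns the ids that were tagged.
function propagateOnParentTagged(event, cloud) {
  const params = event.data.requestParameters ?? {};
  const tagged = [];
  if (params.ResourceType !== 'VPC') return tagged;
  const tags = tagListToObject(params.Tag);
  if (Object.keys(tags).length === 0) return tagged;
  const stack = [...(params.ResourceId ?? [])];
  while (stack.length > 0) {
    const parentId = stack.pop();
    for (const child of cloud.listChildren(parentId)) {
      cloud.tagResource(child.id, tags);
      tagged.push(child.id);
      stack.push(child.id);
    }
  }
  return tagged;
}

// func02: a child was created (or an EIP associated) -> copy the parent's
// tags onto it, keeping any key the child already carries. Returns the
// tags applied, or null when the event has no parent (e.g. a VPC creation).
function propagateOnChildCreated(event, cloud) {
  const params = event.data.requestParameters ?? {};
  const out = event.data.responseElements ?? {};
  const parentId = params.VpcId ?? params.InstanceId;
  const childId = out.VSwitchId ?? out.RouteTableId ?? out.NatGatewayId ??
    out.VpnGatewayId ?? params.AllocationId;
  if (!parentId || !childId) return null;
  const existing = cloud.getTags(childId);
  const toApply = Object.fromEntries(
    Object.entries(cloud.getTags(parentId)).filter(([k]) => !(k in existing)),
  );
  if (Object.keys(toApply).length > 0) cloud.tagResource(childId, toApply);
  return toApply;
}

// Constructed inventory: a VPC with a vSwitch and a NAT gateway owning an EIP.
function buildSampleCloud() {
  return new FakeCloud()
    .add('vpc-1', 'ACS::VPC::VPC', null, { team: 'net' })
    .add('vsw-1', 'ACS::VPC::VSwitch', 'vpc-1')
    .add('ngw-1', 'ACS::VPC::NatGateway', 'vpc-1', { env: 'staging' })
    .add('eip-1', 'ACS::EIP::EipAddress', 'ngw-1');
}

// Constructed events in the assumed layout.
const TAG_VPC_EVENT = {
  type: 'vpc:ActionTrail:ApiCall', source: 'acs.vpc',
  data: { eventName: 'TagResources', serviceName: 'Vpc',
    requestParameters: { ResourceType: 'VPC', ResourceId: ['vpc-1'],
      Tag: [{ Key: 'cost-center', Value: '42' }] } },
};
const CREATE_VSWITCH_EVENT = {
  type: 'vpc:ActionTrail:ApiCall', source: 'acs.vpc',
  data: { eventName: 'CreateVSwitch', serviceName: 'Vpc',
    requestParameters: { VpcId: 'vpc-1' }, responseElements: { VSwitchId: 'vsw-2' } },
};

const demo = buildSampleCloud();
console.log('rule 1 tagged:', propagateOnParentTagged(TAG_VPC_EVENT, demo));
demo.add('vsw-2', 'ACS::VPC::VSwitch', 'vpc-1');
console.log('rule 2 applied:', propagateOnChildCreated(CREATE_VSWITCH_EVENT, demo));
```

Two checks are worth keeping in the real functions. Rule 1 matches any TagResources call under the Vpc service, so func01 verifies that the tagged resource is a VPC before fanning out; and Rule 2's resource type list includes ACS::VPC::VPC, so func02 returns without acting when the event carries no parent, as for the creation of the VPC itself.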

EventBridge

The default event bus receives all operations from ActionTrail. However, we do not want to trigger a function execution for every log entry. We are only interested in two types of operations: tagging a VPC and creating a VPC child resource. We need two rules, each capturing one of these operations from the VPC logs.

Create Rule 1

The first rule is named TagVPC. It selects only the TagResources events on VPCs.

1.  Go to Event Buses → Default →
Event Pattern:

{
    "data": {
        "eventName": [
            "TagResources"
        ],
        "serviceName": [
            "Vpc"
        ]
    },
    "source": [
        "acs.vpc"
    ],
    "type": [
        "vpc:ActionTrail:AliyunServiceEvent",
        "vpc:ActionTrail:ApiCall",
        "vpc:ActionTrail:ConsoleOperation"
    ]
}

Add func01 as the target

The target of each EventBridge rule has to be set to the corresponding function:

2.  Select Function Compute as the Service Type and set the Function to func01 for the rule TagVPC and func02 for the rule CreateVPCResources

[Screenshot: EditRule]

Alternatively, go to EventBridge → Event Buses → Default → Event Rules → Edit Targets

[Screenshot: EditTargets]

Create Rule 2

The second rule is named CreateVPCResources. It selects the events that create VPC child resources.

1. Define Event Pattern

{
    "data": {
        "resourceType": [
            "ACS::VPC::NatGateway",
            "ACS::VPNGateway::VpnGateway",
            "ACS::ECS::Instance;ACS::EIP::EipAddress",
            "ACS::VPC::VSwitch;ACS::VPC::VPC",
            "ACS::VPC::RouteTable;ACS::VPC::VPC",
            "ACS::VPC::VPC"
        ],
        "eventName": [
            "Create",
            "AssociateEipAddress",
            "CreateVSwitch",
            "CreateRouteTable"
        ]
    },
    "source": [
        "acs.vpc"
    ],
    "type": [
        "vpc:ActionTrail:AliyunServiceEvent",
        "vpc:ActionTrail:ApiCall",
        "vpc:ActionTrail:ConsoleOperation"
    ]
}

2. Add func02 as the target in the same way as described above
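To see which of the two rules a given ActionTrail record would match, the following matcher is added here as an example; it is not part of the article and is run over constructed events. It assumes the basic EventBridge matching semantics (every key in the pattern must appear in the event, an array lists the accepted values for that key, nested objects are matched recursively); consult the EventBridge documentation for the full pattern syntax.

```javascript
// Added example, not from the article. Matching semantics are an
// assumption modelled on basic EventBridge rules: pattern keys are ANDed,
// array entries are the accepted values (OR), objects nest.

const EVENT_TYPES = [
  'vpc:ActionTrail:AliyunServiceEvent',
  'vpc:ActionTrail:ApiCall',
  'vpc:ActionTrail:ConsoleOperation',
];

// Rule 1 (TagVPC) and Rule 2 (CreateVPCResources), as defined above.
const RULE_TAG_VPC = {
  data: { eventName: ['TagResources'], serviceName: ['Vpc'] },
  source: ['acs.vpc'],
  type: EVENT_TYPES,
};
const RULE_CREATE_VPC_RESOURCES = {
  data: {
    resourceType: [
      'ACS::VPC::NatGateway', 'ACS::VPNGateway::VpnGateway',
      'ACS::ECS::Instance;ACS::EIP::EipAddress', 'ACS::VPC::VSwitch;ACS::VPC::VPC',
      'ACS::VPC::RouteTable;ACS::VPC::VPC', 'ACS::VPC::VPC',
    ],
    eventName: ['Create', 'AssociateEipAddress', 'CreateVSwitch', 'CreateRouteTable'],
  },
  source: ['acs.vpc'],
  type: EVENT_TYPES,
};

// True when every key of the pattern is satisfied by the event.
function matchesPattern(pattern, event) {
  if (typeof event !== 'object' || event === null) return false;
  for (const [key, want] of Object.entries(pattern)) {
    if (!(key in event)) return false;
    const have = event[key];
    if (Array.isArray(want)) {
      // Leaf: the event value (or any element of a list value) must be listed.
      const values = Array.isArray(have) ? have : [have];
      if (!values.some((v) => want.includes(v))) return false;
    } else if (typeof want !== 'object' || want === null || !matchesPattern(want, have)) {
      return false;
    }
  }
  return true;
}

// Names of the rules whose pattern matches, i.e. which functions would run.
function matchingRules(event) {
  return [['TagVPC', RULE_TAG_VPC], ['CreateVPCResources', RULE_CREATE_VPC_RESOURCES]]
    .filter(([, pattern]) => matchesPattern(pattern, event))
    .map(([name]) => name);
}

// Builds a constructed event in the shape the patterns inspect.
function vpcEvent(eventName, resourceType, type = 'vpc:ActionTrail:ApiCall') {
  return { type, source: 'acs.vpc', data: { eventName, serviceName: 'Vpc', resourceType } };
}

const SAMPLE_EVENTS = {
  tagVpc: vpcEvent('TagResources', 'ACS::VPC::VPC'),
  tagVSwitch: vpcEvent('TagResources', 'ACS::VPC::VSwitch'),
  createVSwitch: vpcEvent('CreateVSwitch', 'ACS::VPC::VSwitch;ACS::VPC::VPC'),
  createVpc: vpcEvent('Create', 'ACS::VPC::VPC', 'vpc:ActionTrail:AliyunServiceEvent'),
  describeVpcs: vpcEvent('DescribeVpcs', 'ACS::VPC::VPC'),
  otherSource: { ...vpcEvent('CreateVSwitch', 'ACS::VPC::VSwitch;ACS::VPC::VPC'), source: 'acs.ecs' },
};

for (const [name, event] of Object.entries(SAMPLE_EVENTS)) {
  console.log(name.padEnd(14), matchingRules(event));
}
```

Two consequences of the patterns as written show up in the output. Rule 1 also fires for TagResources on a vSwitch or any other resource under the Vpc service, because it constrains only eventName and serviceName; and Rule 2 fires for the creation of the VPC itself, because ACS::VPC::VPC is among the listed resource types. Either tighten the pattern or have the functions check the resource before acting, so that a function which fans tags out on every invocation does not run on unintended events.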

Conclusion

This article explained how to propagate tags from a parent resource to its child resources with ActionTrail, EventBridge, and Function Compute. VPC is used as an example, but this idea can be extended to other similar resources.

Chenyue Gao (高晨悦)