Background information
The deletion protection feature protects cloud resources from accidental deletion. If deletion protection is enabled for a resource, any attempt to delete that resource fails. This prevents irreversible loss caused by, for example, negligence or delayed communication between team members. This topic describes how to enable deletion protection for multiple resources at a time by using CloudOps Orchestration Service (OOS).
Prerequisites
For information about the prerequisites for enabling deletion protection for an Elastic Compute Service (ECS) instance, see Enable and disable release protection for ECS instances.
For information about the prerequisites for enabling deletion protection for a customer master key (CMK), see Enable deletion protection.
For information about the prerequisites for enabling deletion protection for an ApsaraDB RDS instance, see Enable or disable the release protection feature for an ApsaraDB RDS for PostgreSQL instance.
Procedure
Log on to the OOS console.
In the left-side navigation pane, choose Automated Task > Public Template.
Enter "protection" in the search box. You can view the templates that can be used to protect resources from being released or modified. Select a template based on your business requirements. Then, click Create Execution. In this example, the ACS-ECS-BulkyEnableDeletionProtection template is selected.
In the Basic Information step, click Next Step: Parameter Settings.
In the Parameter Settings step, select the resources for which you want to enable deletion protection by using one of the following methods: Manually Select Instances, Specify Instance Tags, Specify Resource Group, Upload CSV File, Select All, or Specify Inventory Conditions. Then, click Next Step: OK.
Click Create.
View the execution results.
Appendix 1: Public template and logic
Logic of the ACS-ECS-BulkyEnableDeletionProtection template
FormatVersion: OOS-2019-06-01
Description:
  en: Bulky enable instances deletionprotection
  name-en: ACS-ECS-BulkyEnableDeletionProtection
  categories:
    - security
Parameters:
  regionId:
    Type: String
    Label:
      en: RegionId
    AssociationProperty: RegionId
    Default: '{{ ACS::RegionId }}'
  targets:
    Type: Json
    Label:
      en: TargetInstance
    AssociationProperty: Targets
    AssociationPropertyMetadata:
      ResourceType: ALIYUN::ECS::Instance
      RegionId: regionId
  rateControl:
    Label:
      en: RateControl
    Type: Json
    AssociationProperty: RateControl
    Default:
      Mode: Concurrency
      MaxErrors: 0
      Concurrency: 10
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
    Type: String
    Default: OOSServiceRole
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  - Name: getInstance
    Description:
      en: Views the ECS instances
    Action: ACS::SelectTargets
    Properties:
      ResourceType: ALIYUN::ECS::Instance
      RegionId: '{{ regionId }}'
      Filters:
        - '{{ targets }}'
    Outputs:
      instanceIds:
        Type: List
        ValueSelector: Instances.Instance[].InstanceId
  - Name: enableInstanceDeletionProtection
    Action: ACS::ECS::EnableInstanceDeletionProtection
    Description:
      en: Enable instances deletionprotection
    Properties:
      regionId: '{{ regionId }}'
      instanceId: '{{ ACS::TaskLoopItem }}'
      deletionProtection: true
    Loop:
      RateControl: '{{ rateControl }}'
      Items: '{{ getInstance.instanceIds }}'
Metadata:
  ALIYUN::OOS::Interface:
    ParameterGroups:
      - Parameters:
          - regionId
          - targets
        Label:
          default:
            en: Select Ecs Instances
      - Parameters:
          - rateControl
          - OOSAssumeRole
        Label:
          default:
            en: Control Options
The template executes the following tasks in sequence:
Obtain the ECS instances that you want to manage.
Enable deletion protection for multiple ECS instances at a time.
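To confirm the outcome independently of the OOS execution page, the following added example (not part of the public template or of Alibaba Cloud's own code) audits responses shaped like ECS DescribeInstances output and reports targets that are still unprotected or were never matched. It walks the same Instances.Instance[] path as the template's ValueSelector and reads the DeletionProtection field of each instance; the sample pages, instance IDs, and function names are constructed for this example.

```python
# Constructed sample data: two pages shaped like ECS DescribeInstances
# responses. Instance IDs and values are made up for this example.
SAMPLE_PAGES = [
    {"Instances": {"Instance": [
        {"InstanceId": "i-example0001", "DeletionProtection": True},
        {"InstanceId": "i-example0002", "DeletionProtection": False},
    ]}},
    {"Instances": {"Instance": [
        {"InstanceId": "i-example0003"},  # flag absent from the response
        {"InstanceId": "i-example0004", "DeletionProtection": True},
    ]}},
]


def select_instances(response):
    """Walk the path used by the template's ValueSelector
    (Instances.Instance[]), tolerating empty or missing keys."""
    return (response.get("Instances") or {}).get("Instance") or []


def audit_deletion_protection(pages, target_ids):
    """Classify every target as protected, unprotected, or not_found.

    A missing DeletionProtection field counts as unprotected (fail closed),
    and a target absent from all pages is reported instead of ignored.
    """
    state = {}
    for page in pages:
        for inst in select_instances(page):
            state[inst["InstanceId"]] = inst.get("DeletionProtection") is True
    report = {"protected": [], "unprotected": [], "not_found": []}
    for iid in target_ids:
        if iid not in state:
            report["not_found"].append(iid)
        elif state[iid]:
            report["protected"].append(iid)
        else:
            report["unprotected"].append(iid)
    return report


if __name__ == "__main__":
    targets = ["i-example0001", "i-example0002", "i-example0003",
               "i-example0004", "i-example0005"]
    result = audit_deletion_protection(SAMPLE_PAGES, targets)
    for status, ids in result.items():
        print(f"{status}: {', '.join(ids) or '-'}")
    # Non-zero exit lets a scheduled job or CI step flag the gap.
    raise SystemExit(1 if result["unprotected"] or result["not_found"] else 0)
```

The not_found bucket matters when targets are chosen by tag or resource group: an instance that was mislabeled is never selected by the getInstance task, so the execution can succeed while that instance stays unprotected.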