Resource Management: Create a tag policy

Last Updated: Mar 15, 2024

You can create a tag policy and use this tag policy to standardize the tags that are added to your resources.

Procedure

  1. Log on to the Resource Management console.

  2. In the left-side navigation pane, choose Tag Policy > Policy Library.

  3. On the Policy Library page, click the Resource Directory or Current Account tab.

    Note

    If you do not enable the Tag Policy feature in resource directory mode, skip this step.

  4. Click Create Tag Policy.

  5. In the Basic Information section, configure Policy Name and Policy Description.

  6. In the Policy Details section, configure the policy details in one of the following modes:

    • Quick Mode (recommended)

      Select a policy scenario and configure rules based on your business requirements.

      • Add Tags with Specified Tag Values to Resources

        In a tag policy, you can specify tags that must be added to resources. You can also enable features such as automatic detection, automatic remediation, and pre-event interception for non-compliant tags based on the execution modes you specify for the tag policy.

        | Parameter | Description |
        | --- | --- |
        | Tag Key | Enter a tag key. |
        | Specify Allowed Tag Values | The tag value that is allowed for the tag key. You can specify multiple tag values. You can also use an asterisk (*) as a wildcard to indicate any tag values. |

        Policy Execution Mode

        • Post-detection

          Post-detection is the default execution mode of a tag policy used in this scenario. You can view the detection results on the Detection Results page. You can enable the following detection rules based on your business requirements:

          • Specify Resource Types for Detection: By default, post-detection is performed for all the supported types of resources. You can specify resource types based on your business requirements. If you specify resource types, post-detection is performed only for the specified types of resources.

          • Specify Resource Groups: By default, post-detection is performed for resources in all resource groups. You can specify resource groups based on your business requirements. You can specify up to 20 resource groups.

            Note

            The Tag Policy feature in resource directory mode does not support the Specify Resource Groups parameter.

          • Set Region Scope: By default, post-detection is performed for resources in all regions. You can specify regions based on your business requirements. You can specify up to 20 regions.

          • Automatic Remediation: If you select this option, the system automatically remediates non-compliant tags. You need to specify compliant tag values and the resource scope for automatic remediation. You can specify the resource scope only by using tags.

        • Pre-event Interception

          When you create a resource or add tags to an existing resource, the system performs a check. If the tags defined in the tag policy are not added to the resource, the resource creation or tag addition operation fails. The following descriptions provide details:

          • Scenario 1: Intercept non-compliant tags when you create a resource.

            Situations in which non-compliant tags exist

            • Situation 1: When you create a resource, you add a tag whose key is defined in a tag policy to the resource. However, the value of the tag is not defined in the tag policy.

            • Situation 2: When you create a resource, the tag key that is defined in a tag policy is not added to the resource.

            Default feature and feature in invitational preview

            • Default feature: Pre-event interception of non-compliant tags is triggered only in Situation 1. For information about the resource types and API operations that support the default feature, see the API operation that supports pre-event interception of non-compliant tags column in the Services that support tag policies section of the Overview topic.

            • Feature in invitational preview: Pre-event interception of non-compliant tags is triggered in both Situation 1 and Situation 2. If you want to use the feature in invitational preview, you must contact the customer business manager (CBM) of Alibaba Cloud to apply for a trial. For information about the resource types and API operations that support the feature in invitational preview, see the API operation that supports pre-event interception of non-compliant tags when you create a resource column in the Services that support tag policies section of the Overview topic.

            Example

            A tag policy that defines the CostCenter:Beijing tag for Elastic Compute Service (ECS) instances is created and attached to an Alibaba Cloud account. When you create an ECS instance within the Alibaba Cloud account, you must add the tag to the instance. Otherwise, the instance fails to be created.

            • Default feature: When you create the instance, the system checks tag compliance of the instance based only on the tag key CostCenter. The check is triggered regardless of the case of the tag key. If a tag such as CostCenter:Beijing is added to the instance, the tag is compliant and the instance can be successfully created. If a tag such as costcenter:Shanghai is added to the instance, the tag is non-compliant and the instance cannot be created.

            • Feature in invitational preview: The system also checks whether the tag key CostCenter is added to the instance when you create the instance. If the tag CostCenter:Beijing is not added to the instance, the instance fails to be created.

          • Scenario 2: Intercept non-compliant tags when you add tags to a resource.

            When you add tags to a resource, the system checks whether the tag keys and tag values of the tags meet the requirements of a tag policy. You can add tags to the resource only if the tag keys and tag values of the tags meet the requirements of the tag policy.

      • Automatically Inherit Tags for Resources from Resource Groups

        After you add tags to a resource group, you can configure a tag policy to use the automatic tag inheritance feature. This feature allows resources that are added to or created in a resource group to automatically inherit the tags that are added to the resource group.

        | Parameter | Description |
        | --- | --- |
        | Tag Key | Enter a tag key. |
        | Specify Resource Types for Detection | By default, all the supported types of resources are detected. You can specify resource types based on your business requirements. If you specify resource types, only the specified types of resources are detected. |
        | Specify Resource Groups | By default, resources in all resource groups are detected. You can specify resource groups based on your business requirements. You can specify up to 20 resource groups. Note: The Tag Policy feature in resource directory mode does not support the Specify Resource Groups parameter. |
        | Specify IDs of Resources to Be Excluded | You can specify the IDs of resources that do not inherit tags from the resource groups to which the resources belong. You can specify up to 20 resource IDs. |
        | Set Region Scope | By default, resources in all regions are detected. You can specify regions based on your business requirements. You can specify up to 20 regions. |

      • Match Tag Values with Specified Regular Expression

        You can specify a regular expression in a tag policy to limit the format of tag values. Tag values that do not match the regular expression can be automatically remediated.

        | Parameter | Description |
        | --- | --- |
        | Tag Key | Enter a tag key. |
        | Specify Allowed Tag Values | Enter a regular expression to limit the format of tag values. |
        | Policy Execution Mode | Post-detection is the default execution mode of a tag policy used in this scenario. You can view the detection results on the Detection Results page. You can enable the following detection rules based on your business requirements: |

        • Specify Resource Types for Detection: By default, post-detection is performed for all the supported types of resources. You can specify resource types based on your business requirements. If you specify resource types, post-detection is performed only for the specified types of resources.

        • Specify Resource Groups: By default, post-detection is performed for resources in all resource groups. You can specify resource groups based on your business requirements. You can specify up to 20 resource groups.

          Note

          The Tag Policy feature in resource directory mode does not support the Specify Resource Groups parameter.

        • Set Region Scope: By default, post-detection is performed for resources in all regions. You can specify regions based on your business requirements. You can specify up to 20 regions.

        • Automatic Remediation: If you select this option, the system automatically remediates non-compliant tags. You need to specify compliant tag values and the resource scope for automatic remediation. You can specify the resource scope only by using tags.

      You can click Add Policy Scenario and Tag Key to configure rules for multiple policy scenarios and tag keys.

    • JSON

      In this mode, you specify the policy details in JSON format. Use this mode if you have advanced requirements for tag policies. Before you use this mode, make sure that you are familiar with the syntax of a tag policy. For more information, see Syntax of a tag policy.

  7. Click Create.
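
The pre-event interception behavior described in step 6 (Scenario 1, with the CostCenter:Beijing example) can be modeled as follows. This is an added example, not Alibaba Cloud code: the function names, the `require_keys` switch, and the policy dictionary are hypothetical, and exact matching of tag values and treating only a bare `*` as a wildcard are assumptions.

```python
# Added model of pre-event interception at resource creation. The matching
# rules are assumptions taken from the page's CostCenter example: tag keys
# compare case-insensitively, values compare exactly, "*" allows any value.

POLICY = {"CostCenter": ["Beijing"]}  # constructed from the page's example


def find_policy_key(policy, tag_key):
    """Return the policy key that matches tag_key ignoring case, else None."""
    for key in policy:
        if key.lower() == tag_key.lower():
            return key
    return None


def check_create(policy, tags, require_keys=False):
    """Return the violations that would block creation (empty list = allowed).

    require_keys=False models the default feature (Situation 1 only).
    require_keys=True models the invitational preview (Situations 1 and 2).
    """
    violations, seen = [], set()
    for tag_key, value in tags.items():
        policy_key = find_policy_key(policy, tag_key)
        if policy_key is None:
            continue  # key is not governed by the policy
        seen.add(policy_key)
        allowed = policy[policy_key]
        if "*" not in allowed and value not in allowed:
            violations.append(f"{tag_key}:{value} is not allowed for {policy_key}")
    if require_keys:
        for policy_key in policy:
            if policy_key not in seen:
                violations.append(f"required tag key {policy_key} is missing")
    return violations


if __name__ == "__main__":
    for tags in ({"CostCenter": "Beijing"}, {"costcenter": "Shanghai"}, {}):
        for preview in (False, True):
            result = check_create(POLICY, tags, require_keys=preview)
            mode = "preview" if preview else "default"
            print(f"{mode:8} {tags!r:30} -> {result or 'allowed'}")
```

Under the default feature, a resource created without the CostCenter key passes the check, which is the case the feature in invitational preview also intercepts.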
