Resource Management provides the Tag Policy feature, which allows you to create and configure tag policies. A tag policy is a type of policy that standardizes the tags that are added to resources. You can use a tag policy to define the tags that must be added to your resources. Compliant tags improve the efficiency of tag-based cost allocation, tag-based access control, and automated O&M. The Tag Policy feature supports the single-account mode and the resource directory mode. The two modes meet your business requirements for standardized tag management at different stages.
Scenarios
As your resources on the cloud increase, you can add tags to the resources to classify them. This way, you can allocate costs by tag and implement automated O&M. Issues may occur when you add tags to a resource. For example, you forget to add tags after you create a resource, you add only some tags such as O&M-related tags but forget to add finance-related tags, or the tags that you add contain spelling errors. If these issues occur, the costs of some resources cannot be allocated based on your business requirements when you allocate costs by tag, or automated O&M operations cannot be performed for some resources. The Tag Policy feature provides solutions to these issues in the following scenarios:
Automatic tag detection
After you create a resource and add tags to the resource, you can use a tag policy to periodically check the following items to determine the tag compliance of the resource:
Whether the tags added to the resource are compliant
Whether the tags defined in the tag policy are added to the resource
Automatic tag detection can help you identify issues at the earliest opportunity.
For more information, see Perform automatic tag detection.
Automatic remediation for tags
If you enable automatic remediation for tags and the remediation rules that you configure match the conditions for triggering automatic remediation, the system remediates the non-compliant tags based on the detection results.
For more information, see Enable automatic tag remediation.
Pre-event interception of non-compliant tags
Automatic tag detection does not start immediately. After a resource is created, non-compliant tags for the resource cannot be detected until automatic tag detection starts. We recommend that you perform standardized tag management when you create a resource. To achieve this, you can use a tag policy to implement pre-event interception of non-compliant tags for a resource type. This way, when you create a resource of this type, the resource can be successfully created only if tags defined in the tag policy are attached to the resource.
By default, pre-event interception of non-compliant tags takes effect only for tags that are defined in a tag policy. After you enable strong verification for pre-event interception of non-compliant tags, the system also performs pre-event interception when you create a resource to which no tags are added or to which other tags are added.
For more information, see Enable pre-event interception of non-compliant tags.
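The following added example (not code from Resource Management or its documentation) models the two detection checks and the difference between default and strong pre-event interception. The policy structure, tag keys, function names, and sample requests are hypothetical, and the model assumes that the default mode validates only policy-defined tags that are present, while strong verification also rejects requests that lack them.

```python
# Hypothetical, simplified policy model: required tag key -> allowed values
# (an empty set means any value is accepted). Not the service's policy syntax.
POLICY = {
    "CostCenter": {"finance", "ops"},
    "Owner": set(),
}


def detect(tags, policy=POLICY):
    """Automatic detection: return a sorted list of findings for one resource."""
    findings = []
    for key, allowed in policy.items():
        if key not in tags:
            findings.append(f"missing:{key}")
        elif allowed and tags[key] not in allowed:
            findings.append(f"noncompliant:{key}={tags[key]}")
    # Flag likely misspellings of policy keys (case or whitespace drift).
    canon = {k.lower(): k for k in policy}
    for key in tags:
        norm = key.strip().lower()
        if key not in policy and norm in canon:
            findings.append(f"misspelled:{key}->{canon[norm]}")
    return sorted(findings)


def intercept(tags, policy=POLICY, strong=False):
    """Pre-event check at creation time: return (allowed, reasons)."""
    reasons = []
    for key, allowed in policy.items():
        if key in tags:
            if allowed and tags[key] not in allowed:
                reasons.append(f"noncompliant:{key}={tags[key]}")
        elif strong:
            # Strong verification also rejects requests that carry no tags
            # or only tags that the policy does not define.
            reasons.append(f"missing:{key}")
    return (not reasons, sorted(reasons))


# Constructed sample creation requests (tag sets), not real resources.
REQUESTS = {
    "untagged": {},
    "other_only": {"team": "blue"},
    "bad_value": {"CostCenter": "fin", "Owner": "alice"},
    "compliant": {"CostCenter": "finance", "Owner": "alice"},
}

if __name__ == "__main__":
    for name, tags in REQUESTS.items():
        print(name, intercept(tags), intercept(tags, strong=True), detect(tags))
```

In this model, the untagged and other-tags-only requests pass the default check and are caught only later by detection, which is the gap that strong verification closes.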
Automatic tag inheritance from a resource group
After you add a tag to a resource group, if you create a resource in or add a resource to the resource group, the tag is automatically added to the resource.
For more information, see Enable automatic tag inheritance from a resource group.
Modes of the Tag Policy feature
Resource Management allows you to enable the Tag Policy feature in single-account mode or in resource directory mode. Choose the mode based on your business scenario and the type of your logon account. The following table describes the two modes.
Scenario | Type of the logon account | Mode of the Tag Policy feature | References |
If your business in the cloud is simple and you use a single Alibaba Cloud account and the RAM users within the Alibaba Cloud account to perform management operations, you can use the Alibaba Cloud account to enable the Tag Policy feature that is in single-account mode. Then, you can use tag policies to manage the tag-related operations performed by using the Alibaba Cloud account or the RAM users. | Alibaba Cloud account that is not the management account or a member of a resource directory | Single-account mode: The Tag Policy feature in this mode can be used to manage tag-related operations performed by using an Alibaba Cloud account or the RAM users within the Alibaba Cloud account. | Use an Alibaba Cloud account to enable the Tag Policy feature |
If your business in the cloud is complex and you use a resource directory to manage all your accounts, you can use the management account of the resource directory to enable the Tag Policy feature that is in resource directory mode. Then, you can use tag policies to manage the tag-related operations performed by using a member of the resource directory. | Management account of a resource directory | You can enable the Tag Policy feature in both modes or in one of the modes based on your business requirements.
| Use the management account of a resource directory to enable the Tag Policy feature |
Member of a resource directory | The following situations may occur based on whether the Tag Policy feature is enabled for a resource directory:
| Use a member of a resource directory to enable the Tag Policy feature |
Limits
Item | Limit |
Maximum number of tag policies you can create when you use the Tag Policy feature that is in single-account mode | 100 |
Maximum number of tag policies you can create when you use the Tag Policy feature that is in resource directory mode | 100 |
Maximum number of characters that each tag policy can contain | 2,048 |
Time required before pre-event interception of non-compliant tags takes effect |
|
Time required before automatic tag detection is started or complete |
|
Time required before automatic remediation is complete | After the system detects resources that lack compliant tags or that have non-compliant tags, it remediates the tags for the resources within 10 minutes. |
Best practices
Services that support tag policies
Service | Service code | Resource type | Support for automatic tag detection and automatic tag remediation | Support for automatic tag inheritance from a resource group | Support for pre-event interception of non-compliant tags | API operation that supports the default feature for pre-event interception of non-compliant tags¹ | API operation that supports strong verification for pre-event interception of non-compliant tags² |
Elastic Compute Service (ECS) | ecs | instance | Yes | Yes | Yes | ||
None | |||||||
eni | Yes | No | Yes | ||||
None | |||||||
securitygroup | Yes | Yes | Yes | ||||
None | |||||||
disk | Yes | Yes | Yes | ||||
None | |||||||
snapshot | Yes | No | Yes | ||||
None | |||||||
ddh | Yes | Yes | Yes | ||||
None | |||||||
image | No | No | Yes | ||||
None | |||||||
None | |||||||
keypair | No | No | Yes | ||||
None | |||||||
launchtemplate | Yes | Yes | Yes | ||||
None | |||||||
snapshotpolicy | No | No | Yes | ||||
ApsaraDB RDS | rds | instance | Yes | Yes | Yes | None | |
None | |||||||
Server Load Balancer (SLB) | slb | instance | Yes | Yes | Yes | None | |
certificate | No | No | Yes | None | |||
acl | No | No | Yes | None | |||
Application Load Balancer (ALB) | alb | acl | No | No | Yes | None | |
loadbalancer | No | No | Yes | None | |||
securitypolicy | No | No | Yes | None | |||
servergroup | No | No | Yes | None | |||
Virtual Private Cloud (VPC) | vpc | vpc | Yes | Yes | Yes | None | |
vswitch | Yes | No | Yes | None | |||
routetable | Yes | No | Yes | None | |||
NAT Gateway | vpc | natgateway | Yes | Yes | Yes | None | |
VPN Gateway | vpc | vpngateway | No | No | Yes | None | |
Internet Shared Bandwidth | vpc | commonbandwidthpackage | No | No | Yes | None | |
Elastic IP Address (EIP) | vpc | eip | Yes | Yes | Yes | None | |
Cloud Enterprise Network (CEN) | cen | cen | Yes | Yes | Yes | None | |
bandwidthpackage | No | No | Yes | None | |||
Alibaba Cloud CDN (CDN) | cdn | domain | Yes | Yes | No | None | None |
Object Storage Service (OSS) | oss | bucket | Yes | Yes | No | None | None |
ApsaraDB for Redis | kvstore | instance | Yes | Yes | Yes | None | |
None | |||||||
ApsaraDB for MongoDB | dds | instance | Yes | Yes | Yes | None | |
ApsaraDB for HBase | multimod | cluster | Yes | Yes | Yes | None | |
PolarDB | polardb | cluster | Yes | Yes | No | None | None |
File Storage NAS (NAS) | nas | filesystem | Yes | Yes | Yes | None | None |
Anti-DDoS | ddoscoo | instance | Yes | Yes | Yes | None | |
None | |||||||
Container Service for Kubernetes (ACK) | cs | cluster | Yes | Yes | No | None | None |
API Gateway | apigateway | api | Yes | Yes | No | None | None |
apigroup | Yes | Yes | No | None | None | ||
app | No | No | No | None | None | ||
instance | No | No | No | None | None | ||
plugin | No | No | No | None | None | ||
Alibaba Cloud DNS (DNS) | alidns | domain | No | No | Yes | None | None |
Auto Scaling | ess | scalinggroup | No | No | Yes | ||
None | |||||||
Elastic Container Instance | eci | containergroup | No | No | Yes | ||
None | |||||||
imagecache | No | No | Yes | None | |||
None | |||||||
virtualnode | No | No | Yes | None | |||
ApsaraMQ for RocketMQ | mq | group | No | No | Yes | None | |
instance | No | No | Yes | None | |||
topic | No | No | Yes | None | |||
Bastionhost | bastionhost | instance | No | No | Yes | None | |
Resource Orchestration Service (ROS) | ros | changeset | No | No | Yes | None | |
stack | No | No | Yes | ||||
None | |||||||
None | |||||||
template | No | No | Yes | None |
Additional information:
¹ Pre-event interception of non-compliant tags supports two scenarios: pre-event interception when you create a resource and pre-event interception when you add tags to a resource. Support for the two scenarios varies based on the Alibaba Cloud service, resource type, and API operation. For example, non-compliant tags can be intercepted when you call the CreateInstance operation to create an ECS instance or when you call the TagResources operation to add tags to an ECS instance.
² Strong verification for pre-event interception of non-compliant tags takes effect only after you manually enable it. For more information, see Enable pre-event interception of non-compliant tags.