This topic describes the syntax of a tag policy and the supported inheritance operators.
Syntax
Tag policies support the JSON format and follow the standard JSON syntax. The syntax of a tag policy varies based on the use scenario of the tag policy.
Addition of tags that have specific tag values to resources
The document of a tag policy used for this scenario starts with tags.
Element | Required | Description | Example |
Policy key | Yes | A policy key is the unique identifier of a statement in a tag policy. A policy key must be in lowercase. You can specify multiple policy keys in a tag policy. If capitalization is not considered, policy keys are the same as tag keys. |
|
Tag key | Yes | Tag keys are specified by |
|
Tag value | Yes | Tag values are specified by |
|
Resource type scope | No | You can configure |
|
Region scope | No | You can configure |
|
Resource group scope | No | You can configure |
|
Pre-event interception | No | You can configure |
|
Automatic remediation | No | You can configure | |
Inheritance operator | Yes | An inheritance operator is used to aggregate the tag policy that is attached to an object and the tag policy that is inherited by the object to obtain an effective policy for the object. |
Sample code:
{
"tags": {
"color": {
"tag_key": {
"@@operators_allowed_for_child_policies": [
"@@none"
],
"@@assign": "COLER"
},
"tag_value": {
"@@operators_allowed_for_child_policies": [
"@@append"
],
"@@assign": [
"red",
"green",
"grey"
]
},
"resource_type_scope": {
"@@operators_allowed_for_child_policies": [
"@@append"
],
"@@assign": [
"ecs:instance"
]
},
"region_scope": {
"@@operators_allowed_for_child_policies": [
"@@append"
],
"@@assign": [
"cn-hangzhou"
]
},
"rg_scope": {
"@@operators_allowed_for_child_policies": [
"@@append"
],
"@@assign": [
"rg-xxxx"
]
},
"enforced_for": {
"@@operators_allowed_for_child_policies": [
"@@remove"
],
"@@assign": [
"ecs:instance"
]
},
"tag_value_correction": {
"@@operators_allowed_for_child_policies": [
"@@none"
],
"@@assign": {
"red": {
"value_type": "Tag",
"value_scope": {
"acs:rm:rgId": "rg-xx1"
}
},
"green": {
"value_type": "Tag",
"value_scope": {
"k1": "v2"
}
},
"grey": {
"value_type": "Tag",
"value_scope": {
"k111": "v222"
}
}
}
}
}
}
}Automatic tag inheritance from resource groups
The document of a tag policy used for this scenario starts with rg_inherit.
Element | Required | Description | Example |
Policy key | Yes | A policy key is the unique identifier of a statement in a tag policy. A policy key must be in lowercase. You can specify multiple policy keys in a tag policy. If capitalization is not considered, policy keys are the same as tag keys. |
|
Tag key | Yes | Tag keys are specified by |
|
Resource type scope | No | You can configure |
|
Region scope | No | You can configure |
|
Resource group scope | No | You can configure |
|
Inheritance operator | Yes | An inheritance operator is used to aggregate the tag policy that is attached to an object and the tag policy that is inherited by the object to obtain an effective policy for the object. |
Sample code:
{
"rg_inherit": {
"color": {
"tag_key": {
"@@operators_allowed_for_child_policies": [
"@@none"
],
"@@assign": "COLER"
},
"resource_type_scope": {
"@@operators_allowed_for_child_policies": [
"@@append"
],
"@@assign": [
"ecs:instance"
]
},
"region_scope": {
"@@operators_allowed_for_child_policies": [
"@@append"
],
"@@assign": [
"cn-hangzhou"
]
},
"rg_scope": {
"@@operators_allowed_for_child_policies": [
"@@append"
],
"@@assign": [
"rg-xxxx"
]
}
}
}
}Matching between tag values and a specific regular expression
The document of a tag policy used for this scenario starts with matched_tags.
Element | Required | Description | Example |
Policy key | Yes | A policy key is the unique identifier of a statement in a tag policy. A policy key must be in lowercase. You can specify multiple policy keys in a tag policy. If capitalization is not considered, policy keys are the same as tag keys. |
|
Tag key | Yes | Tag keys are specified by |
|
Tag value | Yes | The regular expression that tag values must match is specified by |
|
Resource type scope | No | You can configure |
|
Region scope | No | You can configure |
|
Resource group scope | No | You can configure |
|
Automatic remediation | No | You can configure | |
Inheritance operator | Yes | An inheritance operator is used to aggregate the tag policy that is attached to an object and the tag policy that is inherited by the object to obtain an effective policy for the object. |
{
"matched_tags": {
"number": {
"tag_key": {
"@@operators_allowed_for_child_policies": [
"@@none"
],
"@@assign": "NUMBER"
},
"tag_value": {
"@@operators_allowed_for_child_policies": [
"@@assign"
],
"@@assign": [
"^[0-9]+$"
]
},
"resource_type_scope": {
"@@operators_allowed_for_child_policies": [
"@@append"
],
"@@assign": [
"ecs:instance"
]
},
"region_scope": {
"@@operators_allowed_for_child_policies": [
"@@append"
],
"@@assign": [
"cn-hangzhou"
]
},
"rg_scope": {
"@@operators_allowed_for_child_policies": [
"@@append"
],
"@@assign": [
"rg-xxxx"
]
},
"tag_value_correction": {
"@@operators_allowed_for_child_policies": [
"@@none"
],
"@@assign": {
"1": {
"value_type": "Tag",
"value_scope": {
"acs:rm:rgId": "rg-xx1"
}
},
"2": {
"value_type": "Tag",
"value_scope": {
"k1": "v2"
}
},
"3": {
"value_type": "Tag",
"value_scope": {
"k111": "v222"
}
}
}
}
}
}
}Inheritance operators
An inheritance operator is used to aggregate the tag policy that is attached to an object and the tag policy that is inherited by the object to obtain an effective policy for the object. Inheritance operators are classified into value-setting operators and child control operators.
If you configure a tag policy on the Quick Mode tab in the Resource Management console, you can use only the @@assign operator. This operator is a basic operator. If you configure a tag policy on the JSON tab in the Resource Management console, you can use all operators described in this section. Operators other than @@assign are advanced operators.
Value-setting operators
Operator
Description
@@assignThis operator indicates the overwrite operation.
If you specify this operator for a setting in a tag policy attached to an object, and the setting conflicts with the related setting in the tag policy inherited by the object, the setting in the attached tag policy overwrites the related setting in the inherited tag policy.
If the settings for
@@assignin tag policies attached to an object conflict with each other, the setting in the tag policy that is first attached is used.
@@appendThis operator indicates the append operation. If you specify this operator for a setting in a tag policy attached to an object, the setting is appended to the tag policy inherited by the object. You can use this operator only if you specify multiple tag values for a tag key in a tag policy attached to an object.
@@removeThis operator indicates the remove operation. If you specify this operator for a setting in a tag policy attached to an object, the related setting is removed from the tag policy inherited by the object. You can use this operator only if you specify multiple tag values for a tag key in a tag policy attached to an object.
Child control operators
Child control operators are advanced operators. You can use child control operators if you want to limit the value-setting operators that can be used in child policies. By default, all value-setting operators are allowed in child policies.
Operator
Description
"@@operators_allowed_for_child_policies":["@@all"]If you specify this operator in a tag policy attached to a folder, you can use any value-setting operator in the policies attached to the subfolders of the folder and members in the folder. By default, if no child control operator is specified in a parent policy, all value-setting operators are allowed in child policies.
"@@operators_allowed_for_child_policies":["@@assign"If you specify this operator in a tag policy attached to a folder, you can use the value-setting operator @@assign in the policies attached to the subfolders of the folder and members in the folder. You can specify one or more value-setting operators in this operator.
"@@operators_allowed_for_child_policies":["@@none"]If you specify this operator in a tag policy attached to a folder, value-setting operators cannot be used in the policies attached to the subfolders of the folder and members in the folder. You can use this operator to lock the settings that are defined in a parent policy. This way, child policies do not take effect during the calculation of an effective policy, and the parent policy is used as an effective policy.