如何執行ACS::Approve - CloudOps Orchestration Service

用於審批任務的動作。

用途

在自動化營運的一些情境中，有些特殊的操作需要被特殊關注，例如刪除重要資源，或使用費用較高的執行個體等。如果把這些操作也納入自動化的範疇，您可能會擔心失去控制，超過預算。若不納入自動化的範疇，又會導致這些操作退化到手工執行或其他非自動化方式。審批動作能夠讓您在自動化和特殊關注之間尋找一個平衡。

當執行一個模板中包括審批動作，且執行到審批動作這一步時，OOS執行引擎會暫停執行，執行進入等待中狀態，並發送一個包含通知的審批連結到管理使用者。在訪問審批連結後，管理員可根據業務需求做出決定，同意或拒絕，同意後則OOS引擎繼續執行後續任務，拒絕後引擎停止執行，執行狀態為取消（Cancelled）。

Webhook 文法

對於DingTalk，可以通過Webhook的方式支援。

YAML格式

Tasks:
  - Name: approvalTask
    Action: ACS::Approve
    Properties:
      AppendExecutionLink: 'true' # 是否附加執行詳情連結，可選項true和false。ACS::Approve動作預設為true。
      Approvers: ["user1", "user2"， "user3"] # 待審批的RAM子帳號名字。
      MinRequiredApprovals: 2  # 審批通過時至少需要贊同的人數。
      NotifyType: WebHook
      WebHook:
        URI: url # 必填，webhook地址，如https://oapi.dingtalk.com/robot/send?access_token=xxxxxx
        Headers: # 可選，Http請求的Headers，如Content-Type
          Content-Type: 'application/json; charset=utf-8'
        Content: # 必填，根據具體的Webhook要求提供，如DingTalkwebhook要求如下：https://open-doc.dingtalk.com/docs/doc.htm?treeId=257&articleId=105735&docType=1 
          msgtype: text
          text:
            content: 'the approve notify to user'  # 必填，發送審批通知的內容。
          at:  # 在DingTalk群中@的使用者
            atMobiles: # 可選，@群裡面的指定使用者，此處的手機號為使用者註冊DingTalk的手機號。
                        - 138albb1234
                        - 130albb1234
            isAtAll: 'false'  # 可選，是否@所有使用者，可選true 或 false，預設為false。

JSON格式（請參照YAML注釋說明）

{
  "Tasks": [
    {
      "Name": "approvalTask",
      "Action": "ACS::Approve",
      "Properties": {
        "AppendExecutionLink": "true",
        "Approvers": [
          "user1",
          "user2",
          "user3"
        ],
        "MinRequiredApprovals": 2,
        "NotifyType": "WebHook",
        "WebHook": {
          "URI": "url",
          "Headers": {
            "Content-Type": "application/json; charset=utf-8"
          },
          "Content": {
            "msgtype": "text",
            "text": {
              "content": "the approve notify to user"
            },
            "at": {
              "atMobiles": [
                "138albb1234",
                "130albb1234"
              ],
              "isAtAll": "false"
            }
          }
        }
      }
    }
  ]
}

Webhook 樣本

以下模板：在刪除執行個體前需要審批。

YAML格式

---
FormatVersion: OOS-2019-06-01
Description:
  en: Bulky restarts the ECS instances with Approval.
  zh-cn: 大量重啟ECS執行個體帶審批。
  name-en: BulkyRebootInstancesWithApproval
  name-zh-cn: 大量重啟ECS執行個體帶審批
Parameters:
  targets:
    Type: Json
    AssociationProperty: Targets
    AssociationPropertyMetadata:
      ResourceType: 'ALIYUN::ECS::Instance'
  rateControl:
    Description:
      en: Concurrency ratio of task execution.
      zh-cn: 任務執行的並發比率。
    Type: Json
    AssociationProperty: RateControl
    Default:
      Mode: Concurrency
      MaxErrors: 0
      Concurrency: 100%
  webHookUrl:
    Description:
      en: >-
        The webHook url of dingtalk group assistant,
        e.g.https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414.
      zh-cn: >-
        DingTalk群助手的webhook地址，形如https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414。
    Type: String
  atMobiles:
    Description:
      en: >-
        The telephone numbers of member in dingtalk group assistant @, when
        notify comes.
      zh-cn: 當群助手向DingTalk群中發送審批通知時，要被@的群成員註冊DingTalk所用手機號。
    Type: List
    Default:
      - '1390000****'
  atAll:
    Description:
      en: 'assistant @ all members in dingtalk group or not, when notify comes.'
      zh-cn: 當群助手向DingTalk群中發送審批通知時是否@所有人。
    Type: String
    Default: 'false'
  OOSAssumeRole:
    Description:
      en: The RAM role to be assumed by OOS.
      zh-cn: OOS扮演的RAM角色。
    Type: String
    Default: OOSServiceRole
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  - Name: getInstance
    Description:
      en: Views the ECS instances.
      zh-cn: 擷取ECS執行個體。
    Action: 'ACS::SelectTargets'
    Properties:
      ResourceType: 'ALIYUN::ECS::Instance'
      Filters:
        - '{{ targets }}'
    Outputs:
      instanceIds:
        Type: List
        ValueSelector: 'Instances.Instance[].InstanceId'
      instanceNames:
        Type: List
        ValueSelector: 'Instances.Instance[].InstanceName'
  - Name: approveRestart
    Action: 'ACS::Approve'
    Properties:
      NotifyType: WebHook
      WebHook:
        URI: '{{webhookUrl}}'
        Headers:
          Content-Type: application/json
        Content:
          msgtype: text
          text:
            content: >-
              Notify: please approve instances restart, instance names to
              approve  are {{getInstance.instanceNames}}, sent by
              {{ACS::RegionId}} oos {{ACS::ExecutionId}}.
          at:
            atMobiles: '{{atMobiles}}'
            isAtAll: '{{atAll}}'
  - Name: rebootInstance
    Action: 'ACS::ECS::RebootInstance'
    Description:
      en: Restarts the ECS instances.
      zh-cn: 重啟執行個體。
    Properties:
      instanceId: '{{ ACS::TaskLoopItem }}'
    Loop:
      RateControl: '{{ rateControl }}'
      Items: '{{ getInstance.instanceIds }}'
Outputs:
  instanceIds:
    Type: List
    Value: '{{ getInstance.instanceIds }}'

JSON格式

{
  "FormatVersion": "OOS-2019-06-01",
  "Description": {
    "en": "Bulky restarts the ECS instances with Approval.",
    "zh-cn": "大量重啟ECS執行個體帶審批。",
    "name-en": "BulkyRebootInstancesWithApproval",
    "name-zh-cn": "大量重啟ECS執行個體帶審批"
  },
  "Parameters": {
    "targets": {
      "Type": "Json",
      "AssociationProperty": "Targets",
      "AssociationPropertyMetadata": {
        "ResourceType": "ALIYUN::ECS::Instance"
      }
    },
    "rateControl": {
      "Description": {
        "en": "Concurrency ratio of task execution.",
        "zh-cn": "任務執行的並發比率。"
      },
      "Type": "Json",
      "AssociationProperty": "RateControl",
      "Default": {
        "Mode": "Concurrency",
        "MaxErrors": 0,
        "Concurrency": "100%"
      }
    },
    "webHookUrl": {
      "Description": {
        "en": "The webHook url of dingtalk group assistant, e.g.https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414.",
        "zh-cn": "DingTalk群助手的webhook地址，形如https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414。"
      },
      "Type": "String"
    },
    "atMobiles": {
      "Description": {
        "en": "The telephone numbers of member in dingtalk group assistant @, when notify comes.",
        "zh-cn": "當群助手向DingTalk群中發送審批通知時，要被@的群成員註冊DingTalk所用手機號。"
      },
      "Type": "List",
      "Default": [
        "1390000****"
      ]
    },
    "atAll": {
      "Description": {
        "en": "assistant @ all members in dingtalk group or not, when notify comes.",
        "zh-cn": "當群助手向DingTalk群中發送審批通知時是否@所有人。"
      },
      "Type": "String",
      "Default": "false"
    },
    "OOSAssumeRole": {
      "Description": {
        "en": "The RAM role to be assumed by OOS.",
        "zh-cn": "OOS扮演的RAM角色。"
      },
      "Type": "String",
      "Default": "OOSServiceRole"
    }
  },
  "RamRole": "{{ OOSAssumeRole }}",
  "Tasks": [
    {
      "Name": "getInstance",
      "Description": {
        "en": "Views the ECS instances.",
        "zh-cn": "擷取ECS執行個體。"
      },
      "Action": "ACS::SelectTargets",
      "Properties": {
        "ResourceType": "ALIYUN::ECS::Instance",
        "Filters": [
          "{{ targets }}"
        ]
      },
      "Outputs": {
        "instanceIds": {
          "Type": "List",
          "ValueSelector": "Instances.Instance[].InstanceId"
        },
        "instanceNames": {
          "Type": "List",
          "ValueSelector": "Instances.Instance[].InstanceName"
        }
      }
    },
    {
      "Name": "approveRestart",
      "Action": "ACS::Approve",
      "Properties": {
        "NotifyType": "WebHook",
        "WebHook": {
          "URI": "{{webhookUrl}}",
          "Headers": {
            "Content-Type": "application/json"
          },
          "Content": {
            "msgtype": "text",
            "text": {
              "content": "Notify: please approve instances restart, instance names to approve  are {{getInstance.instanceNames}}, sent by {{ACS::RegionId}} oos {{ACS::ExecutionId}}."
            },
            "at": {
              "atMobiles": "{{atMobiles}}",
              "isAtAll": "{{atAll}}"
            }
          }
        }
      }
    },
    {
      "Name": "rebootInstance",
      "Action": "ACS::ECS::RebootInstance",
      "Description": {
        "en": "Restarts the ECS instances.",
        "zh-cn": "重啟執行個體。"
      },
      "Properties": {
        "instanceId": "{{ ACS::TaskLoopItem }}"
      },
      "Loop": {
        "RateControl": "{{ rateControl }}",
        "Items": "{{ getInstance.instanceIds }}"
      }
    }
  ],
  "Outputs": {
    "instanceIds": {
      "Type": "List",
      "Value": "{{ getInstance.instanceIds }}"
    }
  }
}

Mail 文法

YAML格式

Tasks:
  - Action: ACS::Approve
    Name: ApproveByMail
    Properties:
      NotifyType: Mail
      Mail:
      	Host: SMTPHostAddress # SMTP 伺服器主機地址如 smtp.example1.com
        Port: SMTPPort # SMTP 伺服器連接埠如 465
        Username: sender  # 代發送的信箱使用者如 usr001@example1.com
        Password: senderPassword # 需要填寫的是"IMAP/SMTP服務"的授權碼，而不是郵箱登入密碼
        Subject: mailSubject # 郵件主題如 hello world
        Body: mailBody # 郵件內文如 hello world ！！！
        From: senderAddress # 郵件來自如 usr001@example1.com
        To: # 收件者郵箱地址清單如 [usr1234@example2.com,usr123@example2.com]
        	- usr123@example2.com
        	- usr1234@example2.com

JSON格式（請參照YAML注釋說明）

{
  "Tasks": [
    {
      "Action": "ACS::Approve",
      "Name": "ApproveByMail",
      "Properties": {
        "NotifyType": "Mail",
        "Mail": {
          "Host": "SMTPHostAddress",
          "Port": "SMTPPort",
          "Username": "sender",
          "Password": "senderPassword",
          "Subject": "mailSubject",
          "Body": "mailBody",
          "From": "senderAddress",
          "To": [
            "usr123@example2.com,usr1234@example2.com"
          ]
        }
      }
    }
  ]
}