Detects risks of an operation that you want to perform on a stack.

The ListStackOperationRisks operation is suitable for the following scenarios:

  • You want to detect high risks that may arise in resources when you delete a stack that contains the resources, and query the reason for each risk in a resource.
  • You want to detect risks of creation failure that may arise when you create a stack. In this case, Resource Orchestration Service (ROS) allows you to detect only the required permissions that are not granted to the Alibaba Cloud account of the caller.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes ListStackOperationRisks

The operation that you want to perform. Set the value to ListStackOperationRisks.

RegionId String Yes cn-hangzhou

The region ID of the stack.

You can call the DescribeRegions operation to query the most recent region list.

StackId String No 4a6c9851-3b0f-4f5f-b4ca-a14bf691****

The ID of the stack.

OperationType String Yes DeleteStack

The type of operation for which you want to detect risks.

Valid values:

  • DeleteStack: detects high risks that may arise in resources when you delete a stack.
  • CreateStack: detects risks of creation failure that may arise when you create a stack. In this case, ROS allows you to detect only the required permissions that are not granted to the Alibaba Cloud account of the caller.

ClientToken String No 123e4567-e89b-12d3-a456-42665544****

The client token that is used to ensure the idempotence of the request. You can use the client to generate the value, but you must make sure that the value is unique among different requests.

The token can be up to 64 characters in length, and can contain letters, digits, hyphens (-), and underscores (_).

For more information, see Ensure idempotence.

RamRoleName String No test-role

The name of the RAM role.

  • If you specify a RAM role, ROS creates stacks based on the permissions that are granted to the RAM role and uses the credentials of the RAM role to call the API operations of Alibaba Cloud services.
  • If you do not specify a RAM role, ROS creates stacks based on the permissions of your Alibaba Cloud account.

The name of the RAM role can be up to 64 bytes in length.

RetainAllResources Boolean No false

Specifies whether to retain all resources in the stack.

Default value: false. Valid values:

  • true
  • false

Note: This parameter takes effect when the OperationType parameter is set to DeleteStack.

RetainResources.N String No instance

The resource N that you want to retain in the stack.

TemplateBody String No {"ROSTemplateFormatVersion":"2015-09-01"}

The structure that contains the template body. The template body must be 1 to 524,288 bytes in length. If the length of the template body exceeds the upper limit, we recommend that you add parameters to the HTTP POST request body to prevent request failures caused by excessively long URLs.

Note: You must specify only one of the following parameters: TemplateBody, TemplateURL, TemplateId, and TemplateScratchId.

TemplateURL String No oss://ros-template/demo

The URL of the file that contains the template body. The URL must point to a template that is located on an HTTP or HTTPS web server or in an Object Storage Service (OSS) bucket, such as oss://ros/stack-policy/demo or oss://ros/stack-policy/demo?RegionId=cn-hangzhou. The template body can be up to 524,288 bytes in length. If you do not specify the region ID of the OSS bucket, the value of the RegionId parameter is used.

Note: You must specify only one of the following parameters: TemplateBody, TemplateURL, TemplateId, and TemplateScratchId.

TemplateId String No 5ecd1e10-b0e9-4389-a565-e4c15efc****

The ID of the template. This parameter applies to shared and private templates.

Note: You must specify only one of the following parameters: TemplateBody, TemplateURL, TemplateId, and TemplateScratchId.

TemplateVersion String No v1

The version of the template.

Note: This parameter takes effect only when the TemplateId parameter is specified.

Response parameters

Parameter Type Example Description
RequestId String 72108E7A-E874-4A5E-B22C-A61E94AD12CD

The ID of the request.

RiskResources Array of Resource

The resources that are at risk.

LogicalResourceId String MySG

The logical ID of the resource. The logical ID is the resource name that is defined in the template.

PhysicalResourceId String sg-bp1dpioafqphedg9****

The physical ID of the resource. The physical ID is the actual ID of the resource.

RequestId String DF4296CF-F45F-4845-A72B-BE617601DB25

The ID of the request when the risk detection fails.

Note: This parameter is not returned if the risk detection is successful.

ResourceType String ALIYUN::ECS::SecurityGroup

The resource type.

Code String NoPermission

The error code that is returned when the risk detection fails.

Note: This parameter is not returned if the risk detection is successful.

Message String You are not authorized to complete this action.

The error message that is returned when the risk detection fails.

Note: This parameter is not returned if the risk detection is successful.

RiskType String Referenced

The type of the risk. Valid values:

  • Referenced: The resource is referenced by other resources.
  • MaybeReferenced: The resource may be referenced by other resources.
  • AdditionalRiskCheckRequired: An additional risk detection is required for a nested stack.
  • OperationIgnored: The operation does not take effect for the resource.

Reason String There are some ECS instances (i-bp18el96s4wq635e****) depending on the security group.

The reason for the risk.

MissingPolicyActions Array of String ["ecs:DescribeInstance", "ros:CreateStack"]

The operations for which permissions are not granted to the Alibaba Cloud account of the caller.

Examples

Sample requests

http(s)://ros.aliyuncs.com/?Action=ListStackOperationRisks
&OperationType=DeleteStack
&RegionId=cn-hangzhou
&StackId=4a6c9851-3b0f-4f5f-b4ca-a14bf691****
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<ListStackOperationRisksResponse>
    <RequestId>72108E7A-E874-4A5E-B22C-A61E94AD12CD</RequestId>
    <RiskResources>
        <LogicalResourceId>MySG</LogicalResourceId>
        <PhysicalResourceId>sg-bp1dpioafqphedg9****</PhysicalResourceId>
        <RequestId>DF4296CF-F45F-4845-A72B-BE617601DB25</RequestId>
        <ResourceType>ALIYUN::ECS::SecurityGroup</ResourceType>
        <Code>NoPermission</Code>
        <Message>You are not authorized to complete this action.</Message>
        <RiskType>Referenced</RiskType>
        <Reason>There are some ECS instances (i-bp18el96s4wq635e****) depending on the security group.</Reason>
    </RiskResources>
    <MissingPolicyActions>["ecs:DescribeInstance", "ros:CreateStack"]</MissingPolicyActions>
</ListStackOperationRisksResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "72108E7A-E874-4A5E-B22C-A61E94AD12CD",
  "RiskResources" : [ {
    "LogicalResourceId" : "MySG",
    "PhysicalResourceId" : "sg-bp1dpioafqphedg9****",
    "RequestId" : "DF4296CF-F45F-4845-A72B-BE617601DB25",
    "ResourceType" : "ALIYUN::ECS::SecurityGroup",
    "Code" : "NoPermission",
    "Message" : "You are not authorized to complete this action.",
    "RiskType" : "Referenced",
    "Reason" : "There are some ECS instances (i-bp18el96s4wq635e****) depending on the security group."
  } ],
  "MissingPolicyActions" : [ "[\"ecs:DescribeInstance\", \"ros:CreateStack\"]" ]
}
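
A pre-operation gate built on the response fields documented above, as an added example that is not part of the original page or of any Alibaba Cloud SDK. It parses a ListStackOperationRisks JSON response and fails closed when detection itself failed for a resource; the helper names (missing_actions, evaluate) and the policy of blocking on every risk type except OperationIgnored are assumptions.

```python
import json

# Constructed input: a trimmed copy of the JSON sample response on this page.
SAMPLE = r'''{
  "RequestId": "72108E7A-E874-4A5E-B22C-A61E94AD12CD",
  "RiskResources": [{
    "LogicalResourceId": "MySG",
    "PhysicalResourceId": "sg-bp1dpioafqphedg9****",
    "ResourceType": "ALIYUN::ECS::SecurityGroup",
    "Code": "NoPermission",
    "Message": "You are not authorized to complete this action.",
    "RiskType": "Referenced",
    "Reason": "There are some ECS instances (i-bp18el96s4wq635e****) depending on the security group."
  }],
  "MissingPolicyActions": ["[\"ecs:DescribeInstance\", \"ros:CreateStack\"]"]
}'''

def missing_actions(resp):
    """Flatten MissingPolicyActions into a list of action names."""
    actions = []
    for item in resp.get("MissingPolicyActions") or []:
        # The page's JSON sample wraps the list in one JSON-encoded string; accept that and a plain list.
        if item.lstrip().startswith("["):
            actions.extend(json.loads(item))
        else:
            actions.append(item)
    return actions

def evaluate(resp):
    """Return (allowed, findings); any blocking finding denies the operation."""
    findings = []
    for res in resp.get("RiskResources") or []:
        rid = res.get("LogicalResourceId", "<unknown>")
        if res.get("Code"):
            # Code/Message appear only when detection failed, so the risk is unknown: fail closed.
            findings.append((rid, "DetectionFailed", res["Code"], True))
        risk = res.get("RiskType")
        if risk:
            # Assumed policy: unrecognised risk types also block; OperationIgnored is reported only.
            findings.append((rid, risk, res.get("Reason", ""), risk != "OperationIgnored"))
    for action in missing_actions(resp):
        findings.append(("caller", "MissingPermission", action, True))
    return (not any(f[3] for f in findings), findings)

if __name__ == "__main__":
    allowed, findings = evaluate(json.loads(SAMPLE))
    for finding in findings:
        print(finding)
    print("proceed" if allowed else "blocked")
```

Each finding is a tuple of (resource, kind, detail, blocks), so a pipeline can log the non-blocking entries while refusing to call DeleteStack or CreateStack until the blocking ones are cleared.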

Error codes

For a list of error codes, visit the API Error Center.