tencent cloud

Policy Syntax

Last updated: 2025-01-02 14:54:12
    A policy is composed of several sub-statements. Each sub-statement contains the following elements: policy_key, tag_key, tag_value, effective scope, etc.

    Syntax Format

    The policy syntax is based on the JSON format. If a created or updated policy does not meet the JSON format requirement, it cannot be successfully submitted and cannot take effect. Therefore, you must ensure that the JSON format is correct.

    Syntax Conventions

    The following is the general syntax of tag policies:
    The // comments in the two examples below annotate the elements and are not part of the policy. JSON has no comment syntax, so a policy submitted with them does not meet the JSON format requirement.

    Specified Value

    {
        "tags": {
            "Principal (Person in Charge)": {
                "tag_key": {"@@assign": "principal"},
                "tag_value": {"@@assign": ["name 1"]},
                "resource_type_scope": {"@@assign": ["ecs:instance", "ecs:disk"]},
                // Detection is a system feature which is enabled by default. It detects whether the tag values are compliant for the specified tag keys of resources. It is not shown in JSON by default.
                "detection": "on",
                // Auto correction. It can be enabled when one value is specified, but multiple specified values cannot be automatically corrected.
                "correction": {"@@assign": "on"},
                // Auto assignment - tag key
                "auto_assign": {"@@assign": "on"},
                // Forcible execution. It intercepts tag binding when the value is not "value name 1", and binding another value is not allowed.
                "enforced_for": {"@@assign": ["*"]},
                // Auto assignment - tag value
                "auto_assign_value": {"@@assign": "on"}
            }
        }
    }

    Dynamic Value

    {
        "tags": {
            "Principal (Person in Charge)": {
                "tag_key": {"@@assign": "principal"},
                // The dynamic value is enabled. The value is determined based on the value of the tag key of the same name bound by the sub-user in CAM.
                "tag_value_dynamic": {"@@assign": "on"},
                "resource_type_scope": {"@@assign": ["ecs:instance", "ecs:disk"]},
                // Detection is a system feature which is enabled by default. It detects whether the tag values are compliant for the specified tag keys of resources. It is not shown in JSON by default.
                "detection": "on",
                // Auto correction. It can be enabled when there is only one dynamic value.
                "correction": {"@@assign": "on"},
                // Auto assignment - tag key
                "auto_assign": {"@@assign": "on"},
                // Forcible execution. It intercepts tag binding when the value is not "value name 1", and binding another value is not allowed.
                "enforced_for": {"@@assign": ["*"]},
                // Auto assignment - tag value
                "auto_assign_value": {"@@assign": "on"}
            }
        }
    }

    Elements

    | Element | Required | Description | Description in above example |
    | --- | --- | --- | --- |
    | tags | Yes | A tag policy always starts with tags. tags is always on the first line of a tag policy and is fixed. | tags, which is fixed |
    | policy_key | Yes | Tag key, which identifies a compliant tag key and takes the same value as the policy key. Tag keys are case sensitive. You can define multiple tag keys in a tag policy. | principal is the tag key. |
    | tag_key | Yes | Tag key, which identifies a compliant tag key and takes the same value as the policy key (case-sensitive). You can define multiple tag keys in a tag policy. | principal |
    | tag_value | Yes | Tag value, which identifies a compliant tag value. | The tag value is set to name 1, which is used as the valid value for principal. |
    | resource_type_scope | Yes | The effective scope of resource types, which is specified by the tag key-value pair. | The effective scope is limited to ecs:instance and ecs:disk. |
    | detection | Yes | Enabled by the system by default. | on enables the detection feature within the resource scope where the tag key-value pair is effective. |
    | correction | No | Whether to enable auto correction. Acts as a switch for whether the tag key-value pair is automatically corrected. | on enables auto correction within the resource scope where the tag key-value pair is effective. |
    | auto_assign | No | Whether to enable auto assignment (auto-fill) of the tag key. Indicates whether the tag key is displayed by default where tags are edited. | on enables auto assignment within the resource scope where the tag key is effective. |
    | auto_assign_value | No | Whether to enable auto assignment (auto-fill) of the tag value. Indicates whether the tag value is displayed by default where tags are edited. | on enables auto assignment within the resource scope where the tag value is effective. |
    | enforced_for | No | Whether to enable forcible execution. Indicates whether to block the binding of non-compliant tag key-value pairs. | * enables forcible execution for all resources with the tag key-value pair. |
    | tag_deletion_disable | No | Whether to gray out tag deletion. After it is enabled, users cannot delete the tag key and must select a value. | on grays out tag deletion within the resource scope where the tag key takes effect. |

    Policy Length Limit

    Each policy is limited to 4096 characters. A policy that exceeds this limit cannot be submitted; in that case, add a new policy. See Use Limits in the Overview.
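
A pre-submission check for the syntax rules above, as an added example that is not Tencent Cloud's code: it verifies JSON validity, the 4096-character limit, the element names from the table and the auto-correction constraint. The function names, accepting either tag_value or tag_value_dynamic, and counting the limit over the submitted string are assumptions.

```python
import json

MAX_POLICY_CHARS = 4096  # per-policy limit stated on this page
ELEMENTS = {"tag_key", "tag_value", "tag_value_dynamic", "resource_type_scope",
            "detection", "correction", "auto_assign", "auto_assign_value",
            "enforced_for", "tag_deletion_disable"}

def assigned(rule, element):
    """Value under @@assign, or None when the element is absent or malformed."""
    node = rule.get(element)
    return node.get("@@assign") if isinstance(node, dict) else None

def lint_tag_policy(text):
    """Return findings for one policy document; an empty list means it passed."""
    findings = []
    if len(text) > MAX_POLICY_CHARS:  # assumption: limit counts the submitted string
        findings.append(f"{len(text)} characters exceeds the {MAX_POLICY_CHARS} limit")
    try:
        doc = json.loads(text)  # strict JSON: // comments are rejected here
    except json.JSONDecodeError as exc:
        return findings + [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    tags = doc.get("tags") if isinstance(doc, dict) else None
    if not isinstance(tags, dict):
        return findings + ['top-level "tags" object is missing']
    for key, rule in tags.items():
        if not isinstance(rule, dict):
            findings.append(f"{key}: sub-statement must be an object")
            continue
        for element, node in rule.items():
            if element not in ELEMENTS:
                findings.append(f"{key}: unknown element {element}")
            elif element != "detection" and not (isinstance(node, dict) and set(node) == {"@@assign"}):
                findings.append(f"{key}: {element} must contain only @@assign")
        for required in ("tag_key", "resource_type_scope"):
            if assigned(rule, required) is None:
                findings.append(f"{key}: missing {required}")
        values = assigned(rule, "tag_value")
        if values is None and assigned(rule, "tag_value_dynamic") != "on":  # assumption
            findings.append(f"{key}: needs tag_value or tag_value_dynamic")
        if assigned(rule, "correction") == "on" and isinstance(values, list) and len(values) > 1:
            findings.append(f"{key}: correction cannot be on with multiple tag values")
    return findings

# Constructed sample: two specified values with correction enabled.
SAMPLE = json.dumps({"tags": {"principal": {
    "tag_key": {"@@assign": "principal"},
    "tag_value": {"@@assign": ["name 1", "name 2"]},
    "resource_type_scope": {"@@assign": ["ecs:instance", "ecs:disk"]},
    "correction": {"@@assign": "on"}}}})
print(lint_tag_policy(SAMPLE))
```
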
    
    
    

    Syntax Effective Rules

    Object

    You can bind a tag policy to multiple user entities (such as the root account and sub-users under the root account), but it will only be valid for the bound user.
    When you bind a tag policy to the root account, it will only affect that root account.
    When you bind a tag policy to a sub-user, it will only affect that sub-user.

    Effective Time

    When operating on resource tags, the effective object will check whether the resources are bound to the corresponding key-value pair in real time according to the tag policy. The latency in this process will be within 10 seconds.

    Priority

    You can bind multiple tag policies to a user entity, but multiple tag policies will be merged into one valid policy. The merging rules are as follows:
    1. If policy keys are not the same, all of the policy keys will be used. However, the total number of policy keys in a valid policy cannot exceed 50; policy keys beyond that limit will not be merged.
    2. If policy keys are the same and the tag value rule agreed for each policy key is different, the tag policy bound first will prevail. For example, Policy A requires value = 1 for key = 1, but Policy B requires value = 2 for key = 1. Policy A will prevail if it is bound to the user first.
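
The merging rules above, as an added example that is not Tencent Cloud's code: it computes the effective policy for one user entity and reports which sub-statements were shadowed or dropped, which is useful when auditing why a later-bound rule is not enforced. The function names, the sample policies and the order in which keys are counted toward the limit of 50 are assumptions.

```python
MAX_POLICY_KEYS = 50  # cap on policy keys in the merged, valid policy (from this page)

def merge_tag_policies(bound):
    """Merge parsed policies given in binding order (earliest binding first).

    Returns (effective, dropped): effective maps policy key -> (rule, source index);
    dropped lists (source index, policy key, reason) for rules that did not merge.
    """
    effective, dropped = {}, []
    for index, policy in enumerate(bound):
        for key, rule in policy.get("tags", {}).items():
            if key in effective:
                # Same policy key: the policy bound first prevails.
                if effective[key][0] != rule:
                    dropped.append((index, key, "conflicts with earlier binding"))
            elif len(effective) >= MAX_POLICY_KEYS:
                # Assumption: keys are counted in binding order, then document order.
                dropped.append((index, key, "over the 50-key limit"))
            else:
                effective[key] = (rule, index)
    return effective, dropped

def sub_statement(key, value):
    """Build a minimal sub-statement (constructed sample data)."""
    return {"tag_key": {"@@assign": key}, "tag_value": {"@@assign": [value]},
            "resource_type_scope": {"@@assign": ["ecs:instance"]}}

# Constructed policies mirroring the page's example: A is bound before B.
POLICY_A = {"tags": {"1": sub_statement("1", "1")}}
POLICY_B = {"tags": {"1": sub_statement("1", "2"), "team": sub_statement("team", "sec")}}

effective, dropped = merge_tag_policies([POLICY_A, POLICY_B])
print(effective["1"][0]["tag_value"], dropped)
```
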

    Operators

    You can use operators to control the calculation rules in the tag policy. Only the assignment operator is currently supported.

    | Operator | Required | Description | Description in above example |
    | --- | --- | --- | --- |
    | @@assign | Yes | This operator is used to assign the specified content to the specified element. | Assign principal to the policy key and tag key. Assign name 1 to the tag value. Assign ecs:instance,ecs:disk to the effective scope of resource types. Assign on to whether the correction feature is enabled. |
    