Use EventBridge to forward resource compliance events from Simple Message Queue (formerly MNS) to a DingTalk group.
Prerequisites
- EventBridge is activated. See Activate EventBridge and grant permissions.
- SMQ is activated. See Activate SMQ and authorize RAM users to access SMQ.

Important: SMQ topics and queues incur fees. See Billing.
Overview
Cloud Config delivers events to Simple Log Service, Object Storage Service (OSS), or SMQ. With EventBridge, you can route these events to additional channels such as DingTalk, Message Queue, Function Compute, Short Message Service, or Alibaba Mail. This topic uses a resource non-compliance event as an example: an EventBridge event flow converts the non-compliance detection into an event and sends it to DingTalk in a specified format.
Step 1: Create an SMQ topic and queue
- Create an SMQ topic.
- Create an SMQ queue.
- Subscribe the queue to the SMQ topic so that messages sent to the topic are pushed to the queue.
Skip this step if you already have an SMQ topic and queue.
Step 2: Configure event delivery to SMQ
- Create a Cloud Config rule.
  See Create a rule based on a managed rule or Create a custom rule based on Function Compute.
- Configure event delivery to SMQ.
Skip this step if you already have a Cloud Config rule with SMQ delivery configured.
Step 3: Create an EventBridge event bus and configure event delivery
- Log on to the EventBridge console.
- In the left navigation pane, click EventBridge.
- In the top navigation pane, select a region.
- On the input tab, click Quickly Create.
- In the Create Custom Event Bus panel, configure the parameters.
  - On the Event Bus page, enter a name and description for the custom event bus, and then click Next.
  - On the Event Source page, configure the following parameters and click Next.
    - Specify Event Source Name. In this example, enter noncompliant.event.
    - From the Event Provider drop-down list, select Simple Message Queue (formerly MNS).
    - Select a QueueName.
    - Select Enable Base64 Decoding.
  - On the Rules page, configure the following parameters and click Next.
    - For Rule Name, enter a name such as noncompliant-resource-rule.
    - Configure the pattern content to filter events.
      The following configuration delivers only events with the source noncompliant.event to the event target. See Event patterns.

          {
            "source": [
              "noncompliant.event"
            ]
          }
  - On the Target page, configure the following parameters and click Create.
    - From the Service type drop-down list, select acs.dingtalk.
    - Configure the Webhook address and Secret key for the DingTalk group.
      To obtain the webhook address, see Add a custom chatbot.
    - Configure the Pushed Content parameter.
      The following template extracts the resource Alibaba Cloud Resource Name (ARN) and rule name from non-compliance events and pushes them to DingTalk. See Event transformation.

          /**Variables**/
          {
            "resourceArn": "$.data.messageBody.evaluationResultIdentifier.evaluationResultQualifier.resourceArn",
            "configRuleName": "$.data.messageBody.evaluationResultIdentifier.evaluationResultQualifier.configRuleName"
          }
          /**Template**/
          {
            "msgtype": "text",
            "text": {
              "content": "Resource non-compliance notification: Resource: ${resourceArn}. Rule name: ${configRuleName}"
            }
          }
Step 4: Verify the result
- Log on to the Cloud Config console.
- In the left-side navigation pane, choose Compliance & Audit > Rules.
- On the Rules page, find your target rule, click the icon in the Actions column, and then click Re-evaluate.
- Go to the DingTalk group configured in Step 3 and check for chatbot notifications.
  If the group shows resource non-compliance notifications, the configuration is successful.
FAQ
Can I use the SMQ topic configured for event delivery as the event bus event source?
No. EventBridge event buses support only SMQ queues as event sources. Configure a queue for the SMQ topic and use that queue as the event source.
Why does DingTalk fail to receive notifications after I configure an EventBridge event flow and manually run evaluation?
- If no non-compliant resources exist, notifications are not sent. Verify that non-compliant resources exist in the Cloud Config console:
  - Log on to the Cloud Config console.
  - In the left-side navigation pane, choose Compliance & Audit > Rules.
    Check the rule evaluation results for non-compliant resources.
- Verify event delivery in the EventBridge console:
  - Log on to the EventBridge console.
  - In the left navigation pane, click EventBridge.
  - On the EventBridge page, find your event bus and click Event tracking in the Actions column.
    Query events by time range to verify that data exists in the event source.
  - Find the target event and click Event trace in the Actions column.
    In the Event Trace dialog box, verify that the event was delivered.
What do I do if EventBridge event delivery fails?
- If the error message
  [500]java.lang.RuntimeExceptionjava.lang.RuntimeExceptionjava.lang.RuntimeException is missing parameter JSON
  appears, perform the following steps:
  Ensure that key-value pairs in the $.data object do not contain unescaped quotation marks. Unescaped quotes truncate the JSON string after variable substitution. Use the built-in jsonEscape tool in your rule template to handle variables that may contain quotes. In the following example, jsonEscape escapes the configRuleName variable:

      /**Variables**/
      {
        "resourceArn": "$.data.messageBody.evaluationResultIdentifier.evaluationResultQualifier.resourceArn",
        "configRuleName": "$.data.messageBody.evaluationResultIdentifier.evaluationResultQualifier.configRuleName"
      }
      /**Template**/
      {
        "msgtype": "text",
        "text": {
          "content": "Resource non-compliance notification: Resource: ${resourceArn}. Rule name: ${jsonEscape(configRuleName)}"
        }
      }

- If the error message
  [500]java.lang.RuntimeExceptionjava.lang.RuntimeExceptionjava.lang.RuntimeExceptionsendtoofast,exceed20timesperminute
  appears:
  DingTalk rate-limits custom chatbots to 20 messages per minute per group. Exceeding this limit triggers a 10-minute throttle. To send high-volume messages such as monitoring alerts, consolidate them into a single Markdown message. See Add a custom chatbot.
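
The template substitution from Step 3 and the "missing parameter JSON" failure from the FAQ, simulated offline as an added example (not Alibaba Cloud's code and not part of the original page). The event values are constructed, matches, extract, render and deliver are hypothetical helpers, and json_escape assumes that jsonEscape performs standard JSON string escaping.

```python
import json
import re

# Constructed sample event, shaped after the JSONPaths in the page's template.
# The ARN is a placeholder; the rule name deliberately contains double quotes.
Q = "$.data.messageBody.evaluationResultIdentifier.evaluationResultQualifier"
SAMPLE_EVENT = {"source": "noncompliant.event", "data": {"messageBody": {
    "evaluationResultIdentifier": {"evaluationResultQualifier": {
        "resourceArn": "acs:ecs:cn-hangzhou:123456789012:instance/i-example",
        "configRuleName": 'ecs "public ip" check'}}}}}
PATTERN = {"source": ["noncompliant.event"]}
VARIABLES = {"resourceArn": Q + ".resourceArn",
             "configRuleName": Q + ".configRuleName"}
TEMPLATE = ('{"msgtype": "text", "text": {"content": "Resource non-compliance '
            'notification: Resource: ${resourceArn}. Rule name: ${%s}"}}')
RAW = TEMPLATE % "configRuleName"                  # template as in Step 3
ESCAPED = TEMPLATE % "jsonEscape(configRuleName)"  # template as in the FAQ

def matches(event, pattern):
    """Simplified event pattern: each listed key must hold an allowed value."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())

def extract(event, path):
    """Resolve a plain dotted JSONPath such as $.data.a.b (no wildcards)."""
    node = event
    for key in path.split(".")[1:]:
        node = node[key]
    return node

def json_escape(value):
    """Assumed jsonEscape behaviour: standard JSON string escaping."""
    return json.dumps(value)[1:-1]

def render(template, event, variables):
    """Fill ${name} / ${jsonEscape(name)} placeholders, then parse the body."""
    values = {name: str(extract(event, p)) for name, p in variables.items()}
    def fill(match):
        value = values[match.group(2)]
        return json_escape(value) if match.group(1) else value
    body = re.sub(r"\$\{(jsonEscape\()?(\w+)\)?\}", fill, template)
    return json.loads(body)  # raises JSONDecodeError if a quote broke the body

def deliver(template, event=SAMPLE_EVENT):
    """Return the DingTalk payload, None if filtered out, or an error string."""
    try:
        return render(template, event, VARIABLES) if matches(event, PATTERN) else None
    except json.JSONDecodeError as exc:
        return "invalid JSON after substitution: " + exc.msg
```

deliver(RAW) returns an error string because the quoted rule name ends the content string early, while deliver(ESCAPED) returns a payload whose content still shows the quotes.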