A custom condition rule consists of basic elements such as Resource, Condition, and DryRun. Cloud Config uses custom condition rules as one of the ways to deploy and implement rules.
Condition is a key element of a custom condition rule. A condition consists of clauses that you can combine by using logical AND or OR operators to form a more complex logical structure. A group of clauses concatenated by logical operators is called a condition group. Each clause consists of the elements featurePath, operator, and desired.
| Element | Required | Description |
| --- | --- | --- |
| featurePath | Yes | The resource characteristic, described by using JSONPath. For example, the resource status property is represented as `$.Status`. |
| featureSource | Yes | The source of the resource characteristic. |
| operator | Yes | The conditional operator. |
| desired | No | The desired value for comparison. This element can be left empty when a unary operator such as IsStringEmpty is used. |
featurePath
Cloud Config validates featurePath values against JSONPath syntax when you create or update policies. You can also use third-party JSONPath validators to check your expressions. For more information, see JSONPath.
| JSONPath | Description |
| --- | --- |
| `$` | The root object or element. |
| `@` | The current object or element. |
| `.` or `[]` | The child operator. |
| `..` | Recursive descent. JSONPath borrows this syntax from E4X. |
| `*` | The wildcard. Matches all objects or elements regardless of their names. |
| `[]` | The subscript operator. XPath uses it to iterate over element collections and for predicates. In JavaScript and JSON, it is the native array operator. |
| `[,]` | The union operator. In XPath it yields a combination of node sets; JSONPath allows alternate names or array indices as a set. |
| `[start:end:step]` | The array slice operator, borrowed from ES4. |
| `?()` | Applies a filter (script) expression. |
| `()` | A script expression, evaluated by the underlying script engine. |
- Example 1: The status characteristic of ACS::ECS::Instance is `$.Status`. Its type is determined as String, so an operator of the String type is recommended.
- Example 2: The tag characteristic of ACS::ECS::Instance is `$.Tags[*].TagKey`, and the result is an Array.
- Example 3: The permission configuration characteristic of ACS::ECS::SecurityGroup is `$.Permissions.Permission[?(@.Policy=='Accept')][?(@.IpProtocol=='TCP' || @.IpProtocol=='UDP')][?(@.SourceCidrIp=='0.0.0.0/0')].PortRange`. This expression matches entries where the policy is Accept, the protocol is TCP or UDP, and the source CIDR block is 0.0.0.0/0. You can then check whether the port range includes sensitive ports such as 22 and 3389:

```json
{
  "featureSource": "CONFIGURATION",
  "desired": "21/21,22/22,23/23,3389/3389,445/445,-1/-1",
  "children": [],
  "operator": "ExcludeAll",
  "featurePath": "$.Permissions.Permission[?(@.Policy=='Accept')][?(@.IpProtocol=='TCP' || @.IpProtocol=='UDP')][?(@.SourceCidrIp=='0.0.0.0/0')].PortRange"
}
```
featureSource
The source of the resource characteristic.
- CONFIGURATION (default value): the resource property configuration. If featureSource is left empty, the system uses the resource property by default.
- RESOURCE_RELATIONSHIP_${targetResourceType}: a resource relationship, such as RESOURCE_RELATIONSHIP_ACS::ECS::DISK.
operator
Operators are classified into logical operators and calculation operators. The logical operators are AND and OR. The following table describes the calculation operators.

| Operator | Description |
| --- | --- |
| SizeLess | The number of array elements is less than the desired value. |
| DistinctSizeGreater | The number of elements after deduplication is greater than the desired value. |
| AllGreaterOrEquals | All elements are greater than or equal to the desired value. |
| InAllItem | All elements contain the desired value. |
| AllLessOrEquals | All elements are less than or equal to the desired value. |
| AllGreater | All elements are greater than the desired value. |
| SizeGreater | The number of array elements is greater than the desired value. |
| NotContainsIP | The array does not contain the specified IP address. |
| ContainsIP | The array contains the specified IP address. |
| ContainsAny | The array does not contain any objects in the destination array. |
| NotContainsNull | The array does not contain empty elements. |
| NotContainsInternetCidr | The array does not contain public CIDR blocks. |
| IsNotEmpty | The array is not empty. |
| AllIn | All elements exist in the desired values. |
| IsEmpty | The array is empty. |
| ExcludeAll | Excludes all of the desired values. |
| ContainsAll | Contains all of the desired values. |
| NotIn | Does not exist in the desired values. |
| In | Exists in the desired values. |
| NotContains | Does not contain the desired value. |
| Contains | Contains the desired value. |
| NotBase64Contains | Does not contain the desired value. |
| Base64Contains | Contains the desired value. |
| NotBoolEquals | Is not equal to the desired value. |
| BoolEquals | Is equal to the desired value. |
| NotEquals | Is not equal to the desired value. |
| Equals | Is equal to the desired value. |
| LessOrEquals | Is less than or equal to the desired value. |
| Less | Is less than the desired value. |
| Greater | Is greater than the desired value. |
| GreaterOrEquals | Is greater than or equal to the desired value. |
| StringItemSizeGreater | The number of elements after splitting the string exceeds the specified value. |
| StringMatch | Matches the regular expression. |
| NotStringTrimIn | Valid values do not exist. |
| StringTrimIn | Valid values exist. |
| IsNotStringEmpty | The string is not empty. |
| IsStringEmpty | The string is empty. |
| NotStringContains | The string does not contain the desired value. |
| StringContains | The string contains the desired value. |
| NotStringIn | The string does not exist in the desired values. |
| StringIn | The string exists in the desired values. |
| NotStringEquals | The string is not equal to the desired value. |
| StringEquals | The string is equal to the desired value. |
desired
The desired element can be left empty when a unary operator such as IsStringEmpty is used.
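As an added example (not Cloud Config's own code or evaluation engine), the following Python evaluates the Example 3 clause, wrapped in an AND condition group with a second clause, against two constructed ACS::ECS::SecurityGroup configurations. It assumes the ExcludeAll and SizeLess semantics stated in the comments, models a condition group as an AND/OR operator with `children`, and resolves only the Example 3 featurePath, through a hand-written function rather than a JSONPath engine.

```python
# Added example, not Cloud Config's own code: a toy evaluator for clauses of the shape
# shown in Example 3, run against constructed ACS::ECS::SecurityGroup data. Assumed
# semantics: ExcludeAll passes when none of the comma-separated desired entries occurs
# in the actual array; an AND/OR group is modelled as {"operator": "AND", "children": [...]}.

PATH = ("$.Permissions.Permission[?(@.Policy=='Accept')]"
        "[?(@.IpProtocol=='TCP' || @.IpProtocol=='UDP')][?(@.SourceCidrIp=='0.0.0.0/0')].PortRange")

def open_to_internet_port_ranges(config):
    """Hand-written equivalent of PATH: PortRange of each permission whose Policy is
    Accept, IpProtocol is TCP or UDP and SourceCidrIp is 0.0.0.0/0."""
    return [p["PortRange"] for p in config["Permissions"]["Permission"]
            if p["Policy"] == "Accept" and p["IpProtocol"] in ("TCP", "UDP")
            and p["SourceCidrIp"] == "0.0.0.0/0"]

FEATURES = {PATH: open_to_internet_port_ranges}  # only this featurePath is resolvable here

# Calculation operators from the table, for the subset used below. ExcludeAll compares
# literal strings, so a permission with PortRange "1/65535" is not matched by "22/22".
OPERATORS = {
    "ExcludeAll": lambda actual, desired: not (set(actual) & set(desired.split(","))),
    "SizeLess": lambda actual, desired: len(actual) < int(desired),
}

def evaluate(clause, config):
    """True when the resource is compliant with the clause or condition group."""
    op = clause["operator"]
    if op in ("AND", "OR"):
        results = [evaluate(child, config) for child in clause["children"]]
        return all(results) if op == "AND" else any(results)
    actual = FEATURES[clause["featurePath"]](config)
    return OPERATORS[op](actual, clause.get("desired", ""))

# The clause from Example 3 as given on the page, plus a second clause in an AND group
# that also caps the number of world-reachable TCP/UDP port ranges at two.
EXAMPLE_3 = {"featureSource": "CONFIGURATION", "operator": "ExcludeAll", "children": [],
             "featurePath": PATH, "desired": "21/21,22/22,23/23,3389/3389,445/445,-1/-1"}
RULE = {"operator": "AND", "children": [EXAMPLE_3, {**EXAMPLE_3, "operator": "SizeLess", "desired": "3"}]}

def permission(policy, proto, cidr, ports):  # constructed sample data, not a real resource
    return {"Policy": policy, "IpProtocol": proto, "SourceCidrIp": cidr, "PortRange": ports}

OPEN_SSH_GROUP = {"Permissions": {"Permission": [
    permission("Accept", "TCP", "0.0.0.0/0", "22/22"),      # SSH open to the world: violation
    permission("Accept", "TCP", "0.0.0.0/0", "443/443"),
    permission("Drop", "TCP", "0.0.0.0/0", "-1/-1")]}}      # Drop policy: filtered out by PATH
LOCKED_DOWN_GROUP = {"Permissions": {"Permission": [
    permission("Accept", "TCP", "10.0.0.0/8", "22/22"),     # SSH only from the private range
    permission("Accept", "TCP", "0.0.0.0/0", "443/443")]}}
```

Under the assumed string-comparison semantics, the desired list must enumerate each PortRange value exactly as it appears in the configuration; a wider range that merely covers port 22 is not caught by this clause.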