ALIYUN::Config::Rule

ALIYUN::Config::Rule类型用于新建或修改规则。

语法

{
  "Type": "ALIYUN::Config::Rule",
  "Properties": {
    "TagKeyScope": String,
    "TagValueScope": String,
    "Description": String,
    "ExcludeResourceIdsScope": String,
    "SourceOwner": String,
    "SourceIdentifier": String,
    "MaximumExecutionFrequency": String,
    "RegionIdsScope": String,
    "ConfigRuleTriggerTypes": String,
    "ResourceGroupIdsScope": String,
    "RiskLevel": Integer,
    "ResourceTypesScope": List,
    "RuleName": String,
    "InputParameters": Map,
    "TagKeyLogicScope": String
  }
}

属性

属性名称

类型

必须

允许更新

描述

约束

ConfigRuleTriggerTypes

String

规则的触发器类型。

取值:

  • ConfigurationItemChangeNotification:规则在配置更改时触发。

  • ScheduledNotification:规则按计划触发。

ResourceTypesScope

List

需要根据规则评估的资源类型。

RiskLevel

Integer

风险等级。

取值:

  • 1:高风险。

  • 2:中风险。

  • 3:低风险。

RuleName

String

规则名称。

SourceIdentifier

String

规则标识或函数ARN。

当SourceOwner取值为ALIYUN(托管规则)时,该参数为规则标识。

当SourceOwner取值为CUSTOM_FC(用户自定义函数)时,该参数为函数ARN。

SourceOwner

String

规则来源的归属。

取值:

  • CUSTOM_FC:用户自定义函数。

  • ALIYUN:托管规则。

Description

String

规则的描述信息。

ExcludeResourceIdsScope

String

规则排除的资源ID。

多个资源ID间以半角逗号(,)分隔。

当SourceOwner取值为ALIYUN(托管规则)时该参数有效。

InputParameters

Map

规则入参。

取值示例:{"cpuCount": "2"}

MaximumExecutionFrequency

String

规则执行周期。

取值:

  • One_Hour:1小时。

  • Three_Hours:3小时。

  • Six_Hours:6小时。

  • Twelve_Hours:12小时。

  • TwentyFour_Hours:24小时。

RegionIdsScope

String

规则的地域ID。

多个地域ID间以半角逗号(,)分隔。

当SourceOwner取值为ALIYUN(托管规则)时该参数有效。

ResourceGroupIdsScope

String

规则的资源组ID。

多个资源组ID间以半角逗号(,)分隔。

当SourceOwner取值为ALIYUN(托管规则)时该参数有效。

TagKeyLogicScope

String

规则的标签键逻辑类型。

TagKeyScope

String

规则的标签键。

当SourceOwner取值为ALIYUN(托管规则)时该参数有效。

TagValueScope

String

规则的标签值。

当SourceOwner取值为ALIYUN(托管规则)时该参数有效。

返回值

Fn::GetAtt

  • TagKeyScope:规则的标签键。

  • TagValueScope:规则的标签值。

  • Description:规则的描述信息。

  • ExcludeResourceIdsScope:规则排除的资源ID。

  • SourceOwner:规则来源的归属。

  • SourceIdentifier:规则标识。

  • MaximumExecutionFrequency:规则执行周期。

  • ConfigRuleId:规则ID。

  • EventSource:事件来源。

  • RegionIdsScope:规则的地域ID。

  • ConfigRuleArn:规则ARN。

  • ConfigRuleTriggerTypes:规则的触发器类型。

  • ResourceGroupIdsScope:规则的资源组ID。

  • RiskLevel:规则的风险等级。

  • ResourceTypesScope:需要根据规则评估的资源类型。

  • RuleName:规则名称。

  • InputParameters:规则入参。

示例

YAML

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  Description:
    Default: test
    Type: String
    Description: The description of the rule
  SourceOwner:
    Type: String
    Description: 'Specifies whether you or Alibaba Cloud owns and manages the rule. Valid values:  CUSTOM_FC: The rule is a custom rule and you own the rule. ALIYUN: The rule is a managed rule and Alibaba Cloud owns the rule'
    Default: ALIYUN
  SourceIdentifier:
    Type: String
    Description: The identifier of the rule.  For a managed rule, the value is the name of the managed rule. For a custom rule, the value is the ARN of the custom rule
    Default: ecs-instances-in-vpc
  ConfigRuleTriggerTypes:
    Type: String
    Description: 'The trigger type of the rule. Valid values:  ConfigurationItemChangeNotification: The rule is triggered upon configuration changes. ScheduledNotification: The rule is triggered as scheduled.'
    Default: ConfigurationItemChangeNotification
  RiskLevel:
    Type: Number
    Description: 'The risk level of the resources that are not compliant with the rule. Valid values:  1: critical 2: warning 3: info'
    Default: 3
  ResourceTypesScope:
    Type: Json
    Description: The types of the resources to be evaluated against the rule
    Default:
      - ACS::ECS::Instance
  RuleName:
    Type: String
    Description: The name of the rule.
    Default: MyRule
Resources:
  ConfigRule:
    Type: ALIYUN::Config::Rule
    Properties:
      Description:
        Ref: Description
      SourceOwner:
        Ref: SourceOwner
      SourceIdentifier:
        Ref: SourceIdentifier
      ConfigRuleTriggerTypes:
        Ref: ConfigRuleTriggerTypes
      RiskLevel:
        Ref: RiskLevel
      ResourceTypesScope:
        Ref: ResourceTypesScope
      RuleName:
        Ref: RuleName
Outputs:
  TagKeyScope:
    Description: The rule monitors the tag key, only applies to rules created based on managed rules
    Value:
      Fn::GetAtt:
        - ConfigRule
        - TagKeyScope
  TagValueScope:
    Description: The rule monitors the tag value, only applies to rules created based on managed rules
    Value:
      Fn::GetAtt:
        - ConfigRule
        - TagValueScope
  Description:
    Description: The description of the rule
    Value:
      Fn::GetAtt:
        - ConfigRule
        - Description
  ExcludeResourceIdsScope:
    Description: The rule monitors excluded resource IDs, multiple of which are separated by commas, only applies to rules created based on managed rules, , custom rule this field is empty
    Value:
      Fn::GetAtt:
        - ConfigRule
        - ExcludeResourceIdsScope
  SourceOwner:
    Description: 'Specifies whether you or Alibaba Cloud owns and manages the rule. Valid values:  CUSTOM_FC: The rule is a custom rule and you own the rule. ALIYUN: The rule is a managed rule and Alibaba Cloud owns the rule'
    Value:
      Fn::GetAtt:
        - ConfigRule
        - SourceOwner
  SourceIdentifier:
    Description: The identifier of the rule.  For a managed rule, the value is the name of the managed rule. For a custom rule, the value is the ARN of the custom rule
    Value:
      Fn::GetAtt:
        - ConfigRule
        - SourceIdentifier
  MaximumExecutionFrequency:
    Description: 'The frequency of the compliance evaluations. Valid values:  One_Hour Three_Hours Six_Hours Twelve_Hours TwentyFour_Hours'
    Value:
      Fn::GetAtt:
        - ConfigRule
        - MaximumExecutionFrequency
  ConfigRuleId:
    Description: The ID of the rule
    Value:
      Fn::GetAtt:
        - ConfigRule
        - ConfigRuleId
  EventSource:
    Description: The event source of the rule.
    Value:
      Fn::GetAtt:
        - ConfigRule
        - EventSource
  RegionIdsScope:
    Description: The rule monitors region IDs, separated by commas, only applies to rules created based on managed rules
    Value:
      Fn::GetAtt:
        - ConfigRule
        - RegionIdsScope
  ConfigRuleArn:
    Description: config rule arn
    Value:
      Fn::GetAtt:
        - ConfigRule
        - ConfigRuleArn
  ConfigRuleTriggerTypes:
    Description: 'The trigger type of the rule. Valid values:  ConfigurationItemChangeNotification: The rule is triggered upon configuration changes. ScheduledNotification: The rule is triggered as scheduled.'
    Value:
      Fn::GetAtt:
        - ConfigRule
        - ConfigRuleTriggerTypes
  ResourceGroupIdsScope:
    Description: The rule monitors resource group IDs, separated by commas, only applies to rules created based on managed rules
    Value:
      Fn::GetAtt:
        - ConfigRule
        - ResourceGroupIdsScope
  RiskLevel:
    Description: 'The risk level of the resources that are not compliant with the rule. Valid values:  1: critical 2: warning 3: info'
    Value:
      Fn::GetAtt:
        - ConfigRule
        - RiskLevel
  ResourceTypesScope:
    Description: The types of the resources to be evaluated against the rule
    Value:
      Fn::GetAtt:
        - ConfigRule
        - ResourceTypesScope
  RuleName:
    Description: The name of the rule.
    Value:
      Fn::GetAtt:
        - ConfigRule
        - RuleName
  InputParameters:
    Description: The settings of the input parameters for the rule
    Value:
      Fn::GetAtt:
        - ConfigRule
        - InputParameters

JSON

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "Description": {
      "Default": "test",
      "Type": "String",
      "Description": "The description of the rule"
    },
    "SourceOwner": {
      "Type": "String",
      "Description": "Specifies whether you or Alibaba Cloud owns and manages the rule. Valid values:  CUSTOM_FC: The rule is a custom rule and you own the rule. ALIYUN: The rule is a managed rule and Alibaba Cloud owns the rule",
      "Default": "ALIYUN"
    },
    "SourceIdentifier": {
      "Type": "String",
      "Description": "The identifier of the rule.  For a managed rule, the value is the name of the managed rule. For a custom rule, the value is the ARN of the custom rule",
      "Default": "ecs-instances-in-vpc"
    },
    "ConfigRuleTriggerTypes": {
      "Type": "String",
      "Description": "The trigger type of the rule. Valid values:  ConfigurationItemChangeNotification: The rule is triggered upon configuration changes. ScheduledNotification: The rule is triggered as scheduled.",
      "Default": "ConfigurationItemChangeNotification"
    },
    "RiskLevel": {
      "Type": "Number",
      "Description": "The risk level of the resources that are not compliant with the rule. Valid values:  1: critical 2: warning 3: info",
      "Default": 3
    },
    "ResourceTypesScope": {
      "Type": "Json",
      "Description": "The types of the resources to be evaluated against the rule",
      "Default": [
        "ACS::ECS::Instance"
      ]
    },
    "RuleName": {
      "Type": "String",
      "Description": "The name of the rule.",
      "Default": "MyRule"
    }
  },
  "Resources": {
    "ConfigRule": {
      "Type": "ALIYUN::Config::Rule",
      "Properties": {
        "Description": {
          "Ref": "Description"
        },
        "SourceOwner": {
          "Ref": "SourceOwner"
        },
        "SourceIdentifier": {
          "Ref": "SourceIdentifier"
        },
        "ConfigRuleTriggerTypes": {
          "Ref": "ConfigRuleTriggerTypes"
        },
        "RiskLevel": {
          "Ref": "RiskLevel"
        },
        "ResourceTypesScope": {
          "Ref": "ResourceTypesScope"
        },
        "RuleName": {
          "Ref": "RuleName"
        }
      }
    }
  },
  "Outputs": {
    "TagKeyScope": {
      "Description": "The rule monitors the tag key, only applies to rules created based on managed rules",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "TagKeyScope"
        ]
      }
    },
    "TagValueScope": {
      "Description": "The rule monitors the tag value, only applies to rules created based on managed rules",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "TagValueScope"
        ]
      }
    },
    "Description": {
      "Description": "The description of the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "Description"
        ]
      }
    },
    "ExcludeResourceIdsScope": {
      "Description": "The rule monitors excluded resource IDs, multiple of which are separated by commas, only applies to rules created based on managed rules, , custom rule this field is empty",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ExcludeResourceIdsScope"
        ]
      }
    },
    "SourceOwner": {
      "Description": "Specifies whether you or Alibaba Cloud owns and manages the rule. Valid values:  CUSTOM_FC: The rule is a custom rule and you own the rule. ALIYUN: The rule is a managed rule and Alibaba Cloud owns the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "SourceOwner"
        ]
      }
    },
    "SourceIdentifier": {
      "Description": "The identifier of the rule.  For a managed rule, the value is the name of the managed rule. For a custom rule, the value is the ARN of the custom rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "SourceIdentifier"
        ]
      }
    },
    "MaximumExecutionFrequency": {
      "Description": "The frequency of the compliance evaluations. Valid values:  One_Hour Three_Hours Six_Hours Twelve_Hours TwentyFour_Hours",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "MaximumExecutionFrequency"
        ]
      }
    },
    "ConfigRuleId": {
      "Description": "The ID of the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ConfigRuleId"
        ]
      }
    },
    "EventSource": {
      "Description": "The event source of the rule.",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "EventSource"
        ]
      }
    },
    "RegionIdsScope": {
      "Description": "The rule monitors region IDs, separated by commas, only applies to rules created based on managed rules",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "RegionIdsScope"
        ]
      }
    },
    "ConfigRuleArn": {
      "Description": "config rule arn",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ConfigRuleArn"
        ]
      }
    },
    "ConfigRuleTriggerTypes": {
      "Description": "The trigger type of the rule. Valid values:  ConfigurationItemChangeNotification: The rule is triggered upon configuration changes. ScheduledNotification: The rule is triggered as scheduled.",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ConfigRuleTriggerTypes"
        ]
      }
    },
    "ResourceGroupIdsScope": {
      "Description": "The rule monitors resource group IDs, separated by commas, only applies to rules created based on managed rules",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ResourceGroupIdsScope"
        ]
      }
    },
    "RiskLevel": {
      "Description": "The risk level of the resources that are not compliant with the rule. Valid values:  1: critical 2: warning 3: info",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "RiskLevel"
        ]
      }
    },
    "ResourceTypesScope": {
      "Description": "The types of the resources to be evaluated against the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "ResourceTypesScope"
        ]
      }
    },
    "RuleName": {
      "Description": "The name of the rule.",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "RuleName"
        ]
      }
    },
    "InputParameters": {
      "Description": "The settings of the input parameters for the rule",
      "Value": {
        "Fn::GetAtt": [
          "ConfigRule",
          "InputParameters"
        ]
      }
    }
  }
}