You can use Identity and Access Management (IAM) to implement fine-grained permissions control for your Config resources. With IAM, you can:
+
- Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing Config resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Entrust an account or a cloud service to perform efficient O&M on your Config resources.
+
If your account meets your permissions requirements, you can skip this section.
+
Figure 1 shows the process flow of granting Config permissions.
+
Prerequisites
Before granting permissions, learn about permissions for Config. To grant permissions for other services, see permissions.
+
+
Process Flow
Figure 1 Process of granting Config permissions
+
- On the IAM console, create a user group and assign permissions to it (Config ReadOnlyAccess as an example).
- Create an IAM user and add it to the created group.
- Log in as the IAM user and verify permissions.
In the authorized region, perform the following operations:
+- Choose Service List > Config. In the navigation pane on the left, click Resource Compliance. On the displayed page, click Add Rule under the Rules tab. If a message appears indicating that you have insufficient permissions to perform the operation, the Config ReadOnlyAccess policy is in effect.
- Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the Config ReadOnlyAccess policy is in effect.
- Choose Service List > Config and check if you can view queries in the Advanced Queries page. If yes, the Config ReadOnlyAccess policy is in effect.
+
+
+
You can use IAM to create custom policies to supplement system-defined policies of Config. For more details, see the section "Permissions Policies and Supported Actions" in Config API Reference or Fine-Grained Permissions for Config.
+
To create a custom policy, choose either visual editor or JSON.
+
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
+
For details, see Creating a Custom Policy. The following lists an example of an Config custom policy.
+
Example Custom Policy
- Example 1: Grant permissions to add a rule
{
+ "Version": "1.1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "rms:policyAssignments:create"
+ ]
+ }
+ ]
+}
+ - Example 2: Grant permission to deny a user to run an advanced query
A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
+Assume that you want to grant the permissions of the Config FullAccess policy to a user but do not want the user to have the permission to delete rules. You can create a custom policy that denies rule deletion, and then attach this policy together with the Config FullAccess policy to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on Config rules excepting deleting them.
+The following shows an example of a deny policy:
+{
+ "Version": "1.1",
+ "Statement": [
+ {
+ "Effect": "Deny",
+ "Action": [
+ "rms:policyAssignments:delete"
+ ]
+ }
+ ]
+}
+ - Example 3: Create a custom policy containing multiple actions.
A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level).
+Example policy containing multiple actions:
+{
+ "Version": "1.1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "rms:policyAssignments:create",
+ "rms:policyAssignments:delete"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "tms:predefineTags:create",
+ "tms:predefineTags:delete"
+ ]
+ }
+ ]
+}
+
+
+
Description
Config allows you to search for, record, and continuously evaluate your resource configurations to make sure that your resources are in expected status.
+
To get full functionality of Config, you need to enable the resource recorder. If the resource recorder is disabled, you may fail to update your resource data or accurately evaluate your resources with rules. For details about how to enable and configure the resource recorder, see Configuring the Resource Recorder.
+
+
+
Architecture
Config provides you with resource information, such as resource inventory, details, relationships, and change records. It stores your resource data every 24 hours and notifications of your resource changes every 6 hours. It will also notify you when a change is made to your resources. In addition, it enables you to use Config rules to evaluate your resources.
+
- Viewing resource details: You can set multiple search options to query your resources on Config console.
- Viewing resource relationships: You can view relationships between resources on Config console.
- Viewing resource change records: You can enable and configure the resource recorder to continuously monitor resource changes.
- Sending notifications: Config will notify you when a change is made to your resources after you have enabled the resource recorder and configured a Simple Message Notification (SMN) topic.
- Storing resource change notifications: Config will store your resource change notifications every 6 hours after you have enabled the resource recorder and configured an SMN topic and an Object Storage Bucket (OBS) bucket.
- Storing resource snapshots: Config will store your resource snapshots into the specified OBS bucket every 24 hours after you have enabled the resource recorder and configured an OBS bucket.
- Evaluating resource compliance: Config evaluates your resources using rules to check whether they are compliant or not.
- Advanced query: Allows you to customize queries with ResourceQL to search for your resources.
+
+
Access Methods
You can use either of the following methods to access Config.
+
- Management Console
The console is a web-based UI, where you can perform operations easily. Log in to the management console, click 
in the upper left corner, and choose Management & Deployment > Config.
+ - Application Programming Interfaces (APIs)
To integrate Config into a third-party system for secondary development, you need to access the service by calling APIs. For details, see Config API Reference.
+
+
+
Resource
A resource is an entity that you can use on the cloud platform. A resource can be an Elastic Cloud Server (ECS), an Elastic Volume Service (EVS) disk, or a Virtual Private Cloud (VPC).
+
For details about supported resources and regions, see Supported Resources.
+
+
Resource Relationship
Resource relationships indicate how your cloud resources are associated. For example, a resource relationship can be described as an EVS disk attached to a cloud server or a cloud server deployed in a VPC.
+
For details, see Relationships with Supported Resources.
+
+
Resource Change Records
Resource change records contain resource changes in a specific period of time.
+
A record will be generated if there is a change to resource relationships or attributes.
+
Resource attributes are key and value pairs that describe the characteristics of your resources. For example, a resource attribute can be the number of CPU cores of an ECS, the capacity of an EVS disk, or the password strength of an IAM user. For more details, see How Can I Obtain Resource Attributes Reported to Config?
+
+
Resource Recorder
The resource recorder tracks changes to your cloud resources that are supported by Config. What changes are tracked depends on what a service reports to Config.
+
If you have enabled the resource recorder and specified an OBS bucket and an SMN topic when you configure the resource recorder, Config will notify you if there is a change (creation, modification, deletion, relationship change) to the resources within the monitoring scope and periodically store your notifications and resource snapshots.
+
+
Resource Compliance
You can create rules to evaluate the compliance of your resources. You can view and export information of your noncompliant resources.
+
+
Advanced Query
The advanced query allows you to quickly query specific resources, helping you obtain resource details, analyze resources from multiple perspectives, and quickly export data reports.
+
+
Table 1 lists the common functions of Config.
+
To better understand Config functions, you can learn basic concepts first.
+
+
Table 1 Common functionsCategory
+ |
+Function
+ |
+Description
+ |
+
|---|
+
+Resource list
+ |
+Querying all resources
+ |
+You can view all resource information, including the resource name, region, service, resource type, and enterprise project, from the current account.
+ |
+
+Querying details about a resource
+ |
+You can query resource details, such as the resource name, creation time, and specifications.
+ |
+
+Filtering resources
+ |
+You can set a filter criterion (resource name, resource ID, tag, or enterprise project) to quickly find out specific resources.
+ |
+
+Exporting resource information
+ |
+You can export the information about required resources in an EXCEL file.
+ |
+
+Viewing resource compliance data
+ |
+You can view compliance data of a resource.
+ |
+
+Viewing relationships of a resource
+ |
+You can view relationships of a resource.
+ |
+
+Viewing change records of a resource
+ |
+You can view change records of a resource.
+ |
+
+Resource Compliance
+ |
+Adding a rule
+ |
+You can use rules to evaluate resource compliance. You can select a custom or predefined policy and configure other related parameters when creating a rule.
+ |
+
+Evaluating resource compliance
+ |
+You can click Evaluate in the Operation column to start the evaluation.
+ |
+
+Disabling a rule
+ |
+You click Disable in the Operation column to disable a rule.
+ |
+
+Enabling a rule
+ |
+If you want to use a disabled rule, you can enable it.
+ |
+
+Modifying a rule
+ |
+If a rule does not meet your needs, you can change its configurations as needed.
+ |
+
+Deleting a rule
+ |
+You can delete a rule which is no longer needed.
+ |
+
+Noncompliant resources
+ |
+You can view and export information about all noncompliant resources.
+ |
+
+| |
+ |
+
+Resource Recorder
+ |
+Enabling the resource recorder
+ |
+You can track resource changes only after the resource recorder is enabled.
+ |
+
+Configuring the resource recorder
+ |
+You can set the monitoring scope, select an SMN topic, and configure the data storage path (OBS bucket). Then you need to grant permissions to the resource recorder for using SMN to send notifications and storing resource snapshots in the OBS bucket.
+ |
+
+Modifying the resource recorder
+ |
+You can modify resource recorder configurations, such as the monitoring scope, resource dump, SMN topic, and permissions.
+ |
+
+Disabling the resource recorder
+ |
+You can disable the resource recorder at any time.
+ |
+
+Advanced Queries
+
+
+
+
+ |
+Running an advanced query
+ |
+You can use ResourceQL to query current configurations of your resources.
+ |
+
+Creating a query
+ |
+You can add custom queries, so that you can directly run them later.
+ |
+
+Viewing a query
+ |
+You can view the name, description, and SQL statement of a query.
+ |
+
+Modifying a query
+ |
+If a custom query cannot meet your requirements, you can modify its name, description, and query statement.
+ |
+
+Deleting a query
+ |
+If a custom query is no longer needed, you can delete it.
+ |
+
+CTS
+ |
+Supported CTS operations
+ |
+CTS records operations on Config for later query, audit, and backtrack.
+ |
+
+Viewing tracing logs
+ |
+You can view or export Config operation records of the last seven days on CTS console.
+ |
+
+IAM
+ |
+Managing user permissions
+ |
+You can assign users system-defined or custom policies to decide which operations they can perform on Config.
+ |
+
+
+
+
+
If you need to assign different permissions to employees in your enterprise, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you flexibly manage resource access.
+
You can create users using IAM and grant users permissions to implement access control.
+
If your account does not need individual IAM users for permissions management, skip this chapter.
+
System-Defined Permissions for Config
By default, new IAM users do not have permissions. You need to add a user to one or more groups and attach policies to the user groups. Users in a group inherit permissions from the group, so that they can perform operations on cloud services based on the permissions.
+
Config is a global service. You do not need to repeat Config authorization for different regions or switch regions for accessing Config.
+
A user with Config read-only permissions can view all resources on the Resource List page.
+
Policy: A type of fine-grained authorization method that defines permissions required to perform operations on specific cloud resources under certain conditions. Authorization using policies is more flexible and help you implement least privilege. Most policies define permissions based on APIs. API actions are the minimum granularity of permissions. For API actions supported by Config, see the Permissions Policies and Supported Actions section in Config API Reference. For details about fine-grained permissions and their dependencies for Config, see Fine-Grained Permissions for Config.
+
Table 1 lists all the system-defined permissions supported by Config.
+
+
Table 1 System-defined permissions supported by Config.Policy
+ |
+Description
+ |
+Dependencies
+ |
+
|---|
+
+Config FullAccess
+ |
+Grants full access to Config. This policy grants you the permissions to perform all actions on the resource list, resource recorder, resource compliance, and advanced queries.
+ |
+- iam:agencies:listAgencies
- iam:roles:listRoles
- iam:permissions:grantRoleToAgency
- smn:topic:list
- obs:bucket:ListAllMyBuckets
+ |
+
+Config ReadOnlyAccess
+ |
+Grants read-only access to Config. This policy grants you read access to the resource list, resource recorder, and resource compliance.
+ |
+None
+ |
+
+
+
+
+
Table 2 lists the common operations and the system-defined permissions of Config. √ indicates that an operation is supported, and × indicates not supported.
+
+
Table 2 Common operations supported by system-defined permissionsOperation
+ |
+Config FullAccess
+ |
+Config ReadOnlyAccess
+ |
+
|---|
+
+Querying all resources
+ |
+√
+ |
+√
+ |
+
+Query details about a resource.
+ |
+√
+ |
+√
+ |
+
+Filtering resources
+ |
+√
+ |
+√
+ |
+
+Exporting resources
+ |
+√
+ |
+√
+ |
+
+Viewing resource compliance data
+ |
+√
+ |
+√
+ |
+
+Viewing relationships of a resource
+ |
+√
+ |
+√
+ |
+
+Viewing resource change history
+ |
+√
+ |
+√
+ |
+
+Querying the resource recorder
+ |
+√
+ |
+√
+ |
+
+Enabling, configuring, or modifying the resource recorder
+ |
+√
+ |
+x
+ |
+
+Disabling the resource recorder
+ |
+√
+ |
+x
+ |
+
+Querying a compliance policy
+ |
+√
+ |
+√
+ |
+
+Modifying rules
+ |
+√
+ |
+x
+ |
+
+Adding rules
+ |
+√
+ |
+x
+ |
+
+Querying rules
+ |
+√
+ |
+√
+ |
+
+Deleting rules
+ |
+√
+ |
+x
+ |
+
+Viewing resource compliance evaluation results
+ |
+√
+ |
+√
+ |
+
+Triggering a resource compliance evaluation
+ |
+√
+ |
+x
+ |
+
+Running advanced queries
+ |
+√
+ |
+x
+ |
+
+Creating advanced queries
+ |
+√
+ |
+x
+ |
+
+Querying advanced queries
+ |
+√
+ |
+√
+ |
+
+Listing advanced queries
+ |
+√
+ |
+√
+ |
+
+Updating advanced queries
+ |
+√
+ |
+x
+ |
+
+Deleting advanced queries
+ |
+√
+ |
+x
+ |
+
+
+
+
+
+
Fine-Grained Permissions for Config
If predefined permissions cannot meet your requirements, you can create custom policies. Custom policies allow you to perform fine-grained access control flexibly. For details about how to create a custom policy, see Creating a Custom Policy. For details about example custom policies, see Creating a Custom Policy.
+
The following table lists the actions and dependencies for Config.
+
+
Table 3 Actions and dependencies for the resource listAction
+ |
+Description
+ |
+Dependencies
+ |
+Applicable Scenario
+ |
+
|---|
+
+rms:resources:getHistory
+ |
+Grants the permission to view resource history.
+ |
+- rms:resources:list
- rms:resources:getRelation
- rms:resources:get
+ |
+Viewing resource history.
+ |
+
+rms:resources:getRelation
+ |
+Grants the permission to view resource relationships and relationship details.
+ |
+- rms:resources:list
- rms:resources:get
+ |
+Viewing resource relationships and relationship details
+ |
+
+rms:resources:list
+ |
+Grants the permission to view resources.
+ |
+To filter resources by enterprise project, eps:enterpriseProjects:list is required.
+ |
+Viewing, filtering, and exporting resources.
+ |
+
+rms:resources:get
+ |
+Grants the permission to view resource details.
+ |
+- rms:resources:list
- To view resource compliance information, rms:policyAssignments:get is required.
- To view resource relationship information, rms:resources:getRelation is required.
- To view resource history, rms:resources:getHistory is required.
+ |
+Viewing resource details
+ |
+
+
+
+
+
+
Table 4 Actions and dependencies for the resource recorderAction
+ |
+Description
+ |
+Dependencies
+ |
+Applicable Scenario
+ |
+
|---|
+
+rms:trackerConfig:get
+ |
+Grants the permission to query the resource recorder.
+ |
+- iam:agencies:listAgencies
- smn:topic:list
- obs:bucket:ListAllMyBuckets
+ |
+Viewing resource recorder configurations
+ |
+
+rms:trackerConfig:put
+ |
+Grants the permission to create and modify the resource recorder.
+ |
+- iam:agencies:listAgencies
- iam:roles:listRoles
- iam:permissions:grantRoleToAgency
- iam:agencies:createAgency
+ |
+Enabling, configuring, and modifying the resource recorder.
+ |
+
+rms:trackerConfig:delete
+ |
+Grants the permission to disable the resource recorder.
+ |
+rms:trackerConfig:get
+ |
+Disabling the resource recorder.
+ |
+
+
+
+
+
+
Table 5 Actions and dependencies for resource complianceAction
+ |
+Description
+ |
+Dependencies
+ |
+Applicable Scenario
+ |
+
|---|
+
+rms:policyDefinitions:get
+ |
+Grants the permission to view built-in policies.
+ |
+None
+ |
+Viewing built-in policies
+ |
+
+rms:policyAssignments:update
+ |
+Grants the permission to update rules.
+ |
+- rms:policyDefinitions:get
- rms:policyAssignments:create
+ |
+Modifying, enabling, and disabling rules
+ |
+
+rms:policyAssignments:create
+ |
+Grants the permission to create rules.
+ |
+- To create a rule with a predefined policy, rms:policyDefinitions:get is required.
- To create a custom rule, the following permissions are required:
- iam:agencies:listAgencies
- iam:roles:listRoles
- iam:permissions:grantRoleToAgency
- iam:agencies:createAgency
+
+ |
+Adding rules.
+ |
+
+rms:policyAssignments:get
+ |
+Grants the permission to view rules
+ |
+None
+ |
+Viewing rules and their details.
+ |
+
+rms:policyAssignments:delete
+ |
+Grants the permission to delete rules.
+ |
+rms:policyAssignments:get
+ |
+Deleting rules.
+ |
+
+rms:policyStates:get
+ |
+Grants the permission to query the state and evaluation result of a rule.
+ |
+rms:policyAssignments:get
+ |
+Querying the state and evaluation result of a rule. If you call an API to query the state and evaluation result of a rule, this action is required. If you use Config console, this action is not required.
+ |
+
+rms:policyStates:runEvaluation
+ |
+Grants the permission to run rules.
+ |
+rms:policyAssignments:get
+ |
+Manually triggering a rule.
+ |
+
+
+
+
+
+
Table 6 Actions and dependencies for advanced queriesAction
+ |
+Description
+ |
+Dependencies
+ |
+Applicable Scenario
+ |
+
|---|
+
+rms:resources:runQuery
+ |
+Grants the permission to run advanced queries.
+ |
+- rms:storedQueries:list
- rms:storedQueries:get
+ |
+Running advanced queries
+ |
+
+rms:storedQueries:create
+ |
+Grants the permission to create queries.
+ |
+None
+ |
+Creating queries
+ |
+
+rms:storedQueries:get
+ |
+Grants the permission to view query statements.
+ |
+rms:storedQueries:list
+ |
+Viewing query statements
+ |
+
+rms:storedQueries:list
+ |
+Grants the permission to list queries.
+ |
+None
+ |
+Listing queries.
+ |
+
+rms:storedQueries:update
+ |
+Grants the permission to update query statements
+ |
+- rms:storedQueries:list
- rms:storedQueries:get
+ |
+Modifying custom queries
+ |
+
+rms:storedQueries:delete
+ |
+Grants the permission to deleting queries.
+ |
+rms:storedQueries:list
+ |
+Deleting custom queries
+ |
+
+rms:schemas:list
+ |
+Listing advanced query schemas
+ |
+None
+ |
+Viewing resource attributes synchronized to Config.
+ |
+
+
+
+
+
+
Scenarios
You must enable the resource recorder for Config to track changes to your resource configurations.
+
You can modify or disable the resource recorder at any time.
+
This section includes the following content:
+
+
+
Enabling the Resource Recorder
If you have enabled the resource recorder and specified an OBS bucket and an SMN topic when you configure the resource recorder, Config will notify you if there is a change (creation, modification, deletion, relationship change) to the resources within the monitoring scope and periodically store your notifications and resource snapshots.
+
- Log in to the management console.
- Click
in the upper left corner. Under Management & Deployment, click Config. - In the navigation pane on the left, choose Resource Recorder.
- Toggle on the resource recorder. In the dialog box, click Yes.
Figure 1 Enabling the resource recorder
+ - Select the monitoring scope.
By default, all resources supported by Config will be recorded by the resource recorder. You can specify a resource scope for the resource recorder.
+Figure 2 Specifying the monitoring scope
+ - Specify an OBS bucket.
Specify an OBS bucket to store notifications of resource changes and resource snapshots.
+To enable the resource recorder, you must configure either an SMN topic or an OBS bucket.
+- Select an OBS bucket from the current account:
Select Your bucket and then select a bucket from the drop-down list to store resource change notifications and resource snapshots. If you need to store the notifications and snapshots to a specific folder in the OBS bucket, enter the folder name after you select a bucket. If there are no OBS buckets in the current account, create one first. For details, see Creating a Bucket.
+ - Select an OBS bucket from another account:
Select Other users' bucket and then configure Region ID and Bucket Name. If you need to store the notifications and snapshots to a specific folder in the OBS bucket, enter the folder name after you select a bucket. If you select a bucket from another account, you need required permissions granted by the account. For details, see Cross-Account Authorization.
+
+
+Figure 3 Configuring an OBS bucket
+ - (Optional) Configure an SMN topic.
Toggle on Topic, then select a region and an SMN topic for receiving notifications of resource changes.
+- Select a topic from the current account:
Select Your topic, then select a region and an SMN topic. If there are no SMN topics available, create one first. For details, see Creating a Topic.
+ - Select a topic from another account:
Select Topic under other account, then enter a topic URN. For more details about topic URN, see Concepts If you select a topic from another account, you need required permissions granted by the account. For details, see Cross-Account Authorization.
+
+
+Figure 4 Configuring an SMN topic
+ - Grant permissions.
+
- Click Save.
- In the displayed dialog box, click Yes.
+
+
Modifying the Resource Recorder
You can modify the resource recorder at any time.
+
- In the navigation pane on the left, choose Resource Recorder.
- Click Modify Resource Recorder.
Figure 6 Modify Resource Recorder
+ - Modify configurations.
- Click Save.
- In the displayed dialog box, click Yes.
+
+
Disabling the Resource Recorder
You can disable the resource recorder at any time.
+
- In the navigation pane on the left, choose Resource Recorder.
- Toggle off the resource recorder.
- In the displayed dialog box, click OK.
Figure 7 Disabling the resource recorder
+
+
+
Cross-Account Authorization
- Granting SMN topic permissions to another account
- Log in to the management console with the authorizing account and go to the SMN console.
- Attach related SMN permissions to target accounts based on Configuring Topic Policies.
+ - Granting OBS bucket permissions to another account
- Log in to the management console with the authorizing account and go to the OBS console.
- Grant related OBS permissions to target accounts based on Configuring a Custom Bucket Policy (Coding Mode).
The following is an example of a bucket policy. The policy allows the authorized account to store data into a specific object or folder in an OBS bucket. You need to configure the following parameters in a bucket policy:
+- ${account_id}: The ID of the authorized account.
- ${agency_name}: Agency name. If you choose Quick granting, this parameter will be set to rms_tracker_agency.
- ${bucket_name}: The name of an OBS bucket.
- ${folder_name}: The name of a folder in an OBS bucket. If you do not need to specify a folder or object in an OBS bucket, you do not need to configure /${folder_name}.
+{
+ "Statement": [
+ {
+ "Sid": "org-bucket-policy",
+ "Effect": "Allow",
+ "Principal": {
+ "ID": [
+ "domain/${account_id}:agency/${agency_name}"
+ ]
+ },
+ "Action": [
+ "PutObject"
+ ],
+ "Resource": [
+ "${bucket_name}/${folder_name}/RMSLogs/*/Snapshot/*",
+ "${bucket_name}/${folder_name}/RMSLogs/*/Notification/*"
+ ]
+ }
+ ]
+}
+
+
+
+
Storing Resource Change Notifications and Resource Snapshots to an Encrypted OBS Bucket
- Using an OBS bucket that is encrypted with a default key of SSE-KMS
If you need to store resource change notifications and snapshots to an OBS bucket encrypted using a default key of SSE-KMS, you need to add the KMS Administrator permission to the agency assigned to the resource recorder.
+ - Using an OBS bucket that is encrypted with a custom key of SSE-KMS
If you need to store resource change notifications and snapshots to an OBS bucket that is encrypted using a custom key of SSE-KMS, you need to add the KMS Administrator permission to the agency assigned to the resource recorder.
+If you need to store resource change notifications and snapshots to an OBS bucket that is from another account, and that is encrypted using a custom key of SSE-KMS, you need to add the KMS Administrator permission to the agency assigned to the resource recorder, and set the cross-account permission for the key at the same time. The procedure is as follows:
+- Log in to the management console and go to the Key Management Service console.
- In the Custom Keys tab, click the alias of a target key to go to its details page and create a grant on it.
- Grant the account the permission for using the key based on Creating a Grant.
- Enter the ID of the account to be authorized for Grantee.
- Select Create Data Key, Describe Key, and Decrypt Data Key for Granted Operations.
+
+
+
+
Notifications of your resource changes will be sent to the SMN topic subscribers after you enable the resource recorder and configure the SMN topic. If no topics are available, you need to create a topic, add subscriptions to the topic, and request confirmation for the subscriptions.
+
For details, see Simple Message Notification User Guide.
+
Config sends notifications when:
+
- Resources are created, modified, or deleted.
- Resource relationships change.
- Resource change notifications are saved.
- Resource snapshots are saved.
+
For details about example code for resource change notifications, see Notification Models.
+
Your resource snapshots will be stored into the specified OBS bucket every 24 hours after you enable the resource recorder.
+
The path of in an OBS bucket where the resource recorder stores your data takes the form of ${bucket_name}/${bucket_prefix}/RMSLogs/${account_id}/Snapshot/${year}/${month}/* The fields before each slash in the path indicate different layers of folders, and * indicates the name of a file. You can go to the Objects page on the OBS console and find your resource snapshots based on the paths.
+
The name of a resource snapshot file consists of the account ID, storage file type, ID of the region where the OBS bucket resides, storage time, randomly generated character string, and sequence number of the file. Each snapshot file can contain information of up to 2,000 resources. If you have more than 2,000 resources, there will be more than one files, and the name of each file will contain a sequence number (such as part-1). If you have less than 2,000 resources, there will be no sequence number in the file name. .json.gz indicates that the file is stored as a JSON package.
+
The following shows an example file name: 0926901ef980f2150fbdc001fdd23e80_Snapshot_eu-de_ResourceSnapshot_2024-07-22T221441Z_90decead-b69b-4522-a090-657d8c299d40_part-1.json.gz.
+
For more details, see Searching for an Object or Folder.
+
For details about example code for storing resource snapshots, see Resource Snapshot Storage Model.
+
After you enable the resource recorder and specify an SMN topic and an OBS bucket, Config stores your resource change notifications to the OBS bucket every 6 hours. If no topics are available, you need to create a topic, add subscription endpoints, and request subscription confirmations for the topic.
+
The path of in an OBS bucket where the resource recorder stores your resource change notifications takes the form of ${bucket_name}/${bucket_prefix}/RMSLogs/${account_id}/Notification/${year}/${month}/* The fields before each slash in the path indicate different layers of folders, and * indicates the name of a file. You can go to the Objects page on the OBS console and find your resource change notification files based on the paths.
+
The name of the file for storing your resource change notifications consists of the account ID, storage file type, ID of the region where the OBS bucket resides, service type, resource type, and storage duration. Each file contains change notifications of only one type of resource. .json.gz indicates that the file is stored as a JSON package.
+
The following shows an example name of a resource change notification file: 0926901ef980f2150fbdc001fdd23e80_Notification_eu-de_NotificationChunk_OBS_BUCKETS_2024-07-24T214735Z_2024-07-24T214759Z.json.gz
+
For more details, see Searching for an Object or Folder.
+
For details, see Simple Message Notification User Guide.
+
For details about example code for storing resource change notifications, see Storage Model of Resource Change Notifications.
+
Scenario
You can modify, enable, disable, or delete a rule at any time.
+
You can perform these operations in the rule list or on the Rules Details page. This section describes how to modify, enable, disable, or delete a rule through the rule list.
+
+
+
Disabling a Rule
- Log in to the management console.
- Click in the upper left corner. Under Management & Deployment, click Config.
- In the navigation pane on the left, choose Resource Compliance.
- On the Rules tab, locate a target rule and click Disable in the Operation column.
- In the displayed dialog box, click OK.
Figure 1 Disabling a rule
+
+
+
Enabling a Rule
- Log in to the management console.
- Click in the upper left corner. Under Management & Deployment, click Config.
- In the navigation pane on the left, choose Resource Compliance.
- On the Rules tab, locate a target rule and click Enable in the Operation column.
- In the displayed dialog box, click OK.
After a rule is enabled, it will be automatically triggered immediately.
+
Figure 2 Enabling a rule
+
+
+
Modifying a Rule
- Log in to the management console.
- Click in the upper left corner. Under Management & Deployment, click Config.
- In the navigation pane on the left, choose Resource Compliance.
- On the Rules tab, locate a target rule and click More > Modify in the Operation column.
Figure 3 Modifying a rule
+ - On Basic Configurations page, modify the rule description and click Next.
- On the Configure Rule Parameters page, configure required parameters and click Next.
The configuration items that you can modify vary for different policies.
+- Filter Type: Can be modified when Trigger Type is set to Configuration change
- Resource Scope: Can be modified when Trigger Type is set to Configuration change
- Filter Scope: Can be modified when Trigger Type is set to Configuration change.
- Execute Every: Can be modified when Trigger Type is set to Periodic execution.
- Configure Rule Parameters: For a rule created with a predefined policy, you can only modify the values of parameters for Configure Rule Parameters. For a custom rule, you can add, delete, and modify parameters.
+ - Confirm the modifications and click Submit.
After a rule is modified, it will be automatically triggered.
+
+
+
+
Deleting a Rule
Before deleting a rule, you need to disable the rule.
+
- Log in to the management console.
- Click in the upper left corner. Under Management & Deployment, click Config.
- In the navigation pane on the left, choose Resource Compliance.
- On the Rules tab, locate a target rule and click More > Delete in the Operation column.
Figure 4 Deleting a rule
+ - Click OK.
+
+
Example Function of Evaluations Triggered by Configuration Changes
Config will invoke a function like the following example when it detects a configuration change to a related resource.
+
import requests
+import http.client
+import time
+requests.packages.urllib3.disable_warnings()
+
+
+def get_policy_resource(domain_id, resource):
+ return {
+ "domain_id": domain_id,
+ "region_id": resource.get("region_id"),
+ "resource_id": resource.get("id"),
+ "resource_name": resource.get("name"),
+ "resource_provider": resource.get("provider"),
+ "resource_type": resource.get("type")
+ }
+
+
+'''
+The evaluation result of a rule will be either Compliant or NonCompliant.
+In this example, if the properties.status of a resource matches the specified ECSstatus, NonCompliant is returned. Otherwise, Compliant is returned.
+'''
+
+def evaluate_compliance(resource, parameter):
+ if resource.get("properties").get("status") == parameter.get("ECSstatus").get("value"):
+ return "NonCompliant"
+ else:
+ return "Compliant"
+
+
+def update_policy_state(token, domain_id, evaluation):
+ endpoint = "https://rms.eu-de.otc.t-systems.com"
+ url = "{}/v1/resource-manager/domains/{}/policy-states".format(endpoint, domain_id)
+ return requests.put(
+ url=url,
+ headers={
+ "X-Auth-Token": token
+ },
+ json=evaluation,
+ verify=False,
+ )
+
+
+def handler(event, context):
+ resource = event.get("invoking_event", {})
+ parameters = event.get("rule_parameter")
+ compliance_state = evaluate_compliance(resource, parameters)
+
+ requests = {
+ "policy_resource": get_policy_resource(event.get("domain_id"), resource),
+ "trigger_type": event.get("trigger_type"),
+ "compliance_state": compliance_state,
+ "policy_assignment_id": event.get("policy_assignment_id"),
+ "policy_assignment_name": event.get("policy_assignment_name"),
+ "function_urn": event.get("function_urn"),
+ "evaluation_time": event.get("evaluation_time"),
+ "evaluation_hash": event.get("evaluation_hash")
+ }
+
+ for retry in range(3):
+ response = update_policy_state(context.getToken(), event.get("domain_id"), requests)
+ if response.status_code == http.client.TOO_MANY_REQUESTS:
+ print("TOO_MANY_REQUESTS: retry again")
+ time.sleep(1)
+ else:
+ if response.status_code == http.client.OK:
+ print("Update policyState successfully.")
+ else:
+ print("Failed to update policyState.")
+ print(response.json())
+ break
+
+
Example Function for Evaluations Triggered by Periodic Execution
Config will invoke a function like the following example for a custom rule that is executed periodically.
+
import requests
+import http.client
+import time
+requests.packages.urllib3.disable_warnings()
+
+def get_policy_resource(domain_id, resource):
+ return {
+ "domain_id": domain_id,
+ "region_id": resource.get("region_id"),
+ "resource_id": resource.get("id"),
+ "resource_name": resource.get("name"),
+ "resource_provider": resource.get("provider"),
+ "resource_type": resource.get("type")
+ }
+
+'''
+The evaluation result of a rule will be either Compliant or NonCompliant.
+In this example, if ten or more ECSs are in the status of SHUTOFF, NonCompliant is returned. Otherwise, Compliant is returned.
+Here, the Config advanced query API is used. You can use related APIs of other services as needed.
+'''
+
+def evaluate_compliance(token, domain_id):
+ endpoint = "https://rms.eu-de.otc.t-systems.com"
+ url = "{}/v1/resource-manager/domains/{}/run-query".format(endpoint, domain_id)
+ body = {"expression":"select count(*) as cnt from resources where provider = 'ecs' and type = 'cloudservers' and properties.status = 'SHUTOFF'"}
+ r = requests.post(
+ url=url,
+ json=body,
+ headers={
+ "X-Auth-Token": token
+ },
+ verify=False,
+ )
+ # example {"query_info":{"select_fields":["cnt"]},"results":[{"cnt":0}]}
+ print(r.json())
+ cnt = r.json().get("results")[0].get("cnt")
+ if cnt < 10:
+ print(cnt,"Compliant")
+ return "Compliant"
+ else:
+ print(cnt,"NonCompliant")
+ return "NonCompliant"
+
+
+def update_policy_state(token, domain_id, evaluation):
+ endpoint = "https://rms.eu-de.otc.t-systems.com
+ url = "{}/v1/resource-manager/domains/{}/policy-states".format(endpoint, domain_id)
+ return requests.put(
+ url=url,
+ headers={
+ "X-Auth-Token": token
+ },
+ json=evaluation,
+ verify=False,
+ )
+
+def handler (event, context):
+ resource = event.get("invoking_event", {})
+ parameters = event.get("rule_parameter")
+ if resource.get("name") != "Account":
+ return
+ compliance_state = evaluate_compliance(context.getToken(), event.get("domain_id"))
+
+ requests = {
+ "policy_resource": get_policy_resource(event.get("domain_id"), resource),
+ "trigger_type": event.get("trigger_type"),
+ "compliance_state": compliance_state,
+ "policy_assignment_id": event.get("policy_assignment_id"),
+ "policy_assignment_name": event.get("policy_assignment_name"),
+ "function_urn": event.get("function_urn"),
+ "evaluation_time": event.get("evaluation_time"),
+ "evaluation_hash": event.get("evaluation_hash")
+ }
+
+ for retry in range(3):
+ response = update_policy_state(context.getToken(), event.get("domain_id"), requests)
+ if response.status_code == http.client.TOO_MANY_REQUESTS:
+ print("TOO_MANY_REQUESTS: retry again")
+ time.sleep(1)
+ else:
+ if response.status_code == http.client.OK:
+ print("Update policyState successfully.")
+ else:
+ print("Failed to update policyState.")
+ print(response.json())
+ break
+
+
Example Event for Evaluations Triggered by Configuration Changes
When a custom rule is triggered, Config will send an event to invoke the FunctionGraph function associated with the rule. The following example shows an event sent by Config when a custom rule was triggered by a configuration change for ecs.cloudservers.
+
{
+ "domain_id": "domain_id",
+ "policy_assignment_id": "637c6b2e6b647c4d313d9719",
+ "policy_assignment_name": "period-policy-period",
+ "function_urn": "urn:fss:region_1:123456789:function:default:test-custom-policyassignment:latest",
+ "trigger_type": "resource",
+ "evaluation_time": 1669098286719,
+ "evaluation_hash": "3bf8ecaeb0864feb98639080aea5c7d9",
+ "rule_parameter": {
+ "vpcId": {
+ "value": "fake_id"
+ }
+ },
+ "invoking_event": {
+ "id": "5e0d49c8-7ce0-4c31-9d92-28b05200b838",
+ "name": "default",
+ "provider": "vpc",
+ "type": "securityGroups",
+ "tags": {},
+ "created": "2022-11-07T12:58:46.000+00:00",
+ "updated": "2022-11-07T12:58:46.000+00:00",
+ "properties": {
+ "description": "Default security group",
+ "security_group_rules": [
+ {
+ "remote_group_id": "5e0d49c8-7ce0-4c31-9d92-28b05200b838",
+ "ethertype": "IPv6",
+ "security_group_id": "5e0d49c8-7ce0-4c31-9d92-28b05200b838",
+ "port_range_max": 0,
+ "id": "19f581bc-08a7-4037-ae59-9a6838c43709",
+ "direction": "ingress",
+ "port_range_min": 0
+ },
+ {
+ "ethertype": "IPv6",
+ "security_group_id": "5e0d49c8-7ce0-4c31-9d92-28b05200b838",
+ "port_range_max": 0,
+ "id": "75dae7b6-0b71-496f-8f11-87fb30300e18",
+ "direction": "egress",
+ "port_range_min": 0
+ }
+ ]
+ },
+ "ep_id": "0",
+ "project_id": "vpc",
+ "region_id": "region_1",
+ "provisioning_state": "Succeeded"
+ }
+}
+
+
Example Event for Evaluations Triggered by Periodic Execution
Config publishes an event when it evaluates your resources at a frequency that you specify, such as every 24 hours. The following example shows an event sent by Config when a custom rule was triggered at a specific frequency.
+
{
+ "domain_id": "domain_id",
+ "policy_assignment_id": "637c6b2e6b647c4d313d9719",
+ "policy_assignment_name": "period-policy-assignment",
+ "function_urn": "urn:fss:region_1:123456789:function:default:test-custom-policyassignment:latest",
+ "trigger_type": "period",
+ "evaluation_time": 1669098286719,
+ "evaluation_hash": "3bf8ecaeb0864feb98639080aea5c7d9",
+ "rule_parameter": {},
+ "invoking_event": {
+ "id": "domain_id",
+ "name": "Account",
+ "provider": null,
+ "type": null,
+ "tags": null,
+ "created": null,
+ "updated": null,
+ "properties": null,
+ "ep_id": null,
+ "project_id": null,
+ "region_id": "global",
+ "provisioning_state": null
+ }
+}
+
+
Scenario
After you add a rule, you can view all rules in the rule list and view evaluation results and configurations of a rule on the rule details page.
+
You can export all evaluation results. On the upper right corner of the rule details page, multiple buttons are provided for you to trigger, modify, enable, disable, or delete a rule.
+
+
Procedure
- Log in to the management console.
- Click in the upper left corner. Under Management & Deployment, click Config.
- In the navigation pane on the left, choose Resource Compliance.
- On the Rules tab, view rules, rule status, and evaluation results.
- Click the name of the target rule to go to the Rule Details page.
On the left of the Basic Information page, evaluation results are displayed, and on the right, rule details are displayed. Above the evaluation result list, you can filter evaluation results by resource name and ID. You can also export the list.
+Figure 1 Rule Details
+ A rule may be in one of the following statuses:
+
- Enabled: The rule is available.
- Disabled: The rule is disabled.
- Evaluating: The rule is evaluating resources.
- Submitting: The rule is submitting an evaluation task to the associated FunctionGraph function.
+
During the evaluation, the rule is in the Evaluating state. After the evaluation is complete, the rule status changes to Enabled, and then, you can view the evaluation results.
+
+
+
+
Resource Change Notification Model
+
Table 1 Parameters of the resource change notification modelParameter
+ |
+Type
+ |
+Description
+ |
+
|---|
+
+notification_type
+ |
+String
+ |
+The type of the notification. For a resource change notification, the notification type is ResourceChanged.
+ |
+
+notification_creation_time
+ |
+String
+ |
+The time when the message was sent.
+The notification creation time is a UTC time (such as 2018-11-14T08:59:14Z) that complies with ISO8601.
+ |
+
+domain_id
+ |
+String
+ |
+Account ID.
+ |
+
+detail
+ |
+Object
+ |
+Notification details.
+ |
+
+
+
+
+
+
Table 2 detail parametersParameter
+ |
+Type
+ |
+Description
+ |
+
|---|
+
+resource_id
+ |
+String
+ |
+Resource ID.
+ |
+
+resource_type
+ |
+String
+ |
+Resource type.
+ |
+
+event_type
+ |
+Enum
+ |
+Event type (CREATE, UPDATE, DELETE)
+ |
+
+capture_time
+ |
+String
+ |
+The event capture time.
+The event capture time is a UTC time (such as 2018-11-14T08:59:14Z) that complies with ISO8601.
+ |
+
+resource
+ |
+Object
+ |
+Resource details.
+ |
+
+
+
+
+
+
Table 3 resourceParameter
+ |
+Type
+ |
+Description
+ |
+
|---|
+
+id
+ |
+String
+ |
+Resource ID.
+ |
+
+name
+ |
+String
+ |
+Resource name.
+ |
+
+provider
+ |
+String
+ |
+Cloud service name.
+ |
+
+type
+ |
+String
+ |
+Resource type.
+ |
+
+region_id
+ |
+String
+ |
+The ID of the region where the resource resides.
+ |
+
+project_id
+ |
+String
+ |
+IAM project ID.
+ |
+
+project_name
+ |
+String
+ |
+IAM project name.
+ |
+
+ep_id
+ |
+String
+ |
+Enterprise project ID.
+ |
+
+ep_name
+ |
+String
+ |
+Enterprise project name.
+ |
+
+checksum
+ |
+String
+ |
+The checksum.
+ |
+
+created
+ |
+String
+ |
+Resource creation time.
+The resource creation time is a UTC time (such as 2018-11-14T08:59:14Z) that complies with ISO8601.
+ |
+
+updated
+ |
+String
+ |
+The time when the resource was last updated.
+The latest update time is a UTC time (such as 2018-11-14T08:59:14Z) that complies with ISO8601.
+ |
+
+provisioning_state
+ |
+String
+ |
+Resource provisioning state.
+ |
+
+tags
+ |
+Map
+ |
+Resource tags.
+ |
+
+properties
+ |
+Map
+ |
+Resource attributes.
+ |
+
+
+
+
+
+
Notification Example of Resource Changes
{
+ "detail": {
+ "resource": {
+ "id": "3e62c0e6-e779-469e-b0f2-35743f6229d1",
+ "name": "ecs-51c8",
+ "provider": "evs",
+ "type": "volumes",
+ "checksum": "b3bcc019cecbb701e324e0dcf2f283236685885236b49f5ba5ea2f5f788170a1",
+ "created": "2020-08-12T07:14:41.638Z",
+ "updated": "2020-08-12T07:14:44.423Z",
+ "tags": {},
+ "properties": {
+ "shareable": false,
+ "volumeType": "SATA",
+ "metadata": {},
+ "attachments": [],
+ "replicationStatus": "disabled",
+ "availabilityZone": "eu-de",
+ "bootable": "true",
+ "userId": "059b5c937d80d3e41ff3c00a3c883d16",
+ "volTenantAttrTenantId": "059b5e0a2500d5552fa1c00adada8c06",
+ "size": "40",
+ "encrypted": false,
+ "volumeImageMetadata": {
+ "virtualEnvType": "FusionCompute",
+ "isregistered": "true",
+ "imageSourceType": "uds",
+ "minDisk": "40",
+ "platform": "CentOS",
+ "size": 0,
+ "osVersion": "CentOS 7.5 64bit",
+ "minRam": "0",
+ "name": "CentOS 7.5 64bit",
+ "checksum": "d41d8cd98f00b204e9800998ecf8427e",
+ "osBit": "64",
+ "osType": "Linux",
+ "containerFormat": "bare",
+ "supportXen": "true",
+ "id": "e0adce3a-a4d2-4207-9018-69ce64b4426a",
+ "supportKvm": "true",
+ "diskFormat": "zvhd2",
+ "imageType": "gold"
+ },
+ "links": [
+ {
+ "rel": "self",
+ "href": "https://evs.eu-de.xxxxxx.com/v2/059b5e0a2500d5552fa1c00adada8c06/os-vendor-volumes/3e62c0e6-e779-469e-b0f2-35743f6229d1"
+ },
+ {
+ "rel": "bookmark",
+ "href": "https://evs.eu-de.xxxxxx.com/059b5e0a2500d5552fa1c00adada8c06/os-vendor-volumes/3e62c0e6-e779-469e-b0f2-35743f6229d1"
+ }
+ ],
+ "volHostAttrHost": "eu-de-pod01.eu-de#0",
+ "multiattach": false,
+ "status": "available"
+ },
+ "region_id": "eu-de",
+ "project_id": "059b5e0a2500d5552fa1c00adada8c06",
+ "project_name": "eu-de",
+ "ep_id": "0",
+ "ep_name": "default",
+ "provisioning_state": "Succeeded"
+ },
+ "resource_id": "3e62c0e6-e779-469e-b0f2-35743f6229d1",
+ "resource_type": "evs.volumes",
+ "event_type": "CREATE",
+ "capture_time": "2020-08-12T07:15:15.116Z"
+ },
+ "notification_type": "ResourceChanged",
+ "notification_creation_time": "2020-08-12T07:14:47.192Z",
+ "domain_id": "059b5c937100d3e40ff0c00a7675a0a0"
+}
+
+
Resource Snapshot Storage Model
+
Table 1 Resource snapshot storage modelParameter
+ |
+Type
+ |
+Description
+ |
+
|---|
+
+snapshot_id
+ |
+String
+ |
+Specifies the resource snapshot ID.
+ |
+
+items
+ |
+Array of Object
+ |
+Specifies the list of the resource snapshot items.
+ |
+
+snapshot_time
+ |
+String
+ |
+Specifies the time when the resource snapshot was stored.
+snapshot_time is a UTC time in a fixed format complying with ISO-8601 (for example, 2018-11-14T08:59:14Z).
+ |
+
+
+
+
+
+
Table 2 Items parametersParameter
+ |
+Type
+ |
+Description
+ |
+
|---|
+
+resource
+ |
+Object
+ |
+Specifies the resource.
+ |
+
+relations
+ |
+Array of Object
+ |
+Specifies the item list of the resource relationship.
+ |
+
+
+
+
+
+
Table 3 resource parametersParameter
+ |
+Type
+ |
+Description
+ |
+
|---|
+
+id
+ |
+String
+ |
+Specifies the resource ID.
+ |
+
+name
+ |
+String
+ |
+Specifies the resource name.
+ |
+
+provider
+ |
+String
+ |
+Specifies the cloud service name.
+ |
+
+type
+ |
+String
+ |
+Specifies the cloud resource type.
+ |
+
+region_id
+ |
+String
+ |
+Specifies the ID of the region where the resource is located.
+ |
+
+project_id
+ |
+String
+ |
+Specifies the IAM project ID.
+ |
+
+project_name
+ |
+String
+ |
+Specifies the IAM project name.
+ |
+
+ep_id
+ |
+String
+ |
+Specifies the enterprise project ID.
+ |
+
+ep_name
+ |
+String
+ |
+Specifies the enterprise project name.
+ |
+
+checksum
+ |
+String
+ |
+Specifies the checksum.
+ |
+
+created
+ |
+String
+ |
+Specifies the time when the cloud resource was created.
+created is a UTC time in a fixed format complying with ISO-8601 (for example, 2018-11-14T08:59:14Z).
+ |
+
+updated
+ |
+String
+ |
+The time when the resource was last updated.
+updated is a UTC time in a fixed format complying with ISO-8601 (for example, 2018-11-14T08:59:14Z).
+ |
+
+provisioning_state
+ |
+String
+ |
+Specifies the result of an operation on resources.
+The value can be:
+- Succeeded: The operation is successful.
- Failed: The operation fails.
- Canceled: The operation is canceled.
- Processing: The operation is in progress.
+ |
+
+tags
+ |
+Map
+ |
+Specifies the cloud resource tags.
+ |
+
+properties
+ |
+Map
+ |
+Specifies the cloud resource attributes.
+ |
+
+
+
+
+
+
Table 4 Relations parametersParameter
+ |
+Type
+ |
+Description
+ |
+
|---|
+
+from_resource_id
+ |
+String
+ |
+Specifies the ID of the source resource.
+ |
+
+to_resource_id
+ |
+String
+ |
+Specifies the ID of the associated resource.
+ |
+
+from_resource_type
+ |
+String
+ |
+Specifies the type of the source resource.
+ |
+
+to_resource_type
+ |
+String
+ |
+Specifies the type of the associated resource.
+ |
+
+relation_type
+ |
+String
+ |
+Specifies the resource relationship type.
+ |
+
+
+
+
+
+
Resource Snapshot Storage Example
{
+ "items": [
+ {
+ "resource": {
+ "id": "c25ee8b3-c907-4cd4-9869-6c4b07c61a0b",
+ "name": "rse-cdk-07-cdk-3sbz",
+ "provider": "vpc",
+ "type": "securityGroups",
+ "region_id": "eu-de",
+ "project_id": "fc6d40abe7e54492b7c7aa5a29d6cbab",
+ "project_name": "demo_project",
+ "ep_id": "0",
+ "ep_name": "default",
+ "checksum": "4098715092c762b3eafe25be8eeda33a10b547033f9d59b6e18f5a960a1f805d",
+ "updated": "2020-05-25T10:27:17.000Z",
+ "created": "2020-05-25T10:27:17.000Z",
+ "provisioning_state": "Succeeded",
+ "tags": {},
+ "properties": {}
+ },
+ "relations": [
+ {
+ "from_resource_id": "c25ee8b3-c907-4cd4-9869-6c4b07c61a0b",
+ "to_resource_id": "0088a276-162b-4f07-aa40-f6ed8b801ca1",
+ "from_resource_type": "vpc.securityGroups",
+ "to_resource_type": "ecs.cloudservers",
+ "relation_type": "isAssociatedWith"
+ }
+ ]
+ }
+ ],
+ "snapshot_id": "6e40483d-5499-4440-a369-284e528f3d85",
+ "snapshot_time": "2020-06-30T06:56:00.018Z"
+}
+
+
Storage Model of Resource Change Notifications
+
Table 1 Storage model of resource change notificationsParameter
+ |
+Type
+ |
+Description
+ |
+
|---|
+
+notification_items
+ |
+Array of Object
+ |
+Resource change notifications.
+ |
+
+
+
+
+
+
Table 2 notification_items parametersParameter
+ |
+Parameter Type
+ |
+Description
+ |
+
|---|
+
+notification_type
+ |
+String
+ |
+Notification type. For a resource change notification, the notification type is ResourceChanged.
+ |
+
+notification_creation_time
+ |
+String
+ |
+Notification sending time
+The notification sending time is a UTC time (such as 2018-11-14T08:59:14Z) that complies with ISO8601.
+ |
+
+domain_id
+ |
+String
+ |
+Account ID.
+ |
+
+detail
+ |
+Object
+ |
+Notification details.
+ |
+
+
+
+
+
+
Table 3 detail parametersParameter
+ |
+Parameter Type
+ |
+Description
+ |
+
|---|
+
+resource_id
+ |
+String
+ |
+Resource ID.
+ |
+
+resource_type
+ |
+String
+ |
+Resource type.
+ |
+
+event_type
+ |
+Enum
+ |
+Event type (CREATE, UPDATE, DELETE)
+ |
+
+capture_time
+ |
+String
+ |
+Event capture time.
+The event capture time is a UTC time (such as 2018-11-14T08:59:14Z) that complies with ISO8601.
+ |
+
+resource
+ |
+Object
+ |
+Resource details.
+ |
+
+
+
+
+
+
Table 4 resourceParameter
+ |
+Type
+ |
+Description
+ |
+
|---|
+
+id
+ |
+String
+ |
+Resource ID.
+ |
+
+name
+ |
+String
+ |
+Resource name.
+ |
+
+provider
+ |
+String
+ |
+Service name.
+ |
+
+type
+ |
+String
+ |
+Resource type.
+ |
+
+region_id
+ |
+String
+ |
+The ID of the region where the resource resides.
+ |
+
+project_id
+ |
+String
+ |
+IAM project ID.
+ |
+
+project_name
+ |
+String
+ |
+IAM project name.
+ |
+
+ep_id
+ |
+String
+ |
+Enterprise project ID.
+ |
+
+ep_name
+ |
+String
+ |
+Enterprise project name.
+ |
+
+checksum
+ |
+String
+ |
+The checksum.
+ |
+
+created
+ |
+String
+ |
+Resource creation time.
+The resource creation time is a UTC time (such as 2018-11-14T08:59:14Z) that complies with ISO8601.
+ |
+
+updated
+ |
+String
+ |
+The time when the resource was last updated.
+The resource update time is a UTC time (such as 2018-11-14T08:59:14Z) that complies with ISO8601.
+ |
+
+provisioning_state
+ |
+String
+ |
+Resource state.
+ |
+
+tags
+ |
+Map
+ |
+Resource tags.
+ |
+
+properties
+ |
+Map
+ |
+Resource attributes.
+ |
+
+
+
+
+
+
Example of Resource Change Notification Storage
{
+ "notification_items": [
+ {
+ "detail": {
+ "resource": {
+ "id": "ea05ef41-8bd6-4a9c-af39-244e1ec448eb",
+ "name": "as-group-test",
+ "provider": "as",
+ "type": "scalingGroups",
+ "checksum": "",
+ "region_id": "eu-de",
+ "project_id": "068d54ceca00d5302f70c00aaf6a471c",
+ "project_name": "test",
+ "ep_id": "0",
+ "ep_name": "default"
+ },
+ "resource_id": "ea05ef41-8bd6-4a9c-af39-244e1ec448eb",
+ "resource_type": "as.scalingGroups",
+ "event_type": "DELETE",
+ "capture_time": "2020-12-08T09:30:27.158Z"
+ },
+ "notification_type": "ResourceChanged",
+ "notification_creation_time": "2020-12-08T09:30:27.272Z",
+ "domain_id": "059b5c937100d3e40ff0c00a7675a0a0"
+ }
+ ]
+}
+
+
ResourceQL provides SQL-like functions, allowing you to flexibly query your cloud resources.
+
SELECT name, created, updated FROM resources WHERE region_id = 'regionid1'
+
The statement is case insensitive. SELECT COUNT(*) and select CoUnT(*) are the same. Use single quotation marks to represent the literal of a string.
+
The following are data types supported by ResourceQL. For the array type, [] is used to index a position, and the number starts from 1.
+
+
Table 1 Supported data typesType Name
+ |
+Type
+ |
+
|---|
+
+Integer
+ |
+Int/Integer
+ |
+
+Float
+ |
+Float/Double
+ |
+
+Boolean
+ |
+Boolean
+ |
+
+Array
+ |
+Array
+ |
+
+String
+ |
+String
+ |
+
+Dictionary
+ |
+Object
+ |
+
+Timestamp
+ |
+Date
+ |
+
+
+
+
+
All your cloud resources are included in a table. The table name is fixed to resources. The resources under your aggregator account forms a table. The table name is fixed to aggregator_resources. Each row in the table records a piece of data. The conventions of each column are as follows.
+
+
Table 2 Parameter descriptions in table resourcesParameter
+ |
+Type
+ |
+Description
+ |
+
|---|
+
+id
+ |
+String
+ |
+Specifies the resource ID.
+ |
+
+name
+ |
+String
+ |
+Specifies the resource name.
+ |
+
+provider
+ |
+String
+ |
+Specifies the cloud service name.
+ |
+
+type
+ |
+String
+ |
+Specifies the resource type.
+ |
+
+region_id
+ |
+String
+ |
+Specifies the region ID.
+ |
+
+project_id
+ |
+String
+ |
+Specifies the project ID.
+ |
+
+ep_id
+ |
+String
+ |
+Specifies the enterprise project ID.
+ |
+
+checksum
+ |
+String
+ |
+Specifies the resource checksum.
+ |
+
+created
+ |
+Date
+ |
+Specifies the time when the resource was created.
+ |
+
+updated
+ |
+Date
+ |
+Specifies the time when the resource was updated.
+ |
+
+provisioning_state
+ |
+String
+ |
+Specifies the result of an operation on resources.
+ |
+
+tag
+ |
+Array(Map<String,String>)
+ |
+Specifies the resource tag.
+ |
+
+properties
+ |
+Map<String,Object>
+ |
+Specifies the resource attribute details.
+ |
+
+
+
+
+
aggregator_resources contains domain_id that indicates the account ID. The type of a domain ID is a string.
+
provider and type represent a unique resource. For different resources, properties varies. For example, for an ECS, the provider and type are ecs and cloudservers, and the properties contains flavor. For a VPC, the provider and type are vpc and publicips, and the properties contains bandwidth.
+
You can obtain resource attributes that can be included in the properties element for each resource on Config console or by calling the related API. For more details, see How Can I Obtain Resource Attributes Reported to Config?.
+
properties supports nested queries. The following shows an example of how to query the addresses parameter under properties for the running ECS.
+
SELECT name, created, updated, properties.addresses FROM resources
+ WHERE provider = 'ecs' AND type = 'cloudservers' AND properties.status = 'ACTIVE'
+
Symbol Conventions
In this section, the words that need to be typed in the original form are capitalized, and the characters that need to be typed in the original form are enclosed in single quotation marks (').
+
'[x]' indicates that statement 'x' can be used once or not even once.
+
'(x)' indicates that statement 'x' is a whole. '(x, ...)' indicates that statement 'x' can be used once or multiple times. If statement 'x' is used multiple times, use commas (,) to separate them.
+
'|' indicates all possible alternatives.
+
'expression' indicates any expression. Specially, 'bool_expression' indicates any Boolean expression.
+
'identifier' indicates a valid identifier. An identifier can contain letters, digits, and underscores (_), and cannot start with a digit.
+
'column_name' indicates a valid field name. It can be 'identifier' or multiple identifiers, for example,'A.id'.
+
'table_name' indicates a valid table name. In the ResourceQL syntax, 'table_name' must be 'resources'.
+
A unit enclosed in double quotation marks ("") is considered as a whole. For example, to indicate a column name containing special characters, add double quotation marks ("") before and after the column name.
+
+
Basic Query Syntax
[WITH (with_item, ...)]
+SELECT [DISTINCT | ALL] (select_item, ...)
+[FROM (from_item, ...)]
+[WHERE bool_expression]
+[GROUP BY [DISTINCT | ALL] (expression, ...)]
+[HAVING booleanExpression]
+[ORDER BY (expression [ASC | DESC] [NULLS (FIRST | LAST)], ...)]
+[LIMIT number]
+
+
The field in 'select_item' can be renamed. Operation can be performed on the field values. 'select_item' supports the query of all fields in a table.
+
select_item = (expression [[AS] column_name_aias]) | *
+
'from_item' supports the join function and multiple subqueries, and the table name can be renamed.
+
from_item = table_name [[AS] table_name_aias]
+ | (from_item join_type from_item [(ON bool_expression) | USING(column_name, ...)])
+ | '(' query ')'
+
'with_item' is used to customize queries to facilitate subsequent invoking.
+
with_item = identifier AS '(' query ')'
+
For example, to list resources with a quantity greater than 100 in each region, run the following SQL statement:
+
WITH counts AS (
+ SELECT region_id, provider, type, count(*) AS number FROM resources
+ GROUP BY region_id, provider, type
+) SELECT * FROM counts WHERE number > 100
+
Numeric Operation and Boolean Operation
ResourceQL supports binary mathematical operations on integers and floating digits. The following operators are supported: '+,-,*,/,%'
+
Values of the same type can be compared. The following comparison operators are supported: <, >, <=, >=, =, <>, !=. Both <> and != indicate not equal. Values are compared in size, and strings are compared in lexicographic order. Values and sets can also be compared. In this case, one from 'ALL | SOME | ANY' on the right of the comparison operator is used to specify the comparison range. 'All' indicates that all elements in the set must be met. 'SOME/ANY' indicates that at least one element must be met.
+
expression ('=' | '<>' | '!=' | '<' | '>' | '<=' | '>=')
+expression
+expression ('=' | '<>' | '!=' | '<' | '>' | '<=' | '>=')
+[ALL | SOME | ANY] '(' query ')'
+
'bool_expression' indicates any Boolean expression. (True or False is returned after the operation.) 'bool_expression' includes the following syntax:
+
NOT bool_expression
+bool_expression (AND | OR) bool_expression
+expression [NOT] BETWEEN expression AND expression
+expression [NOT] IN '(' query ')'
+EXISTS '(' query ')'
+expression [NOT] LIKE pattern [ESCAPE escape_characters]
+expression IS [NOT] NULL
+expression IS [NOT] DISTINCT FROM expression
+
In particular, operator '||' concatenates the left and right values and returns a new value. The left and right values are of the same type: array or string.
+
+
Timestamp
ResourceQL allows you to query fields of the time type. The query result is converted to the zero time zone and returned in ISO Date format. The result is saved in milliseconds.
+
Time types can be connected by comparison operators. If you want to use a literal to indicate time, use timestamps to write 'time'. 'time' can be in any ISO date format or a common time format. The following formats are allowed:
+
2019-06-17T12:55:42.233Z
+
2019-06-17T12:55:42Z
+
2019-06-17 12:55:42
+
2019-06-17T12:55:42.00 + 08:00
+
2019-06-17 05:55:40 - 06:00
+
2019-06-17
+
2019
+
If the time zone is not added, the zero time zone is used by default. If the 24-hour time is not added, 0:00 is used by default. If the month is not added, January 1 is used by default.
+
For example, to sort resources created since 12:55:00 on September 12, 2020 by update time in descending order, run the following statement:
+
select name, created, updated from resources
+where created >= timestamp '2020-09-12T12:55:00Z'
+order by updated DESC
+
+
Fuzzy Search
string LIKE pattern [ESCAPE escape_characters]
+
'LIKE' is used to determine whether a character string complies with a pattern. If you want to express the literal of '%' and '_' in the pattern, you can specify an escape character (for example, '#') after ESCAPE and write '# %' and '#_' in the pattern.
+
Wildcard '%' indicates that zero or multiple characters are matched.
+
Wildcard '_' indicates that one character is matched.
+
The fuzzy query of OBS buckets can be written in the following format:
+
SELECT name, id FROM resources
+ WHERE provider = 'obs' AND type = 'buckets' AND name LIKE '%figure%'
+
or
+
SELECT name, id FROM resources
+ WHERE provider = 'obs' AND type = 'buckets' AND name LIKE '%figure#_%' ESCAPE '#'
+
+
Condition Functions
The return value of CASE varies according to the actual situation. CASE can be used in either of the following ways:
+
- Calculate the value of a given expression and return the corresponding result based on the value.
- Calculate the value of each bool_expression in sequence, finds the first expression that meets the requirements, and returns the result.
+
CASE expression
+ WHEN value1 THEN result1
+ [WHEN value2 THEN result2]
+ [...]
+ [ELSE result]
+END
+CASE
+ WHEN condition1 THEN result1
+ WHEN condition2 THEN result2
+ [...]
+ [ELSE result]
+END
+
IF can be used in either of the following ways:
+
- 'IF(bool_expression, value)': If the bool_expression value is true, 'value' is returned. Otherwise, NULL is returned.
- 'IF(bool_expression, value1, value2)': If the Boolean expression value is true, 'value1' is returned. Otherwise, 'value2' is returned.
+
+
Using Functions to Simplify Queries
ResourceQL provides a variety of functions to simplify queries. For details about the functions, see Functions.
+
ResourceQL supports lambda expressions. The arguments of some functions may be another function. In this case, it is convenient to use the lambda expression.
+
For example, to list the ECSs and the EVS disks attached to each ECS, run the following SQL statement:
+
SELECT ECS.id AS ecs_id, EVS.id AS evs_id FROM
+ (SELECT id, transform(properties.ExtVolumesAttached, x -> x.id) AS evs_list
+ FROM resources WHERE provider = 'ecs' AND type = 'cloudservers') ECS
+ (SELECT id FROM resources WHERE provider = 'evs' AND type = 'volumes') EVS
+ WHERE contains(ecs.evs_list, evs.id)
+
'contains(a, element)→boolean' determines whether an element appears in array a.
+
'transform(array(T), function(T, S))→array(S) can convert an array of a certain type into an array of another type.
+
+
Join and Unnest
ResourceQL supports 'JOIN' and 'UNNEST'. 'JOIN' can be classified into the following types:
+
- [INNER] JOIN
- LEFT [OUTER] JOIN
- RIGHT [OUTER] JOIN
- FULL [OUTER] JOIN
+
'JOIN' must be followed by 'USING(...)' or 'ON <bool_expression>'.
+
'USING' is used to specify the names of columns to join.
+
'ON' accepts a Boolean expression and merges values of 'JOIN' if the Boolean expression value is true. To ensure performance, there must be at least one equation in a Boolean expression in the conjunctive normal form (CNF), and the operation content at the left and right ends of the equation is provided by the left and right tables separately.
+
You can add 'NATURAL' before 'JOIN' to indicate a connection. In this case, you do not need to add 'USING' or 'ON' after 'JOIN'.
+
'UNNEST' can unpack an array into a table. With 'WITH ORDINALITY', there is an auto-increment column. The format is as follows:
+
table_name CROSS JOIN UNNEST '(' (expression, ...) ')' [WITH ORDINALITY]
+
Note that 'CROSS JOIN' can only be used to connect to 'UNNEST'. ResourceQL does not support 'CROSS JOIN' in other formats.
+
The preceding example of querying the association between an ECS and an EVS disk can also be written in the following format:
+
SELECT ECS_EVS.id AS ecs_id, EVS.id AS evs_id FROM
+ (SELECT id, evs_id FROM (SELECT id, transform(properties.ExtVolumesAttached, x ->x.id) AS evs_list
+ FROM resources WHERE provider = 'ecs' AND type = 'cloudservers') ECS
+ CROSS JOIN UNNEST(evs_list) AS t (evs_id)) ECS_EVS,
+ (SELECT id FROM resources WHERE provider = 'evs' AND type = 'volumes') EVS
+ WHERE ECS_EVS.evs_id = EVS.id
+
+
Are Resource Snapshots and Resource Change Notifications Stored into the Same OBS Bucket?
Yes, they are stored into the same OBS bucket.
+
If you specified an OBS bucket and an SMN topic when you configured the resource recorder, resource snapshots and resource change notifications are periodically stored in the OBS bucket.
+
+
How Often Are Resource Snapshots and Resource Change Notifications Stored, Respectively?
After you enable the resource recorder and specify an SMN topic and an OBS bucket, Config will store your resource snapshots to the OBS bucket every 24 hours and your resource change notifications every 6 hours.
+
+
Do I Need to Configure Both Topic and Resource Dump When I Enable and Configure the Resource Recorder?
No. However, you need to configure either Topic or Resource Dump. To enable the resource recorder, you must configure either an SMN topic or an OBS bucket.
+
+
Why Are There No Notifications of Resource Changes Even When the Resource Recorder Has Been Enabled?
The possible causes are as follows:
+
- You didn't specify an SMN topic when you configured the resource recorder. To receive resource change notifications, modify the resource recorder to configure an SMN topic.
- You did not add subscriptions or request subscription confirmations for the specified SMN topic.
- Resource changes were not reported to Config.
- There was a delay in synchronizing or sending the notification.
+
+
Why Are Resource Change Notifications Not Stored into the Configured OBS Bucket?
To store resource change notifications, you need to configure both an SMN topic and an OBS bucket.
+
To make an SMN topic effective, you not only need to create a topic, but add subscription endpoints and request subscription confirmation.
+
+
Why Do I Receive a Notification When I Did Nothing with a Resource?
If you have specified an effective SMN topic when you enabled the resource recorder, Config will send notifications of resource changes that are resulted from both user operations and non-user operations. For more details, see Notifications. You are advised to use HTTPS or FunctionGraph (functions) instead of SMS messages or emails to receive notifications from Config.
+
+
How Can I Obtain Resource Attributes Reported to Config?
You can obtain resource attributes reported to Config in either of the following ways:
+
- Go to Config console and open the Query Editor. Resource attributes that are reported to Config are displayed on the left side of the Query Editor. The following procedure shows how to open the Query Editor.
- Log in to the management console.
- Click
in the upper left corner of the page. In the service list that is displayed, under Management & Deployment, select Config. - In the navigation pane on the left, choose Advanced Queries.
- On the Default Queries tab, click Query in the Operation column of any rows.
Figure 1 Using a query
+ - View resource attributes on the left side of the Query Editor. You can also enter a resource type to search for resource attributes.
Figure 2 Viewing resource attributes
+
+ - Alternatively, you can call the the querying schema API (GET /v1/resource-manager/domains/{domain_id}/schemas) to obtain resource attributes. In the response, the type field indicates the resource type, and the schema field indicates resource attributes that are reported to Config. For more details, see Config API Reference.
+
+
Why Is an Error Reported When Data Is Dumped to the OBS Bucket After the Resource Recorder Is Enabled?
If the message "Failed to write the ConfigWritabilityCheckFile file to the OBS bucket because the OBS bucket or the IAM agency is invalid" is displayed, the possible reasons are as follows:
- The IAM agency assigned to the resource recorder does not contain the permission, obs:object:PutObject.
- If an OBS bucket from the current account was used, the reason may be that the bucket policy explicitly denies the PutObject action from the IAM agency. If an OBS bucket from another account was used, the reason may be that the bucket policy does not explicitly allow the PutObject action from the IAM agency. For more details, see Cross-Account Authorization and Effect.
- You used an encrypted OBS bucket, but the agency assigned to the resource recorder did not contain related KMS permissions. For more details, see Storing Resource Change Notifications and Resource Snapshots to an Encrypted OBS Bucket.
+
+
+
How Many Rules Can I Add?
You can add up to 500 rules in an account.
+
+
What is the Configure Rule Parameters for When I Add a Rule?
Parameters for Configure Rule Parameters vary depending on the policy selected. For example, if you select the predefined policy, required-tag-check, you will need to specify a key and value pair for Configure Rule Parameters.
+
For a predefined policy, the parameters that you need to configure for Configure Rule Parameters are also predefined. You can set different values as needed.
+
For a custom policy, you can define parameters for Configure Rule Parameters, and up to 10 parameters can be included in Configure Rule Parameters for each rule.
+
Figure 1 Configure Rule Parameters for a predefined policy
+
Figure 2 Configure Rule Parameters for a custom policy
+
+
Why Can't I Delete Resources on the Resource List Page?
On the Resource List page, you can only view resources and export resource details. To delete a resource, you need to click View Details in the Operation column to go to the corresponding service page.
+
Figure 1 Viewing resource details
+
+
Why Does Resource Information Remain Unchanged on the Resource List Page After a Change Has Been Made to My Resources?
One possible reason is that there was a delay in synchronizing related resource information to Config.
+
Another reason may be the disabled resource recorder. If the resource recorder was disabled, Config would not update resource data. If the resource recorder is enabled, Config will update related data for resources that are included in the monitoring scope within 24 hours.
+
It may also be that the resource change was not reported to Config. The services are not supposed to report all resource data to Config, just some of it. For example, Document Database Service (DDS) is not supposed to report security groups to Config, and Config will not display security group data for DDS instances.
+
+
Advanced queries allow you to query your resource configuration states for one or more regions using ResourceQL.
+
You can conveniently use ResourceQL and a query editor to search for and view your resources.
+
ResourceQL is a subset of structured query language (SQL) SELECT syntax to help you perform property-based queries and aggregations. The query complexity varies. You can query resources by tag or resource identifier, or by using complex SQL statements. For example, you can query an ECS with a specified OS version.
+
You can use Advanced Queries to:
+
- Manage inventory. For example, you can query ECSs with certain specifications.
- Check security compliance of your resources. For example, you can check if the configurations (public IPs attached or disks encrypted) of your resources meet security requirements.
- Optimize costs. For example, you can list all EVS disks that have not been attached to any ECS to avoid unnecessary expenditures.
+
You can only use advanced queries to query, view, or export cloud resources. If you need to modify or delete resources, go to related service consoles.
+
+
Scenarios
You can use the query statements preset by Config or customize query statements based on resource configuration attributes to query specific cloud resource configurations.
+
This section includes the following content:
+
+
+
Creating a Custom Query
- Log in to the management console.
- Click in the upper left corner. Under Management & Deployment, click Config.
- In the navigation pane on the left, choose Advanced Queries.
- Choose the Custom Queries tab and click Create Query in the upper right corner.
Figure 1 Create Query
+ - In the Query Editor, enter the query statements.
On the left of the page, the Schema information is displayed. Schema information shows detailed resource attributes that are specified by the properties parameter in the statement. For details about query statements, see Configuration Examples of Advanced Queries.
+ - Click Save Query and enter the query name and description.
A query name can contain only digits, letters, underscores (_), and hyphens (-). It cannot exceed 64 characters.
+ - Click OK.
Figure 2 Saving a query
+ There is a limit to how many custom queries you can create. If you exceed this limit, you will receive a notification: "The maximum number of custom queries has been reached." Although the query cannot be saved, you can still run the query and export the results.
+
+ - Click Run and then view the query results. Up to 4,000 query results can be displayed and exported.
- Click Export and select the format of the file to be exported (CSV or JSON).
+
+
Using a Predefined Query
- Choose Advanced Queries > Default Queries.
All default queries are displayed in a list.
+ - Click Query in the Operation column for the target query.
Alternatively, click the query name and then click Query in the lower right corner of the query overview page.
+Figure 3 Running a default query
+ - In the Query Editor, modify the query.
For details, see Configuration Examples of Advanced Queries.
+ - Click Save As and enter the query name and description.
- In the dialog box that is displayed, click OK.
After a new query is created, the new query becomes a custom query and will be displayed in the custom query list.
+Figure 4 Save As
+
+
+
Configuration Examples of Advanced Queries
Advanced queries use ResourceQL, a subset of SQL SELECT syntax, to query resource configuration data. You do not need to call specific APIs for the query or use multiple APIs to download full data and manually analyze the data. ResourceQL can only query data from the resources table.
+
+
Table 1 Parameter descriptions in table resourcesParameter
+ |
+Type
+ |
+Description
+ |
+
|---|
+
+id
+ |
+String
+ |
+Specifies the resource ID.
+ |
+
+name
+ |
+String
+ |
+Specifies the resource name.
+ |
+
+provider
+ |
+String
+ |
+Specifies the cloud service name.
+ |
+
+type
+ |
+String
+ |
+Specifies the resource type.
+ |
+
+region_id
+ |
+String
+ |
+Specifies the region ID.
+ |
+
+project_id
+ |
+String
+ |
+Specifies the project ID.
+ |
+
+ep_id
+ |
+String
+ |
+Specifies the enterprise project ID.
+ |
+
+checksum
+ |
+String
+ |
+Specifies the resource checksum.
+ |
+
+created
+ |
+Date
+ |
+Specifies the time when the resource was created.
+ |
+
+updated
+ |
+Date
+ |
+Specifies the time when the resource was updated.
+ |
+
+provisioning_state
+ |
+String
+ |
+Specifies the result of an operation on resources.
+ |
+
+tag
+ |
+Array(Map<String,String>)
+ |
+Specifies the resource tag.
+ |
+
+properties
+ |
+Map<String,Object>
+ |
+Specifies the resource attribute details.
+ |
+
+
+
+
+
Example quires are as follows:
+
+
- Example 2: List EVS disks with certain specifications.
SELECT *
+FROM resources
+WHERE provider = 'evs'
+ AND type = 'volumes'
+ AND properties.size = 100
+ - Example 3: List OBS buckets queried by fuzzy search.
SELECT *
+FROM resources
+WHERE provider = 'obs'
+ AND type = 'buckets'
+ AND name LIKE '%figure%'
+ - Example 4: List ECSs and the EVS disks attached to each ECS.
SELECT ECS_EVS.id AS ecs_id, EVS.id AS evs_id
+FROM (
+ SELECT id, evs_id
+ FROM (
+ SELECT id, transform(properties.ExtVolumesAttached, x -> x.id) AS evs_list
+ FROM resources
+ WHERE provider = 'ecs'
+ AND type = 'cloudservers'
+ ) ECS
+ CROSS JOIN UNNEST(evs_list) AS t (evs_id)
+) ECS_EVS, (
+ SELECT id
+ FROM resources
+ WHERE provider = 'evs'
+ AND type = 'volumes'
+ ) EVS
+WHERE ECS_EVS.evs_id = EVS.id
+ - Example 5: List ECSs and the EIPs bound to each ECS.
SELECT ECS.id AS ECS_id, publicIpAddress AS ip_address
+FROM (
+ SELECT id, transform(properties.addresses, x -> x.addr) AS ip_list
+ FROM resources
+ WHERE provider = 'ecs'
+ AND type = 'cloudservers'
+) ECS, (
+ SELECT name, properties.publicIpAddress
+ FROM resources
+ WHERE provider = 'vpc'
+ AND type = 'publicips'
+ AND properties.type = 'EIP'
+ AND properties.status = 'ACTIVE'
+ ) EIP
+WHERE CONTAINS (ECS.ip_list, EIP.name)
+ - Example 6: List resources with a quantity greater than 100 in each region.
WITH counts AS (
+ SELECT region_id, provider, type, count(*) AS number
+ FROM resources
+ GROUP BY region_id, provider, type
+)
+SELECT *
+FROM counts
+WHERE number > 100
+For details about query statements, see ResourceQL Syntax.
+
+
+
