Policy

Updated on 2024-10-15 GMT+08:00

View PDF

A policy is a logical expression used to evaluate resource compliance.

A policy cannot work on its own. Instead, you need to attach a policy to a rule.

A policy can be a JSON expression. Table 1 lists policy (JSON expression) parameters.

**Table 1** Policy parameters (JSON)
Parameter	Description	Remarks
id	Policy ID	N/A
name	Policy name	A policy name can contain up to 64 characters.
display_name	Display name of a policy	A policy display name can contain up to 64 characters.
description	Policy description	Policy description can contain up to 512 characters.
parameters	Policy parameters The following attributes are used to describe each policy parameter: name description type default_value allowed_values minimum maximum min_items max_items min_length max_length pattern	The parameter names, such as name and description contained in the compliance policy remain unchanged. name indicates the name of a rule. description: supplementary information of parameters type: the type of parameters, which can be String, Array, Boolean, Integer, or Float. default_value: Specifies the default value of parameters. If the parameter is specified, you can use it when you add a rule. allowed_values: Specifies the list of values allowed by parameters. If the parameter is specified, you can only select values from the list. Minimum value, which is valid when type is set to Integer or Float. Maximum value, which is valid when type is set to Integer or Float. Minimum items, which is valid when type is set to Array. Maximum items, which is valid when type is set to Array. Minimum string length, which is valid when type is set to String or Array. Maximum string length, which is valid when type is set to String or Array. Regular expression requirements, which is valid when type is set to String or Array.
keywords	Policy keywords	Generally, the name abbreviation of the related product is used as a keyword.
policy_type	Policy type The options are as follows: builtin custom	builtin: specifies the type of policies that are provided and maintained by Config. For details, see Built-In Policies. custom: specifies the type of policies that are customized by users.
policy_rule_type	Policy syntax	Domain Specific Language (DSL): provided by Config to write policy expressions.
trigger_type	Trigger type. The options are as follows: resource period	resource: runs when a specified resource is changed. period: specifies the frequency at which a rule is triggered.
default_resource_types	Resource type	Most policies only apply to a limited scope of resources. You are advised to use a rule to only evaluate resource types in default_resource_types.

The following is an example policy used to check whether specified images are used for ECSs.

{
  "id": "5fa265c0aa1e6afc05a0ff07",
  "name": "allowed-images-by-id",
"description": "An ECS image is non-compliant if its ID is not within the specific image ID range.",
  "parameters": {
    "listOfAllowedImages": {
      "name": "null",
      "description": "The list of allowed image IDs",
      "type": "Array"
      "allowed_values": null,
      "default_value": null,
    }
  },
  "keywords": [
    "ecs",
    "ims"
  ],
  "policy_type": "builtin",
  "policy_rule_type": "dsl",
  "trigger_type": "resource",
  "policy_rule": {
    "allOf": [
      {
         "value": "${resource().provider}",
         "comparator": "equals",
         "pattern": "ecs"
      },
      {
       "value": "${resource().type}",
       "comparator": "equals",
       "pattern": "cloudservers"
      },
      {
       "value": "${resource().properties.metadata.meteringImageId}",
        "comparator": "notIn",
        "pattern": "${parameters('listOfAllowedImages')}"
      }
    ]
   },
}

For more examples, see Example Custom Rules.

Parent topic: Compliance Rule Concepts

Previous topic: Compliance Rule Concepts

Next topic: Rule