Rule

A rule is created by specifying a policy and the application scope, for example, some resources in a region.

You can use a JSON expression to represent a rule, as shown in Table 1.

**Table 1** Rule in JSON
Parameter	Description	Limitations	Remarks
id	Specifies the unique ID of a rule.	N/A	N/A
policy_assignment_type	Specifies the rule type.	N/A	The options are as follows: builtin: built-in policy. In this case, policy_definition_id for the rule is mandatory. custom: custom policy. In this case, custom_policy for the rule is mandatory. If this parameter is not configured, builtin is used by default.
name	Specifies the rule name.	Its value must be a string with up to 64 characters.	By default, the rule name is the same as the selected policy name. You can customize the rule name. You can set a name of up to 64 characters.
description	Specifies supplementary information about the rule.	Its value must be a string with up to 512 characters.	By default, the rule description is the same as the description of the selected policy. You can customize the rule description. You can set the description of up to 512 characters.
period	Specifies how often the rule is executed.	N/A	Possible values are: One_Hour Three_Hours Six_Hours Twelve_Hours TwentyFour_Hours
policy_filter	Specifies the rule filter, which is used to filter the resources that will be evaluated by this rule. A filter has the following properties: region_id: Specifies the region ID. resource_provider: Specifies the service. resource_type: Specifies the resource type of the service. resource_id: Specifies the resource ID. tag_key: Specifies the resource tag key. tag_value: Specifies the resource tag value.	policy_filter: Its value must be an object. region_id: Its value must be a string with up to 128 characters. Only letters, digits, and hyphens (-) are allowed. resource_provider: Its value must be a string with up to 128 characters. Only letters and digits are allowed. resource_type: Its value must be a string with up to 128 characters. Only letters and digits are allowed. resource_id: Its value must be a string with up to 256 characters. tag_key: Its value must be a string with up to 128 characters. tag_value: Its value must be a string with up to 256 characters.	NOTE: resource_provider is used to determine the filter type (Specific resources or All resources). If resource_provider exists in policy_filter, the filter type is Specific resources. If resource_provider does not exist in policy_filter, the filter type is All resources. Therefore, no separate filter type property is set in policy_filter.
state	Specifies the rule status.	N/A	Possible values are: Enabled: The rule is available. Disabled: The rule is disabled. Evaluating: The rule is being used for resource compliance evaluation.
created	Specifies the time when the rule was created.	N/A	NOTE: The time is a UTC time in a fixed format complying with ISO-8601 (for example, 2018-11-14T08:59:14Z).
updated	Specifies the time when the rule was updated.	N/A
policy_definition_id	Specifies the ID of the compliance policy bound to the rule.	Its value must be a string with up to 64 characters. Only letters, digits, and hyphens (-) are allowed.	Policy ID
custom_policy	Custom policy, which contains the following attributes: function_urn: Specifies the URN of the function. auth_type: Specifies the authentication type for the function to be invoked. auth_value: Specifies the authentication value of the function to be invoked.	custom_policy: Its value is an object type. function_urn: Its value must be a string with up to 1,024 characters. auth_type: Its value must be a string. Only agency is supported. auth_value: Its value must be an object which is related to auth_type. Only the {"agency_name": value_name} structure is supported, where value_name indicates the IAM agency name configured for Config.	custom_policy specifies the URN of the function in the custom policy and the authentication type for invoking the function.
parameters	Specifies the values of rule parameters.	parameters: Its value must be an object. key: Its value must be a string including only letters and numbers. If the policy type of the rule is Custom policy, the value can have up to 1,024 characters. value: Its value must be an object, and the value restrictions vary depending on the parameter type.	The compliance policy bound to the rule has corresponding parameters. The number, type, and value range of those parameters depend on the selected compliance policy.

You cannot create a rule to evaluate another rule or a conformance package.

The following is an example policy used to check whether ECSs in region 1 have the tag (env: production).

{
  "id": "5fcd8696dfb78231e6f2f899",
  "name": "required-tag-check",
  "description": "A resource is non-compliant if it does not contain the specific tag.",
  "policy_filter": {
        "region_id": "regionid_1",
        "resource_provider": "ecs",
        "resource_type": "cloudservers",
        "tag_key": "env",
        "tag_value": "production"
  },
  "period": null,
  "state": "Enabled",
  "created": "2020-12-07T01:34:14.266Z",
  "updated": "2020-12-07T01:34:14.266Z",
  "policy_definition_id": "5fa9f89b6eed194ccb2c04db",
  "parameters": {
        "specifiedTagKey": {
        "value": "a"    },
        "specifiedTagValue": {
        "value": []
    }
  }
}

The following JSON file contains a custom rule for checking ECSs in regionid_1:

{
  "id": "719d8696dfb78231e6f2f719",
  "name": "test_consume_policy",
"description": "A resource is non-compliant if it does not contain the specific tag.",
  "policy_filter": {
        "region_id": "regionid_1",
        "resource_provider": "ecs",
        "resource_type": "cloudservers",
        "tag_key": null,
        "tag_value": null
  },
  "period": null,
  "state": "Enabled",
  "created": "2022-07-19T01:34:14.266Z",
  "updated": "2022-07-19T01:34:14.266Z",
  "policy_definition_id": null,
  "custom_policy": {  
    "function_urn": "urn:fss:regionid_1:projectidforpolicy:function:default:test_consume_policy:latest",  
    "auth_type": "agency",  
    "auth_value": {"agency_name": "rms_fg_agency"}
  },
  "parameters": {
        "vpcId": {"value": "allowed-vpc-id"}
    }
  }
}

Parent topic: Compliance Rule Concepts

Previous topic: Policies

Next topic: Evaluation Results