Updated on 2024-10-15 GMT+08:00

Policy

A policy is a logical expression used to evaluate resource compliance.

A policy cannot work on its own. Instead, you need to attach a policy to a rule.

A policy can be a JSON expression. Table 1 lists policy (JSON expression) parameters.

Table 1 Policy parameters (JSON)

Parameter: id
Description: Policy ID
Remarks: N/A

Parameter: name
Description: Policy name
Remarks: A policy name can contain up to 64 characters.

Parameter: display_name
Description: Display name of a policy
Remarks: A policy display name can contain up to 64 characters.

Parameter: description
Description: Policy description
Remarks: A policy description can contain up to 512 characters.

Parameter: parameters
Description: Policy parameters
Remarks: Each policy parameter is described by the following attributes. The attribute names are fixed and must be used as given:
  • name: the name of a rule.
  • description: supplementary information about the parameter.
  • type: the parameter type, which can be String, Array, Boolean, Integer, or Float.
  • default_value: the default value of the parameter. If it is specified, you can use it when you add a rule.
  • allowed_values: the list of values the parameter accepts. If it is specified, you can only select values from the list.
  • minimum: the minimum value, valid when type is Integer or Float.
  • maximum: the maximum value, valid when type is Integer or Float.
  • min_items: the minimum number of items, valid when type is Array.
  • max_items: the maximum number of items, valid when type is Array.
  • min_length: the minimum string length, valid when type is String or Array.
  • max_length: the maximum string length, valid when type is String or Array.
  • pattern: a regular expression the value must match, valid when type is String or Array.

Parameter: keywords
Description: Policy keywords
Remarks: Generally, the abbreviated name of the related product is used as a keyword.

Parameter: policy_type
Description: Policy type
Remarks: The options are as follows:
  • builtin: policies that are provided and maintained by Config. For details, see Built-In Policies.
  • custom: policies that are customized by users.

Parameter: policy_rule_type
Description: Policy syntax
Remarks: Domain Specific Language (DSL): provided by Config for writing policy expressions.

Parameter: trigger_type
Description: Trigger type
Remarks: The options are as follows:
  • resource: the rule runs when a specified resource is changed.
  • period: the rule runs at a specified frequency.

Parameter: default_resource_types
Description: Resource type
Remarks: Most policies apply only to a limited scope of resources. You are advised to configure a rule to evaluate only the resource types listed in default_resource_types.

The following is an example policy used to check whether specified images are used for ECSs.

{
  "id": "5fa265c0aa1e6afc05a0ff07",
  "name": "allowed-images-by-id",
  "description": "An ECS image is non-compliant if its ID is not within the specific image ID range.",
  "parameters": {
    "listOfAllowedImages": {
      "name": "null",
      "description": "The list of allowed image IDs",
      "type": "Array",
      "allowed_values": null,
      "default_value": null
    }
  },
  "keywords": [
    "ecs",
    "ims"
  ],
  "policy_type": "builtin",
  "policy_rule_type": "dsl",
  "trigger_type": "resource",
  "policy_rule": {
    "allOf": [
      {
        "value": "${resource().provider}",
        "comparator": "equals",
        "pattern": "ecs"
      },
      {
        "value": "${resource().type}",
        "comparator": "equals",
        "pattern": "cloudservers"
      },
      {
        "value": "${resource().properties.metadata.meteringImageId}",
        "comparator": "notIn",
        "pattern": "${parameters('listOfAllowedImages')}"
      }
    ]
  }
}
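The following is an added example, not part of this page and not Config's own evaluation engine. It is a small Python script that checks a policy definition against the limits in Table 1, checks the values a rule supplies against the parameter constraint attributes (allowed_values, minimum, maximum, min_items, max_items, min_length, max_length, pattern), and then evaluates the policy_rule expression against constructed resource records. The expression resolver, the anyOf combinator and the notEquals/in comparators, and the min_items and pattern constraints on the sample parameter are assumptions added for illustration; the reading that a matching policy_rule marks the resource non-compliant follows the description in the example above.

```python
import re
from typing import Any

# Value types and size limits taken from Table 1 on this page.
PARAM_TYPES = {"String", "Array", "Boolean", "Integer", "Float"}
MAX_LEN = {"name": 64, "display_name": 64, "description": 512}

# Constructed policy, modelled on the allowed-images-by-id example above. The
# min_items and pattern constraints are assumptions added only to exercise the checks.
POLICY = {
    "id": "5fa265c0aa1e6afc05a0ff07",
    "name": "allowed-images-by-id",
    "description": "An ECS image is non-compliant if its ID is not within the specific image ID range.",
    "parameters": {
        "listOfAllowedImages": {
            "description": "The list of allowed image IDs",
            "type": "Array",
            "min_items": 1,
            "pattern": r"^img-[a-z0-9-]+$",
        }
    },
    "keywords": ["ecs", "ims"],
    "policy_type": "builtin",
    "policy_rule_type": "dsl",
    "trigger_type": "resource",
    "policy_rule": {
        "allOf": [
            {"value": "${resource().provider}", "comparator": "equals", "pattern": "ecs"},
            {"value": "${resource().type}", "comparator": "equals", "pattern": "cloudservers"},
            {"value": "${resource().properties.metadata.meteringImageId}",
             "comparator": "notIn", "pattern": "${parameters('listOfAllowedImages')}"},
        ]
    },
}


def validate_policy(policy: dict) -> list[str]:
    """Check a policy definition against the Table 1 limits; returns a list of problems."""
    problems = []
    for field, limit in MAX_LEN.items():
        if field in policy and len(policy[field]) > limit:
            problems.append(f"{field} exceeds {limit} characters")
    if policy.get("policy_type") not in {"builtin", "custom"}:
        problems.append("policy_type must be builtin or custom")
    if policy.get("trigger_type") not in {"resource", "period"}:
        problems.append("trigger_type must be resource or period")
    for pname, spec in policy.get("parameters", {}).items():
        if spec.get("type") not in PARAM_TYPES:
            problems.append(f"parameter {pname}: unknown type {spec.get('type')!r}")
    return problems


def check_rule_arguments(policy: dict, args: dict) -> list[str]:
    """Check the values a rule supplies against each parameter's constraint attributes."""
    problems = []
    for pname, spec in policy.get("parameters", {}).items():
        if pname not in args:
            if spec.get("default_value") is None:
                problems.append(f"{pname}: no value supplied and no default_value")
            continue
        value, ptype = args[pname], spec.get("type")
        # String-level checks apply to a String value, or to every element of an Array.
        items = value if ptype == "Array" else [value]
        if ptype in ("Integer", "Float"):
            if "minimum" in spec and value < spec["minimum"]:
                problems.append(f"{pname}: {value} below minimum {spec['minimum']}")
            if "maximum" in spec and value > spec["maximum"]:
                problems.append(f"{pname}: {value} above maximum {spec['maximum']}")
        if ptype == "Array":
            if "min_items" in spec and len(value) < spec["min_items"]:
                problems.append(f"{pname}: fewer than {spec['min_items']} items")
            if "max_items" in spec and len(value) > spec["max_items"]:
                problems.append(f"{pname}: more than {spec['max_items']} items")
        for item in items:
            if spec.get("allowed_values") is not None and item not in spec["allowed_values"]:
                problems.append(f"{pname}: {item!r} not in allowed_values")
            if ptype in ("String", "Array"):
                if "min_length" in spec and len(item) < spec["min_length"]:
                    problems.append(f"{pname}: {item!r} shorter than {spec['min_length']}")
                if "max_length" in spec and len(item) > spec["max_length"]:
                    problems.append(f"{pname}: {item!r} longer than {spec['max_length']}")
                if "pattern" in spec and not re.fullmatch(spec["pattern"], item):
                    problems.append(f"{pname}: {item!r} does not match pattern")
    return problems


# Assumed grammar for the two ${...} forms used in the example above.
RESOURCE_REF = re.compile(r"^\$\{resource\(\)((?:\.[A-Za-z_]\w*)+)\}$")
PARAM_REF = re.compile(r"^\$\{parameters\('(\w+)'\)\}$")


def resolve(expr: Any, resource: dict, args: dict) -> Any:
    """Resolve a ${resource().a.b} path or ${parameters('x')} reference; anything else is a literal."""
    if not isinstance(expr, str):
        return expr
    if m := RESOURCE_REF.match(expr):
        node = resource
        for key in m.group(1).lstrip(".").split("."):
            if not isinstance(node, dict) or key not in node:
                return None  # missing attribute resolves to None rather than raising
            node = node[key]
        return node
    if m := PARAM_REF.match(expr):
        return args.get(m.group(1))
    return expr


# equals and notIn appear on the page; notEquals and in are assumed complements.
COMPARATORS = {
    "equals": lambda v, p: v == p,
    "notEquals": lambda v, p: v != p,
    "in": lambda v, p: v in (p or []),
    "notIn": lambda v, p: v not in (p or []),
}


def evaluate(node: dict, resource: dict, args: dict) -> bool:
    """Evaluate an allOf/anyOf tree (anyOf is assumed) down to comparator leaves."""
    if "allOf" in node:
        return all(evaluate(child, resource, args) for child in node["allOf"])
    if "anyOf" in node:
        return any(evaluate(child, resource, args) for child in node["anyOf"])
    value = resolve(node["value"], resource, args)
    pattern = resolve(node["pattern"], resource, args)
    return COMPARATORS[node["comparator"]](value, pattern)


def is_noncompliant(policy: dict, args: dict, resource: dict) -> bool:
    """True when policy_rule matches; per the example's description, a match is the non-compliant case."""
    return evaluate(policy["policy_rule"], resource, args)


# Constructed resource records in the shape the rule's value expressions expect.
ECS_OK = {"provider": "ecs", "type": "cloudservers",
          "properties": {"metadata": {"meteringImageId": "img-allowed-001"}}}
ECS_BAD = {"provider": "ecs", "type": "cloudservers",
           "properties": {"metadata": {"meteringImageId": "img-other-999"}}}
OBS_BUCKET = {"provider": "obs", "type": "buckets", "properties": {}}
RULE_ARGS = {"listOfAllowedImages": ["img-allowed-001"]}

if __name__ == "__main__":
    print("policy problems:", validate_policy(POLICY))
    print("argument problems:", check_rule_arguments(POLICY, RULE_ARGS))
    for label, res in (("ECS_OK", ECS_OK), ("ECS_BAD", ECS_BAD), ("OBS_BUCKET", OBS_BUCKET)):
        print(label, "non-compliant" if is_noncompliant(POLICY, RULE_ARGS, res) else "compliant")
```

Note that the two leading equals clauses on provider and type act as the resource-type scope: a resource that is not an ECS cloud server never reaches the notIn check, which is the same effect default_resource_types is meant to give a rule.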

For more examples, see Example Custom Rules.