Bidirectional DingTalk-Lark ECS Provisioning Loop

Scenario

Developers use this bidirectional loop to automate infrastructure provisioning triggered by HR or IT approval workflows in DingTalk or Lark. It eliminates manual ticket routing by capturing approval payloads, executing remote provisioning scripts on ECS instances, and pushing real-time completion status and audit logs back to the originating group chat.

Integration steps

1. Configure Collaboration Webhook: In DingTalk/Lark, create a custom bot and extract the HTTPS webhook URL. Set the bot to POST JSON approval payloads to a secure ingress endpoint.
2. Create EventBridge HTTP API Source: Use eb-integrate-events to provision a custom event source. Map the inbound webhook to a CloudEvents schema:

``json {"source": "dingtalk.approval", "detail-type": "ProvisionRequest", "detail": {"emp_id": "E123", "role": "devops"}} ``

3. Define EventBridge Rule & ECS Target: Create a rule matching $.source == "dingtalk.approval". Set the target to ACS::ECS::RunCommand with the following target config:

``json {"CommandId": "c-uf6d8f...", "InstanceIds": ["i-uf6abc..."], "Timeout": 300} ``

4. Deploy Provisioning Script: Upload /opt/provision.sh to the target Alinux ECS instance. The script must parse {{.detail.emp_id}}, install dependencies, create users, and exit with 0 on success.
5. Execute via Cloud Assistant: Trigger the workflow using ecs-execute-instances:

``bash aliyun ecs InvokeCommand --CommandId c-uf6d8f... --InstanceId i-uf6abc... --Parameters '{"emp_id":"E123","role":"devops"}' ``

6. Route Completion Back: Configure a second EventBridge rule to match $.detail.InvocationStatus == "Success". Set its target to an HTTP POST action that calls the DingTalk/Lark webhook with the audit payload.

Architecture

DingTalk/Lark pushes approval payloads via HTTPS to an EventBridge HTTP API event source. EventBridge evaluates a pattern-matching rule and routes the event to the ECS Cloud Assistant target. Cloud Assistant securely executes the shell script on the designated Alinux ECS instance via the acs:ecs:RunCommand API. Upon completion, Cloud Assistant emits an InvocationResult event back to EventBridge. A secondary rule matches this completion event and triggers an HTTP POST to the original DingTalk/Lark webhook, closing the loop with real-time status.

Prerequisites

• Alibaba Cloud account with EventBridge, ECS, and Cloud Assistant enabled
• Target ECS instance running Alibaba Cloud Linux with aliyun-service (Cloud Assistant agent) active
• DingTalk/Lark group chat with a verified custom bot webhook URL
• RAM role granting AliyunEventBridgeRolePolicy and AliyunECSAssistantAccess
• Outbound HTTPS connectivity from ECS to EventBridge endpoints

Common pitfalls

• Missing Cloud Assistant Agent: Commands fail if aliyun-service isn't running. Verify with systemctl status alicloud-service.
• Webhook Signature Validation: DingTalk/Lark require HMAC-SHA256 signatures. Bypassing validation causes EventBridge to drop inbound events.
• EventBridge Timeout Limits: Cloud Assistant defaults to 600s. Long provisioning scripts trigger InvocationTimeout; adjust Timeout in RunCommand.
• Idempotency Failures: EventBridge retries can duplicate runs. Implement file locks or state checks in /opt/provision.sh to prevent duplicate resource creation.

Typical questions

• DingTalk approval triggers ECS and sends result back
• round-trip DingTalk ECS automation
• Lark event provisions server then notifies completion
• bidirectional DingTalk ECS workflow
• approval triggers script and reports back to chat
• 钉钉审批触发ECS并回报结果
• 飞书事件驱动服务器配置并通知完成
• EventBridge双向集成DingTalk通知

Q: How does the bidirectional DingTalk or Lark ECS provisioning workflow operate? A: The workflow routes DingTalk or Lark approval events into EventBridge to trigger ECS Cloud Assistant provisioning scripts, then sends the completion status and audit results back to the respective group chats. This creates a full request-to-confirmation cycle that automates processes like new hire onboarding or resource requests.