A Team:

  • Is an organization or company using GorillaStack
  • Can have multiple User members
  • Can support smaller groupings of Users as User Groups
  • Is the entity to which AWS Accounts and Azure Subscriptions are linked
  • Is the single billing entity for subscriptions


A User is an entity with access to GorillaStack and can be a member of many Teams.


A Role can be assigned to a User to control their capacity to perform operations in GorillaStack. A Role defines policies that allow and/or deny privileges.

A Role can optionally specify a parent Role, from which it inherits policies.

More about our role based access control (RBAC).

User Group

A User Group is group of Users in a Team. Within the scope of a User Group, a User can be assigned any Role. The Role assigned to a User in a User Group defines their level of privilege when interacting with GorillaStack entities owned by that User Group.

A single User Group can be selected as an owner of many Rules.

User Groups are a feature restricted to enterprise customers.


A Rule defines how one or multiple Actions are performed on their targeted resources within a given Context in response to a Trigger.


The Context is the scope of a Rule. A completed Context will specify:

  • The target Platform (AWS/Azure)
  • The appropriate scope for the selected cloud Platform, either:

    • One, many or all AWS Accounts and AWS Regions
    • One, many or all Azure Subscriptions


The Trigger is the observed event that will cause the Rule to run once.


An Action is an automation capability specifying how GorillaStack is to interact with targeted cloud resources in response to the observed Trigger. A Rule can support one or many Actions.


A Pause can be substituted in place of an Action. A Pause is designed to be used as a utility to control Action execution flow.

Tag Group

A Tag Group:

  • Is an entity used in an Action to define how cloud resources are to be targeted
  • Consists of key:value pairs and a boolean expression to enable flexible filtering of your resources based on their tags
  • Is created separate to Rules, allowing it to be re-used in any Rule Action

At time of execution of a Rule Action featuring a Tag Group selection, all resources within the defined Rule Context are filtered against the Tag Group. This makes resource targeting in GorillaStack low maintenance and highly scalable.

Once in use Tag Groups cannot be modified. Where Users wish to update a Tag Group they should:

  • Clone the existing Tag Group
  • Save the new version of the Tag Group
  • Update the Tag Group selection in Rules

More about targeting resources with tag groups.

AWS Account Groups

AWS Account Groups make it easier to target many AWS Accounts in a Rule. Once an AWS Account Group is created and selected in a Rule Context, a User only has to modify the AWS Account Group to influence which AWS Accounts are included in the scope or Context in those Rules.

For example:

For a hypothetical Team using AWS Account Groups, four different GorillaStack Rules exist with the responsibilities of starting and stopping non-production EC2 and RDS Instances.

An AWS Account Group named `non-prod` is selected in each Rule context, effectively targeting 23 non-production AWS Accounts across all Rules.

The Team admins then wish to add another non-production AWS Account to GorillaStack. The admins can add the AWS Account to GorillaStack, and then select the new AWS Account as a member of the `non-prod` AWS Account Group. The existing Rules will now target the new AWS Account, no further manual changes of Rule contexts required.


A template is a static definition of GorillaStack resources. Templates can be deployed to create many resources (Rules, Tag Groups) at once.