Management zone based on AWS account ID

Mat-Moo
Frequent Guest

Thought this would be easy 😞

Currently combining 4 Dynatrace environments (1 for each of our AWS estates DEV->UAT->STG->PRD), into 1 environment, then using MZ to split the data.

I created 4 MZ rules, and used the AWS account ID to split the data, but this is not reflected in Services / Traces etc.? I would have thought that logically a service running on ECS would just be connected without any hassle? But none of my services show when I select a MZ - so it seems I also need to tag these as well.

Can I tag at our activegateway? Or use the gateway id as a way to split data into MZ?

Frustrated, should be easy

DanielS
DynaMight Guru

Hello @Mat-Moo, you can use an entity selector to tag your services running on AWS. In my case:

 

type(SERVICE),fromRelationships.runsOn(type(AWS_LAMBDA_FUNCTION),fromRelationships.isAccessibleBy(type(AWS_CREDENTIALS),awsAccountId("XXxxXxxxxXXXX")))

 

 

The true delight is in the finding out rather than in the knowing.

Thanks, it kinda makes sense, but I'm still not there. I'm using ECS Fargate on AWS, [API requests] if I get the ECS service entityId, I can see a link to the Host, and the host should give me the ability to check AWS accountID? Could I use the activegatewayId as the MZ definer? 

Be nice to have an easier way to explore relationships etc. except via api post request 🙂

If you are using Fargate, I wrote the following article. It would be easy to separate in host groups and later assign host and services to MZ. I'm doing that. AFAIK you can't use AG id.

The true delight is in the finding out rather than in the knowing.

We deploy the same container over all the AWS estates, so adding to the container doesn't make sense to me?

Your original reply makes sense, I'm just struggling with the syntax - If I understand this, I need to follow the tree, Service -> Host -> account id, I don't use lambda but I can see that the fromRelationships connects to a HOST, so I thought I could do something like

type(SERVICE),fromRelationships.runsOn(type(HOST),fromRelationships.isAccessibleBy(type(AWS_CREDENTIALS),awsAccountId("XXxxXxxxxXXXX")))

@Mat-Moo you need to query the entities API to have all valid relationships but based on what you say:

type(SERVICE),fromRelationships.runsOnHost(type(HOST),fromRelationships.runsOn(type(EC2_INSTANCE),fromRelationships.isAccessibleBy(type(AWS_CREDENTIALS),awsAccountId("XXxxXxxxxXXXX"))))

 Hope it helps!!!

The true delight is in the finding out rather than in the knowing.

All starting to click, but so close but so far. When I use the above and do preview I get no matching entities. Looking at my API responses, runsonHost is good, but then runsOn(type(EC2_INSTANCE) - nothing I can see in the api responses. In fact the fromRelationships only contains a single item, which is a RELATIONAL_DATABASE_SERVICE.

The service is linked to a PROCESS_GROUP which has the AWS_CLUSTER name, I'm wondering if I can use that property metadata to link instead? but this is where my entity selector syntax lets me down - type(SERVICE)->fromRelationship(PROCESS_GROUP)->isAccessableBy(typeAWS_Credentials),awsAccountID("XXX"))

Thanks for help so far btw

Hi @Mat-Moo, under {{baseUrl}}/entityTypes?pageSize=500 you can see the relations. But maybe this approach is better.

 

type(SERVICE),fromRelationships.runsOn(type(PROCESS_GROUP),metadata("AWS_ECS_CLUSTER:arn:aws:ecs:us-west-2:XXXXXXXxxxXXXXXxxXX"))

 

 

The true delight is in the finding out rather than in the knowing.

I've just realised the ARN includes the AWS account id, so it could be as simple as type(SERVICE),fromRelationships.runsOn(type(PROCESS_GROUP),metadata("AWS_ECS_CLUSTER:*XXX*")) - but now I can't figure out the wildcard selection (Not sure it's possible) - or even metadata.startsWith("AWS_ECS_CLUSTER:xxxx"))

Unluckily it isn't possible to use Wildcards at that level.

The true delight is in the finding out rather than in the knowing.

BTW your last answer is almost perfect, but with 20+ clusternames, would be hard to maintain, hence the wildcard

type(SERVICE),fromRelationships.runsOnHost(type(HOST),fromRelationships.isNetworkClientOfHost(type(RELATIONAL_DATABASE_SERVICE),fromRelationships.isAccessibleBy(type(AWS_CREDENTIALS),awsAccountId("XXXXX"))))

Bit messy but works - I have some services that use non-relational DBs though so need to look at those now as well. In the meantime, looking at the one-agent to see if I can inject a tag to make life easier
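
An added example, not part of the thread and not Dynatrace code: since the metadata("AWS_ECS_CLUSTER:...") selector above cannot take a wildcard, one way to keep 20+ clusters maintainable is to generate one selector per cluster from an inventory of cluster ARNs, grouped by the account ID embedded in each ARN. It assumes the AWS_ECS_CLUSTER metadata value is the full cluster ARN; the account IDs, cluster names and zone names are constructed.

```python
import re
from collections import defaultdict

# ECS cluster ARN: arn:<partition>:ecs:<region>:<12-digit account>:cluster/<name>
ECS_CLUSTER_ARN = re.compile(
    r"^arn:(?:aws|aws-cn|aws-us-gov):ecs:[a-z0-9-]+:(\d{12}):cluster/[A-Za-z0-9_-]{1,255}$"
)

# Selector shape copied from the thread; only the metadata value varies.
SELECTOR = ('type(SERVICE),fromRelationships.runsOn(type(PROCESS_GROUP),'
            'metadata("AWS_ECS_CLUSTER:{arn}"))')


def selectors_by_zone(cluster_arns, account_to_zone):
    """Return ({zone: [selector, ...]}, [ARNs whose account has no zone])."""
    zones = defaultdict(set)
    unmapped = []
    for raw in cluster_arns:
        arn = raw.strip()
        match = ECS_CLUSTER_ARN.match(arn)
        if not match:
            # Refuse malformed input rather than emit a selector that
            # silently matches nothing (or embeds a stray quote).
            raise ValueError(f"not an ECS cluster ARN: {arn!r}")
        zone = account_to_zone.get(match.group(1))
        if zone is None:
            # A cluster in an unmapped account would be visible in no
            # management zone; surface it instead of dropping it.
            unmapped.append(arn)
            continue
        zones[zone].add(SELECTOR.format(arn=arn))
    return {z: sorted(s) for z, s in zones.items()}, sorted(unmapped)


# Constructed sample inventory and account-to-zone mapping.
SAMPLE_ARNS = [
    "arn:aws:ecs:us-west-2:111111111111:cluster/orders-dev",
    "arn:aws:ecs:us-west-2:444444444444:cluster/orders-prd",
    "arn:aws:ecs:eu-west-1:444444444444:cluster/billing-prd",
    "arn:aws:ecs:us-west-2:999999999999:cluster/sandbox",
]
SAMPLE_ZONES = {"111111111111": "DEV", "444444444444": "PRD"}

if __name__ == "__main__":
    zones, unmapped = selectors_by_zone(SAMPLE_ARNS, SAMPLE_ZONES)
    for zone, selectors in sorted(zones.items()):
        print(f"[{zone}]")
        print("\n".join(selectors))
    print("unmapped:", unmapped)
```

Each generated line can be pasted as one entity-selector rule in the matching management zone and checked with the rule preview; anything listed as unmapped belongs to an account that no zone covers yet.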