Bridgecrew recently released Yor, their open-source tool for automated infrastructure as code tagging. Yor automatically adds tags to infrastructure configurations which are then applied to the running cloud resources, simplifying connecting the active resources back to the code that created them. Yor currently supports Terraform, CloudFormation, and Serverless.
By default, Yor will add a number of tags to each resource block. This includes the name of the git organization, repository, the file that contains the template that created the resource, the timestamp of the commit, and the list of modifiers for the file. A unique identifier is added that simplifies tying the running resource back to the code block.
It is possible to extend these default tags with custom tags. Custom tags can be simple key:value pairs, dynamically generated key:value tags, or custom taggers. For example, a simple key can be defined by setting the environment variable YOR_SIMPLE_TAGS to a JSON object. These tags are then added to all objects whenever Yor is run:
export YOR_SIMPLE_TAGS='{"environment": "production"}'
More complex tags can be created by implementing the ITag interface. The CalculateValue function is used to define how the tag's value is determined. Then create a file within package main that contains the variable ExtraTags. This should be an array of pointers to all the implemented tags:
package main
var ExtraTags = []interface{}{&GitOwnerTag{}, &CheckovTag{}}
When running Yor, it is possible to identify tags that should be excluded. For example, to apply tags to a given directory of resource files but exclude the last-modified-by tag (git_last_modified_by), you could run:
yor tag --directory terraform/ --skip-tags git_last_modified_by
It is also possible to skip directory paths of resource files that should not be tagged:
yor tag -d path/to/files --skip-dirs path/to/files/skip,path/to/files/another/skip2
Yor can be combined with policy generation, such as via Bridgecrew's policy as code tool Checkov, to create more complex custom policies. As an example, Yor could be used to apply a custom tag to resources that are required to be encrypted with a specific customer-managed encryption key. A Checkov custom policy could be written to validate that the tagged resources were in fact encrypted with the desired key.
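The custom tagger model (ITag with a CalculateValue step, a list of extra taggers, and --skip-tags) and the tag-then-verify workflow with a policy engine, as one added Go example. This is not Yor's or Checkov's own code: the Tagger interface, Resource type, EncryptionKeyTag and CheckRequiredKey are hypothetical stand-ins (Yor's real ITag interface has more methods than the two shown), and the key ARN, tag keys and resource blocks are constructed input.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Resource stands in for one parsed IaC resource block (constructed for this example).
type Resource struct {
	Type, Name string
	Attrs      map[string]string // configuration attributes, e.g. kms_key_id
	Tags       map[string]string // tags Yor would write back into the template
}

// Tagger is a hypothetical interface standing in for Yor's ITag: a key plus a
// CalculateValue step deciding the value for one resource ("" means do not tag).
type Tagger interface {
	Key() string
	CalculateValue(r *Resource) (string, error)
}

// SimpleTag is a fixed key:value pair, as loaded from YOR_SIMPLE_TAGS-style JSON.
type SimpleTag struct{ K, V string }

func (t SimpleTag) Key() string                              { return t.K }
func (t SimpleTag) CalculateValue(*Resource) (string, error) { return t.V, nil }

// LoadSimpleTags parses a JSON object of string pairs; anything else is rejected
// rather than silently producing no tags.
func LoadSimpleTags(raw string) ([]Tagger, error) {
	var m map[string]string
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return nil, fmt.Errorf("simple tags must be a JSON object of strings: %w", err)
	}
	out := make([]Tagger, 0, len(m))
	for k, v := range m {
		out = append(out, SimpleTag{K: k, V: v})
	}
	return out, nil
}

// EncryptionKeyTag is a hypothetical custom tagger: a resource that references a
// KMS key is tagged with the key it is required to use, for a later policy check.
type EncryptionKeyTag struct{ RequiredKey string }

func (t EncryptionKeyTag) Key() string { return "encryption_required_key" }
func (t EncryptionKeyTag) CalculateValue(r *Resource) (string, error) {
	if _, usesKMS := r.Attrs["kms_key_id"]; !usesKMS {
		return "", nil // nothing to require on resources that do not reference a key
	}
	return t.RequiredKey, nil
}

// ApplyTags runs every tagger over every resource, honouring a skip list the way
// --skip-tags does on the CLI. Tags already present are never overwritten.
func ApplyTags(resources []*Resource, taggers []Tagger, skip []string) error {
	skipSet := make(map[string]bool, len(skip))
	for _, s := range skip {
		skipSet[s] = true
	}
	for _, r := range resources {
		if r.Tags == nil {
			r.Tags = map[string]string{}
		}
		for _, t := range taggers {
			if skipSet[t.Key()] {
				continue
			}
			v, err := t.CalculateValue(r)
			if err != nil {
				return fmt.Errorf("%s.%s: tag %q: %w", r.Type, r.Name, t.Key(), err)
			}
			if _, exists := r.Tags[t.Key()]; v != "" && !exists {
				r.Tags[t.Key()] = v
			}
		}
	}
	return nil
}

// CheckRequiredKey is the policy half (the role Checkov plays on the page): every
// resource tagged encryption_required_key must reference exactly that key.
func CheckRequiredKey(resources []*Resource) []string {
	var failing []string
	for _, r := range resources {
		if want, tagged := r.Tags["encryption_required_key"]; tagged && r.Attrs["kms_key_id"] != want {
			failing = append(failing, r.Type+"."+r.Name)
		}
	}
	return failing
}

func main() {
	const required = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID" // placeholder ARN
	resources := []*Resource{ // constructed input: one compliant bucket, one volume on the wrong key
		{Type: "aws_s3_bucket", Name: "logs", Attrs: map[string]string{"kms_key_id": required}},
		{Type: "aws_ebs_volume", Name: "scratch", Attrs: map[string]string{"kms_key_id": "alias/other"}},
	}
	simple, _ := LoadSimpleTags(`{"environment": "production"}`)
	taggers := append(simple, EncryptionKeyTag{RequiredKey: required})
	if err := ApplyTags(resources, taggers, []string{"git_last_modified_by"}); err != nil {
		panic(err)
	}
	fmt.Println(resources[0].Tags, CheckRequiredKey(resources))
}
```

Running it tags the bucket with both the environment tag and the required key, leaves the skipped key untouched, and reports aws_ebs_volume.scratch as the single policy failure because its configured key differs from the one its tag requires. The design choice worth noting is that the tagger records the requirement in the template while the check compares it against the configured attribute, so the tag survives into the deployed resource and the same comparison can be repeated against live state.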
Yor can be executed as a pre-commit hook, within a CI/CD pipeline, or via the CLI. A pre-built GitHub Action is included at this time. Yor is extensible, and the Bridgecrew team is looking for contributions of additional CI/CD integrations, parsers, and taggers.
According to Barak Schoster, CTO at Bridgecrew, the team is "working on tagging for Kubernetes and leveraging Yor for drift detection" for inclusion in an upcoming release. Yor is open-source and available via GitHub.