- Notifications
You must be signed in to change notification settings - Fork123
Extensible auto-tagger for your IaC files. The ultimate way to link entities in the cloud back to the codified resource which created it.
License
bridgecrewio/yor
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Yor is an open-source tool that helps add informative and consistent tags across infrastructure as code (IaC) frameworks. Today, Yor can automatically add tags to Terraform, CloudFormation, and Serverless Frameworks.
Yor is built to run as aGitHub Action automatically adding consistent tagging logics to your IaC. Yor can also run as a pre-commit hook and a standalone CLI.
- Apply tags and labels on infrastructure as code directory
- Tracing:
yor_tracetag enables simple attribution between an IaC resource block and a running cloud resource. - Change management: git-based tags automatically add org, repo, commit and modifier details on every resource block.
- Custom taggers: user-defined tagging logics can be added to run using Yor.
- Skips: inline annotations enable developers to exclude paths that should not be tagged.
- Dry-Run: get a preview of what tags will be added without applying any.
MacOS / Linux
brew tap bridgecrewio/tapbrew install bridgecrewio/tap/yor
If not using Brew:
pip3 install lastversionlastversion bridgecrewio/yor -d --assetstar -xzf $(find . -name *.tar.gz)chmod +x yorsudo mv yor /usr/local/binOR
Windows
choco install yor
OR
Docker
docker pull bridgecrew/yordocker run --tty --volume /local/path/to/tf:/tf bridgecrew/yor tag --directory /tf
GitHub Action
name:IaC traceon:# Triggers the workflow on push or pull request events but only for the main branchpush:branches:[ main ]pull_request:branches:[ main ]# Allows you to run this workflow manually from the Actions tabworkflow_dispatch:jobs:yor:runs-on:ubuntu-lateststeps: -uses:actions/checkout@v2name:Checkout repowith:fetch-depth:0ref:${{ github.head_ref }} -name:Run yor action and commituses:bridgecrewio/yor-action@main
Azure DevOps Pipeline
Install Yor with:
trigger:-mainpool:vmImage:ubuntu-lateststeps:-script:| curl -s -k https://api.github.com/repos/bridgecrewio/yor/releases/latest | jq '.assets[] | select(.name | contains("linux_386")) | select(.content_type | contains("gzip")) | .browser_download_url' -r | awk '{print "curl -L -k " $0 " -o yor.tar.gz"}' | sh sudo tar -xf yor.tar.gz -C /usr/bin/ rm yor.tar.gz sudo chmod +x /usr/bin/yor echo 'alias yor="/usr/bin/yor"' >> ~/.bashrc yor --version
Pre-commit
-repo:https://github.com/bridgecrewio/yorrev:0.1.143hooks: -id:yorname:yorentry:yor tag -dargs:["."]language:golangtypes:[terraform]pass_filenames:false
tag : Apply tagging on a given directory.
# Apply all the tags in yor on the directory tree terraform.yor tag --directory terraform/# Apply all the tags in yor on the directory terraform, without tagging subdirectories.yor tag --directory terraform/ --non-recursive# Apply only the specified tags git_file and git_orgyor tag --directory terraform/ --tags git_file,git_org# Apply all the tags in yor except the tags starting with git and yor_traceyor tag --directory terraform/ --skip-tags git*,yor_trace# Apply only the tags under the git tag groupyor tag --tag-groups git --directory terraform/# Apply key-value tags on a specific directoryexport YOR_SIMPLE_TAGS='{ "Environment" : "Dev" }'yor tag --tag-groups simple --directory terraform/dev/# Perform a dry run to get a preview in the CLI output of all of the tags that will be added using Yor without applying any changes to your IaC files.yor tag -d. --dry-run# Use an external tag group configuration file pathyor tag -d. --config-file /path/to/conf/file/# Apply tags to all resources except of a specified typeyor tag -d. --skip-resource-types aws_s3_bucket# Apply tags with a specifix prefixyor tag -d. --tag-prefix"module_"# Apply tags to all resources except with the specified nameyor tag -d. --skip-resources aws_s3_bucket.operations# Apply tags to only the specified frameworksyor tag -d. --parsers Terraform,CloudFormation# Run yor with custom tags located in tests/yor_plugins/example and custom taggers located in tests/yor_plugins/tag_group_exampleyor tag -d. --custom-tagging tests/yor_plugins/example,tests/yor_plugins/tag_group_example
-o : Modify output formats.
# Default cli outputyor tag -d. -o cli# json outputyor tag -d. -o json# Print CLI output and additional output to a JSON file -- enables programmatic analysis alongside printing human readable resultsyor tag -d. --output cli --output-json-file result.json
--skip-dirs : Skip directory paths you can define paths that will not be tagged.
## Run on the directory path/to/filesyor tag -d path/to/files## Run yor on the directory path/to/files, skipping path/to/files/skip/ and path/to/files/another/skip2/yor tag -d path/to/files --skip-dirs path/to/files/skip,path/to/files/another/skip2
list-tag
# List tag classes that are built into yor.yor list-tag-groups# List all the tags built into yoryor list-tags# List all the tags built into yor under the tag group gityor list-tags --tag-groups git
To prevent resource from being tagged, apply the following comment pattern above the resource, currently supported only in Terraform and CloudFormation files.
## for terraform files#yor:Skipresource"aws_instance""example_instance" { ami ="ami-0c55b159cbfafe1f0" instance_type ="t2.micro" subnet_id = aws_subnet.example_subnet.id }## for cloudformation files#yor:skip ExampleInt: Type: AWS::Lambda::Function Properties: Description: An example template
## for terraform files#yor:skipAllresource"aws_vpc""example_vpc" { cidr_block ="10.0.0.0/16" }resource"aws_subnet""example_subnet" { vpc_id = aws_vpc.example_vpc.id cidr_block ="10.0.1.0/24" availability_zone ="us-west-1a" }## for cloudformation files#yor:skipAllResources: NewVolume: Type: AWS::EC2::Volume Properties: Size: 100 NewVolume2: Type: AWS::EC2::Volume Tags: - Key: MyTag Value: TagValue - Key: Name
yor_trace is a magical tag creating a unique identifier for an IaC resource code block.
Having a yor_trace in place can help with tracing code block to its cloud provisioned resources without access to sensitive data such as plan or state files.
See demohere
Contribution is welcomed!
We are working on extending Yor and adding more parsers (to support additional IaC frameworks) and more taggers (to tag using other contextual data).
To maintain our conventions, please run lint on your branch before opening a PR. To run lint:
golangci-lint run --fix --skip-dirs tests/yor_plugins
For more support contact us athttps://codifiedsecurity.slack.com/.
About
Extensible auto-tagger for your IaC files. The ultimate way to link entities in the cloud back to the codified resource which created it.