Announcing our latest open-source project, Yor: Automated IaC tag and trace

While operating a cloud environment, especially a large, distributed, multi-tenant environment, it can be difficult to track down the owner of a resource. Similarly, if you’re leveraging infrastructure as code (IaC), locating the line of code that configured the cloud resource is a challenge. If you’re trying to fix something or limit access, it can be difficult (or impossible without the right access) to sift through logs to identify the right team to help.

That’s why cloud providers recommend leveraging tags for resource owners. Adding tags (or “labels” as they’re known as within the Google Cloud ecosystem) to resources, such as virtual machines and storage buckets, makes it easy to quickly track down the owner. This helps speed up fixing an issue, assigning access, defining risk, and allocating cost. All three of our supported cloud providers discuss the benefits and best practices for using tags:

There are two major challenges with cloud tagging. It’s tedious for developers to manually add all required tags and hard to maintain consistency for things like common casing and spelling—especially when under a time crunch. Second, solely tagging cloud resources means the benefits of tagging stop at runtime. That’s why we launched Yor.

Introducing the newest member of the Crew, Yor

Yor is an automated infrastructure as code (IaC) tagging and tracing framework. With initial support for Terraform, CloudFormation, and Serverless, Yor adds tags to IaC configurations that carry over to running cloud resource tags.

The default tags added to every resource block include:

  • Organization, repository, and file | The name of the git organization, repository, and exact file that contains the IaC template that created the cloud resource.
  • Commit and modifier details | The timestamp and modifier list for all editors of the file.
  • Trace | A unique identifier that can tie a running resource back to a line of code.
  • Custom tags | Either simple key:value pairs or complex tags designed by users.

Yor additions in GitHub

All of these tags are created locally using a CLI, as a pre-commit hook, or as a step in your CI/CD pipeline.

These tags allow you to quickly answer the questions:

  • Who owns this code block?
  • Which cloud resource is created by this code?
  • Who owns this cloud resource?
  • How was the cloud resource configured?
  • What changed in the IaC template to create this configuration in runtime?
  • Where do I go to fix this misconfigured cloud resource?

Yor GitOps Flow

Imagine you’re an SRE and you notice a misconfiguration in a running cloud resource. If you’re following GitOps practices, you shouldn’t fix it directly in the cloud, so you’ll need to track down the developer who wrote or recently modified the code that led to that misconfiguration.

With Yor, those details are automatically and continuously added as tags to all resources, making it easier and faster to find the developer and the line of code that caused the misconfiguration. This, in turn, decreases your mean time to resolution (MTTR).

Getting started with Yor

You have a few options to get started using Yor. To try it out locally, you can install and try it out using Homebrew.

brew tap bridgecrewio/tap
brew install bridgecrewio/tap/yor

Or as a Docker container

docker pull bridgecrew/yor
docker run --tty --volume /local/path/to/tf:/tf bridgecrew/yor tag --directory /tf

The tag a directory of IaC templates on your computer to see how it works.

We designed Yor to be an automated step in your DevOps processes, so you can run it as a step in your continuous integration pipeline, such as our pre-built GitHub Action by adding the following YAML to your repo.

name: IaC trace

on:
  # Triggers the workflow on push or pull request events but only for the main branch
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  yor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        name: Checkout repo
        with:
          fetch-depth: 0
          ref: ${{ github.head_ref }}
      - name: Run yor action
        uses: bridgecrewio/yor-action@main
      - name: Commit tag changes
        uses: stefanzweifel/git-auto-commit-action@v4

We also include a pre-commit hook for git.

  - repo: git://github.com/bridgecrewio/yor
    rev: 0.0.44
    hooks:
      - id: yor
        name: yor
        entry: yor tag -d
        args: ["."]
        language: golang
        types: [terraform]
        pass_filenames: false

We built Yor to be extensible, so you can plug it into your favorite dev tool, such as other CI pipelines. We’re excited about the possibilities you, our community, will think up.

How does this relate to Checkov?

If you aren’t familiar with Checkov, it is our policy as code tool. When used in tandem, Yor can enrich your custom policies based on specific tags.

For example, if you want to only allow a specific team to modify a specific cloud resource, you can use Yor to tag the resource and write a Checkov custom policy to ensure that IAM policies are in place to allow only that team.

Custom Checkov check with Yor tags

What’s coming next?

We’re working on tagging for Kubernetes and leveraging Yor for drift detection. Tagging Kubernetes will provide the same benefits of simplifying hunting through YAML files for Kubernetes updates that borked a deployment. Adding in tagging will make detecting a drift from IaC templates easier to trace back to the code differences, improving the time to bring cloud resources and templates inline.

Additionally, we’re asking you, our community, to help us prioritize and develop more integrations with your favorite dev tools.

 

When we announced our acquisition by Palo Alto Networks, we committed to doubling down on our open source contributions. We are incredibly proud of our existing projects—Checkov, AirIAM, and the Goats—and are humbled by the community’s support. That’s why, when we identified a new problem space, we knew we had to start with an open-source solution.

Yor will ease the burden of consistent tagging for developers, which leads to easier triaging and reduced MTTR. We’d love to get your feedback and questions in the #yor channel in the CodifiedSecurity Slack. If you enjoy Yor, give it a ⭐️ on GitHub!