[Feature]: Introducing yorbox into verified module #25

Open
lonegunmanb opened this issue Mar 24, 2023 · 1 comment
Labels
feature new functionality for existing module

Comments

@lonegunmanb
Member

lonegunmanb commented Mar 24, 2023

Module Name

all

Description

I'd like to introduce yorbox into the verified module's CI pipeline. For now the generated toggle name is yor_toggle; maybe it's not a good name.

BridgeCrew's Yor is an open-source tool that helps add informative and consistent tags across infrastructure as code (IaC) frameworks.

Assume we've got Terraform code like this:

resource azurerm_kubernetes_cluster "k8s_cluster" {
  dns_prefix          = "terragoat-${var.environment}"
  location            = var.location
  name                = "terragoat-aks-${var.environment}"
  resource_group_name = azurerm_resource_group.example.name
  identity {
    type = "SystemAssigned"
  }
  default_node_pool {
    name       = "default"
    vm_size    = "Standard_D2_v2"
    node_count = 2
  }
  addon_profile {
    oms_agent {
      enabled = false
    }
    kube_dashboard {
      enabled = true
    }
  }
  role_based_access_control {
    enabled = false
  }
  tags = var.tags
}

After applying yor, it could be:

resource azurerm_kubernetes_cluster "k8s_cluster" {
  dns_prefix          = "terragoat-${var.environment}"
  location            = var.location
  name                = "terragoat-aks-${var.environment}"
  resource_group_name = azurerm_resource_group.example.name
  identity {
    type = "SystemAssigned"
  }
  default_node_pool {
    name       = "default"
    vm_size    = "Standard_D2_v2"
    node_count = 2
  }
  addon_profile {
    oms_agent {
      enabled = false
    }
    kube_dashboard {
      enabled = true
    }
  }
  role_based_access_control {
    enabled = false
  }
  tags = merge(var.tags, {
    git_commit           = "898d5beaec7ffdef6df0d7abecff407362e2a74e"
    git_file             = "terraform/azure/aks.tf"
    git_last_modified_at = "2020-06-17 12:59:55"
    git_last_modified_by = "[email protected]"
    git_modifiers        = "nimrodkor"
    git_org              = "bridgecrewio"
    git_repo             = "terragoat"
    yor_trace            = "6103d111-864e-42e5-899c-1864de281fd1"
  })
}

These auto-generated tags can help our users to trace their production resources back to IaC code and repo. It completes the picture of the components and their connections from code to the cloud.

The problem is, Azure Verified Modules are reusable child modules that are meant to be called by users' root modules. The tags that yor generates cannot be turned off, which is not user friendly if a user doesn't like these tags.

This is where YorBox comes in. It scans the tags created by Yor and puts them into a "box" with a variable toggle that allows users to turn it on and off as needed. This makes it easier to manage tags and ensures consistency across your infrastructure.

After applying yorbox on the previous code, it would be:

resource azurerm_kubernetes_cluster "k8s_cluster" {
  dns_prefix          = "terragoat-${var.environment}"
  location            = var.location
  name                = "terragoat-aks-${var.environment}"
  resource_group_name = azurerm_resource_group.example.name
  identity {
    type = "SystemAssigned"
  }
  default_node_pool {
    name       = "default"
    vm_size    = "Standard_D2_v2"
    node_count = 2
  }
  addon_profile {
    oms_agent {
      enabled = false
    }
    kube_dashboard {
      enabled = true
    }
  }
  role_based_access_control {
    enabled = false
  }
  tags = merge(var.tags, var.yor_toggle ?  {
    git_commit           = "898d5beaec7ffdef6df0d7abecff407362e2a74e"
    git_file             = "terraform/azure/aks.tf"
    git_last_modified_at = "2020-06-17 12:59:55"
    git_last_modified_by = "[email protected]"
    git_modifiers        = "nimrodkor"
    git_org              = "bridgecrewio"
    git_repo             = "terragoat"
    yor_trace            = "6103d111-864e-42e5-899c-1864de281fd1"
  } : {} )
}

So the users can turn these yor tags off by setting var.yor_toggle to false.

Though this var.yor_toggle's name can be changed via yorbox's CLI flag, it looks like we still need a default name that is better than yor_toggle.

Example usage

No response

Other information

No response

@lonegunmanb lonegunmanb added the feature new functionality for existing module label Mar 24, 2023
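
An added example, not part of the original issue and not yorbox's own code: a minimal CI check in Python that flags Yor tag maps left outside the toggle, so an unboxed `yor_trace` cannot slip into a published module. It assumes the `var.<toggle> ? { ... } : {}` shape shown in the issue; the function name `find_unboxed_yor_tags` and the trimmed samples are constructed for illustration.

```python
import re

def find_unboxed_yor_tags(hcl: str, toggle: str = "yor_toggle") -> list[int]:
    """Return 1-based line numbers of yor_trace keys whose enclosing map
    literal is not preceded by the `var.<toggle> ?` guard."""
    guard = re.compile(r"var\." + re.escape(toggle) + r"\s*\?\s*$")
    key = re.compile(r"(?<![\w-])yor_trace\s*=")
    open_braces, findings, i = [], [], 0
    while i < len(hcl):
        ch = hcl[i]
        if ch == '"':  # skip string literals so "${...}" braces are ignored
            i += 1
            while i < len(hcl) and hcl[i] != '"':
                i += 2 if hcl[i] == "\\" else 1
        elif ch == "#" or hcl.startswith("//", i):  # skip line comments
            while i < len(hcl) and hcl[i] != "\n":
                i += 1
        elif ch == "{":
            open_braces.append(i)
        elif ch == "}" and open_braces:
            open_braces.pop()
        elif open_braces and key.match(hcl, i):
            # Text just before the enclosing "{" must end with the toggle guard.
            if not guard.search(hcl[:open_braces[-1]]):
                findings.append(hcl.count("\n", 0, i) + 1)
        i += 1
    return findings

# Constructed samples, trimmed from the snippets in the issue.
UNBOXED = '''resource azurerm_kubernetes_cluster "k8s_cluster" {
  name = "terragoat-aks-${var.environment}"
  tags = merge(var.tags, {
    git_repo  = "terragoat"
    yor_trace = "6103d111-864e-42e5-899c-1864de281fd1"
  })
}
'''
BOXED = (UNBOXED.replace("var.tags, {", "var.tags, var.yor_toggle ?  {")
                .replace("})", "} : {} )"))

if __name__ == "__main__":
    print("unboxed:", find_unboxed_yor_tags(UNBOXED))  # line of the bare yor_trace
    print("boxed:  ", find_unboxed_yor_tags(BOXED))    # nothing to report
```

The scanner is a simplification: it does not handle `/* */` comments, heredocs, or quotes nested inside `${...}` interpolations, and it checks only the guard before the map, not the `: {}` branch after it.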
@matt-FFFFFF
Member

We have used disable_telemetry = bool with default = false in the Azure Landing Zones modules. The implementation is different but maybe worth considering.
