yor icon indicating copy to clipboard operation
yor copied to clipboard

Published 20 hours ago verified publisher icon bridgecrewio

External modules resources tagging

Open pault28 opened this issue 2 years ago • 4 comments

Is your feature request related to a problem? Please describe. We are looking at using yor to auto tag terraform IAC files. One specific use case which doesn't seem to be supported at the moment is module level tagging. If given a module defined as follows:

# Example module to tag
module "consul" {
  source = "hashicorp/consul/aws"
  version = "0.1.0"
}

Describe the solution you'd like I would like yor to be able to tag all resources that will be created by the module. The reason we looking for something like this is we have internal terraform modules, using yor as it is we won't be able to tag them dynamically from repos where they are being used. Possible option is:

  • I run terraform init which should download the relevant module
  • Running yor tag I am able to tag local files as well as modules I have downloaded from terraform init.

pault28 avatar Nov 30 '21 15:11 pault28

Hello @pault28 !

This is a feature we've been discussing internally for a while, so I'll share how we see it and maybe we can come up with a better idea. The problem with tagging the .terraform directory is that it isn't persisted with the tags. This can lead to tags being changes without the option to review, creating a diff within a module you do not know and don't understand the changes. It can clutter the plan, and make things more "scary".

  • The best way we thought of was to handle the tags parameter on modules - but it seems this module doesn't support it.
  • Adding default tags to the provider - but then the yor_trace tag is not unique. Also, the file etc will point to the provider...
  • Open a PR / issue for the relevant modules, to support the tags input :)

CC: @schosterbarak if you have any inputs here 🙏

nimrodkor avatar Dec 01 '21 07:12 nimrodkor

@nimrodkor I agree tagging the .terraform directory could lead to unintended changes. First item on your list is indeed the best way. For our use case in particular the module tagging will be mostly for inhouse modules meaning supporting the tag input at the module level will be easy to do for us. Of course the problem will be what happens to public modules....guessing these can be excluded with a #yor_exclude comment or something.

In any case this feature will be of great use to many folks who are operating similar model like us.

pault28 avatar Dec 01 '21 09:12 pault28

We do what @nimrodkor is saying, all of our modules have a tags input and that's used in all the resources the module declares internally, we use tflint to verify this; it's been working perfectly, but it might be an issue with third-party modules that are not under your control.

EduardoRT avatar Apr 29 '22 21:04 EduardoRT

https://gsd.fundapps.io/how-we-make-yor-work-with-terraform-caller-and-child-modules-22216afd775d should solve this

anthonyangel avatar Jun 14 '22 16:06 anthonyangel

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Feb 05 '23 19:02 stale[bot]