Azure / terraform-azure-modules

Azure verified modules for Terraform
MIT License

[Feature]: Introducing yorbox into verified module #25

Open lonegunmanb opened 1 year ago

lonegunmanb commented 1 year ago

Module Name

all

Description

I'd like to introduce yorbox into the verified modules' CI pipeline. For now the generated toggle name is yor_toggle; maybe it's not a good name.

BridgeCrew's Yor is an open-source tool that helps add informative and consistent tags across infrastructure as code (IaC) frameworks.

Assume we've got such Terraform code:

resource azurerm_kubernetes_cluster "k8s_cluster" {
  dns_prefix          = "terragoat-${var.environment}"
  location            = var.location
  name                = "terragoat-aks-${var.environment}"
  resource_group_name = azurerm_resource_group.example.name
  identity {
    type = "SystemAssigned"
  }
  default_node_pool {
    name       = "default"
    vm_size    = "Standard_D2_v2"
    node_count = 2
  }
  addon_profile {
    oms_agent {
      enabled = false
    }
    kube_dashboard {
      enabled = true
    }
  }
  role_based_access_control {
    enabled = false
  }
  tags = var.tags
}

After applying yor, it could be:

resource azurerm_kubernetes_cluster "k8s_cluster" {
  dns_prefix          = "terragoat-${var.environment}"
  location            = var.location
  name                = "terragoat-aks-${var.environment}"
  resource_group_name = azurerm_resource_group.example.name
  identity {
    type = "SystemAssigned"
  }
  default_node_pool {
    name       = "default"
    vm_size    = "Standard_D2_v2"
    node_count = 2
  }
  addon_profile {
    oms_agent {
      enabled = false
    }
    kube_dashboard {
      enabled = true
    }
  }
  role_based_access_control {
    enabled = false
  }
  tags = merge(var.tags, {
    git_commit           = "898d5beaec7ffdef6df0d7abecff407362e2a74e"
    git_file             = "terraform/azure/aks.tf"
    git_last_modified_at = "2020-06-17 12:59:55"
    git_last_modified_by = "nimrodkor@gmail.com"
    git_modifiers        = "nimrodkor"
    git_org              = "bridgecrewio"
    git_repo             = "terragoat"
    yor_trace            = "6103d111-864e-42e5-899c-1864de281fd1"
  })
}

These auto-generated tags can help our users to trace their production resources back to IaC code and repo. It completes the picture of the components and their connections from code to the cloud.

The problem is, Azure Verified Modules are reusable child modules that are meant to be called by users' root modules. The tags that yor generates cannot be turned off, which is not user friendly if a user doesn't like these tags.

This is where YorBox comes in. It scans the tags created by Yor and puts them into a "box" with a variable toggle that allows users to turn it on and off as needed. This makes it easier to manage tags and ensures consistency across your infrastructure.

After applying yorbox on the previous code, it would be:

resource azurerm_kubernetes_cluster "k8s_cluster" {
  dns_prefix          = "terragoat-${var.environment}"
  location            = var.location
  name                = "terragoat-aks-${var.environment}"
  resource_group_name = azurerm_resource_group.example.name
  identity {
    type = "SystemAssigned"
  }
  default_node_pool {
    name       = "default"
    vm_size    = "Standard_D2_v2"
    node_count = 2
  }
  addon_profile {
    oms_agent {
      enabled = false
    }
    kube_dashboard {
      enabled = true
    }
  }
  role_based_access_control {
    enabled = false
  }
  tags = merge(var.tags, var.yor_toggle ? {
    git_commit           = "898d5beaec7ffdef6df0d7abecff407362e2a74e"
    git_file             = "terraform/azure/aks.tf"
    git_last_modified_at = "2020-06-17 12:59:55"
    git_last_modified_by = "nimrodkor@gmail.com"
    git_modifiers        = "nimrodkor"
    git_org              = "bridgecrewio"
    git_repo             = "terragoat"
    yor_trace            = "6103d111-864e-42e5-899c-1864de281fd1"
  } : {})
}

So users can turn these yor tags off by setting var.yor_toggle to false.

Though the var.yor_toggle name can be changed via yorbox's CLI flag, it looks like we still need a default name that is better than yor_toggle.

Example usage

No response

Other information

No response
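The transformation described in this issue (take the tag object Yor emitted and wrap it in `var.<toggle> ? { ... } : {}`), written out as an added Python example. This is not yorbox's own code and not part of the Azure Verified Modules repo; it is a deliberately line-oriented approximation that only understands flat `tags = merge(<expr>, { ... })` objects, which is the shape Yor produces, and leaves user-authored tag objects alone. The toggle name `yor_toggle`, the variable declaration it generates, the `unboxed_yor_resources` CI check and the sample HCL (placeholder hashes, no real repository) are all assumptions made for the example.

```python
"""Box Yor-generated tags behind a toggle variable (added example, not yorbox itself)."""
from __future__ import annotations

import re

# Keys Yor writes. A tag object whose keys are all in this set is treated as Yor output.
YOR_KEYS = {
    "git_commit", "git_file", "git_last_modified_at", "git_last_modified_by",
    "git_modifiers", "git_org", "git_repo", "yor_trace", "yor_name",
}

# `tags = merge(<base>, [var.<toggle> ?] { ... } [: {}])` with a flat object literal.
# Assumption: the object literal contains no nested braces (true for Yor's tags).
_MERGE_RE = re.compile(
    r"tags\s*=\s*merge\(\s*(?P<base>[^,]+?)\s*,\s*"
    r"(?P<cond>var\.\w+\s*\?\s*)?\{(?P<body>[^{}]*)\}"
    r"(?P<alt>\s*:\s*\{\s*\})?\s*\)"
)
_RESOURCE_RE = re.compile(r'^\s*resource\s+"?(\w+)"?\s+"(\w+)"', re.MULTILINE)


def tag_keys(body: str) -> set[str]:
    """Attribute names inside an HCL object body such as `git_repo = "x"`."""
    return set(re.findall(r"^\s*(\w+)\s*=", body, re.MULTILINE))


def is_yor_object(body: str) -> bool:
    """True only if the object is non-empty and every key is one Yor generates."""
    keys = tag_keys(body)
    return bool(keys) and keys <= YOR_KEYS


def box_yor_tags(hcl: str, toggle: str = "yor_toggle") -> str:
    """Wrap each unboxed Yor tag object in `var.<toggle> ? {...} : {}`. Idempotent."""
    def repl(m: re.Match) -> str:
        if m.group("cond") or not is_yor_object(m.group("body")):
            return m.group(0)  # already boxed, or user-authored tags: leave alone
        return f"tags = merge({m.group('base')}, var.{toggle} ? {{{m.group('body')}}} : {{}})"
    return _MERGE_RE.sub(repl, hcl)


def toggle_variable(toggle: str = "yor_toggle") -> str:
    """The variable declaration the boxed module needs; the default keeps the tags on."""
    return (
        f'variable "{toggle}" {{\n'
        f"  type        = bool\n"
        f"  default     = true\n"
        f'  description = "Set to false to omit the tags generated by Yor."\n'
        f"}}\n"
    )


def unboxed_yor_resources(hcl: str) -> list[str]:
    """CI check: addresses of resources whose Yor tags are not behind a toggle."""
    headers = [(h.start(), f"{h.group(1)}.{h.group(2)}") for h in _RESOURCE_RE.finditer(hcl)]
    offenders = []
    for m in _MERGE_RE.finditer(hcl):
        if m.group("cond") or not is_yor_object(m.group("body")):
            continue
        owner = "<unknown>"
        for pos, addr in headers:  # the last resource header before the tags line owns it
            if pos < m.start():
                owner = addr
        offenders.append(owner)
    return offenders


# Constructed sample: the shape Yor leaves behind. Values are placeholders, not a real repo.
SAMPLE = '''
resource "azurerm_resource_group" "example" {
  name     = "rg"
  location = var.location
  tags     = merge(var.tags, { environment = "dev" })
}

resource "azurerm_kubernetes_cluster" "k8s_cluster" {
  name = "aks"
  tags = merge(var.tags, {
    git_commit = "0000000000000000000000000000000000000000"
    git_file   = "terraform/azure/aks.tf"
    git_repo   = "example-repo"
    yor_trace  = "00000000-0000-0000-0000-000000000000"
  })
}
'''

if __name__ == "__main__":
    print(unboxed_yor_resources(SAMPLE))  # ['azurerm_kubernetes_cluster.k8s_cluster']
    boxed = box_yor_tags(SAMPLE)
    print(boxed)
    print(toggle_variable())
    print(unboxed_yor_resources(boxed))  # []
```

Running `unboxed_yor_resources` as a CI step is the useful half from a reviewer's point of view: it fails a pull request that re-introduces bare Yor tags into a child module, while `box_yor_tags` stays idempotent so it can run on every commit without re-wrapping tags that are already toggled.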

matt-FFFFFF commented 1 year ago

We have used disable_telemetry = bool with default = false in the Azure Landing Zones modules. The implementation is different but maybe worth considering.