Bridgecrew IaC Tag Rules Manager 🏷

Boost your tagging strategy using Bridgecrew's IaC auto-tagging and centralized management

One of the key cloud security and asset management best practices is using a tagging strategy for your runtime environments. AWS and Azure support resource tags, and GCP supports labels, which enable users to understand resource ownership, cost allocation, access control, traceability, and more.

Bridgecrew now supports tagging management for IaC templates, both for Terraform and CloudFormation, based on Bridgecrew’s open-source tool Yor. With Tag Rules, you can manage your tagging strategies easily across providers and repositories, even before they go live. Using such an approach, tagging enforcement is more flexible and maintainable.

In the “Resource Inventory” and “Projects” screens, you have access to a brand new Tag Rule Manager where you can:

  • Enable or disable out-of-the-box Bridgecrew tag rules, such as the traceability tag (“yor_trace”) used for code-to-cloud resource tracing and drift detection.
  • Create and manage custom tag rules (edit, clone, enable, disable, and delete).

Tag Rules manager

Custom Tag Rule logic can be used for any of these use cases:

  • Basic: Assign a tag and value to all resources in the selected repositories.
  • Conditional: Assign a tag and value to all resources in the selected repositories that meet a certain condition. For example, assign team:dev to all resources that already have the tag key:value pair group:rd.
  • Conditional with Multiple Conditions: You can define multiple conditions per rule with different tag key:value pairs per condition. For example, you could define a rule that adds team:dev_USA to all resources in the selected repositories that meet condition A (for example, resources with group:rd & location:US) and team:dev_europe to those resources that meet condition B (for example, resources with group:rd & location:EU).
  • Conditional with default: You can define a rule that applies a key:value pair if a certain condition is met and assigns a different default key:value pair tag to any IaC resource that does not meet any of the defined conditions.
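
The four rule types above can be modeled as an ordered list of conditions plus an optional default. The sketch below is an added illustration, not Bridgecrew's or Yor's implementation; the rule dictionary layout, the function names, the first-match-wins ordering, the `unassigned` default and the sample resources are all assumptions constructed for this example.

```python
# Illustrative model of custom tag rule evaluation (not Bridgecrew/Yor code).
from typing import Optional

def matches(resource_tags: dict, condition: dict) -> bool:
    """A condition holds when every key:value pair it lists is already on the resource."""
    return all(resource_tags.get(k) == v for k, v in condition.items())

def resolve_value(resource_tags: dict, rule: dict) -> Optional[str]:
    """Value the rule assigns to this resource: first matching condition, else the default."""
    for branch in rule.get("conditions", []):   # assumption: first match wins
        if matches(resource_tags, branch["when"]):
            return branch["value"]
    return rule.get("default")                  # None when the rule has no default

def missing_tags(resources: dict, rule: dict) -> dict:
    """Map resource name -> tag to add, for resources lacking the tag the rule assigns."""
    fixes = {}
    for name, tags in resources.items():
        value = resolve_value(tags, rule)
        if value is not None and tags.get(rule["key"]) != value:
            fixes[name] = {rule["key"]: value}
    return fixes

# Constructed sample inventory: resource name -> tags already present in the IaC template.
RESOURCES = {
    "aws_s3_bucket.logs": {"group": "rd", "location": "US"},
    "aws_instance.web":   {"group": "rd", "location": "EU"},
    "aws_sqs_queue.jobs": {"group": "ops"},
    "aws_instance.api":   {"group": "rd", "location": "US", "team": "dev_USA"},
}

# Basic rule: no conditions, so the default applies to every resource.
BASIC_RULE = {"key": "env", "default": "prod"}

# Multiple conditions with a default, using the tag values from the examples above.
TEAM_RULE = {
    "key": "team",
    "conditions": [
        {"when": {"group": "rd", "location": "US"}, "value": "dev_USA"},
        {"when": {"group": "rd", "location": "EU"}, "value": "dev_europe"},
    ],
    "default": "unassigned",
}

if __name__ == "__main__":
    for name, tag in missing_tags(RESOURCES, TEAM_RULE).items():
        print(f"{name}: add {tag}")
```

Resources that already carry the expected tag, such as `aws_instance.api` here, produce no change, which is the case where no tagging pull request would be needed.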

Tag rule creation form

Once a tag rule is enabled, Bridgecrew opens a pull request after each default branch scan if IaC resources are missing a tag required by an enabled tag rule.


Tag implementation pull request

Check out the full documentation here