Manage Tag Rules

Overview

Bridgecrew gathers and stores resource tags on every scan. These tags can be used when creating Custom Policies. Furthermore, you can create Tag Rules that define specific tag-value pairs that must exist for a set of defined IaC resources. Bridgecrew creates a PR for any IaC resource that does not comply with a relevant Tag Rule.

The image below shows an example of a PR in GitHub that Bridgecrew generated due to a failed Tag Rule. When this PR is merged, the following tags will be added:

  • env = dev
  • team = seceng

📘

Note on Pull request creation

An additional pull request will be created if the previous tagging pull request was created.

You can Add new Tag Rules, or for existing Tag Rules you can:

  • Enable/Disable
  • Edit
  • Delete
  • Clone

Understanding Tag Rule Definitions

Tag Rule Parameters

  • Key - the tag name (you can only edit the names of custom tags, not those generated by Bridgecrew)
  • Repositories - the repositories to which the tag rule applies (Note: a repository can have only one tag rule per key.)
  • Created by - the name of the user who created a custom tag (“Bridgecrew" for automatically generated tags)
  • Status - whether the tag rule is enabled or disabled

Tag Rule Logic

A Tag Rule can use any of the following kinds of logic:

  • Basic: assign a tag and value to all resources in the selected repositories.
  • Conditional: assign a tag and value to all resources in the selected repositories that meet a certain condition. For example, assign team:dev to all resources that already have the name-value pair group:rd.
  • Conditional with Multiple Conditions: you can define multiple conditions per rule, with different key name-value pairs per condition. For example, you could define a rule that adds team:dev_USA to all resources in the selected repositories that meet condition A and team:dev_europe to those resources that meet condition B.
  • Conditional with default: you can define a rule that applies a name-value pair if a certain condition is met and a different, default name-value pair to any IaC resource that does not meet any of the defined conditions.

Tag Rule Examples

Example 1 - Basic

In this example, we define all resources of a given repository as belonging to the production environment. Use:

  • Key: env
  • Default value: prod

Example 2 - Conditional with Multiple Conditions

In this example, we define tags for internal teams (“devops” and “platform”) based on GitHub users:

  • Key: team
  • Value: devops if the resource has one of these tag name-value pairs: git_modifier: jhonf, git_modifier: janed
  • Value: platform if the resource has one of these tag name-value pairs: git_modifier: jamesd, git_modifier: juliem

Example 3 - Conditional with Multiple Conditions and Default for Non-Matches

In this example, we define tags for internal teams based on GitHub users, as well as a default tag value for resources that match none of the conditions.

  • Key: team
  • Default value: community
  • Value: devops if the resource has one of these tag name-value pairs: git_modifier: jhonf, git_modifier: janed
  • Value: platform if the resource has one of these tag name-value pairs: git_modifier: jamesd, git_modifier: juliem
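As an added illustration (not Bridgecrew's own code), the following Python evaluates the rule logic of Example 1 (basic) and Example 3 (multiple conditions with a default) over a constructed sample inventory, and reports which resources would receive a tag in a tagging PR. The resource names, the existing tag values and the first-match-wins ordering of conditions are assumptions for the example.

```python
# Added example (not Bridgecrew's own code): a minimal evaluator for the
# tag-rule logic described above, run over constructed sample resources.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TagRule:
    key: str                                          # tag name the rule manages
    # Each condition: (value_to_assign, {match_key: [accepted_values]})
    conditions: List[Tuple[str, Dict[str, List[str]]]] = field(default_factory=list)
    default: Optional[str] = None                     # used when no condition matches


def evaluate_rule(rule: TagRule, resource_tags: Dict[str, str]) -> Optional[str]:
    """Return the value the rule assigns to a resource, or None if nothing applies."""
    # Assumption: conditions are checked in order and the first match wins.
    for value, match in rule.conditions:
        for match_key, accepted in match.items():
            if resource_tags.get(match_key) in accepted:
                return value
    return rule.default  # None for a conditional rule without a default


def missing_tags(rule: TagRule, resources: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map resource name -> {key: value} for tags a tagging PR would have to add.

    Resources that already carry the correct value need no change."""
    result = {}
    for name, tags in resources.items():
        wanted = evaluate_rule(rule, tags)
        if wanted is not None and tags.get(rule.key) != wanted:
            result[name] = {rule.key: wanted}
    return result


# Example 3 from the page: team by git_modifier, default "community".
TEAM_RULE = TagRule(
    key="team",
    conditions=[
        ("devops", {"git_modifier": ["jhonf", "janed"]}),
        ("platform", {"git_modifier": ["jamesd", "juliem"]}),
    ],
    default="community",
)

# Constructed sample inventory (tags as collected from a scan; not real data).
SAMPLE_RESOURCES = {
    "aws_s3_bucket.logs": {"git_modifier": "janed", "git_repo": "infra"},
    "aws_iam_role.ci": {"git_modifier": "juliem", "team": "platform"},
    "aws_instance.web": {"git_modifier": "someone_else"},
}
```

Running `missing_tags(TEAM_RULE, SAMPLE_RESOURCES)` yields tags only for the S3 bucket (team: devops) and the instance (team: community); the IAM role already carries the correct value.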

Tag Rule Actions

View Tag Rules

You can view and manage Tag Rules from Resource Inventory or from Projects.

To view and manage Tag Rules, from the Resource Inventory select Manage Tags.

To view and manage Tag Rules, from the Projects page select the hamburger menu on the right and then Manage Tags.

After selecting Manage Tags, the Tag Rules are displayed.

Bridgecrew offers the following out-of-the-box tags:

Tag Key     Description
yor_trace   Traceability tag that links between IaC templates and runtime resources
git_org     Name of git organization
git_repo    Name of git repository

📘

Note on Tags Generated by Bridgecrew

The tag “yor_trace” indicates a tag generated by Bridgecrew. It is used for unique traceability, that is, it is used to link IaC templates with specific runtime resources.

Edit Tag Rule

To edit an existing Tag Rule, hover over the hamburger menu and select Edit.

The Tag Rule’s current definition appears.

Enable/Disable Tag Rule

To enable or disable an existing Tag Rule, hover over the hamburger menu and select Enable or Disable.
When you disable a Tag Rule, the rule is no longer applied to new IaC resource definitions, but the rule remains in the Tag Management list.

Edit Tag Rule

To edit an existing Tag Rule, hover over the hamburger menu and select Edit.
You can edit custom Tag Rules or change the associated repositories for Bridgecrew tag rules.

Delete Tag Rule

To delete an existing Tag Rule, hover over the hamburger menu and select Delete.
The Tag Rule is deleted from the Tag Management list.

Clone Tag Rule

To clone an existing Tag Rule, hover over the hamburger menu and select Clone.
When you clone a tag rule, the logic, conditions, etc. are carried over but not the list of repositories to which the rule applies.

Add a New Tag Rule

To add a new Tag Rule, select Add Tag Rule.

The example below shows a Tag Rule with multiple conditions and a default value (general) for resources that do not match any of the conditions.

For details on Tag Rule parameters, Tag Rule logic and examples, see Understanding Tag Rule Definitions above.

📘

Note on Resource Permissions

If you do not have permissions for all of the resources associated with a Tag Rule, the only action you will be offered is Clone.