1.6.8.1. BridgeCrew Yor

Yor is an open-source Infrastructure as Code (IaC) auto-tagging tool developed by Bridgecrew (acquired by Palo Alto Networks). It automatically adds consistent and meaningful tags to cloud resources in templates such as Terraform, AWS CloudFormation, and Serverless Framework. These tags contain information about resource ownership and change tracking, such as the team or person who owns the code, unique resource identifiers, etc. The basic principle of Yor is to inject tag metadata into each infrastructure resource block at the code level, and then these tags are passed to the actual cloud resources when the resources are deployed to the cloud, enabling information carrying and tracking from "code to cloud". Through this "code-as-tags" approach, Yor provides a unified tagging strategy for infrastructure.

Yor can be used as a GitHub Action, a pre-commit hook, or a standalone command-line tool, making it easy to integrate into developers' existing CI/CD workflows. When developers commit code to the repository, Yor automatically adds tags to the modified IaC template fragments; these tags are passed from the template file to the deployed cloud resources without manual intervention by the developer. The result is that developers do not need to perform tedious manual tagging work, but security and operations teams can obtain consistent and accurate resource tags for auditing and management.

1.6.8.1.1. Governance Pain Points: Why Yor is Needed?

In large Terraform modules and multi-cloud environments, achieving consistent resource tag naming and ownership marking is a common governance challenge. In the past, cloud providers and teams often had different tagging standards, posing challenges for cost allocation, access control, operational support, and security auditing. Traditionally, manually adding tags to each infrastructure resource is cumbersome and error-prone, and it is difficult to ensure consistency across teams and projects. When a security misconfiguration or cloud resource anomaly occurs, the lack of unified tags makes it difficult to locate the responsible person and the source of the problem.

Yor was created to address these governance and traceability pain points. Barak Schoster, Chief Architect at Palo Alto Networks, pointed out that effective infrastructure tagging is critical for tracking costs, access rights, operations, and cloud security, but previously it was a completely manual process with inconsistent standards. By automating and standardizing tagging, Yor provides visibility and traceability from IaC configurations to production cloud resources. Specifically:

Comprehensive Ownership Tracking: Yor adds a series of tag information to each resource block by default, including the Git repository organization, repository name, IaC definition file name, hash and time of the last modification commit, list of modifiers, and a unique tracking identifier yor_trace. This information allows cloud resources to be directly mapped to the code and developers that generated them. For example, if a configuration error occurs in the runtime environment, the unique ID yor_trace on the resource can be used to trace back to the specific resource definition in the codebase. Similarly, tags such as git_last_modified_by on the resource can determine the person and time of the last code modification. This enables security teams to quickly find the responsible developer and collaborate to fix the problem.
Consistent Cost and Permission Tagging: Yor automatically inherits and supplements existing environment and business tags, ensuring that all resources are tagged with a unified format, facilitating financial cost allocation analysis and operations teams setting resource grouping and access control based on tags. A unified tagging system acts like a common language across teams, allowing different departments (development, operations, security) to quickly identify resource ownership and purpose based on tags, thereby improving collaboration efficiency.
Reducing Human Error: With Yor, developers no longer need to remember and manually add various tagging standards, reducing the possibility of omissions and spelling errors. Yor automatically inserts standardized tags when code is committed, greatly reducing situations where tags are incomplete or inaccurate due to human factors. This not only improves governance but also reduces the burden on engineers, allowing them to focus on core business logic rather than trivial tagging work.

In short, Yor automates the previously tedious and error-prone cloud resource tagging process, bringing every module of the infrastructure under traceable governance, achieving unified identification and accountability tracing of resources in large-scale environments.

1.6.8.1.2. Executive Order 14028 and SBOM: Yor Supports Supply Chain Transparency

Executive Order 14028 (issued in May 2021) focuses on improving the nation's cybersecurity. One of its core requirements is that federal agencies must obtain a Software Bill of Materials (SBOM) for the software when purchasing software to improve the transparency and controllability of the software supply chain. An SBOM typically refers to a machine-readable list that details all components, libraries, and modules contained in a software product and their origins. Through an SBOM, users can track software components and identify vulnerabilities within them, thereby strengthening supply chain risk management. Executive Order 14028 makes SBOM a mandatory requirement for US federal government software procurement. This move reflects the government's high regard for software component transparency after experiencing the SolarWinds supply chain attack and the Log4j vulnerability incident.

Although Yor targets Infrastructure as Code rather than traditional application software, the code-to-cloud resource tracking it achieves is similar in purpose to the supply chain visibility that SBOM aims to achieve. SBOM focuses on the list of software components, while in the cloud infrastructure field, we also need to know "who created which cloud components, through which code, and when". The tags automatically injected by Yor provide exactly this "infrastructure bill of materials" information:

Tags like yor_trace provide a traceable identity for each infrastructure resource, which can be seen as a bill of materials item at the infrastructure level.
Tags like git_org/git_repo/git_commit reveal the code source and version behind each resource, just like an SBOM lists the versions of software dependency components.
With this metadata, an organization can compile a "resource bill of materials" for its IaC deployment, clearly knowing which code modules constitute its cloud environment and where the latest changes came from, so as to quickly locate the affected infrastructure parts when vulnerabilities or compliance requirements arise.

For example, one of the software supply chain security measures required by Executive Order 14028 is timely response to known component vulnerabilities. If a version of a Terraform module is found to have security risks, using Yor tags, operations and security teams can search for all resources with the corresponding git_commit or yor_trace on the cloud, quickly find the list of affected resources, and take remedial measures. This is similar to the principle of SBOM helping to locate software components affected by a certain vulnerability. It can be said that Yor introduces supply chain traceability capabilities to Infrastructure as Code: realizing the link "from running resources back to source code" at the cloud infrastructure level, providing support for meeting the requirements of Executive Order 14028 on software component transparency.

Of course, Yor itself is not an SBOM generation tool, and the focus of the two is different. SBOM focuses more on dependency transparency at the software package and library level, while Yor focuses on deployment transparency at the infrastructure level. But in the context of DevSecOps, the two complement each other: Yor ensures that every infrastructure change is traceable, and this powerful traceability is exactly one of the elements needed for a secure supply chain. This also allows organizations to more confidently answer questions like "where do our cloud infrastructure components come from and who maintains them" during the implementation of Executive Order 14028. Overall, Yor improves the auditability and inventory level of infrastructure code, helping organizations meet compliance requirements including SBOM and strengthen their own supply chain security.

1.6.8.1.3. Using Yor: Methods, Configuration, and Commands

Basic Usage: Yor provides a command-line interface for scanning directories and batch tagging IaC templates within them. After installation, simply run a command like this to apply tags:

yor tag --directory ./terraform/

The above command adds preset tags to all Terraform configuration files in the ./terraform/ directory. Yor enables all built-in tags by default (including yor_trace tracking ID, all Git history related tags, etc.) as well as user-defined custom tags. If you need to apply only a certain type of tag or skip certain tags, you can use command-line options to control it. For example:

Skip specific tags: yor tag --directory terraform/ --skip-tags git_last_modified_by,yor_trace will skip adding yor_trace and git_last_modified_by tags. Wildcards are supported to skip a group of tags, such as --skip-tags git* to skip all Git information related tags.
Apply only specific tag groups: yor tag --tag-group git --directory ./terraform/ will only add the Git information related tag group, and not other types of tags. Similarly, there are built-in "tracing" tag groups available for selection.

Integration Methods: In practice, Yor is often integrated into CI/CD workflows or developer toolchains to achieve continuous automated injection of tags. Common integration methods include:

Pre-commit Hook: Configure Yor as a pre-commit hook for the code repository to ensure that tags are automatically added to modified IaC files before each developer commits code. The configuration method is to add a Yor hook in the project's .pre-commit-config.yaml, making it execute the yor tag command on Terraform files. In this way, tag injection is completed at the time of commit, and the commit record will reflect the addition of tags.
CI Platform Integration: Yor provides GitHub Action and GitLab CI templates that can run in Pull Requests or pipelines. For example, using the official bridgecrewio/yor-action in GitHub Actions allows Yor tagging to be automatically executed before every PR creation or merge. In GitLab CI, a Yor step can also be added to the pipeline to automatically submit changes with tag updates every time code is merged. This ensures that the main branch code always keeps tags up-to-date and consistent.
Docker and Local CLI: If you do not want to install Yor directly on the local machine, you can also use the official Docker image to run it. Run docker run -v <local IaC directory>:/data bridgecrew/yor tag --directory /data to execute tag addition in the container. For one-time large-scale tagging of existing configurations, you can also run the yor tag command locally and commit the results via Git. Yor also supports --dry-run mode to preview which tags will be added without actually modifying files, facilitating review of changes before actual application.

Configuration and Extension: In addition to built-in tags (such as the aforementioned yor_trace and Git information), Yor also allows users to customize additional tagging strategies to meet specific organizational governance needs. Extension methods include:

Simple Tags via Environment Variables: By setting the environment variable YOR_SIMPLE_TAGS, static key-value pair tags can be injected for all resources at once. For example:

export YOR_SIMPLE_TAGS='{"team": "devops", "env": "prod"}'
yor tag --tag-groups simple --directory terraform/dev/

This will add team=devops and env=prod tags to each resource. Suitable for scenarios where you want to add organization-level tags (such as department, environment) uniformly without repeating them in the code every time.

Golang Plugin Extension: For more advanced customization, Yor allows writing custom Tagger plugins using the Go language to implement complex tag generation logic, and then compiling them into Yor for execution. This is suitable for secondary development of Yor, or tagging schemes not yet supported by Bridgecrew officially.
Inline Annotation Skipping: In addition to skipping specified tags or directories via the command line, developers can also add special comments in the template code to skip tag injection for certain resources (for example, adding a specific comment in the Terraform configuration to identify that this resource does not need Yor tagging). This provides flexibility for the few resources that do not wish to be automatically tagged.

Through the above various configuration and extension mechanisms, Yor can adapt to the requirements of different teams and achieve flexible customization of tagging strategies. For example, an organization can pre-stipulate that all resources must be tagged with cost_center and solidify the rule in the Yor configuration, so that developers will automatically get tags that meet organizational requirements regardless of which project or module they deploy resources in, without the need for manual checks.

1.6.8.1.4. Tag Injection Example: Before and After Terraform Module

To more intuitively understand the effect of Yor's automatic tagging, here is a Terraform code example showing the difference before and after using Yor. Suppose we have a Terraform module that defines a cloud resource and only contains basic environment tags beforehand:

# Terraform module snippet before Yor tagging
module "remote_module" {
  source  = "Azure/avm-res-resources-resourcegroup/azurerm"
  tags = {
    env = var.env
  }
}

In the code above, tags only defines the environment tag env. Now we run yor tag to automatically tag it, and Yor will inject multiple new tag key-value pairs into the code:

# Terraform module snippet after Yor tagging (Yor automatically injected extra tags)
module "remote_module" {
  source  = "Azure/avm-res-resources-resourcegroup/azurerm"
  tags = {
    env                  = var.env
    yor_trace            = "d835d6de-7aa7-4a1e-bbe5-8f5ee206e1d0"
    git_repo             = "example"
    git_org              = "bridgecrewio"
    git_file             = "applyTag.md"
    git_commit           = "COMMITHASH"
    git_modifiers        = "bana/gandalf"
    git_last_modified_at = "2021-01-08 00:00:00"
    git_last_modified_by = "bana@bridgecrew.io"
  }
}

As shown above, Yor added a series of tags with the git_* prefix and a unique yor_trace tag to the module's tags field. These tags record code source and change history: Git repository organization and name, file path where the resource definition is located, hash value of the last commit, identifiers of all developers who modified the resource, last modification time, and modifier email, etc. Through these tags, you can directly see on the cloud platform's resource tag interface which project, which file, when, and by whom was modified to create this cloud resource. Yor determines which lines of code were changed in the last Git commit by analyzing Git Blame information, identifying which Terraform blocks were involved, and then writing Git version information into the code in the form of Tags.

It is worth noting that new tags added by Yor will not overwrite existing tags (like env in the example remains unchanged), but supplement extra information. Developers can still define business-related tags (such as Name, Environment, etc.) in the code, and Yor is only responsible for injecting tracking and ownership tags, achieving compatibility with existing tagging systems. These additional tags will be applied to the actual cloud resources along with the Terraform module, allowing operations personnel to see the same information in the cloud console, thereby achieving two-way traceability between code and cloud resources. For example, if operations personnel discover an unfiled resource on the cloud, they can trace back to the corresponding code repository and module location just by checking information like yor_trace or git_repo in its tags, greatly shortening troubleshooting and positioning time.

Through Yor's tag injection, the Terraform module in the above example not only defines the resource functionally but also implicitly records metadata, effectively attaching "who created it, where, and when" to the infrastructure itself. This practice strengthens Terraform module governance: in a large-scale environment composed of hundreds or thousands of modules and resources, the origin and development of every resource can be traced. As industry comments say, tags automatically added by Yor "simplify the process of connecting active cloud resources back to the code that created them," significantly improving the visibility of cloud resource management.

1.6.8.1.5. Pros and Cons

As an open-source project, Yor has received considerable attention and feedback in the infrastructure and DevOps communities since its launch. Overall, the community's evaluation of Yor is positive, believing that it fills a gap in IaC governance, but also puts forward some suggestions for improvement and considerations.

Positive Reviews: Many Terraform users and cloud architects view Yor as a "sharp weapon" for automated tag management. It significantly simplifies the management process of cloud resource tags and greatly improves resource manageability and traceability through an automated tagging system. Community articles point out that Yor can be seamlessly integrated into mainstream IaC platforms, providing powerful tag management functions for development and operations teams without changing existing workflows. This feature makes cross-team collaboration easier—tags become a unified language, and people with different functions can quickly obtain the information they need from them, reducing communication costs. In addition, Yor supports user-defined tagging rules, which is praised for its high flexibility and ability to meet the specific needs of different organizations. Many users share the experience that it was very difficult to promote consistent tagging strategies in large-scale environments in the past, but after introducing Yor, not only was a lot of manual time saved, but human errors were also reduced, achieving "continuous tag compliance". In actual operation scenarios, Yor helps teams locate responsible persons and relevant code faster when alerts occur, greatly shortening fault response time. Community blogs also list Yor as one of the excellent tools for practicing AWS best tagging strategies, recognizing its value in providing consistency and traceability in multi-cloud and complex environments. Looking at GitHub open-source community indicators, the Yor project has active contributors and user base (regular issue discussions and improvement submissions), showing the industry's strong interest in automated tagging governance.

Negative Reviews and Deficiencies: Despite its prominent advantages, some users also pointed out areas that need attention when using Yor in practice. First, some people worry that inserting a large number of tags into the code may cause a decline in code readability. For large Terraform codebases with many resource blocks, automatically injected tag lines will significantly increase the number of file lines, "polluting" the original code structure to some extent. However, some users also reported that Yor is relatively restrained when injecting tags and does not interfere excessively with the original configuration, as long as the tag part is folded during review, the impact is not significant. This is a matter of opinion, but can be partially mitigated through Yor's skip mechanism: teams can configure skipping certain modules or certain tags injection to avoid unnecessary information filling the code. Secondly, the integration cost of introducing new tools is also a focus of discussion. For teams with mature processes, adding Yor requires time to adjust CI processes, train developers to use pre-commit, etc. Some teams were initially cautious about adding automatic commit tags to the pipeline, worrying that it might affect existing review processes (for example, automatically generated tag commits might intersect with manual commits). To this end, practitioners suggest enabling Yor's --dry-run mode in the pilot phase or applying it only to specific projects, and gradually promoting it to gain team approval.

Another problem with Yor is that for open source reusable Terraform modules, tags added via Yor cannot be opted out by the module user. This can be troublesome for teams with more complex restrictions on resource tags.

Some community members also mentioned the issue of project maintenance activity: Yor's functions have gradually improved since its release, but the update frequency has decreased in certain periods, and the processing speed of raised Issues is not as expected. This has raised doubts about the long-term maintainability of the project, and some people have begun to explore alternatives with similar functions (such as env0's Terratag tool). For example, Terratag focuses on batch tagging of Terraform code, but lacks Yor's cross-framework support and rich tracking information advantages. Yor's multi-cloud multi-framework support and Git traceability tag functions are still its unique selling points, but the community also hopes to see Yor continue to iterate, support newer IaC types (such as Kubernetes native manifests, Pulumi, etc.), and provide richer documentation and use cases.

In addition, if you want to use Yor to add tags within tags, you will need two Git commits. The first is the user's change to the code, and the second is Yor modifying the tag information based on the previous version information and then committing. If we run Yor automatically through a CI platform, it will require permission to directly modify the code and Push to the trunk, which is prohibited in some projects with strict control over change processes.

In general, Yor's advantages are very obvious in the community's view: it lowers the threshold for implementing tag governance in large-scale environments, improves resource traceability, and helps teams achieve a higher level of infrastructure visibility and compliance. Its disadvantages mainly focus on some extra overhead brought by the tool itself, such as increased code verbosity, introduction of process complexity, and possible incomplete coverage for specific scenarios. These deficiencies can often be mitigated through configuration and process adjustments. As more and more organizations realize the importance of tags in cloud governance, the automated tagging solution represented by Yor is gaining widespread recognition. The community expects that in future developments, Yor can continue to evolve, absorb feedback, and further improve its functions, making it play a more indispensable role in large-scale Terraform module governance.

yor