Set up IaC Tag and Trace
Prisma Cloud Application Security supports infrastructure-as-code (IaC) tags that let you trace a deployed cloud resource back to the code it was created from.
Using Yor, an open-source auto-tagging tool that supports Terraform, CloudFormation, and Serverless, you can add tags to every resource block in your repository.
Yor uses a YAML configuration to tag and trace resources, and the automated tags it generates are unique to a repository.
Yor automatically creates additional tags that contain details such as:
- Git organization, repository, and the exact file that contains the infrastructure-as-code (IaC) template used to create the cloud resource.
- Timestamp of the Git commits for supported cloud resources, together with a list of all editors and contributors who modified the file.
- Custom tags that you create for your resource.
These tags can be as simple as key and value pairs or a more complex combination of values, and Yor can auto-detect them either way. You can edit custom tags by adding a tag rule on the Prisma Cloud console. A tag rule helps you identify the resources that affect cost and ownership, including any third-party resources within your environment, and lets you manage the out-of-the-box tags.
If you already have a tag management strategy, you can replicate it using tag rules on the Prisma Cloud console.
In addition to auto-tags and custom tags, each runtime resource carries a unique yor_trace tag. This tag is used to detect drift between code and cloud and to locate the specific resource within a commit, which identifies the responsible team and resource owner so that a fix can be triaged in the most time- and cost-effective way.
Yor trace tags are accessible on the Prisma Cloud console, where you can enable or disable them. A Yor scan runs for every resource, and if any resource does not comply with a tag rule, Yor automatically opens a pull request (PR) against the repository. You can then access your version control system to fix the tag violation. Newly defined tags and tag rules apply to all existing and new resources in the selected repositories.
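To make the tagging and tag-rule behaviour described above concrete, here is an added, illustrative Python example (not Yor's own code): it parses Terraform resource blocks from a constructed sample, adds a yor_trace tag where one is missing (real Yor also generates a random UUID for yor_trace), and reports which resources would violate a custom key/value tag rule. The simplified HCL parsing is an assumption of this example and only handles the block layout shown.

```python
import re
import uuid

# Constructed sample: one resource already has tags, the other has none.
SAMPLE_TF = '''
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  tags = {
    env = "prod"
  }
}

resource "aws_instance" "web" {
  ami           = "ami-placeholder"
  instance_type = "t3.micro"
}
'''

RESOURCE_RE = re.compile(r'resource\s+"(\w+)"\s+"(\w+)"\s*\{')
TAGS_RE = re.compile(r'tags\s*=\s*\{([^}]*)\}')
KV_RE = re.compile(r'\s*(\w+)\s*=\s*"([^"]*)"')


def parse_resources(tf_text):
    """Return {"type.name": {tag_key: tag_value}} per resource block.

    Simplified parsing: blocks are separated by a blank line and the tags
    map only holds simple key = "value" lines (enough for this example).
    """
    resources = {}
    for block in tf_text.split("\n\n"):
        m = RESOURCE_RE.search(block)
        if not m:
            continue
        tags = {}
        t = TAGS_RE.search(block)
        if t:
            for line in t.group(1).splitlines():
                kv = KV_RE.match(line)
                if kv:
                    tags[kv.group(1)] = kv.group(2)
        resources[f"{m.group(1)}.{m.group(2)}"] = tags
    return resources


def apply_trace_tags(resources):
    """Add a yor_trace tag (a UUID, as Yor does) wherever it is missing."""
    for tags in resources.values():
        tags.setdefault("yor_trace", str(uuid.uuid4()))
    return resources


def tag_rule_violations(resources, key, value):
    """Resources lacking key=value; these are what a Yor tag-rule PR fixes."""
    return sorted(a for a, t in resources.items() if t.get(key) != value)
```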
Manage Tags
You can manage tags and tag rules for all resources in the repositories integrated on Prisma Cloud, whether for governance and monitoring or for enforcement of policies on provisioned resources. On the Prisma Cloud console you can enable, disable, and edit tags for any cloud resource, except the auto-generated trace tags (yor_trace).
- Access manage tags for resources.
  - Select Application Security > Projects.
  - Select More options and then select Manage tags. If Yor has already run for your repositories, a list of yor_trace tags, out-of-the-box tags, and custom tags appears. Otherwise, no list of tags is shown for your resources.
- For auto-generated tags, out-of-the-box tags, and custom tags:
  - Enable: enable a tag to run a scan on all resources in the assigned repositories. You must assign repositories to a tag before the tag can be enabled.
  - Disable: disable a tag for future resource scans in the repositories. A disabled tag continues to appear in the list on the Prisma Cloud console, and any previous change made using the tag, such as an automated pull request (PR), is not reverted.
- Only for custom tags:
  - Edit: edit a custom tag for all your resources in the assigned repositories.
    - Assign repositories to the tag rule. You can add or remove the repositories assigned to the tag. Each assigned repository changes the number of affected resources, which you can monitor on the Prisma Cloud console.
    - Edit values. You can edit the existing Key and Value.
    - Add Conditional Value. You can optionally add or delete conditional values for the tag. You must save an edit made to the tag rule and then enable it for Yor to run the scan on all resources.
  - Delete: delete tags from the Prisma Cloud console. Any previous change made using the tag, such as an automated pull request (PR) or Clone, is not reverted.
- Add a custom tag rule to resources in assigned repositories.
  - Select Add Tag Rule.
  - Select the repositories to assign the tag rule to. You can optionally add a Description for the tag rule.
  - Enter Key and Value. You can optionally choose Add Conditional Value for the tag rule.
  - Select Save and then select Done. Your new custom tag rule appears in the tag list on the Prisma Cloud console.