Creating IaC-Ignore Rules
An IaC-Ignore rule tells Firefly to exclude specific unmanaged assets in your cloud inventory from IaC tracking. In other words, if there are cloud resources not managed by Infrastructure-as-Code that you want to leave out of Firefly's IaC coverage calculations, you can create a custom ignore rule to omit them. Once an asset matches an IaC-Ignore rule, it is marked IaC-Ignored and is no longer counted in your IaC coverage or recommendations.
How to add an IaC-Ignore rule:
Open IaC-Ignored settings: In the Firefly app, go to Settings > IaC-Ignored. This section allows you to manage ignore rules for unmanaged assets.
Add a new rule: Click on + Add ignore rule. This will start the wizard to create a custom ignore policy.
Name and describe the rule: Give the rule a clear Name and an optional Description so you and your team know what its purpose is. For example, Ignore default VPCs could be a rule name.
(Optional) Label the rule: You can assign a label or category to the rule (or create a new label) to help organize multiple ignore rules. This is useful if you have many rules and want to filter or group them.
Choose the scope: Click Next, then select the scope of the ignore rule. The scope determines which assets the rule will target. You can select specific resource types. For example, you might scope the rule to EC2 instances only, so it ignores nothing else.
Define the ignore logic: In the provided code editor, write the rule logic using the Rego policy language (the language used by Open Policy Agent). Firefly uses Rego to define custom rules. For instance, you could write a Rego expression that matches resources by certain tags, names, or types that should be ignored.
Example Rule - Ignoring Default Resources:
```rego
# "firefly" is the entry point Firefly evaluates for each asset in the rule's scope.
# It is true whenever the "exclude" rule is satisfied.
firefly {
    exclude
}

# "exclude" is satisfied for any asset whose id field is exactly "default".
exclude {
    input.id = "default"
}
```
This example rule will ignore any asset where the id field equals "default". This is particularly useful for ignoring default resources that cloud providers automatically create (like default VPCs, default security groups, etc.). The rule works as follows: the firefly rule evaluates to true when the exclude rule is satisfied, and the exclude rule matches any asset where input.id equals "default". When both conditions are met, Firefly will mark the asset as IaC-Ignored.
Evaluate matched assets: Before finalizing, you can preview which assets would be ignored by this rule. Use the Evaluate button to see a list of assets that currently meet the rule criteria and would become IaC-Ignored. This helps validate that your rule is correctly targeting the intended assets.
Save the rule: Click Next and then Done to create the ignore rule. The rule will be activated, and any asset matching the rule's conditions will now show up as IaC-Ignored in the inventory.
After creating an ignore rule, the matching assets will be excluded from IaC coverage metrics. You can view all ignored assets by going to the Inventory and applying the IaC-Ignored filter for the rule you created (this filter shows the assets that have been marked as ignored). If needed, you can always disable or delete the custom rule later via the Settings > IaC-Ignored page (there is a toggle to turn rules on/off, or an option to remove the rule entirely).
When to ignore unmanaged assets:
Creating IaC-Ignore rules is helpful in several scenarios:
Default cloud resources: Cloud providers often create default resources (like a "default VPC" or default subnets in a new AWS account). These are unmanaged (not created by your IaC), but you might not want them counted as gaps in your IaC coverage. Marking them as IaC-Ignored will exclude such defaults from your IaC statistics. Firefly comes with built-in rules for some of these cases.
Benign unmanaged assets: If certain resources are intentionally left out of code (perhaps managed manually or by another system) and you don't plan to codify them, ignoring them can reduce noise. For example, an experimental server or a one-off cloud service may not be worth codifying; you can ignore it so Firefly doesn't flag it as unmanaged in your reports.
Ephemeral/test resources: Some teams create temporary resources for testing or development that are short-lived. If Firefly detects these as unmanaged, it might not be useful to track them. An ignore rule can hide those ephemeral assets from continuous IaC tracking.
Third-party or externally managed resources: You may have resources managed by external tools or other teams' IaC, which Firefly flags as unmanaged in your context. You can ignore those to focus on the assets you are responsible for.
By using IaC-Ignore rules judiciously, you ensure your IaC coverage and governance reports focus on relevant gaps only, filtering out assets that you deliberately want to leave unmanaged.
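As an added example (not from the Firefly documentation), the following rule extends the default-resource rule shown earlier so that one policy covers the scenarios listed above: provider defaults, ephemeral or test resources, and externally managed resources. Only input.id is documented on this page; the input.name and input.tags fields, and the tag values, are assumptions and should be confirmed against the fields Firefly exposes for your chosen scope, using the Evaluate button before saving.

```rego
# Added example, not Firefly's own rule. Same structure as the page's rule:
# "firefly" is the entry point and is true when any "exclude" body matches.
firefly {
    exclude
}

# 1. Provider-created defaults: an asset whose id is literally "default"
#    (this is the page's original rule).
exclude {
    input.id == "default"
}

# 2. ASSUMED field input.name: defaults that are named rather than id'd,
#    e.g. a "default" VPC or "Default Security Group", matched case-insensitively.
exclude {
    startswith(lower(input.name), "default")
}

# 3. ASSUMED field input.tags: ephemeral/test resources that their owners have
#    tagged explicitly. Tag keys are compared case-insensitively; the value must
#    be exactly "true" so an unrelated tag such as "test-tier=gold" is not matched.
ephemeral_tag_keys := {"ephemeral", "temporary", "test"}

exclude {
    some key
    input.tags[key] == "true"
    ephemeral_tag_keys[lower(key)]
}

# 4. ASSUMED tag convention: resources another team or tool owns, marked with a
#    "managed-by" tag. Only the listed owners are ignored, so an unexpected
#    value still shows up as unmanaged and gets reviewed.
external_owners := {"platform-team", "vendor-appliance"}

exclude {
    external_owners[input.tags["managed-by"]]
}
```

Each numbered case is a separate exclude body, so you can delete the ones whose fields or conventions do not exist in your inventory without touching the rest; the rule uses the same pre-1.0 Rego syntax (rule bodies without the if keyword) as the page's example.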