Creating Exclude-Drift Rules

When Firefly detects a drift (a difference between the infrastructure as it exists in the cloud and what's defined in IaC), it normally alerts you so you can reconcile the change. However, not all drifts are important or actionable. An Exclude-Drift rule lets you ignore specific drift issues so that Firefly will stop alerting or notifying you about those particular differences. In effect, you are telling Firefly "I acknowledge this drift, but I want to exclude it from now on."

There are two ways to exclude drifts: by toggling an existing rule or by creating a new exclusion for a specific drift instance. Below is how you create a new drift exclusion rule for a drift you've identified:

  1. Go to Drifted assets: In the Firefly console, navigate to the Inventory and filter or view the Drifted assets. This will list resources that have drifted from their IaC definitions.

  2. Select the asset with drift: Find the resource that has the drift you want to ignore, and click on that asset's row to view details. In the asset detail pane, look for Drift Details, which will show the specific differences detected.

  3. Initiate drift exclusion: Within the drift details, click the "Exclude Drift" button or option for that asset. This starts the process to define an exclusion rule for the drift.

  4. Configure the exclusion rule: A dialog will prompt you to define the scope of the drift exclusion.

    • Scope: Choose the scope of assets the rule should apply to. You might limit it to just this one resource, or broaden it to a group (for example, all resources of a certain type or in a certain environment, if the drift is common).

    • Properties: Select the specific drift properties to ignore. Firefly will list the resource properties that have drifted (e.g., a tag value, a configuration field, etc.). You can pick which ones to exclude from drift detection. For instance, if an IAM policy document is drifted, you might choose to ignore just a particular policy statement difference.

    • Data sources: Optionally, specify the data source or provider context the rule applies to (e.g., AWS, Azure, specific account or region). This helps narrow down whether the exclusion is global or specific to certain integrations.

  5. Apply the exclusion: Confirm by clicking Exclude. Firefly will save this drift exclusion rule. Going forward, the specified drift (those properties in that scope) will no longer trigger drift alerts or appear as an active drift in Firefly.

After excluding a drift, you can always review or manage these rules. In Settings > Excluded Drifts, you will find a list of all drift exclusion rules in effect. There you can search for specific rules and toggle them on or off. For example, if you want to start detecting that drift again, you can disable the exclusion rule by turning off its toggle.

When to exclude a drift

Use drift exclusions for cases where a drift is known, acceptable, or not worth alerting on. Examples include:

  • Innocuous configuration changes: Some drifts are harmless or expected. For instance, certain cloud-managed timestamps, random IDs, or auto-generated fields might always differ from IaC and don't need action. Excluding those prevents unnecessary noise.

  • Accepted manual changes: If a resource was intentionally changed manually (out-of-band) and you prefer to keep that change (not revert it in code), you can exclude that drift. This acknowledges the difference so Firefly won't flag it repeatedly. Essentially, you're telling Firefly to treat the IaC vs. actual mismatch as acceptable for that property.

  • Partial codification or known deviation: You might have a case where most of a resource is managed in code, but a particular setting is intentionally managed in the cloud (perhaps due to a limitation or a one-time change). Creating an exclude-drift rule for that property spares you from seeing a perpetual drift alert.

  • Aligning with IaC ignore settings: If you use Terraform, you may already use the ignore_changes meta-argument in your Terraform config for certain resource attributes. Firefly is aware of this: when your VCS is integrated, Firefly automatically ignores drifts for any resource properties marked with Terraform's ignore_changes in the lifecycle settings. Because of this built-in behavior, you might not need a manual exclude rule for those properties. If another IaC tool you use offers an equivalent setting, handle it the same way.
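
Since Firefly honors ignore_changes without a manual rule, it helps to review what the Terraform code already tells it to ignore. The following is an added example, not Firefly's or the documentation's own code: it scans Terraform text for lifecycle ignore_changes entries and flags broad or security-relevant ones. The sample configuration, the SENSITIVE attribute list and the function names are assumptions made for illustration.

```python
import re

# Constructed Terraform sample (not from the Firefly docs); other arguments omitted.
SAMPLE_TF = '''
resource "aws_instance" "web" {
  lifecycle {
    ignore_changes = [tags["LastPatched"]]
  }
}
resource "aws_security_group" "db" {
  lifecycle {
    ignore_changes = [ingress, tags]
  }
}
resource "aws_iam_role" "ci" {
  lifecycle {
    ignore_changes = all
  }
}
'''

# Assumption: attributes this reviewer treats as security-relevant.
SENSITIVE = {"ingress", "egress", "policy", "assume_role_policy", "acl"}
RESOURCE_RE = re.compile(r'^resource\s+"([^"]+)"\s+"([^"]+)"', re.M)
# Handles `all` and single-line lists, which is enough for a review pass.
IGNORE_RE = re.compile(r'ignore_changes\s*=\s*(all\b|\[(.*)\])')

def classify(attr):
    root = re.split(r"[\[.]", attr)[0]  # tags["x"] and tags.x both reduce to tags
    return ("SENSITIVE " if root in SENSITIVE else "ok ") + attr

def audit_ignore_changes(tf_text):
    """Map resource address -> findings for each resource using ignore_changes."""
    starts = [(m.start(), f"{m.group(1)}.{m.group(2)}") for m in RESOURCE_RE.finditer(tf_text)]
    findings = {}
    for i, (pos, addr) in enumerate(starts):
        end = starts[i + 1][0] if i + 1 < len(starts) else len(tf_text)
        m = IGNORE_RE.search(tf_text, pos, end)
        if m is None:
            continue  # nothing ignored: drift on this resource stays visible
        if m.group(1) == "all":
            findings[addr] = ["ALL attributes ignored"]
        else:
            findings[addr] = [classify(a.strip()) for a in m.group(2).split(",") if a.strip()]
    return findings

if __name__ == "__main__":
    for address, notes in audit_ignore_changes(SAMPLE_TF).items():
        print(address, notes)
```

Entries reported as ALL or SENSITIVE are the ones to revisit first when exclusions are reviewed, since drift on those properties will not be flagged.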

Drift exclusions are a governance tool to fine-tune what you consider a real issue. They should be used sparingly and reviewed periodically – ensure that by ignoring a drift you're not overlooking something important. If circumstances change (e.g., you codify that property later), you should remove the exclusion so Firefly can resume drift detection for it.

Last updated 1 month ago