Creating IaC-Ignore Rules
An IaC-Ignore rule lets you tell Firefly to exclude specific unmanaged assets in your cloud inventory from IaC tracking. In other words, if there are cloud resources not managed by Infrastructure-as-Code that you want to leave out of Firefly's IaC coverage calculations, you can create a custom ignore rule to omit them. Once an asset matches an IaC-Ignore rule, it is marked "IaC-Ignored" and no longer counted in your IaC coverage or recommendations.
How to add an IaC-Ignore rule:
Open IaC-Ignored settings: In the Firefly app, go to Settings > IaC-Ignored. This section allows you to manage ignore rules for unmanaged assets.
Add a new rule: Click on "+ Add ignore rule." This will start the wizard to create a custom ignore policy.
Name and describe the rule: Give the rule a clear Name and an optional Description so you and your team know what its purpose is. For example, "Ignore default VPCs" could be a rule name.
(Optional) Label the rule: You can assign a label or category to the rule (or create a new label) to help organize multiple ignore rules. This is useful if you have many rules and want to filter or group them.
Choose the scope: Click Next, then select the scope of the ignore rule. The scope determines which assets the rule will target. It could be specific cloud accounts, regions, resource types, or a combination. For example, you might scope the rule to a particular provider or resource type that you want to ignore.
Define the ignore logic: In the provided code editor, write the rule logic using the Rego policy language (the language used by Open Policy Agent). Firefly uses Rego to define custom rules. For instance, you could write a Rego expression that matches resources by the tags, names, or types you want excluded. (Firefly provides a template or examples in the editor to help you get started.)
Preview matched assets: Before finalizing, you can preview which assets would be ignored by this rule. Use the preview option (e.g. a "View Assets" button) to see a list of assets that currently meet the rule criteria and would become IaC-Ignored. This helps validate that your rule is correctly targeting the intended assets.
Save the rule: Click Next and then Done to create the ignore rule. The rule will be activated, and any asset matching the rule's conditions will now show up as IaC-Ignored in the inventory.
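The following policy is an added example of the logic written in step "Define the ignore logic"; it is not a Firefly template and is not taken from the original page. It assumes that the asset under evaluation is exposed to the policy as `input.asset` with `type`, `name` and `tags` fields, and that the entry point is a boolean rule named `ignore`; those names are assumptions for illustration, so replace them with the field names and rule name that Firefly's editor shows. It covers two of the scenarios discussed below, provider-created default VPCs and tagged ephemeral resources, and deliberately matches on exact values rather than name patterns so that the preview in the next step stays easy to check.

```rego
package firefly.iac_ignore

import rego.v1

# Added example, not Firefly's own code. The input shape
# (input.asset.type, input.asset.name, input.asset.tags) and the rule
# name `ignore` are assumptions; Firefly's editor shows the real ones.
#
# Constructed sample input used when testing this policy locally:
# {
#   "asset": {
#     "type": "aws_vpc",
#     "name": "default",
#     "tags": {"lifecycle": "ephemeral"}
#   }
# }

# An asset is only ignored when one of the rules below matches.
default ignore := false

# Provider-created default VPCs: unmanaged, but not a coverage gap.
ignore if {
	input.asset.type == "aws_vpc"
	input.asset.name == "default"
}

# Short-lived test resources, recognised by an explicit tag rather
# than a name pattern so the match set stays narrow and auditable.
ignore if {
	input.asset.tags["lifecycle"] == "ephemeral"
}

# Resources owned by another team's tooling, identified by a
# constructed ownership tag; a missing tag leaves the rule undefined,
# which falls back to the default of false.
ignore if {
	input.asset.tags["managed-by"] in {"platform-team", "external-vendor"}
}
```

Before pasting a rule into Firefly, it can be checked locally with OPA by saving the policy as a `.rego` file and the sample document as JSON and running `opa eval -i asset.json -d ignore.rego 'data.firefly.iac_ignore.ignore'`, which should print `true` for the sample above. Keep each rule tied to one concrete condition (a fixed type and name, or a specific tag value): a broad rule hides real drift from the coverage reports, and the preview of matched assets is the place to confirm that only the intended resources fall under it.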
After creating an ignore rule, the matching assets are excluded from IaC coverage metrics. You can view all ignored assets by going to the Inventory and using the IaC-Ignored filter (this filter shows assets that have been marked as ignored). If needed, you can always disable or delete the custom rule later via the Settings > IaC-Ignored page (there is a toggle to turn rules on/off, or an option to remove the rule entirely).
When to ignore unmanaged assets:
Creating IaC-Ignore rules is helpful in several scenarios:
Default cloud resources: Cloud providers often create default resources (like a "default VPC" or default subnets in a new AWS account). These are unmanaged (not created by your IaC), but you might not want them counted as gaps in your IaC coverage. Marking them as IaC-Ignored will exclude such defaults from your IaC statistics.
Benign unmanaged assets: If certain resources are intentionally left out of code (perhaps managed manually or by another system), and you don't plan to codify them, ignoring them can reduce noise. For example, an experimental server or a one-off cloud service may not be worth codifying; you can ignore it so Firefly doesn't flag it as "unmanaged" in your reports.
Ephemeral/test resources: Some teams create temporary resources for testing or development that are short-lived. If Firefly detects these as unmanaged, it might not be useful to track them. An ignore rule can hide those ephemeral assets from continuous IaC tracking.
False positives or unsupported types: In some cases, Firefly might identify an asset as unmanaged due to an edge case or lack of support for a certain resource type. If you are confident the asset should be excluded, an ignore rule can serve as a workaround until proper support or a fix is in place.
Third-party or externally managed resources: You may have resources managed by external tools or other teams' IaC, which Firefly flags as unmanaged in your context. You can ignore those to focus on the assets you are responsible for.
By using IaC-Ignore rules judiciously, you ensure your IaC coverage and governance reports focus on relevant gaps only, filtering out assets that you deliberately want to leave unmanaged.