First Steps in Firefly
A few initial activities are recommended to get value from Firefly:
Explore the Cloud Inventory
Navigate to the Inventory page to see the list of all assets Firefly has aggregated from your connected accounts. Here you can filter and search resources across AWS, GCP, Azure, Kubernetes, and SaaS providers all in one place.
Try using the filters in the left sidebar of the Inventory to drill down by data source, region, resource type, tag, or owner. For example, you might filter to a specific AWS account and resource type EC2 Instance to see your VMs, or filter by an Owner tag to see assets owned by a team.
The Inventory is your single source of truth for what's running in your cloud. Click on a resource in the table to view its Asset Details – including its configuration info, tags, IaC state (if managed by code), mutations (change history), and any policy violations or drift status.
This will help you quickly identify which assets are "codified" (managed by IaC) and which are "unmanaged" (created manually and not yet in code). Firefly automatically classifies every resource as codified, drifted, unmanaged, or ghost.
As a best practice, note any important unmanaged assets – you can decide to codify them (generate IaC) to bring them under control.
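The four classes can be pictured as a comparison between what is running in the cloud and what the IaC state declares. The sketch below is an added example, not Firefly's code or API: the resource records, the function names, and the exact definitions of "drifted" (in code, but attributes differ) and "ghost" (in code, but missing from the cloud) are assumptions made for illustration.

```python
# Added illustration; sample data is constructed, not real Firefly output.
# CLOUD: what is actually running, keyed by resource ID.
CLOUD = {
    "i-0aaa": {"type": "aws_instance", "instance_type": "t3.micro"},
    "i-0bbb": {"type": "aws_instance", "instance_type": "t3.large"},
    "sg-0ccc": {"type": "aws_security_group", "ingress_cidr": "0.0.0.0/0"},
}
# IAC_STATE: what the IaC state says should exist.
IAC_STATE = {
    "i-0aaa": {"type": "aws_instance", "instance_type": "t3.micro"},
    "i-0bbb": {"type": "aws_instance", "instance_type": "t3.micro"},
    "vol-0ddd": {"type": "aws_ebs_volume", "size_gb": 100},
}


def diff_attrs(desired, actual):
    """Return {attr: (desired, actual)} for every attribute that differs."""
    keys = desired.keys() | actual.keys()
    return {k: (desired.get(k), actual.get(k))
            for k in sorted(keys) if desired.get(k) != actual.get(k)}


def classify(cloud, iac_state):
    """Map each resource ID to (class, changed_attributes)."""
    result = {}
    for rid in sorted(cloud.keys() | iac_state.keys()):
        in_cloud, in_code = rid in cloud, rid in iac_state
        if in_cloud and not in_code:
            result[rid] = ("unmanaged", {})   # created outside IaC
        elif in_code and not in_cloud:
            result[rid] = ("ghost", {})       # declared, but not running
        else:
            changed = diff_attrs(iac_state[rid], cloud[rid])
            result[rid] = ("drifted", changed) if changed else ("codified", {})
    return result


def review_queue(classified):
    """IDs needing a decision: everything that is not cleanly codified."""
    return [rid for rid, (state, _) in classified.items() if state != "codified"]


if __name__ == "__main__":
    for rid, (state, changed) in classify(CLOUD, IAC_STATE).items():
        print(f"{rid:10} {state:10} {changed}")
```

The review queue is the practical output: unmanaged assets are candidates for codification, drifted ones need either a revert or a code update, and ghosts point to stale state.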
Set Up a Policy (Governance)
Go to the Governance page to view built-in policy checks and optionally create your first custom policy. Firefly comes with a library of built-in policies (powered by OPA's Rego rules) that check your assets for security, compliance, and best-practice issues.
These include categories like access control, encryption, tagging, cost optimization, etc. Initially, you will see a summary of how many resources pass or violate the built-in policies.
As a new user, a good first step is to identify one or two critical policies to enforce. For example, you might want to ensure "No public S3 buckets" or "Databases must be encrypted". You can create a Custom Policy for this if it isn't covered by the built-ins.
To create a policy:
Click "+ Custom Policy".
Give it a name.
Choose a category (or create a new one) and severity level.
Select the scope of the policy (e.g. all resources, or only specific resources and/or accounts).
Write the rule in Rego (or use the AI policy generator to help).
Firefly provides an Input Schema and testing interface so you can validate the policy against existing assets before saving. Once your policy is active, Firefly will scan all relevant assets and report any violations.
The Governance page dashboard will show a compliance score (the percentage of assets passing each policy). As you get started, setting up a few key policies establishes enforcement for your environment.
Configure Notifications
It's important to get alerts when Firefly detects changes or issues. Under Settings > Notifications, configure how you'd like to receive alerts about drift, policy violations, or other events.
Firefly can send notifications to various channels: you can integrate Slack, Microsoft Teams, PagerDuty, email, or create Jira tickets, among others.
For example, for Slack, you have two options:
Using the Firefly Slack App.
Setting up a webhook URL.
In either case, you'll authorize Firefly to post messages to your workspace. Similar steps apply for Teams (via an incoming webhook connector) and PagerDuty (via an API integration key).
After integration, define what events trigger notifications. For example, you might enable alerts for:
Drift detected (when an infrastructure change occurs outside of IaC).
Policy violation detected.
New ClickOps event detected.
Firefly will then send a message with details to your chosen channel whenever those events occur, according to your configuration – e.g. posting a Slack message when a non-compliant change is blocked or sending a PagerDuty incident when a drift is detected.
Setting up notifications early ensures you have near real-time visibility. Firefly's platform is event-driven for AWS, Azure, and GCP, tracking CloudTrail and equivalent events in near real-time, so you will be alerted to changes promptly.
As a next step, you can also explore the Event Center to see a log of all changes detected. Notifications and event monitoring help your team respond quickly to any issues that Firefly surfaces.
Configure Workflows and Guardrails
Firefly Workflows automate your Terraform and OpenTofu deployments. You can either integrate your existing CI/CD pipeline or use Firefly-managed workflows where Firefly handles the execution.
Integrating Existing CI/CD Pipelines
Creating Firefly-Managed Workflows
Implement Guardrail Rules
Guardrails enforce policies (cost, security, tagging, resource) on your IaC deployments, blocking non-compliant changes.
Go to Workflows > Guardrails and click "+ Add New".
Choose Rule Type: Cost, Policy (listed in the Governance page), Resource, or Tag.
Name Your Rule and define its Violation Behavior (Strict Block or Flexible Block with overrides).
Define Scope: Specify which Workspaces, Repositories, Branches, or Labels the rule applies to.
Set Rule-Specific Criteria: For example, for a Cost rule, set a budget change threshold. For a Policy rule, select policies.
By setting up workflows and guardrails, you gain automated, policy-driven control over your IaC deployments.
By completing these first steps – connecting your accounts, exploring the inventory, defining basic policies, enabling notifications, and configuring workflows with guardrails – you'll have a solid foundation in Firefly. You'll be able to continuously monitor your cloud assets, get alerted to important changes, manage your IaC deployments with policy enforcement, and start improving your infrastructure management with Infrastructure-as-Code.