FAQs
In this section, we address common questions and issues that users might encounter while using Firefly. If you run into a problem, there's a good chance it's covered below. The FAQ is organized by topic: general usage, integration issues, feature behavior, security concerns, and licensing/support.
General Usage
Q: How can I grant a new user access to Firefly and what level should I give? A: In Firefly:
Invite the user via Settings > Users (enter email, pick role Admin or Viewer).
Admin vs Viewer: Admin can integrate new sources, manage settings, codify/delete resources, etc. Viewer can see everything (inventory, violations) but not perform actions that change things or alter settings.
For most developers or auditors who just need to see data, Viewer is appropriate. For DevOps/SRE who will actively manage infrastructure through Firefly (codifying, fixing drift, approving guardrails), Admin might be needed.
There are currently only two roles. If you need more granular control (for example, someone who can manage some integrations but not others), that's not yet built out – you'd have to either trust them as Admin or restrict them to Viewer and handle those tasks centrally.
If the user did not receive an invite email (a common issue), check that the email address is correct and that the message is not in spam. Resend the invite if needed. They can also go to the Firefly login page and use "Forgot password" with that email; this sometimes triggers setting a password if the invite link failed.
Q: Where can I get help if I encounter a problem not covered here? A: Several resources:
Firefly Documentation: (You're likely reading it on GitBook). The docs have specific how-to guides and deep-dives – use the search function for keywords.
Community/Support Forum: Firefly might have a community Slack or forum where you can ask questions and see if others had similar issues.
Direct Support: If you have a support contract or during trial, you can email Firefly support (support@firefly.ai or via the in-app chat if available). Provide as much detail as possible (screenshots, asset IDs, timestamps, etc.).
Contacting Firefly Support Page: In the docs, there is usually a section on contacting support with instructions on what info to include (version, org ID, etc.).
Updates: It's possible your issue is fixed in a newer version of Firefly – make sure you're on the latest (if Firefly is SaaS, they update it automatically, but if on-prem, apply the latest patch). Check the release notes for bug fixes related to your problem.
Feature Behavior
Q: I created a new .tfstate (Terraform state) file in my cloud storage, but Firefly isn't marking those resources as codified. A: Firefly might not automatically know about new state files unless told:
For AWS, if you enabled Auto-discovery on integration, Firefly scans S3 for .tfstate files daily. If urgent, you can manually trigger the S3 scan via the integration settings.
For GCP, if you stored states in GCS, ensure you integrated that bucket under "Integrate remote states > GCS" in Firefly.
Make sure the state file's resources actually map to the same cloud account that Firefly is scanning. Firefly correlates by resource IDs; if the state is from another account or environment not integrated, it won't match.
If all set and still not seeing it, check Firefly's Discovery Status (some integrations have a sub-page showing last scan time and results, e.g., "AWS Discovery Status" might list discovered state files).
Ultimately, if needed, you can explicitly integrate the remote state via Firefly's Integrations (there are options for Terraform Cloud, Terraform Enterprise, etc., which will feed those known states in).
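A local pre-check for the account-mapping point above, as an added example (not Firefly code, and not how Firefly correlates resources): it reads a Terraform v4 state file and groups managed resources by the AWS account ID embedded in each `arn` attribute, so you can see whether the state belongs to an account you have integrated. The state content and account IDs are constructed sample values.

```python
import json
from collections import defaultdict

def resources_by_account(state):
    """Map AWS account ID -> resource addresses, using each instance's `arn`."""
    by_account = defaultdict(list)
    for res in state.get("resources", []):
        if res.get("mode") != "managed":
            continue  # data sources are lookups, not resources the state owns
        address = ".".join(filter(None, [res.get("module"), res["type"], res["name"]]))
        for inst in res.get("instances", []):
            arn = (inst.get("attributes") or {}).get("arn") or ""
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            # Some ARNs (S3 buckets, for example) carry no account ID.
            account = parts[4] if len(parts) == 6 and parts[4] else "unknown"
            by_account[account].append(address)
    return dict(by_account)

def outside_integrated(state, integrated_accounts):
    """Addresses whose ARN names an account that is not in the integrated set."""
    return sorted(addr
                  for acct, addrs in resources_by_account(state).items()
                  if acct != "unknown" and acct not in integrated_accounts
                  for addr in addrs)

# Constructed sample state (Terraform state format version 4).
SAMPLE_STATE = json.loads("""
{"version": 4, "resources": [
  {"mode": "managed", "type": "aws_instance", "name": "web", "instances": [
    {"attributes": {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"}}]},
  {"mode": "managed", "module": "module.ci", "type": "aws_iam_role", "name": "deploy",
   "instances": [{"attributes": {"arn": "arn:aws:iam::444455556666:role/deploy"}}]},
  {"mode": "managed", "type": "aws_s3_bucket", "name": "logs", "instances": [
    {"attributes": {"arn": "arn:aws:s3:::example-logs"}}]},
  {"mode": "data", "type": "aws_caller_identity", "name": "current", "instances": [
    {"attributes": {"account_id": "111122223333"}}]}
]}
""")

if __name__ == "__main__":
    integrated = {"111122223333"}  # assumption: the account IDs you have integrated
    print(resources_by_account(SAMPLE_STATE))
    print("not in an integrated account:", outside_integrated(SAMPLE_STATE, integrated))
```

Resources reported under `unknown` have to be matched by name or ID instead, since their ARN does not identify the owning account.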
Q: I have duplicate resources showing up in Inventory. Why could that be? A: Duplicates can happen if:
The same resource is integrated via two paths. For example, if you integrated an AWS account normally, and also integrated the same Terraform state that manages it via Terraform Cloud integration, Firefly might list the resource twice (once from cloud scan, once from state). Firefly usually de-duplicates by matching IDs, but if those IDs are slightly different formats or if one integration lacks the ID, duplicates appear.
Another scenario: a resource moved from one stack to another in code but Firefly hasn't caught up (so temporarily it shows under both old and new).
Solution: Check if the duplicate entries have slight differences (maybe one has IaC Stack "Terraform Cloud run X" and another "AWS direct"). If so, you might remove one integration to avoid double tracking. Firefly is supposed to merge them, but if not, consult support – they might adjust how they correlate the data.
If it's a scenario of resource ID changes (like some Azure resources have different IDs via API vs portal), Firefly might treat them separately. In such niche cases, again contacting support with details helps.
Usually, duplicates are rare. A quick fix can be to force a rescan and ensure all integrations (cloud and IaC) are updated. Firefly might then realize they're the same resource and merge.
Security Concerns
Q: What are the security implications of Firefly having read access to my cloud? A: Firefly is designed to be read-only in your cloud accounts. By using least-privilege IAM roles, it should not be able to alter any infrastructure on its own (unless you explicitly allow actions like deletion or adding tags as part of some automation via codify, and even those usually go through your pipelines or via assumed roles when you trigger them).
All data Firefly reads (resource configurations, tags, etc.) is stored in Firefly's system (likely encrypted at rest). Check the Firefly security documentation for details on data handling – for instance, secrets like keys are not fetched, only metadata.
If you use the AI features, consider that descriptions of your infrastructure are sent to an AI model (OpenAI or similar). Firefly likely uses that in a secure way, but avoid inputting highly sensitive information verbatim (e.g., don't paste secret keys into the AI prompt). The AI usage policy from Firefly should state that they don't retain your specific data beyond the session, etc.
Ensure that Integration Keys (like API keys for Slack, PagerDuty, etc.) are treated like secrets. Firefly stores them to send notifications. If you suspect any compromise, you can rotate those keys both in the external service and update Firefly's stored key.
Principle of Least Privilege: The IAM role you create for Firefly doesn't need to read your data, only configurations. For example, Firefly will know a bucket exists and its settings, but not the objects inside it. It reads security group rules but not the traffic going through. This limits exposure. If you have extremely sensitive contexts (say government classified), you might run Firefly in a more isolated way or on-prem with even stricter scopes, but generally Firefly has been vetted for enterprise security.
Penetration Testing: If concerned, ask Firefly for any pen test reports or compliance certifications (they might have SOC2 for their service). It's reasonable due diligence.
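One way to verify the least-privilege claim above before attaching a role, as an added example (not Firefly code): the script walks an AWS IAM policy document and reports every allowed action that is either a write or a data-plane read such as `s3:GetObject`, including wildcards that would expand to one. The list of data-plane actions and the sample policy are constructed assumptions, not Firefly's published policy.

```python
import fnmatch
import json

# Assumption: a conservative list of data-plane reads (they return stored data
# or secret values, not settings). Extend it for the services you run.
DATA_ACTIONS = sorted([
    "s3:GetObject", "s3:GetObjectVersion", "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParameters", "kms:Decrypt",
    "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
])
READ_PREFIXES = ("describe", "list", "get")  # configuration/metadata reads

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (action, reason) for each allowed action beyond config reads.

    Conservative: Deny statements and Conditions are ignored, so a finding
    means "review this grant", not "this access is definitely effective".
    """
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(("NotAction", "allows every action not listed"))
        for action in as_list(stmt.get("Action", [])):
            pattern = action.lower()  # IAM action names are case-insensitive
            data = [d for d in DATA_ACTIONS if fnmatch.fnmatchcase(d.lower(), pattern)]
            name = pattern.partition(":")[2]
            if data:
                findings.append((action, "reads data: " + ", ".join(data)))
            elif not name.startswith(READ_PREFIXES):
                findings.append((action, "not a read-only action"))
    return findings

# Constructed sample policy for illustration.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "s3:ListAllMyBuckets"]},
  {"Effect": "Allow", "Resource": "*", "Action": ["s3:Get*", "ec2:CreateTags"]},
  {"Effect": "Deny", "Resource": "*", "Action": "secretsmanager:GetSecretValue"}
]}
""")

if __name__ == "__main__":
    for action, reason in audit_policy(SAMPLE_POLICY):
        print(f"{action}: {reason}")
```

In the sample, `s3:Get*` is flagged because the wildcard covers object reads as well as bucket settings, and `ec2:CreateTags` is flagged as a write that should be present only if you deliberately enabled tagging.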
Licensing and Support
Q: How is Firefly licensed and what if I hit asset limits? A: Firefly's licensing is often based on the number of assets under management or the number of cloud accounts, etc. Common questions:
If you approach your asset tier limit, Firefly will likely notify you (either via account team or an in-app notice). It won't immediately stop working, but you should discuss upgrading the plan. Some features might be rate-limited if severely over the limit.
Unused assets (deleted ones) typically don't count once they're gone. But ghost assets might still count if they remain in inventory. Clean them up if you're near limits.
For trial versions, you may have a time limit or asset cap. In that case, integrate what's most important first to evaluate. You can always integrate more later after licensing.
If you need to add, say, another 1000 assets and aren't sure about license, reach out to Firefly support or your account manager – they can often grant a temporary extension or quote an upgrade.
Best Practice: Regularly audit what Firefly is managing to ensure you're within your expected range. If you remove a cloud account or project, also remove it from Firefly to free up license counts and avoid confusion.