LogoLogo
  • Welcome to Firefly Documentation
  • Introduction
    • What is Firefly?
    • Who is Firefly for?
    • Why use Firefly?
    • Terminology (Glossary)
  • Key Features
    • Infrastructure-as-Code Automation
    • Cloud Asset Inventory
    • Drift Detection & Remediation
    • Policy-as-Code for Compliance & Governance
    • Cost Visibility & Optimization
    • AI Assistant
    • ChatOps Integration
  • Getting Started
    • Account Setup & Onboarding
    • Connecting Cloud Accounts
    • UI Walkthrough & Navigation
    • First Steps in Firefly
  • Detailed Guides
    • Dashboard Overview
    • Cloud Asset Inventory
      • Remediating Drifts
      • Deleting Assets
      • Creating IaC-Ignore Rules
      • Creating Exclude-Drift Rules
    • Policy & Governance
      • Creating Policy-as-Code Governance Rules
      • Remediating Policy Violations
    • Workflows & Guardrails
      • Creating Workflows
      • Creating Guardrail Rules
    • Codification
    • Self-Service
    • IaC Explorer
    • Event Center
    • Backup and Disaster Recovery
    • Notifications
    • User Management
    • SSO Configuration
  • Integrations
    • Integrations Overview
    • Integrating Data Sources
      • AWS
      • Azure
      • Google Cloud
      • Kubernetes
      • Akamai
      • Datadog
      • New Relic
      • Okta
      • GitHub
      • Cloudflare
      • NS1
      • PagerDuty
      • MongoDB Atlas
      • HashiCorp Vault
    • Integrating IaC Remote State
      • Terraform Cloud
      • Google Cloud Storage
      • env0
      • HashiCorp Consul
    • Integrating Version Control
      • GitHub
      • GitLab
      • Azure DevOps
      • CodeCommit
      • Bitbucket
    • Integrating Notifications
      • Slack
      • Microsoft Teams
      • PagerDuty
      • Opsgenie
      • Torq
      • Webex
      • Google Chat
      • Webhook
    • Integrating Project Management
      • Jira
      • ServiceNow
    • Integrating Workflows with CI/CD
    • Integrating Backstage
    • Integrating MCP
  • Use Cases & Best Practices
    • Cloud Governance & Visibility
    • Cost Optimization Strategies
    • Compliance and Security Best Practices
    • Infrastructure Automation & Self-Service
    • Best Practices and Implementation Tips
  • Analytics & Reporting
    • Analytics Dashboard Overview
    • Using Analytics for Improvement
    • Exporting and Sharing Reports
    • Analytics Security and Privacy
  • Code Snippets & Examples
    • Terraform Snippet for an AWS EC2 Instance (Codified via Firefly)
    • Example Rego Policy (OPA) for a Custom Rule
    • GitHub Actions Workflow YAML for Firefly Integration
    • JSON Output Example: Exporting Inventory
  • Troubleshooting & FAQs
    • Common Issues and Solutions
    • FAQs
  • General Information
    • Firefly API
      • Authentication
      • Inventory
      • Codification
      • Workflows
      • Self-Service
      • Policy & Governance
      • IaC Explorer
      • Event Center
      • Backup and Disaster Recovery
      • User Management
      • Notifications
      • Integrations
    • Security & Compliance
    • Pricing Tiers & Add-ons
    • Contacting Support
Powered by GitBook
On this page
  • Enforcing Infrastructure-as-Code Adoption
  • Preventing Manual Configurations & Drift
  • Role-Based Access Control & Change Governance
  • Governance Policy Enforcement
  • Disaster Recovery & Auditing
  • Summary

Was this helpful?

  1. Use Cases & Best Practices

Cloud Governance & Visibility

Effective cloud governance ensures that your cloud infrastructure is secure, compliant, and under control, without slowing down innovation. Firefly is purpose-built to enhance governance by giving you visibility into everything (even across multiple clouds and SaaS), and by providing tools to enforce Infrastructure-as-Code and policies.

Enforcing Infrastructure-as-Code Adoption

One of the biggest governance challenges is "shadow IT" or unmanaged infrastructure – resources created manually outside of approved IaC processes. These unmanaged assets can lead to drift, configuration mistakes, and make recovery difficult. A best practice is to strive for 100% IaC coverage – every resource defined and managed through code. Firefly helps enforce this by automatically detecting any resource that is not managed by IaC (tagging it as "Unmanaged").

As soon as Firefly is integrated, it will inventory your cloud and likely reveal assets that your Terraform/CloudFormation didn't create. The Codification feature is your friend here: use it to convert unmanaged assets into code. For example, if someone manually created an S3 bucket, Firefly will flag it unmanaged – you can then generate the Terraform code for it and add that to your configuration (thus "codifying" it).

Over time, continuously monitor the IaC Coverage metric on the dashboard (what percent codified vs unmanaged) and aim to improve it. Set a policy to alert on unmanaged assets in production. You could even fail CI pipelines if they detect unmanaged infra. Firefly can automatically open PRs for new unmanaged resources (as code) – by merging those, you effectively bring them under IaC management retroactively.

Additionally, educating your team that Firefly is watching for manual changes will discourage them from deviating; they'll stick to Terraform because they know any manual change will be caught and they'll have to justify or revert it. In short, Firefly acts as an enforcer: it precisely determines if each resource is codified, unmanaged, drifted, or ghost and gives you the means to address any that aren't codified. The result is better consistency and the ability to rebuild environments reliably from code if needed.

Preventing Manual Configurations & Drift

Even with IaC, manual tweaks sometimes happen – an admin might quickly open a firewall port in the console during an emergency, or a developer might update a cloud setting to test something. These changes, made outside of code, create drift (the live state differs from the IaC state). Drift can be dangerous: it can indicate security settings changed without review, or it can cause the next Terraform apply to potentially undo a manual hotfix.

Firefly's drift detection is continuously at work to catch this. It will compare cloud state to your IaC (via connected state files) and list any differences. To prevent drift from accumulating, adopt a policy that all changes must go through code. Use Firefly's Guardrails in CI to block changes that look like they will orphan or conflict with existing resources.

For example, if someone tries to manually delete a resource that is still defined in Terraform, Firefly's drift rules will catch that as a "ghost" resource situation and can alert or block deletion. Culturally, encourage the team: "No manual changes – Firefly will catch them, so you might as well do it in Git."

When drift is detected, act on it immediately: either update the code to match (if the manual change was legitimate and should persist) or use Firefly to revert the change (if it was unauthorized or mistaken). Firefly helps by not only detecting drift but also providing one-click remediation – e.g., generating a pull request to align code with the actual or vice versa.

By quickly fixing drifts, you maintain a single source of truth. As a best practice, review the Drift Report (or drift section on the dashboard) daily or set alerts for any drift in critical systems. Over time, as you catch drifts, you can identify their causes and address root problems (maybe a certain team needs read-only access, or a particular setting isn't governed by IaC and should be).

Some organizations even integrate Firefly with ServiceNow or Jira to create an incident each time a drift occurs, ensuring investigation. The mantra is "if it's not in code, it doesn't exist" – Firefly gives you the visibility to uphold that.

Role-Based Access Control & Change Governance

Cloud governance isn't just about technology; it's also about processes and people. RBAC (Role-Based Access Control) is essential – you want to limit who can do what, to reduce the chance of accidental or malicious changes. In Firefly, although it is read-only in terms of cloud access, you can manage user roles within the Firefly app (who can view, who can manage integrations, etc.).

Ensure you configure Firefly's own user roles such that only authorized people can, say, approve a codification pull request or mark an asset as "ignored". On the cloud side, tie this in with guardrails: for instance, rather than giving everyone broad access to cloud consoles, encourage use of IaC where code reviews and approvals (via Git) act as checkpoints.

Firefly's guardrails can serve as an automatic RBAC enforcement – for example, a Resource guardrail can block creation of certain resource types entirely (maybe only senior admins are allowed to create certain high-risk resources, so for others it will always block in pipeline).

Another aspect is tracking changes and ownership. Firefly helps by showing who made a change (via CloudTrail integration). Use this to ensure accountability: if someone did circumvent processes, you'll see it in Firefly and can follow up. Over time, if you find recurring violations by certain roles, that's a signal to tighten IAM permissions in the cloud.

The combination of cloud IAM and Firefly guardrails forms a belt-and-suspenders approach: Cloud IAM might prevent outright destructive actions, while Firefly guardrails catch things at the IaC level and policy level.

Governance Policy Enforcement

Use Firefly's Policies to enforce internal standards. For example, enforce that every resource must have an Owner tag. Firefly can't stop the creation of an untagged resource (that's where maybe cloud native tag policies or Service Control Policies come in), but Firefly will immediately flag it and you can respond.

Over time you can automate response – e.g., if a non-compliant resource appears, Firefly could trigger a workflow to tag it automatically or notify the responsible team to fix it. Firefly's ability to automate remediation with context-specific fixes is extremely useful here: it's one thing to know "this VM is open to the world," it's another for Firefly to provide the Terraform code to close it.

By integrating those fixes (with human review via PRs), you systematically improve your infrastructure. In governance meetings, you can use Firefly's compliance stats to show progress (say, "we improved from 70% to 90% adherence to encryption policy in Q1"). Also, map Firefly policies to regulatory requirements. If you have an audit, you can show evidence through Firefly that all resources are being monitored and X% are compliant with each control.

Disaster Recovery & Auditing

A sometimes overlooked part of governance is being prepared for disasters and auditing changes. Firefly assists in DR by enabling independent backups of IaC state and configurations. Because Firefly codifies everything, even if your primary Terraform state is lost, Firefly has an inventory of resources and can regenerate the code.

Consider setting up a Firefly workflow to periodically export all configurations (or rely on Firefly's internal backup of state snapshots). This can act as a safety net. For auditing, Firefly's event logs and mutation logs are gold. When an auditor asks "who changed this security group setting and when?", you can go to that asset's Mutation Log in Firefly and provide the evidence. Firefly essentially centralizes audit data across clouds.

Summary

In summary, for cloud governance, Firefly gives you visibility into your entire cloud footprint and the tools to enforce how it's managed. By adopting a practice of codifying everything, reviewing drifts daily, using guardrails to prevent bad changes, and leveraging policies for compliance, you create a robust governance framework.

This framework is largely automated – which means consistency without having to manually police everything. As one case study noted, companies using Firefly saw dramatically improved control, for example an 83% reduction in cloud resource sprawl by bringing all assets under governance. The combination of visibility and automation is key: you can't govern what you don't see – Firefly lets you see it, and then govern it through code and policy.

PreviousIntegrating MCPNextCost Optimization Strategies

Last updated 10 days ago

Was this helpful?