Firefly Documentation Portal
Guardrails

Guardrails enforce policies and best practices within your IaC workspaces. By establishing specific rules, they ensure your deployments adhere to organizational standards, preventing non-compliant changes from being applied. Guardrails block deployments that violate these rules, maintaining the integrity and security of your cloud infrastructure.

Rule types

There are four types of rules to enforce policies in your Workspaces. The following table outlines the different types and their functions:

Rule type: Cost
Function: Manage and control cloud costs by setting limits on cost changes. Monitor cost changes and block deployments that exceed the specified amount or percentage.
Example: A cost rule can be set to block any deployment that results in a cost increase of more than $100. If a proposed change exceeds this limit, the deployment is blocked.

Rule type: Policy
Function: Ensures adherence to predefined guidelines. Verify violations within the specified scope and prevent deployments that do not meet organizational standards.
Example: Ensure resources have encryption enabled. If a deployment attempts to create a resource without encryption, the Guardrail blocks the deployment.

Rule type: Resource
Function: Control modifications to cloud resources. Block actions such as creating, deleting, or modifying resources based on asset type, region, or specific resource address.
Example: A resource rule can prevent the creation of resources in a specific region. If a deployment attempts to create resources in an excluded region, such as us-west-2, the Guardrail blocks the change to enforce regional compliance policies.

Rule type: Tag
Function: Ensure all resources have tags, specific tag names, and approved tag values to enforce consistent tagging standards. Block deployments with non-compliant resources.
Example: A tag rule can block any deployment where resources are missing required tags or using unauthorized values. For example, if a resource lacks the Environment tag or uses a value outside the approved list (like "prod", "stage", "dev"), the deployment is blocked to ensure compliance with tagging policies.

Creating a new Guardrail

Procedure

  1. Select Workflows > Guardrails > + Add New.

  2. Select the Rule Type.

  3. Enter the Rule Name.

  4. Under Violation Behavior, choose one of the following options:

    • Strict Block: Prevents any override.

    • Flexible Block: Allows authorized users to override violations.

  5. Define the scope of your Guardrail by specifying the relevant Workspaces, Repositories, Branches, and Labels.

    • Use wildcards (*) to match patterns.

    • Leave fields blank to apply to all by default.

For Cost rules, under Criteria:

  1. Specify the amount that, if exceeded by cost change, triggers this Guardrail. Select either an exact amount or a percentage.

  2. In the field, define the cost change limit.

For Policy rules, under Criteria:

  1. Select the policies to which this Guardrail applies. Leave blank to apply to all policies.

  2. Select any policies to exclude from this Guardrail. Leave blank if there are no exclusions.

  3. Select the minimum severity level this Guardrail enforces.

For Resource rules, under Criteria:

This rule allows you to block actions such as creation, deletion, or modification of resources based on asset type, region, or specific resource address. Use the fields to define which actions to block and the asset types, regions, or resource addresses they apply to.

For Tag rules, under Criteria:

  • Select whether to block deployments when resources have no tags at all (tag missing entirely) or when a specific tag name is absent (specific tag missing).

  • If you selected specific tag missing, specify the required tags. Use wildcards (*) to match patterns.

Adding Notifications

Select the notification destination (e.g., Slack, email, PagerDuty) from the available options. After you select the notification destination, the system automatically sends alerts to the specified channels whenever the guardrail rule is violated.

Examples of Guardrail rules

Type of Guardrail: Cost
Rule Name: Limit cost increases
Scope: Specific workspace (e.g., Development)
Criteria: Block any deployment with a cost increase over $100

Type of Guardrail: Policy
Rule Name: Encrypt all resources
Scope: All workspaces
Criteria: Enforce encryption policy on all resources

Type of Guardrail: Resource
Rule Name: Disallow resources in us-west-2
Scope: All workspaces except specific workspace (e.g., Development)
Criteria: Block the creation of resources in the us-west-2 region. This ensures that resources are not deployed in a restricted region, maintaining compliance with regional policies or avoiding certain geographic restrictions.

Type of Guardrail: Tag
Rule Name: Ensure environment tag
Scope: All workspaces
Criteria: Block deployments where resources are missing the Environment tag, ensuring all resources are properly tagged for easier management and compliance.

Guardrails Override Controls

Guardrails Override Controls provide flexibility in managing policy violations while ensuring compliance and security during IaC deployments. When a Guardrail violation occurs, authorized users can override specific violations to proceed with the deployment under controlled conditions.

Guardrails Violation Behavior

Guardrails enforce policies by evaluating deployments against predefined rules. If a violation is detected, the deployment is blocked based on the configured violation behavior:

  • Strict Block: Deployments are automatically blocked when a violation occurs, with no option to override.

  • Flexible Block: Deployments are blocked, but authorized users have the option to override specific violations and continue the deployment.

Overriding Guardrail Violations

When a Guardrail set to Flexible Block is violated during a deployment, authorized users can take the following actions:

Override Types

  1. One-time Override

    • Grants an exception for a single pipeline run.

    • The violation will still be enforced in future deployments unless overridden again.

  2. Permanent Override

    • Exempts the violation from enforcement in future deployments.

    • The exception remains in place unless manually revoked or the Guardrail is modified.

Re-running the Pipeline After an Override

After applying an override, users can choose to rerun the pipeline to continue the deployment. This ensures that the pipeline progresses without needing to trigger a new deployment manually.

Applying an Override

  1. When a deployment is blocked due to a Guardrail violation, it appears in the Guardrails Step, in the PR as a comment, and in a notification if set.

  2. Review the list of violations and the associated Guardrail rules.

  3. If the Guardrail is set to Flexible Block, authorized users will see an Override option.

  4. Choose the appropriate override action:

    • One-time Override (valid for the current pipeline run only).

    • Permanent Override (exempts the violation from future enforcement).

  5. (Optional) Select Rerun Pipeline to resume deployment immediately after applying the override.

  6. Confirm the override action.
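To make the rule types, the scope and criteria from the examples table, and the Strict/Flexible Block and override semantics concrete, here is an added, self-contained model of the evaluation flow. It is illustrative code written for this page, not Firefly's implementation: the plan summary, the Guardrail/Violation/OverrideStore names, the criteria keys and the run ids are all constructed assumptions, and the cost and policy findings are assumed to have been computed before the Guardrails step runs.

```python
# Added illustrative model of Guardrail evaluation and overrides (not Firefly code).
# All names, the plan structure and the criteria keys below are assumptions.
from dataclasses import dataclass, field
from fnmatch import fnmatch

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed plan summary: what a Terraform/OpenTofu plan might reduce to after
# cost estimation and policy scanning. Not output from any real tool.
PLAN = {
    "workspace": "Development",
    "cost_before": 1000.0,   # USD/month before the change (constructed)
    "cost_delta": 125.0,     # USD/month increase introduced by the change (constructed)
    "resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "region": "us-east-1",
         "action": "create", "tags": {"Environment": "dev"},
         "findings": [{"policy": "s3-encryption", "severity": "high"}]},
        {"address": "aws_instance.web", "type": "aws_instance", "region": "us-west-2",
         "action": "create", "tags": {"Team": "web"}, "findings": []},
    ],
}


@dataclass
class Guardrail:
    name: str
    rule_type: str                # "cost" | "policy" | "resource" | "tag"
    behavior: str = "flexible"    # "strict" = Strict Block, "flexible" = Flexible Block
    workspaces: list = field(default_factory=list)          # [] = all; "*" wildcards allowed
    exclude_workspaces: list = field(default_factory=list)
    criteria: dict = field(default_factory=dict)

    def in_scope(self, workspace):
        if any(fnmatch(workspace, p) for p in self.exclude_workspaces):
            return False
        return not self.workspaces or any(fnmatch(workspace, p) for p in self.workspaces)


@dataclass(frozen=True)
class Violation:
    guardrail: str
    subject: str    # resource address, or "plan" for plan-wide rules such as cost
    reason: str


def evaluate(plan, guardrails):
    """Every violation in the plan, before any override is considered."""
    out = []
    for g in guardrails:
        if not g.in_scope(plan["workspace"]):
            continue
        c = g.criteria
        if g.rule_type == "cost":
            # The limit is either an exact amount or a percentage of the current cost.
            limit = c["amount"] if "amount" in c else plan["cost_before"] * c["percentage"] / 100
            if plan["cost_delta"] > limit:
                out.append(Violation(g.name, "plan", f"cost increase {plan['cost_delta']:.2f} exceeds {limit:.2f}"))
            continue
        for r in plan["resources"]:
            if g.rule_type == "policy":
                for f in r["findings"]:
                    selected = not c.get("policies") or f["policy"] in c["policies"]
                    excluded = f["policy"] in c.get("exclude", [])
                    severe = SEVERITY[f["severity"]] >= SEVERITY[c.get("min_severity", "low")]
                    if selected and not excluded and severe:
                        out.append(Violation(g.name, r["address"], f"{f['policy']} ({f['severity']})"))
            elif g.rule_type == "resource":
                matched = (r["region"] in c.get("regions", []) or r["type"] in c.get("types", [])
                           or any(fnmatch(r["address"], a) for a in c.get("addresses", [])))
                if matched and r["action"] in c.get("actions", ["create", "update", "delete"]):
                    out.append(Violation(g.name, r["address"], f"{r['action']} in {r['region']} is blocked"))
            elif g.rule_type == "tag":
                # required=["*"] means "at least one tag"; tag names may use wildcards.
                for t in c.get("required", ["*"]):
                    if not any(fnmatch(k, t) for k in r["tags"]):
                        out.append(Violation(g.name, r["address"], f"missing tag {t}"))
                for k, allowed in c.get("allowed", {}).items():
                    if k in r["tags"] and r["tags"][k] not in allowed:
                        out.append(Violation(g.name, r["address"], f"tag {k}={r['tags'][k]!r} not approved"))
    return out


class OverrideStore:
    """One-time overrides live only for one run id; permanent ones persist until revoked."""
    def __init__(self):
        self.permanent = set()
        self.one_time = {}   # run_id -> set of Violation

    def apply(self, violation, guardrail, run_id, permanent=False):
        if guardrail.behavior == "strict":
            return False     # Strict Block: no override option is offered
        (self.permanent if permanent else self.one_time.setdefault(run_id, set())).add(violation)
        return True

    def revoke(self, violation):
        self.permanent.discard(violation)

    def covers(self, violation, run_id):
        return violation in self.permanent or violation in self.one_time.get(run_id, set())


def gate(plan, guardrails, store, run_id):
    """(blocked, remaining): deployment stays blocked while any un-overridden violation remains."""
    remaining = [v for v in evaluate(plan, guardrails) if not store.covers(v, run_id)]
    return bool(remaining), remaining


# Guardrails mirroring the examples table (constructed to match its rows).
GUARDRAILS = [
    Guardrail("Limit cost increases", "cost", workspaces=["Development"], criteria={"amount": 100}),
    Guardrail("Encrypt all resources", "policy", behavior="strict",
              criteria={"policies": ["s3-encryption"], "min_severity": "medium"}),
    Guardrail("Disallow resources in us-west-2", "resource", exclude_workspaces=["Development"],
              criteria={"regions": ["us-west-2"], "actions": ["create"]}),
    Guardrail("Ensure environment tag", "tag",
              criteria={"required": ["Environment"], "allowed": {"Environment": ["prod", "stage", "dev"]}}),
]

if __name__ == "__main__":
    for v in gate(PLAN, GUARDRAILS, OverrideStore(), "run-1")[1]:
        print(f"[{v.guardrail}] {v.subject}: {v.reason}")
```

Running it against the constructed plan reports three violations: the cost increase, the unencrypted bucket, and the instance without an Environment tag; the us-west-2 rule does not fire because the Development workspace is excluded from its scope. A one-time override disappears as soon as the run id changes, a permanent override stays until revoked, and the strict policy rule refuses any override, which is the distinction the Violation Behavior section draws.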

Tracking and Notifications for Overrides

When an override is applied, it is visible in multiple locations:

  • Guardrails Step: Displays overridden violations and their status.

  • Pull Request (PR) Comments: If a deployment is linked to a PR, an automatic comment detailing the overridden violations is added.

Workspace Overridden Violations

The Workspace Overridden Violations pop-up lists all overridden violations. Users can review and delete existing overrides if necessary.

Override Notifications

If a Guardrail rule is configured with notifications, an event is triggered whenever a violation is overridden. This ensures visibility across teams through Slack, email, PagerDuty, or other configured channels.

Additional features and functionalities

Guardrails Step

When a deployment violates one or more Guardrails, it reaches the Guardrails Step, where Firefly displays the specific violations, checked and passed rules, and detailed feedback on necessary corrections. Users receive remediation guidance with suggested fixes to align deployments with organizational policies. If the Guardrail is set to Flexible Block, authorized users can apply a One-time or Permanent Override and choose to rerun the pipeline to proceed. This step ensures compliance while allowing flexibility for justified exceptions and efficient resolution of policy violations.

Using AI-Generated Guardrails Violations Remediation Suggestions

Use this tool when a Guardrail violation is detected in your Terraform/OpenTofu plan. When a violation occurs, a Tinkerbell icon appears next to the violation message. To view AI-generated remediation suggestions, including detailed explanations and proposed code changes, select the Tinkerbell icon.

Pull Request (PR) Comment

If a deployment is blocked due to Guardrail violations, a comment detailing all violations is automatically added to the associated PR. This ensures that the team is immediately informed about the issues that need to be addressed before the deployment can be approved.

Page Filters

The following filters offer various options to help you manage and navigate your Guardrails effectively:

Creator: Filter Guardrails by the creator

Type: Filter Guardrails by rule type (Policy, Cost, or Resource)

Label: Filter Guardrails that apply to the label

Repository: Filter Guardrails that apply to the repository

Workspace: Filter Guardrails that apply to the workspace


Last updated 1 month ago
