Guardrails
Guardrails enforce policies and best practices within your IaC workspaces. By establishing specific rules, they ensure your deployments adhere to organizational standards, preventing non-compliant changes from being applied. Guardrails block deployments that violate these rules, maintaining the integrity and security of your cloud infrastructure.
The following table outlines the rule types available to enforce policies in your Workspaces, with the function of each and an example:

Rule type | Function | Example |
---|---|---|
Cost | Manage and control cloud costs by setting limits on cost changes. Monitor cost changes and block deployments that exceed the specified amount or percentage. | A cost rule can be set to block any deployment that results in a cost increase of more than $100. If a proposed change exceeds this limit, the deployment is blocked. |
Policy | Ensure adherence to predefined guidelines. Verify violations within the specified scope and prevent deployments that do not meet organizational standards. | Ensure resources have encryption enabled. If a deployment attempts to create a resource without encryption, the Guardrail blocks the deployment. |
Resource | Control modifications to cloud resources. Block actions such as creating, deleting, or modifying resources based on asset type, region, or specific resource address. | A resource rule can prevent the creation of resources in a specific region. If a deployment attempts to create resources in an excluded region, such as us-west-2, the Guardrail blocks the change to enforce regional compliance policies. |
Tag | Ensure all resources have tags and/or specific tag names to enforce consistent tagging standards. Block deployments with non-compliant resources. | A tag rule can block any deployment where resources are missing required tags. For example, if a resource lacks the Environment tag, the deployment is blocked to ensure compliance with tagging policies. |
To create a Guardrail:

1. Select Workflows > Guardrails > + Add New.
2. Select the Rule Type.
3. Enter the Rule Name.
4. Define the scope of your Guardrail by specifying the relevant Workspaces, Repositories, Branches, and Labels.
    - Use wildcards (*) to match patterns.
    - Leave fields blank to apply to all by default.
5. Under Criteria, configure the rule according to its type:
    - For Cost rules: specify the amount that, if exceeded by the cost change, triggers this Guardrail. Select either an exact amount or a percentage, then define the cost change limit in the field.
    - For Policy rules: select the policies to which this Guardrail applies (leave blank to apply to all policies), select any policies to exclude from this Guardrail (leave blank if there are no exclusions), and select the minimum severity level this Guardrail enforces.
    - For Resource rules: this rule blocks actions such as creation, deletion, or modification of resources based on asset type, region, or specific resource address. Use the fields to define which resource modifications are blocked.
    - For Tag rules: select whether to block deployments if resources are missing any tags (tag missing entirely) or a specific tag name (specific tag missing). If you selected specific tag missing, specify the required tags; use wildcards (*) to match patterns.
6. Select the notification destination (e.g., Slack, email, PagerDuty) from the available options. Once a destination is selected, the system automatically sends alerts to the specified channels whenever the Guardrail rule is violated.
When a deployment violates one or more Guardrails, it stops at the Guardrails Step. Firefly displays the specific violations that caused the deployment to be blocked, along with detailed feedback on what must be corrected to proceed. You can also see which Guardrail rules were checked and passed, giving a complete view of the deployment's compliance status.
If a deployment is blocked by Guardrail violations, a comment detailing all violations is automatically added to the associated PR, so the team is immediately informed of the issues that must be addressed before the deployment can be approved.
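To make the rule semantics in the procedure above concrete, and to show the kind of violation list a blocked deployment reports, here is an added example evaluator. It is not Firefly's code and does not use its API: it assumes a hypothetical plan shape (a workspace name, before/after cost figures, and per-resource action, region and tags), mirrors the cost, resource and tag criteria described above (exact amount or percentage thresholds, blank fields matching everything, wildcards via shell-style patterns), and renders the result as a PR-style comment. The sample plan and rules are constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed sample plan (hypothetical shape, not Firefly's data model): per-resource
# action, region and tags, plus the estimated monthly cost before and after the change.
SAMPLE_PLAN = {
    "workspace": "Development",
    "cost_before": 400.0,
    "cost_after": 560.0,
    "resources": [
        {"address": "aws_instance.web", "type": "aws_instance", "action": "create",
         "region": "us-east-1", "tags": {"Environment": "dev", "Owner": "team-a"}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "action": "create",
         "region": "us-west-2", "tags": {"Owner": "team-a"}},
    ],
}


def _match_any(value, patterns):
    """A blank (empty) pattern list matches everything, as a blank scope field does."""
    return not patterns or any(fnmatch.fnmatchcase(value, p) for p in patterns)


@dataclass
class Rule:
    name: str
    rule_type: str                                   # "cost", "resource" or "tag"
    workspaces: list = field(default_factory=list)   # scope patterns; blank means all
    criteria: dict = field(default_factory=dict)


def check_cost(rule, plan):
    """Flag a cost change above the limit, as an exact amount or a percentage of the old cost."""
    delta = plan["cost_after"] - plan["cost_before"]
    limit, mode = rule.criteria["limit"], rule.criteria.get("mode", "amount")
    if mode == "percent":
        base = plan["cost_before"]
        increase = delta / base * 100 if base else (float("inf") if delta > 0 else 0.0)
        shown, cap = f"{increase:.1f}%", f"{limit}%"
    else:
        increase, shown, cap = delta, f"${delta:.2f}", f"${limit}"
    return [f"cost change of {shown} exceeds the limit of {cap}"] if increase > limit else []


def check_resource(rule, plan):
    """Flag resources whose action, asset type, region and address all match the rule."""
    c = rule.criteria
    return [
        f"{r['action']} of {r['address']} in {r['region']} is blocked"
        for r in plan["resources"]
        if r["action"] in c.get("actions", ["create", "update", "delete"])
        and _match_any(r["type"], c.get("asset_types", []))
        and _match_any(r["region"], c.get("regions", []))
        and _match_any(r["address"], c.get("addresses", []))
    ]


def check_tag(rule, plan):
    """Flag untagged resources, or resources lacking a tag key matching each required pattern."""
    c, found = rule.criteria, []
    for r in plan["resources"]:
        if c.get("mode") == "missing_any":
            if not r["tags"]:
                found.append(f"{r['address']} has no tags")
            continue
        for pattern in c.get("required", []):
            if not any(fnmatch.fnmatchcase(key, pattern) for key in r["tags"]):
                found.append(f"{r['address']} is missing required tag {pattern}")
    return found


CHECKS = {"cost": check_cost, "resource": check_resource, "tag": check_tag}


def evaluate(rules, plan):
    """Apply every in-scope rule; any violation blocks the deployment, passed rules are listed too."""
    violations, passed = [], []
    for rule in rules:
        if not _match_any(plan["workspace"], rule.workspaces):
            continue  # out of scope: neither checked nor reported
        messages = CHECKS[rule.rule_type](rule, plan)
        if messages:
            violations.append((rule.name, messages))
        else:
            passed.append(rule.name)
    return {"blocked": bool(violations), "violations": violations, "passed": passed}


def pr_comment(result):
    """Render the result as the kind of comment a blocked PR receives."""
    if not result["blocked"]:
        return "All guardrails passed."
    lines = ["Deployment blocked by guardrail violations:"]
    for name, messages in result["violations"]:
        lines.append(f"- {name}")
        lines.extend(f"  - {m}" for m in messages)
    if result["passed"]:
        lines.append("Passed: " + ", ".join(result["passed"]))
    return "\n".join(lines)


# Constructed rules mirroring the page's examples (values are illustrative).
SAMPLE_RULES = [
    Rule("Limit cost increases", "cost", ["Development"], {"mode": "amount", "limit": 100}),
    Rule("Disallow resources in us-west-2", "resource", [], {"actions": ["create"], "regions": ["us-west-2"]}),
    Rule("Ensure environment tag", "tag", [], {"mode": "specific", "required": ["Environment"]}),
    Rule("Require some tags", "tag", [], {"mode": "missing_any"}),
    Rule("Production cost cap", "cost", ["Prod*"], {"mode": "percent", "limit": 10}),
]

if __name__ == "__main__":
    print(pr_comment(evaluate(SAMPLE_RULES, SAMPLE_PLAN)))
```

Running the block blocks the sample deployment on three rules (the $160 increase, the bucket created in us-west-2, and the bucket missing its Environment tag), lists "Require some tags" as passed, and skips "Production cost cap" entirely because the Development workspace is outside its scope. The design point worth noticing is that a blank field widens a rule rather than disabling it, which is why scope and criteria should be reviewed together before a Guardrail is saved.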
Example Guardrails:

Type of Guardrail | Rule Name | Scope | Criteria |
---|---|---|---|
Cost | Limit cost increases | Specific workspace (e.g., Development) | Block any deployment with a cost increase over $100 |
Policy | Encrypt all resources | All workspaces | Enforce encryption policy on all resources |
Resource | Disallow resources in us-west-2 | All workspaces except specific workspace (e.g., Development) | Block the creation of resources in the us-west-2 region. This ensures that resources are not deployed in a restricted region, maintaining compliance with regional policies or avoiding certain geographic restrictions. |
Tag | Ensure environment tag | All workspaces | Block deployments where resources are missing the Environment tag, ensuring all resources are properly tagged for easier management and compliance. |

The following filters offer various options to help you manage and navigate your Guardrails effectively:

Filter | Description |
---|---|
Creator | Filter Guardrails by the creator |
Type | Filter Guardrails by rule type (Policy, Cost, or Resource) |
Label | Filter Guardrails that apply to the label |
Repository | Filter Guardrails that apply to the repository |
Workspace | Filter Guardrails that apply to the workspace |