AWS
Amazon Web Services (AWS) integration can be set up using either CloudFormation or Terraform. This guide covers both methods and best practices for integrating your AWS account with Firefly.
Integration Methods
When integrating an AWS account, you have two primary methods: CloudFormation or Terraform.
Both methods create a cross-account IAM role with read-only access (security-audit permissions) to your resources. The integration may also set up Amazon SNS notifications on tfstate files for event-driven scanning.
Best Practices
Use a dedicated AWS account (or at least a separate, dedicated IAM role) for Firefly's access.
Grant only the minimum read permissions (Firefly's provided template covers what's needed); do not widen the role's policies beyond the template.
Monitor use of the Firefly integration role in AWS (for example, CloudTrail AssumeRole events for that role) to confirm it is assumed only by Firefly's principal and only with the expected external ID, and that it is not being reused elsewhere.
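As an added example that is not part of this page or Firefly's own tooling, the following Python script implements the last two practices as concrete checks: it inspects the cross-account role's trust policy (only the expected partner account may assume it, and only with the agreed sts:ExternalId) and reviews CloudTrail AssumeRole records for callers that do not match. The partner account ID, external ID, role ARN and the CloudTrail records are constructed placeholders, not real Firefly values; in practice you would feed it the AssumeRolePolicyDocument from `aws iam get-role` and the records from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole`.

```python
# Added example (not Firefly's code): audit the cross-account role that an
# integration partner assumes. Two checks:
#   1. the role's trust policy names only the expected partner account and
#      requires the agreed sts:ExternalId (confused-deputy protection);
#   2. every CloudTrail AssumeRole record for the role comes from that account
#      and presents that external ID.
# Account ID, external ID, role ARN and events below are constructed placeholders.
import json

EXPECTED_PARTNER_ACCOUNT = "111122223333"      # placeholder for the partner's AWS account
EXPECTED_EXTERNAL_ID = "example-external-id"   # placeholder for the role's external ID
ROLE_ARN = "arn:aws:iam::123456789012:role/firefly-integration"  # placeholder role in your account


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy):
    """Return a list of problems found in a role's trust (assume-role) policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*":
                findings.append("trust policy allows any AWS principal to assume the role")
            elif EXPECTED_PARTNER_ACCOUNT not in p:
                findings.append(f"unexpected principal in trust policy: {p}")
        condition = stmt.get("Condition", {})
        external_id = condition.get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("assume-role statement has no sts:ExternalId condition")
        elif external_id != EXPECTED_EXTERNAL_ID:
            findings.append(f"unexpected sts:ExternalId in trust policy: {external_id}")
    return findings


def assume_role_findings(events, role_arn):
    """Flag CloudTrail AssumeRole events on role_arn that come from an unexpected caller."""
    findings = []
    for event in events:
        if event.get("eventSource") != "sts.amazonaws.com" or event.get("eventName") != "AssumeRole":
            continue
        params = event.get("requestParameters") or {}
        if params.get("roleArn") != role_arn:
            continue  # assumption of some other role; not our concern here
        caller_account = event.get("userIdentity", {}).get("accountId")
        if caller_account != EXPECTED_PARTNER_ACCOUNT:
            findings.append(f"{event.get('eventTime')}: AssumeRole from unexpected account {caller_account}")
        if params.get("externalId") != EXPECTED_EXTERNAL_ID:
            findings.append(f"{event.get('eventTime')}: AssumeRole without the expected external ID")
    return findings


# Constructed trust policies: one as the template should produce, one missing the external-ID condition.
GOOD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}""")
WEAK_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Constructed CloudTrail records: a legitimate assumption, a rogue one, and an unrelated role.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"accountId": "111122223333"},
     "requestParameters": {"roleArn": ROLE_ARN, "externalId": "example-external-id"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"accountId": "999999999999"},
     "requestParameters": {"roleArn": ROLE_ARN}},
    {"eventTime": "2024-01-01T12:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"accountId": "123456789012"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ci-deploy"}},
]

if __name__ == "__main__":
    for name, policy in (("good trust policy", GOOD_TRUST_POLICY), ("weak trust policy", WEAK_TRUST_POLICY)):
        print(name, trust_policy_findings(policy) or "ok")
    for line in assume_role_findings(SAMPLE_EVENTS, ROLE_ARN):
        print(line)
```

The rogue record produces two findings (wrong caller account and no external ID); the event for the unrelated `ci-deploy` role is skipped, because the check is scoped to the integration role's ARN. Run the trust-policy check once after the stack or module is applied, and the CloudTrail check on a schedule.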
Integration Methods
Using Terraform
Prerequisites
Terraform v0.13 or later.
AWS CLI installed and configured.
IAM user or role with permissions to create the IAM role and policies that the module provisions.
Selected AWS region(s).
To verify prerequisites, run:
aws sts get-caller-identity && terraform version
This confirms which AWS identity the CLI is using and that Terraform is installed, without printing your credentials file to the terminal.
Setup Procedure
In Firefly, go to Settings > Integrations.
Select Add New > AWS > Terraform.
Enter a descriptive name in Integration Nickname field.
(Optional) Select Mark as Production if you want the integration to be flagged as production in Firefly.
Click Generate Terraform Snippet.
Copy the generated details into your Terraform code file.
Run:
terraform init
terraform plan
terraform apply
Select Done.
Additional setup instructions and information about the Firefly onboarding Terraform module are available in Firefly AWS Integration.
Using CloudFormation
Firefly offers two CloudFormation integration options:
Single Account Integration: Use CloudFormation to integrate individual AWS accounts.
AWS Organization Integration: Use CloudFormation StackSet to integrate multiple accounts across your AWS Organization.
Setup Procedure
Log in to AWS with permissions for CloudFormation and IAM.
Copy your AWS account ID from the AWS console.
In Firefly, go to Settings > Integrations.
Select Add New > AWS.
Select Single Account Integration CloudFormation or AWS Organization CloudFormation.
Paste your AWS account ID.
Select Launch Stack.
Event-Driven Integration
Event-driven mode ensures near real-time updates of your assets in the inventory. To use this feature:
Enable CloudTrail in your AWS account (you can check that an existing trail covers the regions you intend to scan with aws cloudtrail describe-trails).
Select Enable IaC Auto-Discovery to scan for new Terraform state files.
Upgrading to Event-Driven Mode
For Terraform Integrations
Add these lines to your module call and run terraform apply:
is_event_driven = true
exist_integration = true
For CloudFormation Integrations
Generate Firefly access and secret key (Settings > Users > Create key pair).
Copy the external ID of the Firefly IAM role from AWS console.
Use the same integration nickname as in Firefly.
Apply the following code (keep the key pair out of version control, for example by passing it through Terraform variables rather than hard-coding it):
module "firefly" {
  source               = "github.com/gofireflyio/terraform-firefly-aws-onboarding"
  firefly_access_key   = "YOUR_ACCESS_KEY"
  firefly_secret_key   = "YOUR_SECRET_KEY"
  role_external_id     = "YOUR_EXTERNAL_ID"
  is_prod              = false # set to true if the integration is marked as production
  is_event_driven      = true
  event_driven_regions = ["us-east-1", "us-east-2"] # choose the relevant regions
}
AWS Discovery Status
To scan your integration for changes:
Go to Settings > Integrations > AWS.
Find the integration you want to scan.
For asset changes, on the integration menu, select Scan Assets.
For IaC stack changes, on the integration menu, select Scan Stacks.
View changes in the Inventory and/or IaC Explorer after several minutes.