Skip to content

Latest commit

 

History

History
100 lines (76 loc) · 3.88 KB

ignore-resources-for-drift.md

File metadata and controls

100 lines (76 loc) · 3.88 KB
Raw

Ignore resources for drift

The .snyk policy file can be used to exclude resources from being considered IaC drift by snyk iac describe. See the .snyk policy file doc for general information.

If you need to exclude only a set of resources, use .snyk. If you have more complex requirements, consider using filter rules. For more information see Filter rules.

Create the .snyk file in the directory where you launch the snyk iac describe command, typically the root of your IaC repo.

Each line must be structured as follows:

  • resource_type.resource_id, where resource_id is a wildcard to exclude all resources of a given type
  • resource_type.resource_id.path.to.field_name, where resource_id is a wildcard to ignore a drift on a given field for a given type and path, can also contain wildcards.

Examples of IaC ignores

Ignore a single IAM user (aws_iam_user) named "tfc-demo".

{% code title=".snyk" %}

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    - aws_iam_user.tfc-demo

{% endcode %}

Ignore all S3 buckets drifts.

{% code title=".snyk" %}

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    - aws_s3_bucket.*

{% endcode %}

The .snyk policy file also supports the negation of rules. This allows you to ignore everything except certain types. In this example, only S3 buckets will not be ignored:

{% code title=".snyk" %}

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    - '*'
    - '!aws_s3_bucket'

{% endcode %}

Ignore a specific IAM Policy Attachment (AWSServiceRoleForRDS) using its ARN (arn:aws:iam::aws:policy/aws-service-role/AmazonRDSServiceRolePolicy).

{% code title=".snyk" %}

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    - aws_iam_policy_attachment.AWSServiceRoleForRDS-arn:aws:iam::aws:policy/aws-service-role/AmazonRDSServiceRolePolicy

{% endcode %}

Ignore the S3 bucket called my-bucket and so on, as shown.

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
      # Will ignore S3 bucket called my-bucket
    - aws_s3_bucket.my-bucket
      # Will ignore every aws_instance resource
    - aws_instance.*
      # Will ignore environment for all lambda functions
    - aws_lambda_function.*.environment
      # Will ignore resources like aws_iam_role.AmazonSSMRoleForInstances and aws_iam_role.AWSServiceRoleForAmazonSSM
    - *role.*Amazon*
      # Will ignore lastModified for my-lambda-name lambda function
    - aws_lambda_function.my-lambda-name.last_modified

Precedence over filter rules

You can use the means to ignore resources explained on this page in combination with filter rules.

Note: If the same resource is included by a filter rule and excluded inside the .snyk file, snyk iac describe ignores this resource.

Automatically generate drift exclusion rules

For details, runsnyk iac update-exclude-policy --help.

This command helps to generate a .snyk policy file, adding all the detected drifts to it in order to ignore them all.

For example, to ignore all the unmanaged resources at once, run the following command:

$ snyk iac describe --json | snyk iac update-exclude-policy