Ignore resources
The .snyk policy file can be used to exclude resources from being considered IaC drift by snyk iac describe. See the .snyk policy file doc for more general information.
If you need only to exclude a set of resources, use .snyk. If you have more complex requirements, consider using filter rules. For more information see Filter results.
Create the .snyk file in the directory where you launch the snyk iac describe command, typically the root of your IaC repo.
Each line must be structured as follows:
  • resource_type.resource_id, where resource_id can be the wildcard * to exclude all resources of the given type
  • resource_type.resource_id.path.to.field_name, where resource_id can be the wildcard * to ignore drift on the given field for all resources of that type; path can also contain wildcards.

Examples

Ignore a single IAM user (aws_iam_user) named "tfc-demo".
.snyk
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    - aws_iam_user.tfc-demo
Ignore all S3 bucket drifts.
.snyk
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    - aws_s3_bucket.*
The .snyk policy file also supports negation of rules. This allows you to ignore everything except certain types. In this example, only S3 buckets will not be ignored:
.snyk
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    - '*'
    - '!aws_s3_bucket'
Ignore a specific IAM Policy Attachment (AWSServiceRoleForRDS) using its ARN (arn:aws:iam::aws:policy/aws-service-role/AmazonRDSServiceRolePolicy).
.snyk
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    - aws_iam_policy_attachment.AWSServiceRoleForRDS-arn:aws:iam::aws:policy/aws-service-role/AmazonRDSServiceRolePolicy
Ignore the S3 bucket called my-bucket, together with the further rules shown.
.snyk
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    # Will ignore S3 bucket called my-bucket
    - aws_s3_bucket.my-bucket
    # Will ignore every aws_instance resource
    - aws_instance.*
    # Will ignore environment for all lambda functions
    - aws_lambda_function.*.environment
    # Will ignore resources like aws_iam_role.AmazonSSMRoleForInstances and aws_iam_role.AWSServiceRoleForAmazonSSM
    # (quoted, because an unquoted value starting with * is read as a YAML alias)
    - '*role.*Amazon*'
    # Will ignore last_modified for the my-lambda-name lambda function
    - aws_lambda_function.my-lambda-name.last_modified
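To check how a set of iac-drift rules will combine before running snyk iac describe, here is an added dry-run helper (example code written for this page, not part of the Snyk CLI). It assumes glob-style matching against the full type.id[.path] string and against the bare resource type, with rules applied in file order and a leading ! clearing an earlier match; the policy text and resource names are constructed for the example.

```python
import fnmatch
from typing import Dict, List

# Constructed .snyk excerpt combining the patterns shown above (not a real repo's file).
# The '*role' pattern is quoted because a bare leading '*' is a YAML alias.
SNYK_POLICY = """\
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    - aws_s3_bucket.my-bucket
    - aws_instance.*
    - aws_lambda_function.*.environment
    - '*role.*Amazon*'
    - '!aws_iam_role.AmazonSSMRoleForInstances'
"""

def parse_iac_drift_rules(policy_text: str) -> List[str]:
    """Minimal extractor for the iac-drift list, returning patterns in file order.
    Assumption: the list is a flat sequence of '- pattern' lines, quoted or not."""
    rules, in_list = [], False
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("iac-drift:"):
            in_list = True
            continue
        if in_list and line.startswith("- "):
            rules.append(line[2:].strip().strip("'\""))
        elif in_list:
            break                                 # next top-level key: list is over
    return rules

def is_ignored(resource: str, rules: List[str]) -> bool:
    """Assumed semantics: a matching rule sets ignored, a matching '!' rule clears it.
    Testing the bare type too lets '!aws_s3_bucket' exempt every bucket."""
    rtype = resource.split(".", 1)[0]
    ignored = False
    for rule in rules:
        negate = rule.startswith("!")
        pattern = rule[1:] if negate else rule
        if fnmatch.fnmatchcase(resource, pattern) or fnmatch.fnmatchcase(rtype, pattern):
            ignored = not negate
    return ignored

def dry_run(resources: List[str], policy_text: str = SNYK_POLICY) -> Dict[str, bool]:
    """Map each drifted resource id to whether the policy would ignore it."""
    rules = parse_iac_drift_rules(policy_text)
    return {r: is_ignored(r, rules) for r in resources}
```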

Precedence over filter rules

You can combine the .snyk exclusions explained on this page with filter rules.
Note: If the same resource is included by a filter rule and excluded inside the .snyk file, snyk iac describe ignores this resource.

Automatically generate drift exclusion rules

For details, see snyk iac update-exclude-policy --help.
This command generates a .snyk policy file listing all the detected drifts, so that all of them are ignored.
For example, to ignore all the unmanaged resources at once:
$ snyk iac describe --json --only-unmanaged | snyk iac update-exclude-policy