Ignore resources for drift

The .snyk policy file can be used to exclude resources from being considered IaC drift by snyk iac describe. See the .snyk policy file doc for general information.

If you need to exclude only a set of resources, use .snyk. If you have more complex requirements, consider using filter rules. For more information see Filter rules.

Create the .snyk file in the directory where you launch the snyk iac describe command, typically the root of your IaC repo.

Each line must be structured as follows:

• resource_type.resource_id, where resource_id is a wildcard to exclude all resources of a given type

• resource_type.resource_id.path.to.field_name, where resource_id is a wildcard to ignore a drift on a given field for a given type and path, can also contain wildcards.

Examples of IaC ignores

Ignore a single IAM user (aws_iam_user) named "tfc-demo".

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    - aws_iam_user.tfc-demo

Ignore all S3 buckets drifts.

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    - aws_s3_bucket.*

The .snyk policy file also supports the negation of rules. This allows you to ignore everything except certain types. In this example, only S3 buckets will not be ignored:

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    - '*'
    - '!aws_s3_bucket'

Ignore a specific IAM Policy Attachment (AWSServiceRoleForRDS) using its ARN (arn:aws:iam::aws:policy/aws-service-role/AmazonRDSServiceRolePolicy).

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
    - aws_iam_policy_attachment.AWSServiceRoleForRDS-arn:aws:iam::aws:policy/aws-service-role/AmazonRDSServiceRolePolicy

Ignore the S3 bucket called my-bucket and so on, as shown.

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
exclude:
  iac-drift:
      # Will ignore S3 bucket called my-bucket
    - aws_s3_bucket.my-bucket
      # Will ignore every aws_instance resource
    - aws_instance.*
      # Will ignore environment for all lambda functions
    - aws_lambda_function.*.environment
      # Will ignore resources like aws_iam_role.AmazonSSMRoleForInstances and aws_iam_role.AWSServiceRoleForAmazonSSM
    - *role.*Amazon*
      # Will ignore lastModified for my-lambda-name lambda function
    - aws_lambda_function.my-lambda-name.last_modified

Precedence over filter rules​

You can use the means to ignore resources explained on this page in combination with filter rules.

Note: If the same resource is included by a filter rule and excluded inside the .snyk file, snyk iac describe ignores this resource.

Automatically generate drift exclusion rules​

For details, runsnyk iac update-exclude-policy --help.

This command helps to generate a .snyk policy file, adding all the detected drifts to it in order to ignore them all.

For example, to ignore all the unmanaged resources at once, run the following command:

$ snyk iac describe --json | snyk iac update-exclude-policy