Guardrails enforce policies and best practices within your IaC workspaces. By establishing specific rules, they ensure your deployments adhere to organizational standards, preventing non-compliant changes from being applied. Guardrails block deployments that violate these rules, maintaining the integrity and security of your cloud infrastructure.

Rule types

There are three types of rules to enforce policies in your Workspaces. The following table outlines the different types and their functions:

Rule typeFunctionExample


Ensures adherence to predefined guidelines. Verify violations within the specified scope and prevent deployments that do not meet organizational standards.

Ensure resources have encryption enabled. If a deployment attempts to create a resource without encryption, the Guardrail blocks the deployment.


Manage and control cloud costs by setting limits on cost changes. Monitor cost changes and block deployments that exceed the specified amount or percentage.

A cost rule can be set to block any deployment that results in a cost increase of more than $100. If a proposed change exceeds this limit, the deployment is blocked.


Control modifications to cloud resources. Block actions such as creating, deleting, or modifying resources based on asset type, region, or specific resource address.

A resource rule can prevent the creation of resources in a specific region. If a deployment attempts to create resources in an excluded region, such as us-west-2, the Guardrail blocks the change to enforce regional compliance policies.

Creating a new Guardrail


  1. Select Workflows > Guardrails > + Add New.

  2. Select the Rule Type.

  3. Enter the Rule Name.

  4. Define the scope of your Guardrail by specifying the relevant Workspaces, Repositories, Branches, and Labels.

    • Use wildcards (*) to match patterns.

    • Leave fields blank to apply to all by default.

For Policy rules, under Criteria:

  1. Select the policies to which this Guardrail applies. Leave blank to apply to all policies.

  2. Select any policies to exclude from this Guardrail. Leave blank if there are no exclusions.

  3. Select the minimum severity level this Guardrail enforces.

For Cost rules, under Criteria:

  1. Specify the amount that, if exceeded by cost change, triggers this Guardrail. Select either an exact amount or a percentage.

  2. In the field, define the cost change limit.

For Resource rules, under Criteria:

This rule allows you to block actions such as creation, deletion, or modification of resources based on asset type, region, or specific resource address. Use the fields to define the scope of actions to block resource modifications.

Examples of Guardrail rules

Type of GuardrailRule NameScopeCriteria


Encrypt all resources

All workspaces

Enforce encryption policy on all resources


Limit cost increases

Specific workspace (e.g., Development)

Block any deployment with a cost increase over $100


Disallow Resources in us-west-2

All workspaces except specific workspace (e.g., Development)

Block the creation of resources in the us-west-2 region. This ensures that resources are not deployed in a restricted region, maintaining compliance with regional policies or avoiding certain geographic restrictions.

Additional features and functionalities

Block Step

When a deployment violates one or more Guardrails, it reaches the Block Step. In the Firefly platform, you will see a list of specific violations that caused the deployment to be blocked. This provides detailed feedback on what needs to be corrected to proceed with the deployment.

Pull Request (PR) Comment

If a deployment is blocked due to Guardrail violations, a comment detailing all violations will automatically be added to the associated PR. This ensures that the team is immediately informed about the issues that need to be addressed before the deployment can be approved.


The following filters offer various options to help you manage and navigate your Guardrails effectively:



Filter Guardrails by the creator


Filter Guardrails by rule type (Policy, Cost, or Resource)


Filter Guardrails that apply to the label


Filter Guardrails that apply to the repository


Filter Guardrails that apply to the workspace

Last updated