Version: 0.10.0

Filter Rules

info

Filter rules can be used not only to scan resources, but also to ignore resources.

You can indeed use both inclusion and exclusion logics.

Filter rules allow you to build complex expression to include and exclude a set of resources in your workflow. Powered by expression language JMESPath you could build a complex include and exclude expression.

Filter rules could be passed to scan cmd with --filter flag. You could also use the environment variable DCTL_FILTER. Filter rules syntax in use is actually JMESPath.

Filter are applied on a normalized struct which contains the following fields:

  • Type: Type of the resource, e.g. aws_s3_bucket
  • Id: Id of the resource, e.g. my-bucket-name
  • Attr: Contains every resource attributes (check pkg/resource/aws/aws_s3_bucket.go for a full list of supported attributes of a bucket)

Examples#

# Will include only S3 bucket in the search
$ driftctl scan --filter "Type=='aws_s3_bucket'"
# OR (beware of escape your shell special chars between double quotes)
$ driftctl scan --filter $'Type==\'aws_s3_bucket\''
# Excludes only s3 bucket named 'my-bucket-name'
$ driftctl scan --filter $'Type==\'aws_s3_bucket\' && Id!=\'my-bucket-name\''
# Ignore buckets that have tags terraform equal to 'false'
$ driftctl scan --filter $'!(Type==\'aws_s3_bucket\' && Attr.Tags.terraform==\'false\')'
# Ignore buckets that don't have tag terraform
$ driftctl scan --filter $'!(Type==\'aws_s3_bucket\' && Attr.Tags != null && !contains(keys(Attr.Tags), \'terraform\'))'
# Ignore buckets with an ID prefix of 'terraform-'
$ driftctl scan --filter $'!(Type==\'aws_s3_bucket\' && starts_with(Id, \'terraform-\'))'
# Ignore buckets with an ID suffix of '-test'
$ driftctl scan --filter $'!(Type==\'aws_s3_bucket\' && ends_with(Id, \'-test\'))'
# Ignore GitHub archived repositories
driftctl scan --to github+tf --filter '!(Attr.Archived)'