test
Tip
For more information on writing and testing custom rules, see Managing Custom Rules - CLI.
The fugue test command enables you to test a custom rule by providing Fugue with a scan ID from a selected point in time. The scan ID points to a "snapshot" of the resource configuration at the time of the scan, which is the test data your rule is evaluated against.
To learn more about custom rules, see Writing Rules.
test
Test custom rules
Usage:
fugue test [command]
Available Commands:
rule Test a custom rule
Flags:
-h, --help help for test
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
Use "fugue test [command] --help" for more information about a command.
test rule
Arguments:
[rego file]
Required flags:
--resource-type
--scan
Test a custom rule
Usage:
fugue test rule [rego file] [flags]
Flags:
-h, --help help for rule
--resource-type string Resource type
--scan string Scan ID
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
Output Attributes
Test Rule Output
The fugue test rule output includes the following attributes:
Examples
Testing a rule
Tip
For more detailed information on using the CLI to test rules, see Managing Custom Rules - CLI.
To test a rule, use the fugue test rule command. The [rego file] argument, --resource-type flag, and --scan flag are required:
fugue test rule vpc-cidr-size.rego --resource-type "AWS.EC2.Vpc" \
--scan 8576a1b3-2f72-4e1d-902a-c81f22222222
You’ll see output like this:
========================================
ID | RESULT | TYPE
========================================
vpc-05621851a2b3c4d5e | PASS | aws_vpc
vpc-07f46019987654321 | FAIL | aws_vpc
To learn how to find your scan ID, see fugue list scans.
Setting the resource type
If the resource type is defined in the Rego file (as it must be when syncing custom rules, writing rules for multiple providers, or writing rules for the REPOSITORY provider), set the --resource-type flag to DEFINED_IN_CODE:
fugue test rule vpc-cidr-size.rego \
--resource-type "DEFINED_IN_CODE" --scan 8576a1b3-2f72-4e1d-902a-c81f22222222
Otherwise, if the rule is a simple rule, use the actual name of the resource type. Rules for the REPOSITORY provider (or REPOSITORY + runtime) use the Terraform name. Runtime-only rules use the Fugue name:
fugue test rule vpc-cidr-size.rego \
--resource-type "AWS.EC2.Vpc" --scan 8576a1b3-2f72-4e1d-902a-c81f22222222
Otherwise, if the rule is an advanced rule, use MULTIPLE:
fugue test rule vpc-cidr-size.rego \
--resource-type "MULTIPLE" --scan 8576a1b3-2f72-4e1d-902a-c81f22222222
To learn how to find the correct resource type name (both Fugue and Terraform), see the service coverage pages for AWS & AWS GovCloud, Azure & Azure Government, and Google.
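As an added example (not code from the Fugue documentation or the fugue CLI), the POSIX shell helper below encodes the resource-type selection described above: it reads the Rego file to choose between DEFINED_IN_CODE, MULTIPLE and a caller-supplied type name, then prints the resulting fugue test rule command line for review. The resource_type and policy[...] markers it looks for, the sample rules and the reuse of the scan ID from the examples above are assumptions.

```shell
# Added example, not part of the Fugue CLI docs: derive the --resource-type
# value for fugue test rule from the Rego file, using the rules given above.
# Assumptions (not on this page): a rule that defines its type in code has a
# top-level line resource_type := "..." (or resource_type = "..."); an advanced
# rule declares policy[...]; anything else is a simple rule whose type name
# (Fugue or Terraform, see above) the caller must supply.

# Usage: fugue_test_resource_type RULE.rego [SIMPLE_TYPE]
# Prints the --resource-type value; fails if it cannot decide.
fugue_test_resource_type() {
  rule="$1"; simple_type="$2"
  if grep -Eq '^[[:space:]]*resource_type[[:space:]]*:?=' "$rule"; then
    echo "DEFINED_IN_CODE"   # type declared in the file itself
  elif grep -Eq '^[[:space:]]*policy\[' "$rule"; then
    echo "MULTIPLE"          # advanced rule with no type in code
  elif [ -n "$simple_type" ]; then
    echo "$simple_type"      # simple rule: caller supplies the type name
  else
    echo "error: $rule is a simple rule; pass its resource type" >&2
    return 1
  fi
}

# Usage: fugue_test_cmd RULE.rego SCAN_ID [SIMPLE_TYPE]
# Prints the full fugue test rule command line rather than running it, so
# the flag choice can be reviewed (or piped to sh) without a live scan.
fugue_test_cmd() {
  rt=$(fugue_test_resource_type "$1" "$3") || return 1
  printf 'fugue test rule %s --resource-type "%s" --scan %s\n' "$1" "$rt" "$2"
}

# Constructed sample rules; bodies are stand-ins, only the declarations matter.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/defined.rego" <<'EOF'
package rules.vpc_cidr_size
resource_type := "AWS.EC2.Vpc"
deny { input.cidr_block == "0.0.0.0/0" }
EOF
cat > "$SAMPLES/advanced.rego" <<'EOF'
package rules.vpc_cidr_size_multi
policy[p] { p := {"valid": true} }
EOF
cat > "$SAMPLES/simple.rego" <<'EOF'
package rules.vpc_cidr_size
deny { input.cidr_block == "0.0.0.0/0" }
EOF

fugue_test_cmd "$SAMPLES/defined.rego" 8576a1b3-2f72-4e1d-902a-c81f22222222
fugue_test_cmd "$SAMPLES/simple.rego" 8576a1b3-2f72-4e1d-902a-c81f22222222 AWS.EC2.Vpc
```

Running a simple rule without a type name is a hard error rather than a silent default, so a wrong --resource-type never reaches the scan.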