create

The fugue create command enables you to create an AWS, AWS GovCloud, or Azure environment or a custom rule.

create

Create a resource

Usage:
  fugue create [command]

Available Commands:
  aws         AWS subcommands
  azure       Azure subcommands
  rule        Create a custom rule

Flags:
  -h, --help   help for create

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue create [command] --help" for more information about a command.

create aws

AWS subcommands

Usage:
  fugue create aws [command]

Available Commands:
  environment Create an AWS environment

Flags:
  -h, --help   help for aws

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue create aws [command] --help" for more information about a command.

create aws environment

Create an AWS environment

Usage:
  fugue create aws environment [flags]

Aliases:
  environment, env

Flags:
      --compliance-families strings          Compliance families
  -h, --help                                 help for environment
      --name string                          Environment name
      --provider string                      Provider if cannot be resolved from regions
      --region string                        AWS region (deprecated)
      --regions strings                      AWS regions (default all regions)
      --remediation-resource-types strings   Baseline enforcement resource types
      --role string                          AWS IAM role arn
      --scan-interval int                    Scan interval (seconds) (default 86400)
      --survey-resource-types strings        Survey resource types (defaults to all available types)

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

create azure

Azure subcommands

Usage:
  fugue create azure [command]

Available Commands:
  environment Create an Azure environment

Flags:
  -h, --help   help for azure

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue create azure [command] --help" for more information about a command.

create azure environment

Create an Azure environment

Usage:
  fugue create azure environment [flags]

Aliases:
  environment, env

Flags:
      --app string                            Azure Application ID
      --compliance-families strings           Compliance families
  -h, --help                                  help for environment
      --name string                           Environment name
      --remediation-resource-groups strings   Baseline enforcement resource groups
      --scan-interval int                     Scan interval (seconds) (default 86400)
      --secret string                         Azure Client Secret
      --sub string                            Azure Subscription ID
      --survey-resource-groups strings        Survey resource groups
      --tenant string                         Azure Tenant ID

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

create rule

Create a custom rule

Usage:
  fugue create rule [flags]

Flags:
      --description string     Description
  -h, --help                   help for rule
      --name string            Rule name
      --provider string        Provider
      --resource-type string   Resource type
      --text string            Rule text

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Output Attributes

Create environment output

The fugue create aws environment and fugue create azure environment output includes the following attributes:

ENVIRONMENT_ID

ID of the environment.

NAME

Name of the environment.

PROVIDER

Name of the cloud service provider for the environment. Values - aws, aws_govcloud, azure

SCAN_INTERVAL

Time in seconds between the end of one scan to the start of the next.

LAST_SCAN_AT

When the current or most recently completed scan for the environment started, Unix time (table output renders it as a formatted timestamp; "-" when no scan has run yet).

NEXT_SCAN_AT

When the next scan will start, Unix time (table output renders it as a formatted timestamp, as in the examples below).

SCAN_STATUS

Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED

COMPLIANCE_FAMILIES

List of compliance families validated against the environment.

DRIFT

Indicates whether drift detection is enabled for the environment.

REMEDIATION

Indicates whether baseline enforcement is enabled for the environment.

Create rule output

The fugue create rule output includes the following attributes:

NAME

ID of the custom rule.

DESCRIPTION

Description of the custom rule.

PROVIDER

Provider of the custom rule. Values - AWS, AWS_GOVCLOUD, AZURE. Note that rule provider values are uppercase, unlike the lowercase PROVIDER values reported for environments (aws, aws_govcloud, azure).

RESOURCE_TYPE

Resource type to which the custom rule applies.

STATUS

The current status of the rule. Values - ENABLED, DISABLED, INVALID

Examples

Creating an AWS environment

To create an AWS environment, use the fugue create aws environment command. The required flags are:

  • --name

  • At least one of --regions or --provider

  • --role

If you omit --regions, you must specify --provider, and the environment defaults to all regions for that provider. If you omit --provider, you must specify --regions, and the provider is resolved from the regions you list.

Here’s an example command to create an AWS environment:

fugue create aws environment --name "AWS CLI Example" \
--regions "us-west-1","us-west-2" \
--role arn:aws:iam::123456789012:role/FugueRole1567991234 \
--survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup" \
--remediation-resource-types "AWS.EC2.Vpc" \
--compliance-families "CIS","GDPR" \
--scan-interval 3600

The above command uses these settings:

Name, --name

"AWS CLI Example"

AWS regions, --regions

"us-west-1" and "us-west-2"

IAM role, --role

"arn:aws:iam::123456789012:role/FugueRole1567991234"

Scanned resources, --survey-resource-types

"AWS.EC2.Vpc" and "AWS.EC2.SecurityGroup"

Enforced resources, --remediation-resource-types

"AWS.EC2.Vpc"

Compliance standards, --compliance-families

"CIS" (CIS AWS) and "GDPR"

Scan interval in seconds, --scan-interval

3600 (1 hour)

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | 693bb694-292b-4e23-9061-1a2b3c4d5e6f
NAME                | AWS CLI Example
PROVIDER            | aws
SCAN_INTERVAL       | 3600
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | 2019-09-18T13:12:04-04:00
SCAN_STATUS         | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS,GDPR
DRIFT               | false
REMEDIATION         | false

See Output Attributes for details.

DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.

Creating an AWS GovCloud environment

To create an AWS GovCloud environment, use the fugue create aws environment command. The required flags are:

  • --name

  • At least one of --regions or --provider

  • --role

If you omit --regions, you must specify --provider, and the environment defaults to all regions for that provider. If you omit --provider, you must specify --regions, and the provider is resolved from the regions you list.

Here’s an example command to create an AWS GovCloud environment:

fugue create aws environment --name "AWS CLI GovCloud Example" \
--provider "aws_govcloud" \
--role "arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084" \
--compliance-families "SOC2"

The above command uses these settings:

Name, --name

"AWS CLI GovCloud Example"

Provider, --provider

AWS GovCloud

AWS regions, --regions

All regions for provider (default)

IAM role, --role

"arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084" (note the aws-us-gov partition in a GovCloud ARN)

Scanned resources, --survey-resource-types

All available types (default)

Enforced resources, --remediation-resource-types

None (default)

Compliance standards, --compliance-families

"SOC2"

Scan interval in seconds, --scan-interval

86400 (default – 1 day)

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | 966377d6-2914-4f2a-8283-999999999999
NAME                | AWS CLI GovCloud Example
PROVIDER            | aws_govcloud
SCAN_INTERVAL       | 86400
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | 2019-09-18T13:56:46-04:00
SCAN_STATUS         | IN_PROGRESS
COMPLIANCE_FAMILIES | SOC2
DRIFT               | false
REMEDIATION         | false

See Output Attributes for details.

DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.
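The two procedures above share one rule (the provider is resolved from --regions, and --provider is required only when --regions is omitted) and one easy mistake: a GovCloud environment needs a role ARN in the aws-us-gov partition, a commercial one needs the aws partition, and the two look alike. The following is an added example, not part of the Fugue CLI or its documentation. It checks both points before the CLI is called and returns the argument list to hand to fugue create aws environment; the GovCloud region set, the argv layout and the function names are this example's own assumptions.

```python
"""Pre-flight checks for a `fugue create aws environment` call.

Added example, not part of the Fugue CLI. It encodes the rule stated in the
procedures above (provider resolved from --regions; --provider required only
when --regions is omitted) and one AWS fact: GovCloud role ARNs use the
aws-us-gov partition, commercial role ARNs use aws.
"""
import re
import shlex

# Assumption of this example: the GovCloud regions it recognises.
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}
# ARN partition expected for each Fugue provider value.
ARN_PARTITION = {"aws": "aws", "aws_govcloud": "aws-us-gov"}
ROLE_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):iam::(?P<account>\d{12}):role/[\w+=,.@/-]+$"
)


def resolve_provider(regions, provider=None):
    """Return the provider implied by `regions`, or `provider` when no regions are given.

    A mixed GovCloud/commercial region list, or a --provider that contradicts
    the regions, is rejected rather than silently resolved.
    """
    if not regions:
        if provider not in ARN_PARTITION:
            raise ValueError("--regions omitted: --provider must be 'aws' or 'aws_govcloud'")
        return provider
    gov = {r for r in regions if r in GOVCLOUD_REGIONS}
    if gov and gov != set(regions):
        raise ValueError(f"mixed GovCloud and commercial regions: {sorted(regions)}")
    resolved = "aws_govcloud" if gov else "aws"
    if provider is not None and provider != resolved:
        raise ValueError(f"--provider {provider!r} contradicts regions {sorted(regions)} ({resolved})")
    return resolved


def check_role_arn(role, provider):
    """Validate the IAM role ARN against the provider and return its account ID.

    The partition mismatch is easy to miss by eye, so it is checked here.
    """
    m = ROLE_ARN.match(role)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role!r}")
    expected = ARN_PARTITION[provider]
    if m.group("partition") != expected:
        raise ValueError(
            f"role ARN partition {m.group('partition')!r} does not match "
            f"provider {provider!r} (expected {expected!r})"
        )
    return m.group("account")


def build_create_args(name, role, regions=(), provider=None,
                      compliance_families=(), scan_interval=86400):
    """Return the argv for `fugue create aws environment` once the checks pass."""
    regions = list(regions)
    provider = resolve_provider(regions, provider)
    check_role_arn(role, provider)
    if scan_interval <= 0:
        raise ValueError("--scan-interval must be a positive number of seconds")
    args = ["fugue", "create", "aws", "environment",
            "--name", name, "--role", role, "--scan-interval", str(scan_interval)]
    # The page's examples pass list flags as comma-separated values. The CLI
    # resolves the provider from --regions, so --provider is only passed when
    # no regions are given.
    if regions:
        args += ["--regions", ",".join(regions)]
    else:
        args += ["--provider", provider]
    if compliance_families:
        args += ["--compliance-families", ",".join(compliance_families)]
    return args


if __name__ == "__main__":
    # The GovCloud example from this page, role ARN in the aws-us-gov partition.
    cmd = build_create_args(
        "AWS CLI GovCloud Example",
        "arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084",
        provider="aws_govcloud", compliance_families=["SOC2"],
    )
    print(shlex.join(cmd))
```

Run it with the commercial example's arguments (regions us-west-1 and us-west-2, an arn:aws: role) and the provider resolves to aws with no --provider emitted; swap in the GovCloud role while keeping those regions and it raises instead of producing a command the service would reject later.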

Creating an Azure environment

To create an Azure environment, use the fugue create azure environment command. The required flags are:

  • --app

  • --name

  • --secret

  • --sub

  • --survey-resource-groups

  • --tenant

Here's an example command to create an Azure environment. Because --secret takes the client secret as a command-line argument, the secret is recorded in your shell history and is visible in the process list while the command runs; keep it out of scripts and history by reading it from a secret store or environment variable rather than pasting it inline.

fugue create azure environment \
--app "7caf2fea-725f-49cc-0000-123456789012" \
--compliance-families "CISAZURE" \
--name "CLI Azure Example" \
--secret "-b/-6oTtKT*c11223344556677889900" \
--sub "20a3dcf5-ce6c-42fa-0000-123456789012" \
--survey-resource-groups "dev-centralus","dev-eastus" \
--tenant "83ad8c73-5f20-4172-0000-123456789012"

The above command uses these settings:

Application ID (client ID), --app

"7caf2fea-725f-49cc-0000-123456789012"

Compliance standards, --compliance-families

"CISAZURE"

Name, --name

"CLI Azure Example"

Client secret, --secret

"-b/-6oTtKT*c11223344556677889900"

Enforced resource groups, --remediation-resource-groups

None (default)

Subscription ID, --sub

"20a3dcf5-ce6c-42fa-0000-123456789012"

Scan interval in seconds, --scan-interval

86400 (default – 1 day)

Scanned resource groups, --survey-resource-groups

"dev-centralus" and "dev-eastus"

Tenant ID (directory ID), --tenant

"83ad8c73-5f20-4172-0000-123456789012"

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | bb69bea7-d33d-421c-0000-098765432109
NAME                | CLI Azure Example
PROVIDER            | azure
SCAN_INTERVAL       | 86400
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | 2019-09-10T11:55:14-04:00
SCAN_STATUS         | IN_PROGRESS
COMPLIANCE_FAMILIES | CISAZURE
DRIFT               | false
REMEDIATION         | false

See Output Attributes for details.

DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.
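The client secret caveat above can be enforced rather than remembered. The following is an added example, not part of the Fugue CLI or its documentation: it builds the argument list for fugue create azure environment with the secret sourced from an environment variable instead of a literal, refuses to run when that variable is unset, checks that --app, --sub and --tenant are GUIDs before anything is sent, and redacts the secret from the command line before it is logged. The page documents only the --secret flag, so the secret still appears in the CLI process's argv while it runs; the variable name FUGUE_AZURE_CLIENT_SECRET and the function names are this example's own assumptions.

```python
"""Build a `fugue create azure environment` call without a literal client secret.

Added example, not part of the Fugue CLI. The secret is read from an
environment variable (FUGUE_AZURE_CLIENT_SECRET is this example's own name)
so it stays out of scripts and shell history, and it is redacted from the
command line before logging. It is still passed via --secret, the only
mechanism the CLI reference documents, so it is visible in the process list
while the command runs.
"""
import os
import shlex
import uuid

SECRET_ENV = "FUGUE_AZURE_CLIENT_SECRET"  # assumption: name chosen for this example
REDACTED = "<redacted>"


def check_guid(label, value):
    """--app, --sub and --tenant are Azure GUIDs; reject anything else up front."""
    try:
        uuid.UUID(value)
    except ValueError:
        raise ValueError(f"{label} is not a GUID: {value!r}") from None
    return value.lower()


def build_azure_args(name, app, sub, tenant, survey_resource_groups,
                     compliance_families=(), environ=os.environ):
    """Return argv for `fugue create azure environment`, sourcing the secret from `environ`."""
    secret = environ.get(SECRET_ENV, "")
    if not secret.strip():
        raise RuntimeError(f"{SECRET_ENV} is unset or empty; refusing to run without a client secret")
    if not survey_resource_groups:
        raise ValueError("--survey-resource-groups is required")
    args = ["fugue", "create", "azure", "environment",
            "--name", name,
            "--app", check_guid("--app", app),
            "--sub", check_guid("--sub", sub),
            "--tenant", check_guid("--tenant", tenant),
            "--secret", secret,
            # The page's examples pass list flags as comma-separated values.
            "--survey-resource-groups", ",".join(survey_resource_groups)]
    if compliance_families:
        args += ["--compliance-families", ",".join(compliance_families)]
    return args


def redact(args):
    """Copy of argv that is safe to log: the value following --secret is replaced."""
    out = list(args)
    for i, a in enumerate(out[:-1]):
        if a == "--secret":
            out[i + 1] = REDACTED
    return out


if __name__ == "__main__":
    # The Azure example from this page; export FUGUE_AZURE_CLIENT_SECRET first.
    argv = build_azure_args(
        "CLI Azure Example",
        app="7caf2fea-725f-49cc-0000-123456789012",
        sub="20a3dcf5-ce6c-42fa-0000-123456789012",
        tenant="83ad8c73-5f20-4172-0000-123456789012",
        survey_resource_groups=["dev-centralus", "dev-eastus"],
        compliance_families=["CISAZURE"],
    )
    print(shlex.join(redact(argv)))  # log the redacted form only
```

Hand `argv` (not `redact(argv)`) to `subprocess.run`; only the redacted copy should reach logs or CI output.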

Creating a custom rule

To create a custom rule for your organization, use the fugue create rule command. The required flags are:

  • --description

  • --name

  • --provider

  • --resource-type

  • --text

Here’s an example command to create a custom rule requiring AWS RDS instances to be deployed in multiple availability zones:

fugue create rule \
--description "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data." \
--name "Require RDS instance multi-AZ" \
--provider "AWS_GOVCLOUD" \
--resource-type "AWS.RDS.Instance" \
--text "allow { input.multi_az == true }"

The above command uses these settings:

Description, --description

"RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data."

Name, --name

"Require RDS instance multi-AZ"

Provider, --provider

"AWS_GOVCLOUD"

Resource type, --resource-type

"AWS.RDS.Instance"

Rule text, --text

"allow { input.multi_az == true }"

You’ll see output like this:

===============================================================================================================================
ATTRIBUTE     | VALUE
===============================================================================================================================
NAME          | Require RDS instance multi-AZ
DESCRIPTION   | RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data.
PROVIDER      | AWS_GOVCLOUD
RESOURCE_TYPE | AWS.RDS.Instance
STATUS        | ENABLED

See Output Attributes for details.