sync
The fugue sync command enables you to sync files to your account. fugue sync rules allows you to upload custom rule .rego files to your organization to create and update custom rules. It does not delete rules. (To delete a rule, use fugue delete rule [rule_id].)
To learn more about custom rules, see Custom Rules.
sync
Sync files to your account

Usage:
  fugue sync [command]

Available Commands:
  rules       Sync rules to the organization

Flags:
  -h, --help   help for sync

Global Flags:
  --output string   The formatting style for command output [table | json] (default "table")

Use "fugue sync [command] --help" for more information about a command.
sync rules
Sync rules to the organization

Usage:
  fugue sync rules [directory] [flags]

Arguments:
  [directory]

Flags:
  -h, --help                         help for rules
      --target-rule-family string    Comma separated list of UUID of families

Global Flags:
  --output string   The formatting style for command output [table | json] (default "table")
Examples
Syncing custom rules to your tenant
To sync a directory of custom rule .rego files to your Fugue tenant, use the fugue sync rules command. The [directory] argument is required:
  fugue sync rules custom-rules/
You’ll see output like this:
  Creating rule AWS.EC2.SecurityGroup-NoIngressPort9200
  Creating rule AWS.RDS.Instance-RequireMultiAZ
  Updating rule AWS.TaggedResource-RequireTags
  Creating rule Azure.Compute.VirtualMachine-RequireAvailabilitySet
Note that each Rego file must include metadata in a specific format, documented below.
Syncing custom rules into a custom compliance family
To sync a directory of custom rule .rego files to your Fugue tenant and assign them to a custom family, use the fugue sync rules command with the --target-rule-family flag. The example command below syncs the directory of rules into two custom families with the IDs 49bb5ab8-f3df-4f04-8b28-3b0691811819 and fdeaf30d-7a42-487a-b477-8fa2193211e8:
  fugue sync rules custom-rules/ --target-rule-family "49bb5ab8-f3df-4f04-8b28-3b0691811819","fdeaf30d-7a42-487a-b477-8fa2193211e8"
You’ll see output like this:
  Creating rule VPCs require Application:Portal tags
To find your custom family’s ID, see fugue list families.
Custom rule file format
- Each rule file must have the extension .rego.
- Each rule file must contain a resource_type declaration (e.g., aws_s3_bucket for simple rules, MULTIPLE for advanced rules).
- Each rule file must contain metadata. There are two ways to provide metadata:
  - __rego__metadoc__ statement (recommended)
  - HTTP headers (deprecated but still supported for backwards compatibility)
Each rule should use one method of providing metadata; do not use both methods within the same rule. Different rules can use different methods.
__rego__metadoc__ metadata format
The __rego__metadoc__ metadata format supports the fields title (rule name), description, custom.providers, and custom.severity. See the Custom Rules Reference for more information.
Here’s an example of metadata for a simple rule:
  package rules.buckettags

  __rego__metadoc__ := {
    "title": "AWS S3 buckets must be tagged",
    "description": "S3 buckets must have the tag key 'stage' and value 'prod'",
    "custom": {
      "providers": ["AWS", "REPOSITORY"],
      "severity": "Medium"
    }
  }

  input_type = "tf"
  resource_type = "aws_s3_bucket"

  default allow = false

  allow {
    input.tags.stage == "prod"
  }
Here’s an example of metadata for an advanced rule:
  package rules.filterbuckets

  import data.fugue

  __rego__metadoc__ := {
    "title": "AWS S3 buckets tagged 'stage:prod' must have private ACLs",
    "description": "S3 buckets with the tag key 'stage' and value 'prod' must have private ACLs",
    "custom": {
      "providers": ["AWS", "REPOSITORY"],
      "severity": "High"
    }
  }

  input_type = "tf"
  resource_type = "MULTIPLE"

  buckets = fugue.resources("aws_s3_bucket")

  policy[r] {
    bucket = buckets[_]
    bucket.tags.stage == "prod"
    bucket.acl == "private"
    r = fugue.allow_resource(bucket)
  } {
    bucket = buckets[_]
    bucket.tags.stage == "prod"
    not bucket.acl == "private"
    r = fugue.deny_resource(bucket)
  }
Note that fugue sync rules does not support comments within the __rego__metadoc__. You may add comments outside of the __rego__metadoc__.
For more information about custom rules, see Writing Rules.
Deprecated metadata format
The HTTP header metadata format is deprecated. Though you can continue to use it, we recommend you use the __rego__metadoc__ metadata format instead, which supports multiple providers.
In the deprecated metadata format, the CLI uses the filename (minus extension) as the name of the custom rule. Underscores are converted to hyphens. For example, the file My_Custom_Rule.rego will result in a rule with the name My-Custom-Rule.
HTTP header metadata is provided in Rego comments, following this format:
  # Provider: goes here
  # Resource-Type: goes here
  # Description: goes here
  # Severity: goes here

  rule text (code) goes here
Note
If you’re switching from the old HTTP header metadata format to the new __rego__metadoc__ format, make sure the title field in __rego__metadoc__ matches the name of the rule in Fugue. The old format used the filename as the name. If the title does not match the name, fugue sync rules will create new rules instead of updating the existing ones.
Creating vs. updating rules
The CLI uses the rule name to determine whether a custom rule should be created or updated. If the rule name exists, the rule is updated. Otherwise, a new rule is created. This means renaming a custom rule and running fugue sync rules creates a second copy of the rule using the new name.
Note
The fugue sync rules command does not delete rules. It only creates or updates them. To delete a rule, use fugue delete rule [rule_id].
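As an added example (not part of the Fugue CLI or of this page's original content), the following Python checker applies the file-format rules above to a set of rule files before you run fugue sync rules: it checks the .rego extension, the resource_type declaration, that a file uses only one metadata method, that no comment sits inside __rego__metadoc__, and that no two files resolve to the same rule name (the collision the Note about switching formats describes). It assumes the metadoc's closing brace sits alone at the start of a line, as in the examples above, and the two sample rule files are constructed.

```python
import re

# Constructed pre-sync checker for the rules this page documents (not Fugue CLI code); assumes the
# metadoc's closing brace sits alone at line start, as in the examples above.
METADOC_RE = re.compile(r"__rego__metadoc__\s*:=\s*(\{.*?^\})", re.M | re.S)
TITLE_RE = re.compile(r'"title"\s*:\s*"([^"]*)"')
HEADER_RE = re.compile(r"^#\s*(Provider|Resource-Type|Description|Severity):", re.M)
RESOURCE_TYPE_RE = re.compile(r"^resource_type\s*=", re.M)

def check_rule(fname, text):
    """Return (rule_name, problems); rule_name is what `fugue sync rules` matches on."""
    problems, base = [], fname.rsplit("/", 1)[-1]
    if not base.endswith(".rego"):
        problems.append("extension must be .rego")
    if not RESOURCE_TYPE_RE.search(text):
        problems.append("missing resource_type declaration")
    doc, headers, name = METADOC_RE.search(text), HEADER_RE.search(text), None
    if doc and headers:
        problems.append("mixes __rego__metadoc__ and HTTP header metadata")
    if doc:
        if any(l.lstrip().startswith("#") for l in doc.group(1).splitlines()):
            problems.append("comments inside __rego__metadoc__ are not supported")
        title = TITLE_RE.search(doc.group(1))  # list.append returns None, so name stays None
        name = title.group(1) if title else problems.append("__rego__metadoc__ has no title")
    elif headers:  # deprecated format: filename minus extension, underscores become hyphens
        name = re.sub(r"\.rego$", "", base).replace("_", "-")
    else:
        problems.append("no metadata found")
    return name, problems

def check_directory(files):
    """files: {filename: contents} -> {filename: problems}; flags files that resolve to one rule name."""
    report, seen = {}, {}
    for fname, text in files.items():
        name, problems = check_rule(fname, text)
        if name in seen:  # sync would treat both files as the same rule and overwrite it
            problems.append(f"rule name {name!r} already used by {seen[name]}")
        elif name is not None:
            seen[name] = fname
        report[fname] = problems
    return report

# Constructed sample: a metadoc rule plus a header-format rule whose filename maps to the same name.
RULE_BODY = 'resource_type = "aws_s3_bucket"\ndefault allow = false\nallow { input.tags.stage == "prod" }\n'
SAMPLE = {
    "custom-rules/s3_tags.rego": 'package rules.s3tags\n__rego__metadoc__ := {\n  "title": '
        '"S3-Bucket-Tags",\n  "custom": {"providers": ["AWS"], "severity": "Low"}\n}\n' + RULE_BODY,
    "custom-rules/S3_Bucket_Tags.rego": "# Provider: AWS\n# Resource-Type: aws_s3_bucket\n"
        "# Description: Buckets must be tagged\n# Severity: Low\n" + RULE_BODY,
}
```

Run check_directory(SAMPLE) over your own directory's contents and resolve every reported problem before syncing; the sample reports the second file as colliding with the first.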