sync

The fugue sync command syncs files to your account. fugue sync rules uploads a directory of custom rule .rego files to your organization, creating each rule that does not exist yet and updating each one that does. It never deletes rules. (To delete a rule, use fugue delete rule [rule_id].)

To learn more about custom rules, see Custom Rules.

sync

Sync files to your account

Usage:
  fugue sync [command]

Available Commands:
  rules       Sync rules to the organization

Flags:
  -h, --help   help for sync

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue sync [command] --help" for more information about a command.

sync rules

Sync rules to the organization

Usage:
  fugue sync rules [directory] [flags]

Flags:
  -h, --help   help for rules

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Examples

Syncing custom rules to your organization

To sync a directory of custom rule .rego files to your organization, use the fugue sync rules command. The [directory] argument is required:

fugue sync rules custom-rules/

You’ll see output like this:

Creating rule AWS.EC2.SecurityGroup-NoIngressPort9200
Creating rule AWS.RDS.Instance-RequireMultiAZ
Updating rule AWS.TaggedResource-RequireTags
Creating rule Azure.Compute.VirtualMachine-RequireAvailabilitySet

Custom rule file format

Each rule file must have the extension .rego. The CLI uses the filename (minus extension) as the name of the custom rule. Underscores are converted to hyphens. For example, the file My_Custom_Rule.rego will result in a rule with the name My-Custom-Rule. Because of this conversion, two files whose names differ only by underscores versus hyphens (My_Rule.rego and My-Rule.rego) map to the same rule name, so keep the derived names unique within the directory.

Comment lines at the top of the file define the Provider, Resource type, Description, and Severity; the remainder of the file is the rule text:

  • Provider

    • AWS

    • AWS_GOVCLOUD

    • Azure (applies to both Azure and Azure Government environments)

  • Resource type, as listed in Service Coverage - AWS & AWS GovCloud and Service Coverage - Azure & Azure Government; for example, AWS.EC2.Vpc, Azure.Storage.Account

    • Note: AWS and AWS GovCloud resource types use the same names, so for a VPC in AWS GovCloud, you’d use AWS.EC2.Vpc

    • Note: Azure and Azure Government resource types use the same names

    • Note: All advanced rules have the resource type MULTIPLE whether they include one resource type or multiple types

  • Description

  • Rule text

  • Severity

    • Informational

    • Low

    • Medium

    • High (default)

    • Critical

Use this format:

# Provider: goes here
# Resource-Type: Provider.Resource.Type
# Description: goes here
# Severity: goes here

rule text goes here

For more information about simple and advanced custom rules, see Custom Rules.

Custom rule format examples

For example, here are the contents of the simple rule AWS.EC2.SecurityGroup_NoIngressPort9200.rego:

# Provider: AWS
# Resource-Type: AWS.EC2.SecurityGroup
# Description: VPC security groups should not permit ingress from '0.0.0.0/0' to TCP port 9200 (Elasticsearch). Removing unfettered connectivity to an Elasticsearch server reduces the chance of exposing critical data.
# Severity: High

deny {
  input.ingress[i].from_port <= 9200
  input.ingress[i].to_port >= 9200
  input.ingress[i].cidr_blocks[_] == "0.0.0.0/0"
}

Using this file, fugue sync rules [directory] creates a rule with the following properties:

Name

AWS.EC2.SecurityGroup-NoIngressPort9200

Provider

AWS

Resource type

AWS.EC2.SecurityGroup

Description

VPC security groups should not permit ingress from '0.0.0.0/0' to TCP port 9200 (Elasticsearch). Removing unfettered connectivity to an Elasticsearch server reduces the chance of exposing critical data.

Severity

High

Rule text
deny {
   input.ingress[i].from_port <= 9200
   input.ingress[i].to_port >= 9200
   input.ingress[i].cidr_blocks[_] == "0.0.0.0/0"
}

Likewise, here’s an example of an advanced rule with the filename ManagedDisksRunningLinuxRequireTag.rego. The metadata comments come first; the rule text, including the managed_disks definition that the policy depends on, follows them:

# Provider: Azure
# Resource-Type: MULTIPLE
# Description: Azure managed disks running Linux must have "application" tag
# Severity: Low

managed_disks = fugue.resources("Azure.Compute.ManagedDisk")

valid(disk) {
  disk.tags.application != ""
}

policy[r] {
   managed_disk = managed_disks[_]
   managed_disk.os_type == "Linux"
   valid(managed_disk)
   r = fugue.allow_resource(managed_disk)
} {
   managed_disk = managed_disks[_]
   managed_disk.os_type == "Linux"
   not valid(managed_disk)
   r = fugue.deny_resource(managed_disk)
}

fugue sync rules [directory] creates a rule with the following properties:

Name

ManagedDisksRunningLinuxRequireTag

Provider

Azure

Resource type

MULTIPLE (the resource type is MULTIPLE because this is an advanced rule, even though there’s only one resource type involved; see Custom Rules for more information)

Description

Azure managed disks running Linux must have "application" tag

Severity

Low

Rule text
managed_disks = fugue.resources("Azure.Compute.ManagedDisk")

valid(disk) {
  disk.tags.application != ""
}

policy[r] {
   managed_disk = managed_disks[_]
   managed_disk.os_type == "Linux"
   valid(managed_disk)
   r = fugue.allow_resource(managed_disk)
} {
   managed_disk = managed_disks[_]
   managed_disk.os_type == "Linux"
   not valid(managed_disk)
   r = fugue.deny_resource(managed_disk)
}

Creating vs. updating rules

The CLI uses the rule name to determine whether a custom rule should be created or updated. If a rule with that name already exists, it is updated in place. Otherwise, a new rule is created. This means renaming a rule file and running fugue sync rules creates a second rule under the new name and leaves the rule under the old name untouched; remove the old one with fugue delete rule [rule_id].

Note

The fugue sync rules command does not delete rules. It only creates or updates them. To delete a rule, use fugue delete rule [rule_id].
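As an added example (this is not Fugue CLI code or part of its documentation), the following Python script applies the conventions from "Custom rule file format" and from this section before you run fugue sync rules: it derives each rule name from the filename, parses the metadata comments with the documented High default for Severity, and predicts which rules would be created, which updated, and which existing rule names would be left orphaned because no file maps to them any more. The sample files (the two rules shown above with their bodies condensed onto single lines, plus one deliberately broken file) and the list of existing rule names are constructed for the example; in practice you would build the file dictionary with Path(dir).glob("*.rego") and take the existing names from your organization. The advanced-versus-simple check (a file that defines policy[...] is treated as advanced and must be MULTIPLE) is this script's own heuristic, not documented CLI behaviour.

```python
"""Pre-flight check for Fugue custom-rule .rego files (added example, not
Fugue CLI code): applies the documented naming/metadata conventions and
predicts what `fugue sync rules` would create, update, or leave orphaned."""
import json
import re
from pathlib import Path

PROVIDERS = {"AWS", "AWS_GOVCLOUD", "Azure"}
SEVERITIES = {"Informational", "Low", "Medium", "High", "Critical"}
META_RE = re.compile(r"^#\s*(Provider|Resource-Type|Description|Severity)\s*:\s*(.*?)\s*$")


def rule_name(filename):
    # Documented rule: strip the .rego extension, convert '_' to '-'.
    return Path(filename).stem.replace("_", "-")


def parse_rule(text):
    """Return (meta, rule_text, errors). Metadata comments are collected
    wherever they appear; every other non-blank line is rule text."""
    meta, body, errors = {}, [], []
    for line in text.splitlines():
        m = META_RE.match(line)
        if m:
            key, value = m.groups()
            if key in meta:
                errors.append(f"duplicate '{key}' metadata line")
            meta[key] = value
        elif line.strip():
            body.append(line)
    meta.setdefault("Severity", "High")  # documented default
    for key, allowed in (("Provider", PROVIDERS), ("Severity", SEVERITIES)):
        if meta.get(key) not in allowed:
            errors.append(f"{key} must be one of {sorted(allowed)}")
    if not meta.get("Description"):
        errors.append("missing Description")
    rule_text = "\n".join(body)
    # Heuristic (this script's assumption, not documented CLI behaviour): a file
    # defining policy[...] is advanced and must be MULTIPLE; a deny rule is not.
    advanced = re.search(r"^\s*policy\[", rule_text, re.M) is not None
    rtype = meta.get("Resource-Type")
    if not rtype:
        errors.append("missing Resource-Type")
    elif advanced and rtype != "MULTIPLE":
        errors.append("advanced rule must declare Resource-Type: MULTIPLE")
    elif not advanced and rtype == "MULTIPLE":
        errors.append("simple rule must name a concrete resource type, not MULTIPLE")
    return meta, rule_text, errors


def plan_sync(files, existing_names):
    """Classify {filename: contents} against rule names already in the org.
    Sync never deletes, so a renamed file yields one 'create' plus one
    'orphaned' name that must be removed with `fugue delete rule [rule_id]`."""
    plan = {"create": [], "update": [], "orphaned": [], "errors": {}}
    local = {}  # derived rule name -> filename
    for filename, text in files.items():
        if not filename.endswith(".rego"):
            plan["errors"][filename] = ["rule files must have the .rego extension"]
            continue
        name = rule_name(filename)
        if name in local:  # e.g. A_B.rego and A-B.rego both become rule A-B
            plan["errors"][filename] = [f"name {name!r} collides with {local[name]!r}"]
            continue
        local[name] = filename
        _, _, errors = parse_rule(text)
        if errors:
            plan["errors"][filename] = errors
            continue
        plan["update" if name in existing_names else "create"].append(name)
    plan["orphaned"] = sorted(set(existing_names) - set(local))
    return plan


# Constructed sample directory: the two rules documented above (bodies
# condensed onto single lines) plus one deliberately broken file.
SAMPLE_FILES = {
    "AWS.EC2.SecurityGroup_NoIngressPort9200.rego": (
        "# Provider: AWS\n# Resource-Type: AWS.EC2.SecurityGroup\n"
        "# Description: No ingress from 0.0.0.0/0 to TCP 9200 (Elasticsearch)\n"
        "# Severity: High\n"
        'deny { input.ingress[i].from_port <= 9200; input.ingress[i].to_port >= 9200; input.ingress[i].cidr_blocks[_] == "0.0.0.0/0" }\n'
    ),
    "ManagedDisksRunningLinuxRequireTag.rego": (
        "# Provider: Azure\n# Resource-Type: MULTIPLE\n"
        '# Description: Azure managed disks running Linux must have "application" tag\n'
        "# Severity: Low\n"
        'managed_disks = fugue.resources("Azure.Compute.ManagedDisk")\n'
        'valid(disk) { disk.tags.application != "" }\n'
        'policy[r] { d = managed_disks[_]; d.os_type == "Linux"; valid(d); r = fugue.allow_resource(d) }\n'
        'policy[r] { d = managed_disks[_]; d.os_type == "Linux"; not valid(d); r = fugue.deny_resource(d) }\n'
    ),
    "Broken_Rule.rego": (
        "# Provider: GCP\n# Resource-Type: MULTIPLE\n# Description: bad provider, severity, type\n"
        "# Severity: Urgent\ndeny { input.x == 1 }\n"
    ),
}
# Constructed: names already in the org. "Managed-Disks-Linux-Tag" is the
# disk rule's old name from before its file was renamed.
EXISTING_RULES = ["AWS.EC2.SecurityGroup-NoIngressPort9200", "Managed-Disks-Linux-Tag"]

if __name__ == "__main__":
    print(json.dumps(plan_sync(SAMPLE_FILES, EXISTING_RULES), indent=2))
```

Running the script reports the security group rule as an update, the disk rule as a create, Managed-Disks-Linux-Tag as orphaned (the leftover the rename would otherwise leave behind), and three problems in Broken_Rule.rego. Anything listed under errors or orphaned is worth fixing or deleting before the sync, since the CLI will not do either for you.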