sync

The fugue sync command enables you to sync files to your account. fugue sync rules allows you to upload custom rule .rego files to your organization to create and update custom rules. It does not delete rules. (To delete a rule, use fugue delete rule [rule_id].)

To learn more about custom rules, see Custom Rules.

sync

Sync files to your account

Usage:
  fugue sync [command]

Available Commands:
  rules       Sync rules to the organization

Flags:
  -h, --help   help for sync

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue sync [command] --help" for more information about a command.

sync rules

Sync rules to the organization

Usage:
  fugue sync rules [directory] [flags]

Flags:
  -h, --help                        help for rules
      --target-rule-family string   Comma separated list of UUID of families

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Examples

Syncing custom rules to your tenant

To sync a directory of custom rule .rego files to your Fugue tenant, use the fugue sync rules command. The [directory] argument is required:

fugue sync rules custom-rules/

You’ll see output like this:

Creating rule AWS.EC2.SecurityGroup-NoIngressPort9200
Creating rule AWS.RDS.Instance-RequireMultiAZ
Updating rule AWS.TaggedResource-RequireTags
Creating rule Azure.Compute.VirtualMachine-RequireAvailabilitySet

Note that each Rego file must include metadata in a specific format, documented below.

Syncing custom rules into a custom compliance family

To sync a directory of custom rule .rego files to your Fugue tenant and assign them to a custom family, use the fugue sync rules command with the --target-rule-family flag. The example command below syncs the directory of rules into two custom families with the IDs 49bb5ab8-f3df-4f04-8b28-3b0691811819 and fdeaf30d-7a42-487a-b477-8fa2193211e8:

fugue sync rules custom-rules/ --target-rule-family "49bb5ab8-f3df-4f04-8b28-3b0691811819","fdeaf30d-7a42-487a-b477-8fa2193211e8"

You’ll see output like this:

Creating rule VPCs require Application:Portal tags

To find your custom family’s ID, see fugue list families.

Custom rule file format

  • Each rule file must have the extension .rego.

  • Each rule file must contain a resource_type declaration (e.g., aws_s3_bucket for simple rules, MULTIPLE for advanced rules).

  • Each rule file must contain metadata. There are two ways to provide metadata: the __rego__metadoc__ metadata format and the deprecated HTTP header metadata format, both described below.

Each rule should use one method of providing metadata; do not use both methods within the same rule. Different rules can use different methods.

__rego__metadoc__ metadata format

The __rego__metadoc__ metadata format supports the fields title (rule name), description, custom.providers, and custom.severity. See the Custom Rules Reference for more information.

Here’s an example of metadata for a simple rule:

package rules.buckettags

__rego__metadoc__ := {
  "title": "AWS S3 buckets must be tagged",
  "description": "S3 buckets must have the tag key 'stage' and value 'prod'",
  "custom": {
    "providers": ["AWS", "REPOSITORY"],
    "severity": "Medium"
  }
}

input_type = "tf"                 # evaluate against Terraform (IaC) input

resource_type = "aws_s3_bucket"   # simple rule: evaluated once per resource of this type

default allow = false             # a bucket fails unless the allow body below holds

allow {
  input.tags.stage == "prod"      # the bucket carries the tag stage=prod
}

Here’s an example of metadata for an advanced rule:

package rules.filterbuckets
import data.fugue

__rego__metadoc__ := {
  "title": "AWS S3 buckets tagged 'stage:prod' must have private ACLs",
  "description": "S3 buckets with the tag key 'stage' and value 'prod' must have private ACLs",
  "custom": {
    "providers": ["AWS", "REPOSITORY"],
    "severity": "High"
  }
}

input_type = "tf"            # evaluate against Terraform (IaC) input

resource_type = "MULTIPLE"   # advanced rule: the policy set sees all resources, not one at a time

buckets = fugue.resources("aws_s3_bucket")   # every S3 bucket in the input

# Two bodies build the policy set: the first allows compliant prod buckets, the
# second denies non-compliant ones. Buckets without the stage=prod tag match neither.
policy[r] {
  bucket = buckets[_]
  bucket.tags.stage == "prod"
  bucket.acl == "private"
  r = fugue.allow_resource(bucket)
} {
  bucket = buckets[_]
  bucket.tags.stage == "prod"
  not bucket.acl == "private"
  r = fugue.deny_resource(bucket)
}

Note that fugue sync rules does not support comments within the __rego__metadoc__. You may add comments outside of the __rego__metadoc__.

For more information about custom rules, see Writing Rules.

Deprecated metadata format

The HTTP header metadata format is deprecated. Though you can continue to use it, we recommend you use the __rego__metadoc__ metadata format instead, which supports multiple providers.

In the deprecated metadata format, the CLI uses the filename (minus extension) as the name of the custom rule. Underscores are converted to hyphens. For example, the file My_Custom_Rule.rego will result in a rule with the name My-Custom-Rule.

HTTP header metadata is provided in Rego comments, following this format:

# Provider: goes here
# Resource-Type: goes here
# Description: goes here
# Severity: goes here

rule text (code) goes here

Note

If you’re switching from the old HTTP header metadata format to the new __rego__metadoc__ format, make sure the title field in __rego__metadoc__ matches the name of the rule in Fugue. The old format used the filename as the name.

If the title does not match the name, fugue sync rules will create new rules instead of updating the existing ones.

Creating vs. updating rules

The CLI uses the rule name to determine whether a custom rule should be created or updated. If the rule name exists, the rule is updated. Otherwise, a new rule is created. This means renaming a custom rule and running fugue sync rules creates a second copy of the rule using the new name.

Note

The fugue sync rules command does not delete rules. It only creates or updates them. To delete a rule, use fugue delete rule [rule_id].
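The file-format requirements above, the filename-based naming of the deprecated format, and the name-based create-or-update matching can all be checked locally before a sync. The script below is an added example, not part of the Fugue CLI or of these docs. It assumes only what this page states: a .rego extension, a resource_type declaration, one metadata method per file, no comments inside __rego__metadoc__, and a rule name taken from the metadoc title or, for the deprecated format, from the filename with underscores converted to hyphens. The script name lint_rules.py and the set of sample files are constructed for this example and stand in for a real custom-rules/ directory.

```python
"""Pre-sync lint for a directory of Fugue custom-rule files. Added example, not Fugue's own code:
it applies this page's file-format rules and derives the name `fugue sync rules` matches on."""
import re
import sys
from pathlib import Path

METADOC_RE = re.compile(r"^\s*__rego__metadoc__\s*:?=\s*\{", re.M)
TITLE_RE = re.compile(r'"title"\s*:\s*"((?:[^"\\]|\\.)*)"')
RESOURCE_TYPE_RE = re.compile(r'^\s*resource_type\s*:?=\s*"[^"]+"', re.M)
HEADER_RE = re.compile(r"^#\s*(Provider|Resource-Type|Description|Severity)\s*:\s*(.*?)\s*$", re.M)
STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"')   # blanks string literals before looking for '#'

def rule_name_from_filename(filename):
    """Deprecated-format naming: filename minus extension, underscores become hyphens."""
    return Path(filename).stem.replace("_", "-")

def metadoc_block(text):
    """Return the brace-matched source text of the __rego__metadoc__ object, or None."""
    m = METADOC_RE.search(text)
    if not m:
        return None
    depth, i, in_str = 1, m.end(), False
    while i < len(text) and depth:
        c = text[i]
        if in_str:                          # braces inside string literals do not count
            if c == "\\":
                i += 1                      # step over the escaped character
            in_str = c != '"'
        elif c == '"':
            in_str = True
        elif c in "{}":
            depth += 1 if c == "{" else -1
        i += 1
    return text[m.start():i]

def lint_rule(filename, text):
    """Return (rule_name_or_None, [problems]) for one rule file."""
    problems = []
    if not filename.endswith(".rego"):
        problems.append("file extension must be .rego")
    if not RESOURCE_TYPE_RE.search(text):
        problems.append("missing resource_type declaration")
    block, headers, name = metadoc_block(text), dict(HEADER_RE.findall(text)), None
    if block is not None and headers:
        problems.append("uses both __rego__metadoc__ and HTTP header metadata; use one")
    elif block is not None:
        title = TITLE_RE.search(block)
        name = (title.group(1) or None) if title else None
        if name is None:
            problems.append("__rego__metadoc__ has no title")
        # sync rejects comments inside the metadoc; a '#' inside a string value is fine
        if any("#" in STRING_RE.sub("", line) for line in block.splitlines()):
            problems.append("comment inside __rego__metadoc__ (move it outside the object)")
    elif headers:
        name = rule_name_from_filename(filename)
    else:
        problems.append("no metadata found (__rego__metadoc__ or HTTP header comments)")
    return name, problems

def lint_directory(files):
    """files maps filename -> contents. Returns (names, problems, duplicate_names)."""
    names, problems, by_name = {}, {}, {}
    for filename, text in sorted(files.items()):
        names[filename], probs = lint_rule(filename, text)
        if probs:
            problems[filename] = probs
        if names[filename] is not None:
            by_name.setdefault(names[filename], []).append(filename)
    return names, problems, {n: fs for n, fs in by_name.items() if len(fs) > 1}

def load_directory(path):
    return {p.name: p.read_text(encoding="utf-8") for p in Path(path).iterdir() if p.is_file()}

# Constructed sample input standing in for a custom-rules/ directory; the first file is a trimmed copy of this page's simple rule.
BUCKET_TAGS = '''package rules.buckettags
__rego__metadoc__ := {
  "title": "AWS S3 buckets must be tagged",
  "description": "S3 buckets must have the tag key 'stage' and value 'prod'",
  "custom": {"providers": ["AWS", "REPOSITORY"], "severity": "Medium"}
}
resource_type = "aws_s3_bucket"
'''
SAMPLE_FILES = {
    "bucket_tags.rego": BUCKET_TAGS,
    "bucket_tags_v2.rego": BUCKET_TAGS,           # same title: sync would update one rule twice
    "My_Custom_Rule.rego": (                       # deprecated format: the name comes from the filename
        "# Provider: AWS\n# Resource-Type: aws_security_group\n# Severity: Low\n"
        '# Description: Security groups must carry a Name tag\nresource_type = "aws_security_group"\n'),
    "mixed.rego": "# Provider: AWS\n" + BUCKET_TAGS.replace("must be tagged", "need tags"),
    "commented.rego": BUCKET_TAGS.replace("must be tagged", "require tags").replace(
        '  "custom":', '  # provider and severity\n  "custom":'),
}

if __name__ == "__main__":   # usage: python lint_rules.py custom-rules/  (no argument: lint the samples)
    _, problems, dups = lint_directory(load_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES)
    for f, probs in problems.items():
        print(f"{f}: {'; '.join(probs)}")
    print("duplicate rule names:", dups or "none")
```

Two files that resolve to the same name are reported because sync would apply them to the same rule, the second overwriting the first. The rename case described in this section (a new title creating a second copy) cannot be caught from the directory alone; compare the names the script reports against the rules already in your tenant before syncing.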