sync

The fugue sync command enables you to sync files to your account.

fugue sync rules allows you to upload custom rule files to your organization to create and update custom rules. It does not delete rules.

sync

Sync files to your account

Usage:
  fugue sync [command]

Available Commands:
  rules       Sync rules to the organization

Flags:
  -h, --help   help for sync

Use "fugue sync [command] --help" for more information about a command.

sync rules

Sync rules to the organization

Usage:
  fugue sync rules [directory] [flags]

Flags:
  -h, --help   help for rules

Examples

Syncing custom rules to your organization

To sync custom rules to your organization, use the fugue sync rules command. The [directory] argument is required:

fugue sync rules custom-rules/

You’ll see output like this:

Creating rule AWS.EC2.SecurityGroup_NoIngressPort9200
Creating rule AWS.RDS.Instance_RequireMultiAZ
Updating rule AWS.TaggedResource_RequireTags
Creating rule Azure.Compute.VirtualMachine_RequireAvailabilitySet

Custom rule file format

The CLI uses the filename (without the .rego extension) as the name of the custom rule. The file contents define the resource type, description, and rule text. Use this format:

# Provider.Resource.Type
# Description goes here

rule text goes here

For example, here are the contents of AWS.EC2.SecurityGroup_NoIngressPort9200.rego:

# AWS.EC2.SecurityGroup
# VPC security groups should not permit ingress from '0.0.0.0/0' to TCP port 9200 (Elasticsearch). Removing unfettered connectivity to an Elasticsearch server reduces the chance of exposing critical data.

deny {
  input.ingress[i].from_port <= 9200
  input.ingress[i].to_port >= 9200
  input.ingress[i].cidr_blocks[_] == "0.0.0.0/0"
}

Using this file, fugue sync rules [directory] creates a rule with the following properties:

Name: AWS.EC2.SecurityGroup_NoIngressPort9200

Resource type: AWS.EC2.SecurityGroup

Description: VPC security groups should not permit ingress from '0.0.0.0/0' to TCP port 9200 (Elasticsearch). Removing unfettered connectivity to an Elasticsearch server reduces the chance of exposing critical data.

Rule text:

deny {
  input.ingress[i].from_port <= 9200
  input.ingress[i].to_port >= 9200
  input.ingress[i].cidr_blocks[_] == "0.0.0.0/0"
}

Creating vs. updating rules

The CLI uses the rule name to determine whether a custom rule should be created or updated. If the rule name exists, the rule is updated. Otherwise, a new rule is created. This means renaming a custom rule and running fugue sync rules creates a second copy of the rule using the new name.

Note

The fugue sync rules command does not delete rules. It only creates or updates them.
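As an added example (not part of the Fugue CLI or its documentation), the following Python script parses rule files in the format described above and plans the create/update actions the page documents, leaving existing rules that have no matching file untouched. The sample file contents are constructed, and the header handling (first two `#` lines, then a blank line, then Rego) is an assumption modelled on the example file.

```python
"""Parse Fugue-style custom rule files and plan a sync (added example)."""
from dataclasses import dataclass
from pathlib import PurePath

@dataclass
class CustomRule:
    name: str           # file name without .rego, as the CLI derives it
    resource_type: str  # first '# ' header line
    description: str    # second '# ' header line
    rule_text: str      # everything after the header

def parse_rule_file(filename: str, contents: str) -> CustomRule:
    """Split one rule file into the four properties the page describes."""
    lines = contents.splitlines()
    header = [l[1:].strip() for l in lines[:2] if l.startswith("#")]
    if len(header) != 2:
        raise ValueError(f"{filename}: first two lines must be '# Provider.Resource.Type' and '# Description'")
    body = "\n".join(lines[2:]).strip()
    if not body:
        raise ValueError(f"{filename}: no rule text after the header")
    return CustomRule(PurePath(filename).stem, header[0], header[1], body)

def plan_sync(files: dict[str, str], existing: set[str]) -> dict[str, list[str]]:
    """Match on rule name: create or update, never delete (a renamed file yields a second rule)."""
    plan: dict[str, list[str]] = {"create": [], "update": []}
    for filename, contents in files.items():
        rule = parse_rule_file(filename, contents)
        plan["update" if rule.name in existing else "create"].append(rule.name)
    return plan

# Constructed sample directory contents, modelled on the page's example file.
SAMPLE_FILES = {
    "AWS.EC2.SecurityGroup_NoIngressPort9200.rego": (
        "# AWS.EC2.SecurityGroup\n"
        "# VPC security groups should not permit ingress from '0.0.0.0/0' "
        "to TCP port 9200 (Elasticsearch).\n\n"
        "deny {\n  input.ingress[i].from_port <= 9200\n"
        "  input.ingress[i].to_port >= 9200\n"
        '  input.ingress[i].cidr_blocks[_] == "0.0.0.0/0"\n}\n'
    ),
    "AWS.TaggedResource_RequireTags.rego":
        "# AWS.TaggedResource\n# Resources must carry tags.\n\ndeny { count(input.tags) == 0 }\n",
}

if __name__ == "__main__":
    verbs = {"create": "Creating", "update": "Updating"}
    for action, names in plan_sync(SAMPLE_FILES, {"AWS.TaggedResource_RequireTags"}).items():
        for name in names:
            print(f"{verbs[action]} rule {name}")
```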