test

Tip

For more information on writing and testing custom rules, see Managing Custom Rules - CLI.

The fugue test command enables you to test a custom rule by providing Fugue with a scan ID from a selected point in time. The scan ID points to a "snapshot" of the resource configuration at the time of the scan, which is the test data your rule is evaluated against. Because the snapshot is fixed, re-running the test against the same scan ID is deterministic; to exercise the rule against newer resource configuration, run a new scan and test against its ID.

To learn more about custom rules, see Writing Rules.

test

Test custom rules

Usage:
  fugue test [command]

 Available Commands:
  rule        Test a custom rule

Flags:
  -h, --help   help for test

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue test [command] --help" for more information about a command.

test rule

Test a custom rule

Usage:
  fugue test rule [rego file] [flags]

Flags:
  -h, --help                   help for rule
      --resource-type string   Resource type
      --scan string            Scan ID

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Output Attributes

Test Rule Output

The fugue test rule output includes the following attributes:

ID

ID of the tested resource.

RESULT

Whether the resource passed (is compliant with the rule) or failed (is noncompliant). Values - PASS, FAIL

TYPE

Tested resource type (Terraform name — see service coverage pages for AWS, Azure, and Google)

Examples

Testing a rule

Tip

For more detailed information on using the CLI to test rules, see Managing Custom Rules - CLI.

To test a rule, use the fugue test rule command. The [rego file] argument, the --resource-type flag, and the --scan flag are all required:

fugue test rule vpc-cidr-size.rego --resource-type "AWS.EC2.Vpc" \
  --scan 8576a1b3-2f72-4e1d-902a-c81f22222222

You’ll see output like this:

========================================
ID                    | RESULT | TYPE
========================================
vpc-05621851a2b3c4d5e | PASS   | aws_vpc
vpc-07f46019987654321 | FAIL   | aws_vpc

To learn how to find your scan ID, see fugue list scans.

Setting the resource type

If the resource type is defined in the Rego file (as it must be when syncing custom rules, writing rules for multiple providers, or writing rules for the REPOSITORY provider), set the --resource-type flag to DEFINED_IN_CODE:

fugue test rule vpc-cidr-size.rego \
  --resource-type "DEFINED_IN_CODE" --scan 8576a1b3-2f72-4e1d-902a-c81f22222222

If the rule is a simple rule that does not declare its resource type in code, pass the actual resource type name. The naming convention depends on the provider: rules for the REPOSITORY provider (or REPOSITORY + runtime) use the Terraform name (for example aws_vpc), while runtime-only rules use the Fugue name (for example AWS.EC2.Vpc):

fugue test rule vpc-cidr-size.rego \
  --resource-type "AWS.EC2.Vpc" --scan 8576a1b3-2f72-4e1d-902a-c81f22222222
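A simple rule of the kind the commands above test, written here as an added example rather than code from the Fugue documentation. It assumes the AWS.EC2.Vpc resource exposes its CIDR under the attribute name cidr_block (the Terraform attribute name) and that a /20 is the smallest VPC your organization permits; both are assumptions for illustration. Because it declares resource_type in code, you can test it with either --resource-type "AWS.EC2.Vpc" or --resource-type DEFINED_IN_CODE.

```rego
# vpc-cidr-size.rego: a simple (single-resource-type) rule.
# Added example, not Fugue's own code. Assumes the VPC resource
# exposes its CIDR as `cidr_block`.
package rules.vpc_cidr_size

# Declaring the type in code is what makes --resource-type DEFINED_IN_CODE
# work, and it is required before the rule can be synced to an environment.
resource_type = "AWS.EC2.Vpc"

# Largest prefix length (i.e. smallest network) we accept for a VPC.
# Assumed policy value for this example.
max_prefix_length = 20

# Prefix length of a CIDR string, e.g. "10.0.0.0/16" -> 16.
# Undefined (and therefore fails closed below) if the string has no "/".
prefix_length(cidr) = n {
  parts := split(cidr, "/")
  count(parts) == 2
  n := to_number(parts[1])
}

# In a simple rule, `input` is the single resource being evaluated.
# Default to noncompliant so a VPC with a missing or unparseable
# cidr_block shows up as FAIL in `fugue test rule` output.
default allow = false

allow {
  prefix_length(input.cidr_block) <= max_prefix_length
}
```

When you run this against a scan, every VPC in the snapshot appears as one row: PASS where the prefix is /20 or shorter, FAIL otherwise, including VPCs whose cidr_block the rule could not parse, which is the fail-closed behaviour you want from a compliance check.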

If instead the rule is an advanced rule, one that selects its own resources with fugue.resources rather than being handed a single input, use MULTIPLE:

fugue test rule vpc-cidr-size.rego \
  --resource-type "MULTIPLE" --scan 8576a1b3-2f72-4e1d-902a-c81f22222222

To learn how to find the correct resource type name (both Fugue and Terraform), see the service coverage pages for AWS & AWS GovCloud, Azure & Azure Government, and Google.
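The same CIDR-size check rewritten as an advanced rule, so that it is tested with --resource-type MULTIPLE (or DEFINED_IN_CODE, since resource_type is declared). This is an added example, not code from the Fugue documentation; as above, the cidr_block attribute name and the /20 limit are assumptions, and the rule uses the fugue.resources, fugue.allow_resource and fugue.deny_resource_with_message helpers from Fugue's Rego library.

```rego
# vpc-cidr-size-advanced.rego: an advanced (MULTIPLE) rule.
# Added example, not Fugue's own code. Assumes the VPC resource
# exposes its CIDR as `cidr_block`.
package rules.vpc_cidr_size_advanced

import data.fugue

# MULTIPLE tells Fugue that this rule picks its own resources out of the
# scan snapshot instead of receiving one resource as `input`.
resource_type = "MULTIPLE"

# Assumed policy value for this example.
max_prefix_length = 20

# Every VPC in the snapshot the test is run against.
vpcs = fugue.resources("AWS.EC2.Vpc")

# Prefix length of a CIDR string, e.g. "10.0.0.0/16" -> 16.
prefix_length(cidr) = n {
  parts := split(cidr, "/")
  count(parts) == 2
  n := to_number(parts[1])
}

# True only when the VPC's cidr_block could be parsed.
has_prefix(vpc) {
  prefix_length(vpc.cidr_block)
}

# Compliant VPCs: prefix is /20 or shorter.
policy[p] {
  vpc := vpcs[_]
  prefix_length(vpc.cidr_block) <= max_prefix_length
  p = fugue.allow_resource(vpc)
}

# Noncompliant VPCs: prefix longer than /20. The message is what a
# reviewer sees in the report, so say which value was rejected.
policy[p] {
  vpc := vpcs[_]
  n := prefix_length(vpc.cidr_block)
  n > max_prefix_length
  msg := sprintf("VPC CIDR %s is smaller than the minimum /%d", [vpc.cidr_block, max_prefix_length])
  p = fugue.deny_resource_with_message(vpc, msg)
}

# Fail closed: a VPC with no parseable cidr_block must not silently
# drop out of both rules above and go unreported.
policy[p] {
  vpc := vpcs[_]
  not has_prefix(vpc)
  p = fugue.deny_resource_with_message(vpc, "VPC has no parseable cidr_block")
}
```

The third policy clause is the part simple rules get for free from `default allow = false`: in an advanced rule a resource that matches neither an allow nor a deny clause produces no result at all, so an explicit deny for the unparseable case keeps the test output (and the scan report) complete.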