update¶

The fugue update command enables you to update an AWS, AWS GovCloud, Azure, Azure Government, Google, or repository environment; a custom family; a custom rule; a user’s RBAC groups; or a rule waiver.

update¶

Update a resource

Usage:
  fugue update [command]

Available Commands:
  environment  Update environment settings
  family         Update family settings
  rule         Update rule settings
  rule-waiver  Update rule waiver settings
  users-groups Batch update group assignments for multiple users

Flags:
  -h, --help   help for update

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue update [command] --help" for more information about a command.

update environment¶

Example
Output attributes
Accepted parameter values
Arguments:
- [environment_id]

Update environment settings

Usage:
  fugue update environment [environment_id] [flags]

Aliases:
  environment, env

Flags:
     --baseline-id string                 Baseline scan ID
     --branch string                      Repository environment branch
     --compliance-families strings        Compliance families
 -h, --help                               help for environment
     --name string                        Environment name
     --regions strings                    AWS regions (SEE NOTE)
     --remediate-resource-types strings   Remediation resource types (AWS and AWS GovCloud only)
     --remediation                        Enable automatic remediation (AWS and AWS GovCloud only)
     --scan-interval int                  Scan interval (seconds)
     --scan-schedule-enabled              Enable automatic scanning schedule (default true)
     --service-account-email string       Google service account email
     --survey-resource-types strings      Survey resource types
     --url string                         URL for repository environment

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

update family¶

Example
Output attributes
Accepted parameter values
Arguments:
- family_id

Update family settings

Usage:
  fugue update family [family_id] [flags]

Flags:
      --always-enabled       If the family will automatically be enabled on all environments within the tenant
      --description string   Description
  -h, --help                 help for family
      --name string          Family name
      --recommended          If the family is recommended for all new environments (default true)
      --rule-ids strings     List of rule IDs to associate with the family (e.g. FG_R00217,<UUID Custom Rule ID>)

update rule¶

Example
Output attributes
Accepted parameter values
Arguments:
- [rule_id]

Update rule settings

Usage:
  fugue update rule [rule_id] [flags]

Flags:
      --description string     Description
      --families strings       Families
  -h, --help                   help for rule
      --name string            Rule name
      --resource-type string   Resource type
      --severity string        Severity
      --text string            Rule text

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

update rule-waiver¶

Example
Output attributes
Accepted parameter values
Arguments:
- [rule_waiver_id]

Update rule waiver settings

Usage:
  fugue update rule-waiver [rule_waiver_id] [flags]

Aliases:
  rule-waiver, waiver, rule_waiver

Flags:
      --comment string         Rule waiver comment
      --expires-at string   Expires at in RFC3339 representation, Unix timestamp (e.g. '2020-01-01T00:00:00Z' or '1577836800') or at duration in ISO 8601 format (e.g. 'P3Y6M4DT12H') or '4d', 1d12h, etc.
  -h, --help                   help for rule-waiver
      --name string            Rule waiver name

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

update users-groups¶

Example
Accepted parameter values
Required flags:
- --group-ids
- --user-ids

Batch update group assignments for multiple users

Usage:
  fugue update users-groups [flags]

Aliases:
  users-groups, users_groups

Flags:
      --group-ids strings   Groups to assign to provided users
  -h, --help                help for users-groups
      --user-ids strings    Users to update

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Output Attributes¶

Update environment output¶

The fugue update environment output includes the following attributes:

ENVIRONMENT_ID: ID of the environment.
NAME: Name of the environment.
PROVIDER: Name of the cloud service provider for the environment. Values - AWS, AWS_GOVCLOUD, AZURE (applies to both Azure and Azure Government environments), GOOGLE, REPOSITORY
SCAN_INTERVAL: Time in seconds between the end of one scan to the start of the next. Learn more about scan intervals.
BASELINE_ID: Scan ID of the baseline if baseline is enabled.
LAST_SCAN_AT: When the current or most recently completed scan for the environment started, Unix time.
NEXT_SCAN_AT: When the next scan will start, Unix time.
SCAN_STATUS: Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED
COMPLIANCE_FAMILIES: List of compliance families validated against the environment.
DRIFT: Indicates whether drift detection is enabled for the environment.
REMEDIATION: Indicates whether baseline enforcement is enabled for the environment.
ROLE: AWS IAM Role ARN that will be assumed to scan and enforce infrastructure. AWS and AWS GovCloud only
REGION: Deprecated. The AWS or AWS GovCloud region to scan and enforce infrastructure in. AWS and AWS GovCloud only
REGIONS: The AWS or AWS GovCloud region(s) to scan and enforce infrastructure in. Values - see Service Coverage. "*" denotes all regions. AWS and AWS GovCloud only
SUBSCRIPTION_ID: The subscription ID of the Azure subscription to be used. Azure & Azure Government only
APPLICATION_ID: The application ID/client ID of the service principal to be used. Azure & Azure Government only
PROJECT_ID: The project ID of the Google project to be used. Google Only
SERVICE_ACCOUNT_EMAIL: Fugue securely scans your resources by assuming a properly permissioned service account and generating credentials that are valid for an hour. Refer to Google Service accounts for more information. Google Only
URL: URL of the repository. Repository environments only
BRANCH: Branch of the repository. Repository environments only

Update custom family output¶

The fugue update family output includes the following attributes:

FAMILY_ID: ID of the custom compliance family.
NAME: The name of the compliance family.
DESCRIPTION: Lists the description for the compliance family
RECOMMENDED: Lists whether the compliance family is included in the recommended compliance family list. true or false
ALWAYS_ENABLED: Lists whether the compliance family is set to always run in your tenant. true, t, false, or f
RULE_IDS: IDs of the rules associated with the compliance family.
CREATED_AT: When the rule was created.
CREATED_BY: Lists the ID of the user that created the rule.
CREATED_BY_DISPLAY_NAME: Lists the name of the user that created the rule.
UPDATED_AT: When the rule was last updated.
UPDATED_BY: Lists the ID of the user that updated the rule.
UPDATED_BY_DISPLAY_NAME: Lists the name of the user that updated the rule.

Update rule output¶

The fugue update rule output includes the following attributes:

NAME: ID of the custom rule.
DESCRIPTION: Description of the custom rule.
PROVIDER: Provider of the custom rule. Values - AWS, AWS_GOVCLOUD, AZURE (applies to both Azure and Azure Government environments), GOOGLE, REPOSITORY
RESOURCE_TYPE: Resource type to which the custom rule applies.
SEVERITY: Rule severity. Values - Informational, Low, Medium, High, Critical
STATUS: The current status of the rule. Values - ENABLED, DISABLED, INVALID
FAMILIES: List of compliance families associated with the rule.
CREATED_AT: When the rule was created.
CREATED_BY: Lists the ID of the user that created the rule.
CREATED_BY_DISPLAY_NAME: Lists the name of the user that created the rule.
UPDATED_AT: When the rule was last updated.
UPDATED_BY: Lists the ID of the user that updated the rule.
UPDATED_BY_DISPLAY_NAME: Lists the name of the user that updated the rule.

Update rule waiver output¶

The fugue update rule-waiver output includes the following attributes:

RULE_WAIVER_ID: ID of the rule waiver.
NAME: Name of the rule waiver.
COMMENT: Comment on why the rule waiver was created.
ENVIRONMENT_ID: ID of the environment in which the rule waiver was created.
ENVIRONMENT_NAME: Name of the environment in which the rule waiver was created.
RULE_ID: ID of the rule to which the rule waiver applies.
RESOURCE_ID: ID of the resource to which the rule waiver applies.
RESOURCE_TYPE: Type of the resource to which the rule waiver applies.
RESOURCE_PROVIDER: Provider of the resource to which the rule waiver applies.
RESOURCE_TAG: Tag of the resource to which the rule waiver applies.
EXPIRES_AT: Date the waiver expires. If no date is set, the waiver never expires. Accepted date/time formats include: Unix timestamp, RFC3339 formatted date, and a duration in ISO 8601 format.
CREATED_AT: Create date and time of the rule waiver.
CREATED_BY: ID of the API client or user that created the rule waiver.
CREATED_BY_DISPLAY_NAME: Name of the user that created the rule waiver. Blank for API clients.
UPDATED_AT: Last update date and time of the rule waiver.
UPDATED_BY: ID of the API client or user that last updated the rule waiver.
UPDATED_BY_DISPLAY_NAME: Name of the user that last updated the rule waiver. Blank for API clients.

Examples¶

Updating an environment¶

To update an environment, use the fugue update environment command. The [environment_id] argument is required. You can specify one or more flags.

Note

Azure and Azure Government resource groups cannot be updated through the CLI. Instead, use the API to change which resource groups are scanned.

The following example changes the name to “Updated CLI Example” and the scan interval to 1 hour for AWS GovCloud environment a3130ff0-5c32-43e2-1111-112233445566:

fugue update environment a3130ff0-5c32-43e2-1111-112233445566 \
  --name "Updated CLI Example" --scan-interval 3600

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | a3130ff0-5c32-43e2-1111-112233445566
NAME                | Updated CLI Example
PROVIDER            | aws_govcloud
SCAN_INTERVAL       | 3600
BASELINE_ID         | -
LAST_SCAN_AT        | 2019-09-11T11:29:22-04:00
NEXT_SCAN_AT        | 2019-09-14T12:34:25-04:00
SCAN_STATUS         | SUCCESS
COMPLIANCE_FAMILIES | SOC-2_v2017
DRIFT               | true
REMEDIATION         | false
ROLE                | arn:aws-us-gov:iam::123456789012:role/FugueRole1568823736
REGION              | us-gov-west-1

For more information about updating scan intervals, see the API User Guide.

To find your environment ID, use the fugue list environments command.

See Output Attributes for details.

Updating the regions for an AWS environment¶

Only environments with certain conditions support region updates. See our note here.

To update the regions for an environment, use the --regions flag, which allows you to select one or more regions.

If us-east-1 is currently scanned but you also want to scan us-east-2, you’ll need to specify both:

fugue update environment 19d77f18-cf71-47b5-8003-112233445566 --regions "us-east-1","us-east-2"

You can specify all regions by using "*":

fugue update environment 19d77f18-cf71-47b5-8003-112233445566 --regions "*"

For a list of supported regions, see Service Coverage.

Updating the baseline ID for an environment¶

To update the baseline ID for an environment, you’ll first need to find the scan ID to use as a baseline. Then, specify it with the --baseline-id flag:

fugue update environment a3130ff0-5c32-43e2-1111-112233445566 \
  --baseline-id "8627293b-af89-47c8-b7d0-9cf6c7559b7f"

You can disable the baseline (and therefore drift detection) by passing an empty string:

fugue update environment a3130ff0-5c32-43e2-1111-112233445566 \
  --baseline-id ""

For more information about baselines, see the API User Guide.

Updating resource types or compliance standards¶

To update the list of scanned/enforced resource types or compliance standards for an environment, you’ll need to list all desired items. For example, if AWS.EC2.Vpc is currently scanned but you also want to scan AWS.EC2.SecurityGroup, you’ll need to specify both:

fugue update environment a3130ff0-5c32-43e2-1111-112233445566 \
  --survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup"

Similarly, if you want to change your compliance standards from CIS AWS (v1.3.0) and GDPR (v2016) to just CIS AWS (v1.3.0), specify only the standard you want:

fugue update environment a3130ff0-5c32-43e2-1111-112233445566 \
  --compliance-families "CIS-AWS_v1.3.0"

Note

The --survey-resource-types and --remediate-resource-types flags are only for AWS and AWS GovCloud environments. To update an Azure or Azure Government environment’s scanned or enforced resource groups, use the UI or API.

Updating a repository environment’s branch¶

Note

Currently, the only flags you can use to update repository environments are --branch, --compliance-families, --name, and --url.

To update the branch name for a repository environment, use the --branch flag:

fugue update environment af2394cd-ecab-4ae4-abcd-1234abcd1234 \
  --branch "develop"

You’ll see output like this:

============================================================
ATTRIBUTE           | VALUE
============================================================
ENVIRONMENT_ID      | af2394cd-ecab-4ae4-abcd-1234abcd1234
NAME                | My Repository Environment
PROVIDER            | repository
SCAN_INTERVAL       | 0
BASELINE_ID         | -
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | -
SCAN_STATUS         |
COMPLIANCE_FAMILIES | CIS-AWS_v1.3.0, Custom
DRIFT               | false
REMEDIATION         | false
URL                 | https://github.com/my-username/my-repo
BRANCH              | develop

Note that after you execute this command, you must execute regula run --sync --upload to scan the environment again with the desired branch checked out in order to update the resources in your environment.

Updating a family¶

To update a family for an organization, use the fugue update family command. The family_id argument is required. You can specify one or more other flags.

The following example changes the custom family’s name, description, and associated rules:

fugue update family e4792832-62a0-468f-8d91-3b5d80407abe --name "MegaBank Production Policy" \
  --description "High, critical rules applicable to production" \
  --rule-ids "FG_R00004,FG_R00252,FG_R00049,FG_R00028"

You’ll see output like this:

=========================================================================
ATTRIBUTE               | VALUE
=========================================================================
NAME                    | MegaBank Production Policy
DESCRIPTION             | High, critical rules applicable to production
RECOMMENDED             | false
ALWAYS_ENABLED          | true
RULE_IDS                | FG_R00004, FG_R00028, FG_R00049, FG_R00252
CREATED_AT              | 2021-07-27T18:27:32-04:00
CREATED_BY              | user:b8e52141-f9ce-43b8-8ee5-933bc4ccf4ad
CREATED_BY_DISPLAY_NAME | Amelia Smith
UPDATED_AT              | 2021-08-04T14:18:49-04:00
UPDATED_BY              | api_client:dc26df6e-xxxx-xxxx-xxxx-xxxxxxxxxxxx
UPDATED_BY_DISPLAY_NAME |

To find your family ID, use the fugue list families command.

See Output Attributes for details.

Note

You can update always_enabled and recommended values for Fugue-defined families.

Updating a custom rule¶

Note

Custom rule providers cannot be updated via the CLI. Instead, use the UI or API.

To update a custom rule for an organization, use the fugue update rule command. The [rule_id] argument and --text flag are required. You can specify one or more other flags.

The following example changes rule ee9c69ba-d484-40cf-9c92-123456789012 to have the name “Updated - Require RDS instance multi-AZ” and the rule text (code) "allow { input.multi_az == true }":

fugue update rule ee9c69ba-d484-40cf-9c92-123456789012 \
  --name "Updated - Require RDS instance multi-AZ" \
  --text "allow { input.multi_az == true }"

You’ll see output like this:

===============================================================================================================================
ATTRIBUTE     | VALUE
===============================================================================================================================
NAME          | Updated - Require RDS instance multi-AZ
DESCRIPTION   | RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data.
PROVIDER      | AWS_GOVCLOUD
RESOURCE_TYPE | AWS.RDS.Instance
SEVERITY      | High
STATUS        | ENABLED

For information about specifying the --resource-type flag, see Custom Rules Reference.

To find your rule ID, use the fugue list rules command.

See Output Attributes for details.

Updating a rule waiver¶

To update a rule waiver for an organization, use the fugue update rule-waiver command. The [rule_waiver_id] argument is required. You can use either the --name flag, the --comment flag, the --expires-at flag, or all three, to change the name, the comment, or the expiration date of the rule waiver.

Note

Be aware that you cannot add an expiration date to waivers created before expiration was introduced (March 17, 2022).

The following example updates rule waiver 36283aca-b747-43cf-8af2-ee20b7b51b9c to have the name “Waive CMK for frontend-security-function”, the comment “KMS CMK is not required in test environments.”, and expiration date of 2022-11-05T20:00:00-04:00:

fugue update rule-waiver 36283aca-b747-43cf-8af2-ee20b7b51b9c \
  --name "Waive CMK for frontend-security-function" \
  --comment "KMS CMK is not required in test environments." \
  --expires-at "2022-11-05T20:00:00-04:00"

You’ll see output like this:

================================================================================================
ATTRIBUTE               | VALUE
================================================================================================
RULE_WAIVER_ID          | 36283aca-b747-43cf-8af2-ee20b7b51b9c
NAME                    | Waive CMK for frontend-security-function
COMMENT                 | KMS CMK is not required in test environments.
ENVIRONMENT_ID          | 95705e29-3605-4b5f-b8cb-35a7af93ba06
ENVIRONMENT_NAME        | Demo 3
RULE_ID                 | FG_R00068
RULE_DESCRIPTION        | CloudWatch log groups should be encrypted with KMS CMKs. CloudWatch
                          log groups are encrypted by default. However, utilizing KMS CMKs gives
                          you more control over key rotation and provides auditing visibility
                          into key usage.
RULE_COMPLIANCE_MAPPING |
RESOURCE_ID             | /aws/lambda/us-east-1.frontend-security-function
RESOURCE_TYPE           | AWS.CloudWatchLogs.LogGroup
RESOURCE_PROVIDER       | aws.us-west-2
RESOURCE_TAG            | *
EXPIRES_AT              | 2022-11-05T20:00:00-04:00
CREATED_AT              | 2021-02-19T00:51:43-05:00
CREATED_BY              | api_client:343b807b-019a-484b-9bce-c774270efb5e
CREATED_BY_DISPLAY_NAME |
UPDATED_AT              | 2022-04-25T19:24:25-05:00
UPDATED_BY              | api_client:343b807b-019a-484b-9bce-c774270efb5e
UPDATED_BY_DISPLAY_NAME |

To find your rule waiver ID, use the fugue list rule-waivers command.

See Output Attributes for details.

Updating users’ groups¶

To assign one or more users to one or more groups, use the fugue update users-groups command. The --user-ids and --group-ids flags are required. Ensure you list all the desired groups for the users. For instance, if user afc92650-7ada-4c43-ad64-5a1d85e3c298 is already part of group a1754afd-15ac-4454-8f94-9cf7be3bd1e8 but you want them to also be part of group f579689a-0a1e-48cf-a8a7-8d723d4d4b63, list both IDs:

fugue update users-groups \
  --user-ids afc92650-7ada-4c43-ad64-5a1d85e3c298 \
  --group-ids "a1754afd-15ac-4454-8f94-9cf7be3bd1e8","f579689a-0a1e-48cf-a8a7-8d723d4d4b63"

You’ll see output like this:

Successfully updated user(s) group assignments

To find your user ID, use the fugue list users command.

To find your group ID, use the fugue list groups command.