Note

Fugue Console is available to existing Fugue customers. If you’re not an existing customer and you’re interested in access to Console and Fugue, contact us at sales@fugue.co.

Fugue Console

Fugue Console is a web interface for managing Fugue. Fugue, including Console, enables the provisioning and managing of cloud infrastructure, and detects security and compliance violations in your infrastructure. It also automatically detects and corrects configuration drift by reverting any unauthorized change to what was originally provisioned. Console enables users to view, create, and manage infrastructure with an informative visual interface.

Usage

fugue console [OPTIONS] COMMAND [ARGS]

Subcommands

install
Installs Fugue Console.
uninstall
Uninstalls Fugue Console.
upgrade
Upgrades Fugue Console.

Note

For users on a beta version of the Fugue Console (prior to Fugue 1.8), additional steps need to be performed to upgrade the Console to the released version. Contact support@fugue.co for assistance.

Options

Global options are detailed here.

-h | --help
Show help text. The help flag is available throughout the CLI in both an application-level and command-level context. It enables a user to view help text for any command within the Fugue CLI.

Definition

Console is accessible through the web for users with a running Conductor on Fugue Platform. It includes the ability to:

  • Deploy compositions as instances of cloud infrastructure. Each instance is known as a “process,” similar to an operating system process.
  • Take a deep-dive into the health of running processes. Allows users to view the status, created date, process resources, process activity, and more.
  • View the activity of a particular process and export the data as a JSON file.
  • Manage processes by starting, suspending, releasing, killing, updating, and locking them.
  • Deploy policies (validations) to enforce your specific requirements on processes.
  • Create and manage users through Role-Based Access Control.

To review details on installing and configuring Fugue you can take a look here. Once your Fugue installation is complete Console is accessible through the configured URL supplied during the installation process, for example https://console.yourdomain.com.

Installing Console

Console is available to install using either Route 53 or Manual DNS. Due to AWS Fargate restrictions it can only be deployed in the following AWS regions:

  • us-east-1
  • us-east-2
  • us-west-2
  • eu-west-1
  • eu-central-1
  • ap-northeast-1
  • ap-southeast-1
  • ap-southeast-2

Installing Console for GovCloud

While we do not support launching Console in an AWS GovCloud region, you do have the ability to use Console to manage a GovCloud Conductor. To do this launch the Conductor in a supported commercial AWS region, start Console with that Conductor, and then configure Console to manage the GovCloud Conductor. Details on setting up Console are here.

Note: If you are attempting to install Console after making changes with the Fugue runtime command, it is recommended you wait several minutes for any runtime changes to take effect. Refer to details here.

Note for Windows Users: When installing on a Windows machine via PowerShell, Fugue will temporarily disable QuickEdit mode to prevent issues during the setup. QuickEdit mode will re-enable automatically when the process is complete.

Manually Setting Availability Zones in Console

The Console install process automatically detects two Availability Zones (AZ) within the region you select for the Console infrastructure. If you have problems installing Console due to the AZs being unavailable for new resources in your account, or you wish to customize the AZs used by Console, you can manually specify the AZs that will be used through an environment variable.

For example:

export FUGUE_CONSOLE_INSTALLAZ=us-east-1c,us-east-1d

Two things to keep in mind:

  • You must specify two AZs. If you only specify a single AZ the Console installation will fail. If you specify more than two, only the first two will be used and all subsequent entries will be ignored.
  • Console will assume the AZs you provide are valid. If you provide an invalid or unavailable AZ for your account, installation will fail.

You can get a list of AZs available to you using the AWS CLI command describe-availability-zones, but this is the same command that Fugue uses, and it sometimes returns unreliable data. We recommend looking for a pair of AZs that are listed as available to you, but that you don’t heavily utilize. For questions contact support@fugue.co.

Automated Install with Route 53

Fugue Console can be installed into an account automatically if the user has a Route 53 hosted zone available in the same account as Console. The install process will create all of the DNS records for the user, and the Console will be available at the console.example.com subdomain.

Note: If you do not have a domain available in your account, refer to the Automated Install with Manual DNS.

We recommend installing Console in the same account as the Conductor without any additional infrastructure running. This will avoid triggering any AWS resource limitations during the installation process.

Console will install in the same region as your Conductor by default, for example:

$ fugue console install yourdomain.com

You have the option to modify the install location by including the --region flag as follows:

$ fugue console install yourdomain.com --region us-west-2

After issuing the fugue console install command you should see output similar to the following. Confirm with y to proceed with the install.

[ console install ] Installing Fugue Console
Install Details:
   AWS Account: user/012345678987
   Region: us-east-1
   Alias: fugue-console
   Console URL https://console.yourdomain.com
   Console API URL https://console-api.yourdomain.com

Would you like to proceed with installing Console?

After accepting the installation the system will pass through a number of stages to deploy and configure the required infrastructure. Once installation is complete you should receive the following confirmation.

Installing Fugue Console into AWS account  user/012345678987.

Initialization                        Complete
Verifying Console Certificate         Complete
Verifying Console API Certificate     Complete
Adding Database Password to VARS      Complete
Creating the Fugue Console Process    Complete
------------------------------------------------
Overall Progress [##########################]  100%

The Fugue Console process has been created:
  Alias: fugue-console
  FID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Console resources are being provisioned. Please wait as this may take between 10-30 minutes...

[ HELP ] The Console needs to finish provisioning before it is ready. Exiting the install command while in progress (CTRL+C) will only stop progress tracking and *not* the provisioning process.

[ OK ] Fugue Console installed.

  Console URL: https://console.yourdomain.com
  Console API URL: https://console-api.yourdomain.com

Note

The Console installation process can take up to 30 minutes to complete. If you encounter issues or you have questions about your installation reach out to us at support@fugue.co.

Automated Install with Manual DNS

Fugue Console can also be installed into an account without a Route 53 hosted zone. The Fugue CLI will prompt the user to manually create two CNAME records to verify the ACM certificates created in the install process, as well as one CNAME record for the UI at console.example.com and one for the API at console-api.example.com.

We recommend installing Console in the same account as the Conductor without any additional infrastructure running. This will avoid triggering any AWS resource limitations during the installation process.

Console will install in the same region as your Conductor by default, for example:

$ fugue console install yourdomain.com

You have the option to modify the install location by including the --region flag as follows:

$ fugue console install yourdomain.com --region us-west-2

After issuing the fugue console install command you should see output similar to the following. Confirm with y to proceed with the install.

[ console install ] Installing Fugue Console
Install Details:
   AWS Account: user/012345678987
   Region: us-east-1
   Alias: fugue-console
   Console URL https://console.yourdomain.com
   Console API URL https://console-api.yourdomain.com

Would you like to proceed with installing Console?

You will be prompted to create CNAME records in your third party DNS service provider account (Namecheap, GoDaddy, etc.). AWS will use these records to verify domain ownership for the ACM certificates created in the initialization step.

You should see something similiar to the following:

Add the following records to the DNS configuration for your domain. The procedure for adding CNAME records depends on your DNS service provider.

   Record type: CNAME
   Record host/label: _1c448db1d4555e01cd7723539a011c8c.console.yourdomain.com.
   Record destination/target: _b2658b61a3c1a1a60eb0740384d6b8a8.acm-validations.aws.

   Record type: CNAME
   Record host/label: _cc5496cf1be8c2e51a58d5cdca94c4b7.console-api.yourdomain.com.
   Record destination/target: _3ffcb590832c6fc2e65e2d8cdc073037.acm-validations.aws.

[ WARN ] Please enter "y" once you have created the records, or "N" to exit the install. [y/N]:

After you have created those records, select y to continue with the installation. Once installation is complete you should receive the following confirmation.

Installing Fugue Console into AWS account  user/012345678987.

Initialization                        Complete
Verifying Console Certificate         Complete
Verifying Console API Certificate     Complete
Adding Database Password to VARS      Complete
Creating the Fugue Console Process    Complete
------------------------------------------------
Overall Progress [##########################]  100%

The Fugue Console process has been created:
  Alias: fugue-console
  FID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Console resources are being provisioned. Please wait as this may take between 10-30 minutes...

[ HELP ] The Console needs to finish provisioning before it is ready. Exiting the install command while in progress (CTRL+C) will only stop progress tracking and *not* the provisioning process.

[ OK ] Fugue Console installed.

  Console URL: https://console.yourdomain.com
  Console API URL: https://console-api.yourdomain.com

Note

The Console installation process can take up to 30 minutes to complete. If you encounter issues or you have questions about your installation reach out to us at support@fugue.co.

Console Setup

After the installation through the command line there are a few steps you will need to complete to finalize the setup of Console. Launch Console in your browser and select from one of the two available options, “Same Account” or “Different Account”. The first option “Same Account” is for users that have configured Console in the same AWS account as their Conductor.

Note: For GovCloud users, select your GovCloud account under the region section with the “Different Account” option.

Console setup with the same account.

Console setup with the same account

The second option for “Different Account” is for users that have configured Console for a different account. For this you will need to input your AWS credentials.

Console setup with a different account.

Console setup with a different account

Once you have completed “Step 1”, “Step 2” for either scenario (Different Account or Same Account) is to configure an administrator for Console. This enables you to create additional users, or to configure access to Console via SAML.

Console setup Step 2.

Console setup Step 2.

As usual if you have questions about installation or run into any issues reach out to us at support@fugue.co.

Using Console

Application Settings

Application Settings for Console are available on the top right of the navigation panel and include configuration settings for the Conductor, User Authentication (SAML), and Email.

Where are the application settings located?

Where are the application settings located?

Conductor

Conductor credentials are stored and edited through the application settings. The credentials that were created when you installed Fugue will be populated here by default.

Authentication Settings

Authentication Settings store SAML Configuration details and enables administrators to view and modify these settings. SAML configuration is also linked from the Users page (Configuration → Users) through the “Manage SAML” button at the top right of the page.

Email (SMTP Configuration)

SMTP Configuration enables administrators to configure an SMTP server for email communications. Configuring the SMTP settings enables users to reset their passwords through an email.

Configuration

The Configuration section of Console enables users to view, create, and manage validations. You can also create and administrate users (for access to Console), configure SAML, and attach an RBAC policy.

Note: Users will only be able to view features and functionality for which they have been granted permission.

Validations

Validations allow users to create a function that tests a property of your code, and if any portion of the code fails that test, it will not compile locally (design-time validations), or on the Conductor (runtime validations). A composition that fails validation cannot be executed. Check out this page for an example on writing your own runtime validation.

Within Console users with the appropriate permissions have the ability to view, remove, and add new validations. Once you have a validation that you would like to apply to Console refer to the following steps:

  1. Under Configuration on the main menu, select Validations.
  2. Select Add New Validation on the top right of the page.
  3. Provide a name for your validation and browse to the .lw file you created.
  4. Click Add Validation.

Users

The Users portion of Console enables administrators to view, create, and manage users. The table displays the email for each user, their admin status, the associated RBAC permissions, and the created/updated dates and times.

  • Administrators can edit user permissions, change passwords, and remove users.
  • Users can be added via the “Add New User” button.
  • For information on Console users vs. RBAC users see details here.

SAML Configuration

SAML Configuration is accessible through the Configuration Feature, under Users. Look for the Manage SAML button to access this feature. SAML integration is supported through Okta, Google, and Ping Identity. Note: You must have admin access to create a new SAML app.

Warning

It is a best practice to have at least one non-SAML administrative user configured in Console. Failure to maintain this admin user, in the event of SAML configuration issues, will require you to uninstall and reinstall Console.

Before you begin, complete the following steps:

  1. Locate the administrative credentials you used to set up Console (for example “bob”).
  2. Create a new administrator with a non-SAML email address.
  3. Delete the original administrative credentials for “bob” from step 1.
  4. Invite the previous administrator “bob” via the SAML app.

Important Items to Note:

  • Users can log into Console using SAML or an email address and password, but they cannot have access to both.
  • Currently, only email addresses are supported with SAML. If you attempt to configure SAML with a username that is not an email address it will fail to authorize.

SAML General Setup:

  1. Create your application in Okta, Google, or Ping Identity.
  2. Use https://console-api.[yourdomain.name]/saml/callback and replace [yourdomain.name] with your domain. (For example, if your domain is fugue.co, enter https://console-api.fugue.co/saml/callback in the Single sign on URL field.)
  3. Use https://console.[yourdomain.name] and replace [yourdomain.name] with your domain.
  4. Make sure to select an email address for the user login information.
  5. Open Console and navigate to the Application Settings page.
  6. Select the User Authentication Tab and click the Edit SAML Configuration button.
  7. Paste the URL from step 2 into the IDP Entry Point field.
  8. Paste the URL from step 3 into the Identity Provider Cert (PEM) field.
  9. Click Save.

RBAC Policy

Console supports RBAC policy and allows administrators to view current policy, policy status, source details (e.g. the full policy file/configurations), and a table of RBAC users with the name and created/updated dates and times. Administrators can also attach and detach any RBAC policy they would like to apply to Console.

Note: To clarify, if you want to make a new Console user we recommend the “Add New User” button via Users or if you’re using SAML via “Manage SAML”. A Console user is not the same thing as an RBAC user.

To create a new RBAC policy you will need to author a policy outside of Console and have a bundled file .tar.gz available for upload. If you’re new to creating RBAC policy check out How to Use RBAC and consider running through an example like Using the RBAC Feature for a hands-on walkthrough of setting up policy to manage users.

RBAC Policy page.

RBAC Policy page.

Adding an RBAC Policy

Once you’re comfortable that you have a policy you would like to apply to Console refer to the following steps:

  1. Under Configuration on the main menu, select RBAC Policy.
  2. Select Attach New Policy from the two buttons/options on the top right.
  3. Browse to your tar.gz file containing your RBAC policy.
  4. Click Attach Policy.

Note: Both Fugue and Console only support attaching a single RBAC policy file at a time.

Note for GovCloud Users: For users who have configured Console to manage a Fugue Conductor in a GovCloud account, you can attach an RBAC policy. However the initial policy attachment will need to be done via the CLI and then the details for RBAC will display in the Console. Contact support@fugue.co if you need assistance.

Console vs. RBAC

The following table identifies the access control for various Console pages and features. In other words, the access to some features are controlled through the Console itself (the application) and others are access controlled through RBAC. In some instances features or settings can be controlled by both the Console or RBAC as noted below. For questions or concerns reach out to support@fugue.co.

Page/Feature Name Console or RBAC
Processes Page RBAC
Process - Update RBAC
Process - Kill RBAC
Process - Suspend RBAC
Process - Resume RBAC
Process - Release RBAC
Process - Configure RBAC
Process - Set Lock RBAC
History/Ops Table RBAC
Accounts (add/delete) RBAC
RBAC (attach/detach/reattach) RBAC
Validations RBAC
Compositions (add/remove/configure) Console
Compositions (create new process) RBAC
User(s) Page Console
Add User Console + RBAC
Edit User Console + RBAC
Manage SAML Console + RBAC
Settings (Edit SAML) Console + RBAC
Settings (Edit SMTP) Console
Settings (Edit Conductor Creds) Console
Settings (Edit Conductor Account) Console

Note: For items that indicate Console + RBAC, this is because you need to be able to list RBAC users to assign them to Console users.

Console Users and RBAC Users

RBAC can be used to control access to the Process, Account, Validations, and RBAC Policy features of the Console. An RBAC user can be assigned to a Console user to give that user specific access rights. RBAC users are defined by creating and uploading an RBAC policy.

By default, all users you create through the Console interface can be assigned the “root” RBAC user, which will provide full permissions across the Console features (specifically Process, Account, Validations, and RBAC Policy). This “root” RBAC user is available regardless of whether or not you have attached an RBAC policy.

Access to Users, Settings, and Compositions is controlled through Console via the “Administrator Rights” checkbox available via the Users page under “Edit Permissions”.

In general, we recommend utilizing RBAC policy to control user permissions in a more granular fashion. If you have questions or want assistance in building your policy reach out to us at support@fugue.co.

Infrastructure

The Infrastructure section of Console provides access to Processes and Accounts.

Processes

The Processes page displays a table of currently running processes, labelled Managed Process, and includes the following fields: FID, alias, Fugue account, state, last job, created (date/time), and updated (date/time).

Users can “Create New Process” from one of two options:

  • Composition files stored locally within Console
  • Composition files on a local machine. For files selected/uploaded from a local machine users have the option to save the composition as a template for future use on Console.

Here’s an example of the new process page using an existing composition. Note that you the ability to preview a dry-run before you launch the process.

Create a new process

Create a new process.

Viewing Process Details

Selecting the FID for any managed process provides access to additional details and management capabilities.

By selecting an individual process a user can view:

  • Additional process details (enforcement status, lock status)
  • Detailed resource information (e.g. dhcpOptions)
  • Activity history including the requestor, and an option to export these details

By selecting an individual process a user can perform actions including:

  • Locking a process
  • Updating a process
  • Suspending a process
  • Killing a process
  • Releasing a process
  • Configuring a process
View details for a single process.

Note: Users will only be able to view features and functionality for which they have been granted permission.

Accounts

Accounts displays the active accounts and allows you to:

  • Remove existing accounts (via the ellipsis option for each displayed account)
  • Add accounts through the “Add New Account” button.
    • You will need to provide a name and the associated AWS IAM Policy information for the account
    • Take a look here for more details on adding accounts with Fugue

Templates

Templates enables users to store composition files for reuse within Console. Templates will display details for each item including the composition name, description, filename, created (date/time), and updated (date/time).

Note: Users will only be able to view features and functionality for which they have been granted permission.

Users also have the ability to:

  • Revise the name or description of an existing composition (through the ellipsis menu)
  • Remove a composition (through the ellipsis menu)
  • Add/upload a new composition (via the button on the top right)
  • Create a new process. You can also create a new process from the Processes page.

FAQ

What is Console?

Console is a web interface for managing Fugue. It enables users to interact with Fugue’s capabilities, including the provisioning and managing of cloud infrastructure, through a visual web based tool.

How do I install Console?

Details on installing Console are listed on this page here. Remember that you will need to have a Fugue Conductor to install and run Console. If you need information on installing the Conductor refer to the Fugue Quick Setup. If you have questions or need assistance with the installation process for Console, or Fugue, contact us at support@fugue.co.

How do I uninstall Console?

To remove Console and the associated external resources run the fugue console uninstall command.

How do I upgrade Console?

To upgrade Console you will need to run fugue console upgrade from the command line.

Note

For users on a beta version of the Fugue Console (prior to Fugue 1.8), additional steps need to be performed to upgrade the Console to the released version. Contact support@fugue.co for assistance.

What platforms support Console?

Console is currently supported on the same platforms as the Fugue Client Tools and includes:

  • macOS El Capitan (10.11.*), macOS Sierra (10.12.*), macOS High Sierra (10.13.*)
  • Ubuntu (14.04 LTS, 16.04 LTS)
  • Amazon Linux (2016.03.3)
  • RHEL 6 & 7.2 (Yum/RPM)
  • Microsoft Windows (Windows 7, 10) Note: For Windows users we recommend using PowerShell 5 and $env:var syntax. To determine your version of PowerShell you can use echo$PSVersionTable.PSVersion.

If you have additional questions reach out to support@fugue.co.

Do I need to have Fugue installed before I can use Console?

Yes, you will need to have the Conductor up and running.

What permissions are required for Console? And how do those differ from RBAC permissions?

Permissions apply to both Console and RBAC, refer to those details in the table here.

What if I have comments or questions?

You can reach out to us at support@fugue.co. Alternatively if you’re a new user looking to launch Console and you do not have a Fugue Platform account contact sales@fugue.co.