Demonstrating Enforcement

Overview

This example shows you how Fugue automatically enforces your infrastructure configuration: it removes a security group ingress rule that was added by hand in the AWS Management Console, and restores an egress rule that was deleted by hand.

Prerequisites

You’ll need to have the Fugue CLI set up and the Conductor installed before you can run this example. If you haven’t done so yet, it just takes a few quick steps.

What We’ll Do In This Example

We’ll cover how to run a basic composition, and then we’ll mess around with our infrastructure in the AWS Management Console to demonstrate how Fugue automatically restores its configuration.

What We’ll Have When We’re Done

  • 1 VPC
  • 1 security group
  • 2 security group ingress rules

How Long It Will Take

About 15 minutes.

Download

You can download the source code for this example here. Save it to the directory in which you ran fugue init during the Quick Setup.

Get editor plug-ins here.

Let’s Go!

Running the Composition

First, we’re going to run the Enforcement.lw composition, giving the process the alias enforce so later commands can refer to it by name. As long as the process is running, the Fugue Conductor maintains and monitors the infrastructure it created.

fugue run Enforcement.lw -a enforce

Fugue enforces your infrastructure by comparing what AWS reports back to the declarations in your Ludwig code. If there’s a difference between the Ludwig and the actual state of your infrastructure that didn’t come from Fugue itself, Fugue reverts the change, restoring your infrastructure to the declared state.

We’re going to demonstrate this enforcement by logging into the AWS Management Console and messing around with some security group rules.

Enforcement Primer

There are two types of enforcement actions: mutate and create/delete.

An enforcement to counter mutation is when a resource’s configuration is changed out of band and Fugue changes (or mutates) the configuration to return it to its declared state. One example is if you manually add a rule to a security group declared in your composition: Fugue will delete it. Adding or removing a rule changes the security group’s configuration rather than deleting the group itself, so both halves of this example are mutation enforcement.

An enforcement to counter deletion is when a resource itself is deleted out of band, and Fugue recreates it to return your infrastructure to its declared state. One example is if you manually delete a VPC declared in your composition, Fugue will recreate it.

These two types of actions are handled differently, with different timing. Enforcement to counter mutation typically happens quickly. Enforcement to counter deletion takes longer. Fugue relies on API describe calls to AWS to get an accurate picture of your infrastructure, and AWS’s API is eventually consistent, meaning it can take time for a change to be visible from every endpoint. Fugue caches the results of these describe calls for at least 10 minutes to hedge against performance and reliability issues in AWS. Therefore, it takes at least 10 minutes for Fugue to consider a resource deleted and recreate it; the wait may be longer depending on the performance of Fugue and AWS. That is also why this example only deletes a rule, not the whole security group or VPC: you would be waiting a while for the recreate.
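To make the mutation side of enforcement concrete, here is an added illustration of the comparison step, written for this page; it is not Fugue’s code and it does not reproduce Enforcement.lw, which is not shown on this page. It assumes a declared rule set for mySecurityGroup (two ingress rules and one egress rule, chosen as an assumption), and the describe result it diffs against is constructed sample data in the shape of an EC2 DescribeSecurityGroups entry captured after both console edits in this example. The helper names (Rule, rules_from_describe, plan_enforcement, enforce) are this illustration’s own. One detail worth seeing: AWS merges rules that share a protocol and port range into a single entry with several CIDRs, so an SSH-from-anywhere rule added next to an existing port 22 rule appears as an extra CidrIp, not as a new entry, and the diff has to be done per CIDR to catch it.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set, Tuple


@dataclass(frozen=True, order=True)
class Rule:
    """One security group rule, normalised so rules compare by value."""
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all traffic
    from_port: int   # -1 when the protocol carries no port range
    to_port: int
    cidr: str


def rules_from_describe(ip_permissions: Iterable[dict]) -> FrozenSet[Rule]:
    """Flatten DescribeSecurityGroups permissions into one Rule per CIDR.

    AWS merges rules with the same protocol and port range into a single
    IpPermission entry with several IpRanges, so a rule added out of band
    can hide as an extra CidrIp on an existing entry. Splitting per CIDR
    makes that visible to the set difference below.
    """
    rules: Set[Rule] = set()
    for perm in ip_permissions:
        # Protocol "-1" (all traffic) has no FromPort/ToPort in the response.
        from_port = perm.get("FromPort", -1)
        to_port = perm.get("ToPort", -1)
        for ip_range in perm.get("IpRanges", []):
            rules.add(Rule(perm["IpProtocol"], from_port, to_port, ip_range["CidrIp"]))
    return frozenset(rules)


def plan_enforcement(declared: FrozenSet[Rule], actual: FrozenSet[Rule],
                     direction: str) -> Tuple[Tuple[str, Rule], ...]:
    """Mutations that return `actual` to `declared` for one direction.

    Rules present out of band are revoked, rules missing are re-authorised,
    and nothing else is touched. The plan is sorted so it is deterministic.
    `direction` is "ingress" or "egress" and only labels the actions.
    """
    revoke = [("revoke_" + direction, r) for r in actual - declared]
    authorize = [("authorize_" + direction, r) for r in declared - actual]
    return tuple(sorted(revoke + authorize))


# Constructed: the rules this illustration assumes mySecurityGroup declares.
# Enforcement.lw is not reproduced on this page; these values are assumptions.
DECLARED_INGRESS: FrozenSet[Rule] = frozenset({
    Rule("tcp", 22, 22, "203.0.113.10/32"),
    Rule("tcp", 80, 80, "0.0.0.0/0"),
})
DECLARED_EGRESS: FrozenSet[Rule] = frozenset({Rule("-1", -1, -1, "0.0.0.0/0")})

# Constructed: a DescribeSecurityGroups entry as it would look after both
# console edits in this example (SSH from 0.0.0.0/0 added, sole egress rule removed).
DRIFTED_GROUP = {
    "GroupName": "mySecurityGroup",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [],
}


def enforce(group: dict) -> Tuple[Tuple[str, Rule], ...]:
    """Full plan for one group: ingress corrections, then egress corrections."""
    ingress = plan_enforcement(
        DECLARED_INGRESS, rules_from_describe(group.get("IpPermissions", [])), "ingress")
    egress = plan_enforcement(
        DECLARED_EGRESS, rules_from_describe(group.get("IpPermissionsEgress", [])), "egress")
    return ingress + egress


if __name__ == "__main__":
    for action, rule in enforce(DRIFTED_GROUP):
        print(f"{action:18} {rule.protocol} {rule.from_port}-{rule.to_port} {rule.cidr}")
```

Run against the drifted group, the plan is exactly the two corrections the walkthrough below shows Fugue making: revoke the port 22 rule from 0.0.0.0/0 and re-authorise the all-traffic egress rule. The declared port 22 rule from the specific address survives because the diff is per CIDR; revoking the whole merged entry would have thrown it away too. A group that matches its declaration produces an empty plan.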

Before making any changes, verify that your process spun up successfully:

fugue status

The “Last Message” field should say “SUCCESS.”

A successful fugue run.

Manually Adding an Ingress Rule

Log into the AWS Management Console and head to the VPC Dashboard in the Oregon (us-west-2) region.

Click on “Security Groups” and highlight mySecurityGroup, then click the “Inbound Rules” tab.

Click “Edit” and add a new inbound rule:

  • Type: SSH (22)
  • Protocol: TCP (6)
  • Source: 0.0.0.0/0

Save the changes. Note that this rule opens SSH to the entire internet; it is a deliberately bad change, exactly the kind of out-of-band edit enforcement exists to undo.

Manually adding an ingress rule in the AWS console.

Verifying Results

Wait a moment and then refresh the page. Because adding a rule is a mutation of the security group, enforcement is quick: Fugue has restored our infrastructure to its original configuration, and the ingress rule we added out of band is gone!

Fugue removes the extraneous ingress rule.

Manually Removing an Egress Rule

Click on the “Outbound Rules” tab.

Click “Edit” and remove the sole rule, then save the changes.

Manually removing the egress rule in the AWS Console.

Verifying Results

Wait a moment and then refresh the page. Once again, Fugue has restored our infrastructure to its original configuration. The egress rule we deleted is back!

Fugue restores the manually deleted egress rule.

Killing the Fugue Process

When you’re all done, issue the kill command:

fugue kill enforce

This will terminate the process and tear down the infrastructure defined in the composition (the VPC, the security group, and its rules). Until you do, the Conductor keeps enforcing the composition and will keep undoing any manual edits to these resources.

Executing the fugue kill command.

Next Steps

Want to try something a little different? How about checking out our Kubernetes The Hard Way example? Or, you can browse the other examples listed in the fugue-example-omnibus on Github. If you want to get back to basics, review the Hello World! examples. And as always, reach out to support@fugue.co with any questions.