This example shows you how Fugue automatically enforces your infrastructure configuration, by restoring a manually deleted security group egress rule and removing a manually added ingress rule.
What We’ll Do In This Example
We’ll cover how to run a basic composition, and then we’ll mess around with our infrastructure in the AWS Management Console to demonstrate how Fugue automatically restores its configuration.
What We’ll Have When We’re Done
- 1 VPC
- 1 security group
- 2 security group ingress rules
How Long It Will Take
About 15 minutes.
Running the Composition
First, we’re going to run the composition. As long as a process is running, the Fugue Conductor maintains and monitors the infrastructure.
fugue run Enforcement.lw -a enforce
Fugue enforces your infrastructure by comparing it to the declarations in your Ludwig code. If there’s an untracked difference between the Ludwig and the state of your infrastructure, Fugue reverts the changes, restoring your infrastructure to the declared state.
We’re going to demonstrate this enforcement by logging into the AWS Management Console and messing around with some security group rules.
There are two types of enforcement actions: mutate and create/delete.
An enforcement to counter mutation is when a resource’s configuration is changed out of band and Fugue changes (or mutates) the configuration to return it to its declared state. For example, if you manually create a rule in a security group declared in your composition, Fugue deletes it. That’s the kind of enforcement you’ll see in this example.
An enforcement to counter deletion is when a resource itself is deleted out of band and Fugue recreates it to return your infrastructure to its declared state. For example, if you manually delete a VPC declared in your composition, Fugue recreates it.
These two different types of actions are handled differently, with different timing. Enforcement to counter mutation typically happens quickly. Enforcement to counter deletion, however, takes a little longer. Fugue relies upon API describe calls to AWS to get an accurate picture of your infrastructure, and AWS’s API is eventually consistent, meaning it can take time for changes to be distributed. Fugue caches the results of these describe calls for at least 10 minutes to hedge against performance and reliability issues in AWS. Therefore, it takes at least 10 minutes for Fugue to consider a resource to be deleted and recreate it. The time may be longer depending on the performance of Fugue and AWS.
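To make the two enforcement paths concrete, here is an added example (not Fugue’s code, and not the Enforcement.lw composition, which is not reproduced on this page) of a small drift reconciler in Python. It models the behaviour described above: rule drift on an existing security group is corrected immediately, while an apparently deleted resource is only recreated once the cached describe result is older than the 10-minute threshold the page mentions. The security group name mySecurityGroup comes from the page; the specific rules, the `plan`/`simulate` function names and the `DESCRIBE_CACHE_TTL_S` constant are assumptions made for this illustration, and the "observed" state is a constructed stand-in for AWS describe calls.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# A rule is (direction, protocol, from_port, to_port, cidr); -1 mirrors AWS's "all" value.
Rule = Tuple[str, str, int, int, str]
# An enforcement action is (verb, security group name, rule or None).
Action = Tuple[str, str, Optional[Rule]]


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    rules: FrozenSet[Rule]


# Assumed from the page: describe results are cached for at least 10 minutes,
# so a resource is not treated as deleted before that much time has passed.
DESCRIBE_CACHE_TTL_S = 10 * 60

# Constructed declared state: 2 ingress rules and 1 egress rule (ports are assumptions).
DECLARED = SecurityGroup(
    "mySecurityGroup",
    frozenset({
        ("ingress", "tcp", 22, 22, "10.0.0.0/16"),
        ("ingress", "tcp", 443, 443, "0.0.0.0/0"),
        ("egress", "-1", -1, -1, "0.0.0.0/0"),
    }),
)


def plan(declared: SecurityGroup, observed: Optional[SecurityGroup],
         missing_for_s: float = 0.0) -> List[Action]:
    """Return the enforcement actions that bring `observed` back to `declared`.

    observed=None means the last describe call did not return the group;
    missing_for_s is how long it has been absent from describe results.
    """
    if observed is None:
        # Counter-deletion path: eventual consistency means an absent resource
        # is only trusted as deleted after the cache window has elapsed.
        if missing_for_s < DESCRIBE_CACHE_TTL_S:
            return [("wait", declared.name, None)]
        recreate: List[Action] = [("create", declared.name, None)]
        recreate += [("authorize", declared.name, r) for r in sorted(declared.rules)]
        return recreate

    # Counter-mutation path: revoke rules added out of band, re-authorize
    # rules removed out of band. Sorted so the plan is deterministic.
    actions: List[Action] = []
    for rule in sorted(observed.rules - declared.rules):
        actions.append(("revoke", declared.name, rule))
    for rule in sorted(declared.rules - observed.rules):
        actions.append(("authorize", declared.name, rule))
    return actions


def simulate(observed: Optional[SecurityGroup], actions: List[Action]) -> Optional[SecurityGroup]:
    """Constructed stand-in for the AWS side: apply actions to the observed state."""
    for verb, name, rule in actions:
        if verb == "wait":
            continue
        if verb == "create":
            observed = SecurityGroup(name, frozenset())
        elif verb == "authorize" and observed is not None and rule is not None:
            observed = SecurityGroup(name, observed.rules | {rule})
        elif verb == "revoke" and observed is not None and rule is not None:
            observed = SecurityGroup(name, observed.rules - {rule})
    return observed


def walkthrough() -> List[List[Action]]:
    """Replay the console edits from this page and return each tick's plan."""
    extra_ingress: Rule = ("ingress", "tcp", 8080, 8080, "0.0.0.0/0")  # constructed drift
    egress = ("egress", "-1", -1, -1, "0.0.0.0/0")
    plans = []

    # 1. An inbound rule is added out of band: the plan revokes it.
    drifted = simulate(DECLARED, [("authorize", DECLARED.name, extra_ingress)])
    plans.append(plan(DECLARED, drifted))

    # 2. The sole outbound rule is removed out of band: the plan re-authorizes it.
    drifted = simulate(DECLARED, [("revoke", DECLARED.name, egress)])
    plans.append(plan(DECLARED, drifted))

    # 3. The whole group disappears: wait inside the cache window, recreate after it.
    plans.append(plan(DECLARED, None, missing_for_s=60))
    plans.append(plan(DECLARED, None, missing_for_s=DESCRIBE_CACHE_TTL_S))
    return plans


if __name__ == "__main__":
    for tick, actions in enumerate(walkthrough(), 1):
        print(f"tick {tick}:", actions)
```

The deliberate difference between the two paths is the `missing_for_s` check: rule diffs on a resource that is still returned by describe are acted on at once, whereas absence is treated as a claim that must age past the cache window before Fugue commits to a recreate. In practice the observed state would come from `describe_security_groups`-style calls rather than the constructed dataclasses used here.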
First, verify that your process spun up successfully:
The “Last Message” field should say “SUCCEEDED.”
Manually Adding an Ingress Rule
Log into the AWS Management Console and head to the VPC Dashboard in the Oregon region.
Click on “Security Groups” and highlight mySecurityGroup, then click the “Inbound Rules” tab.
Click “Edit” and add a new inbound rule:
Save the changes.
Wait a moment and then refresh the page. Fugue has restored our infrastructure to its original configuration – the ingress rule we added out of band is gone!
Manually Removing an Egress Rule
Click on the “Outbound Rules” tab.
Click “Edit” and remove the sole rule, then save the changes.
Wait a moment and then refresh the page. Once again, Fugue has restored our infrastructure to its original configuration. The egress rule we deleted is back!
Want to try something a little different? How about checking out our Kubernetes The Hard Way example? Or, you can browse the other examples listed in the fugue-example-omnibus on GitHub. If you want to get back to basics, review the Hello World! examples. And as always, reach out to firstname.lastname@example.org with any questions.