Configuration (Platform 2.0 Beta)
In Fugue Platform 2.0 beta, configuration information may be stored in the following ways:
- In an optional fugue2.yaml file in the user’s home directory
- In environment variables
If the user prefers to configure settings via fugue2.yaml rather
than having the CLI detect settings at installation, they must manually
create the file in a
.fugue directory at the following path prior
~/.fugue/fugue2.yaml on macOS and Linux
Alternatively, the user may omit
fugue2.yaml and configure settings
via environment variables. In this case, the CLI creates the
fugue2.yaml file itself using the settings detected at install.
Note: Credential keys are not written to
Platform 2.0 Beta Config
The following table lists configurable settings for Platform 2.0 beta:
||Instructs the Fugue and AWS CLIs to target this region for API calls. May also be set at the command line:
||AWS credentials to use for authentication/authorization. Default: N/A||
||Instructs the Fugue and Azure CLIs to target this region for API calls. Default:
||Instructs the Fugue and Azure CLIs to target this partition for API calls. Default: N/A||
||The Azure subscription to target. Default: N/A||
If certain settings are not detected in environment variables or in
fugue2.yaml, the Platform 2.0 beta CLI uses other methods of
|Configuration value||Source if not found in environment variables or
|aws-region||The CLI supports aws-sdk-go resolution rules.||https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html|
|aws-profile||The CLI supports aws-sdk-go resolution rules.||https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html|
|azure-cloud||The CLI retrieves your default account information via
|azure-subscription||The CLI retrieves your default account information via
In Platform 2.0 beta, Fugue user credentials are stored in the
fugue2-credentials.yaml file. Though it is similar to Fugue
credentials file, each contains slightly different
fugue2-credentials.yaml file is stored in the user’s home
~/.fugue/fugue2-credentials.yaml on macOS and Linux
fugue2-credentials.yaml contains three fields:
- The URL of the Fugue Platform API in AWS
- The Fugue user,
- The access token that authenticates the Fugue user to the Conductor
These credentials can be regenerated with fugue support reset-secret.
Other Configuration Settings
For other configuration settings, such as API URL or log file, the general order of precedence is this:
- Global options
- Environment variables
See Global Options Preceding Commands for a list of settings.
Platform 2.0 beta supports subscriber-based activity notifications for drift and enforcement events through the following SNS topics:
You can sign up through the AWS Console or the AWS CLI.
Subscribing to Notifications via the AWS Console
To subscribe to Platform 2.0 beta notifications through the AWS Management Console, follow these steps:
- Access the SNS Dashboard in the region in which the Conductor is running.
- Select the fugue-platform-notifications-* SNS topic you wish to subscribe to.
- Select “Subscribe to topic” from the “Action” drop-down menu.
- Change the protocol to “Email.”
- Enter your email address as an endpoint and click “Create Subscription.”
- Check your email for a subscription confirmation, and confirm your subscription by clicking on the link.
Subscribing to Notifications via the AWS CLI
To subscribe to Platform 2.0 beta notifications through the AWS CLI, run the following command, replacing:
- <region> with your Conductor’s region
- <account> with your AWS account ID
- <topic_name> with the desired
- <email_addr> with your email address
aws sns subscribe --topic-arn arn:aws:sns:<region>:<account>:<topic_name> \
    --protocol email \
    --notification-endpoint <email_addr>
Check your email for a subscription confirmation, and confirm your subscription by clicking on the link.
This sample enforcement notification was received after a process security group rule was manually changed in the Azure Portal. It indicates that Fugue successfully changed the “Allow” rule back to “Deny”:
From: Fugue Notifications
Subject: Fugue Enforcement Notification

Fugue Platform has taken enforcement action to remediate drift in your environment.

Account:
Process FID: e3ece4c7-fd5c-4e73-b1fc-9a0bf33c8bd3
Process Alias: sg
Job ID: e3ece4c7-fd5c-4e73-b1fc-9a0bf33c8bd3-0-1545331610
Resources Impacted: /subscriptions/bf980d0c-5671-4b82-b969-000000000000/resourceGroups/fugue-platform-rg/providers/Microsoft.Network/networkSecurityGroups/nsg/securityRules/DenySSH
Enforcement Actions Taken: NetworkSecurityRule.lw_fca857c9-5509-58c0-b7eb-03e6dcb80e0f.access: "Allow" => "Deny"
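The following is an added example, not code from Fugue: it parses the body of the enforcement notification shown above into a record that can be forwarded to a ticket queue or SIEM, and picks out changes where an access rule had drifted to "Allow". The field labels are taken from the sample; the function names and dictionary keys are hypothetical, and real notifications may carry labels the sample does not show.

```python
import re

# Field labels exactly as they appear in the sample notification.
LABELS = ["Account", "Process FID", "Process Alias", "Job ID",
          "Resources Impacted", "Enforcement Actions Taken"]
LABEL_RE = re.compile(r"\b(%s):" % "|".join(map(re.escape, LABELS)))
# One enforcement action: <attribute path>: "<drifted value>" => "<restored value>"
CHANGE_RE = re.compile(r'(\S+):\s*"([^"]*)"\s*=>\s*"([^"]*)"')

# Body of the sample notification from this page (the Account value is blank there).
SAMPLE = """Fugue Platform has taken enforcement action to remediate drift in your environment.
Account:
Process FID: e3ece4c7-fd5c-4e73-b1fc-9a0bf33c8bd3
Process Alias: sg
Job ID: e3ece4c7-fd5c-4e73-b1fc-9a0bf33c8bd3-0-1545331610
Resources Impacted: /subscriptions/bf980d0c-5671-4b82-b969-000000000000/resourceGroups/fugue-platform-rg/providers/Microsoft.Network/networkSecurityGroups/nsg/securityRules/DenySSH
Enforcement Actions Taken: NetworkSecurityRule.lw_fca857c9-5509-58c0-b7eb-03e6dcb80e0f.access: "Allow" => "Deny"
"""


def parse_enforcement_notification(body):
    """Split on the known labels, so it works whether the mail client kept
    one field per line or flattened the message onto a single line."""
    marks = list(LABEL_RE.finditer(body))
    fields = {}
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(body)
        fields[cur.group(1)] = " ".join(body[cur.end():end].split())
    missing = [label for label in LABELS if label not in fields]
    if missing:
        raise ValueError("missing fields: %s" % ", ".join(missing))
    return {
        "account": fields["Account"] or None,
        "process_fid": fields["Process FID"],
        "process_alias": fields["Process Alias"],
        "job_id": fields["Job ID"],
        "resources": fields["Resources Impacted"].split(),
        "changes": [
            {"attribute": path, "drifted_to": old, "restored_to": new}
            for path, old, new in CHANGE_RE.findall(fields["Enforcement Actions Taken"])
        ],
    }


def access_opened(event):
    """Changes where an access attribute had drifted to "Allow": Fugue has
    reverted it, but the out-of-band edit itself is worth investigating."""
    return [c for c in event["changes"]
            if c["attribute"].endswith(".access") and c["drifted_to"] == "Allow"]
```

Calling `access_opened(parse_enforcement_notification(SAMPLE))` returns the single DenySSH change from the sample.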
These instructions are to uninstall the Platform 2.0 beta release. First, you’ll need to uninstall the Conductor, then the CLI.
Uninstalling the Conductor
To uninstall the Conductor from your cloud environments, issue the following command:
To see the full details on available flags you can run
fugue2 uninstall --help or view the
fugue2 uninstall the service principal that is created during
fugue2 install is left on Azure. This is due to a limitation with Microsoft Active Directory where too many creates/deletes will result in an account being unusable. During subsequent
fugue2 install commands, Fugue will reuse the existing service principal and not create a new one.
To manually remove the service principal, use the Azure CLI’s az ad sp list command to view a list of service principals in your account, then execute the az ad sp delete command with the desired service principal ID or subscription ID. You can also do this through the Azure Portal: All services -> Subscriptions -> <my subscription> -> Access Control (IAM) -> Role assignments.