Configuration (Platform 2.0 Beta)

Configuration Options

In Fugue Platform 2.0 beta, configuration information may be stored in the following ways:

  • In an optional fugue2.yaml file in the user’s home directory
  • In environment variables

If the user prefers to configure settings via fugue2.yaml rather than having the CLI detect settings at installation, they must manually create the file in the .fugue directory under their home directory, at the following path, prior to installation:

  • ~/.fugue/fugue2.yaml on macOS and Linux
  • %USERPROFILE%\.fugue\fugue2.yaml or %HOMEDRIVE%\%HOMEPATH%\.fugue\fugue2.yaml on Windows

Alternatively, the user may omit fugue2.yaml and configure settings via environment variables. In this case, the CLI creates the fugue2.yaml file itself using the settings detected at install. Note: Credential keys are not written to fugue2.yaml.

Platform 2.0 Beta Config

The following settings are configurable for Platform 2.0 beta. Each entry gives the fugue2.yaml key, the equivalent environment variable, its definition, its default and an example value:

aws_region
  Environment variable: FUGUE_AWS_REGION
  Definition: Instructs the Fugue and AWS CLIs to target this region for API calls. May also be set at the command line with --aws-region.
  Default: N/A
  Example: us-gov-west-1

aws_profile
  Environment variable: FUGUE_AWS_PROFILE
  Definition: AWS credentials to use for authentication/authorization.
  Default: N/A
  Example: mygovprofile

azure_location
  Environment variable: FUGUE_AZURE_LOCATION
  Definition: Instructs the Fugue and Azure CLIs to target this region for API calls.
  Default: usgovvirginia
  Example: usgovvirginia

azure_cloud
  Environment variable: FUGUE_AZURE_CLOUD
  Definition: Instructs the Fugue and Azure CLIs to target this partition for API calls.
  Default: N/A
  Example: AzureUSGovernment

azure_subscription
  Environment variable: FUGUE_AZURE_SUBSCRIPTION
  Definition: The Azure subscription to target.
  Default: N/A
  Example: e142a3cb-bfab-444f-a154-7f3b9example

Detected Values

If certain settings are not detected in environment variables or in fugue2.yaml, the Platform 2.0 beta CLI uses other methods of sourcing configuration:

aws-region
  Source if not found in environment variables or fugue2.yaml: the CLI follows aws-sdk-go resolution rules.
  Reference: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html

aws-profile
  Source if not found in environment variables or fugue2.yaml: the CLI follows aws-sdk-go resolution rules.
  Reference: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html

azure-cloud
  Source if not found in environment variables or fugue2.yaml: the CLI retrieves your default account information via az account show.
  Reference: https://docs.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-show

azure-subscription
  Source if not found in environment variables or fugue2.yaml: the CLI retrieves your default account information via az account show.
  Reference: https://docs.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-show

Credentials File

In Platform 2.0 beta, Fugue user credentials are stored in the fugue2-credentials.yaml file. It is similar to the Fugue Platform credentials file, but the two contain slightly different fields.

The fugue2-credentials.yaml file is stored in the user’s home directory:

  • ~/.fugue/fugue2-credentials.yaml on macOS and Linux
  • %USERPROFILE%\.fugue\fugue2-credentials.yaml or %HOMEDRIVE%\%HOMEPATH%\.fugue\fugue2-credentials.yaml on Windows

fugue2-credentials.yaml contains three fields:

api-url
  The URL of the Fugue Platform API in AWS
user
  The Fugue user, root
secret
  The access token that authenticates the Fugue user to the Conductor

These credentials can be regenerated with fugue support reset-secret.

Source Order of Precedence

The CLI sources the user and secret in the following order:

  1. Global options --user and --secret
  2. Environment variables FUGUE_USER and FUGUE_SECRET
  3. The fugue2-credentials.yaml file

Other Configuration Settings

For other configuration settings, such as API URL or log file, the general order of precedence is this:

  1. Global options
  2. Environment variables
  3. fugue2.yaml

See Global Options Preceding Commands for a list of settings.
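The two precedence lists above are easy to get subtly wrong in tooling that wraps the CLI (for example, honouring a secret that someone dropped into fugue2.yaml). The following Python is an added example, not code from Fugue or its CLI: it resolves a setting in the documented order (global option, environment variable, file) and keeps user and secret bound to fugue2-credentials.yaml only. The flat key: value parser, the sample file contents and the mode_is_private permission check are assumptions added here; the page states no required file mode.

```python
"""Resolve Fugue Platform 2.0 beta settings in the documented order of
precedence: global options, then environment variables, then the YAML file.
Example code added here; it is not part of the Fugue CLI and the file parser
is a deliberately minimal stand-in for a real YAML loader."""
import stat
from typing import Dict, Mapping, Optional, Tuple

# fugue2.yaml keys and the environment variables that override them (from the page).
SETTING_ENV = {
    "aws_region": "FUGUE_AWS_REGION",
    "aws_profile": "FUGUE_AWS_PROFILE",
    "azure_location": "FUGUE_AZURE_LOCATION",
    "azure_cloud": "FUGUE_AZURE_CLOUD",
    "azure_subscription": "FUGUE_AZURE_SUBSCRIPTION",
}
# user and secret are read from fugue2-credentials.yaml, never from fugue2.yaml.
CREDENTIAL_ENV = {"user": "FUGUE_USER", "secret": "FUGUE_SECRET"}
# Only azure_location has a documented default.
DEFAULTS = {"azure_location": "usgovvirginia"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines used by both files.
    Assumption: no nesting, lists or quoted scalars (use PyYAML for real input)."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding space
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        result[key.strip()] = value.strip()
    return result


def resolve(name: str, cli_opts: Mapping[str, Optional[str]], env: Mapping[str, str],
            config: Mapping[str, str], credentials: Mapping[str, str]) -> Tuple[Optional[str], str]:
    """Return (value, source) for one setting, consulting sources in precedence order.
    Credential fields are looked up in the credentials mapping only, so a 'secret'
    key placed in fugue2.yaml is ignored rather than silently honoured."""
    if name in CREDENTIAL_ENV:
        env_name, file_values = CREDENTIAL_ENV[name], credentials
    elif name in SETTING_ENV:
        env_name, file_values = SETTING_ENV[name], config
    else:
        raise KeyError(f"unknown setting: {name}")

    if cli_opts.get(name) is not None:   # 1. global option such as --aws-region or --secret
        return cli_opts[name], "global option"
    if env.get(env_name):                # 2. environment variable
        return env[env_name], "environment"
    if name in file_values:              # 3. fugue2.yaml or fugue2-credentials.yaml
        return file_values[name], "file"
    if name in DEFAULTS:
        return DEFAULTS[name], "default"
    return None, "unset"


def mode_is_private(mode: int) -> bool:
    """True when a file mode grants no group or other permissions.
    Added check for fugue2-credentials.yaml, which holds the access token;
    the page states no required mode, 0600 is the usual expectation (assumption)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    # Constructed sample file contents, mirroring the keys documented on the page.
    config = parse_flat_yaml("aws_region: us-gov-west-1\naws_profile: mygovprofile\n")
    creds = parse_flat_yaml("api-url: https://api.example.invalid\nuser: root\nsecret: EXAMPLE-TOKEN\n")
    env = {"FUGUE_AZURE_CLOUD": "AzureUSGovernment"}
    for setting in ("aws_region", "azure_location", "azure_cloud", "user", "secret"):
        value, source = resolve(setting, {}, env, config, creds)
        print(f"{setting:<18} {source:<14} {value}")
    print("0600 private:", mode_is_private(0o600), " 0644 private:", mode_is_private(0o644))
```

The source label returned alongside each value is what makes the resolver auditable: when a run targets the wrong region or account, printing where each setting came from shows immediately whether a stray environment variable or a stale file won.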

Configuring Notifications

Platform 2.0 beta supports subscriber-based activity notifications for drift and enforcement events through the following SNS topics:

  • fugue-platform-notifications-drift
  • fugue-platform-notifications-enforcement

You can sign up through the AWS Console or the AWS CLI.

Subscribing to Notifications via the AWS Console

To subscribe to Platform 2.0 beta notifications through the AWS Management Console, follow these steps:

  1. Access the SNS Dashboard in the region in which the Conductor is running.
  2. Select the fugue-platform-notifications-* SNS topic you wish to subscribe to.
  3. Select “Subscribe to topic” from the “Action” drop-down menu.
  4. Change the protocol to “Email.”
  5. Enter your email address as an endpoint and click “Create Subscription.”
  6. Check your email for a subscription confirmation, and confirm your subscription by clicking on the link.

Subscribing to Notifications via the AWS CLI

To subscribe to Platform 2.0 beta notifications through the AWS CLI, run the following command, replacing:

  • <region> with your Conductor’s region
  • <account> with your AWS account ID
  • <topic_name> with the desired fugue-platform-notifications-* topic
  • <email_addr> with your email address

  aws sns subscribe --topic-arn arn:aws:sns:<region>:<account>:<topic_name> \
      --protocol email \
      --notification-endpoint <email_addr>

Check your email for a subscription confirmation, and confirm your subscription by clicking on the link.

Sample Email

This sample enforcement notification was received after a security group rule managed by a Fugue process was manually changed in the Azure Portal. It indicates that Fugue successfully changed the “Allow” rule back to “Deny”:

From: Fugue Notifications
Subject: Fugue Enforcement Notification

Fugue Platform has taken enforcement action to remediate drift in your environment.

Account:
Process FID: e3ece4c7-fd5c-4e73-b1fc-9a0bf33c8bd3
Process Alias: sg
Job ID: e3ece4c7-fd5c-4e73-b1fc-9a0bf33c8bd3-0-1545331610

Resources Impacted:
/subscriptions/bf980d0c-5671-4b82-b969-000000000000/resourceGroups/fugue-platform-rg/providers/Microsoft.Network/networkSecurityGroups/nsg/securityRules/DenySSH

Enforcement Actions Taken:

NetworkSecurityRule.lw_fca857c9-5509-58c0-b7eb-03e6dcb80e0f.access: "Allow" => "Deny"
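Email is a poor place for an enforcement record to stop; a team that wants drift events in a SIEM or ticket queue needs them as structured fields. The following Python is an added example, not code from Fugue: it parses the notification format shown above (the constructed SAMPLE_NOTIFICATION reproduces the page's sample verbatim) into headers, impacted resources and before/after actions, and flags actions where an access rule had drifted to Allow. The line layout and the ACTION_RE pattern are inferred from this one sample, so treat them as assumptions to verify against real notifications.

```python
"""Parse Fugue Platform 2.0 beta enforcement notification emails into
structured records. Example code added here; not part of Fugue. The section
names and the action-line layout are inferred from the page's single sample."""
import re
from typing import Dict, List

# Constructed from the sample notification on the page.
SAMPLE_NOTIFICATION = """\
From: Fugue Notifications
Subject: Fugue Enforcement Notification

Fugue Platform has taken enforcement action to remediate drift in your environment.

Account:
Process FID: e3ece4c7-fd5c-4e73-b1fc-9a0bf33c8bd3
Process Alias: sg
Job ID: e3ece4c7-fd5c-4e73-b1fc-9a0bf33c8bd3-0-1545331610

Resources Impacted:
/subscriptions/bf980d0c-5671-4b82-b969-000000000000/resourceGroups/fugue-platform-rg/providers/Microsoft.Network/networkSecurityGroups/nsg/securityRules/DenySSH

Enforcement Actions Taken:

NetworkSecurityRule.lw_fca857c9-5509-58c0-b7eb-03e6dcb80e0f.access: "Allow" => "Deny"
"""

# <ResourceType>.<resource id>.<attribute>: "<before>" => "<after>"  (assumed layout)
ACTION_RE = re.compile(
    r'^(?P<type>\w+)\.(?P<id>[^.]+)\.(?P<attr>[\w.]+):\s*'
    r'"(?P<before>[^"]*)"\s*=>\s*"(?P<after>[^"]*)"$'
)


def parse_notification(text: str) -> Dict:
    """Split a notification into headers (From, Subject, Account, Process FID, ...),
    the list of impacted resource paths and the list of parsed enforcement actions."""
    record: Dict = {"headers": {}, "resources": [], "actions": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Resources Impacted:":
            section = "resources"
            continue
        if line == "Enforcement Actions Taken:":
            section = "actions"
            continue
        if section == "resources":
            record["resources"].append(line)
        elif section == "actions":
            match = ACTION_RE.match(line)
            if match:
                record["actions"].append(match.groupdict())
        elif ":" in line:
            # Header-style "Key: value" lines before the first section marker.
            key, value = line.split(":", 1)
            record["headers"][key.strip()] = value.strip()
    return record


def reopened_rules(record: Dict) -> List[str]:
    """Describe actions whose 'access' attribute had drifted to Allow before Fugue
    restored it, the case in the page's sample; these are the events worth a ticket."""
    return [
        f"{a['type']} {a['id']}: {a['attr']} {a['before']} => {a['after']}"
        for a in record["actions"]
        if a["attr"] == "access" and a["before"] == "Allow"
    ]


if __name__ == "__main__":
    parsed = parse_notification(SAMPLE_NOTIFICATION)
    print("process:", parsed["headers"]["Process Alias"], "job:", parsed["headers"]["Job ID"])
    for resource in parsed["resources"]:
        print("resource:", resource)
    for line in reopened_rules(parsed):
        print("reopened:", line)
```

The Job ID and Process FID in the parsed headers are the values to carry into a ticket so the remediation can be correlated with the Azure activity log entry for the manual change.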

How to Unsubscribe

To unsubscribe from any SNS notification, click on the “Unsubscribe” link at the bottom of the email, delete the subscription through the SNS Dashboard in the AWS Management Console, or use the following AWS CLI command:

aws sns unsubscribe --subscription-arn <subscription_arn>

Uninstalling Fugue

These instructions are to uninstall the Platform 2.0 beta release. First, you’ll need to uninstall the Conductor, then the CLI.

Uninstalling the Conductor

To uninstall the Conductor from your cloud environments, issue the following command:

fugue2 uninstall

To see the full details on available flags you can run fugue2 uninstall --help or view the uninstall page.

Note

During fugue2 uninstall, the service principal created during fugue2 install is left on Azure. This is due to a limitation with Microsoft Active Directory where too many creates and deletes will result in an account becoming unusable. During subsequent fugue2 install commands, Fugue reuses the existing service principal and does not create a new one.

To manually remove the service principal, use the Azure CLI’s az ad sp list command to view a list of service principals in your account, then execute the az ad sp delete command with the desired service principal ID or subscription ID. You can also do this through the Azure Portal: All services -> Subscriptions -> <my subscription> -> Access Control (IAM) -> Role assignments.

Uninstalling the CLI

To uninstall the Platform 2.0 beta CLI, issue the following command:

sudo /opt/fugue/bin/uninstall.sh

When the uninstall is completed, you’ll see the following message:

Successfully Uninstalled Fugue

Warning

This command will also remove the fugue CLI if it is installed.