Fugue Transcriber is a command-line tool that scans your AWS account for existing infrastructure and generates a Ludwig composition representing your resources.
Transcriber auto-generates compositions. As with all code-generation tools, it can be a challenge to manage lots of automatically generated compositions from a large environment. There are some features, like filtering, that make it easier to scale down the transcribed environment. For help with transcribing large or complex environments, contact firstname.lastname@example.org.
Transcriber is packaged with the Fugue Client Tools. Create a Fugue account, if you haven’t already, to download the Fugue Client Tools from the Customer Portal. Find installation instructions at the Fugue Quick Setup.
Note: If you prefer to work in a GUI, Fugue Composer has a “Generate Composition” feature that offers the same major options as the Transcriber command-line tool. Find more information at Fugue Composer.
fugue-transcriber [OPTIONS] OUT
- Region value to substitute for AWS::Region. Defaults to profile
- Specify an AWS profile for credentials and region. Uses environment defaults if not specified.
- Limit scan to AWS resources that have this tag key. Use one of
- Two arguments to limit scan to AWS resources that have this tag key
and value. Example:
--tag-pair Name my-vpc. Use one of
- Include only this service when querying the cloud. May be used more than once.
- Exclude this service when querying the cloud. May be used more than once.
- EXPERIMENTAL: Load a filter file to specify the included services and resources when querying the cloud.
- Include AWS resources that are managed by Fugue. (Excluded by default.)
- Include AWS resources that are part of the Fugue runtime. (Excluded by default.)
- Quiet mode
- Debug mode
- Print the current version number and exit.
- List services covered by Transcriber and exit.
- Set the port number for the Fugue API Server.
Use this option or
FUGUE_API_PORTenvironment variable. Default is 8080.
- Show help message and exit.
Transcriber generates Ludwig compositions from AWS account resources. Each resource declaration in the composition is preceded by a comment that indicates the type and ID of the resource that it represents.
By default, Transcriber ignores AWS resources that belong to the Fugue
runtime. To include resources that are part of the Conductor, use
By default, Transcriber uses the Fugue API Server,
if available, to filter out Fugue-managed AWS resources. The server port
number defaults to 8080, but a different port may be specified with the
--server-port option or with the
environment variable. If the server is running and you wish to include
resources managed by Fugue, use the option
--include-fugue-resources. If no server is available, Transcriber
includes Fugue-managed resources in the generated composition.
Transcriber scans the resources in the default AWS region, which is
specified in your AWS CLI configuration file (usually located at
~/.aws/config on macOS or Linux or at
C:\Users\USERNAME\.aws\config on Windows). To specify a different
region, use the
--region option. You can also use the aws
command to update your default region.
Transcriber output is sent to
OUT, use a filename to
save to that file or
- to send results to standard output.
To view available services and for a list of valid services for the
--exclude-service options, use the
Currently supported services include:
|Name of service||Usage for Transcriber|
|ASG AutoScaling Groups||
|ASG AutoScaling Launch Configurations||
|ASG AutoScaling Scaling Policies||
|CloudFront Web Distribution||
|CloudWatch Metric Filters||
|EC2 Customer Gateways||
|EC2 DHCP Options||
|EC2 Elastic IPs||
|EC2 Internet Gateways||
|EC2 Nat Gateway||
|EC2 Network ACLs||
|EC2 Network Interfaces||
|EC2 Route Tables||
|EC2 Security Groups||
|EC2 VPC Endpoints||
|EC2 VPC Peering*||
|EC2 VPN Connections||
|EC2 VPN Gateways||
|ECS Task Definition||
|Elasticache Cache Cluster||
|Elasticache Cache Subnet Group||
|Elasticache Replication Group||
|ELB Load Balancers||
|ELBv2 Load Balancers||
|ELBv2 Target Groups||
|IAM Instance Profiles||
|IAM Managed Policies||
|Lambda Event Source Mappings||
|RDS Cluster Parameter Group||
|RDS Subnet Groups||
|Route53 Resource Record Set||
More services are forthcoming.
*Refer to notes below for known issues and exceptions.
Note: EC2 instances¶
EC2 Instances require additional steps to transcribe when custom instance stores are used. Read more about the details here.
Note: VPC peering connections¶
Transcriber does not support managed VPC peering connections. If a managed VPC peer is transcribed, it will be transcribed as an unmanaged VPC peer using an external reference, even if the peer VPC has been transcribed in the same composition. It will need to be manually updated with the correct reference.
Note: RDS databases¶
For configurations that include an RDS database some details around password management should be considered. Read more about those details here.
Database name validations¶
Validations for RDS database names follow the constraints in AWS documentation. However, in certain cases the documented constraints are overly strict, and a transcribed RDS database with a valid name in the dbName field may trigger a validation error:
Invalid database name for MariaDB. Must contain 1 to 64 letters or numbers. Cannot be a word reserved by the specified database engine
If you see an error message similar to the above after transcribing an RDS instance and compiling the composition, contact email@example.com.
Note: VPCs with a secondary CidrBlock¶
Transcriber does not currently support configurations that include a
VPC with a secondary CidrBlock. Configurations containing these
components will result in a
Validation failed/Invalid subnet
message. Support for this functionality will be implemented in a
subsequent release, timing is still TBD.
Transcriber and AWS credentials¶
Transcriber scans the AWS account associated with the values of
AWS_SECRET_ACCESS_KEY, if those
environment variables are set. Otherwise, Transcriber scans the account
associated with the
default profile of the AWS CLI credentials file
(generally located at
~/.aws/credentials), and if that profile is
not present, it uses the
default profile of the AWS CLI
configuration file (generally located at
To have Transcriber scan an account using a different
--profile option to specify the profile name as it appears
in the AWS CLI credentials file or configuration file.
Alternatively, export the
AWS_SECRET_ACCESS_KEY environment variables associated with the
desired account. Or, make another profile the default account by setting
AWS_DEFAULT_PROFILE environment variable:
$ export AWS_DEFAULT_PROFILE=user2
The order of precedence for credential sources is:
- Environment variables
defaultprofile in AWS CLI credentials file (
defaultprofile in AWS CLI configuration file (
IAM Policies for Transcriber¶
The AWS credentials used to run Transcriber simply need read-only permissions for each AWS service to be scanned. The two IAM policies created when installing the Fugue Conductor are not used by Transcriber.
If you prefer, you may create a new IAM user to use with Transcriber. To
do so, visit the IAM Management
and select “Add user.” Enter a name, check the box to enable
programmatic access, and select the read-only policies for the services
you want Transcriber to scan. (For example, the AWS-managed policy
AmazonEC2ReadOnlyAccess enables read-only access to EC2, and
ReadOnlyAccess enables read-only access to all AWS services.)
Once you’ve created the user, download the auto-generated credentials and set them as described above. When you execute a Transcriber command, Transcriber will use the permissions associated with those credentials to scan your account.
What is Transcriber?
Fugue Transcriber is a command-line tool, packaged with the Fugue Client Tools that scans your AWS account for existing infrastructure and generates a Ludwig composition representing your resources.
How do I install Transcriber?
After you select the package for your platform the Fugue Transcriber is installed as part of the Fugue Client Tools. Complete installation details are available in the Fugue Quick Setup.
How do I uninstall Transcriber?
Fugue Transcriber can be uninstalled along with the Fugue Client Tools. Details about removing Fugue are available here.
How do I upgrade Transcriber?
Fugue Transcriber will be upgraded as part of the Fugue Client Tools, and any feature announcements, upgrades, or new releases of Fugue are available through our Customer Portal.
What platforms are Transcriber supported on?
Transcriber is currently supported on the same platforms as the Fugue Client Tools and includes:
- macOS El Capitan (10.11.*), macOS Sierra (10.12.*), macOS High Sierra (10.13.*)
- Ubuntu (14.04 LTS, 16.04 LTS)
- Amazon Linux (2016.03.3)
- RHEL 6 & 7.2 (Yum/RPM)
- Microsoft Windows (Windows 7, 10) Note: For Windows users we
recommend using PowerShell 5 and
$env:varsyntax. To determine your version of PowerShell you can use
echo $PSVersionTable.PSVersion. If you have additional questions reach out to firstname.lastname@example.org.
Do I need to have a Conductor installed before I can use Transcriber?
No, Fugue Transcriber does not require a Conductor to operate. You will only need the Fugue CLI to issue commands for Transcriber.
What services can I transcribe?
To see the full list of supported services simply issue the
fugue-transcriber --list-services command. You can also see the full
list at Supported Services.
What determines which services I have permission to transcribe?
Aside from simply using the
--exclude options, the
scope of the services Transcriber has permission to scan or transcribe
is determined by the permissions granted by the AWS credentials used.
For more information about IAM policies for Transcriber, see
Transcriber and AWS credentials. Further details about AWS permissions are
What if I have comments or questions?
You can reach out to us at email@example.com.