$30 off During Our Annual Pro Sale. View Details »

Terraform x OPA/Conftest の tips

Ryo Kubota
July 07, 2021
Technology
0
780

Terraform x OPA/Conftest の tips

OPA/Conftest で Terraform を扱う際の tips のまとめ

Ryo Kubota

July 07, 2021
Tweet

More Decks by Ryo Kubota

See All by Ryo Kubota
TerraformのレビューをConftestで自動化する
ryokbt
3
1.2k
Handling TV Ad Traffic Influx with Microservices
ryokbt
0
1.4k

Other Decks in Technology

See All in Technology
cloudflare-workersを使ってslack上に匿名チャットを作った話
sugawani
0
120
分散型SNS最新状況
kojira
0
170
太田博三
otanet
0
160
visionOSについてGlobeeが取り組んでいること
toshi0383
0
190
噂の Amazon Bedrock を Java から使ってみる #javado
tacck
1
120
DMBOKを参考にしたデータマネジメントの取り組み
ttccddtoki
3
1k
RDBを使う単体テストの前に 用意しておきたい環境を考え てみたの
bun913
0
390
急成長スタートアップにおける技術的負債とトレードオフ・スライダー / Technical Debt and Trade-off Sliders in Fast-Growing Startups
codenote
2
1.8k
GPT APIを使ったテキスト生成コンペ@YANS2023に参加した話
naohachi89
2
300
APIテスト導入から2年。アジャイルな組織で見えてきたmabl活用の道
bengo4com
0
1.9k
Kaggle Tokyo Meetup2023 CommonLit Solutionの紹介と考え方 - Fulltrain戦略と(Seed/Model)Ensembleの可視化 -
chumajin
2
470
IAMAccessAnalyzer_Security-JAWS
koheiawa
PRO
1
270

Featured

See All Featured
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
52
19k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
219
21k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
9.8k
How to name files
jennybc
59
87k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.4k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.7k
Infographics Made Easy
chrislema
236
17k
Designing Experiences People Love
moore
133
23k
A Tale of Four Properties
chriscoyier
150
22k
Intergalactic Javascript Robots from Outer Space
tanoku
264
26k
The Language of Interfaces
destraynor
149
22k
The World Runs on Bad Software
bkeepers
PRO
59
6.1k

Transcript

  1. 5FSSBGPSNY01"$POGUFTUͷ
    UJQT
    Open Policy Agent Rego 

    Knowledge Sharing Meetup #2021.07
    Ryo Kubota @ryok6t

    View Slide

  2. • Ryo Kubota (@ryok6t)
    • FiNC Technologies
    • SRE Team manager
    ࣗݾ঺հ

    View Slide

  3. લఏ
    • ϚΠΫϩαʔϏεΛ AWS EKS ্ʹσϓϩΠ
    • ֤αʔϏεͷΠϯϑϥ͸ҎԼͰίʔυ؅ཧ
    • Kubernetes ͷ manifest
    • Terraform
    • ֤։ൃνʔϜ͕ࣗ਎Ͱ͜ΕΒͷίʔυΛॻ͍͍ͯΔ
    • ࣭ͷ୲อͷͨΊʹ Conftest Λར༻

    View Slide

  4. Ҏલͷൃද
    • https://speakerdeck.com/ryokbt/terraformfalserebiyuwoconftestdezi-dong-hua-suru

    View Slide

  5. ຊ೔ͷ಺༰
    • ʢಛʹʣTerraform Ͱ OPA Λ࢖͏৔߹ͷͪΐͬͱͨ͠ίπ
    • ࣗ෼͕ OPA Λಋೖ͢Δલʹ஌Γ͔ͨͬͨ͜ͱͷ·ͱΊ

    View Slide

  6. ·ͣ͸QMBOΛ+40/ʹ
    • plan ݁ՌΛ JSON ʹ͢Δͱ͜Ζ͔Β
    • terraform plan -out plan.tfplan
    • terraform show -json plan.tfplan | conftest test -

    View Slide

  7. 5FSSBGPSNQMBOͷ+40/
    ϦιʔεͱͦΕʹର͢ΔมߋҰཡ
    Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ
    Ϧιʔεͷ৘ใ
    มߋલมߋޙͷঢ়ଶ

    View Slide

  8. ϙϦγʔΛॻ͘
    WJPMBUJPOEFOZXBSOͷQSFpYΛ͚ͭΔ
    • ʮresource type ͕ security group Ͱɺport ͕

    ϑϧΦʔϓϯͳ΋ͷ͕1ݸͰ΋͋Ε͹ violationʯ

    View Slide

  9. ڞ௨ͷॲཧΛ·ͱΊΔ
    • ڞ௨ͷॲཧΛ͢Δέʔε͕ଟ͍
    • e.g. ಛఆͷ resource type ͷ࣌ͷΈద༻͢Δ
    • ઌͷྫͩͱɺsecurity group ͷ͚࣌ͩద༻͢ΔͳͲ
    • ຖճॻ͘ͷ͸໘౗

    View Slide

  10. GVODUJPOΛ࢖ͬͨڞ௨ॲཧ
    ड͚औͬͨUZQFʹ

    ౰ͯ͸·Δ΋ͷ͚ͩΛฦ͢

    View Slide

  11. ڞ௨ॲཧΛผͷϑΝΠϧʹ੾Γग़͢
    • ڞ௨ॲཧ༻ͷ package Λ࡞͓ͬͯ͘

    View Slide

  12. ڞ௨ॲཧΛผϑΝΠϧ͔Βݺͼग़͢
    ڞ௨ॲཧ༻ͷQBDLBHFΛJNQPSU
    CBTFSFTPVSDFTͰݺͼग़ͤΔΑ͏ʹ

    View Slide

  13. ྫ֎έʔεΛѻ͏
    • There is no rule without exceptions
    • ಛఆͷϦιʔε͚ͩϧʔϧͷର৅֎ʹ͍ͨ͠έʔε͕ଘࡏ

    View Slide

  14. lFYDFQUJPOzΛ࢖ͬͯྫ֎ʹରԠ
    • ྫ֎ͷϩδοΫʹ౰ͯ͸·ͬͨ৔߹ɺrules Ͱࢦఆͨ͠΋
    ͷ͸ແࢹ͞ΕΔ
    • ҎԼͰ͸ “deny_foo”, “violation_foo” ͳͲ͕ແࢹ͞ΕΔ

    View Slide

  15. ςετΛॻ͘
    • Rego ͷจ๏ʹ͸Ϋη͕͋ΔͨΊɺςετ͕ॏཁ
    • Conftest ࣗମͰ؆୯ʹςετ͕Մೳ

    View Slide

  16. ςετͷํ๏
    • foo.rego ʹରͯ͠ɺfoo_test.rego ͱ͍͏ϑΝΠϧΛ༻ҙ
    • conftest verify Λ࣮ߦ

    View Slide

  17. ςετͷྫʢWJPMBUJPOʹͳΔέʔεʣ
    ϑϧΦʔϓϯʹͳ͍ͬͯΔͷͰ

    WJPMBUJPOʹͳΔ͜ͱΛςετ

    View Slide

  18. ςετίʔυͷߏ଄
    QMBOͷ+40/ͱಉ͡ߏ଄Ͱ
    ςετσʔλΛੜ੒
    XJUIBTΛ࢖ͬͯ

    ςετσʔλΛ༩͑Δ

    View Slide

  19. ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε

    View Slide

  20. ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε

    • not Λ͚ͭΔ͚ͩ

    View Slide

  21. ςετσʔλʹ͍ͭͯ
    • ެࣜυΩϡϝϯτͰ͸ɺςετίʔυʹ JSON Λ௚઀

    ॻ͍͍ͯΔ
    • Ҿ༻: https://www.openpolicyagent.org/docs/latest/policy-testing/

    View Slide

  22. ςετσʔλʹ͍ͭͯ
    • ͔͠͠ JSON Λ௚઀ॻ͘ͱਏ͍έʔε͕ଟ͍
    • ݱࡏ͸ yaml Ͱॻ͍ͯ yaml.unmarshal ͍ͯ͠Δ

    View Slide

  23. ࠷ޙʹσόοάʹ͍ͭͯ
    • policy ΍ͦͷςετΛॻ͍͍ͯΔͱσόοά͕ͨ͘͠ͳΔ
    • ೚ҙͷՕॴʹ trace(string) Λ࢓ࠐΉ͜ͱͰσόοάग़ྗ
    ͕Մೳ
    • `—trace` Φϓγϣϯ෇͖Ͱ Conftest Λ࣮ߦ

    View Slide