Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Terraform x OPA/Conftest の tips
Search
Ryo Kubota
July 07, 2021
Technology
0
990
Terraform x OPA/Conftest の tips
OPA/Conftest で Terraform を扱う際の tips のまとめ
Ryo Kubota
July 07, 2021
Tweet
Share
More Decks by Ryo Kubota
See All by Ryo Kubota
TerraformのレビューをConftestで自動化する
ryokbt
3
1.6k
Handling TV Ad Traffic Influx with Microservices
ryokbt
0
1.5k
Other Decks in Technology
See All in Technology
データエンジニアリング領域におけるDuckDBのユースケース
chanyou0311
9
2.2k
Two Blades, One Journey: Engineering While Managing
ohbarye
4
1.9k
RayでPHPのデバッグをちょっと快適にする
muno92
PRO
0
190
ウォンテッドリーのデータパイプラインを支える ETL のための analytics, rds-exporter / analytics, rds-exporter for ETL to support Wantedly's data pipeline
unblee
0
120
OCI Success Journey OCIの何が評価されてる?疑問に答える事例セミナー(2025年2月実施)
oracle4engineer
PRO
2
140
IAMポリシーのAllow/Denyについて、改めて理解する
smt7174
2
200
LINE NEWSにおけるバックエンド開発
lycorptech_jp
PRO
0
230
設計を積み重ねてシステムを刷新する
sansantech
PRO
0
160
株式会社Awarefy(アウェアファイ)会社説明資料 / Awarefy-Company-Deck
awarefy
3
11k
Aurora PostgreSQLがCloudWatch Logsに 出力するログの課金を削減してみる #jawsdays2025
non97
1
190
Goで作って学ぶWebSocket
ryuichi1208
3
2.7k
【内製開発Summit 2025】イオンスマートテクノロジーの内製化組織の作り方/In-house-development-summit-AST
aeonpeople
2
620
Featured
See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.7k
4 Signs Your Business is Dying
shpigford
182
22k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
100
18k
Bash Introduction
62gerente
611
210k
Rebuilding a faster, lazier Slack
samanthasiow
80
8.9k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
29
1k
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.5k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
30
4.6k
Designing for humans not robots
tammielis
250
25k
Music & Morning Musume
bryan
46
6.4k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
33
2.8k
Transcript
5FSSBGPSNY01"$POGUFTUͷ UJQT Open Policy Agent Rego Knowledge Sharing Meetup
#2021.07 Ryo Kubota @ryok6t
• Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team
manager ࣗݾհ
લఏ • ϚΠΫϩαʔϏεΛ AWS EKS ্ʹσϓϩΠ • ֤αʔϏεͷΠϯϑϥҎԼͰίʔυཧ • Kubernetes
ͷ manifest • Terraform • ֤։ൃνʔϜ͕ࣗͰ͜ΕΒͷίʔυΛॻ͍͍ͯΔ • ࣭ͷ୲อͷͨΊʹ Conftest Λར༻
Ҏલͷൃද • https://speakerdeck.com/ryokbt/terraformfalserebiyuwoconftestdezi-dong-hua-suru
ຊͷ༰ • ʢಛʹʣTerraform Ͱ OPA Λ͏߹ͷͪΐͬͱͨ͠ίπ • ͕ࣗ OPA Λಋೖ͢ΔલʹΓ͔ͨͬͨ͜ͱͷ·ͱΊ
·ͣQMBOΛ+40/ʹ • plan ݁ՌΛ JSON ʹ͢Δͱ͜Ζ͔Β • terraform plan -out
plan.tfplan • terraform show -json plan.tfplan | conftest test -
5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷใ มߋલมߋޙͷঢ়ଶ
ϙϦγʔΛॻ͘ WJPMBUJPOEFOZXBSOͷQSFpYΛ͚ͭΔ • ʮresource type ͕ security group Ͱɺport ͕
ϑϧΦʔϓϯͳͷ͕1ݸͰ͋Ε violationʯ
ڞ௨ͷॲཧΛ·ͱΊΔ • ڞ௨ͷॲཧΛ͢Δέʔε͕ଟ͍ • e.g. ಛఆͷ resource type ͷ࣌ͷΈద༻͢Δ •
ઌͷྫͩͱɺsecurity group ͷ͚࣌ͩద༻͢ΔͳͲ • ຖճॻ͘ͷ໘
GVODUJPOΛͬͨڞ௨ॲཧ ड͚औͬͨUZQFʹ ͯ·Δͷ͚ͩΛฦ͢
ڞ௨ॲཧΛผͷϑΝΠϧʹΓग़͢ • ڞ௨ॲཧ༻ͷ package Λ࡞͓ͬͯ͘
ڞ௨ॲཧΛผϑΝΠϧ͔Βݺͼग़͢ ڞ௨ॲཧ༻ͷQBDLBHFΛJNQPSU CBTFSFTPVSDFTͰݺͼग़ͤΔΑ͏ʹ
ྫ֎έʔεΛѻ͏ • There is no rule without exceptions • ಛఆͷϦιʔε͚ͩϧʔϧͷର֎ʹ͍ͨ͠έʔε͕ଘࡏ
lFYDFQUJPOzΛͬͯྫ֎ʹରԠ • ྫ֎ͷϩδοΫʹͯ·ͬͨ߹ɺrules Ͱࢦఆͨ͠ ͷແࢹ͞ΕΔ • ҎԼͰ “deny_foo”, “violation_foo” ͳͲ͕ແࢹ͞ΕΔ
ςετΛॻ͘ • Rego ͷจ๏ʹΫη͕͋ΔͨΊɺςετ͕ॏཁ • Conftest ࣗମͰ؆୯ʹςετ͕Մೳ
ςετͷํ๏ • foo.rego ʹରͯ͠ɺfoo_test.rego ͱ͍͏ϑΝΠϧΛ༻ҙ • conftest verify Λ࣮ߦ
ςετͷྫʢWJPMBUJPOʹͳΔέʔεʣ ϑϧΦʔϓϯʹͳ͍ͬͯΔͷͰ WJPMBUJPOʹͳΔ͜ͱΛςετ
ςετίʔυͷߏ QMBOͷ+40/ͱಉ͡ߏͰ ςετσʔλΛੜ XJUIBTΛͬͯ ςετσʔλΛ༩͑Δ
ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε
ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε • not Λ͚ͭΔ͚ͩ
ςετσʔλʹ͍ͭͯ • ެࣜυΩϡϝϯτͰɺςετίʔυʹ JSON Λ ॻ͍͍ͯΔ • Ҿ༻: https://www.openpolicyagent.org/docs/latest/policy-testing/
ςετσʔλʹ͍ͭͯ • ͔͠͠ JSON Λॻ͘ͱਏ͍έʔε͕ଟ͍ • ݱࡏ yaml Ͱॻ͍ͯ yaml.unmarshal
͍ͯ͠Δ
࠷ޙʹσόοάʹ͍ͭͯ • policy ͦͷςετΛॻ͍͍ͯΔͱσόοά͕ͨ͘͠ͳΔ • ҙͷՕॴʹ trace(string) ΛࠐΉ͜ͱͰσόοάग़ྗ ͕Մೳ •
`—trace` Φϓγϣϯ͖Ͱ Conftest Λ࣮ߦ