Summary of tips for working with Terraform in OPA/Conftest
Terraform × OPA/Conftest tips
Open Policy Agent Rego Knowledge Sharing Meetup #2021.07
Ryo Kubota @ryok6t
Self-introduction
• Ryo Kubota (@ryok6t)
• FiNC Technologies
• SRE Team manager
Background
• Microservices are deployed on AWS EKS
• Each service's infrastructure is managed as code with:
• Kubernetes manifests
• Terraform
• Each development team writes this code themselves
• Conftest is used to ensure quality
Previous talk
• https://speakerdeck.com/ryokbt/terraformfalserebiyuwoconftestdezi-dong-hua-suru
Today's content
• Small tips for using OPA with Terraform in particular
• A summary of what I wish I had known before introducing OPA
First, turn the plan into JSON
• Start by converting the plan result to JSON
• terraform plan -out plan.tfplan
• terraform show -json plan.tfplan | conftest test -
Terraform plan JSON
• A list of resources and the changes to them
• The operation applied (create, update, etc.)
• The resource's information
• State before and after the change
Writing a policy: use the violation / deny / warn prefix
• "If the resource type is security group and even one port is fully open, it is a violation"
Consolidating common processing
• Many cases share the same processing
• e.g. apply only for a specific resource type
• In the earlier example, apply only for security groups
• Writing it every time is tedious
Common processing with a function
• Returns only the resources that match the received type
Moving common processing to a separate file
• Create a package for the common processing
Calling common processing from another file
• import the common-processing package
• so it can be called as base.resources
Handling exception cases
• There is no rule without exceptions
• There are cases where you want to exclude only specific resources from a rule
Handling exceptions with “exception”
• When the exception logic matches, the rules specified in rules are ignored
• In the example below, “deny_foo”, “violation_foo”, etc. are ignored
Writing tests
• Rego's syntax has its quirks, so tests are important
• Conftest itself can run tests easily
How to test
• For foo.rego, prepare a file named foo_test.rego
• Run conftest verify
Test example (a case that becomes a violation)
• The port is fully open, so test that it becomes a violation
Structure of the test code
• Generate test data with the same structure as the plan JSON
• Provide the test data with `with ... as`
Test example (a case that is not a violation)
• Just add not
About test data
• The official documentation writes JSON in the test code
• Reference: https://www.openpolicyagent.org/docs/latest/policy-testing/
About test data
• However, writing JSON is painful in many cases
• Currently I write it in YAML and use yaml.unmarshal
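As an added example (not the slides' own code), the pieces described on the helper, exception and test slides put together in Rego v0 syntax: a shared base.resources helper, a named violation_open_sg rule with an exception, and a conftest verify test that builds its input from YAML with yaml.unmarshal. Three files are shown in one block separated by comments; the resource addresses, the plan fragment and the exempted address are constructed assumptions.

```rego
# --- policy/base.rego: shared helper package (the slides' base.resources) ---
package base
# Only the plan's resource_changes entries of the requested type, so rule files need not repeat the filter.
resources(type) = matched {
    matched := [rc | rc := input.resource_changes[_]; rc.type == type]
}

# --- policy/sg.rego: the "fully open security group" rule ---
package main
import data.base
# An ingress block reachable from anywhere on IPv4 or IPv6.
world_open(ing) { ing.cidr_blocks[_] == "0.0.0.0/0" }
world_open(ing) { ing.ipv6_cidr_blocks[_] == "::/0" }
# Named rule (violation_<suffix>) so an exception can exempt just this one.
violation_open_sg[msg] {
    sg := base.resources("aws_security_group")[_]
    ing := sg.change.after.ingress[_]
    world_open(ing)
    msg := sprintf("%s: port %d-%d is open to the world", [sg.address, ing.from_port, ing.to_port])
}
# Hypothetical address. Conftest evaluates exceptions per input document,
# so this exempts violation_open_sg for the whole plan, not for one resource.
exception[rules] {
    input.resource_changes[_].address == "aws_security_group.public_lb"
    rules := ["open_sg"]
}

# --- policy/sg_test.rego: run with `conftest verify` ---
package main
# Constructed plan fragment shaped like `terraform show -json` output, written as YAML and unmarshalled.
plan_with_cidr(cidr) = plan {
    plan := yaml.unmarshal(sprintf(`
resource_changes:
- address: aws_security_group.web
  type: aws_security_group
  change:
    actions: [create]
    after:
      ingress:
      - {from_port: 22, to_port: 22, cidr_blocks: ["%s"], ipv6_cidr_blocks: []}
`, [cidr]))
}
test_full_open_is_violation {
    plan := plan_with_cidr("0.0.0.0/0")
    count(violation_open_sg) == 1 with input as plan
}
test_internal_cidr_passes {
    plan := plan_with_cidr("10.0.0.0/8")
    count(violation_open_sg) == 0 with input as plan
}
```

Because a Terraform plan is a single input document, a Conftest exception exempts the named rule for every resource in that plan; per-resource exemptions are better expressed inside the rule body itself.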
Finally, on debugging
• When writing policies and their tests, you will want to debug
• Inserting trace(string) anywhere gives debug output
• Run Conftest with the `--trace` option