Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Terraform x OPA/Conftest の tips
Search
Ryo Kubota
July 07, 2021
Technology
0
840
Terraform x OPA/Conftest の tips
OPA/Conftest で Terraform を扱う際の tips のまとめ
Ryo Kubota
July 07, 2021
Tweet
Share
More Decks by Ryo Kubota
See All by Ryo Kubota
TerraformのレビューをConftestで自動化する
ryokbt
3
1.3k
Handling TV Ad Traffic Influx with Microservices
ryokbt
0
1.4k
Other Decks in Technology
See All in Technology
.NETの非同期戦略とUnityとの相互運用
neuecc
2
2.4k
長文から長文を生成するLLMツールをオープンソースで作ってみた。
tomohisa
2
140
20240321_生成AI時代のDevOps
kzkmaeda
2
600
単回帰分析について数式を追いながら実装してみた
kentaitakura
0
490
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
7
100k
MongoDB Atlas Vectorsearchではじめる生成AIアプリ開発
chie8842
3
500
Tohoku.Tech #1 「EC-CUBE/AWSの構築をChatGPTに相談してみました」by テンダ
jun2882
0
140
私のRSpecの書き方 / How I write RSpec
tmtms
4
820
大規模なアジャイル開発の現場と技術負債 / Technical Debt
yoshiitaka
20
3.9k
統計的学習理論読み Chapter 1
kmatsui
3
520
LLM + RAG を使った SORACOM Support Bot の裏側の歴史
soracom
PRO
1
630
AMLD 2024 - Build Your Own GPT
donlelef
1
260
Featured
See All Featured
Large-scale JavaScript Application Architecture
addyosmani
501
110k
Designing on Purpose - Digital PM Summit 2013
jponch
109
6.4k
Designing for humans not robots
tammielis
247
25k
Being A Developer After 40
akosma
56
580k
Reflections from 52 weeks, 52 projects
jeffersonlam
343
19k
GraphQLとの向き合い方2022年版
quramy
28
12k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
111
35k
The Invisible Customer
myddelton
114
12k
Faster Mobile Websites
deanohume
296
30k
Robots, Beer and Maslow
schacon
PRO
154
7.9k
Optimizing for Happiness
mojombo
369
69k
What's new in Ruby 2.0
geeforr
335
31k
Transcript
5FSSBGPSNY01"$POGUFTUͷ UJQT Open Policy Agent Rego Knowledge Sharing Meetup
#2021.07 Ryo Kubota @ryok6t
• Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team
manager ࣗݾհ
લఏ • ϚΠΫϩαʔϏεΛ AWS EKS ্ʹσϓϩΠ • ֤αʔϏεͷΠϯϑϥҎԼͰίʔυཧ • Kubernetes
ͷ manifest • Terraform • ֤։ൃνʔϜ͕ࣗͰ͜ΕΒͷίʔυΛॻ͍͍ͯΔ • ࣭ͷ୲อͷͨΊʹ Conftest Λར༻
Ҏલͷൃද • https://speakerdeck.com/ryokbt/terraformfalserebiyuwoconftestdezi-dong-hua-suru
ຊͷ༰ • ʢಛʹʣTerraform Ͱ OPA Λ͏߹ͷͪΐͬͱͨ͠ίπ • ͕ࣗ OPA Λಋೖ͢ΔલʹΓ͔ͨͬͨ͜ͱͷ·ͱΊ
·ͣQMBOΛ+40/ʹ • plan ݁ՌΛ JSON ʹ͢Δͱ͜Ζ͔Β • terraform plan -out
plan.tfplan • terraform show -json plan.tfplan | conftest test -
5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷใ มߋલมߋޙͷঢ়ଶ
ϙϦγʔΛॻ͘ WJPMBUJPOEFOZXBSOͷQSFpYΛ͚ͭΔ • ʮresource type ͕ security group Ͱɺport ͕
ϑϧΦʔϓϯͳͷ͕1ݸͰ͋Ε violationʯ
ڞ௨ͷॲཧΛ·ͱΊΔ • ڞ௨ͷॲཧΛ͢Δέʔε͕ଟ͍ • e.g. ಛఆͷ resource type ͷ࣌ͷΈద༻͢Δ •
ઌͷྫͩͱɺsecurity group ͷ͚࣌ͩద༻͢ΔͳͲ • ຖճॻ͘ͷ໘
GVODUJPOΛͬͨڞ௨ॲཧ ड͚औͬͨUZQFʹ ͯ·Δͷ͚ͩΛฦ͢
ڞ௨ॲཧΛผͷϑΝΠϧʹΓग़͢ • ڞ௨ॲཧ༻ͷ package Λ࡞͓ͬͯ͘
ڞ௨ॲཧΛผϑΝΠϧ͔Βݺͼग़͢ ڞ௨ॲཧ༻ͷQBDLBHFΛJNQPSU CBTFSFTPVSDFTͰݺͼग़ͤΔΑ͏ʹ
ྫ֎έʔεΛѻ͏ • There is no rule without exceptions • ಛఆͷϦιʔε͚ͩϧʔϧͷର֎ʹ͍ͨ͠έʔε͕ଘࡏ
lFYDFQUJPOzΛͬͯྫ֎ʹରԠ • ྫ֎ͷϩδοΫʹͯ·ͬͨ߹ɺrules Ͱࢦఆͨ͠ ͷແࢹ͞ΕΔ • ҎԼͰ “deny_foo”, “violation_foo” ͳͲ͕ແࢹ͞ΕΔ
ςετΛॻ͘ • Rego ͷจ๏ʹΫη͕͋ΔͨΊɺςετ͕ॏཁ • Conftest ࣗମͰ؆୯ʹςετ͕Մೳ
ςετͷํ๏ • foo.rego ʹରͯ͠ɺfoo_test.rego ͱ͍͏ϑΝΠϧΛ༻ҙ • conftest verify Λ࣮ߦ
ςετͷྫʢWJPMBUJPOʹͳΔέʔεʣ ϑϧΦʔϓϯʹͳ͍ͬͯΔͷͰ WJPMBUJPOʹͳΔ͜ͱΛςετ
ςετίʔυͷߏ QMBOͷ+40/ͱಉ͡ߏͰ ςετσʔλΛੜ XJUIBTΛͬͯ ςετσʔλΛ༩͑Δ
ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε
ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε • not Λ͚ͭΔ͚ͩ
ςετσʔλʹ͍ͭͯ • ެࣜυΩϡϝϯτͰɺςετίʔυʹ JSON Λ ॻ͍͍ͯΔ • Ҿ༻: https://www.openpolicyagent.org/docs/latest/policy-testing/
ςετσʔλʹ͍ͭͯ • ͔͠͠ JSON Λॻ͘ͱਏ͍έʔε͕ଟ͍ • ݱࡏ yaml Ͱॻ͍ͯ yaml.unmarshal
͍ͯ͠Δ
࠷ޙʹσόοάʹ͍ͭͯ • policy ͦͷςετΛॻ͍͍ͯΔͱσόοά͕ͨ͘͠ͳΔ • ҙͷՕॴʹ trace(string) ΛࠐΉ͜ͱͰσόοάग़ྗ ͕Մೳ •
`—trace` Φϓγϣϯ͖Ͱ Conftest Λ࣮ߦ