Terraform x OPA/Conftest tips
A collection of tips for working with Terraform in OPA/Conftest
Ryo Kubota
July 07, 2021
Technology
Transcript
Terraform x OPA/Conftest tips • Open Policy Agent Rego Knowledge Sharing Meetup #2021.07 • Ryo Kubota @ryok6t
Self-introduction • Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team manager
Background • Microservices are deployed on AWS EKS • The infrastructure of each service is managed as code with: • Kubernetes manifests • Terraform • Each development team writes this code itself • Conftest is used to assure its quality
Previous talk • https://speakerdeck.com/ryokbt/terraformfalserebiyuwoconftestdezi-dong-hua-suru
Today's content • Small tips for using OPA, especially with Terraform • A summary of what I would have liked to know before adopting OPA
First, turn the plan into JSON • Start by converting the plan result to JSON • terraform plan -out plan.tfplan • terraform show -json plan.tfplan | conftest test -
The Terraform plan JSON • A list of resources and the change to each one • The action applied (create, update, etc.) • The resource's attributes • Its state before and after the change
Writing a policy • Rule names get the violation/deny/warn prefix • Example: "if the resource type is security group and even one port is fully open, that is a violation"
Consolidating common processing • Many cases need the same processing • e.g. apply a rule only for a specific resource type • In the earlier example, apply it only to security groups • Writing it out every time is tedious
Common processing with a function • Return only the resources that match the received type
Moving common processing into a separate file • Create a package for the common processing
Calling common processing from another file • Import the common-processing package • So that it can be called as base.resources
Handling exception cases • There is no rule without exceptions • There are cases where only specific resources should be excluded from a rule
Handling exceptions with "exception" • When the exception logic matches, the rules named in rules are ignored • Below, "deny_foo", "violation_foo" and so on are ignored
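The exception mechanism described above, as an added example that is not from the talk. The rule name `open_sg`, the set of accepted addresses and the plan shape (the `resource_changes` array produced by `terraform show -json`) are assumptions made for this example.

```rego
package main

# Added example, not from the talk. The suffix after violation_ is the name an
# exception refers to: when `exception` yields ["open_sg"], Conftest drops
# deny_open_sg, violation_open_sg and warn_open_sg from the result.
violation_open_sg[msg] {
	rc := input.resource_changes[_]
	rc.type == "aws_security_group"
	rule := rc.change.after.ingress[_]
	rule.cidr_blocks[_] == "0.0.0.0/0"
	msg := sprintf("%v: ingress open to 0.0.0.0/0", [rc.address])
}

# Resource addresses that were reviewed and accepted as exceptions. Keeping
# the list in the policy file (not in the Terraform code) means the policy
# owners, not the change author, decide what is exempt. Constructed value.
accepted_open_sg := {"aws_security_group.public_lb"}

# When this body succeeds for the input, every rule listed in `rules` is
# ignored for that input.
exception[rules] {
	rc := input.resource_changes[_]
	accepted_open_sg[rc.address]
	rules := ["open_sg"]
}
```

Note that Conftest decides exceptions per input document, and a plan is one document: once the exception body matches any resource in the plan, `violation_open_sg` is silenced for every security group in that plan, not only the accepted one. When per-resource precision matters, filter inside the rule instead (for example `not accepted_open_sg[rc.address]` in the rule body) and reserve `exception` for cases where a plan-wide skip is really what you want.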
Writing tests • Rego's syntax has its quirks, so tests are important • Conftest itself can run tests easily
How to test • For foo.rego, prepare a file named foo_test.rego • Run conftest verify
Test example (a case that becomes a violation) • The port is fully open, so test that this results in a violation
Structure of the test code • Generate test data in the same structure as the plan JSON • Feed the test data with "with ... as"
Test example (a case that is not a violation) • Just add not
On test data • The official documentation writes JSON in the test code • Reference: https://www.openpolicyagent.org/docs/latest/policy-testing/
On test data • But writing JSON is often painful • Currently writing it in YAML and using yaml.unmarshal
Finally, on debugging • When writing policies and their tests you will want to debug • Inserting trace(string) at any point gives debug output • Run Conftest with the `--trace` option
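A worked version of the pieces above, added here as an example that is not from the talk: the plan-JSON policy with a violation rule, a `base` package whose `resources` function is imported and called as `base.resources`, a test file whose data is written in YAML and passed with `with input as`, and a `trace` call for `--trace`. The file names, the definition of "fully open" (0.0.0.0/0 on every port), and the two sample plans are assumptions; the three files are meant to sit under the policy directory given to Conftest.

```rego
# file: policy/base/base.rego
package base

# Shared helper: the resource_changes entries of one resource type whose
# planned state still exists (a delete has after == null and drops out).
resources(resource_type) = result {
	result := [rc |
		rc := input.resource_changes[_]
		rc.type == resource_type
		rc.change.after != null
	]
}

# file: policy/sg.rego
package main

import data.base

# "Fully open" is assumed to mean 0.0.0.0/0 on every port, either via
# protocol -1 or the full TCP/UDP port range.
fully_open(rule) {
	rule.cidr_blocks[_] == "0.0.0.0/0"
	rule.protocol == "-1"
}

fully_open(rule) {
	rule.cidr_blocks[_] == "0.0.0.0/0"
	rule.from_port == 0
	rule.to_port == 65535
}

# Only rules prefixed violation/deny/warn are reported by `conftest test`.
violation[msg] {
	sg := base.resources("aws_security_group")[_]
	rule := sg.change.after.ingress[_]
	# Shown by `conftest verify --trace` / `conftest test --trace`.
	trace(sprintf("checking %v ingress %v-%v", [sg.address, rule.from_port, rule.to_port]))
	fully_open(rule)
	msg := sprintf("%v: ingress %v-%v/%v is open to 0.0.0.0/0",
		[sg.address, rule.from_port, rule.to_port, rule.protocol])
}

# file: policy/sg_test.rego
package main

# Constructed test data in the shape of `terraform show -json` output,
# written as YAML and unmarshalled because JSON literals get unwieldy.
open_plan := yaml.unmarshal(`
resource_changes:
  - address: aws_security_group.web
    type: aws_security_group
    change:
      actions: [create]
      after:
        ingress:
          - {from_port: 0, to_port: 65535, protocol: tcp, cidr_blocks: ["0.0.0.0/0"]}
`)

# A restricted ingress plus a deletion, which must not produce a violation.
closed_plan := yaml.unmarshal(`
resource_changes:
  - address: aws_security_group.web
    type: aws_security_group
    change:
      actions: [update]
      after:
        ingress:
          - {from_port: 443, to_port: 443, protocol: tcp, cidr_blocks: ["10.0.0.0/8"]}
  - address: aws_security_group.old
    type: aws_security_group
    change:
      actions: [delete]
      after: null
`)

test_fully_open_ingress_is_violation {
	violation["aws_security_group.web: ingress 0-65535/tcp is open to 0.0.0.0/0"] with input as open_plan
}

# The negative case is the same check with `not` in front of it.
test_restricted_ingress_is_not_violation {
	not violation[_] with input as closed_plan
}
```

`conftest verify -p policy --trace` runs the two tests and prints the trace notes; `terraform show -json plan.tfplan | conftest test -p policy -` evaluates the same policy against a real plan. The `base.resources` helper filters out deleted resources on purpose: their `after` state is null, so a rule that iterated over `after.ingress` would simply be undefined for them, but making the filter explicit keeps every policy file from having to remember that detail.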