Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Terraform x OPA/Conftest の tips

Ryo Kubota
July 07, 2021
Technology
0
1k

Terraform x OPA/Conftest の tips

OPA/Conftest で Terraform を扱う際の tips のまとめ

Ryo Kubota

July 07, 2021
Tweet

More Decks by Ryo Kubota

See All by Ryo Kubota
TerraformのレビューをConftestで自動化する
ryokbt
3
1.6k
Handling TV Ad Traffic Influx with Microservices
ryokbt
0
1.5k

Other Decks in Technology

See All in Technology
CodePipelineのアクション統合から学ぶAWS CDKの抽象化技術 / codepipeline-actions-cdk-abstraction
gotok365
5
210
PagerDuty×ポストモーテムで築く障害対応文化/Building a culture of incident response with PagerDuty and postmortems
aeonpeople
1
320
ソフトウェア開発現代史: "LeanとDevOpsの科学"の「科学」とは何か? - DORA Report 10年の変遷を追って - #DevOpsDaysTokyo
takabow
0
390
Conquering PDFs: document understanding beyond plain text
inesmontani
PRO
0
110
Running JavaScript within Ruby
hmsk
3
340
Linuxのパッケージ管理とアップデート基礎知識
go_nishimoto
0
380
SREからゼロイチプロダクト開発へ ー越境する打席の立ち方と期待への応え方ー / Product Engineering Night #8
itkq
2
930
AIエージェント開発手法と業務導入のプラクティス
ykosaka
3
1.5k
より良い開発者体験を実現するために~開発初心者が感じた生成AIの可能性~
masakiokuda
0
200
OpenLane-V2ベンチマークと代表的な手法
kzykmyzw
0
100
AIコーディングの最前線 〜活用のコツと課題〜
pharma_x_tech
3
1.9k
2025-04-24 "Manga AI Understanding & Localization" Furukawa Arata (CyberAgent, Inc)
ornew
2
210

Featured

See All Featured
Reflections from 52 weeks, 52 projects
jeffersonlam
349
20k
Adopting Sorbet at Scale
ufuk
76
9.3k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.6k
RailsConf 2023
tenderlove
30
1.1k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.1k
For a Future-Friendly Web
brad_frost
176
9.7k
4 Signs Your Business is Dying
shpigford
183
22k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Facilitating Awesome Meetings
lara
54
6.3k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.8k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
VelocityConf: Rendering Performance Case Studies
addyosmani
328
24k

Transcript

  1. 5FSSBGPSNY01"$POGUFTUͷ UJQT Open Policy Agent Rego 
 Knowledge Sharing Meetup

    #2021.07 Ryo Kubota @ryok6t

  2. • Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team

    manager ࣗݾ঺հ

  3. લఏ • ϚΠΫϩαʔϏεΛ AWS EKS ্ʹσϓϩΠ • ֤αʔϏεͷΠϯϑϥ͸ҎԼͰίʔυ؅ཧ • Kubernetes

    ͷ manifest • Terraform • ֤։ൃνʔϜ͕ࣗ਎Ͱ͜ΕΒͷίʔυΛॻ͍͍ͯΔ • ࣭ͷ୲อͷͨΊʹ Conftest Λར༻

  4. Ҏલͷൃද • https://speakerdeck.com/ryokbt/terraformfalserebiyuwoconftestdezi-dong-hua-suru

  5. ຊ೔ͷ಺༰ • ʢಛʹʣTerraform Ͱ OPA Λ࢖͏৔߹ͷͪΐͬͱͨ͠ίπ • ࣗ෼͕ OPA Λಋೖ͢Δલʹ஌Γ͔ͨͬͨ͜ͱͷ·ͱΊ

  6. ·ͣ͸QMBOΛ+40/ʹ • plan ݁ՌΛ JSON ʹ͢Δͱ͜Ζ͔Β • terraform plan -out

    plan.tfplan • terraform show -json plan.tfplan | conftest test -

  7. 5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷ৘ใ มߋલมߋޙͷঢ়ଶ

  8. ϙϦγʔΛॻ͘ WJPMBUJPOEFOZXBSOͷQSFpYΛ͚ͭΔ • ʮresource type ͕ security group Ͱɺport ͕


    ϑϧΦʔϓϯͳ΋ͷ͕1ݸͰ΋͋Ε͹ violationʯ

  9. ڞ௨ͷॲཧΛ·ͱΊΔ • ڞ௨ͷॲཧΛ͢Δέʔε͕ଟ͍ • e.g. ಛఆͷ resource type ͷ࣌ͷΈద༻͢Δ •

    ઌͷྫͩͱɺsecurity group ͷ͚࣌ͩద༻͢ΔͳͲ • ຖճॻ͘ͷ͸໘౗

  10. GVODUJPOΛ࢖ͬͨڞ௨ॲཧ ड͚औͬͨUZQFʹ
 ౰ͯ͸·Δ΋ͷ͚ͩΛฦ͢

  11. ڞ௨ॲཧΛผͷϑΝΠϧʹ੾Γग़͢ • ڞ௨ॲཧ༻ͷ package Λ࡞͓ͬͯ͘

  12. ڞ௨ॲཧΛผϑΝΠϧ͔Βݺͼग़͢ ڞ௨ॲཧ༻ͷQBDLBHFΛJNQPSU CBTFSFTPVSDFTͰݺͼग़ͤΔΑ͏ʹ

  13. ྫ֎έʔεΛѻ͏ • There is no rule without exceptions • ಛఆͷϦιʔε͚ͩϧʔϧͷର৅֎ʹ͍ͨ͠έʔε͕ଘࡏ

  14. lFYDFQUJPOzΛ࢖ͬͯྫ֎ʹରԠ • ྫ֎ͷϩδοΫʹ౰ͯ͸·ͬͨ৔߹ɺrules Ͱࢦఆͨ͠΋ ͷ͸ແࢹ͞ΕΔ • ҎԼͰ͸ “deny_foo”, “violation_foo” ͳͲ͕ແࢹ͞ΕΔ

  15. ςετΛॻ͘ • Rego ͷจ๏ʹ͸Ϋη͕͋ΔͨΊɺςετ͕ॏཁ • Conftest ࣗମͰ؆୯ʹςετ͕Մೳ

  16. ςετͷํ๏ • foo.rego ʹରͯ͠ɺfoo_test.rego ͱ͍͏ϑΝΠϧΛ༻ҙ • conftest verify Λ࣮ߦ

  17. ςετͷྫʢWJPMBUJPOʹͳΔέʔεʣ ϑϧΦʔϓϯʹͳ͍ͬͯΔͷͰ
 WJPMBUJPOʹͳΔ͜ͱΛςετ

  18. ςετίʔυͷߏ଄ QMBOͷ+40/ͱಉ͡ߏ଄Ͱ ςετσʔλΛੜ੒ XJUIBTΛ࢖ͬͯ
 ςετσʔλΛ༩͑Δ

  19. ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε

  20. ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε • not Λ͚ͭΔ͚ͩ

  21. ςετσʔλʹ͍ͭͯ • ެࣜυΩϡϝϯτͰ͸ɺςετίʔυʹ JSON Λ௚઀
 ॻ͍͍ͯΔ • Ҿ༻: https://www.openpolicyagent.org/docs/latest/policy-testing/

  22. ςετσʔλʹ͍ͭͯ • ͔͠͠ JSON Λ௚઀ॻ͘ͱਏ͍έʔε͕ଟ͍ • ݱࡏ͸ yaml Ͱॻ͍ͯ yaml.unmarshal

    ͍ͯ͠Δ

  23. ࠷ޙʹσόοάʹ͍ͭͯ • policy ΍ͦͷςετΛॻ͍͍ͯΔͱσόοά͕ͨ͘͠ͳΔ • ೚ҙͷՕॴʹ trace(string) Λ࢓ࠐΉ͜ͱͰσόοάग़ྗ ͕Մೳ •

    `—trace` Φϓγϣϯ෇͖Ͱ Conftest Λ࣮ߦ