Terraform x OPA/Conftest の tips

5FSSBGPSNY01"$POGUFTUͷ UJQT Open Policy Agent Rego   Knowledge Sharing Meetup
#2021.07 Ryo Kubota @ryok6t

• Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team
manager ࣗݾ঺հ

લఏ • ϚΠΫϩαʔϏεΛ AWS EKS ্ʹσϓϩΠ • ֤αʔϏεͷΠϯϑϥ͸ҎԼͰίʔυ؅ཧ • Kubernetes
ͷ manifest • Terraform • ֤։ൃνʔϜ͕ࣗ਎Ͱ͜ΕΒͷίʔυΛॻ͍͍ͯΔ • ࣭ͷ୲อͷͨΊʹ Conftest Λར༻

Ҏલͷൃද • https://speakerdeck.com/ryokbt/terraformfalserebiyuwoconftestdezi-dong-hua-suru

ຊ೔ͷ಺༰ • ʢಛʹʣTerraform Ͱ OPA Λ࢖͏৔߹ͷͪΐͬͱͨ͠ίπ • ࣗ෼͕ OPA Λಋೖ͢Δલʹ஌Γ͔ͨͬͨ͜ͱͷ·ͱΊ

·ͣ͸QMBOΛ+40/ʹ • plan ݁ՌΛ JSON ʹ͢Δͱ͜Ζ͔Β • terraform plan -out
plan.tfplan • terraform show -json plan.tfplan | conftest test -

5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷ৘ใ มߋલมߋޙͷঢ়ଶ

ϙϦγʔΛॻ͘ WJPMBUJPOEFOZXBSOͷQSFpYΛ͚ͭΔ • ʮresource type ͕ security group Ͱɺport ͕ 
ϑϧΦʔϓϯͳ΋ͷ͕1ݸͰ΋͋Ε͹ violationʯ

ڞ௨ͷॲཧΛ·ͱΊΔ • ڞ௨ͷॲཧΛ͢Δέʔε͕ଟ͍ • e.g. ಛఆͷ resource type ͷ࣌ͷΈద༻͢Δ •
ઌͷྫͩͱɺsecurity group ͷ͚࣌ͩద༻͢ΔͳͲ • ຖճॻ͘ͷ͸໘౗

GVODUJPOΛ࢖ͬͨڞ௨ॲཧ ड͚औͬͨUZQFʹ  ౰ͯ͸·Δ΋ͷ͚ͩΛฦ͢

ڞ௨ॲཧΛผͷϑΝΠϧʹ੾Γग़͢ • ڞ௨ॲཧ༻ͷ package Λ࡞͓ͬͯ͘

ڞ௨ॲཧΛผϑΝΠϧ͔Βݺͼग़͢ ڞ௨ॲཧ༻ͷQBDLBHFΛJNQPSU CBTFSFTPVSDFTͰݺͼग़ͤΔΑ͏ʹ

ྫ֎έʔεΛѻ͏ • There is no rule without exceptions • ಛఆͷϦιʔε͚ͩϧʔϧͷର৅֎ʹ͍ͨ͠έʔε͕ଘࡏ

lFYDFQUJPOzΛ࢖ͬͯྫ֎ʹରԠ • ྫ֎ͷϩδοΫʹ౰ͯ͸·ͬͨ৔߹ɺrules Ͱࢦఆͨ͠΋ ͷ͸ແࢹ͞ΕΔ • ҎԼͰ͸ “deny_foo”, “violation_foo” ͳͲ͕ແࢹ͞ΕΔ

ςετΛॻ͘ • Rego ͷจ๏ʹ͸Ϋη͕͋ΔͨΊɺςετ͕ॏཁ • Conftest ࣗମͰ؆୯ʹςετ͕Մೳ

ςετͷํ๏ • foo.rego ʹରͯ͠ɺfoo_test.rego ͱ͍͏ϑΝΠϧΛ༻ҙ • conftest verify Λ࣮ߦ

ςετͷྫʢWJPMBUJPOʹͳΔέʔεʣ ϑϧΦʔϓϯʹͳ͍ͬͯΔͷͰ  WJPMBUJPOʹͳΔ͜ͱΛςετ

ςετίʔυͷߏ଄ QMBOͷ+40/ͱಉ͡ߏ଄Ͱ ςετσʔλΛੜ੒ XJUIBTΛ࢖ͬͯ  ςετσʔλΛ༩͑Δ

ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε

ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε • not Λ͚ͭΔ͚ͩ

ςετσʔλʹ͍ͭͯ • ެࣜυΩϡϝϯτͰ͸ɺςετίʔυʹ JSON Λ௚઀  ॻ͍͍ͯΔ • Ҿ༻: https://www.openpolicyagent.org/docs/latest/policy-testing/

ςετσʔλʹ͍ͭͯ • ͔͠͠ JSON Λ௚઀ॻ͘ͱਏ͍έʔε͕ଟ͍ • ݱࡏ͸ yaml Ͱॻ͍ͯ yaml.unmarshal
͍ͯ͠Δ

࠷ޙʹσόοάʹ͍ͭͯ • policy ΍ͦͷςετΛॻ͍͍ͯΔͱσόοά͕ͨ͘͠ͳΔ • ೚ҙͷՕॴʹ trace(string) Λ࢓ࠐΉ͜ͱͰσόοάग़ྗ ͕Մೳ •
`—trace` Φϓγϣϯ෇͖Ͱ Conftest Λ࣮ߦ

Terraform x OPA/Conftest の tips

Terraform x OPA/Conftest の tips

Ryo Kubota

More Decks by Ryo Kubota

Other Decks in Technology

Featured

Transcript

5FSSBGPSNY01"$POGUFTUͷ UJQT Open Policy Agent Rego   Knowledge Sharing Meetup

• Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team

લఏ • ϚΠΫϩαʔϏεΛ AWS EKS ্ʹσϓϩΠ • ֤αʔϏεͷΠϯϑϥ͸ҎԼͰίʔυ؅ཧ • Kubernetes

Ҏલͷൃද • https://speakerdeck.com/ryokbt/terraformfalserebiyuwoconftestdezi-dong-hua-suru

ຊ೔ͷ಺༰ • ʢಛʹʣTerraform Ͱ OPA Λ࢖͏৔߹ͷͪΐͬͱͨ͠ίπ • ࣗ෼͕ OPA Λಋೖ͢Δલʹ஌Γ͔ͨͬͨ͜ͱͷ·ͱΊ

·ͣ͸QMBOΛ+40/ʹ • plan ݁ՌΛ JSON ʹ͢Δͱ͜Ζ͔Β • terraform plan -out

5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷ৘ใ มߋલมߋޙͷঢ়ଶ

ϙϦγʔΛॻ͘ WJPMBUJPOEFOZXBSOͷQSFpYΛ͚ͭΔ • ʮresource type ͕ security group Ͱɺport ͕

ڞ௨ͷॲཧΛ·ͱΊΔ • ڞ௨ͷॲཧΛ͢Δέʔε͕ଟ͍ • e.g. ಛఆͷ resource type ͷ࣌ͷΈద༻͢Δ •

GVODUJPOΛ࢖ͬͨڞ௨ॲཧ ड͚औͬͨUZQFʹ  ౰ͯ͸·Δ΋ͷ͚ͩΛฦ͢

ڞ௨ॲཧΛผͷϑΝΠϧʹ੾Γग़͢ • ڞ௨ॲཧ༻ͷ package Λ࡞͓ͬͯ͘

ڞ௨ॲཧΛผϑΝΠϧ͔Βݺͼग़͢ ڞ௨ॲཧ༻ͷQBDLBHFΛJNQPSU CBTFSFTPVSDFTͰݺͼग़ͤΔΑ͏ʹ

ྫ֎έʔεΛѻ͏ • There is no rule without exceptions • ಛఆͷϦιʔε͚ͩϧʔϧͷର৅֎ʹ͍ͨ͠έʔε͕ଘࡏ

lFYDFQUJPOzΛ࢖ͬͯྫ֎ʹରԠ • ྫ֎ͷϩδοΫʹ౰ͯ͸·ͬͨ৔߹ɺrules Ͱࢦఆͨ͠΋ ͷ͸ແࢹ͞ΕΔ • ҎԼͰ͸ “deny_foo”, “violation_foo” ͳͲ͕ແࢹ͞ΕΔ

ςετΛॻ͘ • Rego ͷจ๏ʹ͸Ϋη͕͋ΔͨΊɺςετ͕ॏཁ • Conftest ࣗମͰ؆୯ʹςετ͕Մೳ

ςετͷํ๏ • foo.rego ʹରͯ͠ɺfoo_test.rego ͱ͍͏ϑΝΠϧΛ༻ҙ • conftest verify Λ࣮ߦ

ςετͷྫʢWJPMBUJPOʹͳΔέʔεʣ ϑϧΦʔϓϯʹͳ͍ͬͯΔͷͰ  WJPMBUJPOʹͳΔ͜ͱΛςετ

ςετίʔυͷߏ଄ QMBOͷ+40/ͱಉ͡ߏ଄Ͱ ςετσʔλΛੜ੒ XJUIBTΛ࢖ͬͯ  ςετσʔλΛ༩͑Δ

ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε

ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε • not Λ͚ͭΔ͚ͩ

ςετσʔλʹ͍ͭͯ • ެࣜυΩϡϝϯτͰ͸ɺςετίʔυʹ JSON Λ௚઀  ॻ͍͍ͯΔ • Ҿ༻: https://www.openpolicyagent.org/docs/latest/policy-testing/

ςετσʔλʹ͍ͭͯ • ͔͠͠ JSON Λ௚઀ॻ͘ͱਏ͍έʔε͕ଟ͍ • ݱࡏ͸ yaml Ͱॻ͍ͯ yaml.unmarshal

࠷ޙʹσόοάʹ͍ͭͯ • policy ΍ͦͷςετΛॻ͍͍ͯΔͱσόοά͕ͨ͘͠ͳΔ • ೚ҙͷՕॴʹ trace(string) Λ࢓ࠐΉ͜ͱͰσόοάग़ྗ ͕Մೳ •