Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Terraform x OPA/Conftest の tips
Search
Ryo Kubota
July 07, 2021
Technology
0
1k
Terraform x OPA/Conftest の tips
OPA/Conftest で Terraform を扱う際の tips のまとめ
Ryo Kubota
July 07, 2021
Tweet
Share
More Decks by Ryo Kubota
See All by Ryo Kubota
TerraformのレビューをConftestで自動化する
ryokbt
3
1.7k
Handling TV Ad Traffic Influx with Microservices
ryokbt
0
1.5k
Other Decks in Technology
See All in Technology
自作JSエンジンに推しプロポーザルを実装したい!
sajikix
1
170
実践!カスタムインストラクション&スラッシュコマンド
puku0x
0
370
AI開発ツールCreateがAnythingになったよ
tendasato
0
120
Platform開発が先行する Platform Engineeringの違和感
kintotechdev
4
550
下手な強制、ダメ!絶対! 「ガードレール」を「檻」にさせない"ガバナンス"の取り方とは?
tsukaman
2
430
Django's GeneratedField by example - DjangoCon US 2025
pauloxnet
0
140
AIのグローバルトレンド2025 #scrummikawa / global ai trend
kyonmm
PRO
1
270
20250910_障害注入から効率的復旧へ_カオスエンジニアリング_生成AIで考えるAWS障害対応.pdf
sh_fk2
3
240
Evolución del razonamiento matemático de GPT-4.1 a GPT-5 - Data Aventura Summit 2025 & VSCode DevDays
lauchacarro
0
170
5年目から始める Vue3 サイト改善 #frontendo
tacck
PRO
3
220
CDK CLIで使ってたあの機能、CDK Toolkit Libraryではどうやるの?
smt7174
4
140
La gouvernance territoriale des données grâce à la plateforme Terreze
bluehats
0
160
Featured
See All Featured
Optimizing for Happiness
mojombo
379
70k
The Art of Programming - Codeland 2020
erikaheidi
56
13k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Designing for Performance
lara
610
69k
Building Better People: How to give real-time feedback that sticks.
wjessup
368
19k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
112
20k
RailsConf 2023
tenderlove
30
1.2k
Documentation Writing (for coders)
carmenintech
74
5k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.9k
Making Projects Easy
brettharned
117
6.4k
How to Ace a Technical Interview
jacobian
279
23k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
285
13k
Transcript
5FSSBGPSNY01"$POGUFTUͷ UJQT Open Policy Agent Rego Knowledge Sharing Meetup
#2021.07 Ryo Kubota @ryok6t
• Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team
manager ࣗݾհ
લఏ • ϚΠΫϩαʔϏεΛ AWS EKS ্ʹσϓϩΠ • ֤αʔϏεͷΠϯϑϥҎԼͰίʔυཧ • Kubernetes
ͷ manifest • Terraform • ֤։ൃνʔϜ͕ࣗͰ͜ΕΒͷίʔυΛॻ͍͍ͯΔ • ࣭ͷ୲อͷͨΊʹ Conftest Λར༻
Ҏલͷൃද • https://speakerdeck.com/ryokbt/terraformfalserebiyuwoconftestdezi-dong-hua-suru
ຊͷ༰ • ʢಛʹʣTerraform Ͱ OPA Λ͏߹ͷͪΐͬͱͨ͠ίπ • ͕ࣗ OPA Λಋೖ͢ΔલʹΓ͔ͨͬͨ͜ͱͷ·ͱΊ
·ͣQMBOΛ+40/ʹ • plan ݁ՌΛ JSON ʹ͢Δͱ͜Ζ͔Β • terraform plan -out
plan.tfplan • terraform show -json plan.tfplan | conftest test -
5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷใ มߋલมߋޙͷঢ়ଶ
ϙϦγʔΛॻ͘ WJPMBUJPOEFOZXBSOͷQSFpYΛ͚ͭΔ • ʮresource type ͕ security group Ͱɺport ͕
ϑϧΦʔϓϯͳͷ͕1ݸͰ͋Ε violationʯ
ڞ௨ͷॲཧΛ·ͱΊΔ • ڞ௨ͷॲཧΛ͢Δέʔε͕ଟ͍ • e.g. ಛఆͷ resource type ͷ࣌ͷΈద༻͢Δ •
ઌͷྫͩͱɺsecurity group ͷ͚࣌ͩద༻͢ΔͳͲ • ຖճॻ͘ͷ໘
GVODUJPOΛͬͨڞ௨ॲཧ ड͚औͬͨUZQFʹ ͯ·Δͷ͚ͩΛฦ͢
ڞ௨ॲཧΛผͷϑΝΠϧʹΓग़͢ • ڞ௨ॲཧ༻ͷ package Λ࡞͓ͬͯ͘
ڞ௨ॲཧΛผϑΝΠϧ͔Βݺͼग़͢ ڞ௨ॲཧ༻ͷQBDLBHFΛJNQPSU CBTFSFTPVSDFTͰݺͼग़ͤΔΑ͏ʹ
ྫ֎έʔεΛѻ͏ • There is no rule without exceptions • ಛఆͷϦιʔε͚ͩϧʔϧͷର֎ʹ͍ͨ͠έʔε͕ଘࡏ
lFYDFQUJPOzΛͬͯྫ֎ʹରԠ • ྫ֎ͷϩδοΫʹͯ·ͬͨ߹ɺrules Ͱࢦఆͨ͠ ͷແࢹ͞ΕΔ • ҎԼͰ “deny_foo”, “violation_foo” ͳͲ͕ແࢹ͞ΕΔ
ςετΛॻ͘ • Rego ͷจ๏ʹΫη͕͋ΔͨΊɺςετ͕ॏཁ • Conftest ࣗମͰ؆୯ʹςετ͕Մೳ
ςετͷํ๏ • foo.rego ʹରͯ͠ɺfoo_test.rego ͱ͍͏ϑΝΠϧΛ༻ҙ • conftest verify Λ࣮ߦ
ςετͷྫʢWJPMBUJPOʹͳΔέʔεʣ ϑϧΦʔϓϯʹͳ͍ͬͯΔͷͰ WJPMBUJPOʹͳΔ͜ͱΛςετ
ςετίʔυͷߏ QMBOͷ+40/ͱಉ͡ߏͰ ςετσʔλΛੜ XJUIBTΛͬͯ ςετσʔλΛ༩͑Δ
ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε
ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε • not Λ͚ͭΔ͚ͩ
ςετσʔλʹ͍ͭͯ • ެࣜυΩϡϝϯτͰɺςετίʔυʹ JSON Λ ॻ͍͍ͯΔ • Ҿ༻: https://www.openpolicyagent.org/docs/latest/policy-testing/
ςετσʔλʹ͍ͭͯ • ͔͠͠ JSON Λॻ͘ͱਏ͍έʔε͕ଟ͍ • ݱࡏ yaml Ͱॻ͍ͯ yaml.unmarshal
͍ͯ͠Δ
࠷ޙʹσόοάʹ͍ͭͯ • policy ͦͷςετΛॻ͍͍ͯΔͱσόοά͕ͨ͘͠ͳΔ • ҙͷՕॴʹ trace(string) ΛࠐΉ͜ͱͰσόοάग़ྗ ͕Մೳ •
`—trace` Φϓγϣϯ͖Ͱ Conftest Λ࣮ߦ