Terraform x OPA/Conftest tips

A collection of tips for handling Terraform with OPA/Conftest

Ryo Kubota

July 07, 2021

Transcript

  1. Terraform x OPA/Conftest tips
    Open Policy Agent Rego
    Knowledge Sharing Meetup #2021.07
    Ryo Kubota @ryok6t

  2. About me
    • Ryo Kubota (@ryok6t)
    • FiNC Technologies
    • SRE Team manager

  3. Background
    • Microservices are deployed on AWS EKS
    • Each service's infrastructure is managed as code in:
      • Kubernetes manifests
      • Terraform
    • Each development team writes this code themselves
    • Conftest is used to ensure its quality

  4. Previous talk
    • https://speakerdeck.com/ryokbt/terraformfalserebiyuwoconftestdezi-dong-hua-suru

  5. Today's topics
    • A few small tips for using OPA (especially) with Terraform
    • A summary of what I wish I had known before introducing OPA

  6. First, turn the plan into JSON
    • Start by converting the plan output to JSON
    • terraform plan -out plan.tfplan
    • terraform show -json plan.tfplan | conftest test -

  7. The JSON of a Terraform plan
    A list of resources and the changes to them
    The operations applied (create, update, etc.)
    Resource information
    State before and after the change

  8. Writing a policy
    Use the violation/deny/warn prefix
    • "If the resource type is a security group and even one port is fully open, it is a violation"

  9. Consolidating common logic
    • Many cases share the same logic
    • e.g. apply the rule only for a specific resource type
    • In the earlier example, apply it only to security groups
    • Writing this every time is tedious

  10. Common logic using a function
    Returns only the resources that match the type it receives

  11. Extracting common logic into a separate file
    • Create a package for the common logic

  12. Calling common logic from another file
    Import the common-logic package
    So that it can be called as base.resources

  13. Handling exception cases
    • There is no rule without exceptions
    • There are cases where you want to exclude only a specific resource from a rule

  14. Handling exceptions with "exception"
    • When the exception logic matches, the rules named in rules are ignored
    • Below, "deny_foo", "violation_foo", and so on are ignored

  15. Writing tests
    • Rego's syntax has its quirks, so tests are important
    • Conftest itself makes testing easy

  16. How to test
    • For foo.rego, prepare a file named foo_test.rego
    • Run conftest verify

  17. Test example (a case that is a violation)
    The group is fully open, so test that it produces a violation

  18. Structure of the test code
    Generate test data with the same structure as the plan JSON
    Pass the test data using with ... as

  19. Test example: a case that is not a violation

  20. Test example: a case that is not a violation
    • Just add not
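
    Added here as one worked example, not the deck's own code: the helper that selects resources by type (slide 10), the fully open security group violation (slide 8) and the with-input-as tests (slides 17 to 20) in a single Rego file separated by comments. It is written in `import rego.v1` syntax, so it assumes a Conftest built on OPA 0.59 or newer; the names `world_cidrs`, `resources_of_type`, the plan fragment with its `aws_security_group.web` address and the IPv6 `::/0` check are my own additions.

```rego
# --- policy/main.rego ---
package main
import rego.v1

# CIDRs that expose a port to the whole internet (constructed list).
world_cidrs := {"0.0.0.0/0", "::/0"}

# Helper returning the planned resources of one type (the "function" of
# slide 10). Assumes the resource_changes shape of `terraform show -json`.
resources_of_type(t) := [r |
    some r in input.resource_changes
    r.type == t
]

# Slide 8: a security group whose post-change state has an ingress rule
# open to the world is a violation.
violation contains msg if {
    some sg in resources_of_type("aws_security_group")
    some rule in sg.change.after.ingress
    some cidr in rule.cidr_blocks
    cidr in world_cidrs
    msg := sprintf("%v: ingress %v-%v/%v is open to %v",
        [sg.address, rule.from_port, rule.to_port, rule.protocol, cidr])
}

# --- policy/main_test.rego (same package; run with `conftest verify`) ---
# Constructed plan fragment in the shape of the plan JSON (slide 18);
# the resource address is made up.
open_sg_plan := {"resource_changes": [{
    "address": "aws_security_group.web",
    "type": "aws_security_group",
    "change": {"actions": ["create"], "after": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}
    ]}}
}]}
# Same plan with a private CIDR instead of the world.
closed_sg_plan := json.patch(open_sg_plan, [{
    "op": "replace",
    "path": "/resource_changes/0/change/after/ingress/0/cidr_blocks",
    "value": ["10.0.0.0/8"]
}])
expected_msg := "aws_security_group.web: ingress 22-22/tcp is open to 0.0.0.0/0"
# Slide 17: fully open, so the message must be produced.
test_open_ingress_is_violation if {
    expected_msg in violation with input as open_sg_plan
}
# Slide 20: private CIDR, so just add `not`.
test_private_ingress_is_not_violation if {
    not expected_msg in violation with input as closed_sg_plan
}
```

    In a real layout the test part goes into its own foo_test.rego and the helper into a separate package, as slides 11, 12 and 16 describe.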

  21. About test data
    • The official documentation writes the JSON directly in the test code
    • Source: https://www.openpolicyagent.org/docs/latest/policy-testing/

  22. About test data
    • But writing JSON directly is painful in many cases
    • Currently I write it in YAML and use yaml.unmarshal

  23. Finally, about debugging
    • When writing policies and their tests, you will want to debug them
    • Debug output is possible by inserting trace(string) at any point
    • Run Conftest with the `--trace` option
