Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Terraform x OPA/Conftest の tips

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Ryo Kubota Ryo Kubota
July 07, 2021
Technology
1.1k
0

Terraform x OPA/Conftest の tips

OPA/Conftest で Terraform を扱う際の tips のまとめ

Avatar for Ryo Kubota

Ryo Kubota

July 07, 2021

More Decks by Ryo Kubota

See All by Ryo Kubota
TerraformのレビューをConftestで自動化する
Avatar for Ryo Kubota ryokbt
3
1.8k
Handling TV Ad Traffic Influx with Microservices
Avatar for Ryo Kubota ryokbt
0
1.6k

Other Decks in Technology

See All in Technology
可視化から活用へ — Mesh化・Segmentation・アライメントの研究動向
Avatar for GPU UNITE gpuunite_official
0
240
論文紹介:Pixal3D (SIGGRAPH 2026)
Avatar for TakatoYoshikawa tenten0727
0
640
DI コンテナ自動生成ツールを実装してみた / intro-autodi
Avatar for uhzz uhzz
0
710
業務に残された「良くない型」で考える「TypeScriptの難しさ」
Avatar for Saji sajikix
2
870
CARTA HOLDINGS エンジニア向け 採用ピッチ資料 / CARTA-GUIDE-for-Engineers
Avatar for CARTA Engineering carta_engineering
0
47k
The Bag-of-Documents Model for Query Understanding and Retrieval
Avatar for Daniel Tunkelang dtunkelang
0
180
Directions Asia 2026 | Beyond Buildable AI Agents: Let’s Visualize Partner Value in the AI Era
Avatar for Dynamics Ryo ryoheig0405
0
130
社内RAGの導入で気を付けたポイント
Avatar for やくも yakumo
1
130
React Compiler導入から21ヶ月、いま始めるならこうやる
Avatar for Tatsuya Asami astatsuya
2
280
Terragrunt x Snowflake + dbt で作るマルチテナントなデータ基盤構築プラットフォーム
Avatar for Gaku TASHIRO gak_t12
0
510
ECSのTerraformモジュールにコントリビュートした話
Avatar for Haruka Sakihara harukasakihara
0
260
その英語学習、AWSで代替できませんか?
Avatar for Tatsuya suzutatsu
1
160

Featured

See All Featured
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
331
21k
Designing for humans not robots
Avatar for Tammie Lister tammielis
254
26k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
23k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.9k
Visual Storytelling: How to be a Superhuman Communicator
Avatar for David Neal reverentgeek
2
530
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
281
24k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
28
3.5k
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
Avatar for Yuki Nakata chikuwait chikuwait
0
530
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
9
1.9k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
12k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1033
470k
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
Avatar for Tech SEO Connect techseoconnect
PRO
0
180

Transcript

  1. 5FSSBGPSNY01"$POGUFTUͷ UJQT Open Policy Agent Rego 
 Knowledge Sharing Meetup

    #2021.07 Ryo Kubota @ryok6t

  2. • Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team

    manager ࣗݾ঺հ

  3. લఏ • ϚΠΫϩαʔϏεΛ AWS EKS ্ʹσϓϩΠ • ֤αʔϏεͷΠϯϑϥ͸ҎԼͰίʔυ؅ཧ • Kubernetes

    ͷ manifest • Terraform • ֤։ൃνʔϜ͕ࣗ਎Ͱ͜ΕΒͷίʔυΛॻ͍͍ͯΔ • ࣭ͷ୲อͷͨΊʹ Conftest Λར༻

  4. Ҏલͷൃද • https://speakerdeck.com/ryokbt/terraformfalserebiyuwoconftestdezi-dong-hua-suru

  5. ຊ೔ͷ಺༰ • ʢಛʹʣTerraform Ͱ OPA Λ࢖͏৔߹ͷͪΐͬͱͨ͠ίπ • ࣗ෼͕ OPA Λಋೖ͢Δલʹ஌Γ͔ͨͬͨ͜ͱͷ·ͱΊ

  6. ·ͣ͸QMBOΛ+40/ʹ • plan ݁ՌΛ JSON ʹ͢Δͱ͜Ζ͔Β • terraform plan -out

    plan.tfplan • terraform show -json plan.tfplan | conftest test -

  7. 5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷ৘ใ มߋલมߋޙͷঢ়ଶ

  8. ϙϦγʔΛॻ͘ WJPMBUJPOEFOZXBSOͷQSFpYΛ͚ͭΔ • ʮresource type ͕ security group Ͱɺport ͕


    ϑϧΦʔϓϯͳ΋ͷ͕1ݸͰ΋͋Ε͹ violationʯ

  9. ڞ௨ͷॲཧΛ·ͱΊΔ • ڞ௨ͷॲཧΛ͢Δέʔε͕ଟ͍ • e.g. ಛఆͷ resource type ͷ࣌ͷΈద༻͢Δ •

    ઌͷྫͩͱɺsecurity group ͷ͚࣌ͩద༻͢ΔͳͲ • ຖճॻ͘ͷ͸໘౗

  10. GVODUJPOΛ࢖ͬͨڞ௨ॲཧ ड͚औͬͨUZQFʹ
 ౰ͯ͸·Δ΋ͷ͚ͩΛฦ͢

  11. ڞ௨ॲཧΛผͷϑΝΠϧʹ੾Γग़͢ • ڞ௨ॲཧ༻ͷ package Λ࡞͓ͬͯ͘

  12. ڞ௨ॲཧΛผϑΝΠϧ͔Βݺͼग़͢ ڞ௨ॲཧ༻ͷQBDLBHFΛJNQPSU CBTFSFTPVSDFTͰݺͼग़ͤΔΑ͏ʹ

  13. ྫ֎έʔεΛѻ͏ • There is no rule without exceptions • ಛఆͷϦιʔε͚ͩϧʔϧͷର৅֎ʹ͍ͨ͠έʔε͕ଘࡏ

  14. lFYDFQUJPOzΛ࢖ͬͯྫ֎ʹରԠ • ྫ֎ͷϩδοΫʹ౰ͯ͸·ͬͨ৔߹ɺrules Ͱࢦఆͨ͠΋ ͷ͸ແࢹ͞ΕΔ • ҎԼͰ͸ “deny_foo”, “violation_foo” ͳͲ͕ແࢹ͞ΕΔ

  15. ςετΛॻ͘ • Rego ͷจ๏ʹ͸Ϋη͕͋ΔͨΊɺςετ͕ॏཁ • Conftest ࣗମͰ؆୯ʹςετ͕Մೳ

  16. ςετͷํ๏ • foo.rego ʹରͯ͠ɺfoo_test.rego ͱ͍͏ϑΝΠϧΛ༻ҙ • conftest verify Λ࣮ߦ

  17. ςετͷྫʢWJPMBUJPOʹͳΔέʔεʣ ϑϧΦʔϓϯʹͳ͍ͬͯΔͷͰ
 WJPMBUJPOʹͳΔ͜ͱΛςετ

  18. ςετίʔυͷߏ଄ QMBOͷ+40/ͱಉ͡ߏ଄Ͱ ςετσʔλΛੜ੒ XJUIBTΛ࢖ͬͯ
 ςετσʔλΛ༩͑Δ

  19. ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε

  20. ςετͷྫ WJPMBUJPOʹͳΒͳ͍έʔε • not Λ͚ͭΔ͚ͩ

  21. ςετσʔλʹ͍ͭͯ • ެࣜυΩϡϝϯτͰ͸ɺςετίʔυʹ JSON Λ௚઀
 ॻ͍͍ͯΔ • Ҿ༻: https://www.openpolicyagent.org/docs/latest/policy-testing/

  22. ςετσʔλʹ͍ͭͯ • ͔͠͠ JSON Λ௚઀ॻ͘ͱਏ͍έʔε͕ଟ͍ • ݱࡏ͸ yaml Ͱॻ͍ͯ yaml.unmarshal

    ͍ͯ͠Δ

  23. ࠷ޙʹσόοάʹ͍ͭͯ • policy ΍ͦͷςετΛॻ͍͍ͯΔͱσόοά͕ͨ͘͠ͳΔ • ೚ҙͷՕॴʹ trace(string) Λ࢓ࠐΉ͜ͱͰσόοάग़ྗ ͕Մೳ •

    `—trace` Φϓγϣϯ෇͖Ͱ Conftest Λ࣮ߦ