
Terraform x OPA/Conftest tips

A collection of tips for handling Terraform with OPA/Conftest


Ryo Kubota

July 07, 2021

Transcript

  1. Terraform x OPA/Conftest tips. Open Policy Agent Rego Knowledge Sharing Meetup #2021.07, Ryo Kubota @ryok6t

  2. About me: Ryo Kubota (@ryok6t), FiNC Technologies, SRE Team manager

  3. Context: microservices are deployed on AWS EKS. Each service's infrastructure is managed as code in Kubernetes manifests and Terraform. Each development team writes this code itself, and Conftest is used to ensure its quality.

  4. Previous talk: https://speakerdeck.com/ryokbt/terraformfalserebiyuwoconftestdezi-dong-hua-suru

  5. Today's content: small tricks for using OPA (specifically) with Terraform. A summary of what I wish I had known before introducing OPA.

  6. First, turn the plan into JSON. Start by converting the plan result to JSON: `terraform plan -out plan.tfplan`, then `terraform show -json plan.tfplan | conftest test -`

  7. The Terraform plan JSON: a list of resources and the changes to each of them, the action applied (create, update, etc.), the resource's attributes, and the state before and after the change.

  8. Writing a policy: give the rule a violation/deny/warn prefix. For example: "if the resource type is a security group and even one has a fully open port, it is a violation."

  9. Consolidating shared logic: many cases share the same processing, e.g. applying a rule only to a specific resource type; in the previous example, only to security groups. Writing it out every time is tedious.

  10. Shared logic in a function: returns only the resources matching the received type.

  11. Extracting shared logic into a separate file: create a package for the shared logic.

  12. Calling shared logic from another file: import the shared-logic package so it can be called as `base.resources`.

  13. Handling exception cases: there is no rule without exceptions. There are cases where you want to exclude specific resources from a rule.

  14. Handling exceptions with "exception": when the exception logic matches, the rules listed in `rules` are ignored. Here, "deny_foo", "violation_foo" and so on are ignored.

  15. Writing tests: Rego's syntax has its quirks, so tests matter. Conftest itself can run tests easily.

  16. How to test: for foo.rego, prepare a file named foo_test.rego, then run `conftest verify`.

  17. Test example (a case that is a violation): the port is fully open, so test that it produces a violation.

  18. Structure of the test code: generate test data in the same structure as the plan JSON, and supply it with `with ... as`.

  19. Test example: a case that is not a violation.

  20. Test example: a case that is not a violation. Just add `not`.

  21. About test data: the official documentation writes JSON directly in the test code. Reference: https://www.openpolicyagent.org/docs/latest/policy-testing/

  22. About test data: however, writing JSON directly is often painful. Currently I write it in YAML and call `yaml.unmarshal`.
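As an added example (not code from the slides), a single Rego file that puts the pieces above together: a `resources(type)` helper, a `violation_` rule for security groups with a world-open ingress rule, an `exception`, and two `conftest verify` tests whose plan-shaped data is written as YAML and fed in with `with input as`. It assumes a Conftest release whose OPA supports `import rego.v1`, the `terraform show -json` layout for `aws_security_group`, and a constructed `allow_public` tag as the opt-out marker.

```rego
package main
import rego.v1

# Shared helper (the slides' "function" pattern): entries of one resource type.
resources(type) := [r |
	some r in input.resource_changes
	r.type == type
	some action in r.change.actions
	action in {"create", "update"}
]

# An ingress rule is world-open when it allows 0.0.0.0/0.
open_to_world(rule) if "0.0.0.0/0" in object.get(rule, "cidr_blocks", [])

# violation_<name>: one message per world-open ingress rule on a security group.
violation_sg_open contains msg if {
	some sg in resources("aws_security_group")
	some rule in sg.change.after.ingress
	open_to_world(rule)
	msg := sprintf("%s: ingress %v-%v/%v is open to the world",
		[sg.address, rule.from_port, rule.to_port, rule.protocol])
}

# Exception: Conftest skips deny_/violation_<name> for the names in `rules`.
# Caveat: it applies to the whole input document, i.e. every group in the plan.
exception contains rules if {
	some sg in resources("aws_security_group")
	sg.change.after.tags.allow_public == "true"  # constructed opt-out tag
	rules := ["sg_open"]
}

# Tests (`conftest verify`): constructed plan data as YAML mirroring the plan JSON.
open_ssh_plan := yaml.unmarshal(`
resource_changes:
- address: aws_security_group.web
  type: aws_security_group
  change:
    actions: [create]
    after:
      ingress:
      - {from_port: 22, to_port: 22, protocol: tcp, cidr_blocks: ["0.0.0.0/0"]}
`)
test_world_open_ingress_is_violation if {
	count(violation_sg_open) == 1 with input as open_ssh_plan
}
test_private_ingress_is_not_violation if {
	plan := json.patch(open_ssh_plan, [{"op": "replace", "value": ["10.0.0.0/8"],
		"path": "/resource_changes/0/change/after/ingress/0/cidr_blocks"}])
	count(violation_sg_open) == 0 with input as plan
}
```

Save it as a policy file and run `conftest verify` in that directory; `conftest test --trace -` on a real plan JSON shows how each rule evaluates.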
  23. Finally, debugging: when writing policies and their tests, you will want to debug. Inserting `trace(string)` at any point produces debug output; run Conftest with the `--trace` option.