$30 off During Our Annual Pro Sale. View Details »

TerraformのレビューをConftestで自動化する

Ryo Kubota
February 10, 2021
Programming
3
1.2k

 TerraformのレビューをConftestで自動化する

Ryo Kubota

February 10, 2021
Tweet

More Decks by Ryo Kubota

See All by Ryo Kubota
Terraform x OPA/Conftest の tips
ryokbt
0
790
Handling TV Ad Traffic Influx with Microservices
ryokbt
0
1.4k

Other Decks in Programming

See All in Programming
Kyo - Functional Scala 2023
fwbrasil
0
1.7k
Vue & Vite Rustify
kazupon
4
830
Introducing Kotlin Multiplatform in an existing mobile app - Workshop Edition | DevFest Berlin 23
prof18
0
230
リーンスタートアップのリーンな品質の話
techouse
0
490
日時処理の新スタンダード: Synchro によるタイムゾーン安全、楽々開発
codehex
0
420
長年運用されている Web サービスと 通信をするクライアントを Go で作ってみた話
commojun
0
290
エンジニアだけでスポンサーブースを出したら大変なことになった
zakky21
1
430
JavaScript なしで動作するモダンなコードの書き方
azukiazusa1
14
9.6k
Accelerating App Dev with Cloudflare Workers
chimame
1
210
WantedlyでFeature Storeを導入する際に考えたこと
zerebom
1
400
LLMを使ったアプリケーション開発の基本とLangChain超入門
os1ma
16
6.6k
ニジエチューニング2023-12
nijieinfra
0
170

Featured

See All Featured
How GitHub (no longer) Works
holman
299
140k
Web Components: a chance to create the future
zenorocha
304
41k
Music & Morning Musume
bryan
38
5.2k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
123
31k
The Art of Programming - Codeland 2020
erikaheidi
39
12k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
352
21k
Teambox: Starting and Learning
jrom
125
8.2k
Designing for Performance
lara
601
66k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
1
290
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
1
1.1k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
140k
Raft: Consensus for Rubyists
vanstee
130
6k

Transcript

  1. 5FSSBGPSNͷϨϏϡʔΛ
    $POGUFTUͰࣗಈԽ͢Δ
    Terraform meetup ONLINE #2021.02
    Ryo Kubota @ryok6t

    View Slide

  2. • Ryo Kubota (@ryok6t)
    • FiNC Technologies
    • SRE Team manager
    • Terraformྺ͸1೥൒΄Ͳ
    ࣗݾ঺հ

    View Slide

  3. • ໿50ͷϚΠΫϩαʔϏε͕ AWS ্ʹଘࡏ
    • ϚΠΫϩαʔϏεͷΠϯϑϥΛ Terraform Ͱ؅ཧ
    • αʔϏεͱ؀ڥ͝ͱʹಠཱͨ͠ state Λอ༗
    લఏ
    4UBHJOH
    UGTUBUF
    1SPEVDUJPO
    UGTUBUF
    αʔϏε"
    4UBHJOH
    UGTUBUF
    1SPEVDUJPO
    UGTUBUF
    αʔϏε#
    ʜ

    View Slide

  4. • ϚΠΫϩαʔϏεͷΠϯϑϥΛ։ൃऀʹҕৡ͢Δͱ͍
    ͏ࢥ૝͔Β Terraform Λಋೖ
    • ໿2000ݸͷطʹ࡞ΒΕͯ͠·͍ͬͯͨϦιʔεΛ

    શͯ import ͠ɺαʔϏεͱ؀ڥ͝ͱʹ෼ׂ
    ೥൒લ͸*B$ͳͲແ͔ͬͨ

    View Slide

  5. • Terraform Λಋೖ͠ɺ։ൃऀ͸ HCL Λॻ͍ͯ

    ϓϧϦΫΤετΛग़ͤ͹ΠϯϑϥʹมߋΛՃ͑ΒΕΔ
    Α͏ʹͳͬͨ
    • ࢥ૝ʹҰาۙ෇͍ͨ
    എܠ

    View Slide

  6. • ࣭ͷ୲อͷͨΊɺϨϏϡʔ͸΄ͱΜͲ SRE ͕୲౰
    • ϨϏϡʔ͕ແࢹͰ͖ͳ͍ίετʹ
    ݟ͖͑ͯͨ৽ͨͳ՝୊

    View Slide

  7. • ຊདྷͷϚΠΫϩαʔϏεͷ఩ֶͱͯ͠͸ɺ֤νʔϜ͕
    Πϯϑϥͷมߋ΋ؚΊͯ։ൃΛεϐʔσΟʹճ͍ͯ͠
    ͚Δ΂͖
    • ϨϏϡʔ΋ؚΊͯҕৡ͍͖͍ͯͨ͠
    ຊདྷͷࢥ૝ʹཱͪฦΔͱʜ

    View Slide

  8. • ͦΕͳΓʹෳࡶͳઃఆ͕ඞཁʹͳΔέʔε΋
    • Ճ͑ͯɺTerraform/AWS ͷ஌ࣝ͸ݸਓ/νʔϜʹΑͬ
    ͯҟͳΔ
    ҕৡ͸؆୯Ͱ͸ͳ͍

    View Slide

  9. • FiNC Ͱ͸αʔϏεؒͷඇಉظ௨৴ʹ Amazon SNS/
    SQS Λ࢖༻
    • ΍΍ෳࡶͳઃఆ͕ඞཁ
    "NB[PO4/4424ͷྫ

    View Slide

  10. • αʔϏεA ʹ SNS topic Λ࡞੒
    • αʔϏεA ͷ IAM policy ʹ SNS topic ͷݖݶΛ௥Ճ
    • αʔϏεB ʹ SQS queue Λ࡞੒
    • αʔϏεB ͷ IAM policy ʹ SQS queue ͷݖݶΛ௥Ճ
    • SQS queue ͷ policy ʹ SNS topic ͷݖݶΛ௥Ճ
    • SNS topic ͱ SQS queue Λඥ͚ͮΔ resource Λ௥Ճ
    4/4424ͷઃఆ߲໨͸ଟ͍

    View Slide

  11. • ίετूܭ΍ Datadog ͰͷॲཧͷͨΊʹ tag Λٛ຿
    Խ͍ͯ͠Δ
    • λά෇͚ͳͲͷϕετϓϥΫςΟε΋શһ͕೺Ѳͯ͠
    ͍ΔΘ͚Ͱ͸ͳ͍
    5BHͷྫ

    View Slide

  12. • શαʔϏεͰͷ࣭ͷ୲อ͕ࠔ೉ʹ
    • HCL ͷߏจ্͸໰୊ແ͍͜ͱ͕ଟ͍ͷͰɺTerraform
    Ͱ͸ݕ஌Ͱ͖ͳ͍
    • ͋͘·Ͱҙຯ্ͷ໰୊
    • e.g. tag ͕ແͯ͘΋౰વ apply ͸Մೳ
    ϨϏϡʔΛҕৡ͢Δͱʜ

    View Slide

  13. • ֤αʔϏεͷࣗ཯Խͱશମͷ࣭ͷτϨʔυΦϑʹ
    • ϨϏϡʔ͸ҕৡ͍ͨ͠ʢࣗ཯Խ͍ͨ͠ʣ͕ɺ

    ࣭΋୲อ͍ͨ͠
    • ͳΜΒ͔ͷ࢓૊ΈΛ༻͍ͯࣗಈԽ͢Δඞཁ͋Γ
    ࣭ͱࣗ཯ԽͷτϨʔυΦϑʁ

    View Slide

  14. • CircleCI Ͱ terraform plan Λ͢Δࡍʹɺઃఆʹ໰୊͕
    ແ͍͔ΛࣗಈͰνΣοΫ͢Δ
    • Open Policy Agent(OPA) Λར༻ͯ͜͠ΕΛୡ੒
    ղܾࡦ

    View Slide

  15. • OSS ͷϙϦγʔΤϯδϯ
    • CNCF ͷ Graduation project
    • Rego ͱݺ͹ΕΔϙϦγʔهड़ݴޠΛ࢖ͬͯϙϦγʔ
    Λఆٛ
    01"ͱ͸ʁ

    View Slide

  16. 01"ͷΠϝʔδ
    :".-+40/
    ͳͲͷ
    σʔλ
    3FHP
    1PMJDZ
    ೖྗ
    ൑ఆ

    View Slide

  17. • ηϚϯςΟΫεతͳ໰୊ͷݕ஌ΛࣗಈԽՄೳ
    • ஞҰʮtag ͍ͭͯͳ͍Αʂʯͱ͔ࢦఠ͕ෆཁ
    • Policy as Code ͕࣮ݱՄೳ
    • ϙϦγʔΛ໌จԽ 㱻 ଐਓԽ
    • ϙϦγʔ΋ίʔυͱͯ͠։ൃՄೳ
    01"Λ࢖͏ͱԿ͕خ͍͠ͷ͔

    View Slide

  18. • CircleCI ্Ͱ Conftest ͱ͍͏ OPA ͷπʔϧΛ࣮ߦ
    • Conftest ͱ͸ʁ
    • ୯ͳΔ OPA ͷϢʔβʔΠϯλʔϑΣʔε
    • ࣮ࡍͷ࡞ۀ͸΄΅ OPA ͕࣮ߦ
    ࣮ࡍͲ͏࢖͍ͬͯΔͷ͔

    View Slide

  19. • plan ݁ՌΛ JSONʹͯ͠ೖྗ͢Δ
    • terraform plan -out plan.tfplan
    • terraform show -json plan.tfplan | conftest test -
    5FSSBGPSNͰͷ$POGUFTU

    View Slide

  20. 5FSSBGPSNQMBOͷ+40/
    ϦιʔεͱͦΕʹର͢ΔมߋҰཡ
    Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ
    Ϧιʔεͷ৘ใ
    มߋલมߋޙͷঢ়ଶ

    View Slide

  21. ϙϦγʔͷྫʢUBHʣ
    ඞਢʹ͍ͨ͠UBH
    SFTPVSDF@DIBOHFTΛϧʔϓ
    ҰͭͰ΋ຬ͍ͨͯ͠ͳ͍΋ͷ͕
    ͋Ε͹WJPMBUJPO

    View Slide

  22. • action ͱϦιʔεͷछྨ͔ΒมߋͷӨڹൣғΛܭࢉ
    • ͦΕʹΑͬͯϨϏϡϫʔΛมߋ
    ଞʹ΋͜Μͳ͜ͱ΋ʜ

    View Slide

  23. • Policy as Code: ϙϦγʔΛίʔυͱͯ͠ѻ͏
    • Rego ͷจ๏ʹ͸Ϋη͕͋ΔͨΊɺςετ͕ॏཁ
    • OPA Ͱ͸ϙϦγʔͷςετ༻ϑϨʔϜϫʔΫ͕ଘࡏ
    ͠ɺ؆୯ʹςετ͕Մೳ
    ϙϦγʔ͸ςετՄೳ

    View Slide

  24. • ϚΠΫϩαʔϏεʹ͓͍ͯ͸αʔϏεͷࣗ཯ੑͱશମ
    ͷ࣭ͷ୲อ͕τϨʔυΦϑʹͳΓ΍͍͢
    • ҆શͰߴ଎ͳ։ൃͷͨΊʹ͸ɺPolicy as Code ʹΑΔ
    ηϚϯςΟΫεݕূͷࣗಈԽ͕༗ޮ
    • Conftest Λ࢖͏͜ͱͰ͜ΕΛ࣮ݱՄೳ
    ·ͱΊ

    View Slide

  25. • Sentinel Ͱ΋ Terraform ͷ Policy as Code ͕Մೳ
    • FiNC Ͱ͸ Kubernetes ͷ manifest ͷνΣοΫʹ΋
    Conftest Λ༻͍͍ͯΔͨΊ Conftest Λ࠾༻
    ͪͳΈʹʜ

    View Slide