Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
TerraformのレビューをConftestで自動化する
Search
Ryo Kubota
February 10, 2021
Programming
3
1.7k
TerraformのレビューをConftestで自動化する
Ryo Kubota
February 10, 2021
Tweet
Share
More Decks by Ryo Kubota
See All by Ryo Kubota
Terraform x OPA/Conftest の tips
ryokbt
0
1k
Handling TV Ad Traffic Influx with Microservices
ryokbt
0
1.5k
Other Decks in Programming
See All in Programming
AI時代のUIはどこへ行く?
yusukebe
13
7.7k
アプリの "かわいい" を支えるアニメーションツールRiveについて
uetyo
0
110
Updates on MLS on Ruby (and maybe more)
sylph01
1
180
Honoアップデート 2025年夏
yusukebe
1
910
AIレビュアーをスケールさせるには / Scaling AI Reviewers
technuma
2
240
Protocol Buffersの型を超えて拡張性を得る / Beyond Protocol Buffers Types Achieving Extensibility
linyows
0
110
モバイルアプリからWebへの横展開を加速した話_Claude_Code_実践術.pdf
kazuyasakamoto
0
300
AIを活用し、今後に備えるための技術知識 / Basic Knowledge to Utilize AI
kishida
20
4.9k
Ruby×iOSアプリ開発 ~共に歩んだエコシステムの物語~
temoki
0
210
[FEConf 2025] 모노레포 절망편, 14개 레포로 부활하기까지 걸린 1년
mmmaxkim
0
1.4k
CloudflareのChat Agent Starter Kitで簡単!AIチャットボット構築
syumai
2
400
Laravel Boost 超入門
fire_arlo
2
190
Featured
See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.5k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.7k
Java REST API Framework Comparison - PWX 2021
mraible
33
8.8k
Testing 201, or: Great Expectations
jmmastey
45
7.6k
[RailsConf 2023] Rails as a piece of cake
palkan
57
5.8k
Reflections from 52 weeks, 52 projects
jeffersonlam
352
21k
Embracing the Ebb and Flow
colly
87
4.8k
Typedesign – Prime Four
hannesfritz
42
2.8k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
46
7.6k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1.1k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
15k
Building Applications with DynamoDB
mza
96
6.6k
Transcript
5FSSBGPSNͷϨϏϡʔΛ $POGUFTUͰࣗಈԽ͢Δ Terraform meetup ONLINE #2021.02 Ryo Kubota @ryok6t
• Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team
manager • Terraformྺ1΄Ͳ ࣗݾհ
• 50ͷϚΠΫϩαʔϏε͕ AWS ্ʹଘࡏ • ϚΠΫϩαʔϏεͷΠϯϑϥΛ Terraform Ͱཧ • αʔϏεͱڥ͝ͱʹಠཱͨ͠
state Λอ༗ લఏ 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε" 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε# ʜ
• ϚΠΫϩαʔϏεͷΠϯϑϥΛ։ൃऀʹҕৡ͢Δͱ͍ ͏ࢥ͔Β Terraform Λಋೖ • 2000ݸͷطʹ࡞ΒΕͯ͠·͍ͬͯͨϦιʔεΛ શͯ import ͠ɺαʔϏεͱڥ͝ͱʹׂ
લ*B$ͳͲແ͔ͬͨ
• Terraform Λಋೖ͠ɺ։ൃऀ HCL Λॻ͍ͯ ϓϧϦΫΤετΛग़ͤΠϯϑϥʹมߋΛՃ͑ΒΕΔ Α͏ʹͳͬͨ • ࢥʹҰา͍ۙͨ എܠ
• ࣭ͷ୲อͷͨΊɺϨϏϡʔ΄ͱΜͲ SRE ͕୲ • ϨϏϡʔ͕ແࢹͰ͖ͳ͍ίετʹ ݟ͖͑ͯͨ৽ͨͳ՝
• ຊདྷͷϚΠΫϩαʔϏεͷֶͱͯ͠ɺ֤νʔϜ͕ ΠϯϑϥͷมߋؚΊͯ։ൃΛεϐʔσΟʹճ͍ͯ͠ ͚Δ͖ • ϨϏϡʔؚΊͯҕৡ͍͖͍ͯͨ͠ ຊདྷͷࢥʹཱͪฦΔͱʜ
• ͦΕͳΓʹෳࡶͳઃఆ͕ඞཁʹͳΔέʔε • Ճ͑ͯɺTerraform/AWS ͷࣝݸਓ/νʔϜʹΑͬ ͯҟͳΔ ҕৡ؆୯Ͱͳ͍
• FiNC ͰαʔϏεؒͷඇಉظ௨৴ʹ Amazon SNS/ SQS Λ༻ • ෳࡶͳઃఆ͕ඞཁ "NB[PO4/4424ͷྫ
• αʔϏεA ʹ SNS topic Λ࡞ • αʔϏεA ͷ IAM
policy ʹ SNS topic ͷݖݶΛՃ • αʔϏεB ʹ SQS queue Λ࡞ • αʔϏεB ͷ IAM policy ʹ SQS queue ͷݖݶΛՃ • SQS queue ͷ policy ʹ SNS topic ͷݖݶΛՃ • SNS topic ͱ SQS queue Λඥ͚ͮΔ resource ΛՃ 4/4424ͷઃఆ߲ଟ͍
• ίετूܭ Datadog ͰͷॲཧͷͨΊʹ tag Λٛ Խ͍ͯ͠Δ • λά͚ͳͲͷϕετϓϥΫςΟεશһ͕Ѳͯ͠ ͍ΔΘ͚Ͱͳ͍
5BHͷྫ
• શαʔϏεͰͷ࣭ͷ୲อ͕ࠔʹ • HCL ͷߏจ্ແ͍͜ͱ͕ଟ͍ͷͰɺTerraform ͰݕͰ͖ͳ͍ • ͋͘·Ͱҙຯ্ͷ • e.g.
tag ͕ແͯ͘વ apply Մೳ ϨϏϡʔΛҕৡ͢Δͱʜ
• ֤αʔϏεͷࣗԽͱશମͷ࣭ͷτϨʔυΦϑʹ • ϨϏϡʔҕৡ͍ͨ͠ʢࣗԽ͍ͨ͠ʣ͕ɺ ࣭୲อ͍ͨ͠ • ͳΜΒ͔ͷΈΛ༻͍ͯࣗಈԽ͢Δඞཁ͋Γ ࣭ͱࣗԽͷτϨʔυΦϑʁ
• CircleCI Ͱ terraform plan Λ͢Δࡍʹɺઃఆʹ͕ ແ͍͔ΛࣗಈͰνΣοΫ͢Δ • Open Policy
Agent(OPA) Λར༻ͯ͜͠ΕΛୡ ղܾࡦ
• OSS ͷϙϦγʔΤϯδϯ • CNCF ͷ Graduation project • Rego
ͱݺΕΔϙϦγʔهड़ݴޠΛͬͯϙϦγʔ Λఆٛ 01"ͱʁ
01"ͷΠϝʔδ :".-+40/ ͳͲͷ σʔλ 3FHP 1PMJDZ ೖྗ ఆ
• ηϚϯςΟΫεతͳͷݕΛࣗಈԽՄೳ • ஞҰʮtag ͍ͭͯͳ͍Αʂʯͱ͔ࢦఠ͕ෆཁ • Policy as Code ͕࣮ݱՄೳ
• ϙϦγʔΛ໌จԽ 㱻 ଐਓԽ • ϙϦγʔίʔυͱͯ͠։ൃՄೳ 01"Λ͏ͱԿ͕خ͍͠ͷ͔
• CircleCI ্Ͱ Conftest ͱ͍͏ OPA ͷπʔϧΛ࣮ߦ • Conftest ͱʁ
• ୯ͳΔ OPA ͷϢʔβʔΠϯλʔϑΣʔε • ࣮ࡍͷ࡞ۀ΄΅ OPA ͕࣮ߦ ࣮ࡍͲ͏͍ͬͯΔͷ͔
• plan ݁ՌΛ JSONʹͯ͠ೖྗ͢Δ • terraform plan -out plan.tfplan •
terraform show -json plan.tfplan | conftest test - 5FSSBGPSNͰͷ$POGUFTU
5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷใ มߋલมߋޙͷঢ়ଶ
ϙϦγʔͷྫʢUBHʣ ඞਢʹ͍ͨ͠UBH SFTPVSDF@DIBOHFTΛϧʔϓ ҰͭͰຬ͍ͨͯ͠ͳ͍ͷ͕ ͋ΕWJPMBUJPO
• action ͱϦιʔεͷछྨ͔ΒมߋͷӨڹൣғΛܭࢉ • ͦΕʹΑͬͯϨϏϡϫʔΛมߋ ଞʹ͜Μͳ͜ͱʜ
• Policy as Code: ϙϦγʔΛίʔυͱͯ͠ѻ͏ • Rego ͷจ๏ʹΫη͕͋ΔͨΊɺςετ͕ॏཁ • OPA
ͰϙϦγʔͷςετ༻ϑϨʔϜϫʔΫ͕ଘࡏ ͠ɺ؆୯ʹςετ͕Մೳ ϙϦγʔςετՄೳ
• ϚΠΫϩαʔϏεʹ͓͍ͯαʔϏεͷࣗੑͱશମ ͷ࣭ͷ୲อ͕τϨʔυΦϑʹͳΓ͍͢ • ҆શͰߴͳ։ൃͷͨΊʹɺPolicy as Code ʹΑΔ ηϚϯςΟΫεݕূͷࣗಈԽ͕༗ޮ •
Conftest Λ͏͜ͱͰ͜ΕΛ࣮ݱՄೳ ·ͱΊ
• Sentinel Ͱ Terraform ͷ Policy as Code ͕Մೳ •
FiNC Ͱ Kubernetes ͷ manifest ͷνΣοΫʹ Conftest Λ༻͍͍ͯΔͨΊ Conftest Λ࠾༻ ͪͳΈʹʜ