Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
TerraformのレビューをConftestで自動化する
Search
Ryo Kubota
February 10, 2021
Programming
3
1.7k
TerraformのレビューをConftestで自動化する
Ryo Kubota
February 10, 2021
Tweet
Share
More Decks by Ryo Kubota
See All by Ryo Kubota
Terraform x OPA/Conftest の tips
ryokbt
0
1.1k
Handling TV Ad Traffic Influx with Microservices
ryokbt
0
1.5k
Other Decks in Programming
See All in Programming
AIエージェント時代における TypeScriptスキーマ駆動開発の新たな役割
bicstone
4
1.5k
ИИ-Агенты в каждый дом – Алексей Порядин, PythoNN
sobolevn
0
150
いま中途半端なSwift 6対応をするより、Default ActorやApproachable Concurrencyを有効にしてからでいいんじゃない?
yimajo
2
330
overlayPreferenceValue で実現する ピュア SwiftUI な AdMob ネイティブ広告
uhucream
0
110
Railsだからできる 例外業務に禍根を残さない 設定設計パターン
ei_ei_eiichi
0
170
Serena MCPのすすめ
wadakatu
4
890
実践AIチャットボットUI実装入門
syumai
7
2.4k
開発生産性を上げるための生成AI活用術
starfish719
1
160
デミカツ切り抜きで面倒くさいことはPythonにやらせよう
aokswork3
0
180
なぜあの開発者はDevRelに伴走し続けるのか / Why Does That Developer Keep Running Alongside DevRel?
nrslib
3
370
Back to the Future: Let me tell you about the ACP protocol
terhechte
0
130
プロダクト開発をAI 1stに変革する〜SaaS is dead時代で生き残るために〜 / AI 1st Product Development
kobakei
0
490
Featured
See All Featured
Building Applications with DynamoDB
mza
96
6.6k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
9.7k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
51k
Optimising Largest Contentful Paint
csswizardry
37
3.4k
Bash Introduction
62gerente
615
210k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
15k
How STYLIGHT went responsive
nonsquared
100
5.8k
The Cult of Friendly URLs
andyhume
79
6.6k
Music & Morning Musume
bryan
46
6.8k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
890
Transcript
5FSSBGPSNͷϨϏϡʔΛ $POGUFTUͰࣗಈԽ͢Δ Terraform meetup ONLINE #2021.02 Ryo Kubota @ryok6t
• Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team
manager • Terraformྺ1΄Ͳ ࣗݾհ
• 50ͷϚΠΫϩαʔϏε͕ AWS ্ʹଘࡏ • ϚΠΫϩαʔϏεͷΠϯϑϥΛ Terraform Ͱཧ • αʔϏεͱڥ͝ͱʹಠཱͨ͠
state Λอ༗ લఏ 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε" 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε# ʜ
• ϚΠΫϩαʔϏεͷΠϯϑϥΛ։ൃऀʹҕৡ͢Δͱ͍ ͏ࢥ͔Β Terraform Λಋೖ • 2000ݸͷطʹ࡞ΒΕͯ͠·͍ͬͯͨϦιʔεΛ શͯ import ͠ɺαʔϏεͱڥ͝ͱʹׂ
લ*B$ͳͲແ͔ͬͨ
• Terraform Λಋೖ͠ɺ։ൃऀ HCL Λॻ͍ͯ ϓϧϦΫΤετΛग़ͤΠϯϑϥʹมߋΛՃ͑ΒΕΔ Α͏ʹͳͬͨ • ࢥʹҰา͍ۙͨ എܠ
• ࣭ͷ୲อͷͨΊɺϨϏϡʔ΄ͱΜͲ SRE ͕୲ • ϨϏϡʔ͕ແࢹͰ͖ͳ͍ίετʹ ݟ͖͑ͯͨ৽ͨͳ՝
• ຊདྷͷϚΠΫϩαʔϏεͷֶͱͯ͠ɺ֤νʔϜ͕ ΠϯϑϥͷมߋؚΊͯ։ൃΛεϐʔσΟʹճ͍ͯ͠ ͚Δ͖ • ϨϏϡʔؚΊͯҕৡ͍͖͍ͯͨ͠ ຊདྷͷࢥʹཱͪฦΔͱʜ
• ͦΕͳΓʹෳࡶͳઃఆ͕ඞཁʹͳΔέʔε • Ճ͑ͯɺTerraform/AWS ͷࣝݸਓ/νʔϜʹΑͬ ͯҟͳΔ ҕৡ؆୯Ͱͳ͍
• FiNC ͰαʔϏεؒͷඇಉظ௨৴ʹ Amazon SNS/ SQS Λ༻ • ෳࡶͳઃఆ͕ඞཁ "NB[PO4/4424ͷྫ
• αʔϏεA ʹ SNS topic Λ࡞ • αʔϏεA ͷ IAM
policy ʹ SNS topic ͷݖݶΛՃ • αʔϏεB ʹ SQS queue Λ࡞ • αʔϏεB ͷ IAM policy ʹ SQS queue ͷݖݶΛՃ • SQS queue ͷ policy ʹ SNS topic ͷݖݶΛՃ • SNS topic ͱ SQS queue Λඥ͚ͮΔ resource ΛՃ 4/4424ͷઃఆ߲ଟ͍
• ίετूܭ Datadog ͰͷॲཧͷͨΊʹ tag Λٛ Խ͍ͯ͠Δ • λά͚ͳͲͷϕετϓϥΫςΟεશһ͕Ѳͯ͠ ͍ΔΘ͚Ͱͳ͍
5BHͷྫ
• શαʔϏεͰͷ࣭ͷ୲อ͕ࠔʹ • HCL ͷߏจ্ແ͍͜ͱ͕ଟ͍ͷͰɺTerraform ͰݕͰ͖ͳ͍ • ͋͘·Ͱҙຯ্ͷ • e.g.
tag ͕ແͯ͘વ apply Մೳ ϨϏϡʔΛҕৡ͢Δͱʜ
• ֤αʔϏεͷࣗԽͱશମͷ࣭ͷτϨʔυΦϑʹ • ϨϏϡʔҕৡ͍ͨ͠ʢࣗԽ͍ͨ͠ʣ͕ɺ ࣭୲อ͍ͨ͠ • ͳΜΒ͔ͷΈΛ༻͍ͯࣗಈԽ͢Δඞཁ͋Γ ࣭ͱࣗԽͷτϨʔυΦϑʁ
• CircleCI Ͱ terraform plan Λ͢Δࡍʹɺઃఆʹ͕ ແ͍͔ΛࣗಈͰνΣοΫ͢Δ • Open Policy
Agent(OPA) Λར༻ͯ͜͠ΕΛୡ ղܾࡦ
• OSS ͷϙϦγʔΤϯδϯ • CNCF ͷ Graduation project • Rego
ͱݺΕΔϙϦγʔهड़ݴޠΛͬͯϙϦγʔ Λఆٛ 01"ͱʁ
01"ͷΠϝʔδ :".-+40/ ͳͲͷ σʔλ 3FHP 1PMJDZ ೖྗ ఆ
• ηϚϯςΟΫεతͳͷݕΛࣗಈԽՄೳ • ஞҰʮtag ͍ͭͯͳ͍Αʂʯͱ͔ࢦఠ͕ෆཁ • Policy as Code ͕࣮ݱՄೳ
• ϙϦγʔΛ໌จԽ 㱻 ଐਓԽ • ϙϦγʔίʔυͱͯ͠։ൃՄೳ 01"Λ͏ͱԿ͕خ͍͠ͷ͔
• CircleCI ্Ͱ Conftest ͱ͍͏ OPA ͷπʔϧΛ࣮ߦ • Conftest ͱʁ
• ୯ͳΔ OPA ͷϢʔβʔΠϯλʔϑΣʔε • ࣮ࡍͷ࡞ۀ΄΅ OPA ͕࣮ߦ ࣮ࡍͲ͏͍ͬͯΔͷ͔
• plan ݁ՌΛ JSONʹͯ͠ೖྗ͢Δ • terraform plan -out plan.tfplan •
terraform show -json plan.tfplan | conftest test - 5FSSBGPSNͰͷ$POGUFTU
5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷใ มߋલมߋޙͷঢ়ଶ
ϙϦγʔͷྫʢUBHʣ ඞਢʹ͍ͨ͠UBH SFTPVSDF@DIBOHFTΛϧʔϓ ҰͭͰຬ͍ͨͯ͠ͳ͍ͷ͕ ͋ΕWJPMBUJPO
• action ͱϦιʔεͷछྨ͔ΒมߋͷӨڹൣғΛܭࢉ • ͦΕʹΑͬͯϨϏϡϫʔΛมߋ ଞʹ͜Μͳ͜ͱʜ
• Policy as Code: ϙϦγʔΛίʔυͱͯ͠ѻ͏ • Rego ͷจ๏ʹΫη͕͋ΔͨΊɺςετ͕ॏཁ • OPA
ͰϙϦγʔͷςετ༻ϑϨʔϜϫʔΫ͕ଘࡏ ͠ɺ؆୯ʹςετ͕Մೳ ϙϦγʔςετՄೳ
• ϚΠΫϩαʔϏεʹ͓͍ͯαʔϏεͷࣗੑͱશମ ͷ࣭ͷ୲อ͕τϨʔυΦϑʹͳΓ͍͢ • ҆શͰߴͳ։ൃͷͨΊʹɺPolicy as Code ʹΑΔ ηϚϯςΟΫεݕূͷࣗಈԽ͕༗ޮ •
Conftest Λ͏͜ͱͰ͜ΕΛ࣮ݱՄೳ ·ͱΊ
• Sentinel Ͱ Terraform ͷ Policy as Code ͕Մೳ •
FiNC Ͱ Kubernetes ͷ manifest ͷνΣοΫʹ Conftest Λ༻͍͍ͯΔͨΊ Conftest Λ࠾༻ ͪͳΈʹʜ