Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
TerraformのレビューをConftestで自動化する
Search
Ryo Kubota
February 10, 2021
Programming
1.8k
3
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
TerraformのレビューをConftestで自動化する
Ryo Kubota
February 10, 2021
More Decks by Ryo Kubota
See All by Ryo Kubota
Terraform x OPA/Conftest の tips
ryokbt
0
1.2k
Handling TV Ad Traffic Influx with Microservices
ryokbt
0
1.6k
Other Decks in Programming
See All in Programming
コンテキストの使い捨てをやめる — ビジネスルール駆動開発と miko —
ioki
0
250
どこまでゆるくて許されるのか
tk3fftk
0
280
Creating Composable Callables in Contemporary C++
rollbear
0
170
Hatena Engineer Seminar #37「言語モデルの活用に関する研究」
slashnephy
0
370
Signal Forms: Details & Live Coding @enterJS 2026 in Mannheim
manfredsteyer
PRO
0
200
Developing with AI Agents — Codex, Claude Code & Cowork Practical Guide
x5gtrn
PRO
0
1.3k
生成AI時代にこそ効くGo | Why Go Works in the Age of Generative AI
mom0tomo
8
3.4k
SREは、MCPとSRE Agentをこう使え!
kazumax55
0
130
Hunting Vulnerabilities in Symfony with LLMs
vinceamstoutz
0
560
Honoでのサプライチェーン侵害対策 〜 3つのライブラリに学ぶ
yusukebe
7
1.5k
メソッドのジェネリクスでGoの夢は広がるか? / Kyoto.go #65
utgwkk
3
990
Even G2とAWSで推しのエージェントを召喚しよう!
har1101
1
140
Featured
See All Featured
Automating Front-end Workflow
addyosmani
1370
210k
How To Speak Unicorn (iThemes Webinar)
marktimemedia
1
490
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
12
1.2k
30 Presentation Tips
portentint
PRO
1
330
Fashionably flexible responsive web design (full day workshop)
malarkey
408
66k
Marketing to machines
jonoalderson
1
5.5k
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
davidcarrasco
3
170
Navigating Team Friction
lara
192
16k
Unsuck your backbone
ammeep
672
58k
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
chikuwait
0
620
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
35
3.5k
Un-Boring Meetings
codingconduct
0
330
Transcript
5FSSBGPSNͷϨϏϡʔΛ $POGUFTUͰࣗಈԽ͢Δ Terraform meetup ONLINE #2021.02 Ryo Kubota @ryok6t
• Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team
manager • Terraformྺ1΄Ͳ ࣗݾհ
• 50ͷϚΠΫϩαʔϏε͕ AWS ্ʹଘࡏ • ϚΠΫϩαʔϏεͷΠϯϑϥΛ Terraform Ͱཧ • αʔϏεͱڥ͝ͱʹಠཱͨ͠
state Λอ༗ લఏ 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε" 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε# ʜ
• ϚΠΫϩαʔϏεͷΠϯϑϥΛ։ൃऀʹҕৡ͢Δͱ͍ ͏ࢥ͔Β Terraform Λಋೖ • 2000ݸͷطʹ࡞ΒΕͯ͠·͍ͬͯͨϦιʔεΛ શͯ import ͠ɺαʔϏεͱڥ͝ͱʹׂ
લ*B$ͳͲແ͔ͬͨ
• Terraform Λಋೖ͠ɺ։ൃऀ HCL Λॻ͍ͯ ϓϧϦΫΤετΛग़ͤΠϯϑϥʹมߋΛՃ͑ΒΕΔ Α͏ʹͳͬͨ • ࢥʹҰา͍ۙͨ എܠ
• ࣭ͷ୲อͷͨΊɺϨϏϡʔ΄ͱΜͲ SRE ͕୲ • ϨϏϡʔ͕ແࢹͰ͖ͳ͍ίετʹ ݟ͖͑ͯͨ৽ͨͳ՝
• ຊདྷͷϚΠΫϩαʔϏεͷֶͱͯ͠ɺ֤νʔϜ͕ ΠϯϑϥͷมߋؚΊͯ։ൃΛεϐʔσΟʹճ͍ͯ͠ ͚Δ͖ • ϨϏϡʔؚΊͯҕৡ͍͖͍ͯͨ͠ ຊདྷͷࢥʹཱͪฦΔͱʜ
• ͦΕͳΓʹෳࡶͳઃఆ͕ඞཁʹͳΔέʔε • Ճ͑ͯɺTerraform/AWS ͷࣝݸਓ/νʔϜʹΑͬ ͯҟͳΔ ҕৡ؆୯Ͱͳ͍
• FiNC ͰαʔϏεؒͷඇಉظ௨৴ʹ Amazon SNS/ SQS Λ༻ • ෳࡶͳઃఆ͕ඞཁ "NB[PO4/4424ͷྫ
• αʔϏεA ʹ SNS topic Λ࡞ • αʔϏεA ͷ IAM
policy ʹ SNS topic ͷݖݶΛՃ • αʔϏεB ʹ SQS queue Λ࡞ • αʔϏεB ͷ IAM policy ʹ SQS queue ͷݖݶΛՃ • SQS queue ͷ policy ʹ SNS topic ͷݖݶΛՃ • SNS topic ͱ SQS queue Λඥ͚ͮΔ resource ΛՃ 4/4424ͷઃఆ߲ଟ͍
• ίετूܭ Datadog ͰͷॲཧͷͨΊʹ tag Λٛ Խ͍ͯ͠Δ • λά͚ͳͲͷϕετϓϥΫςΟεશһ͕Ѳͯ͠ ͍ΔΘ͚Ͱͳ͍
5BHͷྫ
• શαʔϏεͰͷ࣭ͷ୲อ͕ࠔʹ • HCL ͷߏจ্ແ͍͜ͱ͕ଟ͍ͷͰɺTerraform ͰݕͰ͖ͳ͍ • ͋͘·Ͱҙຯ্ͷ • e.g.
tag ͕ແͯ͘વ apply Մೳ ϨϏϡʔΛҕৡ͢Δͱʜ
• ֤αʔϏεͷࣗԽͱશମͷ࣭ͷτϨʔυΦϑʹ • ϨϏϡʔҕৡ͍ͨ͠ʢࣗԽ͍ͨ͠ʣ͕ɺ ࣭୲อ͍ͨ͠ • ͳΜΒ͔ͷΈΛ༻͍ͯࣗಈԽ͢Δඞཁ͋Γ ࣭ͱࣗԽͷτϨʔυΦϑʁ
• CircleCI Ͱ terraform plan Λ͢Δࡍʹɺઃఆʹ͕ ແ͍͔ΛࣗಈͰνΣοΫ͢Δ • Open Policy
Agent(OPA) Λར༻ͯ͜͠ΕΛୡ ղܾࡦ
• OSS ͷϙϦγʔΤϯδϯ • CNCF ͷ Graduation project • Rego
ͱݺΕΔϙϦγʔهड़ݴޠΛͬͯϙϦγʔ Λఆٛ 01"ͱʁ
01"ͷΠϝʔδ :".-+40/ ͳͲͷ σʔλ 3FHP 1PMJDZ ೖྗ ఆ
• ηϚϯςΟΫεతͳͷݕΛࣗಈԽՄೳ • ஞҰʮtag ͍ͭͯͳ͍Αʂʯͱ͔ࢦఠ͕ෆཁ • Policy as Code ͕࣮ݱՄೳ
• ϙϦγʔΛ໌จԽ 㱻 ଐਓԽ • ϙϦγʔίʔυͱͯ͠։ൃՄೳ 01"Λ͏ͱԿ͕خ͍͠ͷ͔
• CircleCI ্Ͱ Conftest ͱ͍͏ OPA ͷπʔϧΛ࣮ߦ • Conftest ͱʁ
• ୯ͳΔ OPA ͷϢʔβʔΠϯλʔϑΣʔε • ࣮ࡍͷ࡞ۀ΄΅ OPA ͕࣮ߦ ࣮ࡍͲ͏͍ͬͯΔͷ͔
• plan ݁ՌΛ JSONʹͯ͠ೖྗ͢Δ • terraform plan -out plan.tfplan •
terraform show -json plan.tfplan | conftest test - 5FSSBGPSNͰͷ$POGUFTU
5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷใ มߋલมߋޙͷঢ়ଶ
ϙϦγʔͷྫʢUBHʣ ඞਢʹ͍ͨ͠UBH SFTPVSDF@DIBOHFTΛϧʔϓ ҰͭͰຬ͍ͨͯ͠ͳ͍ͷ͕ ͋ΕWJPMBUJPO
• action ͱϦιʔεͷछྨ͔ΒมߋͷӨڹൣғΛܭࢉ • ͦΕʹΑͬͯϨϏϡϫʔΛมߋ ଞʹ͜Μͳ͜ͱʜ
• Policy as Code: ϙϦγʔΛίʔυͱͯ͠ѻ͏ • Rego ͷจ๏ʹΫη͕͋ΔͨΊɺςετ͕ॏཁ • OPA
ͰϙϦγʔͷςετ༻ϑϨʔϜϫʔΫ͕ଘࡏ ͠ɺ؆୯ʹςετ͕Մೳ ϙϦγʔςετՄೳ
• ϚΠΫϩαʔϏεʹ͓͍ͯαʔϏεͷࣗੑͱશମ ͷ࣭ͷ୲อ͕τϨʔυΦϑʹͳΓ͍͢ • ҆શͰߴͳ։ൃͷͨΊʹɺPolicy as Code ʹΑΔ ηϚϯςΟΫεݕূͷࣗಈԽ͕༗ޮ •
Conftest Λ͏͜ͱͰ͜ΕΛ࣮ݱՄೳ ·ͱΊ
• Sentinel Ͱ Terraform ͷ Policy as Code ͕Մೳ •
FiNC Ͱ Kubernetes ͷ manifest ͷνΣοΫʹ Conftest Λ༻͍͍ͯΔͨΊ Conftest Λ࠾༻ ͪͳΈʹʜ