Upgrade to Pro — share decks privately, control downloads, hide ads and more …

TerraformのレビューをConftestで自動化する

6c366ab6293eb42aec0e6f5f69b50882?s=47 Ryo Kubota
February 10, 2021
Programming
3
780

 TerraformのレビューをConftestで自動化する

6c366ab6293eb42aec0e6f5f69b50882?s=128

Ryo Kubota

February 10, 2021
Tweet

More Decks by Ryo Kubota

See All by Ryo Kubota
Terraform x OPA/Conftest の tips
6c366ab6293eb42aec0e6f5f69b50882?s=48 ryokbt
0
510
Handling TV Ad Traffic Influx with Microservices
6c366ab6293eb42aec0e6f5f69b50882?s=48 ryokbt
0
1.3k

Other Decks in Programming

See All in Programming
Lookerとdbtの共存
739b3e6644385d832834f6d4db498642?s=48 ttccddtoki
0
640
リーダブルテストコード / #vstat
48a913a2e3bb5e68aae6f73079648e84?s=48 jnchito
48
36k
Regular expressions basics/正規表現の基本
9bf923e39671cde83584e3e926296c13?s=48 kishikawakatsumi
6
260
FullStack eXchange, July 2022
6f3ec7315ad0715ae2a5f89a52877218?s=48 brucel
0
200
Pythonで鉄道指向プログラミング
Cc15f7fbb06e96bdb56992e3d42ea8cd?s=48 usabarashi
0
130
パスワードに関する最近の動向
8fd1ae6548d5ab14139c8d8032b76ee1?s=48 kenchan0130
1
330
10歳の minne から、これから長く続くプロダクトを作るすべての人へ
Dd21eeb4e9dc073f37239571b85fd2ab?s=48 tsumichan
9
3.7k
Recap CDN, Edge, WebAssembly | ワインと鍋.js#1
33ef4c1ebe619115b552db9a9f9a3509?s=48 sadnessojisan
2
1.2k
フロントエンドエンジニアが変える現場のモデリング意識/modeling-awareness-changed-by-front-end-engineers
F122773bb8d506a4f38a94bfeff45945?s=48 uggds
32
13k
このタイミングで知っておきたい 開発生産性の高いエンジニア組織の特徴とは / dev-sumi-20220721-productivity-features
6f425ca5b796b421dca359b95046184f?s=48 findyinc
7
2.7k
atama plusの開発チームはどのように「不確実性」に向き合ってきたか〜2022夏版〜
F0a8d07597a19192791bf663504d2a17?s=48 atamaplus
3
620
Getting Started With Data Structures
Fbe54abf4094d19f1548783d072a7fa7?s=48 adoranwodo
1
260

Featured

See All Featured
Dealing with People You Can't Stand - Big Design 2015
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
351
21k
Reflections from 52 weeks, 52 projects
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
337
17k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
173
8.6k
What the flash - Photography Introduction
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
62
10k
From Idea to $5000 a Month in 5 Months
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
373
44k
Writing Fast Ruby
1f74b13f1e5c6c69cb5d7fbaabb1e2cb?s=48 sferik
612
57k
10 Git Anti Patterns You Should be Aware of
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
638
52k
Designing with Data
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
91
4k
Learning to Love Humans: Emotional Interface Design
5f50f94346fbcb23706f0707169317a4?s=48 aarron
261
37k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
237
19k
A Modern Web Designer's Workflow
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
689
180k
How to name files
0a4f62e90c976eeb44d33add75cca5af?s=48 jennybc
40
63k

Transcript

  1. 5FSSBGPSNͷϨϏϡʔΛ $POGUFTUͰࣗಈԽ͢Δ Terraform meetup ONLINE #2021.02 Ryo Kubota @ryok6t

  2. • Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team

    manager • Terraformྺ͸1೥൒΄Ͳ ࣗݾ঺հ

  3. • ໿50ͷϚΠΫϩαʔϏε͕ AWS ্ʹଘࡏ • ϚΠΫϩαʔϏεͷΠϯϑϥΛ Terraform Ͱ؅ཧ • αʔϏεͱ؀ڥ͝ͱʹಠཱͨ͠

    state Λอ༗ લఏ 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε" 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε# ʜ

  4. • ϚΠΫϩαʔϏεͷΠϯϑϥΛ։ൃऀʹҕৡ͢Δͱ͍ ͏ࢥ૝͔Β Terraform Λಋೖ • ໿2000ݸͷطʹ࡞ΒΕͯ͠·͍ͬͯͨϦιʔεΛ
 શͯ import ͠ɺαʔϏεͱ؀ڥ͝ͱʹ෼ׂ

    ೥൒લ͸*B$ͳͲແ͔ͬͨ

  5. • Terraform Λಋೖ͠ɺ։ൃऀ͸ HCL Λॻ͍ͯ
 ϓϧϦΫΤετΛग़ͤ͹ΠϯϑϥʹมߋΛՃ͑ΒΕΔ Α͏ʹͳͬͨ • ࢥ૝ʹҰาۙ෇͍ͨ എܠ

  6. • ࣭ͷ୲อͷͨΊɺϨϏϡʔ͸΄ͱΜͲ SRE ͕୲౰ • ϨϏϡʔ͕ແࢹͰ͖ͳ͍ίετʹ ݟ͖͑ͯͨ৽ͨͳ՝୊

  7. • ຊདྷͷϚΠΫϩαʔϏεͷ఩ֶͱͯ͠͸ɺ֤νʔϜ͕ Πϯϑϥͷมߋ΋ؚΊͯ։ൃΛεϐʔσΟʹճ͍ͯ͠ ͚Δ΂͖ • ϨϏϡʔ΋ؚΊͯҕৡ͍͖͍ͯͨ͠ ຊདྷͷࢥ૝ʹཱͪฦΔͱʜ

  8. • ͦΕͳΓʹෳࡶͳઃఆ͕ඞཁʹͳΔέʔε΋ • Ճ͑ͯɺTerraform/AWS ͷ஌ࣝ͸ݸਓ/νʔϜʹΑͬ ͯҟͳΔ ҕৡ͸؆୯Ͱ͸ͳ͍

  9. • FiNC Ͱ͸αʔϏεؒͷඇಉظ௨৴ʹ Amazon SNS/ SQS Λ࢖༻ • ΍΍ෳࡶͳઃఆ͕ඞཁ "NB[PO4/4424ͷྫ

  10. • αʔϏεA ʹ SNS topic Λ࡞੒ • αʔϏεA ͷ IAM

    policy ʹ SNS topic ͷݖݶΛ௥Ճ • αʔϏεB ʹ SQS queue Λ࡞੒ • αʔϏεB ͷ IAM policy ʹ SQS queue ͷݖݶΛ௥Ճ • SQS queue ͷ policy ʹ SNS topic ͷݖݶΛ௥Ճ • SNS topic ͱ SQS queue Λඥ͚ͮΔ resource Λ௥Ճ 4/4424ͷઃఆ߲໨͸ଟ͍

  11. • ίετूܭ΍ Datadog ͰͷॲཧͷͨΊʹ tag Λٛ຿ Խ͍ͯ͠Δ • λά෇͚ͳͲͷϕετϓϥΫςΟε΋શһ͕೺Ѳͯ͠ ͍ΔΘ͚Ͱ͸ͳ͍

    5BHͷྫ

  12. • શαʔϏεͰͷ࣭ͷ୲อ͕ࠔ೉ʹ • HCL ͷߏจ্͸໰୊ແ͍͜ͱ͕ଟ͍ͷͰɺTerraform Ͱ͸ݕ஌Ͱ͖ͳ͍ • ͋͘·Ͱҙຯ্ͷ໰୊ • e.g.

    tag ͕ແͯ͘΋౰વ apply ͸Մೳ ϨϏϡʔΛҕৡ͢Δͱʜ

  13. • ֤αʔϏεͷࣗ཯Խͱશମͷ࣭ͷτϨʔυΦϑʹ • ϨϏϡʔ͸ҕৡ͍ͨ͠ʢࣗ཯Խ͍ͨ͠ʣ͕ɺ
 ࣭΋୲อ͍ͨ͠ • ͳΜΒ͔ͷ࢓૊ΈΛ༻͍ͯࣗಈԽ͢Δඞཁ͋Γ ࣭ͱࣗ཯ԽͷτϨʔυΦϑʁ

  14. • CircleCI Ͱ terraform plan Λ͢Δࡍʹɺઃఆʹ໰୊͕ ແ͍͔ΛࣗಈͰνΣοΫ͢Δ • Open Policy

    Agent(OPA) Λར༻ͯ͜͠ΕΛୡ੒ ղܾࡦ

  15. • OSS ͷϙϦγʔΤϯδϯ • CNCF ͷ Graduation project • Rego

    ͱݺ͹ΕΔϙϦγʔهड़ݴޠΛ࢖ͬͯϙϦγʔ Λఆٛ 01"ͱ͸ʁ

  16. 01"ͷΠϝʔδ :".-+40/ ͳͲͷ σʔλ 3FHP 1PMJDZ ೖྗ ൑ఆ

  17. • ηϚϯςΟΫεతͳ໰୊ͷݕ஌ΛࣗಈԽՄೳ • ஞҰʮtag ͍ͭͯͳ͍Αʂʯͱ͔ࢦఠ͕ෆཁ • Policy as Code ͕࣮ݱՄೳ

    • ϙϦγʔΛ໌จԽ 㱻 ଐਓԽ • ϙϦγʔ΋ίʔυͱͯ͠։ൃՄೳ 01"Λ࢖͏ͱԿ͕خ͍͠ͷ͔

  18. • CircleCI ্Ͱ Conftest ͱ͍͏ OPA ͷπʔϧΛ࣮ߦ • Conftest ͱ͸ʁ

    • ୯ͳΔ OPA ͷϢʔβʔΠϯλʔϑΣʔε • ࣮ࡍͷ࡞ۀ͸΄΅ OPA ͕࣮ߦ ࣮ࡍͲ͏࢖͍ͬͯΔͷ͔

  19. • plan ݁ՌΛ JSONʹͯ͠ೖྗ͢Δ • terraform plan -out plan.tfplan •

    terraform show -json plan.tfplan | conftest test - 5FSSBGPSNͰͷ$POGUFTU

  20. 5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷ৘ใ มߋલมߋޙͷঢ়ଶ

  21. ϙϦγʔͷྫʢUBHʣ ඞਢʹ͍ͨ͠UBH SFTPVSDF@DIBOHFTΛϧʔϓ ҰͭͰ΋ຬ͍ͨͯ͠ͳ͍΋ͷ͕ ͋Ε͹WJPMBUJPO

  22. • action ͱϦιʔεͷछྨ͔ΒมߋͷӨڹൣғΛܭࢉ • ͦΕʹΑͬͯϨϏϡϫʔΛมߋ ଞʹ΋͜Μͳ͜ͱ΋ʜ

  23. • Policy as Code: ϙϦγʔΛίʔυͱͯ͠ѻ͏ • Rego ͷจ๏ʹ͸Ϋη͕͋ΔͨΊɺςετ͕ॏཁ • OPA

    Ͱ͸ϙϦγʔͷςετ༻ϑϨʔϜϫʔΫ͕ଘࡏ ͠ɺ؆୯ʹςετ͕Մೳ ϙϦγʔ͸ςετՄೳ

  24. • ϚΠΫϩαʔϏεʹ͓͍ͯ͸αʔϏεͷࣗ཯ੑͱશମ ͷ࣭ͷ୲อ͕τϨʔυΦϑʹͳΓ΍͍͢ • ҆શͰߴ଎ͳ։ൃͷͨΊʹ͸ɺPolicy as Code ʹΑΔ ηϚϯςΟΫεݕূͷࣗಈԽ͕༗ޮ •

    Conftest Λ࢖͏͜ͱͰ͜ΕΛ࣮ݱՄೳ ·ͱΊ

  25. • Sentinel Ͱ΋ Terraform ͷ Policy as Code ͕Մೳ •

    FiNC Ͱ͸ Kubernetes ͷ manifest ͷνΣοΫʹ΋ Conftest Λ༻͍͍ͯΔͨΊ Conftest Λ࠾༻ ͪͳΈʹʜ