Upgrade to Pro — share decks privately, control downloads, hide ads and more …

TerraformのレビューをConftestで自動化する

Avatar for Ryo Kubota Ryo Kubota
February 10, 2021
Programming
3
1.7k

 TerraformのレビューをConftestで自動化する

Avatar for Ryo Kubota

Ryo Kubota

February 10, 2021
Tweet

More Decks by Ryo Kubota

See All by Ryo Kubota
Terraform x OPA/Conftest の tips
Avatar for Ryo Kubota ryokbt
0
1k
Handling TV Ad Traffic Influx with Microservices
Avatar for Ryo Kubota ryokbt
0
1.5k

Other Decks in Programming

See All in Programming
A full stack side project webapp all in Kotlin (KotlinConf 2025)
Avatar for Dan Kim dankim
0
150
新メンバーも今日から大活躍!SREが支えるスケールし続ける組織のオンボーディング
Avatar for HonMarkHunt honmarkhunt
5
8.7k
코딩 에이전트 체크리스트: Claude Code ver.
Avatar for nacyot nacyot
0
930
Vibe Codingの幻想を超えて-生成AIを現場で使えるようにするまでの泥臭い話.ai
Avatar for Kuu fumiyakume
10
4.3k
Git Sync を超える!OSS で実現する CDK Pull 型デプロイ / Deploying CDK with PipeCD in Pull-style
Avatar for Tetsuya Kikuchi tkikuc
4
350
AI時代のソフトウェア開発を考える(2025/07版) / Agentic Software Engineering Findy 2025-07 Edition
Avatar for Takuto Wada twada
PRO
99
37k
ニーリーにおけるプロダクトエンジニア
Avatar for Nealle nealle
0
950
React は次の10年を生き残れるか:3つのトレンドから考える
Avatar for Yuka O’oka oukayuka
12
3.7k
AI駆動のマルチエージェントによる業務フロー自動化の設計と実践
Avatar for 岡本秀明 h_okkah
0
230
“いい感じ“な定量評価を求めて - Four Keysとアウトカムの間の探求 -
Avatar for Nealle nealle
2
12k
フロントエンドのパフォーマンスチューニング
Avatar for kouki.miura koukimiura
5
2k
リバースエンジニアリング新時代へ!
GhidraとClaude DesktopをMCPで繋ぐ/findy202507
Avatar for @tkmru tkmru
3
970

Featured

See All Featured
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
278
23k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
30
5.9k
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
271
27k
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
62k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
32
1k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.4k
Faster Mobile Websites
Avatar for Dean Hume deanohume
308
31k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
63
7.8k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
10
700
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
331
22k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
18
990

Transcript

  1. 5FSSBGPSNͷϨϏϡʔΛ $POGUFTUͰࣗಈԽ͢Δ Terraform meetup ONLINE #2021.02 Ryo Kubota @ryok6t

  2. • Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team

    manager • Terraformྺ͸1೥൒΄Ͳ ࣗݾ঺հ

  3. • ໿50ͷϚΠΫϩαʔϏε͕ AWS ্ʹଘࡏ • ϚΠΫϩαʔϏεͷΠϯϑϥΛ Terraform Ͱ؅ཧ • αʔϏεͱ؀ڥ͝ͱʹಠཱͨ͠

    state Λอ༗ લఏ 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε" 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε# ʜ

  4. • ϚΠΫϩαʔϏεͷΠϯϑϥΛ։ൃऀʹҕৡ͢Δͱ͍ ͏ࢥ૝͔Β Terraform Λಋೖ • ໿2000ݸͷطʹ࡞ΒΕͯ͠·͍ͬͯͨϦιʔεΛ
 શͯ import ͠ɺαʔϏεͱ؀ڥ͝ͱʹ෼ׂ

    ೥൒લ͸*B$ͳͲແ͔ͬͨ

  5. • Terraform Λಋೖ͠ɺ։ൃऀ͸ HCL Λॻ͍ͯ
 ϓϧϦΫΤετΛग़ͤ͹ΠϯϑϥʹมߋΛՃ͑ΒΕΔ Α͏ʹͳͬͨ • ࢥ૝ʹҰาۙ෇͍ͨ എܠ

  6. • ࣭ͷ୲อͷͨΊɺϨϏϡʔ͸΄ͱΜͲ SRE ͕୲౰ • ϨϏϡʔ͕ແࢹͰ͖ͳ͍ίετʹ ݟ͖͑ͯͨ৽ͨͳ՝୊

  7. • ຊདྷͷϚΠΫϩαʔϏεͷ఩ֶͱͯ͠͸ɺ֤νʔϜ͕ Πϯϑϥͷมߋ΋ؚΊͯ։ൃΛεϐʔσΟʹճ͍ͯ͠ ͚Δ΂͖ • ϨϏϡʔ΋ؚΊͯҕৡ͍͖͍ͯͨ͠ ຊདྷͷࢥ૝ʹཱͪฦΔͱʜ

  8. • ͦΕͳΓʹෳࡶͳઃఆ͕ඞཁʹͳΔέʔε΋ • Ճ͑ͯɺTerraform/AWS ͷ஌ࣝ͸ݸਓ/νʔϜʹΑͬ ͯҟͳΔ ҕৡ͸؆୯Ͱ͸ͳ͍

  9. • FiNC Ͱ͸αʔϏεؒͷඇಉظ௨৴ʹ Amazon SNS/ SQS Λ࢖༻ • ΍΍ෳࡶͳઃఆ͕ඞཁ "NB[PO4/4424ͷྫ

  10. • αʔϏεA ʹ SNS topic Λ࡞੒ • αʔϏεA ͷ IAM

    policy ʹ SNS topic ͷݖݶΛ௥Ճ • αʔϏεB ʹ SQS queue Λ࡞੒ • αʔϏεB ͷ IAM policy ʹ SQS queue ͷݖݶΛ௥Ճ • SQS queue ͷ policy ʹ SNS topic ͷݖݶΛ௥Ճ • SNS topic ͱ SQS queue Λඥ͚ͮΔ resource Λ௥Ճ 4/4424ͷઃఆ߲໨͸ଟ͍

  11. • ίετूܭ΍ Datadog ͰͷॲཧͷͨΊʹ tag Λٛ຿ Խ͍ͯ͠Δ • λά෇͚ͳͲͷϕετϓϥΫςΟε΋શһ͕೺Ѳͯ͠ ͍ΔΘ͚Ͱ͸ͳ͍

    5BHͷྫ

  12. • શαʔϏεͰͷ࣭ͷ୲อ͕ࠔ೉ʹ • HCL ͷߏจ্͸໰୊ແ͍͜ͱ͕ଟ͍ͷͰɺTerraform Ͱ͸ݕ஌Ͱ͖ͳ͍ • ͋͘·Ͱҙຯ্ͷ໰୊ • e.g.

    tag ͕ແͯ͘΋౰વ apply ͸Մೳ ϨϏϡʔΛҕৡ͢Δͱʜ

  13. • ֤αʔϏεͷࣗ཯Խͱશମͷ࣭ͷτϨʔυΦϑʹ • ϨϏϡʔ͸ҕৡ͍ͨ͠ʢࣗ཯Խ͍ͨ͠ʣ͕ɺ
 ࣭΋୲อ͍ͨ͠ • ͳΜΒ͔ͷ࢓૊ΈΛ༻͍ͯࣗಈԽ͢Δඞཁ͋Γ ࣭ͱࣗ཯ԽͷτϨʔυΦϑʁ

  14. • CircleCI Ͱ terraform plan Λ͢Δࡍʹɺઃఆʹ໰୊͕ ແ͍͔ΛࣗಈͰνΣοΫ͢Δ • Open Policy

    Agent(OPA) Λར༻ͯ͜͠ΕΛୡ੒ ղܾࡦ

  15. • OSS ͷϙϦγʔΤϯδϯ • CNCF ͷ Graduation project • Rego

    ͱݺ͹ΕΔϙϦγʔهड़ݴޠΛ࢖ͬͯϙϦγʔ Λఆٛ 01"ͱ͸ʁ

  16. 01"ͷΠϝʔδ :".-+40/ ͳͲͷ σʔλ 3FHP 1PMJDZ ೖྗ ൑ఆ

  17. • ηϚϯςΟΫεతͳ໰୊ͷݕ஌ΛࣗಈԽՄೳ • ஞҰʮtag ͍ͭͯͳ͍Αʂʯͱ͔ࢦఠ͕ෆཁ • Policy as Code ͕࣮ݱՄೳ

    • ϙϦγʔΛ໌จԽ 㱻 ଐਓԽ • ϙϦγʔ΋ίʔυͱͯ͠։ൃՄೳ 01"Λ࢖͏ͱԿ͕خ͍͠ͷ͔

  18. • CircleCI ্Ͱ Conftest ͱ͍͏ OPA ͷπʔϧΛ࣮ߦ • Conftest ͱ͸ʁ

    • ୯ͳΔ OPA ͷϢʔβʔΠϯλʔϑΣʔε • ࣮ࡍͷ࡞ۀ͸΄΅ OPA ͕࣮ߦ ࣮ࡍͲ͏࢖͍ͬͯΔͷ͔

  19. • plan ݁ՌΛ JSONʹͯ͠ೖྗ͢Δ • terraform plan -out plan.tfplan •

    terraform show -json plan.tfplan | conftest test - 5FSSBGPSNͰͷ$POGUFTU

  20. 5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷ৘ใ มߋલมߋޙͷঢ়ଶ

  21. ϙϦγʔͷྫʢUBHʣ ඞਢʹ͍ͨ͠UBH SFTPVSDF@DIBOHFTΛϧʔϓ ҰͭͰ΋ຬ͍ͨͯ͠ͳ͍΋ͷ͕ ͋Ε͹WJPMBUJPO

  22. • action ͱϦιʔεͷछྨ͔ΒมߋͷӨڹൣғΛܭࢉ • ͦΕʹΑͬͯϨϏϡϫʔΛมߋ ଞʹ΋͜Μͳ͜ͱ΋ʜ

  23. • Policy as Code: ϙϦγʔΛίʔυͱͯ͠ѻ͏ • Rego ͷจ๏ʹ͸Ϋη͕͋ΔͨΊɺςετ͕ॏཁ • OPA

    Ͱ͸ϙϦγʔͷςετ༻ϑϨʔϜϫʔΫ͕ଘࡏ ͠ɺ؆୯ʹςετ͕Մೳ ϙϦγʔ͸ςετՄೳ

  24. • ϚΠΫϩαʔϏεʹ͓͍ͯ͸αʔϏεͷࣗ཯ੑͱશମ ͷ࣭ͷ୲อ͕τϨʔυΦϑʹͳΓ΍͍͢ • ҆શͰߴ଎ͳ։ൃͷͨΊʹ͸ɺPolicy as Code ʹΑΔ ηϚϯςΟΫεݕূͷࣗಈԽ͕༗ޮ •

    Conftest Λ࢖͏͜ͱͰ͜ΕΛ࣮ݱՄೳ ·ͱΊ

  25. • Sentinel Ͱ΋ Terraform ͷ Policy as Code ͕Մೳ •

    FiNC Ͱ͸ Kubernetes ͷ manifest ͷνΣοΫʹ΋ Conftest Λ༻͍͍ͯΔͨΊ Conftest Λ࠾༻ ͪͳΈʹʜ