Upgrade to Pro — share decks privately, control downloads, hide ads and more …

TerraformのレビューをConftestで自動化する

Avatar for Ryo Kubota Ryo Kubota
February 10, 2021
Programming
3
1.7k

 TerraformのレビューをConftestで自動化する

Avatar for Ryo Kubota

Ryo Kubota

February 10, 2021
Tweet

More Decks by Ryo Kubota

See All by Ryo Kubota
Terraform x OPA/Conftest の tips
Avatar for Ryo Kubota ryokbt
0
1.1k
Handling TV Ad Traffic Influx with Microservices
Avatar for Ryo Kubota ryokbt
0
1.5k

Other Decks in Programming

See All in Programming
私達はmodernize packageに夢を見るか feat. go/analysis, go/ast / Go Conference 2025
Avatar for m_t_tion1 kaorumuta
2
550
Goで実践するドメイン駆動開発 AIと歩み始めた新規プロダクト開発の現在地
Avatar for imkaoru imkaoru
4
830
CSC509 Lecture 03
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
330
Catch Up: Go Style Guide Update
Avatar for ANDPAD inc andpad
0
220
Go言語の特性を活かした公式MCP SDKの設計
Avatar for hond hond0413
1
230
The Past, Present, and Future of Enterprise Java
Avatar for ivargrimstad ivargrimstad
0
330
The Past, Present, and Future of Enterprise Java
Avatar for ivargrimstad ivargrimstad
0
300
Foundation Modelsを実装日本語学習アプリを作ってみた!
Avatar for 蛋白(たんぱく・TANPACT) hypebeans
0
110
CSC305 Lecture 04
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
270
Web Components で実現する Hotwire とフロントエンドフレームワークの橋渡し / Bridging with Web Components
Avatar for Daichi KUDO da1chi
3
2.3k
株式会社 Sun terras カンパニーデック
Avatar for Sun terras.Inc sunterras
0
290
コードとあなたと私の距離 / The Distance Between Code, You, and I
Avatar for YAMAOKA Hiroyuki hiro_y
0
160

Featured

See All Featured
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
273
27k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
59
9.6k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
132
19k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
37
2.9k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
209
24k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
72
11k
The Language of Interfaces
Avatar for Des Traynor destraynor
162
25k
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
36
6.9k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
9
590
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.6k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
54
11k

Transcript

  1. 5FSSBGPSNͷϨϏϡʔΛ $POGUFTUͰࣗಈԽ͢Δ Terraform meetup ONLINE #2021.02 Ryo Kubota @ryok6t

  2. • Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team

    manager • Terraformྺ͸1೥൒΄Ͳ ࣗݾ঺հ

  3. • ໿50ͷϚΠΫϩαʔϏε͕ AWS ্ʹଘࡏ • ϚΠΫϩαʔϏεͷΠϯϑϥΛ Terraform Ͱ؅ཧ • αʔϏεͱ؀ڥ͝ͱʹಠཱͨ͠

    state Λอ༗ લఏ 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε" 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε# ʜ

  4. • ϚΠΫϩαʔϏεͷΠϯϑϥΛ։ൃऀʹҕৡ͢Δͱ͍ ͏ࢥ૝͔Β Terraform Λಋೖ • ໿2000ݸͷطʹ࡞ΒΕͯ͠·͍ͬͯͨϦιʔεΛ
 શͯ import ͠ɺαʔϏεͱ؀ڥ͝ͱʹ෼ׂ

    ೥൒લ͸*B$ͳͲແ͔ͬͨ

  5. • Terraform Λಋೖ͠ɺ։ൃऀ͸ HCL Λॻ͍ͯ
 ϓϧϦΫΤετΛग़ͤ͹ΠϯϑϥʹมߋΛՃ͑ΒΕΔ Α͏ʹͳͬͨ • ࢥ૝ʹҰาۙ෇͍ͨ എܠ

  6. • ࣭ͷ୲อͷͨΊɺϨϏϡʔ͸΄ͱΜͲ SRE ͕୲౰ • ϨϏϡʔ͕ແࢹͰ͖ͳ͍ίετʹ ݟ͖͑ͯͨ৽ͨͳ՝୊

  7. • ຊདྷͷϚΠΫϩαʔϏεͷ఩ֶͱͯ͠͸ɺ֤νʔϜ͕ Πϯϑϥͷมߋ΋ؚΊͯ։ൃΛεϐʔσΟʹճ͍ͯ͠ ͚Δ΂͖ • ϨϏϡʔ΋ؚΊͯҕৡ͍͖͍ͯͨ͠ ຊདྷͷࢥ૝ʹཱͪฦΔͱʜ

  8. • ͦΕͳΓʹෳࡶͳઃఆ͕ඞཁʹͳΔέʔε΋ • Ճ͑ͯɺTerraform/AWS ͷ஌ࣝ͸ݸਓ/νʔϜʹΑͬ ͯҟͳΔ ҕৡ͸؆୯Ͱ͸ͳ͍

  9. • FiNC Ͱ͸αʔϏεؒͷඇಉظ௨৴ʹ Amazon SNS/ SQS Λ࢖༻ • ΍΍ෳࡶͳઃఆ͕ඞཁ "NB[PO4/4424ͷྫ

  10. • αʔϏεA ʹ SNS topic Λ࡞੒ • αʔϏεA ͷ IAM

    policy ʹ SNS topic ͷݖݶΛ௥Ճ • αʔϏεB ʹ SQS queue Λ࡞੒ • αʔϏεB ͷ IAM policy ʹ SQS queue ͷݖݶΛ௥Ճ • SQS queue ͷ policy ʹ SNS topic ͷݖݶΛ௥Ճ • SNS topic ͱ SQS queue Λඥ͚ͮΔ resource Λ௥Ճ 4/4424ͷઃఆ߲໨͸ଟ͍

  11. • ίετूܭ΍ Datadog ͰͷॲཧͷͨΊʹ tag Λٛ຿ Խ͍ͯ͠Δ • λά෇͚ͳͲͷϕετϓϥΫςΟε΋શһ͕೺Ѳͯ͠ ͍ΔΘ͚Ͱ͸ͳ͍

    5BHͷྫ

  12. • શαʔϏεͰͷ࣭ͷ୲อ͕ࠔ೉ʹ • HCL ͷߏจ্͸໰୊ແ͍͜ͱ͕ଟ͍ͷͰɺTerraform Ͱ͸ݕ஌Ͱ͖ͳ͍ • ͋͘·Ͱҙຯ্ͷ໰୊ • e.g.

    tag ͕ແͯ͘΋౰વ apply ͸Մೳ ϨϏϡʔΛҕৡ͢Δͱʜ

  13. • ֤αʔϏεͷࣗ཯Խͱશମͷ࣭ͷτϨʔυΦϑʹ • ϨϏϡʔ͸ҕৡ͍ͨ͠ʢࣗ཯Խ͍ͨ͠ʣ͕ɺ
 ࣭΋୲อ͍ͨ͠ • ͳΜΒ͔ͷ࢓૊ΈΛ༻͍ͯࣗಈԽ͢Δඞཁ͋Γ ࣭ͱࣗ཯ԽͷτϨʔυΦϑʁ

  14. • CircleCI Ͱ terraform plan Λ͢Δࡍʹɺઃఆʹ໰୊͕ ແ͍͔ΛࣗಈͰνΣοΫ͢Δ • Open Policy

    Agent(OPA) Λར༻ͯ͜͠ΕΛୡ੒ ղܾࡦ

  15. • OSS ͷϙϦγʔΤϯδϯ • CNCF ͷ Graduation project • Rego

    ͱݺ͹ΕΔϙϦγʔهड़ݴޠΛ࢖ͬͯϙϦγʔ Λఆٛ 01"ͱ͸ʁ

  16. 01"ͷΠϝʔδ :".-+40/ ͳͲͷ σʔλ 3FHP 1PMJDZ ೖྗ ൑ఆ

  17. • ηϚϯςΟΫεతͳ໰୊ͷݕ஌ΛࣗಈԽՄೳ • ஞҰʮtag ͍ͭͯͳ͍Αʂʯͱ͔ࢦఠ͕ෆཁ • Policy as Code ͕࣮ݱՄೳ

    • ϙϦγʔΛ໌จԽ 㱻 ଐਓԽ • ϙϦγʔ΋ίʔυͱͯ͠։ൃՄೳ 01"Λ࢖͏ͱԿ͕خ͍͠ͷ͔

  18. • CircleCI ্Ͱ Conftest ͱ͍͏ OPA ͷπʔϧΛ࣮ߦ • Conftest ͱ͸ʁ

    • ୯ͳΔ OPA ͷϢʔβʔΠϯλʔϑΣʔε • ࣮ࡍͷ࡞ۀ͸΄΅ OPA ͕࣮ߦ ࣮ࡍͲ͏࢖͍ͬͯΔͷ͔

  19. • plan ݁ՌΛ JSONʹͯ͠ೖྗ͢Δ • terraform plan -out plan.tfplan •

    terraform show -json plan.tfplan | conftest test - 5FSSBGPSNͰͷ$POGUFTU

  20. 5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷ৘ใ มߋલมߋޙͷঢ়ଶ

  21. ϙϦγʔͷྫʢUBHʣ ඞਢʹ͍ͨ͠UBH SFTPVSDF@DIBOHFTΛϧʔϓ ҰͭͰ΋ຬ͍ͨͯ͠ͳ͍΋ͷ͕ ͋Ε͹WJPMBUJPO

  22. • action ͱϦιʔεͷछྨ͔ΒมߋͷӨڹൣғΛܭࢉ • ͦΕʹΑͬͯϨϏϡϫʔΛมߋ ଞʹ΋͜Μͳ͜ͱ΋ʜ

  23. • Policy as Code: ϙϦγʔΛίʔυͱͯ͠ѻ͏ • Rego ͷจ๏ʹ͸Ϋη͕͋ΔͨΊɺςετ͕ॏཁ • OPA

    Ͱ͸ϙϦγʔͷςετ༻ϑϨʔϜϫʔΫ͕ଘࡏ ͠ɺ؆୯ʹςετ͕Մೳ ϙϦγʔ͸ςετՄೳ

  24. • ϚΠΫϩαʔϏεʹ͓͍ͯ͸αʔϏεͷࣗ཯ੑͱશମ ͷ࣭ͷ୲อ͕τϨʔυΦϑʹͳΓ΍͍͢ • ҆શͰߴ଎ͳ։ൃͷͨΊʹ͸ɺPolicy as Code ʹΑΔ ηϚϯςΟΫεݕূͷࣗಈԽ͕༗ޮ •

    Conftest Λ࢖͏͜ͱͰ͜ΕΛ࣮ݱՄೳ ·ͱΊ

  25. • Sentinel Ͱ΋ Terraform ͷ Policy as Code ͕Մೳ •

    FiNC Ͱ͸ Kubernetes ͷ manifest ͷνΣοΫʹ΋ Conftest Λ༻͍͍ͯΔͨΊ Conftest Λ࠾༻ ͪͳΈʹʜ