Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
TerraformのレビューをConftestで自動化する
Search
Ryo Kubota
February 10, 2021
Programming
3
1.6k
TerraformのレビューをConftestで自動化する
Ryo Kubota
February 10, 2021
Tweet
Share
More Decks by Ryo Kubota
See All by Ryo Kubota
Terraform x OPA/Conftest の tips
ryokbt
0
980
Handling TV Ad Traffic Influx with Microservices
ryokbt
0
1.5k
Other Decks in Programming
See All in Programming
rails newと同時に型を書く
aki19035vc
6
760
『改訂新版 良いコード/悪いコードで学ぶ設計入門』活用方法−爆速でスキルアップする!効果的な学習アプローチ / effective-learning-of-good-code
minodriven
29
5k
ASP. NET CoreにおけるWebAPIの最新情報
tomokusaba
0
310
Writing documentation can be fun with plugin system
okuramasafumi
0
110
CloudNativePGがCNCF Sandboxプロジェクトになったぞ! 〜CloudNativePGの仕組みの紹介〜
nnaka2992
0
210
Alba: Why, How and What's So Interesting
okuramasafumi
0
240
GitHub Actions × RAGでコードレビューの検証の結果
sho_000
0
170
chibiccをCILに移植した結果 (NGK2025S版)
kekyo
PRO
0
200
WebDriver BiDiとは何なのか
yotahada3
1
120
TokyoR116_BeginnersSession1_環境構築
kotatyamtema
0
100
JavaScriptツール群「UnJS」を5分で一気に駆け巡る!
k1tikurisu
10
1.7k
2024年のkintone API振り返りと2025年 / kintone API look back in 2024
tasshi
0
190
Featured
See All Featured
Six Lessons from altMBA
skipperchong
27
3.6k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
620
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
28
4.5k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
39
1.9k
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.5k
Producing Creativity
orderedlist
PRO
343
39k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.3k
Statistics for Hackers
jakevdp
797
220k
Designing on Purpose - Digital PM Summit 2013
jponch
117
7.1k
The Language of Interfaces
destraynor
156
24k
Transcript
5FSSBGPSNͷϨϏϡʔΛ $POGUFTUͰࣗಈԽ͢Δ Terraform meetup ONLINE #2021.02 Ryo Kubota @ryok6t
• Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team
manager • Terraformྺ1΄Ͳ ࣗݾհ
• 50ͷϚΠΫϩαʔϏε͕ AWS ্ʹଘࡏ • ϚΠΫϩαʔϏεͷΠϯϑϥΛ Terraform Ͱཧ • αʔϏεͱڥ͝ͱʹಠཱͨ͠
state Λอ༗ લఏ 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε" 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε# ʜ
• ϚΠΫϩαʔϏεͷΠϯϑϥΛ։ൃऀʹҕৡ͢Δͱ͍ ͏ࢥ͔Β Terraform Λಋೖ • 2000ݸͷطʹ࡞ΒΕͯ͠·͍ͬͯͨϦιʔεΛ શͯ import ͠ɺαʔϏεͱڥ͝ͱʹׂ
લ*B$ͳͲແ͔ͬͨ
• Terraform Λಋೖ͠ɺ։ൃऀ HCL Λॻ͍ͯ ϓϧϦΫΤετΛग़ͤΠϯϑϥʹมߋΛՃ͑ΒΕΔ Α͏ʹͳͬͨ • ࢥʹҰา͍ۙͨ എܠ
• ࣭ͷ୲อͷͨΊɺϨϏϡʔ΄ͱΜͲ SRE ͕୲ • ϨϏϡʔ͕ແࢹͰ͖ͳ͍ίετʹ ݟ͖͑ͯͨ৽ͨͳ՝
• ຊདྷͷϚΠΫϩαʔϏεͷֶͱͯ͠ɺ֤νʔϜ͕ ΠϯϑϥͷมߋؚΊͯ։ൃΛεϐʔσΟʹճ͍ͯ͠ ͚Δ͖ • ϨϏϡʔؚΊͯҕৡ͍͖͍ͯͨ͠ ຊདྷͷࢥʹཱͪฦΔͱʜ
• ͦΕͳΓʹෳࡶͳઃఆ͕ඞཁʹͳΔέʔε • Ճ͑ͯɺTerraform/AWS ͷࣝݸਓ/νʔϜʹΑͬ ͯҟͳΔ ҕৡ؆୯Ͱͳ͍
• FiNC ͰαʔϏεؒͷඇಉظ௨৴ʹ Amazon SNS/ SQS Λ༻ • ෳࡶͳઃఆ͕ඞཁ "NB[PO4/4424ͷྫ
• αʔϏεA ʹ SNS topic Λ࡞ • αʔϏεA ͷ IAM
policy ʹ SNS topic ͷݖݶΛՃ • αʔϏεB ʹ SQS queue Λ࡞ • αʔϏεB ͷ IAM policy ʹ SQS queue ͷݖݶΛՃ • SQS queue ͷ policy ʹ SNS topic ͷݖݶΛՃ • SNS topic ͱ SQS queue Λඥ͚ͮΔ resource ΛՃ 4/4424ͷઃఆ߲ଟ͍
• ίετूܭ Datadog ͰͷॲཧͷͨΊʹ tag Λٛ Խ͍ͯ͠Δ • λά͚ͳͲͷϕετϓϥΫςΟεશһ͕Ѳͯ͠ ͍ΔΘ͚Ͱͳ͍
5BHͷྫ
• શαʔϏεͰͷ࣭ͷ୲อ͕ࠔʹ • HCL ͷߏจ্ແ͍͜ͱ͕ଟ͍ͷͰɺTerraform ͰݕͰ͖ͳ͍ • ͋͘·Ͱҙຯ্ͷ • e.g.
tag ͕ແͯ͘વ apply Մೳ ϨϏϡʔΛҕৡ͢Δͱʜ
• ֤αʔϏεͷࣗԽͱશମͷ࣭ͷτϨʔυΦϑʹ • ϨϏϡʔҕৡ͍ͨ͠ʢࣗԽ͍ͨ͠ʣ͕ɺ ࣭୲อ͍ͨ͠ • ͳΜΒ͔ͷΈΛ༻͍ͯࣗಈԽ͢Δඞཁ͋Γ ࣭ͱࣗԽͷτϨʔυΦϑʁ
• CircleCI Ͱ terraform plan Λ͢Δࡍʹɺઃఆʹ͕ ແ͍͔ΛࣗಈͰνΣοΫ͢Δ • Open Policy
Agent(OPA) Λར༻ͯ͜͠ΕΛୡ ղܾࡦ
• OSS ͷϙϦγʔΤϯδϯ • CNCF ͷ Graduation project • Rego
ͱݺΕΔϙϦγʔهड़ݴޠΛͬͯϙϦγʔ Λఆٛ 01"ͱʁ
01"ͷΠϝʔδ :".-+40/ ͳͲͷ σʔλ 3FHP 1PMJDZ ೖྗ ఆ
• ηϚϯςΟΫεతͳͷݕΛࣗಈԽՄೳ • ஞҰʮtag ͍ͭͯͳ͍Αʂʯͱ͔ࢦఠ͕ෆཁ • Policy as Code ͕࣮ݱՄೳ
• ϙϦγʔΛ໌จԽ 㱻 ଐਓԽ • ϙϦγʔίʔυͱͯ͠։ൃՄೳ 01"Λ͏ͱԿ͕خ͍͠ͷ͔
• CircleCI ্Ͱ Conftest ͱ͍͏ OPA ͷπʔϧΛ࣮ߦ • Conftest ͱʁ
• ୯ͳΔ OPA ͷϢʔβʔΠϯλʔϑΣʔε • ࣮ࡍͷ࡞ۀ΄΅ OPA ͕࣮ߦ ࣮ࡍͲ͏͍ͬͯΔͷ͔
• plan ݁ՌΛ JSONʹͯ͠ೖྗ͢Δ • terraform plan -out plan.tfplan •
terraform show -json plan.tfplan | conftest test - 5FSSBGPSNͰͷ$POGUFTU
5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷใ มߋલมߋޙͷঢ়ଶ
ϙϦγʔͷྫʢUBHʣ ඞਢʹ͍ͨ͠UBH SFTPVSDF@DIBOHFTΛϧʔϓ ҰͭͰຬ͍ͨͯ͠ͳ͍ͷ͕ ͋ΕWJPMBUJPO
• action ͱϦιʔεͷछྨ͔ΒมߋͷӨڹൣғΛܭࢉ • ͦΕʹΑͬͯϨϏϡϫʔΛมߋ ଞʹ͜Μͳ͜ͱʜ
• Policy as Code: ϙϦγʔΛίʔυͱͯ͠ѻ͏ • Rego ͷจ๏ʹΫη͕͋ΔͨΊɺςετ͕ॏཁ • OPA
ͰϙϦγʔͷςετ༻ϑϨʔϜϫʔΫ͕ଘࡏ ͠ɺ؆୯ʹςετ͕Մೳ ϙϦγʔςετՄೳ
• ϚΠΫϩαʔϏεʹ͓͍ͯαʔϏεͷࣗੑͱશମ ͷ࣭ͷ୲อ͕τϨʔυΦϑʹͳΓ͍͢ • ҆શͰߴͳ։ൃͷͨΊʹɺPolicy as Code ʹΑΔ ηϚϯςΟΫεݕূͷࣗಈԽ͕༗ޮ •
Conftest Λ͏͜ͱͰ͜ΕΛ࣮ݱՄೳ ·ͱΊ
• Sentinel Ͱ Terraform ͷ Policy as Code ͕Մೳ •
FiNC Ͱ Kubernetes ͷ manifest ͷνΣοΫʹ Conftest Λ༻͍͍ͯΔͨΊ Conftest Λ࠾༻ ͪͳΈʹʜ