Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
TerraformのレビューをConftestで自動化する
Search
Ryo Kubota
February 10, 2021
Programming
3
1.4k
TerraformのレビューをConftestで自動化する
Ryo Kubota
February 10, 2021
Tweet
Share
More Decks by Ryo Kubota
See All by Ryo Kubota
Terraform x OPA/Conftest の tips
ryokbt
0
900
Handling TV Ad Traffic Influx with Microservices
ryokbt
0
1.4k
Other Decks in Programming
See All in Programming
Architectures with Lightweight Stores: New Rules and Options
manfredsteyer
PRO
0
100
AWS CDKにおける「再利用性」を考える / aws-cdk-reusability
gotok365
6
1.3k
Findy - エンジニア向け会社紹介 / Findy Letter for Engineers
findyinc
2
81k
Clean Architecture by TypeScript & NestJS
ryounasso
0
150
ぼっちを避けて楽しむためのアノテコノテ / Various Tips and Tricks to Avoid Loneliness and Have Fun
nrslib
3
1.7k
Javaの現状2024夏 / Java current status 2024 summer
kishida
4
1.4k
Xcode 16のPreviewModifierと@Previewableを活用した効率的なプレビュー方法の考察
ojun9
2
160
Harnessing Large Language Models for Training-free Video Anomaly Detection
tereka114
1
1.3k
Cloudflare Workers x AWS Lambdaの組み合わせユースケース / Cloudflare Workers x AWS Lambda Combination Use Case
seike460
PRO
2
310
実用的かつリーズナブルな 「Azure × Gemini × LINE」~キャラクターBot 実装ライブデモ~
tomodo_ysys
1
170
Temporalを取り巻く仕様を整理する
sajikix
0
120
TiDB Serverless ~理想のServerless DBを考える~
soso_15315
1
160
Featured
See All Featured
Into the Great Unknown - MozCon
thekraken
20
1.3k
How to name files
jennybc
67
96k
Building an army of robots
kneath
301
42k
Large-scale JavaScript Application Architecture
addyosmani
506
110k
Documentation Writing (for coders)
carmenintech
63
4.2k
Building Your Own Lightsaber
phodgson
101
5.9k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
34
1.9k
4 Signs Your Business is Dying
shpigford
178
21k
It's Worth the Effort
3n
181
27k
Rebuilding a faster, lazier Slack
samanthasiow
78
8.5k
Mobile First: as difficult as doing things right
swwweet
219
8.8k
Transcript
5FSSBGPSNͷϨϏϡʔΛ $POGUFTUͰࣗಈԽ͢Δ Terraform meetup ONLINE #2021.02 Ryo Kubota @ryok6t
• Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team
manager • Terraformྺ1΄Ͳ ࣗݾհ
• 50ͷϚΠΫϩαʔϏε͕ AWS ্ʹଘࡏ • ϚΠΫϩαʔϏεͷΠϯϑϥΛ Terraform Ͱཧ • αʔϏεͱڥ͝ͱʹಠཱͨ͠
state Λอ༗ લఏ 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε" 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε# ʜ
• ϚΠΫϩαʔϏεͷΠϯϑϥΛ։ൃऀʹҕৡ͢Δͱ͍ ͏ࢥ͔Β Terraform Λಋೖ • 2000ݸͷطʹ࡞ΒΕͯ͠·͍ͬͯͨϦιʔεΛ શͯ import ͠ɺαʔϏεͱڥ͝ͱʹׂ
લ*B$ͳͲແ͔ͬͨ
• Terraform Λಋೖ͠ɺ։ൃऀ HCL Λॻ͍ͯ ϓϧϦΫΤετΛग़ͤΠϯϑϥʹมߋΛՃ͑ΒΕΔ Α͏ʹͳͬͨ • ࢥʹҰา͍ۙͨ എܠ
• ࣭ͷ୲อͷͨΊɺϨϏϡʔ΄ͱΜͲ SRE ͕୲ • ϨϏϡʔ͕ແࢹͰ͖ͳ͍ίετʹ ݟ͖͑ͯͨ৽ͨͳ՝
• ຊདྷͷϚΠΫϩαʔϏεͷֶͱͯ͠ɺ֤νʔϜ͕ ΠϯϑϥͷมߋؚΊͯ։ൃΛεϐʔσΟʹճ͍ͯ͠ ͚Δ͖ • ϨϏϡʔؚΊͯҕৡ͍͖͍ͯͨ͠ ຊདྷͷࢥʹཱͪฦΔͱʜ
• ͦΕͳΓʹෳࡶͳઃఆ͕ඞཁʹͳΔέʔε • Ճ͑ͯɺTerraform/AWS ͷࣝݸਓ/νʔϜʹΑͬ ͯҟͳΔ ҕৡ؆୯Ͱͳ͍
• FiNC ͰαʔϏεؒͷඇಉظ௨৴ʹ Amazon SNS/ SQS Λ༻ • ෳࡶͳઃఆ͕ඞཁ "NB[PO4/4424ͷྫ
• αʔϏεA ʹ SNS topic Λ࡞ • αʔϏεA ͷ IAM
policy ʹ SNS topic ͷݖݶΛՃ • αʔϏεB ʹ SQS queue Λ࡞ • αʔϏεB ͷ IAM policy ʹ SQS queue ͷݖݶΛՃ • SQS queue ͷ policy ʹ SNS topic ͷݖݶΛՃ • SNS topic ͱ SQS queue Λඥ͚ͮΔ resource ΛՃ 4/4424ͷઃఆ߲ଟ͍
• ίετूܭ Datadog ͰͷॲཧͷͨΊʹ tag Λٛ Խ͍ͯ͠Δ • λά͚ͳͲͷϕετϓϥΫςΟεશһ͕Ѳͯ͠ ͍ΔΘ͚Ͱͳ͍
5BHͷྫ
• શαʔϏεͰͷ࣭ͷ୲อ͕ࠔʹ • HCL ͷߏจ্ແ͍͜ͱ͕ଟ͍ͷͰɺTerraform ͰݕͰ͖ͳ͍ • ͋͘·Ͱҙຯ্ͷ • e.g.
tag ͕ແͯ͘વ apply Մೳ ϨϏϡʔΛҕৡ͢Δͱʜ
• ֤αʔϏεͷࣗԽͱશମͷ࣭ͷτϨʔυΦϑʹ • ϨϏϡʔҕৡ͍ͨ͠ʢࣗԽ͍ͨ͠ʣ͕ɺ ࣭୲อ͍ͨ͠ • ͳΜΒ͔ͷΈΛ༻͍ͯࣗಈԽ͢Δඞཁ͋Γ ࣭ͱࣗԽͷτϨʔυΦϑʁ
• CircleCI Ͱ terraform plan Λ͢Δࡍʹɺઃఆʹ͕ ແ͍͔ΛࣗಈͰνΣοΫ͢Δ • Open Policy
Agent(OPA) Λར༻ͯ͜͠ΕΛୡ ղܾࡦ
• OSS ͷϙϦγʔΤϯδϯ • CNCF ͷ Graduation project • Rego
ͱݺΕΔϙϦγʔهड़ݴޠΛͬͯϙϦγʔ Λఆٛ 01"ͱʁ
01"ͷΠϝʔδ :".-+40/ ͳͲͷ σʔλ 3FHP 1PMJDZ ೖྗ ఆ
• ηϚϯςΟΫεతͳͷݕΛࣗಈԽՄೳ • ஞҰʮtag ͍ͭͯͳ͍Αʂʯͱ͔ࢦఠ͕ෆཁ • Policy as Code ͕࣮ݱՄೳ
• ϙϦγʔΛ໌จԽ 㱻 ଐਓԽ • ϙϦγʔίʔυͱͯ͠։ൃՄೳ 01"Λ͏ͱԿ͕خ͍͠ͷ͔
• CircleCI ্Ͱ Conftest ͱ͍͏ OPA ͷπʔϧΛ࣮ߦ • Conftest ͱʁ
• ୯ͳΔ OPA ͷϢʔβʔΠϯλʔϑΣʔε • ࣮ࡍͷ࡞ۀ΄΅ OPA ͕࣮ߦ ࣮ࡍͲ͏͍ͬͯΔͷ͔
• plan ݁ՌΛ JSONʹͯ͠ೖྗ͢Δ • terraform plan -out plan.tfplan •
terraform show -json plan.tfplan | conftest test - 5FSSBGPSNͰͷ$POGUFTU
5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷใ มߋલมߋޙͷঢ়ଶ
ϙϦγʔͷྫʢUBHʣ ඞਢʹ͍ͨ͠UBH SFTPVSDF@DIBOHFTΛϧʔϓ ҰͭͰຬ͍ͨͯ͠ͳ͍ͷ͕ ͋ΕWJPMBUJPO
• action ͱϦιʔεͷछྨ͔ΒมߋͷӨڹൣғΛܭࢉ • ͦΕʹΑͬͯϨϏϡϫʔΛมߋ ଞʹ͜Μͳ͜ͱʜ
• Policy as Code: ϙϦγʔΛίʔυͱͯ͠ѻ͏ • Rego ͷจ๏ʹΫη͕͋ΔͨΊɺςετ͕ॏཁ • OPA
ͰϙϦγʔͷςετ༻ϑϨʔϜϫʔΫ͕ଘࡏ ͠ɺ؆୯ʹςετ͕Մೳ ϙϦγʔςετՄೳ
• ϚΠΫϩαʔϏεʹ͓͍ͯαʔϏεͷࣗੑͱશମ ͷ࣭ͷ୲อ͕τϨʔυΦϑʹͳΓ͍͢ • ҆શͰߴͳ։ൃͷͨΊʹɺPolicy as Code ʹΑΔ ηϚϯςΟΫεݕূͷࣗಈԽ͕༗ޮ •
Conftest Λ͏͜ͱͰ͜ΕΛ࣮ݱՄೳ ·ͱΊ
• Sentinel Ͱ Terraform ͷ Policy as Code ͕Մೳ •
FiNC Ͱ Kubernetes ͷ manifest ͷνΣοΫʹ Conftest Λ༻͍͍ͯΔͨΊ Conftest Λ࠾༻ ͪͳΈʹʜ