Upgrade to Pro — share decks privately, control downloads, hide ads and more …

TerraformのレビューをConftestで自動化する

Avatar for Ryo Kubota Ryo Kubota
February 10, 2021
Programming
3
1.7k

 TerraformのレビューをConftestで自動化する

Avatar for Ryo Kubota

Ryo Kubota

February 10, 2021
Tweet

More Decks by Ryo Kubota

See All by Ryo Kubota
Terraform x OPA/Conftest の tips
Avatar for Ryo Kubota ryokbt
0
1.1k
Handling TV Ad Traffic Influx with Microservices
Avatar for Ryo Kubota ryokbt
0
1.6k

Other Decks in Programming

See All in Programming
LM Linkで(非力な!)ノートPCでローカルLLM
Avatar for 瀬尾佳隆 seosoft
0
270
AI Assistants for Your Angular Solutions
Avatar for Manfred Steyer manfredsteyer
PRO
0
160
OTP を自動で入力する裏技
Avatar for Megabits_mzq megabitsenmzq
0
130
野球解説AI Agentを開発してみた - 2026/02/27 LayerX社内LT会資料
Avatar for Shinichi Nakagawa shinyorke
PRO
0
370
条件判定に名前、つけてますか? #phperkaigi #c
Avatar for Hiromi Hishida 77web
2
860
Ruby and LLM Ecosystem 2nd
Avatar for Koichi ITO koic
1
1.4k
Reactive ❤️ Loom: A Forbidden Love Story
Avatar for Francesco Nigro franz1981
2
190
Understanding Apache Lucene - More than just full-text search
Avatar for Alexander Reelsen spinscale
0
140
存在論的プログラミング: 時間と存在を記述する
Avatar for Akihito Koriyama koriym
5
570
Symfony + NelmioApiDocBundle を使った スキーマ駆動開発 / Schema Driven Development with NelmioApiDocBundle
Avatar for Shohei Okada okashoi
0
250
「効かない!」依存性注入(DI)を活用したAPI Platformのエラーハンドリング奮闘記
Avatar for Maki Hayashi mkmk884
0
270
The Past, Present, and Future of Enterprise Java
Avatar for ivargrimstad ivargrimstad
0
1.1k

Featured

See All Featured
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
61
9.8k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
659
61k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
120k
Introduction to Domain-Driven Design and Collaborative software design
Avatar for Kenny Baas-Schwegler baasie
1
690
How to build an LLM SEO readiness audit: a practical framework
Avatar for Nick Samuel nmsamuel
1
700
Exploring anti-patterns in Rails
Avatar for Elle Meredith aemeredith
2
300
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
75
5.1k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
9
1.2k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
Avatar for Aleyda Solis aleyda
1
1.9k
Evolving SEO for Evolving Search Engines
Avatar for Ryan Jones ryanjones
0
170
SEO Brein meetup: CTRL+C is not how to scale international SEO
Avatar for Linda Hogenes lindahogenes
1
2.5k
Designing for humans not robots
Avatar for Tammie Lister tammielis
254
26k

Transcript

  1. 5FSSBGPSNͷϨϏϡʔΛ $POGUFTUͰࣗಈԽ͢Δ Terraform meetup ONLINE #2021.02 Ryo Kubota @ryok6t

  2. • Ryo Kubota (@ryok6t) • FiNC Technologies • SRE Team

    manager • Terraformྺ͸1೥൒΄Ͳ ࣗݾ঺հ

  3. • ໿50ͷϚΠΫϩαʔϏε͕ AWS ্ʹଘࡏ • ϚΠΫϩαʔϏεͷΠϯϑϥΛ Terraform Ͱ؅ཧ • αʔϏεͱ؀ڥ͝ͱʹಠཱͨ͠

    state Λอ༗ લఏ 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε" 4UBHJOH UGTUBUF 1SPEVDUJPO UGTUBUF αʔϏε# ʜ

  4. • ϚΠΫϩαʔϏεͷΠϯϑϥΛ։ൃऀʹҕৡ͢Δͱ͍ ͏ࢥ૝͔Β Terraform Λಋೖ • ໿2000ݸͷطʹ࡞ΒΕͯ͠·͍ͬͯͨϦιʔεΛ
 શͯ import ͠ɺαʔϏεͱ؀ڥ͝ͱʹ෼ׂ

    ೥൒લ͸*B$ͳͲແ͔ͬͨ

  5. • Terraform Λಋೖ͠ɺ։ൃऀ͸ HCL Λॻ͍ͯ
 ϓϧϦΫΤετΛग़ͤ͹ΠϯϑϥʹมߋΛՃ͑ΒΕΔ Α͏ʹͳͬͨ • ࢥ૝ʹҰาۙ෇͍ͨ എܠ

  6. • ࣭ͷ୲อͷͨΊɺϨϏϡʔ͸΄ͱΜͲ SRE ͕୲౰ • ϨϏϡʔ͕ແࢹͰ͖ͳ͍ίετʹ ݟ͖͑ͯͨ৽ͨͳ՝୊

  7. • ຊདྷͷϚΠΫϩαʔϏεͷ఩ֶͱͯ͠͸ɺ֤νʔϜ͕ Πϯϑϥͷมߋ΋ؚΊͯ։ൃΛεϐʔσΟʹճ͍ͯ͠ ͚Δ΂͖ • ϨϏϡʔ΋ؚΊͯҕৡ͍͖͍ͯͨ͠ ຊདྷͷࢥ૝ʹཱͪฦΔͱʜ

  8. • ͦΕͳΓʹෳࡶͳઃఆ͕ඞཁʹͳΔέʔε΋ • Ճ͑ͯɺTerraform/AWS ͷ஌ࣝ͸ݸਓ/νʔϜʹΑͬ ͯҟͳΔ ҕৡ͸؆୯Ͱ͸ͳ͍

  9. • FiNC Ͱ͸αʔϏεؒͷඇಉظ௨৴ʹ Amazon SNS/ SQS Λ࢖༻ • ΍΍ෳࡶͳઃఆ͕ඞཁ "NB[PO4/4424ͷྫ

  10. • αʔϏεA ʹ SNS topic Λ࡞੒ • αʔϏεA ͷ IAM

    policy ʹ SNS topic ͷݖݶΛ௥Ճ • αʔϏεB ʹ SQS queue Λ࡞੒ • αʔϏεB ͷ IAM policy ʹ SQS queue ͷݖݶΛ௥Ճ • SQS queue ͷ policy ʹ SNS topic ͷݖݶΛ௥Ճ • SNS topic ͱ SQS queue Λඥ͚ͮΔ resource Λ௥Ճ 4/4424ͷઃఆ߲໨͸ଟ͍

  11. • ίετूܭ΍ Datadog ͰͷॲཧͷͨΊʹ tag Λٛ຿ Խ͍ͯ͠Δ • λά෇͚ͳͲͷϕετϓϥΫςΟε΋શһ͕೺Ѳͯ͠ ͍ΔΘ͚Ͱ͸ͳ͍

    5BHͷྫ

  12. • શαʔϏεͰͷ࣭ͷ୲อ͕ࠔ೉ʹ • HCL ͷߏจ্͸໰୊ແ͍͜ͱ͕ଟ͍ͷͰɺTerraform Ͱ͸ݕ஌Ͱ͖ͳ͍ • ͋͘·Ͱҙຯ্ͷ໰୊ • e.g.

    tag ͕ແͯ͘΋౰વ apply ͸Մೳ ϨϏϡʔΛҕৡ͢Δͱʜ

  13. • ֤αʔϏεͷࣗ཯Խͱશମͷ࣭ͷτϨʔυΦϑʹ • ϨϏϡʔ͸ҕৡ͍ͨ͠ʢࣗ཯Խ͍ͨ͠ʣ͕ɺ
 ࣭΋୲อ͍ͨ͠ • ͳΜΒ͔ͷ࢓૊ΈΛ༻͍ͯࣗಈԽ͢Δඞཁ͋Γ ࣭ͱࣗ཯ԽͷτϨʔυΦϑʁ

  14. • CircleCI Ͱ terraform plan Λ͢Δࡍʹɺઃఆʹ໰୊͕ ແ͍͔ΛࣗಈͰνΣοΫ͢Δ • Open Policy

    Agent(OPA) Λར༻ͯ͜͠ΕΛୡ੒ ղܾࡦ

  15. • OSS ͷϙϦγʔΤϯδϯ • CNCF ͷ Graduation project • Rego

    ͱݺ͹ΕΔϙϦγʔهड़ݴޠΛ࢖ͬͯϙϦγʔ Λఆٛ 01"ͱ͸ʁ

  16. 01"ͷΠϝʔδ :".-+40/ ͳͲͷ σʔλ 3FHP 1PMJDZ ೖྗ ൑ఆ

  17. • ηϚϯςΟΫεతͳ໰୊ͷݕ஌ΛࣗಈԽՄೳ • ஞҰʮtag ͍ͭͯͳ͍Αʂʯͱ͔ࢦఠ͕ෆཁ • Policy as Code ͕࣮ݱՄೳ

    • ϙϦγʔΛ໌จԽ 㱻 ଐਓԽ • ϙϦγʔ΋ίʔυͱͯ͠։ൃՄೳ 01"Λ࢖͏ͱԿ͕خ͍͠ͷ͔

  18. • CircleCI ্Ͱ Conftest ͱ͍͏ OPA ͷπʔϧΛ࣮ߦ • Conftest ͱ͸ʁ

    • ୯ͳΔ OPA ͷϢʔβʔΠϯλʔϑΣʔε • ࣮ࡍͷ࡞ۀ͸΄΅ OPA ͕࣮ߦ ࣮ࡍͲ͏࢖͍ͬͯΔͷ͔

  19. • plan ݁ՌΛ JSONʹͯ͠ೖྗ͢Δ • terraform plan -out plan.tfplan •

    terraform show -json plan.tfplan | conftest test - 5FSSBGPSNͰͷ$POGUFTU

  20. 5FSSBGPSNQMBOͷ+40/ ϦιʔεͱͦΕʹର͢ΔมߋҰཡ Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ Ϧιʔεͷ৘ใ มߋલมߋޙͷঢ়ଶ

  21. ϙϦγʔͷྫʢUBHʣ ඞਢʹ͍ͨ͠UBH SFTPVSDF@DIBOHFTΛϧʔϓ ҰͭͰ΋ຬ͍ͨͯ͠ͳ͍΋ͷ͕ ͋Ε͹WJPMBUJPO

  22. • action ͱϦιʔεͷछྨ͔ΒมߋͷӨڹൣғΛܭࢉ • ͦΕʹΑͬͯϨϏϡϫʔΛมߋ ଞʹ΋͜Μͳ͜ͱ΋ʜ

  23. • Policy as Code: ϙϦγʔΛίʔυͱͯ͠ѻ͏ • Rego ͷจ๏ʹ͸Ϋη͕͋ΔͨΊɺςετ͕ॏཁ • OPA

    Ͱ͸ϙϦγʔͷςετ༻ϑϨʔϜϫʔΫ͕ଘࡏ ͠ɺ؆୯ʹςετ͕Մೳ ϙϦγʔ͸ςετՄೳ

  24. • ϚΠΫϩαʔϏεʹ͓͍ͯ͸αʔϏεͷࣗ཯ੑͱશମ ͷ࣭ͷ୲อ͕τϨʔυΦϑʹͳΓ΍͍͢ • ҆શͰߴ଎ͳ։ൃͷͨΊʹ͸ɺPolicy as Code ʹΑΔ ηϚϯςΟΫεݕূͷࣗಈԽ͕༗ޮ •

    Conftest Λ࢖͏͜ͱͰ͜ΕΛ࣮ݱՄೳ ·ͱΊ

  25. • Sentinel Ͱ΋ Terraform ͷ Policy as Code ͕Մೳ •

    FiNC Ͱ͸ Kubernetes ͷ manifest ͷνΣοΫʹ΋ Conftest Λ༻͍͍ͯΔͨΊ Conftest Λ࠾༻ ͪͳΈʹʜ