$30 off During Our Annual Pro Sale. View Details »

TerraformのレビューをConftestで自動化する

Ryo Kubota
February 10, 2021
Programming
3
1.2k

 TerraformのレビューをConftestで自動化する

Ryo Kubota

February 10, 2021
Tweet

More Decks by Ryo Kubota

See All by Ryo Kubota
Terraform x OPA/Conftest の tips
ryokbt
0
790
Handling TV Ad Traffic Influx with Microservices
ryokbt
0
1.4k

Other Decks in Programming

See All in Programming
コードを読みやすくしよう!〜秒で身に付くよい命名〜 (LT) - NIFTY Tech Day 2023
niftycorp
1
120
JJUG 2023 fall トラブルシューティング・ヒープダンプ・スレッドダンプ解析チューニング
toricky6
1
180
バイナリビューアを使ってクラスファイルを読んでみよう! #jjug_ccc
yujisoftware
1
280
Spring + Localstack : usando aws de forma gratuita
kamilahsantos
2
110
Using AI in Software Design: How ChatGPT Can Help With Creating a Solution Architecture
rdmueller
0
160
Scala Left Fold Parallelisation - Three Approaches
philipschwarz
PRO
0
270
ニジエチューニング2023-12
nijieinfra
0
160
Expert Tech Talk!〜ニフティスペシャリスト対談〜 - NIFTY Tech Day 2023
niftycorp
0
120
TypeScript_コンパイラの内側に片足を入れる
ryounasso
0
210
if 式と switch 式による SwiftUI のプレビューエラー対策
ojun9
1
120
ブランチ運用とデプロイフローを見直してリリースを楽にする
syukai
3
410
フロントエンドエンジニアも知っておきたい HTTP/3 で変わること
yahiru
17
9.7k

Featured

See All Featured
Build your cross-platform service in a week with App Engine
jlugia
223
17k
Large-scale JavaScript Application Architecture
addyosmani
501
110k
The Power of CSS Pseudo Elements
geoffreycrofte
56
4.7k
Art, The Web, and Tiny UX
lynnandtonic
286
19k
The Pragmatic Product Professional
lauravandoore
23
5.4k
Making the Leap to Tech Lead
cromwellryan
120
8.2k
Fireside Chat
paigeccino
18
2.3k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
33
8.6k
Become a Pro
speakerdeck
PRO
8
3.6k
What's in a price? How to price your products and services
michaelherold
236
10k
Designing for Performance
lara
601
66k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k

Transcript

  1. 5FSSBGPSNͷϨϏϡʔΛ
    $POGUFTUͰࣗಈԽ͢Δ
    Terraform meetup ONLINE #2021.02
    Ryo Kubota @ryok6t

    View Slide

  2. • Ryo Kubota (@ryok6t)
    • FiNC Technologies
    • SRE Team manager
    • Terraformྺ͸1೥൒΄Ͳ
    ࣗݾ঺հ

    View Slide

  3. • ໿50ͷϚΠΫϩαʔϏε͕ AWS ্ʹଘࡏ
    • ϚΠΫϩαʔϏεͷΠϯϑϥΛ Terraform Ͱ؅ཧ
    • αʔϏεͱ؀ڥ͝ͱʹಠཱͨ͠ state Λอ༗
    લఏ
    4UBHJOH
    UGTUBUF
    1SPEVDUJPO
    UGTUBUF
    αʔϏε"
    4UBHJOH
    UGTUBUF
    1SPEVDUJPO
    UGTUBUF
    αʔϏε#
    ʜ

    View Slide

  4. • ϚΠΫϩαʔϏεͷΠϯϑϥΛ։ൃऀʹҕৡ͢Δͱ͍
    ͏ࢥ૝͔Β Terraform Λಋೖ
    • ໿2000ݸͷطʹ࡞ΒΕͯ͠·͍ͬͯͨϦιʔεΛ

    શͯ import ͠ɺαʔϏεͱ؀ڥ͝ͱʹ෼ׂ
    ೥൒લ͸*B$ͳͲແ͔ͬͨ

    View Slide

  5. • Terraform Λಋೖ͠ɺ։ൃऀ͸ HCL Λॻ͍ͯ

    ϓϧϦΫΤετΛग़ͤ͹ΠϯϑϥʹมߋΛՃ͑ΒΕΔ
    Α͏ʹͳͬͨ
    • ࢥ૝ʹҰาۙ෇͍ͨ
    എܠ

    View Slide

  6. • ࣭ͷ୲อͷͨΊɺϨϏϡʔ͸΄ͱΜͲ SRE ͕୲౰
    • ϨϏϡʔ͕ແࢹͰ͖ͳ͍ίετʹ
    ݟ͖͑ͯͨ৽ͨͳ՝୊

    View Slide

  7. • ຊདྷͷϚΠΫϩαʔϏεͷ఩ֶͱͯ͠͸ɺ֤νʔϜ͕
    Πϯϑϥͷมߋ΋ؚΊͯ։ൃΛεϐʔσΟʹճ͍ͯ͠
    ͚Δ΂͖
    • ϨϏϡʔ΋ؚΊͯҕৡ͍͖͍ͯͨ͠
    ຊདྷͷࢥ૝ʹཱͪฦΔͱʜ

    View Slide

  8. • ͦΕͳΓʹෳࡶͳઃఆ͕ඞཁʹͳΔέʔε΋
    • Ճ͑ͯɺTerraform/AWS ͷ஌ࣝ͸ݸਓ/νʔϜʹΑͬ
    ͯҟͳΔ
    ҕৡ͸؆୯Ͱ͸ͳ͍

    View Slide

  9. • FiNC Ͱ͸αʔϏεؒͷඇಉظ௨৴ʹ Amazon SNS/
    SQS Λ࢖༻
    • ΍΍ෳࡶͳઃఆ͕ඞཁ
    "NB[PO4/4424ͷྫ

    View Slide

  10. • αʔϏεA ʹ SNS topic Λ࡞੒
    • αʔϏεA ͷ IAM policy ʹ SNS topic ͷݖݶΛ௥Ճ
    • αʔϏεB ʹ SQS queue Λ࡞੒
    • αʔϏεB ͷ IAM policy ʹ SQS queue ͷݖݶΛ௥Ճ
    • SQS queue ͷ policy ʹ SNS topic ͷݖݶΛ௥Ճ
    • SNS topic ͱ SQS queue Λඥ͚ͮΔ resource Λ௥Ճ
    4/4424ͷઃఆ߲໨͸ଟ͍

    View Slide

  11. • ίετूܭ΍ Datadog ͰͷॲཧͷͨΊʹ tag Λٛ຿
    Խ͍ͯ͠Δ
    • λά෇͚ͳͲͷϕετϓϥΫςΟε΋શһ͕೺Ѳͯ͠
    ͍ΔΘ͚Ͱ͸ͳ͍
    5BHͷྫ

    View Slide

  12. • શαʔϏεͰͷ࣭ͷ୲อ͕ࠔ೉ʹ
    • HCL ͷߏจ্͸໰୊ແ͍͜ͱ͕ଟ͍ͷͰɺTerraform
    Ͱ͸ݕ஌Ͱ͖ͳ͍
    • ͋͘·Ͱҙຯ্ͷ໰୊
    • e.g. tag ͕ແͯ͘΋౰વ apply ͸Մೳ
    ϨϏϡʔΛҕৡ͢Δͱʜ

    View Slide

  13. • ֤αʔϏεͷࣗ཯Խͱશମͷ࣭ͷτϨʔυΦϑʹ
    • ϨϏϡʔ͸ҕৡ͍ͨ͠ʢࣗ཯Խ͍ͨ͠ʣ͕ɺ

    ࣭΋୲อ͍ͨ͠
    • ͳΜΒ͔ͷ࢓૊ΈΛ༻͍ͯࣗಈԽ͢Δඞཁ͋Γ
    ࣭ͱࣗ཯ԽͷτϨʔυΦϑʁ

    View Slide

  14. • CircleCI Ͱ terraform plan Λ͢Δࡍʹɺઃఆʹ໰୊͕
    ແ͍͔ΛࣗಈͰνΣοΫ͢Δ
    • Open Policy Agent(OPA) Λར༻ͯ͜͠ΕΛୡ੒
    ղܾࡦ

    View Slide

  15. • OSS ͷϙϦγʔΤϯδϯ
    • CNCF ͷ Graduation project
    • Rego ͱݺ͹ΕΔϙϦγʔهड़ݴޠΛ࢖ͬͯϙϦγʔ
    Λఆٛ
    01"ͱ͸ʁ

    View Slide

  16. 01"ͷΠϝʔδ
    :".-+40/
    ͳͲͷ
    σʔλ
    3FHP
    1PMJDZ
    ೖྗ
    ൑ఆ

    View Slide

  17. • ηϚϯςΟΫεతͳ໰୊ͷݕ஌ΛࣗಈԽՄೳ
    • ஞҰʮtag ͍ͭͯͳ͍Αʂʯͱ͔ࢦఠ͕ෆཁ
    • Policy as Code ͕࣮ݱՄೳ
    • ϙϦγʔΛ໌จԽ 㱻 ଐਓԽ
    • ϙϦγʔ΋ίʔυͱͯ͠։ൃՄೳ
    01"Λ࢖͏ͱԿ͕خ͍͠ͷ͔

    View Slide

  18. • CircleCI ্Ͱ Conftest ͱ͍͏ OPA ͷπʔϧΛ࣮ߦ
    • Conftest ͱ͸ʁ
    • ୯ͳΔ OPA ͷϢʔβʔΠϯλʔϑΣʔε
    • ࣮ࡍͷ࡞ۀ͸΄΅ OPA ͕࣮ߦ
    ࣮ࡍͲ͏࢖͍ͬͯΔͷ͔

    View Slide

  19. • plan ݁ՌΛ JSONʹͯ͠ೖྗ͢Δ
    • terraform plan -out plan.tfplan
    • terraform show -json plan.tfplan | conftest test -
    5FSSBGPSNͰͷ$POGUFTU

    View Slide

  20. 5FSSBGPSNQMBOͷ+40/
    ϦιʔεͱͦΕʹର͢ΔมߋҰཡ
    Ճ͑Δૢ࡞ʢDSFBUF VQEBUFͳͲʣ
    Ϧιʔεͷ৘ใ
    มߋલมߋޙͷঢ়ଶ

    View Slide

  21. ϙϦγʔͷྫʢUBHʣ
    ඞਢʹ͍ͨ͠UBH
    SFTPVSDF@DIBOHFTΛϧʔϓ
    ҰͭͰ΋ຬ͍ͨͯ͠ͳ͍΋ͷ͕
    ͋Ε͹WJPMBUJPO

    View Slide

  22. • action ͱϦιʔεͷछྨ͔ΒมߋͷӨڹൣғΛܭࢉ
    • ͦΕʹΑͬͯϨϏϡϫʔΛมߋ
    ଞʹ΋͜Μͳ͜ͱ΋ʜ

    View Slide

  23. • Policy as Code: ϙϦγʔΛίʔυͱͯ͠ѻ͏
    • Rego ͷจ๏ʹ͸Ϋη͕͋ΔͨΊɺςετ͕ॏཁ
    • OPA Ͱ͸ϙϦγʔͷςετ༻ϑϨʔϜϫʔΫ͕ଘࡏ
    ͠ɺ؆୯ʹςετ͕Մೳ
    ϙϦγʔ͸ςετՄೳ

    View Slide

  24. • ϚΠΫϩαʔϏεʹ͓͍ͯ͸αʔϏεͷࣗ཯ੑͱશମ
    ͷ࣭ͷ୲อ͕τϨʔυΦϑʹͳΓ΍͍͢
    • ҆શͰߴ଎ͳ։ൃͷͨΊʹ͸ɺPolicy as Code ʹΑΔ
    ηϚϯςΟΫεݕূͷࣗಈԽ͕༗ޮ
    • Conftest Λ࢖͏͜ͱͰ͜ΕΛ࣮ݱՄೳ
    ·ͱΊ

    View Slide

  25. • Sentinel Ͱ΋ Terraform ͷ Policy as Code ͕Մೳ
    • FiNC Ͱ͸ Kubernetes ͷ manifest ͷνΣοΫʹ΋
    Conftest Λ༻͍͍ͯΔͨΊ Conftest Λ࠾༻
    ͪͳΈʹʜ

    View Slide