/*
Copyright 2023 Chainguard, Inc.
SPDX-License-Identifier: Apache-2.0
*/
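terraform {
  # Providers this module uses directly. No `version` constraints are declared
  # here, so the versions actually used come from the caller's dependency lock
  # file; pin them there if reproducible provider resolution is required.
  required_providers {
    apko   = { source = "chainguard-dev/apko" }
    cosign = { source = "chainguard-dev/cosign" }
    # Declared explicitly: null_resource.check-sbom-spdx below uses this
    # provider and would otherwise only be resolved implicitly.
    null = { source = "hashicorp/null" }
  }
}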
# Resolve the caller-supplied apko configuration (plus extra packages and
# default annotations) into the `config` and per-architecture `configs`
# that the build and the attestations below consume.
data "apko_config" "this" {
  default_annotations = var.default_annotations
  extra_packages      = var.extra_packages
  config_contents     = var.config
}
# Build and push the image described by the resolved configuration into the
# target repository. Both the combined config and the per-architecture
# configs are passed so the provider can build and index every architecture.
resource "apko_build" "this" {
  configs = data.apko_config.this.configs
  config  = data.apko_config.this.config
  repo    = var.target_repository
}
# Sign the built image reference with cosign.
#
# NOTE: The Diff API vulnerability scan generator depends on signature push
# events happening on a daily basis for every rebuilt image, which is why the
# signature is replaced rather than appended to.
resource "cosign_sign" "signature" {
  # Replace any existing signature so only the latest one is kept; the
  # resulting push event is what we use to ensure we regularly rebuild.
  conflict = "REPLACE"
  image    = apko_build.this.image_ref
}
locals {
  # Keys for the per-target checks and attestations: the multi-arch "index"
  # plus every architecture listed in the resolved apko config.
  archs = toset(concat(["index"], data.apko_config.this.config.archs))
}
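# Optionally validate each generated SPDX SBOM with an external checker before
# it is attested. Gated on var.check_sbom; iterates local.archs so every
# per-target SBOM (index plus each architecture) is covered.
resource "null_resource" "check-sbom-spdx" {
  for_each = var.check_sbom ? local.archs : []

  triggers = {
    # Re-run whenever the SBOM content changes ...
    digest = apko_build.this.sboms[each.key].digest
    # ... and whenever the checker image reference changes; without this a
    # new checker would never re-validate SBOMs that were checked earlier.
    spdx_image = var.spdx_image
  }

  provisioner "local-exec" {
    # Run the supplied SPDX checker over the SBOM file, bind-mounted into the
    # checker container read-only so the checker cannot alter what gets
    # attested afterwards. We run as root to avoid permission issues reading
    # the SBOM as the default nonroot user.
    #
    # Interpolated values are quoted so a path or image reference containing
    # shell-significant characters cannot split or alter the command.
    # NOTE(review): var.spdx_image is used as supplied; referencing the checker
    # by digest rather than a mutable tag keeps this check reproducible.
    command = <<-EOF
      docker run --rm --user 0 \
        -v "${apko_build.this.sboms[each.key].predicate_path}:/sbom.json:ro" \
        "${var.spdx_image}" \
        Verify /sbom.json
    EOF
  }
}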
# Attach attestations to each per-target SBOM digest (index plus each
# architecture): the SBOM itself, the locked apko configuration that produced
# the build, and SLSA provenance. Skipped entirely when var.skip_attest is set.
resource "cosign_attest" "this" {
  for_each = var.skip_attest ? [] : local.archs

  # Ensure the SBOM check (when enabled) has run before anything is attested.
  depends_on = [null_resource.check-sbom-spdx]

  image = apko_build.this.sboms[each.key].digest

  # Do not re-attest things that have not changed.
  conflict = "SKIPSAME"

  # Create SBOM attestations for each architecture.
  # The predicate is taken from the file the build produced, and its sha256 is
  # passed alongside the path so the provider can verify the file it reads.
  predicates {
    type = apko_build.this.sboms[each.key].predicate_type
    file {
      path   = apko_build.this.sboms[each.key].predicate_path
      sha256 = apko_build.this.sboms[each.key].predicate_sha256
    }
  }

  # Create attestations for each architecture holding the "locked"
  # configuration used to perform the build.
  predicates {
    type = "https://apko.dev/image-configuration"
    json = jsonencode(data.apko_config.this.configs[each.key].config)
  }

  # Create attestations for each architecture holding the SLSA
  # provenance of the build.
  predicates {
    type = "https://slsa.dev/provenance/v1"
    json = jsonencode({
      buildDefinition = {
        buildType = "https://apko.dev/slsa-build-type@v1"
        # TODO(mattmoor): consider putting variables into `externalParameters`?
        # TODO(mattmoor): how do we fit into the shape of `resolvedDependencies`?
        # Use internal parameters to document the package resolution.
        # Each entry is split into package name => version on the first "=".
        # NOTE(review): this assumes every entry in the resolved config's
        # `contents.packages` is of the form `name=version`; an unpinned
        # entry would make index [1] out of range — confirm apko_config
        # always emits pinned entries.
        internalParameters = {
          for k in data.apko_config.this.configs[each.key].config.contents.packages : split("=", k)[0] => split("=", k)[1]
        }
        # TODO(mattmoor): Use an extension to encode the fully resolved apko configuration.
      }
      runDetails = {
        builder = {
          id = "https://github.com/chainguard-dev/terraform-provider-apko"
          # Left empty for now: the builder version is not currently recorded
          # in the provenance.
          version = {
            # TODO(mattmoor): How do we get the version of tf-apko?
          }
        }
        metadata = {
          # Ties the provenance back to the specific apko_build resource run.
          invocationId = apko_build.this.id
        }
      }
    })
  }
}