This repository contains a Terraform module that builds an image with apko and signs its supply chain metadata with ambient credentials (e.g. GitHub Actions workload identity), so no long-lived signing key has to be provisioned or stored.
Currently the following supply chain metadata is produced:
- The images are signed by the workload.
- The SPDX SBOMs are attested by the workload.
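The following is an added usage example, not code from this repository: it wires the module's documented inputs (`config`, `target_repository`, `check_sbom`, `skip_attest`, `default_annotations`) into a root configuration and exposes the `image_ref` output. The module `source` path, the target repository name, the annotation value and the inline apko configuration are placeholders for illustration; the Wolfi repository and keyring URLs are the public Wolfi ones.

```hcl
terraform {
  required_providers {
    # Provider sources assumed from the providers table below; pin versions in real use.
    apko   = { source = "chainguard-dev/apko" }
    cosign = { source = "chainguard-dev/cosign" }
  }
}

module "image" {
  # Assumed: this module checked out locally in the current directory.
  source = "./"

  # Placeholder registry; must be writable by the ambient (OIDC) identity.
  target_repository = "ghcr.io/example-org/demo"

  # Inline apko configuration (a constructed minimal example). In a real
  # repo this is usually file("${path.module}/apko.yaml").
  config = <<-EOT
    contents:
      repositories:
        - https://packages.wolfi.dev/os
      keyring:
        - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
      packages:
        - wolfi-base
    entrypoint:
      command: /bin/sh -l
    archs:
      - x86_64
      - aarch64
  EOT

  # Optional inputs, shown at their defaults so the security-relevant
  # choices are explicit in review: keep SBOM validation on and never
  # skip attestation unless Rekor size limits force it.
  check_sbom  = true
  skip_attest = false

  default_annotations = {
    # Placeholder source annotation; value is assumed.
    "org.opencontainers.image.source" = "https://github.com/example-org/demo"
  }
}

# The published, multi-arch image reference (tag and digest) for consumers.
output "image_ref" {
  value = module.image.image_ref
}
```

After `terraform apply` in a GitHub Actions job with `id-token: write`, the signature and attestation can be checked against the workload identity rather than a key, for example with `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/example-org/demo/' <image_ref>` and, assuming the SBOM is attested with the `spdxjson` predicate type, `cosign verify-attestation --type spdxjson` with the same identity flags. Pinning `--certificate-identity` to the exact workflow path is stronger than a regexp where the workflow name is stable.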
No requirements.
Providers:

| Name | Version |
|---|---|
| apko | n/a |
| cosign | n/a |
| null | n/a |
No modules.
Resources:

| Name | Type |
|---|---|
| apko_build.this | resource |
| cosign_attest.this | resource |
| cosign_sign.signature | resource |
| null_resource.check-sbom-spdx | resource |
| apko_config.this | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| check_sbom | Whether to run the NTIA conformance checker on the SBOMs we are attesting. | `bool` | `true` | no |
| config | The apko configuration file contents to build and publish. | `string` | n/a | yes |
| default_annotations | Default annotations to apply to this image. | `map(string)` | `{}` | no |
| extra_packages | Additional packages to install into this image. | `list(string)` | `[]` | no |
| skip_attest | If true, skip the attestation step. This is NOT RECOMMENDED, and should only be used when attestations may be too big for Rekor. | `bool` | `false` | no |
| spdx_image | The SPDX checker image to use to validate SBOMs. | `string` | `"cgr.dev/chainguard/spdx-tools:latest"` | no |
| target_repository | The docker repo into which the image and attestations should be published. | `string` | n/a | yes |
Outputs:

| Name | Description |
|---|---|
| arch_to_image | n/a |
| archs | n/a |
| config | n/a |
| image_ref | n/a |