This repository contains a terraform module to facilitate building an image with apko and signing the supply chain metadata with ambient credentials (e.g. github actions workload identity).
Currently the following supply chain metadata is surfaced:
- The images are signed by the workload,
- The SPDX SBOM are attestated by the workload.
No requirements.
Name | Version |
---|---|
apko | n/a |
cosign | n/a |
No modules.
Name | Type |
---|---|
apko_build.this | resource |
cosign_attest.apko-configuration | resource |
cosign_attest.sboms | resource |
cosign_attest.slsa-provenance | resource |
cosign_sign.signature | resource |
apko_config.this | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
config | The apko configuration file to build and publish. | any |
n/a | yes |
extra_packages | Additional packages to install into this image. | list(string) |
[] |
no |
target_repository | The docker repo into which the image and attestations should be published. | any |
n/a | yes |
Name | Description |
---|---|
arch_to_image | n/a |
archs | n/a |
config | n/a |
image_ref | n/a |