bring back tf reporting

cyber-dojo · Apr 2, 2024 · bf0c6ff · bf0c6ff
1 parent 093f5f4
commit bf0c6ff
Show file tree

Hide file tree

Showing 7 changed files with 41 additions and 3 deletions.
diff --git a/...b/workflows/old/attest_beta_artifacts.yml → .github/workflows/attest_beta_artifacts.yml b/...b/workflows/old/attest_beta_artifacts.yml → .github/workflows/attest_beta_artifacts.yml
diff --git a/...b/workflows/old/attest_prod_artifacts.yml → .github/workflows/attest_prod_artifacts.yml b/...b/workflows/old/attest_prod_artifacts.yml → .github/workflows/attest_prod_artifacts.yml
diff --git a/.github/workflows/deploy-manually-to-aws-beta-and-aws-prod.yml b/.github/workflows/deploy-manually-to-aws-beta-and-aws-prod.yml
@@ -13,7 +13,19 @@ jobs:
     with:
       IMAGE_TAG: ${{ github.event.inputs.image_tag }}
 
+  attest_beta_artifacts:
+    needs: [deploy_to_beta]
+    uses: ./.github/workflows/attest_beta_artifacts.yml
+    secrets:
+      KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
+
   deploy_to_prod:
     uses: ./.github/workflows/sub_deploy_to_prod.yml
     with:
       IMAGE_TAG: ${{ github.event.inputs.image_tag }}
+
+  attest_prod_artifacts:
+    needs: [deploy_to_prod]
+    uses: ./.github/workflows/attest_prod_artifacts.yml
+    secrets:
+      KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
diff --git a/.github/workflows/deploy-manually-to-aws-beta.yml b/.github/workflows/deploy-manually-to-aws-beta.yml
@@ -12,3 +12,9 @@ jobs:
     uses: ./.github/workflows/sub_deploy_to_beta.yml
     with:
       IMAGE_TAG: ${{ github.event.inputs.image_tag }}
+
+  attest_beta_artifacts:
+    needs: [deploy_to_beta]
+    uses: ./.github/workflows/attest_beta_artifacts.yml
+    secrets:
+      KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -314,8 +314,15 @@ jobs:
       IMAGE_TAG: ${{ needs.kosli-trail.outputs.image_tag }}
 
 
+  attest-beta-artifacts:
+    needs: [deploy-to-beta]
+    uses: ./.github/workflows/attest_beta_artifacts.yml
+    secrets:
+      KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
+
+
   approve-deployment-to-prod:
-    needs: [deploy-to-beta, kosli-trail, build-image]
+    needs: [attest-beta-artifacts, kosli-trail, build-image]
     runs-on: ubuntu-latest
     environment:
       name: production
@@ -347,6 +354,13 @@ jobs:
       IMAGE_TAG: ${{ needs.kosli-trail.outputs.image_tag }}
 
 
+  attest-prod-artifacts:
+    needs: [deploy-to-prod]
+    uses: ./.github/workflows/attest_prod_artifacts.yml
+    secrets:
+      KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
+
+
   # The cyberdojo/versioner refresh-env.sh script
   # https://github.com/cyber-dojo/versioner/blob/master/sh/refresh-env.sh
   # relies on being able to:
@@ -355,7 +369,7 @@ jobs:
   #   - use the 1st 7 chars of the SHA as a latest-equivalent tag
 
   push-latest:
-    needs: [deploy-to-prod, kosli-trail]
+    needs: [attest-prod-artifacts, kosli-trail]
     runs-on: ubuntu-latest
     env:
       IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }}

diff --git a/.kosli.yml b/.kosli.yml
@@ -2,9 +2,15 @@ version: 1
 
 trail:
   attestations:
+    - name: tf-plan-beta
+      type: generic
+    - name: tf-plan-prod
+      type: generic
     - name: pull-request
       type: pull_request
   artifacts:
+    - name: tf-state-beta
+    - name: tf-state-prod
     - name: differ
       attestations:
         - name: lint

diff --git a/deployment/terraform/environment-reporter/deployment.tf b/deployment/terraform/environment-reporter/deployment.tf
@@ -14,7 +14,7 @@ module "lambda_reporter" {
   kosli_environment_type            = "s3"
   kosli_host                        = each.value
   kosli_cli_version                 = "v2.7.8"
-  kosli_environment_name            = "terraform-state-${var.env}"
+  kosli_environment_name            = "terraform-state-differ-${var.env}"
   kosli_org                         = "cyber-dojo"
   reported_aws_resource_name        = local.state_bucket_name
   kosli_command_optional_parameters = "--include terraform/differ/differ.tfstate"