package provider
import (
"context"
"github.com/google/go-containerregistry/pkg/name"
"github.com/hashicorp/go-cty/cty"
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
"github.com/sigstore/cosign/v2/pkg/providers"
)
// resourceCosignSign returns the schema for the resource that signs a
// container image digest with cosign. The only input is "image", a digest
// reference; it is ForceNew, so changing it replaces the resource and signs
// the new digest. "signed_ref" is computed and always equals the input digest,
// which lets downstream resources depend on the signing having happened.
func resourceCosignSign() *schema.Resource {
	// Reject anything that is not a string or not a by-digest reference
	// (tags are not accepted) before the provider attempts to sign it.
	validateDigest := func(data interface{}, _ cty.Path) diag.Diagnostics {
		switch ref := data.(type) {
		case string:
			_, err := name.NewDigest(ref)
			return diag.FromErr(err)
		default:
			return diag.Errorf("%v is a %T, wanted a string", data, data)
		}
	}

	return &schema.Resource{
		Description:   "This signs the provided image digest with cosign.",
		CreateContext: resourceCosignSignCreate,
		ReadContext:   resourceCosignSignRead,
		DeleteContext: resourceCosignSignDelete,
		Schema: map[string]*schema.Schema{
			"image": {
				Description:      "The digest of the container image to sign.",
				Type:             schema.TypeString,
				Required:         true,
				ForceNew:         true,
				ValidateDiagFunc: validateDigest,
			},
			"signed_ref": {
				Description: "This always matches the input digest, but is a convenience for composition.",
				Type:        schema.TypeString,
				Computed:    true,
			},
		},
	}
}
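// resourceCosignSignCreate signs the configured image digest with cosign using
// keyless signing backed by ambient credentials, then records the digest as
// both the resource ID and the "signed_ref" attribute.
//
// Signing is refused unless an ambient credential provider is enabled for ctx
// (providers.Enabled). On success the signature is uploaded to the registry
// and an entry is published to the Rekor transparency log at rekorURL (the
// public Sigstore instance), so the signing identity is recorded publicly.
// Recursive signing is enabled, so for an image index the referenced
// manifests are signed as well. Registry credentials are additionally
// resolved through the Kubernetes keychain.
//
// Returns diagnostics for an invalid digest, missing ambient credentials, a
// failed sign/upload, or a failed state write; nil otherwise.
func resourceCosignSignCreate(ctx context.Context, d *schema.ResourceData, _ interface{}) diag.Diagnostics {
	digest, err := name.NewDigest(d.Get("image").(string))
	if err != nil {
		return diag.FromErr(err)
	}
	// Keyless signing needs an ambient identity (typically the CI
	// environment's); refuse early instead of failing inside SignCmd.
	if !providers.Enabled(ctx) {
		return diag.Errorf("no ambient credentials are available to sign with.")
	}
	// TODO(mattmoor): Move these to be configuration options.
	const (
		fulcioURL = "https://fulcio.sigstore.dev"
		rekorURL  = "https://rekor.sigstore.dev"
	)
	ropts := &options.RootOptions{
		Timeout: options.DefaultTimeout,
	}
	kopts := options.KeyOpts{
		FulcioURL:        fulcioURL,
		RekorURL:         rekorURL,
		SkipConfirmation: true,
	}
	sopts := options.SignOptions{
		SkipConfirmation: true,
		Fulcio: options.FulcioOptions{
			URL: fulcioURL,
		},
		Rekor: options.RekorOptions{
			URL: rekorURL,
		},
		// Sign the manifests referenced by an index, not only the index.
		Recursive:  true,
		Upload:     true,
		TlogUpload: true,
		Registry: options.RegistryOptions{
			KubernetesKeychain: true,
		},
	}
	ref := digest.String()
	if err := sign.SignCmd(ropts, kopts, sopts, []string{ref}); err != nil {
		return diag.FromErr(err)
	}
	// A failed Set must surface rather than leave state without signed_ref;
	// the previous code dropped this error.
	if err := d.Set("signed_ref", ref); err != nil {
		return diag.FromErr(err)
	}
	d.SetId(ref)
	return nil
}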
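// resourceCosignSignRead refreshes the resource from its configured digest.
// It re-derives "signed_ref" and the ID from "image" without contacting the
// registry or Rekor, so a signature removed out-of-band is not detected and
// the resource is not re-created.
//
// Returns diagnostics for an invalid digest or a failed state write.
func resourceCosignSignRead(ctx context.Context, d *schema.ResourceData, _ interface{}) diag.Diagnostics {
	digest, err := name.NewDigest(d.Get("image").(string))
	if err != nil {
		return diag.FromErr(err)
	}
	// TODO(mattmoor): should we check that the signature didn't disappear?
	ref := digest.String()
	// Report a failed Set instead of silently continuing with stale state.
	if err := d.Set("signed_ref", ref); err != nil {
		return diag.FromErr(err)
	}
	d.SetId(ref)
	return nil
}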
// resourceCosignSignDelete removes the resource from Terraform state only.
// Neither the image nor its signature is touched in the registry, and the
// Rekor entry written at creation is immutable regardless.
func resourceCosignSignDelete(_ context.Context, _ *schema.ResourceData, _ interface{}) diag.Diagnostics {
	// TODO: If we ever want to delete the image from the registry, we can do it here.
	var diags diag.Diagnostics
	return diags
}