Add support for multiple attestations at once (#76)

Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
chainguard-dev · Sep 20, 2023 · 4769c9e · 4769c9e
1 parent 4fcd2e2
commit 4769c9e
Show file tree

Hide file tree

Showing 5 changed files with 448 additions and 143 deletions.
diff --git a/README.md b/README.md
@@ -46,10 +46,22 @@ resource "cosign_sign" "example" {
 
 resource "cosign_attest" "example" {
   image          = cosign_sign.example.signed_ref
-  predicate_type = "https://example.com/my/predicate/type"
-  predicate      = jsonencode({
-    // Your claim here!
-  })
+
+  predicates {
+    type = "https://example.com/my/predicate/type"
+    json = jsonencode({
+      // Your claim here!
+    })
+  }
+
+  // Inlining e.g. huge SBOMs will slow down terraform a lot, so reference a file.
+  predicates {
+    type = "https://example.com/my/predicate/too-big-for-terraform.tfstate"
+    file = {
+      path   = "/tmp/giant-file.json"
+      sha256 = "74af7407b59f9021f76a6f9ee66149c5df1ef6442617a805a7860ce18074158d"
+    }
+  }
 }
 
 # Reference cosign_attest.example.attested_ref to ensure we wait for all of the

diff --git a/docs/resources/attest.md b/docs/resources/attest.md
@@ -18,13 +18,14 @@ This attests the provided image digest with cosign.
 ### Required
 
 - `image` (String) The digest of the container image to attest.
-- `predicate_type` (String) The in-toto predicate type of the claim being attested.
 
 ### Optional
 
 - `fulcio_url` (String) Address of sigstore PKI server (default https://fulcio.sigstore.dev).
-- `predicate` (String) The JSON body of the in-toto predicate's claim.
-- `predicate_file` (Block List) The path and sha256 hex of the predicate to attest. (see [below for nested schema](#nestedblock--predicate_file))
+- `predicate` (String, Deprecated) The JSON body of the in-toto predicate's claim.
+- `predicate_file` (Block List, Deprecated) The path and sha256 hex of the predicate to attest. (see [below for nested schema](#nestedblock--predicate_file))
+- `predicate_type` (String, Deprecated) The in-toto predicate type of the claim being attested.
+- `predicates` (Block List) The path and sha256 hex of the predicate to attest. (see [below for nested schema](#nestedblock--predicates))
 - `rekor_url` (String) Address of rekor transparency log server (default https://rekor.sigstore.dev).
 
 ### Read-Only
@@ -41,3 +42,24 @@ Optional:
 - `sha256` (String) The sha256 hex hash of the predicate body.
 
 
+<a id="nestedblock--predicates"></a>
+### Nested Schema for `predicates`
+
+Required:
+
+- `type` (String) The in-toto predicate type of the claim being attested.
+
+Optional:
+
+- `file` (Block List) The path and sha256 hex of the predicate to attest. (see [below for nested schema](#nestedblock--predicates--file))
+- `json` (String) The JSON body of the in-toto predicate's claim.
+
+<a id="nestedblock--predicates--file"></a>
+### Nested Schema for `predicates.file`
+
+Optional:
+
+- `path` (String) The path to a file containing the predicate to attest.
+- `sha256` (String) The sha256 hex hash of the predicate body.
+
+