In this article, you'll deploy an Azure Key Vault and Azure Container Registry instance with Terraform.
Terraform is an infrastructure as code tool that lets you define your infrastructure resources with readable configuration files. You'll use it to deploy the necessary Azure infrastructure that your GitHub workflow depends on for signing container images.
By the end of this article, you'll have deployed all the Azure resources needed to digitally sign container images with Notary.
Your GitHub workflow and Terraform both need a service principal for authenticating with Azure.
Create a new service principal by running the following command:
az ad sp create-for-rbac --name notary-gh-sp --role contributor \
  --scopes /subscriptions/<subscriptionId> --sdk-auth
Replace <subscriptionId> with your Azure subscription ID.
TIP: Store the JSON object in a secure place. You'll use it to create a credential to authenticate to Azure with the Azure Login GitHub Action.
One of several ways to pass credentials to Terraform is through environment variables; without these variables, Terraform will fail to authenticate to Azure.
Use the following export commands to set the necessary environment variables for the Azure Terraform provider.
export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
export ARM_CLIENT_SECRET="00000000-0000-0000-0000-000000000000"
export ARM_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
export ARM_TENANT_ID="00000000-0000-0000-0000-000000000000"
Replace each 00000000 placeholder with the corresponding value from the JSON output of the az ad sp create-for-rbac command.
With the service principal created and the environment variables set, you're now ready to apply the Terraform configuration.
Change directories to the
Apply the Terraform configuration
When prompted, type yes into the terminal and press Enter.
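For reference, this is the shape of a minimal Terraform configuration that this step applies: an azurerm provider that picks up the ARM_* variables above, plus one Key Vault and one Container Registry. It is an added example, not the tutorial's own files; the resource names, region and SKUs are placeholders, and the hardening settings (RBAC authorization and purge protection on the vault, admin account disabled on the registry) are choices made here rather than anything the tutorial states.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

# Credentials come from ARM_CLIENT_ID, ARM_CLIENT_SECRET,
# ARM_SUBSCRIPTION_ID and ARM_TENANT_ID; nothing is hard-coded here.
provider "azurerm" {
  features {}
}

# Tenant of the service principal running this configuration.
data "azurerm_client_config" "current" {}

# Placeholder names; ACR names must be globally unique and alphanumeric.
resource "azurerm_resource_group" "rg" {
  name     = "rg-notary-example"
  location = "eastus"
}

resource "azurerm_container_registry" "acr" {
  name                = "acrnotaryexample"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Basic"
  # Keep the shared admin account off; the workflow uses a scoped ACR token.
  admin_enabled       = false
}

resource "azurerm_key_vault" "kv" {
  name                       = "kv-notary-example"
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  # Azure RBAC instead of access policies; purge protection keeps the
  # signing key recoverable if the vault or key is deleted.
  enable_rbac_authorization  = true
  purge_protection_enabled   = true
  soft_delete_retention_days = 7
}

output "registry_login_server" {
  value = azurerm_container_registry.acr.login_server
}
```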
Your last task in this tutorial is to create a token that Notation, the command-line tool for Notary, will use to authenticate to the registry when signing images.
Run the following command to create an ACR token:
az acr token create \
  --name exampleToken \
  --registry <registryName> \
  --scope-map _repositories_admin \
  --query 'credentials.passwords.value' \
  --only-show-errors \
  --output tsv
TIP: Store the password value in a secure place. You'll need to store it as a GitHub secret later in the demo.