feat: backstage example

Author: johanneswuerbach

.github/workflows/ci.yaml

@@ -1,15 +1,41 @@
-name: ci
-permissions:
-  contents: read
+name: CI
 on:
   push:
+    branches: [main]
+  pull_request:
+    branches: [main]
 jobs:
-  job:
-    runs-on: ubuntu-22.04
+  test:
+    runs-on: ubuntu-latest
     steps:
-      - name: checkout code
-        uses: actions/checkout@v4
-      - name: terraform validate
+      - uses: actions/checkout@v4
+
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: ~1.5
+
+      - name: Terraform Version
+        run: terraform -version
+
+      - name: Install terraform-docs
         run: |
-          terraform init -backend=false
-          terraform validate
+          WORK_DIR=$(mktemp -d)
+          curl -Lo ${WORK_DIR}/terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz
+          cd ${WORK_DIR}
+          tar -xzf terraform-docs.tar.gz
+          chmod +x terraform-docs
+          mv terraform-docs /usr/local/bin/terraform-docs
+      - name: Generate docs
+        run: make docs
+
+      - name: Check git diff is clean (all files generated should be committed)
+        run: git diff --exit-code
+
+      - name: Terraform Format Check
+        run: make fmt-check
+
+      - name: Stub Github App credentials (required for validation)
+        run: cd ./examples/with-backstage && STUB_FILE=1 node create-gh-app/index.js
+
+      - name: Terraform Validate
+        run: make validate

Makefile

@@ -0,0 +1,29 @@
+TF_DIRS = $(patsubst %/main.tf, %, $(shell find . -type d -name .terraform -prune -o -name 'main.tf' -print))
+VALIDATE_TF_DIRS = $(addprefix validate-,$(TF_DIRS))
+
+# Generate docs
+.PHONY: docs
+docs:
+	# terraform-docs --lockfile=false ./modules/base
+	terraform-docs --config docs/.terraform-docs.yaml .
+	terraform-docs --config docs/.terraform-docs-example.yaml .
+	terraform-docs --config docs/.terraform-docs.yaml ./examples/with-backstage
+	terraform-docs --config docs/.terraform-docs-example.yaml ./examples/with-backstage
+
+# Format all terraform files
+fmt:
+	terraform fmt -recursive
+
+# Check if all terraform files are formatted
+fmt-check:
+	terraform fmt -recursive -check
+
+# Validate a terraform directories
+$(VALIDATE_TF_DIRS): validate-%:
+	@echo "Validate $*"
+	terraform -chdir="$*" init -upgrade
+	terraform -chdir="$*" validate
+
+# Validate all terraform directories
+validate: $(VALIDATE_TF_DIRS)
+	@echo "All validated"

README.md

@@ -2,6 +2,10 @@
 
 This repo contains an implementation of part of the Humanitec Reference Architecture for an Internal Developer Platform.
 
+To install an implementation containing add-ons, follow the separate README. We currently feature these add-ons:
+
+* [Base layer plus Backstage](examples/with-backstage/)
+
 ![Google Cloud reference architecture Humanitec](docs/images/Reference-Architecture-Google-Cloud-Humanitec.png)
 
 This repo covers the base layer of the implementation for Google Cloud (GCP).
@@ -68,7 +72,7 @@ The following variables are required and so need to be set:
 | `region` | `string` | The GCP region to provision the infrastructure in. | `"us-west1"` |
 | `humanitec_org_id` | `string` | The ID of the Humanitec Organization the cluster should be associated with. | `"my-org"` |
 
-There are many other optional inputs that can be set. The full list is described in [Optional input variables](#optional-input-variables).
+There are many other optional inputs that can be set. The full list is described in [Inputs](#inputs).
 
 ## Verify your result
 
@@ -118,14 +122,30 @@ Once you are finished with the reference architecture, you can remove all provis
    terraform destroy
    ```
 
-## Advanced usage
 
-### Optional input variables
+<!-- BEGIN_TF_DOCS -->
+### Requirements
 
-In addition to the 3 required input variables described in [Required input variables](#required-input-variables), this implementation supports many more that change the behavior of the provisioning of infrastructure. 
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| google | ~> 5.1 |
+| humanitec | ~> 0.13 |
 
-### Tagging & ID generation
+### Modules
 
-| Variable | Type | Description | Default |
-| --- | --- | --- | --- |
-| `humanitec_prefix` | `string` | A prefix that will be attached to all IDs created in Humanitec | `""` |
+| Name | Source | Version |
+|------|--------|---------|
+| base | ./modules/base | n/a |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| humanitec\_org\_id | ID of the Humanitec Organization to associate resources with. | `string` | n/a | yes |
+| project\_id | GCP Project ID to provision resources in. | `string` | n/a | yes |
+| region | GCP Region to provision resources in. | `string` | n/a | yes |
+| environment | The environment to associate the reference architecture with. | `string` | `null` | no |
+| environment\_type | The environment type to associate the reference architecture with. | `string` | `"development"` | no |
+| humanitec\_prefix | A prefix that will be attached to all IDs created in Humanitec. | `string` | `"htc-ref-arch-"` | no |
+<!-- END_TF_DOCS -->

docs/.terraform-docs-example.yaml

@@ -0,0 +1,9 @@
+formatter: "tfvars hcl"
+
+output:
+  file: "./terraform.tfvars.example"
+  mode: replace
+  template: "{{ .Content }}"
+
+settings:
+  description: true

docs/.terraform-docs.yaml

@@ -0,0 +1,15 @@
+formatter: "markdown table"
+
+output:
+  file: "./README.md"
+
+sort:
+  enabled: true
+  by: required
+
+
+settings:
+  anchor: false
+  indent: 3
+  hide-empty: true
+  lockfile: false

examples/with-backstage/README.md

@@ -0,0 +1,141 @@
+# GCP reference architecture with Backstage
+
+Provisions the GCP reference architecture connected to Humanitec and installs Backstage.
+
+## Prerequisites
+
+* The same prerequisites as the [base reference architecture](../../README.md#prerequisites), plus the following items.
+* A GitHub organization and permission to create new repositories in it. Go to https://github.com/account/organizations/new to create a new org (the "Free" option is fine). Note: is has to be an organization, a free account is not sufficient.
+* Create a classic github personal access token with `repo`, `workflow`, `delete_repo` and `admin:org` scope [here](https://github.com/settings/tokens).
+* Set the `GITHUB_TOKEN` environment variable to your token.
+  ```
+  export GITHUB_TOKEN="my-github-token"
+  ```
+* Set the `GITHUB_ORG_ID` environment variable to your GitHub organization ID.
+  ```
+  export GITHUB_ORG_ID="my-github-org-id"
+  ```
+* [Node.js](https://nodejs.org) installed locally.
+* Install the GitHub App for Backstage into your GitHub organization using `node create-gh-app/index.js`. Follow the instructions.
+  * “All repositories” ~> Install
+  * “Okay, […] was installed on the […] account.” ~> You can close the window and server.
+
+## Usage
+
+Follow the same steps as for the [base layer](../../README.md#usage), applying these modifications:
+* Execute `cd ./examples/with-backstage` after cloning the repo. Execute all subsequent commands in this directory.
+* In particular, use the `./examples/with-backstage/terraform.tfvars.example` file as the basis for your `terraform.tfvars` file. It defines additional variables needed to setup and configure Backstage.
+
+## Verify your result
+
+Check for the existence of key elements of the backstage module. This is a subset of all elements only. For a complete list of what was installed, review the Terraform code.
+
+1. Perform the [verification steps of the base installation](../../README.md) if you have not already done so.
+2. Verify the existence of the Backstage Application in your Humanitec Organization:
+   ```
+   curl -s https://api.humanitec.io/orgs/${HUMANITEC_ORG}/apps/backstage \
+     --header "Authorization: Bearer ${HUMANITEC_TOKEN}"
+   ```
+   This should output a JSON formatted representation of the Application like so:
+   ```
+   {"id":"backstage","name":"backstage","created_at":"2023-10-02T13:44:27Z","created_by":"s-d3e94a0e-8b53-29f9-b666-27548b7e06e0","envs":[{"id":"development","name":"Development","type":"development"}]}
+   ```
+   You can also check for the Application in the [Humanitec Platform Orchestrator UI](https://app.humanitec.io).
+
+3. Connect to your GKE cluster via `kubectl`. See the [GKE documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-access-for-kubectl) or use this command:
+   ```
+   gcloud container clusters get-credentials --location <my-gcp-region> --name ref-arch
+   ```
+4. Get the elements in the newly created Kubernetes namespace:
+   ```
+   kubectl get all -n backstage-development
+   ```
+   You should see
+   - a `deployment`, `replicaset`, running `pod`, and `service` for Backstage
+   - a `statefulset`, running `pod`, and `service` for PostgreSQL database used by Backstage.
+
+   Note: it may take up to ten minutes after the `terraform apply` completed until you actually see those resources. The Backstage application needs to built and deployed via a GitHub action out of the newly created repository in your GitHub organization.
+
+
+## Cleaning up
+
+Once you are finished with the reference architecture, you can remove all provisioned infrastructure and the resource definitions created in Humanitec with the following:
+
+1. Delete all Humanitec applications scaffolded using Backstage, but not the `backstage` app itself.
+
+2. Follow the [base reference architecture cleanup instructions](../../README.md#cleaning-up).
+
+## Terraform docs
+
+<!-- BEGIN_TF_DOCS -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| github | ~> 5.38 |
+| google | ~> 5.1 |
+| humanitec | ~> 0.13 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| github | ~> 5.38 |
+| google | ~> 5.1 |
+| google-beta | n/a |
+| humanitec | ~> 0.13 |
+
+### Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| backstage\_mysql | git::https://github.com/humanitec-architecture/resource-packs-in-cluster.git//humanitec-resource-defs/mysql/basic | n/a |
+| backstage\_postgres | git::https://github.com/humanitec-architecture/resource-packs-in-cluster.git//humanitec-resource-defs/postgres/basic | n/a |
+| base | ../../modules/base | n/a |
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [github_actions_organization_secret.backstage_humanitec_token](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource |
+| [github_actions_organization_variable.backstage_cloud_provider](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.backstage_gcp_gar_host](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.backstage_gcp_gar_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.backstage_gcp_service_account](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.backstage_gcp_workload_identity_provider](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.backstage_humanitec_org_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_repository.backstage](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
+| [google-beta_google_iam_workload_identity_pool.main](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_iam_workload_identity_pool) | resource |
+| [google-beta_google_iam_workload_identity_pool_provider.main](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_iam_workload_identity_pool_provider) | resource |
+| [google_artifact_registry_repository.repo](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/artifact_registry_repository) | resource |
+| [google_project_iam_member.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_service_account.sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_iam_member.wif-sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
+| [humanitec_application.backstage](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
+| [humanitec_resource_definition_criteria.backstage_mysql](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.backstage_postgres](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_value.backstage_cloud_provider](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
+| [humanitec_value.backstage_github_app_client_id](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
+| [humanitec_value.backstage_github_app_client_secret](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
+| [humanitec_value.backstage_github_app_id](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
+| [humanitec_value.backstage_github_app_private_key](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
+| [humanitec_value.backstage_github_app_webhook_secret](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
+| [humanitec_value.backstage_github_org_id](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
+| [humanitec_value.backstage_humanitec_org](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
+| [humanitec_value.backstage_humanitec_token](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| github\_org\_id | GitHub org id | `string` | n/a | yes |
+| humanitec\_ci\_service\_user\_token | Humanitec CI Service User Token | `string` | n/a | yes |
+| humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes |
+| project\_id | GCP Project ID to provision resources in. | `string` | n/a | yes |
+| region | GCP Region to provision resources in. | `string` | n/a | yes |
+| registry\_location | Region of the Google Artifact Registry. | `string` | n/a | yes |
+| environment | The environment to associate the reference architecture with. | `string` | `null` | no |
+| environment\_type | The environment type to associate the reference architecture with. | `string` | `"development"` | no |
+| humanitec\_prefix | A prefix that will be attached to all IDs created in Humanitec. | `string` | `"htc-ref-arch-"` | no |
+<!-- END_TF_DOCS -->

examples/with-backstage/backstage-github.tf

@@ -0,0 +1,88 @@
+# Configure GitHub variables & secrets for Backstage itself and for all scaffolded apps
+
+locals {
+  github_app_credentials_file = "github-app-credentials.json"
+  github_app_credentials      = jsondecode(file("${path.module}/${local.github_app_credentials_file}"))
+  github_app_id               = local.github_app_credentials["appId"]
+  github_app_client_id        = local.github_app_credentials["clientId"]
+  github_app_client_secret    = local.github_app_credentials["clientSecret"]
+  github_app_private_key      = local.github_app_credentials["privateKey"]
+  github_webhook_secret       = local.github_app_credentials["webhookSecret"]
+}
+
+locals {
+  backstage_repo = "backstage"
+}
+
+resource "github_actions_organization_variable" "backstage_cloud_provider" {
+  variable_name = "CLOUD_PROVIDER"
+  visibility    = "all"
+  value         = "gcp"
+}
+
+resource "github_actions_organization_variable" "backstage_gcp_workload_identity_provider" {
+  variable_name = "GCP_WORKLOAD_IDENTITY_PROVIDER"
+  visibility    = "all"
+  value         = google_iam_workload_identity_pool_provider.main.name
+  # value         = module.gh_oidc.provider_name
+}
+
+resource "github_actions_organization_variable" "backstage_gcp_service_account" {
+  variable_name = "GCP_SERVICE_ACCOUNT"
+  visibility    = "all"
+  value         = google_service_account.sa.email
+}
+
+
+resource "github_actions_organization_variable" "backstage_gcp_gar_host" {
+  variable_name = "GCP_GAR_HOST"
+  visibility    = "all"
+  value         = local.registry_host
+}
+
+
+resource "github_actions_organization_variable" "backstage_gcp_gar_name" {
+  variable_name = "GCP_GAR_NAME"
+  visibility    = "all"
+  value         = local.registry_name
+}
+
+
+resource "github_actions_organization_variable" "backstage_humanitec_org_id" {
+  variable_name = "HUMANITEC_ORG_ID"
+  visibility    = "all"
+  value         = var.humanitec_org_id
+}
+
+resource "github_actions_organization_secret" "backstage_humanitec_token" {
+  secret_name     = "HUMANITEC_TOKEN"
+  visibility      = "all"
+  plaintext_value = var.humanitec_ci_service_user_token
+}
+
+# Backstage repository itself
+
+resource "github_repository" "backstage" {
+  name        = local.backstage_repo
+  description = "Backstage"
+
+  visibility = "public"
+
+  template {
+    # TODO: Replace before merging
+    # owner      = "humanitec-architecture"
+    # repository = "backstage"
+    owner      = "johanneswuerbach"
+    repository = "humanitec-architecture-backstage"
+  }
+
+  depends_on = [
+    module.base,
+    google_artifact_registry_repository.repo,
+    # module.gh_oidc,
+    google_iam_workload_identity_pool_provider.main,
+    humanitec_application.backstage,
+    humanitec_resource_definition_criteria.backstage_postgres,
+    github_actions_organization_secret.backstage_humanitec_token,
+  ]
+}