Support for Google Identity-Aware Proxy Provider

Fixes #2
osinfra-io · Dec 31, 2024 · 6ee0103 · 6ee0103
1 parent 0dc3cf9
commit 6ee0103
Show file tree

Hide file tree

Showing 10 changed files with 211 additions and 3 deletions.
diff --git a/deployments/README.md b/deployments/README.md
@@ -7,7 +7,9 @@ No requirements.
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | 6.14.1 |
 
 ## Modules
 
@@ -19,7 +21,11 @@ No providers.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [google_iap_brand.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_brand) | resource |
+| [google_iap_client.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_client) | resource |
+| [google_iap_web_iam_binding.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_web_iam_binding) | resource |
 
 ## Inputs
 
@@ -35,5 +41,8 @@ No resources.
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_backstage_iap_client_id"></a> [backstage\_iap\_client\_id](#output\_backstage\_iap\_client\_id) | n/a |
+| <a name="output_backstage_iap_client_secret"></a> [backstage\_iap\_client\_secret](#output\_backstage\_iap\_client\_secret) | n/a |
 <!-- END_TF_DOCS -->
diff --git a/deployments/main.tf b/deployments/main.tf
@@ -33,8 +33,51 @@ module "project" {
     "compute.googleapis.com",
     "container.googleapis.com",
     "iam.googleapis.com",
+    "iap.googleapis.com",
     "monitoring.googleapis.com",
     "servicenetworking.googleapis.com",
     "sqladmin.googleapis.com"
   ]
 }
+
+# IAP Client Brand Resource
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_brand
+
+# Brands can only be created once for a Google Cloud project and the underlying Google API doesn't not support DELETE or PATCH methods.
+# Destroying a Terraform-managed Brand will remove it from state but will not delete it from Google Cloud.
+# If you need to delete the Brand, you must do so manually in the Google Cloud Console.
+
+resource "google_iap_brand" "this" {
+  application_title = "Backstage (Cloud IAP Protected)"
+  project           = module.project.id
+
+  # This email address can either be a user's address or a Google Groups alias. While service accounts also have an email address,
+  # they are not actual valid email addresses, and cannot be used when creating a brand. However, a service account can be the owner
+  # of a Google Group.
+
+  support_email = "[email protected]"
+}
+
+# IAP Client Resource
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_client
+
+resource "google_iap_client" "this" {
+  brand        = google_iap_brand.this.name
+  display_name = "Backstage"
+}
+
+# IAP Web IAM Binding Resource
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_web_iam
+
+resource "google_iap_web_iam_binding" "this" {
+
+  members = [
+    "domain:osinfra.io"
+  ]
+
+  project = module.project.id
+
+  # Authoritative for a given role.
+
+  role = "roles/iap.httpsResourceAccessor"
+}
diff --git a/deployments/outputs.tf b/deployments/outputs.tf
@@ -0,0 +1,11 @@
+# Output Values
+# https://www.terraform.io/language/values/outputs
+
+output "backstage_iap_client_id" {
+  value = google_iap_client.this.client_id
+}
+
+output "backstage_iap_client_secret" {
+  value     = google_iap_client.this.secret
+  sensitive = true
+}
diff --git a/deployments/regional/README.md b/deployments/regional/README.md
@@ -14,6 +14,7 @@ No requirements.
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.17.0 |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.35.1 |
 | <a name="provider_random"></a> [random](#provider\_random) | 3.6.3 |
+| <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 
 ## Modules
 
@@ -27,17 +28,23 @@ No requirements.
 | Name | Type |
 |------|------|
 | [datadog_synthetics_test.this](https://registry.terraform.io/providers/datadog/datadog/latest/docs/resources/synthetics_test) | resource |
+| [google_dns_record_set.backstage_a_record](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
 | [google_sql_database.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database) | resource |
 | [google_sql_user.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_user) | resource |
 | [helm_release.backstage](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_ingress_v1.backstage](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1) | resource |
+| [kubernetes_manifest.backstage_backend_config](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.backstage_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_secret.postgres](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_secret_v1.iap](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
 | [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [google_client_config.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
 | [google_container_cluster.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/container_cluster) | data source |
 | [google_project.backstage](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 | [google_project.k8s](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 | [google_projects.backstage](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/projects) | data source |
 | [google_projects.k8s](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/projects) | data source |
+| [terraform_remote_state.main](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
 
 ## Inputs
 
@@ -52,6 +59,9 @@ No requirements.
 | <a name="input_cloud_sql_host_project_id"></a> [cloud\_sql\_host\_project\_id](#input\_cloud\_sql\_host\_project\_id) | Host project ID for the shared VPC | `string` | n/a | yes |
 | <a name="input_datadog_api_key"></a> [datadog\_api\_key](#input\_datadog\_api\_key) | Datadog API key | `string` | n/a | yes |
 | <a name="input_datadog_app_key"></a> [datadog\_app\_key](#input\_datadog\_app\_key) | Datadog APP key | `string` | n/a | yes |
+| <a name="input_dns_project"></a> [dns\_project](#input\_dns\_project) | DNS project ID for the record set | `string` | n/a | yes |
+| <a name="input_dns_zone"></a> [dns\_zone](#input\_dns\_zone) | DNS zone for the record set | `string` | n/a | yes |
+| <a name="input_remote_bucket"></a> [remote\_bucket](#input\_remote\_bucket) | The remote bucket the `terraform_remote_state` data source retrieves the state from | `string` | n/a | yes |
 
 ## Outputs
 

diff --git a/deployments/regional/helm/backstage.yml b/deployments/regional/helm/backstage.yml
@@ -59,3 +59,6 @@ backstage:
     periodSeconds: 10
     successThreshold: 1
     timeoutSeconds: 2
+
+
+# We need to annotate the service for IAP
diff --git a/deployments/regional/locals.tf b/deployments/regional/locals.tf
@@ -41,6 +41,8 @@ locals {
     # "backstage.resources.requests.memory"                = var.backstage_resources_requests_memory
   }
 
+  hostname           = module.helpers.environment == "production" ? "backstage-${module.helpers.region}.gcp.osinfra.io" : "backstage-${module.helpers.region}-${module.helpers.environment}.gcp.osinfra.io"
   kubernetes_project = module.helpers.environment == "sandbox" ? "plt-k8s-tf39-sb" : module.helpers.environment == "production" ? "plt-k8s-tf10-prod" : "plt-k8s-tf33-nonprod"
+  main               = data.terraform_remote_state.main.outputs
   registry           = module.helpers.environment == "sandbox" ? "us-docker.pkg.dev/plt-lz-services-tf7f-sb/plt-docker-virtual" : "us-docker.pkg.dev/plt-lz-services-tf79-prod/plt-docker-virtual"
 }
diff --git a/deployments/regional/main.tf b/deployments/regional/main.tf
@@ -1,3 +1,17 @@
+# Terraform Remote State Datasource
+# https://www.terraform.io/docs/language/state/remote-state-data.html
+
+data "terraform_remote_state" "main" {
+  backend = "gcs"
+
+  config = {
+    bucket = var.remote_bucket
+    prefix = module.helpers.repository
+  }
+
+  workspace = "main-${module.helpers.environment}"
+}
+
 # Google Cloud SQL Module (osinfra.io)
 # https://github.com/osinfra-io/terraform-google-cloud-sql
 
@@ -69,6 +83,19 @@ resource "datadog_synthetics_test" "this" {
   type = "api"
 }
 
+# DNS Record Set Resource
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set
+
+resource "google_dns_record_set" "backstage_a_record" {
+  project      = var.dns_project
+  name         = local.hostname
+  managed_zone = var.dns_zone
+  type         = "A"
+  ttl          = 300
+
+  rrdatas = [kubernetes_ingress_v1.backstage.status.0.load_balancer.0.ingress.0.ip]
+}
+
 # Cloud SQL Database Resource
 # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database
 
@@ -117,9 +144,95 @@ resource "helm_release" "backstage" {
   ]
 }
 
+# Kubernetes Ingress Resource
+# https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1
+
+resource "kubernetes_ingress_v1" "backstage" {
+  metadata {
+    name      = "backstage"
+    namespace = "backstage"
+
+    annotations = {
+      "kubernetes.io/ingress.allow-http"       = "false"
+      "networking.gke.io/managed-certificates" = kubernetes_manifest.backstage_tls.manifest.metadata.name
+    }
+  }
+  spec {
+    rule {
+      host = local.hostname
+
+      http {
+        path {
+          backend {
+            service {
+              name = "backstage"
+              port {
+                number = 7000 # Check this..
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  wait_for_load_balancer = true
+}
+
+# Kubernetes Manifest Resource
+# https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest
+
+resource "kubernetes_manifest" "backstage_backend_config" {
+  manifest = {
+    "apiVersion" = "cloud.google.com/v1"
+    "kind"       = "BackendConfig"
+    "metadata" = {
+      "name"      = "backstage-backend-config"
+      "namespace" = "backstage"
+    }
+    "spec" = {
+      "iap" = {
+        "enabled" = true
+        "oauthclientCredentials" = {
+          "secretName" = kubernetes_secret_v1.iap.metadata.0.name
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_manifest" "backstage_tls" {
+  manifest = {
+    "apiVersion" = "networking.gke.io/v1"
+    "kind"       = "ManagedCertificate"
+    "metadata" = {
+      "name"      = "backstage-tls"
+      "namespace" = "backstage"
+    }
+    "spec" = {
+      "domains" = [
+        local.hostname,
+      ]
+    }
+  }
+}
+
 # Kubernetes Secret Resource
 # https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret
 
+resource "kubernetes_secret_v1" "iap" {
+
+  data = {
+    client_id     = local.main.backstage_iap_client_id
+    client_secret = local.main.backstage_iap_client_secret
+  }
+
+  metadata {
+    name      = "iap"
+    namespace = "backstage"
+  }
+
+}
+
 resource "kubernetes_secret" "postgres" {
   metadata {
     name      = "postgres-secrets"

diff --git a/deployments/regional/tfvars/us-east1-b-production.tfvars b/deployments/regional/tfvars/us-east1-b-production.tfvars
@@ -1 +1,2 @@
 cloud_sql_host_project_id = "plt-lz-networking-tfcb-prod"
+remote_bucket             = "plt-backstage-53a5-prod"
diff --git a/deployments/regional/tfvars/us-east1-b-sandbox.tfvars b/deployments/regional/tfvars/us-east1-b-sandbox.tfvars
@@ -1 +1,2 @@
 cloud_sql_host_project_id = "plt-lz-networking-tfd8-sb"
+remote_bucket             = "plt-backstage-4312-sb"
diff --git a/deployments/regional/variables.tf b/deployments/regional/variables.tf
@@ -49,3 +49,18 @@ variable "datadog_app_key" {
   type        = string
   sensitive   = true
 }
+
+variable "dns_project" {
+  description = "DNS project ID for the record set"
+  type        = string
+}
+
+variable "dns_zone" {
+  description = "DNS zone for the record set"
+  type        = string
+}
+
+variable "remote_bucket" {
+  description = "The remote bucket the `terraform_remote_state` data source retrieves the state from"
+  type        = string
+}
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		cloud_sql_host_project_id = "plt-lz-networking-tfcb-prod"
		remote_bucket = "plt-backstage-53a5-prod"
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		cloud_sql_host_project_id = "plt-lz-networking-tfd8-sb"
		remote_bucket = "plt-backstage-4312-sb"