diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f58e975..c35c40f 100755 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,7 +31,7 @@ repos: - --hook-config=--create-file-if-not-exist=false - repo: https://github.com/bridgecrewio/checkov.git - rev: 3.2.345 + rev: 3.2.346 hooks: - id: checkov files: Dockerfile diff --git a/README.md b/README.md index 76ee553..1f3c833 100755 --- a/README.md +++ b/README.md @@ -40,6 +40,20 @@ Links to documentation and other resources required to develop and iterate in th - [backstage](https://backstage.io/docs) +### 🔍 Tests + +A local instance of Backstage can be used to test some of the changes made to the repository. You can go to the application +directory and start the app using the `yarn dev` command. The `yarn dev` command will run both the frontend and backend as separate +processes (named `[0]` and `[1]`) in the same window. + +```none +cd app +``` + +```none +yarn dev +``` + ### 📓 Terraform Documentation - [main](deployments/README.md) diff --git a/app/app-config.production.yaml b/app/app-config.production.yaml deleted file mode 100644 index 5715c57..0000000 --- a/app/app-config.production.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -app: - # Should be the same as backend.baseUrl when using the `app-backend` plugin. - baseUrl: https://backstage.gcp.osinfra.io - -backend: - # Note that the baseUrl should be the URL that the browser and other clients - # should use when communicating with the backend, i.e. it needs to be - # reachable not just from within the backend host, but from all of your - # callers. When its value is "http://localhost:7007", it's strictly private - # and can't be reached by others. - baseUrl: http://localhost:7007 - # The listener can also be expressed as a single : string. In this case we bind to - # all interfaces, the most permissive setting. The right value depends on your specific deployment. - listen: ':7007' - - # config options: https://node-postgres.com/apis/client - database: - client: pg - connection: - host: localhost - port: 5432 - user: ${POSTGRES_USER} - password: ${POSTGRES_PASSWORD} - # https://node-postgres.com/features/ssl - # you can set the sslmode configuration option via the `PGSSLMODE` environment variable - # see https://www.postgresql.org/docs/current/libpq-ssl.html Table 33.1. SSL Mode Descriptions (e.g. require) - # ssl: - # ca: # if you have a CA file and want to verify it you can uncomment this section - # $file: /ca/server.crt - -auth: - providers: - guest: {} - -catalog: - # Overrides the default list locations from app-config.yaml as these contain example data. - # See https://backstage.io/docs/features/software-catalog/#adding-components-to-the-catalog for more details - # on how to get entities into the catalog. - locations: - # Local example data, replace this with your production config, these are intended for demo use only. 
- # File locations are relative to the backend process, typically in a deployed context, such as in a Docker container, this will be the root - - type: file - target: ./examples/entities.yaml - - # Local example template - - type: file - target: ./examples/template/template.yaml - rules: - - allow: [Template] - - # Local example organizational data - - type: file - target: ./examples/org.yaml - rules: - - allow: [User, Group] diff --git a/app/app-config.sandbox.yaml b/app/app-config.sandbox.yaml deleted file mode 100644 index 7301069..0000000 --- a/app/app-config.sandbox.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -app: - # Should be the same as backend.baseUrl when using the `app-backend` plugin. - baseUrl: http://localhost:7007 - -backend: - # Note that the baseUrl should be the URL that the browser and other clients - # should use when communicating with the backend, i.e. it needs to be - # reachable not just from within the backend host, but from all of your - # callers. When its value is "http://localhost:7007", it's strictly private - # and can't be reached by others. - baseUrl: http://localhost:7007 - # The listener can also be expressed as a single : string. In this case we bind to - # all interfaces, the most permissive setting. The right value depends on your specific deployment. - listen: ':7007' - - # config options: https://node-postgres.com/apis/client - database: - client: pg - connection: - host: localhost - port: 5432 - user: ${POSTGRES_USER} - password: ${POSTGRES_PASSWORD} - # https://node-postgres.com/features/ssl - # you can set the sslmode configuration option via the `PGSSLMODE` environment variable - # see https://www.postgresql.org/docs/current/libpq-ssl.html Table 33.1. SSL Mode Descriptions (e.g. require) - # ssl: - # ca: # if you have a CA file and want to verify it you can uncomment this section - # $file: /ca/server.crt - -auth: - providers: - guest: {} - -catalog: - # Overrides the default list locations from app-config.yaml as these contain example data. - # See https://backstage.io/docs/features/software-catalog/#adding-components-to-the-catalog for more details - # on how to get entities into the catalog. - locations: - # Local example data, replace this with your production config, these are intended for demo use only. 
- # File locations are relative to the backend process, typically in a deployed context, such as in a Docker container, this will be the root - - type: file - target: ./examples/entities.yaml - - # Local example template - - type: file - target: ./examples/template/template.yaml - rules: - - allow: [Template] - - # Local example organizational data - - type: file - target: ./examples/org.yaml - rules: - - allow: [User, Group] diff --git a/app/app-config.yaml b/app/app-config.yaml index c0f6b3e..1cd44c9 100644 --- a/app/app-config.yaml +++ b/app/app-config.yaml @@ -1,5 +1,5 @@ app: - title: Backstage + title: Backstage (Local Development) baseUrl: http://localhost:3000 organization: diff --git a/app/examples/admin.yaml b/app/examples/admin.yaml new file mode 100644 index 0000000..200a653 --- /dev/null +++ b/app/examples/admin.yaml @@ -0,0 +1,20 @@ +--- +# https://backstage.io/docs/features/software-catalog/descriptor-format#kind-user +apiVersion: backstage.io/v1alpha1 +kind: User +metadata: + name: admin +spec: + profile: + displayName: Brett Curtis + email: brett@osinfra.io + memberOf: [admins] +--- +# https://backstage.io/docs/features/software-catalog/descriptor-format#kind-group +apiVersion: backstage.io/v1alpha1 +kind: Group +metadata: + name: admins +spec: + type: team + children: [] diff --git a/app/packages/app/src/App.tsx b/app/packages/app/src/App.tsx index 15e0a16..4885854 100644 --- a/app/packages/app/src/App.tsx +++ b/app/packages/app/src/App.tsx @@ -29,6 +29,7 @@ import { Root } from './components/Root'; import { AlertDisplay, OAuthRequestDialog, + ProxiedSignInPage, SignInPage, } from '@backstage/core-components'; import { createApp } from '@backstage/app-defaults'; @@ -60,8 +61,11 @@ const app = createApp({ catalogIndex: catalogPlugin.routes.catalogIndex, }); }, + components: { - SignInPage: props => , + SignInPage: props => process.env.NODE_ENV !== 'development' + ? + : , }, themes: [{ 
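Review bot: The `SignInPage` ternary in the App.tsx `components` hunk chooses the sign-in page from `process.env.NODE_ENV` at bundle-build time, so whether IAP or guest sign-in ships is decided by how the image was built rather than by the deployed configuration; the JSX elements were lost in this rendering, so I am reading only the condition. This needs the backend to agree: `packages/backend/src/index.ts` still registers the guest provider module, and the deleted app-config.production.yaml and app-config.sandbox.yaml were the files that enabled `guest: {}`, so confirm the remaining app-config.yaml plus the Helm `appConfig` leave `auth.providers.guest` unset outside development. A comment above the ternary, `// Deployed environments sit behind GCP IAP; guest sign-in is only for local development`, would record the intent.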
diff --git a/app/packages/backend/package.json b/app/packages/backend/package.json index a460b55..e28e82b 100644 --- a/app/packages/backend/package.json +++ b/app/packages/backend/package.json @@ -20,6 +20,7 @@ "@backstage/config": "backstage:^", "@backstage/plugin-app-backend": "backstage:^", "@backstage/plugin-auth-backend": "backstage:^", + "@backstage/plugin-auth-backend-module-gcp-iap-provider": "backstage:^", "@backstage/plugin-auth-backend-module-github-provider": "backstage:^", "@backstage/plugin-auth-backend-module-guest-provider": "backstage:^", "@backstage/plugin-auth-node": "backstage:^", diff --git a/app/packages/backend/src/index.ts b/app/packages/backend/src/index.ts index 6d0a6f4..82a52d1 100644 --- a/app/packages/backend/src/index.ts +++ b/app/packages/backend/src/index.ts @@ -21,6 +21,7 @@ backend.add(import('@backstage/plugin-auth-backend')); // See https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin backend.add(import('@backstage/plugin-auth-backend-module-guest-provider')); // See https://backstage.io/docs/auth/guest/provider +backend.add(import('@backstage/plugin-auth-backend-module-gcp-iap-provider')); // catalog plugin backend.add(import('@backstage/plugin-catalog-backend')); diff --git a/app/yarn.lock b/app/yarn.lock index 5ebde77..3ba2d95 100644 --- a/app/yarn.lock +++ b/app/yarn.lock @@ -14037,6 +14037,7 @@ __metadata: "@backstage/config": "backstage:^" "@backstage/plugin-app-backend": "backstage:^" "@backstage/plugin-auth-backend": "backstage:^" + "@backstage/plugin-auth-backend-module-gcp-iap-provider": "backstage:^" "@backstage/plugin-auth-backend-module-github-provider": "backstage:^" "@backstage/plugin-auth-backend-module-guest-provider": "backstage:^" "@backstage/plugin-auth-node": "backstage:^" diff --git a/deployments/README.md b/deployments/README.md index 34515cd..f5df925 100755 --- a/deployments/README.md +++ b/deployments/README.md 
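Review bot: The new `backend.add(import('@backstage/plugin-auth-backend-module-gcp-iap-provider'))` line in index.ts is the only provider registration without a `// See https://...` docs comment; add the matching link for the GCP IAP provider. Registering the module does not enable it — the `auth.providers.gcpIap` block (with `audience`) in the Helm `appConfig` does — and the guest module on the line above remains registered, so the per-environment config is the only thing keeping guest sign-in out of sandbox and production. A comment on the guest line such as `// Guest sign-in is for local development only; deployed environments must not configure auth.providers.guest` makes that dependency visible. The package.json and yarn.lock hunks are the matching dependency additions.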
@@ -7,7 +7,9 @@ No requirements. ## Providers -No providers. +| Name | Version | +|------|---------| +| [google](#provider\_google) | 6.14.1 | ## Modules @@ -19,7 +21,11 @@ No providers. ## Resources -No resources. +| Name | Type | +|------|------| +| [google_iap_brand.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_brand) | resource | +| [google_iap_client.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_client) | resource | +| [google_project_iam_member.cloud_sql_proxy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | ## Inputs @@ -28,6 +34,7 @@ No resources. | [datadog\_api\_key](#input\_datadog\_api\_key) | Datadog API key | `string` | n/a | yes | | [datadog\_app\_key](#input\_datadog\_app\_key) | Datadog APP key | `string` | n/a | yes | | [datadog\_enable](#input\_datadog\_enable) | Enable Datadog integration | `bool` | `false` | no | +| [k8s\_workload\_identity\_service\_account](#input\_k8s\_workload\_identity\_service\_account) | The service account to use for the workload identity | `string` | n/a | yes | | [project\_billing\_account](#input\_project\_billing\_account) | The alphanumeric ID of the billing account this project belongs to | `string` | `"01C550-A2C86B-B8F16B"` | no | | [project\_cis\_2\_2\_logging\_sink\_project\_id](#input\_project\_cis\_2\_2\_logging\_sink\_project\_id) | The CIS 2.2 logging sink benchmark project ID | `string` | n/a | yes | | [project\_folder\_id](#input\_project\_folder\_id) | The numeric ID of the folder this project should be created under. Only one of `org_id` or `folder_id` may be specified | `string` | n/a | yes | @@ -35,5 +42,8 @@ No resources. ## Outputs -No outputs. +| Name | Description | +|------|-------------| +| [backstage\_iap\_client\_id](#output\_backstage\_iap\_client\_id) | n/a | +| [backstage\_iap\_client\_secret](#output\_backstage\_iap\_client\_secret) | n/a | 
diff --git a/deployments/main.tf b/deployments/main.tf index 83cb447..7ee1fdb 100755 --- a/deployments/main.tf +++ b/deployments/main.tf @@ -33,8 +33,44 @@ module "project" { "compute.googleapis.com", "container.googleapis.com", "iam.googleapis.com", + "iap.googleapis.com", "monitoring.googleapis.com", "servicenetworking.googleapis.com", "sqladmin.googleapis.com" ] } + +# IAP Client Brand Resource +# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_brand + +# Brands can only be created once for a Google Cloud project and the underlying Google API doesn't not support DELETE or PATCH methods. +# Destroying a Terraform-managed Brand will remove it from state but will not delete it from Google Cloud. +# If you need to delete the Brand, you must do so manually in the Google Cloud Console. + +resource "google_iap_brand" "this" { + application_title = "Backstage" + project = module.project.id + + # This email address can either be a user's address or a Google Groups alias. While service accounts also have an email address, + # they are not actual valid email addresses, and cannot be used when creating a brand. However, a service account can be the owner + # of a Google Group. + + support_email = "iap@osinfra.io" +} + +# IAP Client Resource +# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_client + +resource "google_iap_client" "this" { + brand = google_iap_brand.this.name + display_name = "Backstage" +} + +# Project IAM Member Resource +# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member + +resource "google_project_iam_member" "cloud_sql_proxy" { + member = "serviceAccount:${var.k8s_workload_identity_service_account}" + project = module.project.id + role = "roles/cloudsql.client" +} diff --git a/deployments/outputs.tf b/deployments/outputs.tf new file mode 100644 index 0000000..35c0f90 --- /dev/null +++ b/deployments/outputs.tf 
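Review bot: `google_iap_client.this` exposes the OAuth client's `secret` attribute, which Terraform records in plaintext in this stack's state, so read access to the state bucket is now equivalent to holding the IAP client secret; say so in the comment block above the resource and review who can read that bucket. The brand comment has a double negative, `doesn't not support DELETE or PATCH methods` → `does not support DELETE or PATCH methods`. The `roles/cloudsql.client` grant in `google_project_iam_member.cloud_sql_proxy` is suitably narrow; a one-line comment that it is what lets the cloud-sql-proxy sidecar in the regional Helm values reach Cloud SQL would tie the two stacks together. The `module "project"` block that gains `iap.googleapis.com` starts outside the hunk.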
@@ -0,0 +1,11 @@
+# Output Values
+# https://www.terraform.io/language/values/outputs
+
+output "backstage_iap_client_id" {
+ value = google_iap_client.this.client_id
+}
+
+output "backstage_iap_client_secret" {
+ value = google_iap_client.this.secret
+ sensitive = true
+}
diff --git a/deployments/regional/README.md b/deployments/regional/README.md
index 26d7952..150a30f 100755
--- a/deployments/regional/README.md
+++ b/deployments/regional/README.md
@@ -14,6 +14,7 @@ No requirements. | [helm](#provider\_helm) | 2.17.0 | | [kubernetes](#provider\_kubernetes) | 2.35.1 | | [random](#provider\_random) | 3.6.3 | +| [terraform](#provider\_terraform) | n/a | ## Modules 
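Review bot: Neither output has a `description`, which is why deployments/README.md lists both as `n/a`; add for example `description = "OAuth client ID of the IAP client fronting Backstage"` and `description = "OAuth client secret of the IAP client; held in state and read by the regional stack via terraform_remote_state"`. `sensitive = true` only redacts CLI and plan output — the value remains in plaintext state, and `terraform_remote_state` in deployments/regional/main.tf returns every root output to whoever can read the bucket, so the regional stack inherits the secret and its own state will hold a second copy once it is written into the Kubernetes Secret. Worth a comment on the secret output stating exactly that.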
@@ -27,10 +28,15 @@ No requirements. | Name | Type | |------|------| | [datadog_synthetics_test.this](https://registry.terraform.io/providers/datadog/datadog/latest/docs/resources/synthetics_test) | resource | +| [google_dns_record_set.backstage_a_record](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource | | [google_sql_database.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database) | resource | | [google_sql_user.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_user) | resource | | [helm_release.backstage](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [kubernetes_ingress_v1.backstage](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1) | resource | +| [kubernetes_manifest.backstage_backend_config](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | +| [kubernetes_manifest.backstage_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | | [kubernetes_secret.postgres](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | +| [kubernetes_secret_v1.iap](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource | | [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | | [google_client_config.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source | | [google_container_cluster.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/container_cluster) | data source | 
@@ -38,6 +44,7 @@ No requirements. | [google_project.k8s](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | | [google_projects.backstage](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/projects) | data source | | [google_projects.k8s](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/projects) | data source | +| [terraform_remote_state.main](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | ## Inputs @@ -49,9 +56,10 @@ No requirements. | [backstage\_resources\_requests\_cpu](#input\_backstage\_resources\_requests\_cpu) | The CPU request for the audit container | `string` | `"10m"` | no | | [backstage\_resources\_requests\_memory](#input\_backstage\_resources\_requests\_memory) | The memory request for the audit container | `string` | `"32Mi"` | no | | [backstage\_version](#input\_backstage\_version) | The version of the Backstage deployment | `string` | n/a | yes | -| [cloud\_sql\_host\_project\_id](#input\_cloud\_sql\_host\_project\_id) | Host project ID for the shared VPC | `string` | n/a | yes | | [datadog\_api\_key](#input\_datadog\_api\_key) | Datadog API key | `string` | n/a | yes | | [datadog\_app\_key](#input\_datadog\_app\_key) | Datadog APP key | `string` | n/a | yes | +| [networking\_project\_id](#input\_networking\_project\_id) | The project ID for the shared VPC | `string` | n/a | yes | +| [remote\_bucket](#input\_remote\_bucket) | The remote bucket the `terraform_remote_state` data source retrieves the state from | `string` | n/a | yes | ## Outputs diff --git a/deployments/regional/helm/backstage.yml b/deployments/regional/helm/backstage.yml index 3967b35..c8e30a8 100644 --- a/deployments/regional/helm/backstage.yml +++ b/deployments/regional/helm/backstage.yml 
@@ -1,21 +1,18 @@ backstage: - args: - - "app-config.yaml" - extraContainers: - name: cloud-sql-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.2 args: - - "--private-ip" - - "--port=5432" + - --private-ip + - --port=5432 securityContext: runAsNonRoot: true resources: limits: - memory: "1Gi" - cpu: "100m" + memory: 1Gi + cpu: 100m requests: - memory: "128Mi" + memory: 128Mi cpu: 10m extraEnvVarsSecrets: @@ -59,3 +56,64 @@ backstage: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 2 + + appConfig: + app: + title: Backstage (Sandbox) + baseUrl: https://backstage-us-east1.sb.gcp.osinfra.io + + organization: + name: Open Source Infrastructure (as Code) + + backend: + baseUrl: https://backstage-us-east1.sb.gcp.osinfra.io + + database: + client: pg + connection: + host: localhost + port: 5432 + user: ${POSTGRES_USER} + password: ${POSTGRES_PASSWORD} + + techdocs: + builder: 'local' + generator: + runIn: 'docker' + publisher: + type: 'local' + + auth: + providers: + gcpIap: + audience: /projects/362793201562/global/backendServices/7413458338808744263 + signIn: + resolvers: + - resolver: emailMatchingUserEntityProfileEmail + + permissions: + rules: + - name: backstage-admin-rule + resourceType: all + policy: allow + conditions: + - type: group + group: admins + + catalog: + locations: + - type: file + target: ./examples/admin.yaml + rules: + - allow: [User, Group] + + permission: + enable: true + +service: + annotations: + cloud.google.com/backend-config: '{"default": "backstage-backend"}' + type: NodePort + +serviceAccount: + name: backstage-workload-identity-sa diff --git a/deployments/regional/locals.tf b/deployments/regional/locals.tf index bfebae2..bdd3999 100755 --- a/deployments/regional/locals.tf +++ b/deployments/regional/locals.tf 
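Review bot: The new `appConfig` block hard-codes sandbox values — `title: Backstage (Sandbox)`, `app.baseUrl` and `backend.baseUrl` both `https://backstage-us-east1.sb.gcp.osinfra.io`, and the numeric `gcpIap.audience` — in a values file the `helm_release` applies to every environment, while locals.tf derives a per-environment `hostname`; a production release would therefore come up with the sandbox URLs and an audience that cannot match its own backend service unless these keys are overridden through `helm_values`. Set `backstage.appConfig.app.baseUrl` and `backstage.appConfig.backend.baseUrl` from `local.hostname` in `helm_values` and source the audience per environment, leaving this file environment-neutral. I could not match `permissions.rules` to a key the Backstage permission framework reads — if nothing consumes it, the effective policy is whatever the backend compiles in, so confirm that rather than rely on this block to limit non-admins. A comment above `audience` naming the project and backend service it identifies would make the two numeric IDs reviewable.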
@@ -28,7 +28,6 @@ locals { } : {} helm_values = { - "backstage.args[1]" = "app-config.${module.helpers.environment}.yaml" "backstage.extraContainers[0].args[2]" = "${data.google_project.backstage.project_id}:${module.helpers.region}:${module.cloud_sql.instance}" "backstage.image.registry" = local.registry "backstage.image.tag" = var.backstage_version @@ -41,6 +40,9 @@ locals { # "backstage.resources.requests.memory" = var.backstage_resources_requests_memory } + hostname = module.helpers.environment == "production" ? "backstage-${module.helpers.region}.gcp.osinfra.io" : "backstage-${module.helpers.region}.${module.helpers.env}.gcp.osinfra.io" kubernetes_project = module.helpers.environment == "sandbox" ? "plt-k8s-tf39-sb" : module.helpers.environment == "production" ? "plt-k8s-tf10-prod" : "plt-k8s-tf33-nonprod" + managed_zone = module.helpers.environment == "production" ? "gcp-osinfra-io" : "${module.helpers.env}-gcp-osinfra-io" + main = data.terraform_remote_state.main.outputs registry = module.helpers.environment == "sandbox" ? "us-docker.pkg.dev/plt-lz-services-tf7f-sb/plt-docker-virtual" : "us-docker.pkg.dev/plt-lz-services-tf79-prod/plt-docker-virtual" } diff --git a/deployments/regional/main.tf b/deployments/regional/main.tf index 03a1aef..ced7e26 100755 --- a/deployments/regional/main.tf +++ b/deployments/regional/main.tf @@ -1,3 +1,17 @@ +# Terraform Remote State Datasource +# https://www.terraform.io/docs/language/state/remote-state-data.html + +data "terraform_remote_state" "main" { + backend = "gcs" + + config = { + bucket = var.remote_bucket + prefix = module.helpers.repository + } + + workspace = "main-${module.helpers.environment}" +} + # Google Cloud SQL Module (osinfra.io) # https://github.com/osinfra-io/terraform-google-cloud-sql 
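Review bot: `main = data.terraform_remote_state.main.outputs` in locals.tf pulls every root-stack output into this stack, including `backstage_iap_client_secret`, so any principal able to plan the regional stack can read the IAP client secret, and the value is copied into the regional state once it is written to a Kubernetes Secret; the data source added in the main.tf hunk on this line deserves a comment to that effect, e.g. `# Exposes all root-stack outputs, including the sensitive IAP client secret; bucket read access is effectively secret access`. That data source's `prefix = module.helpers.repository` and `workspace = "main-${module.helpers.environment}"` also depend on the helpers.tf rename to `backstage` in this commit — if the root state is stored under another prefix or workspace name, the lookup fails or `local.main` lacks the keys, so name the expected path in a comment. The `hostname` and `managed_zone` locals use `module.helpers.env` alongside `module.helpers.environment`; presumably `env` is the short code, but confirm the helpers module exports it.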
@@ -5,7 +19,7 @@ module "cloud_sql" { source = "github.com/osinfra-io/terraform-google-cloud-sql//regional?ref=v0.2.1" deletion_protection = false - host_project_id = var.cloud_sql_host_project_id + host_project_id = var.networking_project_id instance_name = "backstage" labels = module.helpers.labels network = "standard-shared" @@ -69,6 +83,19 @@ resource "datadog_synthetics_test" "this" { type = "api" } +# DNS Record Set Resource +# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set + +resource "google_dns_record_set" "backstage_a_record" { + project = var.networking_project_id + name = "${local.hostname}." # Trailing dot is required + managed_zone = local.managed_zone + type = "A" + ttl = 300 + + rrdatas = [kubernetes_ingress_v1.backstage.status.0.load_balancer.0.ingress.0.ip] +} + # Cloud SQL Database Resource # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database 
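Review bot: `rrdatas = [kubernetes_ingress_v1.backstage.status.0.load_balancer.0.ingress.0.ip]` in `google_dns_record_set.backstage_a_record` uses the legacy `.0` attribute-index form; write it as `status[0].load_balancer[0].ingress[0].ip`. The expression errors if the ingress has no load-balancer entry yet, which only holds because `wait_for_load_balancer = true` is set on the ingress in a later hunk — add a comment here naming that dependency. The record is written to the shared-VPC project's `local.managed_zone`, which is worth stating in the resource comment since the zone is not managed in this stack.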
@@ -117,9 +144,95 @@ resource "helm_release" "backstage" { ] } +# Kubernetes Ingress Resource +# https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1 + +resource "kubernetes_ingress_v1" "backstage" { + metadata { + name = "backstage" + namespace = "backstage" + + annotations = { + "kubernetes.io/ingress.allow-http" = "false" + "networking.gke.io/managed-certificates" = kubernetes_manifest.backstage_tls.manifest.metadata.name + } + } + spec { + rule { + host = local.hostname + + http { + path { + backend { + service { + name = "backstage" + port { + number = 7007 + } + } + } + } + } + } + } + wait_for_load_balancer = true +} + +# Kubernetes Manifest Resource +# https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest + +resource "kubernetes_manifest" "backstage_backend_config" { + manifest = { + "apiVersion" = "cloud.google.com/v1" + "kind" = "BackendConfig" + "metadata" = { + "name" = "backstage-backend" + "namespace" = "backstage" + } + "spec" = { + "iap" = { + "enabled" = true + "oauthclientCredentials" = { + "secretName" = kubernetes_secret_v1.iap.metadata.0.name + } + } + } + } +} + +resource "kubernetes_manifest" "backstage_tls" { + manifest = { + "apiVersion" = "networking.gke.io/v1" + "kind" = "ManagedCertificate" + "metadata" = { + "name" = "backstage-tls" + "namespace" = "backstage" + } + "spec" = { + "domains" = [ + local.hostname, + ] + } + } +} + # Kubernetes Secret Resource # https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret +resource "kubernetes_secret_v1" "iap" { + + data = { + client_id = local.main.backstage_iap_client_id + client_secret = local.main.backstage_iap_client_secret + } + + metadata { + name = "iap" + namespace = "backstage" + } + +} + resource "kubernetes_secret" "postgres" { metadata { name = "postgres-secrets" 
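Review bot: `kubernetes_secret_v1.iap` places `data` before `metadata` and has stray blank lines inside the block, unlike `kubernetes_secret.postgres` directly below; reorder to `metadata` first, drop the blank lines, and add a comment that the `client_id`/`client_secret` keys are what the `BackendConfig`'s `oauthclientCredentials.secretName` reference expects and that the values are copied from remote state into this stack's plaintext state. Using both `kubernetes_secret` and `kubernetes_secret_v1` in one file is inconsistent; migrate the postgres secret to `_v1` in a follow-up. `kubernetes_manifest` for the `BackendConfig` and `ManagedCertificate` kinds requires the cluster and those CRDs to be reachable at plan time, a documented provider limitation that a comment should warn about since a first plan against a fresh cluster will fail. IAP is enforced at the GCLB backend only; the `backstage` NodePort service stays reachable from inside the cluster and VPC, so if the backend is meant to be reached only through IAP, a NetworkPolicy limiting pod ingress to the load-balancer and health-check ranges would close that path — confirm whether in-cluster access is intended.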
diff --git a/deployments/regional/tfvars/us-east1-b-production.tfvars b/deployments/regional/tfvars/us-east1-b-production.tfvars index dcea92b..38f7e3f 100755 --- a/deployments/regional/tfvars/us-east1-b-production.tfvars +++ b/deployments/regional/tfvars/us-east1-b-production.tfvars @@ -1 +1,2 @@ -cloud_sql_host_project_id = "plt-lz-networking-tfcb-prod" +networking_project_id = "plt-lz-networking-tfcb-prod" +remote_bucket = "plt-backstage-53a5-prod" diff --git a/deployments/regional/tfvars/us-east1-b-sandbox.tfvars b/deployments/regional/tfvars/us-east1-b-sandbox.tfvars index 6897936..eb8485b 100755 --- a/deployments/regional/tfvars/us-east1-b-sandbox.tfvars +++ b/deployments/regional/tfvars/us-east1-b-sandbox.tfvars @@ -1 +1,2 @@ -cloud_sql_host_project_id = "plt-lz-networking-tfd8-sb" +networking_project_id = "plt-lz-networking-tfd8-sb" +remote_bucket = "plt-backstage-4312-sb" diff --git a/deployments/regional/variables.tf b/deployments/regional/variables.tf index 8ae79f7..163ddd1 100755 --- a/deployments/regional/variables.tf +++ b/deployments/regional/variables.tf @@ -33,11 +33,6 @@ variable "backstage_version" { type = string } -variable "cloud_sql_host_project_id" { - description = "Host project ID for the shared VPC" - type = string -} - variable "datadog_api_key" { description = "Datadog API key" type = string @@ -49,3 +44,13 @@ variable "datadog_app_key" { type = string sensitive = true } + +variable "networking_project_id" { + description = "The project ID for the shared VPC" + type = string +} + +variable "remote_bucket" { + description = "The remote bucket the `terraform_remote_state` data source retrieves the state from" + type = string +} diff --git a/deployments/shared/helpers.tf b/deployments/shared/helpers.tf index 932941a..da76aef 100755 --- a/deployments/shared/helpers.tf +++ b/deployments/shared/helpers.tf 
@@ -6,6 +6,6 @@ module "helpers" { cost_center = "x001" data_classification = "public" - repository = "google-cloud-kubernetes" - team = "platform-google-cloud-kubernetes" + repository = "backstage" + team = "platform-backstage" } diff --git a/deployments/tfvars/sandbox.tfvars b/deployments/tfvars/sandbox.tfvars index d3da909..0ff5698 100755 --- a/deployments/tfvars/sandbox.tfvars +++ b/deployments/tfvars/sandbox.tfvars @@ -1,3 +1,4 @@ +k8s_workload_identity_service_account = "gke-tfd1617e-workload-identity@plt-k8s-tf39-sb.iam.gserviceaccount.com" project_cis_2_2_logging_sink_project_id = "plt-lz-audit01-tf92-sb" project_folder_id = "779017192334" project_monthly_budget_amount = 10 diff --git a/deployments/variables.tf b/deployments/variables.tf index 672af41..3da0c91 100755 --- a/deployments/variables.tf +++ b/deployments/variables.tf @@ -16,6 +16,11 @@ variable "datadog_enable" { default = false } +variable "k8s_workload_identity_service_account" { + description = "The service account to use for the workload identity" + type = string +} + variable "project_billing_account" { description = "The alphanumeric ID of the billing account this project belongs to" type = string diff --git a/gimp/osinfra-full.xcf b/gimp/osinfra-full.xcf deleted file mode 100644 index 46ce801..0000000 Binary files a/gimp/osinfra-full.xcf and /dev/null differ diff --git a/gimp/osinfra-mirko.xcf b/gimp/osinfra-mirko.xcf deleted file mode 100644 index 10dec39..0000000 Binary files a/gimp/osinfra-mirko.xcf and /dev/null differ
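Review bot: Changing `repository` and `team` in `module "helpers"` alters `module.helpers.labels` on every labelled resource (the `cloud_sql` module passes them through) and, via the new `terraform_remote_state` data source in deployments/regional/main.tf, the GCS prefix the regional stack looks up, so this is a state-affecting change rather than a cosmetic rename; a comment such as `# repository also sets the GCS state prefix read by deployments/regional` would flag that. The `k8s_workload_identity_service_account` variable in the deployments/variables.tf hunk receives `roles/cloudsql.client`; a `validation` block asserting the value ends in `.iam.gserviceaccount.com` would catch a human email pasted into the tfvars by mistake, which would otherwise grant the role to that person. The `module "helpers"` block starts above the hunk.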