Support for Google Identity-Aware Proxy Provider

.pre-commit-config.yaml

@@ -31,7 +31,7 @@ repos:
           - --hook-config=--create-file-if-not-exist=false
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: 3.2.345
+    rev: 3.2.346
     hooks:
       - id: checkov
         files: Dockerfile

README.md

@@ -40,6 +40,20 @@ Links to documentation and other resources required to develop and iterate in th
 
 - [backstage](https://backstage.io/docs)
 
+### 🔍 Tests
+
+A local instance of Backstage can be used to test some of the changes made to the repository. You can go to the application
+directory and start the app using the `yarn dev` command. The `yarn dev` command will run both the frontend and backend as separate
+processes (named `[0]` and `[1]`) in the same window.
+
+```none
+cd app
+```
+
+```none
+yarn dev
+```
+
 ### 📓 Terraform Documentation
 
 - [main](deployments/README.md)

app/app-config.yaml

@@ -1,5 +1,5 @@
 app:
-  title: Backstage
+  title: Backstage (Local Development)
   baseUrl: http://localhost:3000
 
 organization:

app/examples/admin.yaml

@@ -0,0 +1,20 @@
+---
+# https://backstage.io/docs/features/software-catalog/descriptor-format#kind-user
+apiVersion: backstage.io/v1alpha1
+kind: User
+metadata:
+  name: admin
+spec:
+  profile:
+    displayName: Brett Curtis
+    email: [email protected]
+  memberOf: [admins]
+---
+# https://backstage.io/docs/features/software-catalog/descriptor-format#kind-group
+apiVersion: backstage.io/v1alpha1
+kind: Group
+metadata:
+  name: admins
+spec:
+  type: team
+  children: []

app/packages/app/src/App.tsx

@@ -29,6 +29,7 @@ import { Root } from './components/Root';
 import {
   AlertDisplay,
   OAuthRequestDialog,
+  ProxiedSignInPage,
   SignInPage,
 } from '@backstage/core-components';
 import { createApp } from '@backstage/app-defaults';
@@ -60,8 +61,11 @@ const app = createApp({
       catalogIndex: catalogPlugin.routes.catalogIndex,
     });
   },
+
   components: {
-    SignInPage: props => <SignInPage {...props} auto providers={['guest']} />,
+    SignInPage: props => process.env.NODE_ENV !== 'development'
+      ? <ProxiedSignInPage {...props} provider="gcpiap" />
+      : <SignInPage {...props} auto providers={['guest']} />,
   },
 
   themes: [{

app/packages/backend/package.json

@@ -20,6 +20,7 @@
     "@backstage/config": "backstage:^",
     "@backstage/plugin-app-backend": "backstage:^",
     "@backstage/plugin-auth-backend": "backstage:^",
+    "@backstage/plugin-auth-backend-module-gcp-iap-provider": "backstage:^",
     "@backstage/plugin-auth-backend-module-github-provider": "backstage:^",
     "@backstage/plugin-auth-backend-module-guest-provider": "backstage:^",
     "@backstage/plugin-auth-node": "backstage:^",

app/packages/backend/src/index.ts

@@ -21,6 +21,7 @@ backend.add(import('@backstage/plugin-auth-backend'));
 // See https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
 backend.add(import('@backstage/plugin-auth-backend-module-guest-provider'));
 // See https://backstage.io/docs/auth/guest/provider
+backend.add(import('@backstage/plugin-auth-backend-module-gcp-iap-provider'));
 
 // catalog plugin
 backend.add(import('@backstage/plugin-catalog-backend'));

app/yarn.lock

@@ -14037,6 +14037,7 @@ __metadata:
     "@backstage/config": "backstage:^"
     "@backstage/plugin-app-backend": "backstage:^"
     "@backstage/plugin-auth-backend": "backstage:^"
+    "@backstage/plugin-auth-backend-module-gcp-iap-provider": "backstage:^"
     "@backstage/plugin-auth-backend-module-github-provider": "backstage:^"
     "@backstage/plugin-auth-backend-module-guest-provider": "backstage:^"
     "@backstage/plugin-auth-node": "backstage:^"

deployments/README.md

@@ -7,7 +7,9 @@ No requirements.
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | 6.14.1 |
 
 ## Modules
 
@@ -19,7 +21,11 @@ No providers.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [google_iap_brand.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_brand) | resource |
+| [google_iap_client.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_client) | resource |
+| [google_project_iam_member.cloud_sql_proxy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 
 ## Inputs
 
@@ -28,12 +34,16 @@ No resources.
 | <a name="input_datadog_api_key"></a> [datadog\_api\_key](#input\_datadog\_api\_key) | Datadog API key | `string` | n/a | yes |
 | <a name="input_datadog_app_key"></a> [datadog\_app\_key](#input\_datadog\_app\_key) | Datadog APP key | `string` | n/a | yes |
 | <a name="input_datadog_enable"></a> [datadog\_enable](#input\_datadog\_enable) | Enable Datadog integration | `bool` | `false` | no |
+| <a name="input_k8s_workload_identity_service_account"></a> [k8s\_workload\_identity\_service\_account](#input\_k8s\_workload\_identity\_service\_account) | The service account to use for the workload identity | `string` | n/a | yes |
 | <a name="input_project_billing_account"></a> [project\_billing\_account](#input\_project\_billing\_account) | The alphanumeric ID of the billing account this project belongs to | `string` | `"01C550-A2C86B-B8F16B"` | no |
 | <a name="input_project_cis_2_2_logging_sink_project_id"></a> [project\_cis\_2\_2\_logging\_sink\_project\_id](#input\_project\_cis\_2\_2\_logging\_sink\_project\_id) | The CIS 2.2 logging sink benchmark project ID | `string` | n/a | yes |
 | <a name="input_project_folder_id"></a> [project\_folder\_id](#input\_project\_folder\_id) | The numeric ID of the folder this project should be created under. Only one of `org_id` or `folder_id` may be specified | `string` | n/a | yes |
 | <a name="input_project_monthly_budget_amount"></a> [project\_monthly\_budget\_amount](#input\_project\_monthly\_budget\_amount) | The monthly budget amount in USD to set for the project | `number` | `5` | no |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_backstage_iap_client_id"></a> [backstage\_iap\_client\_id](#output\_backstage\_iap\_client\_id) | n/a |
+| <a name="output_backstage_iap_client_secret"></a> [backstage\_iap\_client\_secret](#output\_backstage\_iap\_client\_secret) | n/a |
 <!-- END_TF_DOCS -->

deployments/main.tf

@@ -33,8 +33,44 @@ module "project" {
     "compute.googleapis.com",
     "container.googleapis.com",
     "iam.googleapis.com",
+    "iap.googleapis.com",
     "monitoring.googleapis.com",
     "servicenetworking.googleapis.com",
     "sqladmin.googleapis.com"
   ]
 }
+
+# IAP Client Brand Resource
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_brand
+
+# Brands can only be created once for a Google Cloud project and the underlying Google API doesn't not support DELETE or PATCH methods.
+# Destroying a Terraform-managed Brand will remove it from state but will not delete it from Google Cloud.
+# If you need to delete the Brand, you must do so manually in the Google Cloud Console.
+
+resource "google_iap_brand" "this" {
+  application_title = "Backstage"
+  project           = module.project.id
+
+  # This email address can either be a user's address or a Google Groups alias. While service accounts also have an email address,
+  # they are not actual valid email addresses, and cannot be used when creating a brand. However, a service account can be the owner
+  # of a Google Group.
+
+  support_email = "[email protected]"
+}
+
+# IAP Client Resource
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_client
+
+resource "google_iap_client" "this" {
+  brand        = google_iap_brand.this.name
+  display_name = "Backstage"
+}
+
+# Project IAM Member Resource
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member
+
+resource "google_project_iam_member" "cloud_sql_proxy" {
+  member  = "serviceAccount:${var.k8s_workload_identity_service_account}"
+  project = module.project.id
+  role    = "roles/cloudsql.client"
+}

deployments/outputs.tf

@@ -0,0 +1,11 @@
+# Output Values
+# https://www.terraform.io/language/values/outputs
+
+output "backstage_iap_client_id" {
+  value = google_iap_client.this.client_id
+}
+
+output "backstage_iap_client_secret" {
+  value     = google_iap_client.this.secret
+  sensitive = true
+}

deployments/regional/README.md

@@ -14,6 +14,7 @@ No requirements.
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.17.0 |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.35.1 |
 | <a name="provider_random"></a> [random](#provider\_random) | 3.6.3 |
+| <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 
 ## Modules
 
@@ -27,17 +28,23 @@ No requirements.
 | Name | Type |
 |------|------|
 | [datadog_synthetics_test.this](https://registry.terraform.io/providers/datadog/datadog/latest/docs/resources/synthetics_test) | resource |
+| [google_dns_record_set.backstage_a_record](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
 | [google_sql_database.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database) | resource |
 | [google_sql_user.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_user) | resource |
 | [helm_release.backstage](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_ingress_v1.backstage](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1) | resource |
+| [kubernetes_manifest.backstage_backend_config](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.backstage_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_secret.postgres](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_secret_v1.iap](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
 | [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [google_client_config.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
 | [google_container_cluster.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/container_cluster) | data source |
 | [google_project.backstage](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 | [google_project.k8s](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 | [google_projects.backstage](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/projects) | data source |
 | [google_projects.k8s](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/projects) | data source |
+| [terraform_remote_state.main](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
 
 ## Inputs
 
@@ -49,9 +56,10 @@ No requirements.
 | <a name="input_backstage_resources_requests_cpu"></a> [backstage\_resources\_requests\_cpu](#input\_backstage\_resources\_requests\_cpu) | The CPU request for the audit container | `string` | `"10m"` | no |
 | <a name="input_backstage_resources_requests_memory"></a> [backstage\_resources\_requests\_memory](#input\_backstage\_resources\_requests\_memory) | The memory request for the audit container | `string` | `"32Mi"` | no |
 | <a name="input_backstage_version"></a> [backstage\_version](#input\_backstage\_version) | The version of the Backstage deployment | `string` | n/a | yes |
-| <a name="input_cloud_sql_host_project_id"></a> [cloud\_sql\_host\_project\_id](#input\_cloud\_sql\_host\_project\_id) | Host project ID for the shared VPC | `string` | n/a | yes |
 | <a name="input_datadog_api_key"></a> [datadog\_api\_key](#input\_datadog\_api\_key) | Datadog API key | `string` | n/a | yes |
 | <a name="input_datadog_app_key"></a> [datadog\_app\_key](#input\_datadog\_app\_key) | Datadog APP key | `string` | n/a | yes |
+| <a name="input_networking_project_id"></a> [networking\_project\_id](#input\_networking\_project\_id) | The project ID for the shared VPC | `string` | n/a | yes |
+| <a name="input_remote_bucket"></a> [remote\_bucket](#input\_remote\_bucket) | The remote bucket the `terraform_remote_state` data source retrieves the state from | `string` | n/a | yes |
 
 ## Outputs