Merge pull request #1 from humanitec-architecture/secretrefs

feat(backstage): use secret refs
humanitec-architecture · Jun 10, 2024 · 06b9a94 · 06b9a94
2 parents 2472284 + af78e3f
commit 06b9a94
Show file tree

Hide file tree

Showing 5 changed files with 80 additions and 53 deletions.
diff --git a/modules/portal-backstage/README.md b/modules/portal-backstage/README.md
@@ -21,14 +21,12 @@ This module deploys the [Humanitec Reference Architecture Backstage](https://git
 |------|---------|
 | github | ~> 5.38 |
 | humanitec | ~> 1.0 |
-| random | ~> 3.5 |
 
 ### Resources
 
 | Name | Type |
 |------|------|
 | [github_repository.backstage](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
-| [humanitec_value.app_config_backend_auth_keys](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
 | [humanitec_value.backstage_cloud_provider](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
 | [humanitec_value.backstage_github_app_client_id](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
 | [humanitec_value.backstage_github_app_client_secret](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
@@ -38,20 +36,21 @@ This module deploys the [Humanitec Reference Architecture Backstage](https://git
 | [humanitec_value.backstage_github_org_id](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
 | [humanitec_value.backstage_humanitec_org](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
 | [humanitec_value.backstage_humanitec_token](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
-| [random_bytes.backstage_service_to_service_auth_key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/bytes) | resource |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | cloud\_provider | Used cloud provider. Possible values: aws, azure, gcp | `string` | n/a | yes |
-| github\_app\_client\_id | GitHub App Client ID | `string` | n/a | yes |
-| github\_app\_client\_secret | GitHub App Client Secret | `string` | n/a | yes |
+| github\_app\_client\_id\_ref | GitHub App Client ID (Secret Store reference) | <pre>object({<br>    ref     = optional(string)<br>    store   = optional(string)<br>    value   = optional(string)<br>    version = optional(string)<br>  })</pre> | n/a | yes |
+| github\_app\_client\_secret\_ref | GitHub App Client Secret (Secret Store reference) | <pre>object({<br>    ref     = optional(string)<br>    store   = optional(string)<br>    value   = optional(string)<br>    version = optional(string)<br>  })</pre> | n/a | yes |
 | github\_app\_id | GitHub App ID | `string` | n/a | yes |
-| github\_app\_private\_key | GitHub App Private Key | `string` | n/a | yes |
+| github\_app\_private\_key\_ref | GitHub App Private Key (Secret Store reference) | <pre>object({<br>    ref     = optional(string)<br>    store   = optional(string)<br>    value   = optional(string)<br>    version = optional(string)<br>  })</pre> | n/a | yes |
 | github\_org\_id | GitHub org id | `string` | n/a | yes |
-| github\_webhook\_secret | GitHub Webhook Secret | `string` | n/a | yes |
+| github\_webhook\_secret\_ref | GitHub Webhook Secret (Secret Store reference) | <pre>object({<br>    ref     = optional(string)<br>    store   = optional(string)<br>    value   = optional(string)<br>    version = optional(string)<br>  })</pre> | n/a | yes |
 | humanitec\_app\_id | Humanitec Application ID | `string` | n/a | yes |
-| humanitec\_ci\_service\_user\_token | Humanitec CI Service User Token | `string` | n/a | yes |
+| humanitec\_ci\_service\_user\_token\_ref | Humanitec CI Service User Token (Secret Store reference) | <pre>object({<br>    ref     = optional(string)<br>    store   = optional(string)<br>    value   = optional(string)<br>    version = optional(string)<br>  })</pre> | n/a | yes |
 | humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes |
+| backstage\_template\_owner | Backstage template owner | `string` | `"humanitec-architecture"` | no |
+| backstage\_template\_repository | Backstage template repository | `string` | `"backstage"` | no |
 <!-- END_TF_DOCS -->
diff --git a/modules/portal-backstage/backstage-github.tf b/modules/portal-backstage/backstage-github.tf
@@ -11,7 +11,7 @@ resource "github_repository" "backstage" {
   visibility = "public"
 
   template {
-    owner      = "humanitec-architecture"
-    repository = "backstage"
+    owner      = var.backstage_template_owner
+    repository = var.backstage_template_repository
   }
 }
diff --git a/modules/portal-backstage/main.tf b/modules/portal-backstage/main.tf
@@ -20,31 +20,31 @@ resource "humanitec_value" "backstage_github_app_client_id" {
   app_id      = var.humanitec_app_id
   key         = "GITHUB_APP_CLIENT_ID"
   description = ""
-  value       = var.github_app_client_id
+  secret_ref  = var.github_app_client_id_ref
   is_secret   = true
 }
 
 resource "humanitec_value" "backstage_github_app_client_secret" {
   app_id      = var.humanitec_app_id
   key         = "GITHUB_APP_CLIENT_SECRET"
   description = ""
-  value       = var.github_app_client_secret
+  secret_ref  = var.github_app_client_secret_ref
   is_secret   = true
 }
 
 resource "humanitec_value" "backstage_github_app_private_key" {
   app_id      = var.humanitec_app_id
   key         = "GITHUB_APP_PRIVATE_KEY"
   description = ""
-  value       = indent(2, var.github_app_private_key)
+  secret_ref  = var.github_app_private_key_ref
   is_secret   = true
 }
 
 resource "humanitec_value" "backstage_github_app_webhook_secret" {
   app_id      = var.humanitec_app_id
   key         = "GITHUB_APP_WEBHOOK_SECRET"
   description = ""
-  value       = var.github_webhook_secret
+  secret_ref  = var.github_webhook_secret_ref
   is_secret   = true
 }
 
@@ -60,7 +60,7 @@ resource "humanitec_value" "backstage_humanitec_token" {
   app_id      = var.humanitec_app_id
   key         = "HUMANITEC_TOKEN"
   description = ""
-  value       = var.humanitec_ci_service_user_token
+  secret_ref  = var.humanitec_ci_service_user_token_ref
   is_secret   = true
 }
 
@@ -71,17 +71,3 @@ resource "humanitec_value" "backstage_cloud_provider" {
   value       = var.cloud_provider
   is_secret   = false
 }
-
-resource "random_bytes" "backstage_service_to_service_auth_key" {
-  length = 24
-}
-
-resource "humanitec_value" "app_config_backend_auth_keys" {
-  app_id      = var.humanitec_app_id
-  key         = "APP_CONFIG_backend_auth_keys"
-  description = "Backstage service-to-service-auth keys"
-  value = jsonencode([{
-    secret = random_bytes.backstage_service_to_service_auth_key.base64
-  }])
-  is_secret = true
-}
diff --git a/modules/portal-backstage/terraform.tfvars.example b/modules/portal-backstage/terraform.tfvars.example
@@ -1,30 +1,36 @@
 
+# Backstage template owner
+backstage_template_owner = "humanitec-architecture"
+
+# Backstage template repository
+backstage_template_repository = "backstage"
+
 # Used cloud provider. Possible values: aws, azure, gcp
 cloud_provider = ""
 
-# GitHub App Client ID
-github_app_client_id = ""
+# GitHub App Client ID (Secret Store reference)
+github_app_client_id_ref = ""
 
-# GitHub App Client Secret
-github_app_client_secret = ""
+# GitHub App Client Secret (Secret Store reference)
+github_app_client_secret_ref = ""
 
 # GitHub App ID
 github_app_id = ""
 
-# GitHub App Private Key
-github_app_private_key = ""
+# GitHub App Private Key (Secret Store reference)
+github_app_private_key_ref = ""
 
 # GitHub org id
 github_org_id = ""
 
-# GitHub Webhook Secret
-github_webhook_secret = ""
+# GitHub Webhook Secret (Secret Store reference)
+github_webhook_secret_ref = ""
 
 # Humanitec Application ID
 humanitec_app_id = ""
 
-# Humanitec CI Service User Token
-humanitec_ci_service_user_token = ""
+# Humanitec CI Service User Token (Secret Store reference)
+humanitec_ci_service_user_token_ref = ""
 
 # Humanitec Organization ID
 humanitec_org_id = ""
diff --git a/modules/portal-backstage/variables.tf b/modules/portal-backstage/variables.tf
@@ -13,38 +13,74 @@ variable "humanitec_app_id" {
   type        = string
 }
 
-variable "humanitec_ci_service_user_token" {
-  description = "Humanitec CI Service User Token"
-  type        = string
-  sensitive   = true
+variable "humanitec_ci_service_user_token_ref" {
+  description = "Humanitec CI Service User Token (Secret Store reference)"
+  type = object({
+    ref     = optional(string)
+    store   = optional(string)
+    value   = optional(string)
+    version = optional(string)
+  })
 }
 
 variable "github_org_id" {
   description = "GitHub org id"
   type        = string
 }
 
-variable "github_app_client_id" {
-  description = "GitHub App Client ID"
-  type        = string
+variable "github_app_client_id_ref" {
+  description = "GitHub App Client ID (Secret Store reference)"
+  type = object({
+    ref     = optional(string)
+    store   = optional(string)
+    value   = optional(string)
+    version = optional(string)
+  })
 }
 
-variable "github_app_client_secret" {
-  description = "GitHub App Client Secret"
-  type        = string
+variable "github_app_client_secret_ref" {
+  description = "GitHub App Client Secret (Secret Store reference)"
+  type = object({
+    ref     = optional(string)
+    store   = optional(string)
+    value   = optional(string)
+    version = optional(string)
+  })
 }
 
 variable "github_app_id" {
   description = "GitHub App ID"
   type        = string
 }
 
-variable "github_webhook_secret" {
-  description = "GitHub Webhook Secret"
+variable "github_webhook_secret_ref" {
+  description = "GitHub Webhook Secret (Secret Store reference)"
+  type = object({
+    ref     = optional(string)
+    store   = optional(string)
+    value   = optional(string)
+    version = optional(string)
+  })
+}
+
+variable "github_app_private_key_ref" {
+  description = "GitHub App Private Key (Secret Store reference)"
+  type = object({
+    ref     = optional(string)
+    store   = optional(string)
+    value   = optional(string)
+    version = optional(string)
+  })
+}
+
+variable "backstage_template_owner" {
+  description = "Backstage template owner"
   type        = string
+  default     = "humanitec-architecture"
 }
 
-variable "github_app_private_key" {
-  description = "GitHub App Private Key"
+variable "backstage_template_repository" {
+  description = "Backstage template repository"
   type        = string
+  default     = "backstage"
 }