From 3a777ff2e5a2533ca95194c4bad157641f635052 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20W=C3=BCrbach?= Date: Wed, 12 Jun 2024 11:26:46 +0200 Subject: [PATCH] feat(portal-backstage): support custom claims --- modules/portal-backstage/README.md | 6 ++++ modules/portal-backstage/backstage-github.tf | 35 +++++++++++++++++++ modules/portal-backstage/providers.tf | 4 +++ .../portal-backstage/terraform.tfvars.example | 3 ++ modules/portal-backstage/variables.tf | 8 +++++ 5 files changed, 56 insertions(+) diff --git a/modules/portal-backstage/README.md b/modules/portal-backstage/README.md index 254bbb4..6c49b5c 100644 --- a/modules/portal-backstage/README.md +++ b/modules/portal-backstage/README.md @@ -14,6 +14,7 @@ This module deploys the [Humanitec Reference Architecture Backstage](https://git | github | ~> 5.38 | | humanitec | ~> 1.0 | | random | ~> 3.5 | +| time | ~> 0.11 | ### Providers 
@@ -21,12 +22,15 @@ This module deploys the [Humanitec Reference Architecture Backstage](https://git |------|---------| | github | ~> 5.38 | | humanitec | ~> 1.0 | +| time | ~> 0.11 | ### Resources | Name | Type | |------|------| +| [github_actions_repository_oidc_subject_claim_customization_template.backstage](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_repository_oidc_subject_claim_customization_template) | resource | | [github_repository.backstage](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource | +| [github_repository_file.re_deploy](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource | | [humanitec_value.backstage_cloud_provider](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource | | [humanitec_value.backstage_github_app_client_id](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource | | [humanitec_value.backstage_github_app_client_secret](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource | @@ -36,6 +40,7 @@ This module deploys the [Humanitec Reference Architecture Backstage](https://git | [humanitec_value.backstage_github_org_id](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource | | [humanitec_value.backstage_humanitec_org](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource | | [humanitec_value.backstage_humanitec_token](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource | +| [time_sleep.wait_after_claims_change](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | ### Inputs 
@@ -51,6 +56,7 @@ This module deploys the [Humanitec Reference Architecture Backstage](https://git | humanitec\_app\_id | Humanitec Application ID | `string` | n/a | yes | | humanitec\_ci\_service\_user\_token\_ref | Humanitec CI Service User Token (Secret Store reference) |
object({
ref = optional(string)
store = optional(string)
value = optional(string)
version = optional(string)
})
| n/a | yes | | humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes | +| backstage\_repo\_custom\_claim\_keys | Custom claim keys for the OIDC subject claim customization template | `list(string)` | `null` | no | | backstage\_template\_owner | Backstage template owner | `string` | `"humanitec-architecture"` | no | | backstage\_template\_repository | Backstage template repository | `string` | `"backstage"` | no | diff --git a/modules/portal-backstage/backstage-github.tf b/modules/portal-backstage/backstage-github.tf index 9563310..2f1c663 100644 --- a/modules/portal-backstage/backstage-github.tf +++ b/modules/portal-backstage/backstage-github.tf 
@@ -15,3 +15,38 @@ resource "github_repository" "backstage" {
 repository = var.backstage_template_repository
 }
 }
+
+# Required as Azure doesn't support wildcards in scopes https://github.com/Azure/azure-workload-identity/issues/373
+# More details in https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-token-claims
+resource "github_actions_repository_oidc_subject_claim_customization_template" "backstage" {
+ count = var.backstage_repo_custom_claim_keys != null ? 1 : 0
+
+ repository = github_repository.backstage.name
+ use_default = false
+ include_claim_keys = var.backstage_repo_custom_claim_keys
+}
+
+# Wait for the initial post-repo create action run to start
+resource "time_sleep" "wait_after_claims_change" {
+ count = var.backstage_repo_custom_claim_keys != null ? 1 : 0
+
+ create_duration = "30s"
+
+ depends_on = [github_actions_repository_oidc_subject_claim_customization_template.backstage]
+}
+
+# Redeploy after the custom claim keys change
+resource "github_repository_file" "re_deploy" {
+ count = var.backstage_repo_custom_claim_keys != null ? 1 : 0
+
+ repository = github_repository.backstage.name
+ branch = "main"
+ file = ".github/redeploy"
+ content = "redeploy after claim keys change"
+ commit_message = "Redeploy after claim keys change"
+ commit_author = "github-actions[bot]"
+ commit_email = "41898282+github-actions[bot]@users.noreply.github.com"
+ overwrite_on_create = true
+
+ depends_on = [time_sleep.wait_after_claims_change]
+}
diff --git a/modules/portal-backstage/providers.tf b/modules/portal-backstage/providers.tf
index 30a1f60..6b9dc0a 100644
--- a/modules/portal-backstage/providers.tf
+++ b/modules/portal-backstage/providers.tf
@@ -16,6 +16,10 @@ terraform {
 source = "hashicorp/random"
 version = "~> 3.5"
 }
+ time = {
+ source = "hashicorp/time"
+ version = "~> 0.11"
+ }
 }
 required_version = ">= 1.3.0"
 }
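Review bot: The commit made by `github_repository_file.re_deploy` is attributed to `github-actions[bot]` with the bot's noreply address, but it is pushed with whatever credentials the GitHub provider holds, so the branch history records an automated identity that did not make the change and anyone auditing pushes to `main` cannot tell this module's commits from real workflow commits; drop `commit_author`/`commit_email` so the provider identity is recorded, or use a name that identifies this module. Separately, `content` is a constant string, so after the first apply a change to `backstage_repo_custom_claim_keys` updates the claim template but never produces a new commit (and `time_sleep` only delays on create), meaning the "Redeploy after the custom claim keys change" comment only holds for the initial creation; deriving the content from the keys, e.g. `content = "redeploy after claim keys change: ${join(",", var.backstage_repo_custom_claim_keys)}"`, makes the file change whenever the keys do. The direct push to `branch = "main"` also bypasses any review that branch protection on that branch would otherwise require, which is worth a comment next to the resource so operators know the provider token needs push rights there.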
diff --git a/modules/portal-backstage/terraform.tfvars.example b/modules/portal-backstage/terraform.tfvars.example
index 1b1eb6c..ebe38ec 100644
--- a/modules/portal-backstage/terraform.tfvars.example
+++ b/modules/portal-backstage/terraform.tfvars.example
@@ -1,4 +1,7 @@
+# Custom claim keys for the OIDC subject claim customization template
+backstage_repo_custom_claim_keys = ""
+
 # Backstage template owner
 backstage_template_owner = "humanitec-architecture"
diff --git a/modules/portal-backstage/variables.tf b/modules/portal-backstage/variables.tf
index 9175a79..da28ecd 100644
--- a/modules/portal-backstage/variables.tf
+++ b/modules/portal-backstage/variables.tf
@@ -84,3 +84,11 @@ variable "backstage_template_repository" {
 type = string
 default = "backstage"
 }
+
+# Required as Azure doesn't support wildcards in scopes https://github.com/Azure/azure-workload-identity/issues/373
+# More details in https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-token-claims
+variable "backstage_repo_custom_claim_keys" {
+ description = "Custom claim keys for the OIDC subject claim customization template"
+ type = list(string)
+ default = null
+}
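Review bot: The example value `backstage_repo_custom_claim_keys = ""` does not match the variable's declared type `list(string)` in variables.tf, so a user who copies the example as-is gets a type error at plan time rather than the default behaviour of leaving the claim template alone. Show a list value instead, and since the feature is opt-in (the resources are created only when the variable is non-null) keep it commented out, e.g. `# backstage_repo_custom_claim_keys = ["repo", "context"]` with a comment that leaving it unset (null) keeps GitHub's default subject claim.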
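Review bot: `backstage_repo_custom_claim_keys` is passed straight into `include_claim_keys` with `use_default = false` and no validation, yet per the linked GitHub documentation these keys alone form the token's `sub` claim, which is the value a cloud federated-credential trust matches; a list that omits a repository-identifying key (for example only `repository_owner`) appears to widen that trust to any repository in the organisation, and an empty list passes the `!= null` count check but is not a usable template. Add a validation block rejecting an empty list and spell out in the description that the chosen keys determine the exact subject string the cloud-side trust must match, so the caller keeps a repository-scoping key. The `null`-check in the condition must use a conditional rather than `||` because Terraform evaluates both operands and `length(null)` errors.
```hcl
variable "backstage_repo_custom_claim_keys" {
  description = "Custom claim keys for the OIDC subject claim customization template. With use_default = false these keys alone form the token's sub claim that the cloud federated-credential trust must match exactly, so keep a repository-scoping key such as repo. null leaves GitHub's default subject claim in place."
  type        = list(string)
  default     = null

  validation {
    condition     = var.backstage_repo_custom_claim_keys == null ? true : length(var.backstage_repo_custom_claim_keys) > 0
    error_message = "backstage_repo_custom_claim_keys must be null or a non-empty list of claim keys."
  }
}
```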