Merge pull request #24 from htc-demo-00/cleanup

chore: tflint and cleanup

.github/workflows/ci.yaml

@@ -20,7 +20,7 @@ jobs:
       - name: Install terraform-docs
         run: |
           WORK_DIR=$(mktemp -d)
-          curl -Lo ${WORK_DIR}/terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz
+          curl -Lo ${WORK_DIR}/terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.18.0/terraform-docs-v0.18.0-$(uname)-amd64.tar.gz
           cd ${WORK_DIR}
           tar -xzf terraform-docs.tar.gz
           chmod +x terraform-docs
@@ -31,11 +31,14 @@ jobs:
       - name: Check git diff is clean (all files generated should be committed)
         run: git diff --exit-code
 
-      - name: Terraform Format Check
-        run: make fmt-check
+      - uses: terraform-linters/setup-tflint@v4
+        with:
+          tflint_version: v0.51.1
+      - name: Terraform Lint
+        run: make lint
 
       - name: Stub GitHub App credentials (required for validation)
-        run: cd ./examples/with-backstage && STUB_FILE=1 node create-gh-app/index.js
+        run: cd ./examples/with-backstage && docker run --rm -e STUB_FILE=1 -v $(pwd):/pwd ghcr.io/humanitec-architecture/create-gh-app
 
       - name: Terraform Validate
         run: make validate

.tflint.hcl

@@ -0,0 +1,10 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}
+
+plugin "aws" {
+  enabled = true
+  version = "0.31.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}

Makefile

@@ -1,14 +1,18 @@
 TF_DIRS = $(patsubst %/main.tf, %, $(shell find . -type d -name .terraform -prune -o -name 'main.tf' -print))
 VALIDATE_TF_DIRS = $(addprefix validate-,$(TF_DIRS))
+LINT_TF_DIRS = $(addprefix lint-,$(TF_DIRS))
+DOCS_TF_DIRS = $(addprefix docs-,$(TF_DIRS))
+
+# Generate docs for a terraform directories
+$(DOCS_TF_DIRS): docs-%:
+	@echo "Docs $*"
+	terraform-docs --config docs/.terraform-docs.yaml $*
+	terraform-docs --config docs/.terraform-docs-example.yaml $*
 
 # Generate docs
 .PHONY: docs
-docs:
-	terraform-docs --lockfile=false ./modules/base
-	terraform-docs --config docs/.terraform-docs.yaml .
-	terraform-docs --config docs/.terraform-docs-example.yaml .
-	terraform-docs --config docs/.terraform-docs.yaml ./examples/with-backstage
-	terraform-docs --config docs/.terraform-docs-example.yaml ./examples/with-backstage
+docs: $(DOCS_TF_DIRS)
+	@echo "All docs generated"
 
 # Format all terraform files
 fmt:
@@ -27,3 +31,16 @@ $(VALIDATE_TF_DIRS): validate-%:
 # Validate all terraform directories
 validate: $(VALIDATE_TF_DIRS)
 	@echo "All validated"
+
+# Lint a terraform directories
+$(LINT_TF_DIRS): lint-%:
+	@echo "Lint $*"
+	tflint --config "$(PWD)/.tflint.hcl" --chdir="$*"
+
+# Initialize tflint
+lint-init:
+	tflint --init
+
+# Lint all terraform directories
+lint: lint-init $(LINT_TF_DIRS) fmt-check
+	@echo "All linted"

README.md

@@ -184,7 +184,9 @@ Once you are finished with the reference architecture, you can remove all provis
 |------|---------|
 | terraform | >= 1.3.0 |
 | aws | ~> 5.17 |
+| helm | ~> 2.12 |
 | humanitec | ~> 1.0 |
+| kubernetes | ~> 2.25 |
 
 ### Modules
 

examples/with-backstage/README.md

@@ -5,24 +5,30 @@ Provisions the AWS reference architecture connected to Humanitec and installs Ba
 ## Prerequisites
 
 * The same prerequisites as the [base reference architecture](../../README.md#prerequisites), plus the following items.
-* A GitHub organization and permission to create new repositories in it. Go to https://github.com/account/organizations/new to create a new org (the "Free" option is fine). Note: is has to be an organization, a free account is not sufficient.
+* A GitHub organization and permission to create new repositories in it. Go to <https://github.com/account/organizations/new> to create a new org (the "Free" option is fine). Note: is has to be an organization, a free account is not sufficient.
 * Create a classic github personal access token with `repo`, `workflow`, `delete_repo` and `admin:org` scope [here](https://github.com/settings/tokens).
 * Set the `GITHUB_TOKEN` environment variable to your token.
-  ```
+
+  ```bash
   export GITHUB_TOKEN="my-github-token"
   ```
+
 * Set the `GITHUB_ORG_ID` environment variable to your GitHub organization ID.
-  ```
+
+  ```bash
   export GITHUB_ORG_ID="my-github-org-id"
   ```
+
 * [Node.js](https://nodejs.org) installed locally.
-* Install the GitHub App for Backstage into your GitHub organization using `node create-gh-app/index.js`. Follow the instructions.
-  * “All repositories” ~> Install
-  * “Okay, […] was installed on the […] account.” ~> You can close the window and server.
+* Install the GitHub App for Backstage into your GitHub organization
+  * Run `docker run --rm -it -e GITHUB_ORG_ID -v $(pwd):/pwd -p 127.0.0.1:3000:3000 ghcr.io/humanitec-architecture/create-gh-app` ([image source](https://github.com/humanitec-architecture/create-gh-app/)) and follow the instructions:
+    * “All repositories” ~> Install
+    * “Okay, […] was installed on the […] account.” ~> You can close the window and server.
 
 ## Usage
 
 Follow the same steps as for the [base layer](../../README.md#usage), applying these modifications:
+
 * Execute `cd ./examples/with-backstage` after cloning the repo. Execute all subsequent commands in this directory.
 * In particular, use the `./examples/with-backstage/terraform.tfvars.example` file as the basis for your `terraform.tfvars` file. It defines additional variables needed to setup and configure Backstage.
 
@@ -32,31 +38,38 @@ Check for the existence of key elements of the backstage module. This is a subse
 
 1. Perform the [verification steps of the base installation](../../README.md) if you have not already done so.
 2. Verify the existence of the Backstage Application in your Humanitec Organization:
+
    ```
    curl -s https://api.humanitec.io/orgs/${HUMANITEC_ORG}/apps/backstage \
      --header "Authorization: Bearer ${HUMANITEC_TOKEN}"
    ```
+
    This should output a JSON formatted representation of the Application like so:
+
    ```
    {"id":"backstage","name":"backstage","created_at":"2023-10-02T13:44:27Z","created_by":"s-d3e94a0e-8b53-29f9-b666-27548b7e06e0","envs":[{"id":"development","name":"Development","type":"development"}]}
    ```
+
    You can also check for the Application in the [Humanitec Platform Orchestrator UI](https://app.humanitec.io).
 
 3. Connect to your EKS cluster via `kubectl`. See the [AWS documentation](https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html) or use this command:
+
    ```
    aws eks update-kubeconfig --region <my-aws-region> --name ref-arch
    ```
+
 4. Get the elements in the newly created Kubernetes namespace:
+
    ```
    kubectl get all -n backstage-development
    ```
+
    You should see
-   - a `deployment`, `replicaset`, running `pod`, and `service` for Backstage
-   - a `statefulset`, running `pod`, and `service` for PostgreSQL database used by Backstage.
+   * a `deployment`, `replicaset`, running `pod`, and `service` for Backstage
+   * a `statefulset`, running `pod`, and `service` for PostgreSQL database used by Backstage.
 
    Note: it may take up to ten minutes after the `terraform apply` completed until you actually see those resources. The Backstage application needs to built and deployed via a GitHub action out of the newly created repository in your GitHub organization.
 
-
 ## Cleaning up
 
 Once you are finished with the reference architecture, you can remove all provisioned infrastrcuture and the resource definitions created in Humanitec with the following:
@@ -75,7 +88,9 @@ Once you are finished with the reference architecture, you can remove all provis
 | terraform | >= 1.3.0 |
 | aws | ~> 5.17 |
 | github | ~> 5.38 |
+| helm | ~> 2.12 |
 | humanitec | ~> 1.0 |
+| kubernetes | ~> 2.25 |
 | random | ~> 3.5 |
 
 ### Providers
@@ -92,12 +107,8 @@ Once you are finished with the reference architecture, you can remove all provis
 | Name | Source | Version |
 |------|--------|---------|
 | backstage\_ecr | terraform-aws-modules/ecr/aws | ~> 1.6 |
-| backstage\_iam\_policy\_ecr\_create\_repository | git::https://github.com/humanitec-architecture/resource-packs-aws.git//humanitec-resource-defs/iam-policy/ecr-create-repository | n/a |
-| backstage\_iam\_role\_service\_account | git::https://github.com/humanitec-architecture/resource-packs-aws.git//humanitec-resource-defs/iam-role/service-account | n/a |
-| backstage\_k8s\_service\_account | git::https://github.com/humanitec-architecture/resource-packs-aws.git//humanitec-resource-defs/k8s/service-account | n/a |
-| backstage\_mysql | git::https://github.com/humanitec-architecture/resource-packs-in-cluster.git//humanitec-resource-defs/mysql/basic | n/a |
-| backstage\_postgres | git::https://github.com/humanitec-architecture/resource-packs-in-cluster.git//humanitec-resource-defs/postgres/basic | n/a |
-| backstage\_workload | git::https://github.com/humanitec-architecture/resource-packs-aws.git//humanitec-resource-defs/workload/service-account | n/a |
+| backstage\_mysql | github.com/humanitec-architecture/resource-packs-in-cluster | v2024-06-05//humanitec-resource-defs/mysql/basic |
+| backstage\_postgres | github.com/humanitec-architecture/resource-packs-in-cluster | v2024-06-05//humanitec-resource-defs/postgres/basic |
 | base | ../../modules/base | n/a |
 | iam\_github\_oidc\_provider | terraform-aws-modules/iam/aws//modules/iam-github-oidc-provider | ~> 5.30 |
 | iam\_github\_oidc\_role | terraform-aws-modules/iam/aws//modules/iam-github-oidc-role | ~> 5.30 |
@@ -114,12 +125,8 @@ Once you are finished with the reference architecture, you can remove all provis
 | [github_actions_organization_variable.backstage_humanitec_org_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_repository.backstage](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
 | [humanitec_application.backstage](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
-| [humanitec_resource_definition_criteria.backstage_iam_policy_ecr_create_repository](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_resource_definition_criteria.backstage_iam_role_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_resource_definition_criteria.backstage_k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.backstage_mysql](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.backstage_postgres](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_resource_definition_criteria.backstage_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_value.app_config_backend_auth_keys](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
 | [humanitec_value.aws_default_region](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
 | [humanitec_value.backstage_cloud_provider](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/value) | resource |
@@ -144,5 +151,4 @@ Once you are finished with the reference architecture, you can remove all provis
 | humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes |
 | disk\_size | Disk size in GB to use for EKS nodes | `number` | `20` | no |
 | instance\_types | List of EC2 instances types to use for EKS nodes | `list(string)` | <pre>[<br>  "t3.large"<br>]</pre> | no |
-| resource\_packs\_aws\_rev | Revision of the resource-packs-aws repository to use | `string` | `"refs/heads/main"` | no |
 <!-- END_TF_DOCS -->

examples/with-backstage/backstage-humanitec.tf

@@ -108,7 +108,7 @@ locals {
 # in-cluster postgres
 
 module "backstage_postgres" {
-  source = "git::https://github.com/humanitec-architecture/resource-packs-in-cluster.git//humanitec-resource-defs/postgres/basic"
+  source = "github.com/humanitec-architecture/resource-packs-in-cluster?ref=v2024-06-05//humanitec-resource-defs/postgres/basic"
 
   prefix = local.res_def_prefix
 }
@@ -120,84 +120,12 @@ resource "humanitec_resource_definition_criteria" "backstage_postgres" {
   force_delete = true
 }
 
-# k8s service account (to assume an AWS role)
-
-module "backstage_k8s_service_account" {
-  source = "git::https://github.com/humanitec-architecture/resource-packs-aws.git//humanitec-resource-defs/k8s/service-account"
-
-  prefix = local.res_def_prefix
-}
-
-resource "humanitec_resource_definition_criteria" "backstage_k8s_service_account" {
-  resource_definition_id = module.backstage_k8s_service_account.id
-  app_id                 = humanitec_application.backstage.id
-
-  force_delete = true
-}
-
-# AWS policy to create ECR repositories (required to scaffold apps)
-
-module "backstage_iam_policy_ecr_create_repository" {
-  source = "git::https://github.com/humanitec-architecture/resource-packs-aws.git//humanitec-resource-defs/iam-policy/ecr-create-repository"
-
-  driver_account         = module.base.humanitec_resource_account_id
-  resource_packs_aws_rev = var.resource_packs_aws_rev
-  region                 = var.aws_region
-
-  prefix = local.res_def_prefix
-}
-
-resource "humanitec_resource_definition_criteria" "backstage_iam_policy_ecr_create_repository" {
-  resource_definition_id = module.backstage_iam_policy_ecr_create_repository.id
-  app_id                 = humanitec_application.backstage.id
-
-  force_delete = true
-}
-
-# AWS role assumable by the k8s service account
-
-module "backstage_iam_role_service_account" {
-  source = "git::https://github.com/humanitec-architecture/resource-packs-aws.git//humanitec-resource-defs/iam-role/service-account"
-
-  driver_account         = module.base.humanitec_resource_account_id
-  resource_packs_aws_rev = var.resource_packs_aws_rev
-  region                 = var.aws_region
-
-  policy_classes = ["default"]
-
-  cluster_name = module.base.eks_cluster_name
-  prefix       = local.res_def_prefix
-}
-
-resource "humanitec_resource_definition_criteria" "backstage_iam_role_service_account" {
-  resource_definition_id = module.backstage_iam_role_service_account.id
-  app_id                 = humanitec_application.backstage.id
-
-  force_delete = true
-}
-
-# Workload resource that sets the service account
-
-module "backstage_workload" {
-  source = "git::https://github.com/humanitec-architecture/resource-packs-aws.git//humanitec-resource-defs/workload/service-account"
-
-  prefix = local.res_def_prefix
-}
-
-resource "humanitec_resource_definition_criteria" "backstage_workload" {
-  resource_definition_id = module.backstage_workload.id
-  app_id                 = humanitec_application.backstage.id
-
-  force_delete = true
-}
-
-
 # Configure required resources for scaffolded apps
 
 # in-cluster mysql
 
 module "backstage_mysql" {
-  source = "git::https://github.com/humanitec-architecture/resource-packs-in-cluster.git//humanitec-resource-defs/mysql/basic"
+  source = "github.com/humanitec-architecture/resource-packs-in-cluster?ref=v2024-06-05//humanitec-resource-defs/mysql/basic"
 
   prefix = local.res_def_prefix
 }