From 91cb768059c719e599d65abe8cc8028921c38421 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20W=C3=BCrbach?= Date: Wed, 12 Jun 2024 13:33:23 +0200 Subject: [PATCH] feat: create humanitec deploy user --- README.md | 16 +++++++++-- main.tf | 26 ++++++++++++++---- modules/portal-backstage/README.md | 5 +--- modules/portal-backstage/main.tf | 38 ++++++++++++++++++--------- modules/portal-backstage/providers.tf | 12 --------- terraform.tfvars.example | 3 --- variables.tf | 7 ----- 7 files changed, 62 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index 26c8b7f..10b069c 100644 --- a/README.md +++ b/README.md @@ -224,15 +224,28 @@ Once you are finished with the reference architecture, you can remove all provis | kubernetes | ~> 2.25 | | random | ~> 3.5 | +### Providers + +| Name | Version | +|------|---------| +| humanitec | ~> 1.0 | + ### Modules | Name | Source | Version | |------|--------|---------| | base | ./modules/base | n/a | | github | ./modules/github | n/a | -| github\_app | github.com/humanitec-architecture/shared-terraform-modules | v2024-06-06//modules/github-app | +| github\_app | github.com/humanitec-architecture/shared-terraform-modules | v2024-06-12//modules/github-app | | portal\_backstage | ./modules/portal-backstage | n/a | +### Resources + +| Name | Type | +|------|------| +| [humanitec_service_user_token.deployer](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/service_user_token) | resource | +| [humanitec_user.deployer](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/user) | resource | + ### Inputs | Name | Description | Type | Default | Required | 
@@ -241,7 +254,6 @@ Once you are finished with the reference architecture, you can remove all provis | aws\_region | AWS region | `string` | n/a | yes | | disk\_size | Disk size in GB to use for EKS nodes | `number` | `20` | no | | github\_org\_id | GitHub org id (required for Backstage) | `string` | `null` | no | -| humanitec\_ci\_service\_user\_token | Humanitec CI Service User Token (required for Backstage) | `string` | `null` | no | | humanitec\_org\_id | Humanitec Organization ID (required for Backstage) | `string` | `null` | no | | instance\_types | List of EC2 instances types to use for EKS nodes | `list(string)` |
[
"t3.large"
]
| no | | with\_backstage | Deploy Backstage | `bool` | `false` | no | diff --git a/main.tf b/main.tf index 4fc7302..f68e04c 100644 --- a/main.tf +++ b/main.tf @@ -8,13 +8,31 @@ module "base" { disk_size = var.disk_size } +# User used for scaffolding and deploying apps + +resource "humanitec_user" "deployer" { + count = var.with_backstage ? 1 : 0 + + name = "deployer" + role = "administrator" + type = "service" +} + +resource "humanitec_service_user_token" "deployer" { + count = var.with_backstage ? 1 : 0 + + id = "deployer" + user_id = humanitec_user.deployer[0].id + description = "Used by scaffolding and deploying" +} + module "github" { count = var.with_backstage ? 1 : 0 source = "./modules/github" humanitec_org_id = var.humanitec_org_id - humanitec_ci_service_user_token = var.humanitec_ci_service_user_token + humanitec_ci_service_user_token = humanitec_service_user_token.deployer[0].token aws_region = var.aws_region github_org_id = var.github_org_id @@ -30,9 +48,7 @@ locals { module "github_app" { count = var.with_backstage ? 1 : 0 - # Not pinned as we don't have a release yet - # tflint-ignore: terraform_module_pinned_source - source = "github.com/humanitec-architecture/shared-terraform-modules?ref=v2024-06-06//modules/github-app" + source = "github.com/humanitec-architecture/shared-terraform-modules?ref=v2024-06-12//modules/github-app" credentials_file = "${path.module}/${local.github_app_credentials_file}" } @@ -45,7 +61,7 @@ module "portal_backstage" { source = "./modules/portal-backstage" humanitec_org_id = var.humanitec_org_id - humanitec_ci_service_user_token = var.humanitec_ci_service_user_token + humanitec_ci_service_user_token = humanitec_service_user_token.deployer[0].token github_org_id = var.github_org_id github_app_client_id = module.github_app[0].client_id diff --git a/modules/portal-backstage/README.md b/modules/portal-backstage/README.md index f12ea1d..d489b35 100644 --- a/modules/portal-backstage/README.md 
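Review bot: The new `humanitec_user.deployer` in the first main.tf hunk is created with `role = "administrator"`, the broadest organisation-level role, although the comment limits its purpose to scaffolding and deploying apps; whoever compromises the Backstage instance or the GitHub Actions secrets that receive this token then holds full administrative control of the Humanitec organisation. Prefer the least organisation role that covers the app-scoped operations the scaffolder and deploy workflows actually perform (for example `role = "member"` combined with application-level roles, if the provider exposes them — the exact role names need to be checked against the Humanitec documentation), and add a one-line comment explaining why the chosen role is necessary. Note also that `humanitec_service_user_token.deployer[0].token` is written in plaintext to Terraform state and fanned out to two modules, so the README should require remote, encrypted state with restricted access; if the resource supports an expiry such as `expires_at`, set one and document the rotation procedure, since the previous design let operators supply and rotate the token themselves via the now-removed `humanitec_ci_service_user_token` variable.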
+++ b/modules/portal-backstage/README.md @@ -10,10 +10,7 @@ This module deploys the [Humanitec Reference Architecture Backstage](https://git | Name | Version | |------|---------| | terraform | >= 1.3.0 | -| aws | ~> 5.17 | -| github | ~> 5.38 | | humanitec | ~> 1.0 | -| random | ~> 3.5 | ### Providers @@ -26,7 +23,7 @@ This module deploys the [Humanitec Reference Architecture Backstage](https://git | Name | Source | Version | |------|--------|---------| | backstage\_postgres | github.com/humanitec-architecture/resource-packs-in-cluster | v2024-06-05//humanitec-resource-defs/postgres/basic | -| portal\_backstage | github.com/humanitec-architecture/shared-terraform-modules | v2024-06-06//modules/portal-backstage | +| portal\_backstage | github.com/humanitec-architecture/shared-terraform-modules | v2024-06-12//modules/portal-backstage | ### Resources diff --git a/modules/portal-backstage/main.tf b/modules/portal-backstage/main.tf index 95fcc9d..1fb79be 100644 --- a/modules/portal-backstage/main.tf +++ b/modules/portal-backstage/main.tf 
@@ -3,23 +3,37 @@ resource "humanitec_application" "backstage" {
   name = "backstage"
 }
 
+locals {
+  secrets = {
+    humanitec-token = var.humanitec_ci_service_user_token
+    github-app-client-id = var.github_app_client_id
+    github-app-client-secret = var.github_app_client_secret
+    github-app-private-key = indent(2, var.github_app_private_key)
+    github-webhook-secret = var.github_webhook_secret
+  }
+
+  secret_refs = {
+    for key, value in local.secrets : key => {
+      value = value
+    }
+  }
+}
+
 module "portal_backstage" {
-  # Not pinned as we don't have a release yet
-  # tflint-ignore: terraform_module_pinned_source
-  source = "github.com/humanitec-architecture/shared-terraform-modules?ref=v2024-06-06//modules/portal-backstage"
+  source = "github.com/humanitec-architecture/shared-terraform-modules?ref=v2024-06-12//modules/portal-backstage"
 
   cloud_provider = "aws"
 
-  humanitec_org_id = var.humanitec_org_id
-  humanitec_app_id = humanitec_application.backstage.id
-  humanitec_ci_service_user_token = var.humanitec_ci_service_user_token
+  humanitec_org_id = var.humanitec_org_id
+  humanitec_app_id = humanitec_application.backstage.id
+  humanitec_ci_service_user_token_ref = local.secret_refs["humanitec-token"]
 
-  github_org_id = var.github_org_id
-  github_app_client_id = var.github_app_client_id
-  github_app_client_secret = var.github_app_client_secret
-  github_app_id = var.github_app_id
-  github_app_private_key = var.github_app_private_key
-  github_webhook_secret = var.github_webhook_secret
+  github_org_id = var.github_org_id
+  github_app_client_id_ref = local.secret_refs["github-app-client-id"]
+  github_app_client_secret_ref = local.secret_refs["github-app-client-secret"]
+  github_app_id = var.github_app_id
+  github_app_private_key_ref = local.secret_refs["github-app-private-key"]
+  github_webhook_secret_ref = local.secret_refs["github-webhook-secret"]
 }
 
 # Configure required resources for backstage
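Review bot: The `secret_refs` local passes every secret as an inline `value`, so the Humanitec service-user token, the GitHub App client secret, the App private key and the webhook secret all end up in plaintext in Terraform state and in `terraform plan` output; if the module's new `*_ref` inputs also accept a store-backed reference (a `store`/`ref` pair pointing at an external secret store) rather than only an inline value, using that would keep the plaintext out of state, and either way the module README should state where these values are persisted. `github-app-private-key = indent(2, var.github_app_private_key)` also changes the value compared with the removed line, which passed the key unmodified: `indent` prepends two spaces to every line after the first, which is only correct if the v2024-06-12 module embeds the string into an already-indented YAML block, so it deserves a comment such as `# indented for embedding in the module's YAML template; first line is left untouched` once that is confirmed against the module. The `locals` block and the `module "portal_backstage"` call are complete within this hunk.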
diff --git a/modules/portal-backstage/providers.tf b/modules/portal-backstage/providers.tf index 30a1f60..59d13ba 100644 --- a/modules/portal-backstage/providers.tf +++ b/modules/portal-backstage/providers.tf @@ -1,21 +1,9 @@ terraform { required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 5.17" - } humanitec = { source = "humanitec/humanitec" version = "~> 1.0" } - github = { - source = "integrations/github" - version = "~> 5.38" - } - random = { - source = "hashicorp/random" - version = "~> 3.5" - } } required_version = ">= 1.3.0" } diff --git a/terraform.tfvars.example b/terraform.tfvars.example index a67967d..6ffb111 100644 --- a/terraform.tfvars.example +++ b/terraform.tfvars.example @@ -11,9 +11,6 @@ disk_size = 20 # GitHub org id (required for Backstage) github_org_id = "" -# Humanitec CI Service User Token (required for Backstage) -humanitec_ci_service_user_token = "" - # Humanitec Organization ID (required for Backstage) humanitec_org_id = "" diff --git a/variables.tf b/variables.tf index 6b61e49..0f0cc79 100644 --- a/variables.tf +++ b/variables.tf @@ -39,10 +39,3 @@ variable "humanitec_org_id" { type = string default = null } - -variable "humanitec_ci_service_user_token" { - description = "Humanitec CI Service User Token (required for Backstage)" - type = string - sensitive = true - default = null -}