This repo contains the Terraform to deploy Backstage to AWS for evaluation purposes into an AWS ECS Fargate service. A new VPC and associated resources are created. Backstage will be deployed to ECS in private subnets fronted by an Application Load Balancer in a public subnet. On the backend, Backstage connects to a PostgreSQL RDS instance for state management.
![ECS Architecture](images/ECS Architecture.png)
Please note that the instructions in this repo will enable you to use Backstage for evaluation purposes. Further investment will be required in order to implement Backstage in a production capacity. See Next Steps below for more details.
Backstage is a framework for building developer portals. The three essential features of Backstage are:
- Create new projects and repositories from scaffolded templates.
- Catalog software components and their associated metadata and relationships.
- Enrich the understanding of your software components with plugins, viewable in the Backstage UI.
This repository passes checkov scans. The following checks are intentionally skipped because this is meant for temporary evaluation of Backstage:
- CKV_AWS_150: Ensure that Load Balancer has deletion protection enabled
- CKV_AWS_91: Ensure the ELBv2 (Application/Network) has access logging enabled
- CKV_AWS_139: Ensure that RDS clusters have deletion protection enabled
In addition to fixing the three checkov checks listed above, in order to run Backstage in production you should consider the following changes:
- Switch from guest authentication to IDP authentication, e.g. GitHub Auth or Okta.
- Install Backstage from source instead of the images provided for the walkthrough.
- Use Amazon ElastiCache Redis for catalog caching.
- Configure the GitHub Discovery plugin.
- Write custom Backstage templates.
In order to secure Backstage with TLS, a domain name is required. Terraform will output the AWS Nameservers, but you will need to delegate your domain to the provided Nameservers. An example is provided below.
By default, access to Backstage is limited to the IP addresses provided in the `allowed_cidr` in `apply-tfvars/dev.tfvars`. You can retrieve the IP address of your system by visiting https://checkip.amazonaws.com/.
This repo uses a default Backstage image hosted by StratusGrid. You can build the image yourself by running this command from the root of the project repository:
```bash
# The trailing "." sets the build context to the repository root
docker build -f packages/backend/Dockerfile .
```
Clone this repository.
```bash
git clone git@github.com:StratusGrid/backstage-aws-walkthrough.git
```
Authenticate with an AWS account.
Set values for `backstage_domain_name` and `allowed_cidr` in `apply-tfvars/dev.tfvars`.
```hcl
region = "us-east-1"
env_name = "dev"
source_repo = "https://github.com/StratusGrid/backstage-aws-walkthrough"
application_name = "backstage"
docker_image = "public.ecr.aws/r1z1c0k6/backstage:latest"
vpc_cidr_octet = 10
allowed_cidr = "10.0.0.1/32"
backstage_domain_name = "mydomainname.com"
```
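Because `allowed_cidr` is the only network control in front of guest authentication, it is worth checking before `terraform apply`. The script below is an added example, not part of this repository; the `min_prefix` threshold, the function names and the assumption that the load balancer is internet-facing (as the public-subnet layout suggests) are illustrative.

```python
import ipaddress
import re
import sys

# Constructed sample using the keys from apply-tfvars/dev.tfvars.
SAMPLE_TFVARS = '''
region = "us-east-1"
allowed_cidr = "10.0.0.1/32"
backstage_domain_name = "mydomainname.com"
'''

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def read_string_var(tfvars_text, name):
    """Return the value of a simple `name = "value"` assignment, or None."""
    pattern = rf'^\s*{re.escape(name)}\s*=\s*"([^"]*)"'
    match = re.search(pattern, tfvars_text, re.MULTILINE)
    return match.group(1) if match else None

def check_allowed_cidr(tfvars_text, min_prefix=24):
    """Return findings for allowed_cidr; an empty list means no issue was found.
    min_prefix is an assumed IPv4 policy threshold, not a project setting."""
    value = read_string_var(tfvars_text, "allowed_cidr")
    if value is None:
        return ["allowed_cidr is not set"]
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError as exc:
        return [f"allowed_cidr is not a valid CIDR: {exc}"]
    findings = []
    if net.prefixlen == 0:
        findings.append("allowed_cidr admits every address")
    elif net.version == 4 and net.prefixlen < min_prefix:
        findings.append(f"allowed_cidr /{net.prefixlen} is wider than /{min_prefix}")
    if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        findings.append("allowed_cidr is RFC 1918 space; an internet-facing ALB sees public source IPs")
    return findings

if __name__ == "__main__":
    # Usage: python check_cidr.py apply-tfvars/dev.tfvars (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TFVARS
    problems = check_allowed_cidr(text)
    for problem in problems:
        print("WARN:", problem)
    sys.exit(1 if problems else 0)
```

Run against the sample values above, it flags the placeholder `10.0.0.1/32`: a private address never matches the public source IP that https://checkip.amazonaws.com/ reports.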
Run `terraform init` from the root of this repository.
This repository has been tested with Terraform version 1.4.6. You can use tfenv to manage multiple versions of Terraform.
First we will need to run Terraform and target the Route 53 hosted zone, so that we can retrieve the nameservers to set in the Registrar. These are required to be in place for ACM to create the cert:
```bash
terraform apply -var-file apply-tfvars/dev.tfvars -target=aws_route53_zone.backstage
```
This will give you outputs similar to this:
Here's a screenshot of me setting the domain NS servers in my registrar:
Next, run the command `terraform apply -var-file apply-tfvars/dev.tfvars`. Type `yes` to provision the resources. The resource provisioning and deployment typically takes 10-15 minutes.
The Terraform outputs will display the URL. When you click on the URL you will see Backstage.
- Enable Authentication with an authentication provider, e.g. GitHub Authentication Provider.
- Enable GitHub Discovery to automatically add repositories to the Backstage catalog.
- Author Backstage Software Templates.
- Customize Backstage.
- Configure CI/CD.
- Migrate Terraform State To Remote State.