Add Launchpad (#2)

Signed-off-by: Roman Schwarz <rs@cloudeteer.de>

Author: rswrz

.github/workflows/prod-stackit-terraform-10-launchpad.yaml

@@ -0,0 +1,35 @@
+name: prod-stackit-terraform-10-launchpad
+
+on:
+  workflow_dispatch:
+    inputs:
+      terraform-force-unlock:
+        default: false
+        description: Terraform force unlock
+        required: false
+        type: boolean
+      terraform-force-unlock-id:
+        description: Terraform LOCK_ID
+        required: false
+        type: string
+  pull_request:
+    paths:
+      - prod-stackit/terraform/10_launchpad/**
+      - .github/workflows/prod-stackit-terraform-10-launchpad.yaml
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  terraform:
+    name: Terraform
+    uses: cloudeteer/iac-deployment-framework/.github/workflows/terraform-deploy-stackit.yaml@wip/stackit
+    with:
+      directory: prod-stackit/terraform/10_launchpad
+      terraform-force-unlock-id: ${{ github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true && inputs.terraform-force-unlock-id }}
+      terraform-force-unlock: ${{ github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true && inputs.terraform-force-unlock }}
+    secrets:
+      stackit_service_account_key: ${{ secrets.CDT_LAUNCHPAD_STACKIT_SERVICE_ACCOUNT_KEY }}
+      backend_s3_secret_key: ${{ secrets.CDT_LAUNCHPAD_STACKIT_BACKEND_SECRET_ACCESS_KEY }}
+      backend_s3_access_key: ${{ secrets.CDT_LAUNCHPAD_STACKIT_BACKEND_ACCESS_KEY }}

prod-stackit/terraform/10_launchpad/README.md

@@ -0,0 +1,172 @@
+# Launchpad
+
+This document details the initial setup process for the Launchpad on StackIT Cloud.
+
+## 1. Launchpad Service Account
+
+### Authentication
+
+We first logged in with a personal user account that had **Organization Owner** rights.
+
+```console
+$ stackit auth login
+Successfully logged into STACKIT CLI.
+```
+
+We set the organization ID statically because, unfortunately, the CLI wasn't feeling cooperative.
+
+```console
+$ STACKIT_ORGANIZATION_ID=6f0a04e7-8d5f-42a5-b1b3-89b8532126db
+```
+
+To avoid missing crucial details in CLI output, we switched to json format:
+
+```console
+$ stackit config set --output-format json
+```
+
+### Creating the StackIT Project
+
+The launchpad project was created under our organization:
+
+```console
+$ stackit project create --name launchpad --parent-id "$STACKIT_ORGANIZATION_ID"
+Are you sure you want to create a project under the parent with ID "6f0a04e7-8d5f-42a5-b1b3-89b8532126db"? [y/N] y
+{
+  "containerId": "launchpad-MyKfrt1",
+  "creationTime": "2025-03-05T19:45:07.325899101Z",
+  "labels": {},
+  "lifecycleState": "CREATING",
+  "name": "launchpad",
+  "parent": {
+    "containerId": "cloudeteer-gmb-h-iKVDWA1",
+    "id": "6f0a04e7-8d5f-42a5-b1b3-89b8532126db",
+    "type": "ORGANIZATION"
+  },
+  "projectId": "6b590d5d-f2ab-4584-9556-5ed8bbabb796",
+  "updateTime": "2025-03-05T19:45:07.325899101Z"
+}
+```
+
+For convenience, we set the project ID as a configuration parameter:
+
+```console
+$ stackit config set --project-id 6b590d5d-f2ab-4584-9556-5ed8bbabb796
+```
+
+### Creating and Configuring the Service Account
+
+A Service Account with **Organization Owner** permissions was created:
+
+```console
+$ stackit service-account create --name launchpad
+Are you sure you want to create a service account for project "launchpad"? [y/N] y
+{
+  "email": "launchpad-z3sy221@sa.stackit.cloud",
+  "id": "3e57ce0e-d7f6-48b8-865a-1336e547dde4",
+  "internal": false,
+  "projectId": "6b590d5d-f2ab-4584-9556-5ed8bbabb796"
+}
+```
+
+The generated email was saved for later:
+
+```console
+$ STACKIT_SERVICE_ACCOUNT_EMAIL=launchpad-z3sy221@sa.stackit.cloud
+```
+
+We then granted Organization Owner privileges to the Service Account:
+
+```console
+$ stackit organization member add "$STACKIT_SERVICE_ACCOUNT_EMAIL" \
+    --organization-id "$STACKIT_ORGANIZATION_ID" \
+    --role organization.owner
+Are you sure you want to add the organization.owner role to launchpad-z3sy221@sa.stackit.cloud on organization with ID "6f0a04e7-8d5f-42a5-b1b3-89b8532126db"? [y/N] y
+Member added
+```
+
+### Generating a Service Account Key
+
+A key was generated and securely stored as a GitHub secret:
+
+```console
+$ stackit service-account key create --email "$STACKIT_SERVICE_ACCOUNT_EMAIL" |
+    gh secret set CDT_LAUNCHPAD_STACKIT_SERVICE_ACCOUNT_KEY
+Are you sure you want to create a key for service account launchpad-z3sy221@sa.stackit.cloud? The key will be valid until deleted [y/N] y
+Created key for service account launchpad-z3sy221@sa.stackit.cloud with ID "a93c1c11-7710-49bf-b235-4d6b3aa1d708"
+✓ Set Actions secret CDT_LAUNCHPAD_STACKIT_SERVICE_ACCOUNT_KEY for cloudeteer/playground-stackit
+```
+
+## 2. Terraform Remote State Backend
+
+### Enabling Object Storage
+
+To store Terraform remote state, we needed an S3-compatible Object Store. Initially, we attempted to create a storage bucket:
+
+```console
+$ stackit object-storage bucket create launchpad
+Are you sure you want to create bucket "launchpad"? (This cannot be undone) [y/N] y
+Error: This service isn't enabled for the current project.
+
+To enable it, run:
+  $ stackit object-storage enable
+```
+
+So, we enabled the Object Storage service:
+
+```console
+$ stackit object-storage enable
+Are you sure you want to enable Object Storage for project "launchpad"? [y/N] y
+Enabled Object Storage for project "launchpad"
+```
+
+Once enabled, we successfully created the bucket:
+
+```console
+$ stackit object-storage bucket create launchpad
+Are you sure you want to create bucket "launchpad"? (This cannot be undone) [y/N] y
+Creating bucket ✓
+{
+  "bucket": "launchpad",
+  "project": "6b590d5d-f2ab-4584-9556-5ed8bbabb796"
+}
+```
+
+### Creating Object Storage Credentials
+
+Since Organization Owner rights were not enough for accessing Object Storage, we had to create an additional access key:
+
+```console
+$ stackit object-storage credentials-group create --name launchpad
+Are you sure you want to create a credentials group with name "launchpad"? [y/N] y
+{
+  "credentialsGroup": {
+    "credentialsGroupId": "76555949-9eee-442d-82ad-a3c3481b6f6a",
+    "displayName": "launchpad",
+    "urn": "urn:sgws:identity::79244107857127418979:group/credentials-group-49bb71"
+  },
+  "project": "6b590d5d-f2ab-4584-9556-5ed8bbabb796"
+}
+```
+
+Then, we generated credentials and stored them securely as GitHub secrets:
+
+```console
+$ temp=$(stackit object-storage credentials create --credentials-group-id 76555949-9eee-442d-82ad-a3c3481b6f6a)
+
+$ echo $temp | jq -r .accessKey | gh secret set CDT_LAUNCHPAD_STACKIT_BACKEND_ACCESS_KEY
+✓ Set Actions secret CDT_LAUNCHPAD_STACKIT_BACKEND_ACCESS_KEY for cloudeteer/playground-stackit
+
+$ echo $temp | jq -r .secretAccessKey | gh secret set CDT_LAUNCHPAD_STACKIT_BACKEND_SECRET_ACCESS_KEY
+✓ Set Actions secret CDT_LAUNCHPAD_STACKIT_BACKEND_SECRET_ACCESS_KEY for cloudeteer/playground-stackit
+
+$ unset temp
+```
+
+## Summary
+
+- Service Account with Organization Owner permissions created.
+- Object Storage provisioned for Terraform Remote State.
+- Credentials securely stored as GitHub secrets.
+
+Currently, a Launchpad Virtual Machine for a GitHub private runner is missing, but with StackIT, we may explore this possibility in the coming weeks. 🚀

prod-stackit/terraform/10_launchpad/main.tf

@@ -0,0 +1,47 @@
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = "0.43.3"
+    }
+  }
+
+  # Terraform Remote State Backend Configuration
+  # https://developer.hashicorp.com/terraform/language/backend/s3#configuration
+  backend "s3" {
+    bucket = "launchpad"
+    region = "eu01"
+    key    = "prod-stackid/terraform/10_launchpad/terraform.tfstate"
+
+    endpoints = {
+      s3 = "https://object.storage.eu01.onstackit.cloud"
+    }
+
+    # AWS specific checks must be skipped as they do not work on STACKIT
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    skip_requesting_account_id  = true
+    skip_s3_checksum            = true
+
+    # Credentials supplied by environment variables
+    # access_key = null # AWS_ACCESS_KEY_ID
+    # secret_key = null # AWS_SECRET_ACCESS_KEY
+  }
+}
+
+provider "stackit" {
+
+  # Region will be used as the default location for regional services.
+  # Not all services require a region, some are global
+  region = "eu01"
+
+  # NOTE: There are no environment variables available for the parameters service_account_key and private_key.
+  # Alternatively, we use TF_VAR_service_account_key and TF_VAR_private_key.
+
+  # Service account key used for authentication
+  service_account_key = var.service_account_key
+
+  # Private RSA key used for authentication, relevant for the key flow.
+  # It takes precedence over the private key that is included in the service account key.
+  private_key = var.private_key
+}