Worklog: gcp-infra (19/03/26)


Done

  • Updated bootstrap script references throughout the repo (seed/bootstrap.sh → scripts/seed-bootstrap.sh, scripts/control-plane-bootstrap.sh)
  • Added Workload Identity Federation (WIF) to the control plane Terraform (terraform/modules/control-plane/wif.tf): pool, GitHub OIDC provider, and IAM binding for tf-admin-sa
  • Added iamcredentials.googleapis.com and sts.googleapis.com to control plane API list
  • Added workload_identity_provider and tf_admin_sa_email outputs to control plane module and environment
  • Diagnosed and fixed Backstage production database auth error (Supabase pooler requires postgres.<projectref> username format; stale Cloud Run env vars from previous revision)
  • Designed client project architecture: each client gets its own GitHub repo scaffolded by Backstage (no per-client directories in gcp-org)
  • Read and planned implementation of Backstage IDP spec (System Specification: Backstage.md)
  • Fixed Backstage local dev environment:
    • SQLite config: changed connection: './local-dev.sqlite' → connection.directory: './local-dev-db' (new backend system requirement)
    • Commented out plugin-search-backend-module-pg in packages/backend/src/index.ts (crashes backend without Postgres)
    • Fixed catalog path: ./catalog/user.yaml → ../../catalog/user.yaml (relative to packages/backend/)
    • Configured Google OAuth for local dev (auth.environment: development, separate OAuth client)
    • Confirmed full sign-in flow working end-to-end
  • Created .LEARNINGS/backstage-local-dev-setup.md with all local dev gotchas documented
  • Created .FEATURES/backstage-idp-implementation.md with remaining IDP roadmap
  • Updated backstage/README.md with full local dev guide
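
The WIF item above (pool, GitHub OIDC provider, IAM binding for tf-admin-sa, plus the two module outputs) in worked form. This is an added example, not the repo's actual terraform/modules/control-plane/wif.tf; the project id "example-control-plane", the GitHub repo "example-org/gcp-infra", and the service account resource google_service_account.tf_admin are assumed placeholders. The point worth checking in any real version is the attribute_condition together with the principalSet member: without both, any GitHub repository that can obtain an OIDC token from token.actions.githubusercontent.com could impersonate the Terraform admin account.

```hcl
# Added example (not the gcp-infra repo's own wif.tf): minimal Workload
# Identity Federation for GitHub Actions. Assumed placeholders: project id
# "example-control-plane", repo "example-org/gcp-infra", and an existing
# resource google_service_account.tf_admin for tf-admin-sa.

resource "google_iam_workload_identity_pool" "github" {
  project                   = "example-control-plane" # assumed
  workload_identity_pool_id = "github-pool"
  display_name              = "GitHub Actions"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = "example-control-plane" # assumed
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-oidc"
  display_name                       = "GitHub OIDC"

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }

  # Map claims from the GitHub-issued token onto pool attributes.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
    "attribute.ref"        = "assertion.ref"
  }

  # Reject tokens from every repository except the one that runs Terraform.
  # Without this, the provider accepts any token signed by GitHub's issuer.
  attribute_condition = "assertion.repository == 'example-org/gcp-infra'"
}

# Allow only that repository's tokens to impersonate tf-admin-sa.
resource "google_service_account_iam_member" "tf_admin_wif" {
  service_account_id = google_service_account.tf_admin.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/example-org/gcp-infra"
}

# Outputs consumed by the GitHub workflow (matches the two outputs listed above).
output "workload_identity_provider" {
  value = google_iam_workload_identity_pool_provider.github.name
}

output "tf_admin_sa_email" {
  value = google_service_account.tf_admin.email
}
```

The `attribute_condition` and the `principalSet://.../attribute.repository/...` member are two independent checks: the first stops the token exchange at sts.googleapis.com, the second limits which identities may mint tf-admin-sa credentials via iamcredentials.googleapis.com, which is why both APIs had to be enabled. Tightening the member to `attribute.ref` (for example `refs/heads/main`) is the usual next step so that pull-request branches cannot reach the admin account.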

Next steps

[ ] Set up local Postgres (Docker) to match production — re-enable plugin-search-backend-module-pg and switch app-config.local.yaml database to Postgres. packages/backend/src/index.ts has a TODO marking the commented-out line.

  • Task 2 — Update catalog ownership model (group:internal, rename from admins)
  • Task 3 — Create MVP common-assets/ skeleton (.gitignore only for now)
  • Task 4 — Build bare-minimum scaffold template (prove pipeline end-to-end)
  • Task 5 — End-to-end scaffold test (repo creation + catalog registration)
  • Task 6 — Build new-client-project scaffold template (GCP platform bootstrap)
  • Task 7 — Deploy to Cloud Run + update CLAUDE.md