
Backstage Scaffolder AWS CLI actions Plugin

Created by roadie.io

Scaffolder AWS CLI actions adds AWS building blocks to Backstage templates. It lets your templates talk to S3, ECR, and Secrets Manager during a scaffolding run. So a new service can set up a container registry, create a secret, or upload starter files to a bucket as part of the same guided flow your team already uses.

The plugin exposes simple actions that fit the common bootstrap steps teams repeat. Need to create an ECR repository with the settings you expect? Call an action in the template and move on. Need to store a token or password before the first deploy? Create a secret in Secrets Manager from the form input. Need to push generated files or static assets? Copy them to S3 from the workspace. Each step runs inside the scaffolder task, so engineers do not switch tools or paste commands.

This helps platform teams standardize the first mile of a service. You can keep guardrails in one place. You can make new projects production-ready faster with fewer manual steps. If your Backstage is self-hosted and your stack runs on AWS, these actions give you a clean path to wire cloud tasks into software templates. It stays high level by design, so you add only the actions you need and keep your templates readable.

Installation Instructions

These instructions apply to self-hosted Backstage only.

Install the backend actions package

cd packages/backend
yarn add @roadiehq/scaffolder-backend-module-aws

If your app code lives in a monorepo that contains the code for @backstage/plugin-scaffolder-backend, update your build to transpile files from node_modules as well.

Classic backend: register the actions

Add the actions to your scaffolder backend. Edit packages/backend/src/plugins/scaffolder.ts.

// packages/backend/src/plugins/scaffolder.ts
import { Router } from 'express';
import { PluginEnvironment } from '../types';
import {
  createRouter,
  createBuiltinActions,
} from '@backstage/plugin-scaffolder-backend';
import {
  createAwsS3CpAction,
  createEcrAction,
  createAwsSecretsManagerCreateAction,
} from '@roadiehq/scaffolder-backend-module-aws';

export default async function createPlugin(
  env: PluginEnvironment,
): Promise<Router> {
  const { logger, config, database, reader } = env;

  const actions = [
    createAwsS3CpAction(),
    createEcrAction(),
    createAwsSecretsManagerCreateAction(),
    ...createBuiltinActions({
      containerRunner: env.containerRunner,
      integrations: env.integrations,
      config,
      catalogClient: env.catalogClient,
      reader,
    }),
  ];

  return await createRouter({
    containerRunner: env.containerRunner,
    logger,
    config,
    database,
    catalogClient: env.catalogClient,
    reader,
    actions,
  });
}

Optional AWS credentials for S3 copy action

If you need to override the default AWS credentials for the S3 copy action, pass a credential provider.

// packages/backend/src/plugins/scaffolder.ts
// fromIni is exported by the @aws-sdk/credential-providers package
import { fromIni } from '@aws-sdk/credential-providers';
import { createAwsS3CpAction } from '@roadiehq/scaffolder-backend-module-aws';

const actions = [
  createAwsS3CpAction({
    credentials: fromIni({ profile: 'dev' }),
  }),
  // other actions here
];

New backend: register the actions

Create a small backend module that wires these actions into the scaffolder plugin. Add a file at packages/backend/src/modules/scaffolderAwsModule.ts.

// packages/backend/src/modules/scaffolderAwsModule.ts
import { createBackendModule, coreServices } from '@backstage/backend-plugin-api';
import { scaffolderActionsExtensionPoint } from '@backstage/plugin-scaffolder-node/alpha';
import {
  createAwsS3CpAction,
  createEcrAction,
  createAwsSecretsManagerCreateAction,
} from '@roadiehq/scaffolder-backend-module-aws';

export const scaffolderAwsModule = createBackendModule({
  pluginId: 'scaffolder',
  moduleId: 'aws-actions',
  register(env) {
    env.registerInit({
      deps: {
        scaffolder: scaffolderActionsExtensionPoint,
        logger: coreServices.logger,
      },
      init({ scaffolder, logger }) {
        logger.info('Registering Roadie AWS scaffolder actions');
        scaffolder.addActions(
          createAwsS3CpAction(),
          createEcrAction(),
          createAwsSecretsManagerCreateAction(),
        );
      },
    });
  },
});

Add the module to your backend bootstrap. Edit packages/backend/src/index.ts.

// packages/backend/src/index.ts
import { createBackend } from '@backstage/backend-defaults';
import { scaffolderAwsModule } from './modules/scaffolderAwsModule';

const backend = createBackend();

// your existing plugins here
// backend.add(somePlugin());

// createBackendModule returns the feature itself, so pass it without calling it
backend.add(scaffolderAwsModule);

backend.start();

If you need custom credentials for the S3 copy action in the new backend, pass the provider the same way shown above when creating the action.

Add templates that use the actions

Create one or more templates in your repo that call these actions. Place them in a folder that your catalog reads.

S3 copy template

# templates/upload-to-s3.yaml
apiVersion: scaffolder.backstage.io/v1beta3
kind: Template
metadata:
  name: upload-to-s3
  title: Upload
  description: Uploads the workspace context to the given S3 bucket
spec:
  owner: roadie
  type: service
  parameters:
    - title: Upload to S3
      # required belongs next to properties, not inside it
      required: ['bucket']
      properties:
        bucket:
          title: Bucket
          type: string
          description: The context will be uploaded into this bucket
  steps:
    - id: uploadToS3
      name: Upload to S3
      action: roadiehq:aws:s3:cp
      input:
        region: eu-west-1
        bucket: ${{ parameters.bucket }}

ECR create template

# templates/create-ecr.yaml
apiVersion: scaffolder.backstage.io/v1beta3
kind: Template
metadata:
  name: create-ecr-repo-template
  title: Create ECR Repository
  description: Create ECR repository using scaffolder custom action
spec:
  owner: roadie
  type: service
  parameters:
    - title: Add Repository Details
      required:
        - RepoName
        - Region
      properties:
        RepoName:
          title: ECR Repository Name
          type: string
          description: The ECR repository Name
          ui:autofocus: true
        Region:
          title: aws region
          type: string
          description: region for aws ECR
          default: 'us-east-1'
        ImageMutability:
          title: Enable Image Mutability
          description: set image mutability to true or false
          type: boolean
          default: false
        ScanOnPush:
          title: Enable Image Scanning
          description: The image scanning configuration for the repository. This determines whether images are scanned for known vulnerabilities after being pushed to the repository.
          type: boolean
          default: false
        Tags:
          type: array
          items:
            type: object
            description: Repository tags
            title: tag
            properties:
              Key:
                type: string
                title: Key
              Value:
                type: string
                title: Value
  steps:
    - id: create-ecr
      name: Create ECR Repository
      action: roadiehq:aws:ecr:create
      input:
        repoName: ${{ parameters.RepoName }}
        tags: ${{ parameters.Tags }}
        imageMutability: ${{ parameters.ImageMutability }}
        scanOnPush: ${{ parameters.ScanOnPush }}
        region: ${{ parameters.Region }}
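
A guardrailed variant of the ECR template above: scanning and image mutability are pinned in the step input instead of being form toggles that default to false, and the repository name and region are validated by the form schema. This is an added example, not taken from the Roadie documentation; the file name, the name pattern, the region list and the fixed tag are assumptions to adapt to your own conventions.

```yaml
# templates/create-ecr-guardrailed.yaml (hypothetical file name)
apiVersion: scaffolder.backstage.io/v1beta3
kind: Template
metadata:
  name: create-ecr-repo-guardrailed
  title: Create ECR Repository (guardrailed)
  description: Create an ECR repository with scanning always enabled
spec:
  owner: roadie
  type: service
  parameters:
    - title: Add Repository Details
      required:
        - RepoName
        - Region
      properties:
        RepoName:
          title: ECR Repository Name
          type: string
          # Assumed naming convention: team/service, lowercase with hyphens.
          pattern: '^[a-z0-9]+(-[a-z0-9]+)*/[a-z0-9]+(-[a-z0-9]+)*$'
          maxLength: 128
          ui:autofocus: true
        Region:
          title: AWS region
          type: string
          # Assumed allowlist of regions the platform team supports.
          enum: ['us-east-1', 'eu-west-1']
          default: 'us-east-1'
  steps:
    - id: create-ecr
      name: Create ECR Repository
      action: roadiehq:aws:ecr:create
      input:
        repoName: ${{ parameters.RepoName }}
        region: ${{ parameters.Region }}
        # Pinned here so a user cannot change them in the form.
        imageMutability: false
        scanOnPush: true
        # Assumed fixed tag recording how the repository was created.
        tags:
          - Key: created-by
            Value: backstage-scaffolder
```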

Secrets Manager create template

# templates/create-secret.yaml
apiVersion: scaffolder.backstage.io/v1beta3
kind: Template
metadata:
  name: create-secret-repo-template
  title: Create Secret
  description: Create secret in Secrets Manager using scaffolder custom action
spec:
  owner: roadie
  type: service
  parameters:
    - title: Add Secret Details
      required:
        - Name
        - Region
      properties:
        Name:
          title: Secret name
          type: string
          description: name of the secret to be created
          ui:autofocus: true
        Description:
          title: Description
          type: string
          description: description of the secret
        Value:
          title: Value
          description: secret string value
          type: string
        Tags:
          type: array
          items:
            type: object
            description: Secret tags
            title: tag
            properties:
              Key:
                type: string
                title: Key
              Value:
                type: string
                title: Value
        Profile:
          title: AWS profile
          description: AWS profile
          type: string
          default: 'default'
        Region:
          title: AWS region
          type: string
          description: region for aws secrets manager
          default: 'us-east-1'
  steps:
    - id: createSecret
      name: create secret - prod
      action: roadiehq:aws:secrets-manager:create
      input:
        name: ${{ parameters.Name }}
        description: ${{ parameters.Description }}
        value: ${{ parameters.Value }}
        tags: ${{ parameters.Tags }}
        profile: ${{ parameters.Profile }}
        region: ${{ parameters.Region }}
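
A variant of the Secrets Manager template above that collects the value through Backstage's built-in Secret field and reads it from the secrets context, so the value is masked in the form and is not passed around as an ordinary template parameter. This is an added example, not part of the Roadie documentation; the file name, template name and the pinned region and profile are assumptions.

```yaml
# templates/create-secret-masked.yaml (hypothetical file name)
apiVersion: scaffolder.backstage.io/v1beta3
kind: Template
metadata:
  name: create-secret-masked
  title: Create Secret (masked input)
  description: Create a secret in Secrets Manager without echoing the value
spec:
  owner: roadie
  type: service
  parameters:
    - title: Add Secret Details
      required:
        - Name
        - Value
      properties:
        Name:
          title: Secret name
          type: string
          description: name of the secret to be created
          ui:autofocus: true
        Description:
          title: Description
          type: string
          description: description of the secret
        Value:
          title: Value
          type: string
          description: secret string value
          # Built-in scaffolder field: masks the input and hands the real
          # value to the task through the secrets context.
          ui:field: Secret
  steps:
    - id: createSecret
      name: create secret
      action: roadiehq:aws:secrets-manager:create
      input:
        name: ${{ parameters.Name }}
        description: ${{ parameters.Description }}
        # Read from secrets; the real value is not available under parameters.
        value: ${{ secrets.Value }}
        # Assumption: profile and region are pinned by the platform team
        # instead of being chosen in the form.
        profile: default
        region: us-east-1
```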

Make the templates visible in the Scaffolder

Add a catalog locations entry that picks up your template files. Edit app-config.yaml. Adjust the target path to match your repo layout.

# app-config.yaml
catalog:
  locations:
    - type: file
      target: ./templates/*.yaml
      rules:
        - allow: [Template]

Place the template files in a templates folder at the repo root so the file location matches the target. If you keep templates in another repo or path, update the target accordingly.

Changelog

This changelog is produced from commits made to the Scaffolder AWS CLI actions plugin since a year ago, and based on the code located here. It may not contain information about all commits. Releases and version bumps are intentionally omitted. This changelog is generated by AI.

Breaking changes

  • Remove dependency on Scaffolder backend. It no longer pulls Scaffolder backend into your app. Install or pin it yourself if your setup needs it. #1730 10 months ago

Maintenance

  • Match plugin id in package metadata with the module id. This avoids future lint errors and warnings. #2042 3 weeks ago
  • Upgrade to Backstage 1.40. Keeps the actions compatible with newer Backstage apps. #1952 2 months ago
  • Remove unused dependencies. Smaller install with fewer transitive issues. #1847 7 months ago
  • Revert a previous dependency bump. Restore prior versions for stability. #1825 7 months ago
  • Update Backstage related packages using the Backstage CLI versions bump tool. #1821 7 months ago
  • Update Scaffolder packages. Keeps the actions current with Scaffolder changes. #1794 8 months ago
  • Update Backstage package versions to resolve Scaffolder compatibility. #1728 10 months ago
  • Automated dependency updates. #1684 11 months ago
