Cloudythings Blog

Building Platform Environment Catalogs that Developers Actually Use

Marrying Backstage, GitOps, and policy-as-code to give teams self-service environments without sacrificing control.

February 07, 2023 at 10:21 AM EST 11 min read
Platform EngineeringGitOpsBackstageEphemeral EnvironmentsGovernance
Product engineers browsing a platform environment catalog on a large screen
Image: Kaleidico / Unsplash

Internal developer portals are everywhere. Backstage adoption exploded, Port, Cortex, and OpsLevel hit feature parity, and every platform team seems to be publishing Medium articles about “golden paths.” Yet many environment catalogs still feel like static wikis. Developers click a link, file a ticket, and wait. To move the needle, catalogs must provision real infrastructure, enforce guardrails, and give SREs visibility.

This post explains how Cloudythings builds environment catalogs that engineers rely on daily. We blend Backstage, GitOps, policy-as-code, and ephemeral environments to create a living experience.

Model environments as products

We define environment archetypes:

  • Preview: short-lived per pull request (ephemeral).
  • Integration: shared testing with nightly refresh.
  • Staging: production-like with change management.
  • Training / sandbox: for experimentation.

Each archetype has SLAs, cost envelopes, and guardrails. We document capabilities (e.g., “includes synthetic data,” “connects to service virtualization”). Treating environments as products clarifies expectations.

Use Backstage as the front door

Backstage remains our preferred portal. We extend it with:

  • Environment Custom Resource Definitions stored in a catalog file such as environments/checkout-staging.yaml.
  • Plugins that let developers request, extend, pause, or delete environments. Under the hood, these actions create Git PRs in the environment repo.
  • Status widgets showing GitOps sync, drift, cost usage (via CloudHealth or AWS Cost Explorer), and SLO adherence.

The portal becomes the control tower, not a brochure.

Engineer initiating an environment request through Backstage
Photo by You X Ventures on Unsplash. Portals work when they trigger automation, not tickets.

GitOps drives provisioning

Every environment request generates a Git PR:

  1. Templates (Helm, Kustomize, Terraform) describe infrastructure, policies, and secrets.
  2. Policy-as-code (Open Policy Agent, Conftest) validates the PR—quota limits, approved service lists, cost checks.
  3. Upon merge, Argo CD/Flux reconciles the environment. Terraform Cloud handles cloud primitives; Crossplane provisions managed services.

Developers track progress via GitHub statuses and Backstage plugins. No human approval? The PR stays open. Guardrails catch misconfigurations before they reach production.

Layer service virtualization and data governance

Environments need realistic dependencies without violating compliance:

  • Mountebank or WireMock proxies mimic third-party APIs, inspired by Thoughtworks’ writings.
  • Synthetic data pipelines (Tonic, custom scripts) populate databases. Data masking policies run as GitOps jobs, and compliance teams sign off on templates.
  • Secrets flow via External Secrets Operator, which integrates with Vault or AWS Secrets Manager per environment scope.

Every component is tagged with environment metadata, making observability and cost attribution trivial.

Bake in policy and cost controls

Governance is automated:

  • TTL enforcement with controllers that close the Git PR and delete resources when expiration passes.
  • Quota budgets tracked in FinOps tooling. Teams see daily burn rates and predict when to tear down idle stacks.
  • Security scanning (Trivy, kube-bench) runs on each environment at creation. Alerts surface in Backstage with remediation guidance.

This approach mirrors best practices from Humanitec’s platform engineering playbooks and Bloomberg’s FinOps talks.

Observability at launch

Environments ship with:

  • Grafana dashboards pre-filtered by environment label.
  • Synthetic checks (k6, Playwright) triggered post-provision.
  • Log routing to dedicated Loki/Elastic indices, ensuring on-call engineers can debug without cross-tenant noise.
  • Feature flag integration so product teams test progressive delivery in lower environments before production.

Observability is not optional; it is part of the template.

Measure adoption and satisfaction

We treat the catalog like any product:

  • Track environment creation frequency, lead time, and failure rate.
  • Survey developers on satisfaction, discoverability, and documentation clarity.
  • Analyze MTTR improvements—teams with self-service environments tend to resolve incidents faster thanks to reproducible contexts.

When metrics dip, we adjust templates or add enablement content—just like product teams iterate.

Environment catalogs succeed when they combine automation, policy, and developer empathy. Backstage and GitOps provide the rails; service virtualization, data governance, and observability provide the substance. Build that, and engineers stop filing tickets—they start building with confidence.