-
Notifications
You must be signed in to change notification settings - Fork 43
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
First version of Terraform Subscriber Setup
- Loading branch information
1 parent
3e66b6d
commit 150500e
Showing
5 changed files
with
359 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,176 @@ | ||
|
||
### | ||
data "btp_globalaccount" "project" {} | ||
### | ||
|
||
### | ||
# Setup Subaccount | ||
### | ||
resource "btp_subaccount" "project" { | ||
name = "${var.name}-${var.stage}" | ||
subdomain = lower(replace("${var.name}-${var.stage}", " ", "-")) | ||
region = lower(var.region) | ||
} | ||
|
||
|
||
### | ||
# Setup Trust configuration | ||
### | ||
resource "btp_subaccount_trust_configuration" "project" { | ||
subaccount_id = btp_subaccount.project.id | ||
identity_provider = var.ias_host | ||
} | ||
|
||
### | ||
# Setup Subscription | ||
### | ||
resource "btp_subaccount_subscription" "project" { | ||
subaccount_id = btp_subaccount.project.id | ||
app_name = "${var.app_name}-${var.namespace}-${var.shootname}" | ||
plan_name = var.app_plan | ||
} | ||
|
||
### | ||
# Setup Subaccount Admins | ||
### | ||
resource "btp_subaccount_role_collection_assignment" "subaccount_admins" { | ||
for_each = { for user in var.subaccount_admins : user => user } | ||
subaccount_id = btp_subaccount.project.id | ||
origin = "sap.default" | ||
role_collection_name = "Subaccount Administrator" | ||
user_name = each.value | ||
} | ||
|
||
|
||
### | ||
# Setup Subaccount Viewers | ||
### | ||
resource "btp_subaccount_role_collection_assignment" "subaccount_viewers" { | ||
for_each = { for user in var.saas_admins : user => user } | ||
subaccount_id = btp_subaccount.project.id | ||
origin = "${split(".", var.ias_host)[0]}-platform" | ||
role_collection_name = "Subaccount Viewer" | ||
user_name = each.value | ||
} | ||
|
||
|
||
### | ||
# Setup SaaS Admins | ||
### | ||
resource "btp_subaccount_role_collection_assignment" "saas_admins" { | ||
for_each = { for user in var.saas_admins : user => user } | ||
subaccount_id = btp_subaccount.project.id | ||
origin = "sap.custom" | ||
role_collection_name = "Susaas Administrator (${var.app_name}-${var.namespace})" | ||
user_name = each.value | ||
depends_on = [ | ||
btp_subaccount_subscription.project, | ||
btp_subaccount_trust_configuration.project | ||
] | ||
} | ||
|
||
### | ||
# Setup SaaS Members | ||
### | ||
resource "btp_subaccount_role_collection_assignment" "saas_members" { | ||
for_each = { for user in var.saas_members : user => user } | ||
subaccount_id = btp_subaccount.project.id | ||
origin = "sap.custom" | ||
role_collection_name = "Susaas Member (${var.app_name}-${var.namespace})" | ||
user_name = each.value | ||
depends_on = [ | ||
btp_subaccount_subscription.project, | ||
btp_subaccount_trust_configuration.project | ||
] | ||
} | ||
|
||
### | ||
# Setup SaaS Extension Developers | ||
### | ||
resource "btp_subaccount_role_collection_assignment" "saas_extends" { | ||
for_each = { for user in var.saas_extends : user => user } | ||
subaccount_id = btp_subaccount.project.id | ||
origin = "sap.custom" | ||
role_collection_name = "Susaas Extension Developer (${var.app_name}-${var.namespace})" | ||
user_name = each.value | ||
depends_on = [ | ||
btp_subaccount_subscription.project, | ||
btp_subaccount_trust_configuration.project | ||
] | ||
} | ||
|
||
|
||
resource "null_resource" "delay" { | ||
provisioner "local-exec" { | ||
command = "sleep 30" | ||
} | ||
depends_on = [ | ||
btp_subaccount_subscription.project | ||
] | ||
} | ||
|
||
|
||
|
||
### | ||
# Get Service Plan of API Service Broker | ||
### | ||
data "btp_subaccount_service_plan" "project" { | ||
subaccount_id = btp_subaccount.project.id | ||
name = var.api_plan | ||
offering_name = "${var.api_name}-${var.namespace}-${var.shootname}" | ||
depends_on = [ | ||
null_resource.delay | ||
] | ||
} | ||
|
||
|
||
### | ||
# Setup API Service Instance | ||
### | ||
resource "btp_subaccount_service_instance" "project" { | ||
subaccount_id = btp_subaccount.project.id | ||
serviceplan_id = data.btp_subaccount_service_plan.project.id | ||
name = var.app_name | ||
depends_on = [ | ||
null_resource.delay | ||
] | ||
} | ||
|
||
|
||
### | ||
# Setup Binding for API Service Instance | ||
### | ||
resource "btp_subaccount_service_binding" "project" { | ||
subaccount_id = btp_subaccount.project.id | ||
service_instance_id = btp_subaccount_service_instance.project.id | ||
name = "default" | ||
depends_on = [ | ||
btp_subaccount_service_instance.project | ||
] | ||
} | ||
|
||
|
||
### | ||
# Get Subaccount details | ||
### | ||
data "btp_subaccount" "project" { | ||
id = btp_subaccount.project.id | ||
} | ||
|
||
|
||
### | ||
# Configure SAP IAS Settings | ||
### | ||
resource "null_resource" "ias_config" { | ||
provisioner "local-exec" { | ||
command = <<EOT | ||
btp login --user '${var.username}' --password '${var.password}' --subdomain '${var.globacct}' --url https://cpcli.cf.eu10.hana.ondemand.com | ||
btp update security/trust sap.custom --subaccount ${btp_subaccount.project.id} --auto-create-shadow-users false | ||
btp update security/trust sap.default --subaccount ${btp_subaccount.project.id} --available-for-user-logon false | ||
EOT | ||
interpreter = ["/bin/bash", "-c"] | ||
} | ||
depends_on = [ | ||
btp_subaccount_trust_configuration.project | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
output "subaccount_id" { | ||
value = btp_subaccount.project.id | ||
description = "The ID of the project subaccount." | ||
} | ||
|
||
output "subaccount_name" { | ||
value = btp_subaccount.project.name | ||
description = "The name of the project subaccount." | ||
} |
16 changes: 16 additions & 0 deletions
16
docu/4-expert/-Kyma-/btp-terraform-setup/files/provider.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
terraform { | ||
required_providers { | ||
btp = { | ||
source = "sap/btp" | ||
version = "0.2.0-beta2" | ||
} | ||
} | ||
} | ||
|
||
# Please checkout documentation on how best to authenticate | ||
# against SAP BTP via the Terraform provider for SAP BTP | ||
provider "btp" { | ||
globalaccount = var.globacct | ||
username = var.username | ||
password = var.password | ||
} |
21 changes: 21 additions & 0 deletions
21
docu/4-expert/-Kyma-/btp-terraform-setup/files/terraform.tfvars
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# If you comment out the variables, the default values are taken defined in the variables.tf file | ||
|
||
name = "susaas" # Subaccount name/subdomain = "${name}-{stage}" | ||
stage = "dev" # Subaccount subdomain = "${name}-{stage}" | ||
|
||
globacct = "sap-demo" | ||
username = "[email protected]" | ||
password = "abcd1234!?#+" | ||
region = "eu10" # Kyma Cluster region | ||
shootname = "a1b2c3" # Kyma Cluster shootname | ||
namespace = "default" # Kyma Cluster namespace | ||
ias_host = "sap-demo.accounts.ondemand.com" | ||
|
||
# Do not include the Global Admin used above | ||
subaccount_admins = ["[email protected]"] | ||
|
||
app_name = "susaas" | ||
api_name = "susaas-api" | ||
saas_admins = ["[email protected]"] | ||
saas_members = ["[email protected]"] | ||
saas_extends = ["[email protected]"] |
137 changes: 137 additions & 0 deletions
137
docu/4-expert/-Kyma-/btp-terraform-setup/files/variables.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,137 @@ | ||
|
||
|
||
variable "name" { | ||
type = string | ||
description = "The account name." | ||
|
||
validation { | ||
condition = can(regex("^[a-zA-Z0-9_\\-]{1,200}", var.name)) | ||
error_message = "Provide a valid project account name." | ||
} | ||
} | ||
|
||
|
||
variable "globacct" { | ||
type = string | ||
description = "The Global Account subdomain." | ||
} | ||
|
||
|
||
variable "username" { | ||
type = string | ||
description = "Global Administrator e-mail address." | ||
} | ||
|
||
|
||
variable "password" { | ||
type = string | ||
description = "Global Administrator password." | ||
} | ||
|
||
|
||
variable "stage" { | ||
type = string | ||
description = "The stage/tier the account will be used for." | ||
default = "dev" | ||
|
||
validation { | ||
condition = contains(["dev", "test", "prod"], var.stage) | ||
error_message = "Select a valid stage for the project account." | ||
} | ||
} | ||
|
||
|
||
variable "region" { | ||
type = string | ||
description = "The region where the project account shall be created in." | ||
} | ||
|
||
|
||
variable "shootname" { | ||
type = string | ||
description = "The Kyma Cluster shootname which the project is deployed to." | ||
} | ||
|
||
|
||
variable "namespace" { | ||
type = string | ||
description = "The Kyma Cluster namespace which the project is deployed to." | ||
default = "default" | ||
} | ||
|
||
|
||
variable "ias_host" { | ||
type = string | ||
description = "The host of the customers SAP IAS tenant for central user management." | ||
} | ||
|
||
|
||
variable "subaccount_admins" { | ||
type = list(string) | ||
description = "The Subaccount Admin(s)." | ||
|
||
validation { | ||
condition = can([for s in var.subaccount_admins : regex("^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$", s)]) | ||
error_message = "Provide a valid subaccount administrator." | ||
} | ||
} | ||
|
||
variable "saas_admins" { | ||
type = list(string) | ||
description = "The SaaS Admin(s)." | ||
|
||
validation { | ||
condition = can([for s in var.saas_admins : regex("^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$", s)]) | ||
error_message = "Provide a valid SaaS administrator." | ||
} | ||
} | ||
|
||
|
||
variable "saas_members" { | ||
type = list(string) | ||
description = "The SaaS Member(s)." | ||
|
||
validation { | ||
condition = can([for s in var.saas_members : regex("^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$", s)]) | ||
error_message = "Provide a valid SaaS member." | ||
} | ||
} | ||
|
||
|
||
variable "saas_extends" { | ||
type = list(string) | ||
description = "The SaaS Extension Developer(s)." | ||
|
||
validation { | ||
condition = can([for s in var.saas_extends : regex("^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$", s)]) | ||
error_message = "Provide a valid SaaS extension developer." | ||
} | ||
} | ||
|
||
|
||
variable "app_name" { | ||
type = string | ||
description = "The name of the SaaS application to be subscribed." | ||
default = "susaas" | ||
} | ||
|
||
|
||
variable "api_name" { | ||
type = string | ||
description = "The name of the SaaS API Service Broker." | ||
default = "susaas-api" | ||
} | ||
|
||
|
||
variable "app_plan" { | ||
type = string | ||
description = "The service plan of the SaaS subscription." | ||
default = "trial" | ||
} | ||
|
||
|
||
variable "api_plan" { | ||
type = string | ||
description = "The service plan of the API Service Broker." | ||
default = "trial" | ||
} |