First version of Terraform Subscriber Setup
martinfrick committed Aug 10, 2023
1 parent 3e66b6d commit 150500e
Showing 5 changed files with 359 additions and 0 deletions.
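--- a/docu/4-expert/-Kyma-/btp-terraform-setup/files/main.tf
+++ b/docu/4-expert/-Kyma-/btp-terraform-setup/files/main.tf
@@ -0,0 +1,176 @@
+
+###
+data "btp_globalaccount" "project" {}
+###
+
+###
+# Setup Subaccount
+###
+resource "btp_subaccount" "project" {
+name = "${var.name}-${var.stage}"
+subdomain = lower(replace("${var.name}-${var.stage}", " ", "-"))
+region = lower(var.region)
+}
+
+
+###
+# Setup Trust configuration
+###
+resource "btp_subaccount_trust_configuration" "project" {
+subaccount_id = btp_subaccount.project.id
+identity_provider = var.ias_host
+}
+
+###
+# Setup Subscription
+###
+resource "btp_subaccount_subscription" "project" {
+subaccount_id = btp_subaccount.project.id
+app_name = "${var.app_name}-${var.namespace}-${var.shootname}"
+plan_name = var.app_plan
+}
+
+###
+# Setup Subaccount Admins
+###
+resource "btp_subaccount_role_collection_assignment" "subaccount_admins" {
+for_each = { for user in var.subaccount_admins : user => user }
+subaccount_id = btp_subaccount.project.id
+origin = "sap.default"
+role_collection_name = "Subaccount Administrator"
+user_name = each.value
+}
+
+
+###
+# Setup Subaccount Viewers
+###
+resource "btp_subaccount_role_collection_assignment" "subaccount_viewers" {
+for_each = { for user in var.saas_admins : user => user }
+subaccount_id = btp_subaccount.project.id
+origin = "${split(".", var.ias_host)[0]}-platform"
+role_collection_name = "Subaccount Viewer"
+user_name = each.value
+}
+
+
+###
+# Setup SaaS Admins
+###
+resource "btp_subaccount_role_collection_assignment" "saas_admins" {
+for_each = { for user in var.saas_admins : user => user }
+subaccount_id = btp_subaccount.project.id
+origin = "sap.custom"
+role_collection_name = "Susaas Administrator (${var.app_name}-${var.namespace})"
+user_name = each.value
+depends_on = [
+btp_subaccount_subscription.project,
+btp_subaccount_trust_configuration.project
+]
+}
+
+###
+# Setup SaaS Members
+###
+resource "btp_subaccount_role_collection_assignment" "saas_members" {
+for_each = { for user in var.saas_members : user => user }
+subaccount_id = btp_subaccount.project.id
+origin = "sap.custom"
+role_collection_name = "Susaas Member (${var.app_name}-${var.namespace})"
+user_name = each.value
+depends_on = [
+btp_subaccount_subscription.project,
+btp_subaccount_trust_configuration.project
+]
+}
+
+###
+# Setup SaaS Extension Developers
+###
+resource "btp_subaccount_role_collection_assignment" "saas_extends" {
+for_each = { for user in var.saas_extends : user => user }
+subaccount_id = btp_subaccount.project.id
+origin = "sap.custom"
+role_collection_name = "Susaas Extension Developer (${var.app_name}-${var.namespace})"
+user_name = each.value
+depends_on = [
+btp_subaccount_subscription.project,
+btp_subaccount_trust_configuration.project
+]
+}
+
+
+resource "null_resource" "delay" {
+provisioner "local-exec" {
+command = "sleep 30"
+}
+depends_on = [
+btp_subaccount_subscription.project
+]
+}
+
+
+
+###
+# Get Service Plan of API Service Broker
+###
+data "btp_subaccount_service_plan" "project" {
+subaccount_id = btp_subaccount.project.id
+name = var.api_plan
+offering_name = "${var.api_name}-${var.namespace}-${var.shootname}"
+depends_on = [
+null_resource.delay
+]
+}
+
+
+###
+# Setup API Service Instance
+###
+resource "btp_subaccount_service_instance" "project" {
+subaccount_id = btp_subaccount.project.id
+serviceplan_id = data.btp_subaccount_service_plan.project.id
+name = var.app_name
+depends_on = [
+null_resource.delay
+]
+}
+
+
+###
+# Setup Binding for API Service Instance
+###
+resource "btp_subaccount_service_binding" "project" {
+subaccount_id = btp_subaccount.project.id
+service_instance_id = btp_subaccount_service_instance.project.id
+name = "default"
+depends_on = [
+btp_subaccount_service_instance.project
+]
+}
+
+
+###
+# Get Subaccount details
+###
+data "btp_subaccount" "project" {
+id = btp_subaccount.project.id
+}
+
+
+###
+# Configure SAP IAS Settings
+###
+resource "null_resource" "ias_config" {
+provisioner "local-exec" {
+command = <<EOT
+btp login --user '${var.username}' --password '${var.password}' --subdomain '${var.globacct}' --url https://cpcli.cf.eu10.hana.ondemand.com
+btp update security/trust sap.custom --subaccount ${btp_subaccount.project.id} --auto-create-shadow-users false
+btp update security/trust sap.default --subaccount ${btp_subaccount.project.id} --available-for-user-logon false
+EOT
+interpreter = ["/bin/bash", "-c"]
+}
+depends_on = [
+btp_subaccount_trust_configuration.project
+]
+}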
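Review bot: The `btp login` line in the ias_config provisioner interpolates `var.password` directly into the shell command string, and local-exec echoes the expanded command (`Executing: ["/bin/bash" "-c" "..."]`) into the apply output, so the Global Administrator password lands in the terminal or CI log of every apply. Passing the credentials through the provisioner's `environment` map and expanding them as double-quoted shell variables keeps them out of the logged command and also removes the current breakage when the password contains a `'`; the password still appears in the btp process arguments on the runner, so the CLI's own non-interactive credential mechanism is the better option if it has one. The login URL is pinned to `cpcli.cf.eu10.hana.ondemand.com` although the region is a variable, which deserves at least a comment. The `sleep 30` in null_resource.delay is a timing guess; a comment such as `# give the subscription time to expose its service offering before it is looked up` would tell the next maintainer what it waits for.
```hcl
resource "null_resource" "ias_config" {
provisioner "local-exec" {
# Credentials go through the process environment rather than the command
# string, which local-exec prints to the apply output.
environment = {
BTP_LOGIN_USER     = var.username
BTP_LOGIN_PASSWORD = var.password
}
command = <<EOT
btp login --user "$BTP_LOGIN_USER" --password "$BTP_LOGIN_PASSWORD" --subdomain '${var.globacct}' --url https://cpcli.cf.eu10.hana.ondemand.com
# … unchanged: the two "btp update security/trust" calls …
EOT
# … unchanged: interpreter, depends_on and closing braces …
```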
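--- a/docu/4-expert/-Kyma-/btp-terraform-setup/files/outputs.tf
+++ b/docu/4-expert/-Kyma-/btp-terraform-setup/files/outputs.tf
@@ -0,0 +1,9 @@
+output "subaccount_id" {
+value = btp_subaccount.project.id
+description = "The ID of the project subaccount."
+}
+
+output "subaccount_name" {
+value = btp_subaccount.project.name
+description = "The name of the project subaccount."
+}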
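--- a/docu/4-expert/-Kyma-/btp-terraform-setup/files/provider.tf
+++ b/docu/4-expert/-Kyma-/btp-terraform-setup/files/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+required_providers {
+btp = {
+source = "sap/btp"
+version = "0.2.0-beta2"
+}
+}
+}
+
+# Please checkout documentation on how best to authenticate
+# against SAP BTP via the Terraform provider for SAP BTP
+provider "btp" {
+globalaccount = var.globacct
+username = var.username
+password = var.password
+}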
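--- a/docu/4-expert/-Kyma-/btp-terraform-setup/files/terraform.tfvars
+++ b/docu/4-expert/-Kyma-/btp-terraform-setup/files/terraform.tfvars
@@ -0,0 +1,21 @@
+# If you comment out the variables, the default values are taken defined in the variables.tf file
+
+name = "susaas" # Subaccount name/subdomain = "${name}-{stage}"
+stage = "dev" # Subaccount subdomain = "${name}-{stage}"
+
+globacct = "sap-demo"
+username = "[email protected]"
+password = "abcd1234!?#+"
+region = "eu10" # Kyma Cluster region
+shootname = "a1b2c3" # Kyma Cluster shootname
+namespace = "default" # Kyma Cluster namespace
+ias_host = "sap-demo.accounts.ondemand.com"
+
+# Do not include the Global Admin used above
+subaccount_admins = ["[email protected]"]
+
+app_name = "susaas"
+api_name = "susaas-api"
+saas_admins = ["[email protected]"]
+saas_members = ["[email protected]"]
+saas_extends = ["[email protected]"]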
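Review bot: `password = "abcd1234!?#+"` places a Global Administrator credential in a tracked `terraform.tfvars`, and because the provider reads `var.password`, anyone following this guide will put their real password in the same file and is likely to commit it. Leaving the line out, with a comment such as `# password: supply via the TF_VAR_password environment variable or -var, never in a tracked file`, keeps the sample runnable without teaching that habit; the same applies to `username`. The comments on the `name` and `stage` lines say `"${name}-{stage}"` while main.tf builds `"${var.name}-${var.stage}"`; `"${name}-${stage}"` would match the actual value.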
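--- a/docu/4-expert/-Kyma-/btp-terraform-setup/files/variables.tf
+++ b/docu/4-expert/-Kyma-/btp-terraform-setup/files/variables.tf
@@ -0,0 +1,137 @@
+
+
+variable "name" {
+type = string
+description = "The account name."
+
+validation {
+condition = can(regex("^[a-zA-Z0-9_\\-]{1,200}", var.name))
+error_message = "Provide a valid project account name."
+}
+}
+
+
+variable "globacct" {
+type = string
+description = "The Global Account subdomain."
+}
+
+
+variable "username" {
+type = string
+description = "Global Administrator e-mail address."
+}
+
+
+variable "password" {
+type = string
+description = "Global Administrator password."
+}
+
+
+variable "stage" {
+type = string
+description = "The stage/tier the account will be used for."
+default = "dev"
+
+validation {
+condition = contains(["dev", "test", "prod"], var.stage)
+error_message = "Select a valid stage for the project account."
+}
+}
+
+
+variable "region" {
+type = string
+description = "The region where the project account shall be created in."
+}
+
+
+variable "shootname" {
+type = string
+description = "The Kyma Cluster shootname which the project is deployed to."
+}
+
+
+variable "namespace" {
+type = string
+description = "The Kyma Cluster namespace which the project is deployed to."
+default = "default"
+}
+
+
+variable "ias_host" {
+type = string
+description = "The host of the customers SAP IAS tenant for central user management."
+}
+
+
+variable "subaccount_admins" {
+type = list(string)
+description = "The Subaccount Admin(s)."
+
+validation {
+condition = can([for s in var.subaccount_admins : regex("^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$", s)])
+error_message = "Provide a valid subaccount administrator."
+}
+}
+
+variable "saas_admins" {
+type = list(string)
+description = "The SaaS Admin(s)."
+
+validation {
+condition = can([for s in var.saas_admins : regex("^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$", s)])
+error_message = "Provide a valid SaaS administrator."
+}
+}
+
+
+variable "saas_members" {
+type = list(string)
+description = "The SaaS Member(s)."
+
+validation {
+condition = can([for s in var.saas_members : regex("^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$", s)])
+error_message = "Provide a valid SaaS member."
+}
+}
+
+
+variable "saas_extends" {
+type = list(string)
+description = "The SaaS Extension Developer(s)."
+
+validation {
+condition = can([for s in var.saas_extends : regex("^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$", s)])
+error_message = "Provide a valid SaaS extension developer."
+}
+}
+
+
+variable "app_name" {
+type = string
+description = "The name of the SaaS application to be subscribed."
+default = "susaas"
+}
+
+
+variable "api_name" {
+type = string
+description = "The name of the SaaS API Service Broker."
+default = "susaas-api"
+}
+
+
+variable "app_plan" {
+type = string
+description = "The service plan of the SaaS subscription."
+default = "trial"
+}
+
+
+variable "api_plan" {
+type = string
+description = "The service plan of the API Service Broker."
+default = "trial"
+}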
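Review bot: The `name` validation is anchored only at the start, so `can(regex("^[a-zA-Z0-9_\\-]{1,200}", var.name))` succeeds for any value whose first character is allowed — a 300-character name or one containing spaces or slashes after a valid first character both pass, and the subdomain derived from it in main.tf is then built from an unchecked string; `condition = can(regex("^[a-zA-Z0-9_\\-]{1,200}$", var.name))` gives the length and character-set check the error message promises. The `password` variable is read by the provider and by a local-exec command but is not declared sensitive, so Terraform will print it wherever the value surfaces; adding `sensitive = true` to that block (and arguably to `username`) makes Terraform redact it in plan and apply output. The e-mail pattern's `[\\w-]{2,4}$` rejects top-level domains longer than four characters, which may be intentional but is worth stating in the description.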
