diff --git a/released/discovery_center/mission_4441/minimal_setup_enterprise/step1/main.tf b/released/discovery_center/mission_4441/minimal_setup_enterprise/step1/main.tf
index 25697871..2f40e0f4 100644
--- a/released/discovery_center/mission_4441/minimal_setup_enterprise/step1/main.tf
+++ b/released/discovery_center/mission_4441/minimal_setup_enterprise/step1/main.tf
@@ -150,8 +150,13 @@ locals {
   subaccount_admins = var.subaccount_admins
   build_code_admins = var.build_code_admins
   build_code_developers = var.build_code_developers
+
+  custom_idp_tenant = var.custom_idp != "" ? element(split(".", var.custom_idp), 0) : ""
+  origin_key = local.custom_idp_tenant != "" ? "${local.custom_idp_tenant}-platform" : ""
 }
 
+data "btp_whoami" "me" {}
+
 # Get all roles in the subaccount
 data "btp_subaccount_roles" "all" {
   subaccount_id = data.btp_subaccount.dc_mission.id
@@ -166,6 +171,7 @@ resource "btp_subaccount_role_collection_assignment" "subaccount_admin" {
   subaccount_id = data.btp_subaccount.dc_mission.id
   role_collection_name = "Subaccount Administrator"
   user_name = each.value
+  origin = local.origin_key
   depends_on = [btp_subaccount.dc_mission]
 }
 
@@ -192,6 +198,16 @@ resource "btp_subaccount_role_collection_assignment" "build_code_administrator"
   subaccount_id = data.btp_subaccount.dc_mission.id
   role_collection_name = "Build Code Administrator"
   user_name = each.value
+  origin = var.custom_idp_apps_origin_key
+  depends_on = [btp_subaccount_role_collection.build_code_administrator]
+}
+# Assign logged in user to the role collection "Build Code Administrator" if not custom idp user
+resource "btp_subaccount_role_collection_assignment" "build_code_administrator_default" {
+  count = data.btp_whoami.me.issuer != var.custom_idp ? 1 : 0
+  subaccount_id = data.btp_subaccount.dc_mission.id
+  role_collection_name = "Build Code Administrator"
+  user_name = data.btp_whoami.me.email
+  origin = "sap.default"
   depends_on = [btp_subaccount_role_collection.build_code_administrator]
 }
 
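Review bot: `origin_key` in the new locals falls back to the empty string when `var.custom_idp` is unset, and that value is then passed as `origin` on the Subaccount Administrator assignment in the next hunk (`origin = local.origin_key`), a resource that set no origin at all before this change. Whether the provider treats `""` as "use the default origin" or rejects it is not visible here, and the identical local in step2's main.tf falls back to `"sap.ids"` instead, so the two steps can disagree on which IdP the admins are looked up in. Consider `origin_key = local.custom_idp_tenant != "" ? "${local.custom_idp_tenant}-platform" : "sap.ids"` here as well, or a comment stating why the empty fallback is intended. The derivation `element(split(".", var.custom_idp), 0)` also deserves a comment saying that `custom_idp` is expected to be a host name whose first dot-separated label is the tenant.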
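Review bot: The guard `count = data.btp_whoami.me.issuer != var.custom_idp ? 1 : 0` grants "Build Code Administrator" to `data.btp_whoami.me.email` in the `sap.default` origin whenever the two strings differ, so it only does what the comment above it says if `btp_whoami`'s `issuer` is reported in exactly the same form as the value operators put into `custom_idp`; if it is not (a scheme prefix, different casing or a trailing path would be enough), the condition is always true and the role collection is assigned to whichever default-IdP user shares the operator's e-mail address, which is not necessarily the same person. Normalising both sides before comparing (for example lower-casing and stripping any scheme), or at least a comment stating the expected `issuer` format, would make the intent checkable. The same comparison is repeated in `build_code_developer_default` in the next hunk and in the `available_for_user_logon` local of step2's main.tf.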
@@ -218,6 +234,17 @@ resource "btp_subaccount_role_collection_assignment" "build_code_developer" {
   subaccount_id = data.btp_subaccount.dc_mission.id
   role_collection_name = "Build Code Developer"
   user_name = each.value
+  origin = var.custom_idp_apps_origin_key
+  depends_on = [btp_subaccount_role_collection.build_code_developer]
+}
+
+# Assign logged in user to the role collection "Build Code Developer" if not custom idp user
+resource "btp_subaccount_role_collection_assignment" "build_code_developer_default" {
+  count = data.btp_whoami.me.issuer != var.custom_idp ? 1 : 0
+  subaccount_id = data.btp_subaccount.dc_mission.id
+  role_collection_name = "Build Code Developer"
+  user_name = data.btp_whoami.me.email
+  origin = "sap.default"
   depends_on = [btp_subaccount_role_collection.build_code_developer]
 }
 
@@ -229,6 +256,7 @@ resource "local_file" "output_vars_step1" {
   content = <<-EOT
   globalaccount = "${var.globalaccount}"
   cli_server_url = ${jsonencode(var.cli_server_url)}
+  custom_idp = ${jsonencode(var.custom_idp)}
 
   subaccount_id = "${data.btp_subaccount.dc_mission.id}"
 
@@ -237,7 +265,7 @@ resource "local_file" "output_vars_step1" {
   cf_org_id = "${jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["Org ID"]}"
   cf_org_name = "${jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["Org Name"]}"
 
-  origin_key = "${var.origin}"
+  origin_key = "${local.origin_key}"
 
   cf_space_name = "${var.cf_space_name}"
 
diff --git a/released/discovery_center/mission_4441/minimal_setup_enterprise/step1/outputs.tf b/released/discovery_center/mission_4441/minimal_setup_enterprise/step1/outputs.tf
index 24b2aa88..54233f42 100644
--- a/released/discovery_center/mission_4441/minimal_setup_enterprise/step1/outputs.tf
+++ b/released/discovery_center/mission_4441/minimal_setup_enterprise/step1/outputs.tf
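Review bot: The generated tfvars file still writes `origin_key = "${local.origin_key}"`, but step2's main.tf in this same commit stops reading `var.origin_key` and derives its own `local.origin_key` from `custom_idp`, so the value is either unused (if step2 still declares the variable) or produces an undeclared-variable warning on every step2 run (if it does not; the step2 variables.tf hunk only shows `custom_idp` and `custom_idp_tenant` being added). Either drop the line or add a comment such as `# kept for compatibility; step2 derives origin_key from custom_idp` so the next reader knows the value is not consumed. Note also that with `custom_idp` unset this line writes `origin_key = ""`.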
@@ -1,15 +1,3 @@
-/*
-output "globalaccount" {
-  value = var.globalaccount
-  description = "The Global Account subdomain."
-}
-
-output "cli_server_url" {
-  value = var.cli_server_url
-  description = "The BTP CLI server URL."
-}
-*/
-
 output "subaccount_id" {
   value = data.btp_subaccount.dc_mission.id
   description = "The ID of the subaccount."
diff --git a/released/discovery_center/mission_4441/minimal_setup_enterprise/step1/variables.tf b/released/discovery_center/mission_4441/minimal_setup_enterprise/step1/variables.tf
index 680ea7ae..c4ab32eb 100644
--- a/released/discovery_center/mission_4441/minimal_setup_enterprise/step1/variables.tf
+++ b/released/discovery_center/mission_4441/minimal_setup_enterprise/step1/variables.tf
@@ -18,6 +18,12 @@ variable "custom_idp" {
   default = ""
 }
 
+variable "custom_idp_apps_origin_key" {
+  type = string
+  description = "The custom identity provider for the subaccount."
+  default = "sap.custom"
+}
+
 variable "region" {
   type = string
   description = "The region where the subaccount shall be created in."
@@ -50,9 +56,8 @@ variable "origin" {
 variable "origin_key" {
   type = string
   description = "Defines the origin key of the identity provider"
-  default = "sap.ids"
-  # The value for the origin_key can be defined
-  # but are normally set to "sap.ids", "sap.default" or "sap.custom"
+  default = ""
+  # The value for the origin_key can be defined, set to "sap.ids", "sap.default" or "sap.custom"
 }
 
 variable "cf_landscape_label" {
diff --git a/released/discovery_center/mission_4441/minimal_setup_enterprise/step2/main.tf b/released/discovery_center/mission_4441/minimal_setup_enterprise/step2/main.tf
index 31aabf94..f72749f7 100644
--- a/released/discovery_center/mission_4441/minimal_setup_enterprise/step2/main.tf
+++ b/released/discovery_center/mission_4441/minimal_setup_enterprise/step2/main.tf
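Review bot: The description of the new `custom_idp_apps_origin_key` variable (`"The custom identity provider for the subaccount."`) does not describe what the variable holds; its default `"sap.custom"` and its use as `origin` on the Build Code role collection assignments in step1's main.tf show it is an origin key, not an IdP host name. Suggest `description = "Origin key of the custom identity provider under which the Build Code admins and developers are looked up (e.g. sap.custom)."`.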
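Review bot: `origin_key` now defaults to `""` while the rewritten comment below it still presents `"sap.ids"`, `"sap.default"` or `"sap.custom"` as the values to set, and none of the step1 main.tf hunks in this commit read `var.origin_key` (they use `local.origin_key`), nor `var.origin`, which the old output file used. If neither variable is consumed elsewhere in step1, removing them is cleaner than leaving an empty default; otherwise the comment should say what the empty value means, e.g. `# Leave empty to derive the origin key from custom_idp; otherwise "sap.ids", "sap.default" or "sap.custom"`.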
@@ -1,3 +1,22 @@
+# ------------------------------------------------------------------------------------------------------
+# Import custom trust config and disable for user login
+# ------------------------------------------------------------------------------------------------------
+locals {
+  available_for_user_logon = data.btp_whoami.me.issuer != var.custom_idp ? true : false
+}
+
+import {
+  to = btp_subaccount_trust_configuration.default
+  id = "${var.subaccount_id},sap.default"
+}
+
+resource "btp_subaccount_trust_configuration" "default" {
+  subaccount_id = var.subaccount_id
+  identity_provider = ""
+  auto_create_shadow_users = false
+  available_for_user_logon = local.available_for_user_logon
+}
+
 # ------------------------------------------------------------------------------------------------------
 # Create the Cloud Foundry space
 # ------------------------------------------------------------------------------------------------------
@@ -15,11 +34,15 @@ resource "cloudfoundry_space" "dev" {
 data "btp_whoami" "me" {}
 
 locals {
-  # Remove current user
-  cf_org_admins = setsubtract(toset(var.cf_org_admins), [data.btp_whoami.me.email])
+  # Remove current user if issuer (idp) of logged in user is not same as used custom idp
+  cf_org_admins = data.btp_whoami.me.issuer != var.custom_idp ? var.cf_org_admins : setsubtract(toset(var.cf_org_admins), [data.btp_whoami.me.email])
 
   cf_space_managers = var.cf_space_managers
   cf_space_developers = var.cf_space_developers
+
+  # get origin_key from custom.idp
+  custom_idp_tenant = var.custom_idp != "" ? element(split(".", var.custom_idp), 0) : ""
+  origin_key = local.custom_idp_tenant != "" ? "${local.custom_idp_tenant}-platform" : "sap.ids"
 }
 
 # ------------------------------------------------------------------------------------------------------
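Review bot: The imported `sap.default` trust configuration is managed with fixed `identity_provider = ""` and `auto_create_shadow_users = false`, so the first apply after the import will overwrite whatever those attributes currently hold on the existing default trust, and it sets `available_for_user_logon` to false for the whole default IdP, not just the operator, as soon as the operator's `issuer` equals `var.custom_idp`. That is a lockout of everyone who still signs in through the default IdP, and it relies on the same string comparison as step1: a mismatch fails open (default logon stays enabled), a match the operator did not expect removes the fallback login path. `available_for_user_logon = data.btp_whoami.me.issuer != var.custom_idp` is equivalent to the `? true : false` form, and a comment stating that the custom IdP trust must already exist in this subaccount before this block is applied would make the precondition explicit. `data "btp_whoami" "me"` referenced here is declared further down in the same file (see the next hunk), which is valid but worth a one-line comment for readers scanning top-down.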
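Review bot: The new comment `# Remove current user if issuer (idp) of logged in user is not same as used custom idp` states the opposite of the expression below it: `issuer != var.custom_idp ? var.cf_org_admins : setsubtract(...)` keeps the full list when the issuers differ and removes the current user only when they match. Suggest `# Remove the current user only when they logged in via the custom idp; keep the full list otherwise`. As a consistency point, `origin_key` here falls back to `"sap.ids"` while the identical local added to step1's main.tf in this commit falls back to `""`; the two should agree or the difference should be commented.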
@@ -30,7 +53,7 @@ resource "cloudfoundry_org_role" "organization_user" {
   username = each.value
   type = "organization_user"
   org = var.cf_org_id
-  origin = var.origin_key
+  origin = local.origin_key
 }
 
 # ------------------------------------------------------------------------------------------------------
@@ -41,7 +64,7 @@ resource "cloudfoundry_org_role" "organization_manager" {
   username = each.value
   type = "organization_manager"
   org = var.cf_org_id
-  origin = var.origin_key
+  origin = local.origin_key
   depends_on = [cloudfoundry_org_role.organization_user]
 }
 
@@ -54,7 +77,7 @@ resource "cloudfoundry_space_role" "space_manager" {
   username = each.value
   type = "space_manager"
   space = cloudfoundry_space.dev.id
-  origin = var.origin_key
+  origin = local.origin_key
   depends_on = [cloudfoundry_org_role.organization_manager]
 }
 
@@ -66,6 +89,6 @@ resource "cloudfoundry_space_role" "space_developer" {
   username = each.value
   type = "space_developer"
   space = cloudfoundry_space.dev.id
-  origin = var.origin_key
+  origin = local.origin_key
   depends_on = [cloudfoundry_org_role.organization_manager]
 }
diff --git a/released/discovery_center/mission_4441/minimal_setup_enterprise/step2/variables.tf b/released/discovery_center/mission_4441/minimal_setup_enterprise/step2/variables.tf
index a02b8ca9..65560129 100644
--- a/released/discovery_center/mission_4441/minimal_setup_enterprise/step2/variables.tf
+++ b/released/discovery_center/mission_4441/minimal_setup_enterprise/step2/variables.tf
@@ -19,6 +19,18 @@ variable "cli_server_url" {
   default = "https://cli.btp.cloud.sap"
 }
 
+variable "custom_idp" {
+  type = string
+  description = "Defines the custom IDP to be used for the subaccount"
+  default = ""
+}
+
+variable "custom_idp_tenant" {
+  type = string
+  description = "workaround"
+  default = ""
+}
+
 variable "cf_api_url" {
   type = string
   description = "The Cloud Foundry API endpoint from the Cloud Foundry environment instance."
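Review bot: `variable "custom_idp_tenant"` carries `description = "workaround"`, which tells a reader nothing, and no step2 hunk in this commit references `var.custom_idp_tenant` — step2's main.tf computes its own `local.custom_idp_tenant` from `var.custom_idp`. If the variable exists only so that an entry in a generated tfvars file does not trigger an undeclared-variable warning, say so, e.g. `description = "Unused; accepted so that a custom_idp_tenant entry in a generated tfvars file does not warn."`; but the step1 output hunks visible here only add `custom_idp`, so the variable may be removable altogether.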