From 5cb32b4ae6ec33b1f1e14a7a2fcc8f17a22c8a9d Mon Sep 17 00:00:00 2001 From: Jens Glander Date: Mon, 16 Sep 2024 17:28:54 +0200 Subject: [PATCH 1/4] 3260: Fix & Polished the QAS enabled Mission * Fix: Added CF environment * Polished script code to be consistent with other QAS Missions --- .../discovery_center/mission_3260/main.tf | 113 --------- .../mission_3260/sample.tfvars | 16 -- .../mission_3260/{ => step1}/README.md | 0 .../mission_3260/step1/main.tf | 226 ++++++++++++++++++ .../mission_3260/{ => step1}/outputs.tf | 0 .../mission_3260/{ => step1}/provider.tf | 0 .../mission_3260/step1/sample.tfvars | 32 +++ .../mission_3260/step1/variables.tf | 174 ++++++++++++++ .../mission_3260/step2/main.tf | 95 ++++++++ .../mission_3260/step2/provider.tf | 22 ++ .../mission_3260/step2/variables.tf | 108 +++++++++ .../mission_3260/variables.tf | 80 ------- 12 files changed, 657 insertions(+), 209 deletions(-) delete mode 100644 released/discovery_center/mission_3260/main.tf delete mode 100644 released/discovery_center/mission_3260/sample.tfvars rename released/discovery_center/mission_3260/{ => step1}/README.md (100%) create mode 100644 released/discovery_center/mission_3260/step1/main.tf rename released/discovery_center/mission_3260/{ => step1}/outputs.tf (100%) rename released/discovery_center/mission_3260/{ => step1}/provider.tf (100%) create mode 100644 released/discovery_center/mission_3260/step1/sample.tfvars create mode 100644 released/discovery_center/mission_3260/step1/variables.tf create mode 100644 released/discovery_center/mission_3260/step2/main.tf create mode 100644 released/discovery_center/mission_3260/step2/provider.tf create mode 100644 released/discovery_center/mission_3260/step2/variables.tf delete mode 100644 released/discovery_center/mission_3260/variables.tf diff --git a/released/discovery_center/mission_3260/main.tf b/released/discovery_center/mission_3260/main.tf deleted file mode 100644 index d003cffc..00000000 
--- a/released/discovery_center/mission_3260/main.tf +++ /dev/null 
@@ -1,113 +0,0 @@ -# ------------------------------------------------------------------------------------------------------ -# Subaccount setup for DC mission 3260 -# ------------------------------------------------------------------------------------------------------ -# Setup subaccount domain (to ensure uniqueness in BTP global account) -resource "random_uuid" "uuid" {} - -locals { - random_uuid = random_uuid.uuid.result - subaccount_domain = lower(replace("mission-3260-${local.random_uuid}", "_", "-")) -} - -# ------------------------------------------------------------------------------------------------------ -# Creation of subaccount -# ------------------------------------------------------------------------------------------------------ -resource "btp_subaccount" "dc_mission" { - count = var.subaccount_id == "" ? 1 : 0 - name = var.subaccount_name - subdomain = local.subaccount_domain - region = var.region -} - -data "btp_subaccount" "dc_mission" { - id = var.subaccount_id != "" ? var.subaccount_id : btp_subaccount.dc_mission[0].id -} - -# ------------------------------------------------------------------------------------------------------ -# Assign custom IDP to sub account (if custom_idp is set) -# ------------------------------------------------------------------------------------------------------ -resource "btp_subaccount_trust_configuration" "fully_customized" { - # Only create trust configuration if custom_idp has been set - count = var.custom_idp == "" ? 
0 : 1 - subaccount_id = data.btp_subaccount.dc_mission.id - identity_provider = var.custom_idp -} - -# ------------------------------------------------------------------------------------------------------ -# APP SUBSCRIPTIONS -# ------------------------------------------------------------------------------------------------------ -# -locals { - service_name__sap_process_automation = "process-automation" -} -# ------------------------------------------------------------------------------------------------------ -# Setup process-automation (SAP Build Process Automation) -# ------------------------------------------------------------------------------------------------------ -# Entitle -resource "btp_subaccount_entitlement" "build_process_automation" { - subaccount_id = data.btp_subaccount.dc_mission.id - service_name = local.service_name__sap_process_automation - plan_name = var.service_plan__sap_process_automation -} -# Subscribe -resource "btp_subaccount_subscription" "build_process_automation" { - subaccount_id = data.btp_subaccount.dc_mission.id - app_name = local.service_name__sap_process_automation - plan_name = var.service_plan__sap_process_automation - depends_on = [btp_subaccount_entitlement.build_process_automation] -} -# ------------------------------------------------------------------------------------------------------ -# USERS AND ROLES -# ------------------------------------------------------------------------------------------------------ -# ------------------------------------------------------------------------------------------------------ -# Assign role collection "Subaccount Administrator" -# ------------------------------------------------------------------------------------------------------ -resource "btp_subaccount_role_collection_assignment" "subaccount_admins" { - for_each = toset(var.subaccount_admins) - subaccount_id = data.btp_subaccount.dc_mission.id - role_collection_name = "Subaccount Administrator" - user_name = each.value -} - -# 
------------------------------------------------------------------------------------------------------ -# Assign role collection "Subaccount Service Administrator" -# ------------------------------------------------------------------------------------------------------ -resource "btp_subaccount_role_collection_assignment" "subaccount_service_admins" { - for_each = toset(var.subaccount_service_admins) - subaccount_id = data.btp_subaccount.dc_mission.id - role_collection_name = "Subaccount Service Administrator" - user_name = each.value -} - -# ------------------------------------------------------------------------------------------------------ -# Assign role collection "ProcessAutomationAdmin" -# ------------------------------------------------------------------------------------------------------ -resource "btp_subaccount_role_collection_assignment" "bpa_admins" { - depends_on = [btp_subaccount_subscription.build_process_automation] - for_each = toset(var.process_automation_admins) - subaccount_id = data.btp_subaccount.dc_mission.id - role_collection_name = "ProcessAutomationAdmin" - user_name = each.value -} - -# ------------------------------------------------------------------------------------------------------ -# Assign role collection "ProcessAutomationDeveloper" -# ------------------------------------------------------------------------------------------------------ -resource "btp_subaccount_role_collection_assignment" "sbpa_developers" { - depends_on = [btp_subaccount_subscription.build_process_automation] - for_each = toset(var.process_automation_developers) - subaccount_id = data.btp_subaccount.dc_mission.id - role_collection_name = "ProcessAutomationDeveloper" - user_name = each.value -} - -# ------------------------------------------------------------------------------------------------------ -# Assign role collection "ProcessAutomationParticipant" -# ------------------------------------------------------------------------------------------------------ 
-resource "btp_subaccount_role_collection_assignment" "sbpa_participants" { - depends_on = [btp_subaccount_subscription.build_process_automation] - for_each = toset(var.process_automation_participants) - subaccount_id = data.btp_subaccount.dc_mission.id - role_collection_name = "ProcessAutomationParticipant" - user_name = each.value -} \ No newline at end of file diff --git a/released/discovery_center/mission_3260/sample.tfvars b/released/discovery_center/mission_3260/sample.tfvars deleted file mode 100644 index f1bad83e..00000000 --- a/released/discovery_center/mission_3260/sample.tfvars +++ /dev/null @@ -1,16 +0,0 @@ -# ------------------------------------------------------------------------------------------------------ -# Account settings -# ------------------------------------------------------------------------------------------------------ -globalaccount = "" -region = "us10" - -# ------------------------------------------------------------------------------------------------------ -# Use case specific configuration (please adapt!) -# ------------------------------------------------------------------------------------------------------ -# Don't add the user, that is executing the TF script to subaccount_admins or subaccount_service_admins! -subaccount_admins = ["jane.doe@test.com", "john.doe@test.com"] -subaccount_service_admins = ["jane.doe@test.com", "john.doe@test.com"] - -process_automation_admins = ["jane.doe@test.com", "john.doe@test.com"] -process_automation_developers = ["jane.doe@test.com", "john.doe@test.com"] -process_automation_participants = ["jane.doe@test.com", "john.doe@test.com"] \ No newline at end of file diff --git a/released/discovery_center/mission_3260/README.md b/released/discovery_center/mission_3260/step1/README.md similarity index 100% rename from released/discovery_center/mission_3260/README.md rename to released/discovery_center/mission_3260/step1/README.md 
diff --git a/released/discovery_center/mission_3260/step1/main.tf b/released/discovery_center/mission_3260/step1/main.tf new file mode 100644 index 00000000..91169926 --- /dev/null +++ b/released/discovery_center/mission_3260/step1/main.tf 
@@ -0,0 +1,226 @@ +# ------------------------------------------------------------------------------------------------------ +# Subaccount setup for DC mission 3260 +# ------------------------------------------------------------------------------------------------------ +# Setup subaccount domain (to ensure uniqueness in BTP global account) +resource "random_uuid" "uuid" {} + +locals { + random_uuid = random_uuid.uuid.result + subaccount_domain = lower(replace("mission-3260-${local.random_uuid}", "_", "-")) +} + +# ------------------------------------------------------------------------------------------------------ +# Creation of subaccount +# ------------------------------------------------------------------------------------------------------ +resource "btp_subaccount" "dc_mission" { + count = var.subaccount_id == "" ? 1 : 0 + name = var.subaccount_name + subdomain = local.subaccount_domain + region = var.region +} + +data "btp_subaccount" "dc_mission" { + id = var.subaccount_id != "" ? var.subaccount_id : btp_subaccount.dc_mission[0].id +} + +# ------------------------------------------------------------------------------------------------------ +# Assign custom IDP to sub account (if custom_idp is set) +# ------------------------------------------------------------------------------------------------------ +resource "btp_subaccount_trust_configuration" "fully_customized" { + # Only create trust configuration if custom_idp has been set + count = var.custom_idp == "" ? 
0 : 1 + subaccount_id = data.btp_subaccount.dc_mission.id + identity_provider = var.custom_idp +} + +# ------------------------------------------------------------------------------------------------------ +# SERVICES +# ------------------------------------------------------------------------------------------------------ +# +locals { + service_name__cloudfoundry = "cloudfoundry" +} + +# ------------------------------------------------------------------------------------------------------ +# Setup cloudfoundry (Cloud Foundry Environment) +# ------------------------------------------------------------------------------------------------------ +# Fetch all available environments for the subaccount +data "btp_subaccount_environments" "all" { + subaccount_id = data.btp_subaccount.dc_mission.id +} +# Take the landscape label from the first CF environment if no environment label is provided (this replaces the previous null_resource) +resource "terraform_data" "cf_landscape_label" { + input = length(var.cf_landscape_label) > 0 ? 
var.cf_landscape_label : [for env in data.btp_subaccount_environments.all.values : env if env.service_name == "cloudfoundry" && env.environment_type == "cloudfoundry"][0].landscape_label +} +# Create instance +resource "btp_subaccount_environment_instance" "cloudfoundry" { + subaccount_id = data.btp_subaccount.dc_mission.id + name = "cf-${random_uuid.uuid.result}" + environment_type = "cloudfoundry" + service_name = local.service_name__cloudfoundry + plan_name = var.service_plan__cloudfoundry + landscape_label = terraform_data.cf_landscape_label.output + + parameters = jsonencode({ + instance_name = "cf-${random_uuid.uuid.result}" + }) +} + +# ------------------------------------------------------------------------------------------------------ +# APP SUBSCRIPTIONS +# ------------------------------------------------------------------------------------------------------ +# +locals { + service_name__sap_process_automation = "process-automation" +} +# ------------------------------------------------------------------------------------------------------ +# Setup process-automation (SAP Build Process Automation) +# ------------------------------------------------------------------------------------------------------ +# Entitle +resource "btp_subaccount_entitlement" "build_process_automation" { + subaccount_id = data.btp_subaccount.dc_mission.id + service_name = local.service_name__sap_process_automation + plan_name = var.service_plan__sap_process_automation +} +# Subscribe +resource "btp_subaccount_subscription" "build_process_automation" { + subaccount_id = data.btp_subaccount.dc_mission.id + app_name = local.service_name__sap_process_automation + plan_name = var.service_plan__sap_process_automation + depends_on = [btp_subaccount_entitlement.build_process_automation] +} +# ------------------------------------------------------------------------------------------------------ +# USERS AND ROLES +# 
------------------------------------------------------------------------------------------------------ +data "btp_whoami" "me" {} +# +locals { + subaccount_admins = var.subaccount_admins + subaccount_service_admins = var.subaccount_service_admins + + process_automation_admins = var.process_automation_admins + process_automation_developers = var.process_automation_developers + process_automation_participants = var.process_automation_participants + + custom_idp_tenant = var.custom_idp != "" ? element(split(".", var.custom_idp), 0) : "" + origin_key = local.custom_idp_tenant != "" ? "${local.custom_idp_tenant}-platform" : "" +} + +# ------------------------------------------------------------------------------------------------------ +# Assign role collection "Subaccount Administrator" +# ------------------------------------------------------------------------------------------------------ +resource "btp_subaccount_role_collection_assignment" "subaccount_admin" { + for_each = toset("${local.subaccount_admins}") + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "Subaccount Administrator" + user_name = each.value + origin = local.origin_key + depends_on = [btp_subaccount.dc_mission] +} + +# ------------------------------------------------------------------------------------------------------ +# Assign role collection "Subaccount Service Administrator" +# ------------------------------------------------------------------------------------------------------ +resource "btp_subaccount_role_collection_assignment" "subaccount_service_admin" { + for_each = toset("${local.subaccount_service_admins}") + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "Subaccount Service Administrator" + user_name = each.value + origin = local.origin_key + depends_on = [btp_subaccount.dc_mission] +} + +# ------------------------------------------------------------------------------------------------------ +# Assign role collection 
"ProcessAutomationAdmin" +# ------------------------------------------------------------------------------------------------------ +resource "btp_subaccount_role_collection_assignment" "process_automation_admins" { + for_each = toset(local.process_automation_admins) + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "ProcessAutomationAdmin" + user_name = each.value + origin = var.custom_idp_apps_origin_key + depends_on = [btp_subaccount_subscription.build_process_automation] +} + +# Assign logged in user to the role collection "ProcessAutomationAdmin" if not custom idp user +resource "btp_subaccount_role_collection_assignment" "process_automation_admins_default" { + count = data.btp_whoami.me.issuer != var.custom_idp ? 1 : 0 + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "ProcessAutomationAdmin" + user_name = data.btp_whoami.me.email + origin = "sap.default" + depends_on = [btp_subaccount_subscription.build_process_automation] +} + +# ------------------------------------------------------------------------------------------------------ +# Assign role collection "ProcessAutomationDeveloper" +# ------------------------------------------------------------------------------------------------------ +resource "btp_subaccount_role_collection_assignment" "process_automation_developers" { + for_each = toset(local.process_automation_developers) + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "ProcessAutomationDeveloper" + user_name = each.value + origin = var.custom_idp_apps_origin_key + depends_on = [btp_subaccount_subscription.build_process_automation] +} + +# Assign logged in user to the role collection "ProcessAutomationDeveloper" if not custom idp user +resource "btp_subaccount_role_collection_assignment" "process_automation_developers_default" { + count = data.btp_whoami.me.issuer != var.custom_idp ? 
1 : 0 + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "ProcessAutomationDeveloper" + user_name = data.btp_whoami.me.email + origin = "sap.default" + depends_on = [btp_subaccount_subscription.build_process_automation] +} + +# ------------------------------------------------------------------------------------------------------ +# Assign role collection "ProcessAutomationParticipant" +# ------------------------------------------------------------------------------------------------------ +resource "btp_subaccount_role_collection_assignment" "process_automation_participants" { + for_each = toset(local.process_automation_admins) + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "ProcessAutomationParticipant" + user_name = each.value + origin = var.custom_idp_apps_origin_key + depends_on = [btp_subaccount_subscription.build_process_automation] +} + +# Assign logged in user to the role collection "ProcessAutomationParticipant" if not custom idp user +resource "btp_subaccount_role_collection_assignment" "process_automation_participants_default" { + count = data.btp_whoami.me.issuer != var.custom_idp ? 1 : 0 + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "ProcessAutomationParticipant" + user_name = data.btp_whoami.me.email + origin = "sap.default" + depends_on = [btp_subaccount_subscription.build_process_automation] +} +# ------------------------------------------------------------------------------------------------------ +# Create tfvars file for step 2 (if variable `create_tfvars_file_for_step2` is set to true) +# ------------------------------------------------------------------------------------------------------ +resource "local_file" "output_vars_step1" { + count = var.create_tfvars_file_for_step2 ? 
1 : 0 + content = <<-EOT + globalaccount = "${var.globalaccount}" + cli_server_url = ${jsonencode(var.cli_server_url)} + custom_idp = ${jsonencode(var.custom_idp)} + + subaccount_id = "${data.btp_subaccount.dc_mission.id}" + + cf_api_url = "${jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["API Endpoint"]}" + + cf_org_id = "${jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["Org ID"]}" + cf_org_name = "${jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["Org Name"]}" + + origin_key = "${local.origin_key}" + + cf_space_name = "${var.cf_space_name}" + + cf_org_admins = ${jsonencode(var.cf_org_admins)} + cf_org_users = ${jsonencode(var.cf_org_users)} + cf_space_developers = ${jsonencode(var.cf_space_developers)} + cf_space_managers = ${jsonencode(var.cf_space_managers)} + + EOT + filename = "../step2/terraform.tfvars" +} diff --git a/released/discovery_center/mission_3260/outputs.tf b/released/discovery_center/mission_3260/step1/outputs.tf similarity index 100% rename from released/discovery_center/mission_3260/outputs.tf rename to released/discovery_center/mission_3260/step1/outputs.tf diff --git a/released/discovery_center/mission_3260/provider.tf b/released/discovery_center/mission_3260/step1/provider.tf similarity index 100% rename from released/discovery_center/mission_3260/provider.tf rename to released/discovery_center/mission_3260/step1/provider.tf diff --git a/released/discovery_center/mission_3260/step1/sample.tfvars b/released/discovery_center/mission_3260/step1/sample.tfvars new file mode 100644 index 00000000..93f42a61 --- /dev/null +++ b/released/discovery_center/mission_3260/step1/sample.tfvars 
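Review bot: The `process_automation_participants` role-collection assignment iterates the wrong list — `for_each = toset(local.process_automation_admins)` — so users listed in `var.process_automation_participants` never receive "ProcessAutomationParticipant" while every admin silently gets it; it should read `for_each = toset(local.process_automation_participants)`. The two subaccount admin assignments use the interpolation-only form `toset("${local.subaccount_admins}")`, which Terraform accepts only as a deprecated legacy case; `toset(local.subaccount_admins)` matches the other assignments in this file and avoids the warning. The `local_file` resource writes subaccount id, org ids and user lists to `../step2/terraform.tfvars`; a comment noting that this generated file is environment-specific and should not be committed would help the next user, `# NOTE: generated per environment, keep out of version control`.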
@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------------------------------------------
+# Provider configuration
+# ------------------------------------------------------------------------------------------------------
+custom_idp = "<>.accounts.ondemand.com"
+
+# ------------------------------------------------------------------------------------------------------
+# Account settings
+# ------------------------------------------------------------------------------------------------------
+globalaccount = ""
+region = "us10"
+
+subaccount_name = "Your Mission 3260 Subaccount Name"
+
+# ------------------------------------------------------------------------------------------------------
+# Use case specific configuration
+# ------------------------------------------------------------------------------------------------------
+subaccount_admins = ["another.sap-ids-user@test.com", "you@test.com"]
+subaccount_service_admins = ["another.sap-ids-user@test.com", "you@test.com"]
+
+process_automation_admins = ["another.sap-ids-user@test.com", "you@test.com"]
+process_automation_developers = ["another.sap-ids-user@test.com", "you@test.com"]
+process_automation_participants = ["another.sap-ids-user@test.com", "you@test.com"]
+
+cf_org_admins = ["another.sap-ids-user@test.com", "you@test.com"]
+cf_org_users = ["another.sap-ids-user@test.com", "you@test.com"]
+cf_space_managers = ["another.sap-ids-user@test.com", "you@test.com"]
+cf_space_developers = ["another.sap-ids-user@test.com", "you@test.com"]
+
+# ------------------------------------------------------------------------------------------------------
+# Create tfvars file for the step 2
+# ------------------------------------------------------------------------------------------------------
+create_tfvars_file_for_step2 = true
\ No newline at end of file
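Review bot: The deleted sample.tfvars carried the warning "Don't add the user, that is executing the TF script to subaccount_admins or subaccount_service_admins!", and the new sample drops it while listing `you@test.com` in exactly those lists. Nothing in step1/main.tf removes the executing user from the subaccount admin assignments (only step2 subtracts `data.btp_whoami.me.email`, and only for the CF org lists), so if that caveat still applies the sample now guides users into it. Suggest restoring the comment above `subaccount_admins`, e.g. `# Don't add the user executing the TF script to subaccount_admins or subaccount_service_admins!`, or noting in the README why it is no longer needed.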
diff --git a/released/discovery_center/mission_3260/step1/variables.tf b/released/discovery_center/mission_3260/step1/variables.tf new file mode 100644 index 00000000..bd465e46 --- /dev/null +++ b/released/discovery_center/mission_3260/step1/variables.tf 
@@ -0,0 +1,174 @@ +# ------------------------------------------------------------------------------------------------------ +# Account variables +# ------------------------------------------------------------------------------------------------------ +variable "globalaccount" { + type = string + description = "The globalaccount subdomain where the sub account shall be created." +} + +variable "cli_server_url" { + type = string + description = "The BTP CLI server URL." + default = "https://cli.btp.cloud.sap" +} + +variable "custom_idp" { + type = string + description = "The custom identity provider for the subaccount." + default = "" +} + +variable "custom_idp_apps_origin_key" { + type = string + description = "The custom identity provider for the subaccount." + default = "sap.custom" +} + +variable "region" { + type = string + description = "The region where the subaccount shall be created in." + default = "us10" +} + +variable "subaccount_name" { + type = string + description = "The subaccount name." + default = "My SAP DC mission subaccount." +} + +variable "subaccount_id" { + type = string + description = "The subaccount ID." 
+ default = "" +} + +# ------------------------------------------------------------------------------------------------------ +# cf related variables +# ------------------------------------------------------------------------------------------------------ +variable "origin" { + type = string + description = "Defines the origin key of the identity provider" + default = "sap.ids" + # The value for the origin_key can be defined + # but are normally set to "sap.ids", "sap.default" or "sap.custom" +} + +variable "origin_key" { + type = string + description = "Defines the origin key of the identity provider" + default = "" + # The value for the origin_key can be defined, set to "sap.ids", "sap.default" or "sap.custom" +} + +variable "cf_landscape_label" { + type = string + description = "In case there are multiple environments available for a subaccount, you can use this label to choose with which one you want to go. If nothing is given, we take by default the first available." + default = "" +} + +variable "cf_org_name" { + type = string + description = "Name of the Cloud Foundry org." + default = "mission-4441-sap-build-code" + + validation { + condition = can(regex("^.{1,255}$", var.cf_org_name)) + error_message = "The Cloud Foundry org name must not be emtpy and not exceed 255 characters." + } +} + +variable "cf_space_name" { + type = string + description = "Name of the Cloud Foundry space." + default = "dev" + + validation { + condition = can(regex("^.{1,255}$", var.cf_space_name)) + error_message = "The Cloud Foundry space name must not be emtpy and not exceed 255 characters." 
+ } +} + +# ------------------------------------------------------------------------------------------------------ +# services plans +# ------------------------------------------------------------------------------------------------------ +variable "service_plan__cloudfoundry" { + type = string + description = "The plan for service 'Destination Service' with technical name 'destination'" + default = "standard" + validation { + condition = contains(["standard"], var.service_plan__cloudfoundry) + error_message = "Invalid value for service_plan__cloudfoundry. Only 'standard' is allowed." + } +} + +# ------------------------------------------------------------------------------------------------------ +# app subscription plans +# ------------------------------------------------------------------------------------------------------ +variable "service_plan__sap_process_automation" { + type = string + description = "The plan for service 'SAP Build Process Automation' with technical name 'process-automation'" + default = "free" + + validation { + condition = contains(["standard", "free"], var.service_plan__sap_process_automation) + error_message = "Invalid value for service_plan__sap_process_automation. Only 'standard' and 'free' are allowed." + } +} + +# ------------------------------------------------------------------------------------------------------ +# User lists +# ------------------------------------------------------------------------------------------------------ +variable "subaccount_admins" { + type = list(string) + description = "Defines the users who are added to subaccount as administrators." +} + +variable "subaccount_service_admins" { + type = list(string) + description = "Defines the users who are added to subaccount as service administrators." +} + +variable "process_automation_admins" { + type = list(string) + description = "Defines the users who have the role of 'ProcessAutomationAdmin' in SAP Build Process Automation." 
+} + +variable "process_automation_developers" { + type = list(string) + description = "Defines the users who have the role of ProcessAutomationDeveloper in SAP Build Process Automation" +} + +variable "process_automation_participants" { + type = list(string) + description = "Defines the users who have the role of ProcessAutomationParticipant in SAP Build Process Automation" + default = ["jane.doe@test.com", "john.doe@test.com"] +} + +variable "cf_org_admins" { + type = list(string) + description = "Defines the colleagues who are added to a Cloudfoundry as org administrators." +} + +variable "cf_org_users" { + type = list(string) + description = "Defines the colleagues who are added to a Cloudfoundry as org users." +} + +variable "cf_space_managers" { + type = list(string) + description = "Defines the colleagues who are added to a CF space as space manager." +} + +variable "cf_space_developers" { + type = list(string) + description = "Defines the colleagues who are added to a CF space as space developer." +} + +# ------------------------------------------------------------------------------------------------------ +# Switch for creating tfvars for step 2 +# ------------------------------------------------------------------------------------------------------ +variable "create_tfvars_file_for_step2" { + type = bool + description = "Switch to enable the creation of the tfvars file for step 2." + default = true +} \ No newline at end of file diff --git a/released/discovery_center/mission_3260/step2/main.tf b/released/discovery_center/mission_3260/step2/main.tf new file mode 100644 index 00000000..7a44de91 --- /dev/null +++ b/released/discovery_center/mission_3260/step2/main.tf 
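Review bot: `process_automation_participants` ships with `default = ["jane.doe@test.com", "john.doe@test.com"]`, which step1/main.tf turns into a role-collection assignment, so a run that does not set the variable grants "ProcessAutomationParticipant" to two placeholder identities; every other user-list variable in this file has no default and this one should match, dropping the `default` line. Several descriptions and defaults look copied from another mission: `service_plan__cloudfoundry` is described as "The plan for service 'Destination Service' with technical name 'destination'", `custom_idp_apps_origin_key` repeats the `custom_idp` description, and `cf_org_name` defaults to "mission-4441-sap-build-code" in a mission 3260 module. As far as the step1/main.tf hunk in this commit shows, `origin`, `origin_key` and `cf_org_name` are not referenced (the code uses `local.origin_key` and derives the org name from the environment labels), so they appear to be dead inputs; please confirm against the other step1 files before removing them. The two validation messages also misspell "empty" as "emtpy".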
@@ -0,0 +1,95 @@
+data "btp_whoami" "me" {}
+# ------------------------------------------------------------------------------------------------------
+# Import custom trust config and disable for user login
+# ------------------------------------------------------------------------------------------------------
+locals {
+ available_for_user_logon = data.btp_whoami.me.issuer != var.custom_idp ? true : false
+}
+
+import {
+ to = btp_subaccount_trust_configuration.default
+ id = "${var.subaccount_id},sap.default"
+}
+
+resource "btp_subaccount_trust_configuration" "default" {
+ subaccount_id = var.subaccount_id
+ identity_provider = ""
+ auto_create_shadow_users = false
+ available_for_user_logon = local.available_for_user_logon
+}
+
+# ------------------------------------------------------------------------------------------------------
+# Create the Cloud Foundry space
+# ------------------------------------------------------------------------------------------------------
+resource "cloudfoundry_space" "dev" {
+ name = "dev"
+ org = var.cf_org_id
+}
+
+# ------------------------------------------------------------------------------------------------------
+# SETUP ALL SERVICES FOR CF USAGE
+# ------------------------------------------------------------------------------------------------------
+# ------------------------------------------------------------------------------------------------------
+# USERS AND ROLES
+# ------------------------------------------------------------------------------------------------------
+
+locals {
+ # Remove current user if issuer (idp) of logged in user is not same as used custom idp
+ cf_org_admins = setsubtract(toset(var.cf_org_admins), [data.btp_whoami.me.email])
+ cf_org_users = setsubtract(toset(var.cf_org_users), [data.btp_whoami.me.email])
+
+ cf_space_managers = var.cf_space_managers
+ cf_space_developers = var.cf_space_developers
+
+ # origin_key is default (sap.ids) if issuer (idp) of logged in user is not same as used custom idp
+ custom_idp_tenant = var.custom_idp != "" ? element(split(".", var.custom_idp), 0) : ""
+ origin_key = data.btp_whoami.me.issuer != var.custom_idp ? "sap.ids" : "${local.custom_idp_tenant}-platform"
+}
+
+# ------------------------------------------------------------------------------------------------------
+# cf_org_users: Assign organization_user role
+# ------------------------------------------------------------------------------------------------------
+resource "cloudfoundry_org_role" "organization_user" {
+ for_each = toset(local.cf_org_users)
+ username = each.value
+ type = "organization_user"
+ org = var.cf_org_id
+ origin = local.origin_key
+}
+
+# ------------------------------------------------------------------------------------------------------
+# cf_org_admins: Assign organization_manager role
+# ------------------------------------------------------------------------------------------------------
+resource "cloudfoundry_org_role" "organization_manager" {
+ for_each = toset(local.cf_org_admins)
+ username = each.value
+ type = "organization_manager"
+ org = var.cf_org_id
+ origin = local.origin_key
+ depends_on = [cloudfoundry_org_role.organization_user]
+}
+
+# ------------------------------------------------------------------------------------------------------
+# cf_space_managers: Assign space_manager role
+# ------------------------------------------------------------------------------------------------------
+# Define Space Manager role
+resource "cloudfoundry_space_role" "space_manager" {
+ for_each = toset(local.cf_space_managers)
+ username = each.value
+ type = "space_manager"
+ space = cloudfoundry_space.dev.id
+ origin = local.origin_key
+ depends_on = [cloudfoundry_org_role.organization_manager]
+}
+
+# ------------------------------------------------------------------------------------------------------
+# cf_space_developers: Assign space_developer role
+# ------------------------------------------------------------------------------------------------------
+resource "cloudfoundry_space_role" "space_developer" {
+ for_each = toset(local.cf_space_developers)
+ username = each.value
+ type = "space_developer"
+ space = cloudfoundry_space.dev.id
+ origin = local.origin_key
+ depends_on = [cloudfoundry_org_role.organization_manager]
+}
\ No newline at end of file
diff --git a/released/discovery_center/mission_3260/step2/provider.tf b/released/discovery_center/mission_3260/step2/provider.tf
new file mode 100644
index 00000000..4ec94611
--- /dev/null
+++ b/released/discovery_center/mission_3260/step2/provider.tf
@@ -0,0 +1,22 @@
+terraform {
+ required_providers {
+ cloudfoundry = {
+ source = "SAP/cloudfoundry"
+ version = "1.0.0-rc1"
+ }
+ btp = {
+ source = "SAP/btp"
+ version = "~> 1.5.0"
+ }
+ }
+}
+
+provider "btp" {
+ globalaccount = var.globalaccount
+ cli_server_url = var.cli_server_url
+}
+
+
+provider "cloudfoundry" {
+ api_url = var.cf_api_url
+}
\ No newline at end of file
diff --git a/released/discovery_center/mission_3260/step2/variables.tf b/released/discovery_center/mission_3260/step2/variables.tf
new file mode 100644
index 00000000..6aa54807
--- /dev/null
+++ b/released/discovery_center/mission_3260/step2/variables.tf
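Review bot: `cloudfoundry_space.dev` hard-codes `name = "dev"` while step2/variables.tf in this same commit declares `cf_space_name` (default "dev") and step 1 exports it as an output, so a non-default space name set in the tfvars is silently ignored; `name = var.cf_space_name` keeps the two steps in sync. The comment above the second `locals` block says the current user is removed only when the login issuer differs from the custom IdP, but both `setsubtract` calls drop `data.btp_whoami.me.email` unconditionally; if that is intended the comment should read `# Always remove the current user from the org admin/user lists`, otherwise the subtraction needs the same issuer condition used for `available_for_user_logon`. Note too that `local.origin_key` shadows the `origin_key` input variable declared in step2/variables.tf, which is therefore never read.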
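Review bot: The `terraform` block sets no `required_version`, but step2/main.tf in this commit relies on an `import {}` block, which requires Terraform 1.5 or newer; adding `required_version = ">= 1.5.0"` next to `required_providers` turns a confusing parse error on older CLIs into a clear version check. The cloudfoundry provider is also pinned to a pre-release, `version = "1.0.0-rc1"`, whereas btp uses the pessimistic `~> 1.5.0`; if the rc pin is deliberate, a short comment such as `# pre-release pin; revisit once a GA release of SAP/cloudfoundry is available` would record that for the next maintainer.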
@@ -0,0 +1,108 @@
+# Description: This file contains the input variables for the mission 3260 step 2.
+#
+# ------------------------------------------------------------------------------------------------------
+# Account variables
+# ------------------------------------------------------------------------------------------------------
+variable "globalaccount" {
+ type = string
+ description = "The globalaccount subdomain where the sub account shall be created."
+}
+
+variable "cli_server_url" {
+ type = string
+ description = "The BTP CLI server URL."
+ default = "https://cli.btp.cloud.sap"
+}
+
+variable "subaccount_id" {
+ type = string
+ description = "The subaccount ID."
+}
+
+variable "custom_idp" {
+ type = string
+ description = "The custom identity provider for the subaccount."
+ default = ""
+}
+
+# ------------------------------------------------------------------------------------------------------
+# cf related variables
+# ------------------------------------------------------------------------------------------------------
+variable "origin" {
+ type = string
+ description = "Defines the origin of the identity provider"
+ default = "sap.ids"
+ # The value for the origin can be defined
+ # but are normally set to "sap.ids", "sap.default" or "sap.custom"
+}
+
+variable "origin_key" {
+ type = string
+ description = "Defines the origin key of the identity provider"
+ default = "sap.ids"
+ # The value for the origin_key can be defined
+ # but are normally set to "sap.ids", "sap.default" or "sap.custom"
+}
+
+variable "cf_api_url" {
+ type = string
+ description = "The Cloud Foundry API endpoint from the Cloud Foundry environment instance."
+}
+
+variable "cf_org_id" {
+ type = string
+ description = "The Cloud Foundry Org ID from the Cloud Foundry environment instance."
+}
+
+variable "cf_org_name" {
+ type = string
+ description = "Name of the Cloud Foundry org."
+
+ validation {
+ condition = can(regex("^.{1,255}$", var.cf_org_name))
+ error_message = "The Cloud Foundry org name must not be emtpy and not exceed 255 characters."
+ }
+}
+
+variable "cf_space_name" {
+ type = string
+ description = "Name of the Cloud Foundry space."
+ default = "dev"
+
+ validation {
+ condition = can(regex("^.{1,255}$", var.cf_space_name))
+ error_message = "The Cloud Foundry space name must not be emtpy and not exceed 255 characters."
+ }
+}
+
+# ------------------------------------------------------------------------------------------------------
+# User lists
+# ------------------------------------------------------------------------------------------------------
+variable "cf_org_admins" {
+ type = list(string)
+ description = "Defines the colleagues who are added to a CF org as administrators."
+}
+
+variable "cf_org_users" {
+ type = list(string)
+ description = "Defines the colleagues who are added to a CF org as users."
+}
+
+variable "cf_space_managers" {
+ type = list(string)
+ description = "Defines the colleagues who are added to a CF space as space manager."
+}
+
+variable "cf_space_developers" {
+ type = list(string)
+ description = "Defines the colleagues who are added to a CF space as space developer."
+}
+
+/*
+# The CF Org name from the Cloud Foundry environment instance
+variable "cf_org_name" {
+ type = string
+ description = "The Cloud Foundry Org name from the Cloud Foundry environment instance."
+
+}
+*/
\ No newline at end of file
diff --git a/released/discovery_center/mission_3260/variables.tf b/released/discovery_center/mission_3260/variables.tf
deleted file mode 100644
index 496fa07a..00000000
--- a/released/discovery_center/mission_3260/variables.tf
+++ /dev/null
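Review bot: `origin` and `origin_key` are declared with `default = "sap.ids"` but nothing in step2/main.tf (earlier in this commit) reads them — `local.origin_key` is derived from `data.btp_whoami.me.issuer` and `var.custom_idp` instead — so a value set in the tfvars has no effect and produces no warning; either remove the two variables or make the local honour them. `cf_org_name` and `cf_space_name` are likewise unreferenced in step2/main.tf, which creates the space with a literal "dev". Both `error_message` strings also misspell "empty": `error_message = "The Cloud Foundry org name must not be empty and not exceed 255 characters."`, and the same for the space name.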
@@ -1,80 +0,0 @@
-# ------------------------------------------------------------------------------------------------------
-# Account variables
-# ------------------------------------------------------------------------------------------------------
-variable "globalaccount" {
- type = string
- description = "The globalaccount subdomain where the sub account shall be created."
-}
-
-variable "cli_server_url" {
- type = string
- description = "The BTP CLI server URL."
- default = "https://cli.btp.cloud.sap"
-}
-
-variable "custom_idp" {
- type = string
- description = "The custom identity provider for the subaccount."
- default = ""
-}
-
-variable "region" {
- type = string
- description = "The region where the subaccount shall be created in."
- default = "us10"
-}
-
-variable "subaccount_name" {
- type = string
- description = "The subaccount name."
- default = "My SAP DC mission subaccount."
-}
-
-variable "subaccount_id" {
- type = string
- description = "The subaccount ID."
- default = ""
-}
-
-# ------------------------------------------------------------------------------------------------------
-# app subscription plans
-# ------------------------------------------------------------------------------------------------------
-variable "service_plan__sap_process_automation" {
- type = string
- description = "The plan for service 'SAP Build Process Automation' with technical name 'process-automation'"
- default = "free"
-
- validation {
- condition = contains(["standard", "free"], var.service_plan__sap_process_automation)
- error_message = "Invalid value for service_plan__sap_process_automation. Only 'standard' and 'free' are allowed."
- }
-}
-
-# ------------------------------------------------------------------------------------------------------
-# User lists
-# ------------------------------------------------------------------------------------------------------
-variable "subaccount_admins" {
- type = list(string)
- description = "Defines the users who are added to subaccount as administrators."
-}
-
-variable "subaccount_service_admins" {
- type = list(string)
- description = "Defines the users who are added to subaccount as service administrators."
-}
-
-variable "process_automation_admins" {
- type = list(string)
- description = "Defines the users who have the role of 'ProcessAutomationAdmin' in SAP Build Process Automation."
-}
-
-variable "process_automation_developers" {
- type = list(string)
- description = "Defines the users who have the role of ProcessAutomationDeveloper in SAP Build Process Automation"
-}
-
-variable "process_automation_participants" {
- type = list(string)
- description = "Defines the users who have the role of ProcessAutomationParticipant in SAP Build Process Automation"
- default = ["jane.doe@test.com", "john.doe@test.com"]
-}
From d117304fb937cf56cd92c11df6f7aa5e2361fbc9 Mon Sep 17 00:00:00 2001
From: Jens Glander
Date: Mon, 16 Sep 2024 17:52:24 +0200
Subject: [PATCH 2/4] fix formatting issue
---
 released/discovery_center/mission_3260/step1/main.tf | 2 +-
 .../discovery_center/mission_3260/step2/variables.tf | 11 +----------
 2 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/released/discovery_center/mission_3260/step1/main.tf b/released/discovery_center/mission_3260/step1/main.tf
index 91169926..9cc3ed7e 100644
--- a/released/discovery_center/mission_3260/step1/main.tf
+++ b/released/discovery_center/mission_3260/step1/main.tf
@@ -38,7 +38,7 @@ resource "btp_subaccount_trust_configuration" "fully_customized" {
 # ------------------------------------------------------------------------------------------------------
 #
 locals {
- service_name__cloudfoundry = "cloudfoundry"
+ service_name__cloudfoundry = "cloudfoundry"
 }
 # ------------------------------------------------------------------------------------------------------
diff --git a/released/discovery_center/mission_3260/step2/variables.tf b/released/discovery_center/mission_3260/step2/variables.tf
index 6aa54807..7740729d 100644
--- a/released/discovery_center/mission_3260/step2/variables.tf
+++ b/released/discovery_center/mission_3260/step2/variables.tf
@@ -96,13 +96,4 @@ variable "cf_space_managers" {
 variable "cf_space_developers" {
 type = list(string)
 description = "Defines the colleagues who are added to a CF space as space developer."
-}
-
-/*
-# The CF Org name from the Cloud Foundry environment instance
-variable "cf_org_name" {
- type = string
- description = "The Cloud Foundry Org name from the Cloud Foundry environment instance."
-
-}
-*/
\ No newline at end of file
+}
\ No newline at end of file
From d859cad7de2e31ab1a21e7e7e1c857ad90ff2565 Mon Sep 17 00:00:00 2001
From: Jens Glander
Date: Mon, 16 Sep 2024 17:57:08 +0200
Subject: [PATCH 3/4] fix formatting issues
---
 released/discovery_center/mission_3260/step1/sample.tfvars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/released/discovery_center/mission_3260/step1/sample.tfvars b/released/discovery_center/mission_3260/step1/sample.tfvars
index 93f42a61..8904195d 100644
--- a/released/discovery_center/mission_3260/step1/sample.tfvars
+++ b/released/discovery_center/mission_3260/step1/sample.tfvars
@@ -9,7 +9,7 @@ custom_idp = "<>.accounts.ondemand.com"
 globalaccount = ""
 region = "us10"
-subaccount_name = "Your Mission 3260 Subaccount Name"
+subaccount_name = "Your Mission 3260 Subaccount Name"
 # ------------------------------------------------------------------------------------------------------
 # Use case specific configuration
From 352e6abd17206199435a925a34a8e02ea5eb5bac Mon Sep 17 00:00:00 2001
From: Jens Glander
Date: Tue, 17 Sep 2024 09:46:54 +0200
Subject: [PATCH 4/4] added missing output changes
---
 .../mission_3260/step1/outputs.tf | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)
diff --git a/released/discovery_center/mission_3260/step1/outputs.tf b/released/discovery_center/mission_3260/step1/outputs.tf
index c13effef..aa3c7b58 100644
--- a/released/discovery_center/mission_3260/step1/outputs.tf
+++ b/released/discovery_center/mission_3260/step1/outputs.tf
@@ -1,3 +1,13 @@
+output "globalaccount" {
+ value = var.globalaccount
+ description = "The globalaccount subdomain."
+}
+
+output "cli_server_url" {
+ value = var.cli_server_url
+ description = "The BTP CLI server URL."
+}
+
 output "subaccount_id" {
 value = data.btp_subaccount.dc_mission.id
 description = "The ID of the dc mission subaccount."
@@ -7,3 +17,48 @@ output "process_automation_subscription_url" {
 value = btp_subaccount_subscription.build_process_automation.subscription_url
 description = "Subscription URL for SAP Build Process Automation"
 }
+
+output "cf_api_url" {
+ value = jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["API Endpoint"]
+ description = "The Cloudfoundry API endpoint."
+}
+
+output "cf_landscape_label" {
+ value = btp_subaccount_environment_instance.cloudfoundry.landscape_label
+ description = "The Cloudfoundry landscape label."
+}
+
+output "cf_org_id" {
+ value = jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["Org ID"]
+ description = "The Cloudfoundry org id."
+}
+
+output "cf_org_name" {
+ value = jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["Org Name"]
+ description = "The Cloudfoundry org name."
+}
+
+output "cf_space_name" {
+ value = var.cf_space_name
+ description = "The name of the Cloud Foundry space."
+}
+
+output "cf_org_admins" {
+ value = var.cf_org_admins
+ description = "List of users to set as Cloudfoundry org administrators."
+}
+
+output "cf_space_developers" {
+ value = var.cf_space_developers
+ description = "List of users to set as Cloudfoundry space developers."
+}
+
+output "cf_space_managers" {
+ value = var.cf_space_managers
+ description = "List of users to set as Cloudfoundry space managers."
+}
+
+output "origin" {
+ value = var.origin
+ description = "The identity provider for the UAA user."
+}
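Review bot: step2/variables.tf (earlier in this series) declares `cf_org_users` as a required input with no default, but this hunk exports only `cf_org_admins`, `cf_space_developers` and `cf_space_managers`; if the step-2 tfvars file is generated from these outputs (the `create_tfvars_file_for_step2` switch in step1/variables.tf suggests it is), step 2 will fail for the missing `cf_org_users` value. An `output "cf_org_users"` block mirroring `cf_org_admins` with `value = var.cf_org_users` closes the gap. Separately, the three `jsondecode(...labels)[...]` lookups error out rather than yielding null if a label key is absent; wrapping them in `try(..., null)` would degrade more gracefully, though whether those labels can legitimately be missing is not visible here.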