diff --git a/released/discovery_center/mission_4356/step1/locals.tf b/released/discovery_center/mission_4356/step1/locals.tf deleted file mode 100644 index 0663eaea..00000000 --- a/released/discovery_center/mission_4356/step1/locals.tf +++ /dev/null @@ -1,4 +0,0 @@ -locals { - service__sap_business_app_studio = "sapappstudio" - service_name__sap_integration_suite = "integrationsuite" -} \ No newline at end of file diff --git a/released/discovery_center/mission_4356/step1/main.tf b/released/discovery_center/mission_4356/step1/main.tf index 75358a05..1465f712 100644 --- a/released/discovery_center/mission_4356/step1/main.tf +++ b/released/discovery_center/mission_4356/step1/main.tf @@ -1,13 +1,12 @@ # ------------------------------------------------------------------------------------------------------ -# Setup of names in accordance to naming convention +# Subaccount setup for DC mission 4356 # ------------------------------------------------------------------------------------------------------ +# Setup subaccount domain (to ensure uniqueness in BTP global account) resource "random_uuid" "uuid" {} locals { random_uuid = random_uuid.uuid.result - subaccount_domain = lower(replace("mission-4356-${local.random_uuid}", "_", "-")) - # If a cf_org_name was defined by the user, take that as a subaccount_cf_org. Otherwise create it. - subaccount_cf_org = length(var.cf_org_name) > 0 ? var.cf_org_name : substr(replace("${local.subaccount_domain}", "-", ""), 0, 32) + subaccount_domain = "dcmission4356${local.random_uuid}" } # ------------------------------------------------------------------------------------------------------ 
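Review bot: Dropping `subaccount_cf_org` from the `locals` block removes the only consumer of `var.cf_org_name` visible in this step, yet the variable stays declared in variables.tf (with its validation block and a new default of `mission-4441-sap-build-code`), so it is now a dead input that silently does nothing when a user sets it. Either remove the variable or wire it back into the Cloud Foundry instance, e.g. `name = length(var.cf_org_name) > 0 ? var.cf_org_name : "cf-${random_uuid.uuid.result}"`. The new `subaccount_domain` also no longer passes through `lower(replace(...))`; `random_uuid.uuid.result` is lowercase, so this holds today, but a comment such as `# random_uuid output is lowercase, so no lower()/replace() is needed for the subdomain` would keep that intent visible.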
@@ -18,165 +17,263 @@ resource "btp_subaccount" "dc_mission" { name = var.subaccount_name subdomain = local.subaccount_domain - region = lower(var.region) - usage = "USED_FOR_PRODUCTION" + region = var.region } data "btp_subaccount" "dc_mission" { id = var.subaccount_id != "" ? var.subaccount_id : btp_subaccount.dc_mission[0].id } +data "btp_subaccount" "subaccount" { + id = data.btp_subaccount.dc_mission.id +} + # ------------------------------------------------------------------------------------------------------ -# Assignment of users as sub account administrators +# Assign custom IDP to sub account (if custom_idp is set) # ------------------------------------------------------------------------------------------------------ -resource "btp_subaccount_role_collection_assignment" "subaccount-admins" { - for_each = toset(var.subaccount_admins) - subaccount_id = data.btp_subaccount.dc_mission.id - role_collection_name = "Subaccount Administrator" - user_name = each.value +resource "btp_subaccount_trust_configuration" "fully_customized" { + # Only create trust configuration if custom_idp has been set + count = var.custom_idp == "" ? 
0 : 1 + subaccount_id = data.btp_subaccount.dc_mission.id + identity_provider = var.custom_idp } # ------------------------------------------------------------------------------------------------------ -# Assignment of users as sub account service administrators +# SERVICES # ------------------------------------------------------------------------------------------------------ -resource "btp_subaccount_role_collection_assignment" "subaccount-service-admins" { - for_each = toset(var.subaccount_service_admins) - subaccount_id = data.btp_subaccount.dc_mission.id - role_collection_name = "Subaccount Service Administrator" - user_name = each.value +# +locals { + service_name__cloudfoundry = "cloudfoundry" + service_name__connectivity = "connectivity" + service_name__destination = "destination" + service_name__html5_apps_repo = "html5-apps-repo" + service_name__xsuaa = "xsuaa" } # ------------------------------------------------------------------------------------------------------ -# CLOUDFOUNDRY PREPARATION +# Setup cloudfoundry (Cloud Foundry Environment) # ------------------------------------------------------------------------------------------------------ # # Fetch all available environments for the subaccount data "btp_subaccount_environments" "all" { subaccount_id = data.btp_subaccount.dc_mission.id } -# ------------------------------------------------------------------------------------------------------ -# Take the landscape label from the first CF environment if no environment label is provided -# ------------------------------------------------------------------------------------------------------ +# Take the landscape label from the first CF environment if no environment label is provided (this replaces the previous null_resource) resource "terraform_data" "cf_landscape_label" { input = length(var.cf_landscape_label) > 0 ? 
var.cf_landscape_label : [for env in data.btp_subaccount_environments.all.values : env if env.service_name == "cloudfoundry" && env.environment_type == "cloudfoundry"][0].landscape_label } - -# ------------------------------------------------------------------------------------------------------ -# Creation of Cloud Foundry environment -# ------------------------------------------------------------------------------------------------------ +# Create instance resource "btp_subaccount_environment_instance" "cloudfoundry" { subaccount_id = data.btp_subaccount.dc_mission.id - name = local.subaccount_cf_org + name = "cf-${random_uuid.uuid.result}" environment_type = "cloudfoundry" - service_name = "cloudfoundry" - plan_name = "standard" + service_name = local.service_name__cloudfoundry + plan_name = var.service_plan__cloudfoundry landscape_label = terraform_data.cf_landscape_label.output + parameters = jsonencode({ - instance_name = local.subaccount_cf_org + instance_name = "cf-${random_uuid.uuid.result}" }) } +# ------------------------------------------------------------------------------------------------------ +# Setup connectivity (Connectivity Service) +# ------------------------------------------------------------------------------------------------------ +# Entitle +resource "btp_subaccount_entitlement" "connectivity" { + subaccount_id = data.btp_subaccount.dc_mission.id + service_name = local.service_name__connectivity + plan_name = var.service_plan__connectivity +} # ------------------------------------------------------------------------------------------------------ -# Entitlement of all general services +# Setup destination (Destination Service) # ------------------------------------------------------------------------------------------------------ -resource "btp_subaccount_entitlement" "genentitlements" { - for_each = { - for index, entitlement in var.entitlements : - index => entitlement - } +# Entitle +resource "btp_subaccount_entitlement" "destination" 
{ subaccount_id = data.btp_subaccount.dc_mission.id - service_name = each.value.service_name - plan_name = each.value.plan_name + service_name = local.service_name__destination + plan_name = var.service_plan__destination } # ------------------------------------------------------------------------------------------------------ -# Create app subscription to SAP Integration Suite +# Setup destination (HTML5 Application Repository Service) # ------------------------------------------------------------------------------------------------------ -resource "btp_subaccount_entitlement" "sap_integration_suite" { +# Entitle +resource "btp_subaccount_entitlement" "html5_apps_repo" { subaccount_id = data.btp_subaccount.dc_mission.id - service_name = local.service_name__sap_integration_suite - plan_name = var.service_plan__sap_integration_suite - amount = var.service_plan__sap_integration_suite == "free" ? 1 : null + service_name = local.service_name__html5_apps_repo + plan_name = var.service_plan__html5_apps_repo +} + +# ------------------------------------------------------------------------------------------------------ +# Setup destination (Authorization and Trust Management Service) +# ------------------------------------------------------------------------------------------------------ +# Entitle +resource "btp_subaccount_entitlement" "xsuaa" { + subaccount_id = data.btp_subaccount.dc_mission.id + service_name = local.service_name__xsuaa + plan_name = var.service_plan__xsuaa +} + +# ------------------------------------------------------------------------------------------------------ +# APP SUBSCRIPTIONS +# ------------------------------------------------------------------------------------------------------ +# +locals { + service_name__integrationsuite = "integrationsuite" + service_name__sapappstudio = "sapappstudio" +} +# ------------------------------------------------------------------------------------------------------ +# Setup integrationsuite (Integration Suite 
Service) +# ------------------------------------------------------------------------------------------------------ +# Entitle +resource "btp_subaccount_entitlement" "integrationsuite" { + subaccount_id = data.btp_subaccount.dc_mission.id + service_name = local.service_name__integrationsuite + plan_name = var.service_plan__integrationsuite + amount = var.service_plan__integrationsuite == "free" ? 1 : null } data "btp_subaccount_subscriptions" "all" { subaccount_id = data.btp_subaccount.dc_mission.id - depends_on = [btp_subaccount_entitlement.sap_integration_suite] + depends_on = [btp_subaccount_entitlement.integrationsuite] } -resource "btp_subaccount_subscription" "sap_integration_suite" { +# Subscribe +resource "btp_subaccount_subscription" "integrationsuite" { subaccount_id = data.btp_subaccount.dc_mission.id app_name = [ for subscription in data.btp_subaccount_subscriptions.all.values : subscription - if subscription.commercial_app_name == local.service_name__sap_integration_suite + if subscription.commercial_app_name == local.service_name__integrationsuite ][0].app_name - plan_name = var.service_plan__sap_integration_suite + plan_name = var.service_plan__integrationsuite depends_on = [data.btp_subaccount_subscriptions.all] } -resource "btp_subaccount_role_collection_assignment" "int_prov" { - depends_on = [btp_subaccount_subscription.sap_integration_suite] - for_each = toset(var.int_provisioners) +# ------------------------------------------------------------------------------------------------------ +# Setup sapappstudio (SAP Business Application Studio) +# ------------------------------------------------------------------------------------------------------ +# Entitle +resource "btp_subaccount_entitlement" "sapappstudio" { + subaccount_id = data.btp_subaccount.dc_mission.id + service_name = local.service_name__sapappstudio + plan_name = var.service_plan__sapappstudio +} +# Subscribe +resource "btp_subaccount_subscription" "sapappstudio" { + subaccount_id = 
data.btp_subaccount.dc_mission.id + app_name = local.service_name__sapappstudio + plan_name = var.service_plan__sapappstudio + depends_on = [btp_subaccount_entitlement.sapappstudio] +} + +# ------------------------------------------------------------------------------------------------------ +# USERS AND ROLES +# ------------------------------------------------------------------------------------------------------ +data "btp_whoami" "me" {} +# +locals { + subaccount_admins = var.subaccount_admins + subaccount_service_admins = var.subaccount_service_admins + + integration_provisioners = var.integration_provisioners + sapappstudio_admins = var.sapappstudio_admins + sapappstudio_developers = var.sapappstudio_developers + + cloud_connector_admins = var.cloud_connector_admins + connectivity_destination_admins = var.connectivity_destination_admins + + custom_idp_tenant = var.custom_idp != "" ? element(split(".", var.custom_idp), 0) : "" + origin_key = local.custom_idp_tenant != "" ? "${local.custom_idp_tenant}-platform" : "" +} + +# ------------------------------------------------------------------------------------------------------ +# Assign role collection "Subaccount Administrator" +# ------------------------------------------------------------------------------------------------------ +resource "btp_subaccount_role_collection_assignment" "subaccount_admin" { + for_each = toset("${local.subaccount_admins}") subaccount_id = data.btp_subaccount.dc_mission.id - role_collection_name = "Integration_Provisioner" + role_collection_name = "Subaccount Administrator" user_name = each.value + origin = local.origin_key + depends_on = [btp_subaccount.dc_mission] } # ------------------------------------------------------------------------------------------------------ -# Create app subscription to SAP Business Application Studio +# Assign role collection "Subaccount Service Administrator" # 
------------------------------------------------------------------------------------------------------ -resource "btp_subaccount_entitlement" "bas" { - subaccount_id = data.btp_subaccount.dc_mission.id - service_name = local.service__sap_business_app_studio - plan_name = var.service_plan__sap_business_app_studio +resource "btp_subaccount_role_collection_assignment" "subaccount_service_admin" { + for_each = toset("${local.subaccount_service_admins}") + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "Subaccount Service Administrator" + user_name = each.value + origin = local.origin_key + depends_on = [btp_subaccount.dc_mission] } -# Create app subscription to busineass applicaiton stuido -resource "btp_subaccount_subscription" "bas" { - subaccount_id = data.btp_subaccount.dc_mission.id - app_name = local.service__sap_business_app_studio - plan_name = var.service_plan__sap_business_app_studio - depends_on = [btp_subaccount_entitlement.bas] +# ------------------------------------------------------------------------------------------------------ +# Assign role collection "Integration_Provisioner" +# ------------------------------------------------------------------------------------------------------ +resource "btp_subaccount_role_collection_assignment" "integration_provisioner" { + for_each = toset("${local.integration_provisioners}") + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "Integration_Provisioner" + user_name = each.value + origin = var.custom_idp_apps_origin_key + depends_on = [btp_subaccount_subscription.integrationsuite] } -resource "btp_subaccount_role_collection_assignment" "bas_dev" { - depends_on = [btp_subaccount_subscription.bas] - for_each = toset(var.appstudio_developers) +# Assign logged in user to the role collection "Integration_Provisioner" if not custom idp user +resource "btp_subaccount_role_collection_assignment" "integration_provisioner_default" { + count = data.btp_whoami.me.issuer 
!= var.custom_idp ? 1 : 0 subaccount_id = data.btp_subaccount.dc_mission.id - role_collection_name = "Business_Application_Studio_Developer" - user_name = each.value + role_collection_name = "Integration_Provisioner" + user_name = data.btp_whoami.me.email + origin = "sap.default" + depends_on = [btp_subaccount_subscription.integrationsuite] } -resource "btp_subaccount_role_collection_assignment" "bas_admn" { - depends_on = [btp_subaccount_subscription.bas] - for_each = toset(var.appstudio_admins) + +# ------------------------------------------------------------------------------------------------------ +# Assign role collection "Business_Application_Studio_Administrator" +# ------------------------------------------------------------------------------------------------------ +resource "btp_subaccount_role_collection_assignment" "bas_admins" { + for_each = toset(local.sapappstudio_admins) subaccount_id = data.btp_subaccount.dc_mission.id role_collection_name = "Business_Application_Studio_Administrator" user_name = each.value + depends_on = [btp_subaccount_subscription.sapappstudio] } # ------------------------------------------------------------------------------------------------------ -# Assign Role Collection +# Assign role collection "Business_Application_Studio_Developer" # ------------------------------------------------------------------------------------------------------ +resource "btp_subaccount_role_collection_assignment" "bas_developer" { + for_each = toset(local.sapappstudio_developers) + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "Business_Application_Studio_Developer" + user_name = each.value + depends_on = [btp_subaccount_subscription.sapappstudio] +} + -resource "btp_subaccount_role_collection_assignment" "cloud_conn_admn" { - depends_on = [btp_subaccount_entitlement.genentitlements] - for_each = toset(var.cloudconnector_admins) +resource "btp_subaccount_role_collection_assignment" "cloud_connector_admins" { + 
for_each = toset(local.cloud_connector_admins) subaccount_id = data.btp_subaccount.dc_mission.id role_collection_name = "Cloud Connector Administrator" user_name = each.value + depends_on = [btp_subaccount_entitlement.connectivity] } -resource "btp_subaccount_role_collection_assignment" "conn_dest_admn" { - depends_on = [btp_subaccount_entitlement.genentitlements] - for_each = toset(var.conn_dest_admins) +resource "btp_subaccount_role_collection_assignment" "connectivity_destination_admins" { + for_each = toset(local.connectivity_destination_admins) subaccount_id = data.btp_subaccount.dc_mission.id role_collection_name = "Connectivity and Destination Administrator" user_name = each.value + depends_on = [btp_subaccount_entitlement.destination] } - # ------------------------------------------------------------------------------------------------------ # Create tfvars file for step 2 (if variable `create_tfvars_file_for_step2` is set to true) # ------------------------------------------------------------------------------------------------------ @@ -185,14 +282,16 @@ resource "local_file" "output_vars_step1" { content = <<-EOT globalaccount = "${var.globalaccount}" cli_server_url = ${jsonencode(var.cli_server_url)} + custom_idp = ${jsonencode(var.custom_idp)} subaccount_id = "${data.btp_subaccount.dc_mission.id}" cf_api_url = "${jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["API Endpoint"]}" cf_org_id = "${jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["Org ID"]}" + cf_org_name = "${jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["Org Name"]}" - origin = "${var.origin}" + origin_key = "${local.origin_key}" cf_space_name = "${var.cf_space_name}" @@ -203,4 +302,4 @@ resource "local_file" "output_vars_step1" { EOT filename = "../step2/terraform.tfvars" -} +} \ No newline at end of file 
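Review bot: `integration_provisioner_default` near the end of the hunk grants `Integration_Provisioner` to whichever identity runs the apply (`data.btp_whoami.me.email`), gated on `data.btp_whoami.me.issuer != var.custom_idp`, so a privileged assignment depends on the operator rather than on the declared inputs and is added or removed whenever a different person applies; if it is required, document why with something like `# NOTE: the applying user is granted Integration_Provisioner via sap.default; an apply by another user changes this assignment`, otherwise list that user in `var.integration_provisioners`. In the same section `integration_provisioner` sets `origin = var.custom_idp_apps_origin_key` (default `sap.custom`) even when `var.custom_idp` is empty, while `subaccount_admin` and `subaccount_service_admin` fall back to an empty `local.origin_key`; the two paths presumably need the same fallback. `toset("${local.subaccount_admins}")`, `toset("${local.subaccount_service_admins}")` and `toset("${local.integration_provisioners}")` wrap a list in an interpolation-only template; `bas_admins` already uses the plain `toset(local.sapappstudio_admins)` form. The headers above `html5_apps_repo` and `xsuaa` still read `Setup destination (...)`, and `data "btp_subaccount" "subaccount"` only re-reads `data.btp_subaccount.dc_mission.id` without being referenced elsewhere in this hunk. The `btp_subaccount.dc_mission` resource at the top of the hunk begins before it.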
diff --git a/released/discovery_center/mission_4356/step1/outputs.tf b/released/discovery_center/mission_4356/step1/outputs.tf index b2b0b6ae..d2af4b04 100644 --- a/released/discovery_center/mission_4356/step1/outputs.tf +++ b/released/discovery_center/mission_4356/step1/outputs.tf @@ -1,21 +1,21 @@ -output "globalaccount" { - value = var.globalaccount - description = "The globalaccount subdomain." +output "subaccount_id" { + value = data.btp_subaccount.dc_mission.id + description = "The ID of the subaccount." } -output "cli_server_url" { - value = var.cli_server_url - description = "The BTP CLI server URL." +output "integrationsuite_subscription_url" { + value = btp_subaccount_subscription.integrationsuite.subscription_url + description = "SAP Integration Suite subscription URL." } -output "subaccount_id" { - value = data.btp_subaccount.dc_mission.id - description = "The ID of the subaccount." +output "custom_idp" { + value = var.custom_idp + description = "The custom identity provider." } output "cf_api_url" { value = jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["API Endpoint"] - description = "The Cloudfoundry API endpoint." + description = "The Cloudfoundry API Url." } output "cf_landscape_label" { diff --git a/released/discovery_center/mission_4356/step1/sample.tfvars b/released/discovery_center/mission_4356/step1/sample.tfvars index e7e94f97..f21988a6 100644 --- a/released/discovery_center/mission_4356/step1/sample.tfvars +++ b/released/discovery_center/mission_4356/step1/sample.tfvars 
@@ -1,20 +1,34 @@ # ------------------------------------------------------------------------------------------------------ # Provider configuration # ------------------------------------------------------------------------------------------------------ -# Your global account subdomain -globalaccount = "yourglobalaccount" +custom_idp = "<>.accounts.ondemand.com" + +# ------------------------------------------------------------------------------------------------------ +# Account settings +# ------------------------------------------------------------------------------------------------------ +globalaccount = "" region = "us10" subaccount_name = "SAP Discovery Center Mission 4356" # ------------------------------------------------------------------------------------------------------ -# Project specific configuration (please adapt!) +# Use case specific configuration # ------------------------------------------------------------------------------------------------------ +subaccount_admins = ["another-user@test.com", "you@test.com"] +subaccount_service_admins = ["another-user@test.com", "you@test.com"] + +integration_provisioners = ["another-user@test.com", "you@test.com"] +sapappstudio_admins = ["another-user@test.com", "you@test.com"] +sapappstudio_developers = ["another-user@test.com", "you@test.com"] -subaccount_admins = ["another.user@test.com"] -subaccount_service_admins = ["another.user@test.com"] -cf_org_admins = ["another.user@test.com"] -cf_org_users = ["another.user@test.com"] -cf_space_managers = ["another.user@test.com", "you@test.com"] -cf_space_developers = ["another.user@test.com", "you@test.com"] +cloud_connector_admins = ["another-user@test.com", "you@test.com"] +connectivity_destination_admins = ["another-user@test.com", "you@test.com"] -custom_idp = "sap.ids" +cf_org_admins = ["another-user@test.com", "you@test.com"] +cf_org_users = ["another-user@test.com", "you@test.com"] +cf_space_managers = ["another-user@test.com", "you@test.com"] 
+cf_space_developers = ["another-user@test.com", "you@test.com"] + +# ------------------------------------------------------------------------------------------------------ +# Create tfvars file for the step 2 +# ------------------------------------------------------------------------------------------------------ +create_tfvars_file_for_step2 = true \ No newline at end of file diff --git a/released/discovery_center/mission_4356/step1/variables.tf b/released/discovery_center/mission_4356/step1/variables.tf index 7defa44b..bfdabc59 100644 --- a/released/discovery_center/mission_4356/step1/variables.tf +++ b/released/discovery_center/mission_4356/step1/variables.tf 
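Review bot: `custom_idp = "<>.accounts.ondemand.com"` at the top of the sample is a placeholder that step 1 treats as a real tenant: with a non-empty `custom_idp`, `btp_subaccount_trust_configuration.fully_customized` gets `count = 1` and `local.origin_key` becomes `<>-platform`, so as far as the step-1 hunks show, an unedited copy of this file creates a trust configuration for a non-existent host and role assignments against a bogus origin. Prefer a value that is disabled by default, e.g. `custom_idp = "" # set to <tenant>.accounts.ondemand.com to add a custom IdP`, or add a validation on `var.custom_idp` that rejects the `<>` placeholder. `globalaccount = ""` has the same issue now that the variable lost its default in variables.tf; a comment such as `# REQUIRED: your global account subdomain` would make that explicit.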
@@ -1,49 +1,63 @@ -###################################################################### -# Customer account setup -###################################################################### -# subaccount +# ------------------------------------------------------------------------------------------------------ +# Account variables +# ------------------------------------------------------------------------------------------------------ variable "globalaccount" { type = string - description = "The globalaccount subdomain." - default = "yourglobalaccount" + description = "The globalaccount subdomain where the sub account shall be created." } -variable "subaccount_id" { +variable "cli_server_url" { type = string - description = "The subaccount ID." + description = "The BTP CLI server URL." + default = "https://cli.btp.cloud.sap" +} + +variable "custom_idp" { + type = string + description = "The custom identity provider for the subaccount." default = "" } -# subaccount +variable "custom_idp_apps_origin_key" { + type = string + description = "The custom identity provider for the subaccount." + default = "sap.custom" +} + +variable "region" { + type = string + description = "The region where the subaccount shall be created in." + default = "us10" +} + variable "subaccount_name" { type = string description = "The subaccount name." - default = "UC - Deliver Connected Experiences with a single view of Material Availability" + default = "My SAP Build Code subaccount." } -variable "custom_idp" { +variable "subaccount_id" { type = string - description = "Defines the custom IdP" + description = "The subaccount ID." 
default = "" } +# ------------------------------------------------------------------------------------------------------ +# cf related variables +# ------------------------------------------------------------------------------------------------------ variable "origin" { type = string - description = "Defines the origin of the identity provider" + description = "Defines the origin key of the identity provider" default = "sap.ids" - # The value for the origin can be defined + # The value for the origin_key can be defined # but are normally set to "sap.ids", "sap.default" or "sap.custom" } -variable "cf_space_name" { +variable "origin_key" { type = string - description = "Name of the Cloud Foundry space." - default = "dev" - - validation { - condition = can(regex("^.{1,255}$", var.cf_space_name)) - error_message = "The Cloud Foundry space name must not be emtpy and not exceed 255 characters." - } + description = "Defines the origin key of the identity provider" + default = "" + # The value for the origin_key can be defined, set to "sap.ids", "sap.default" or "sap.custom" } variable "cf_landscape_label" { 
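Review bot: The description of `custom_idp_apps_origin_key` (`"The custom identity provider for the subaccount."`) is copied from `custom_idp`; the variable is an origin key with default `sap.custom`, which matters because it decides which identity store the `Integration_Provisioner` assignments in step 1 resolve user names against. Suggest `description = "Origin key of the identity provider used for app-level role collection assignments (e.g. sap.custom)."`. `origin` and `origin_key` both remain declared under the `cf related variables` header, with the `origin` comment now talking about `origin_key`, while step 1's main.tf derives `local.origin_key` on its own; unless another file in this step reads them they are unused inputs and should be dropped or documented. The new default `subaccount_name = "My SAP Build Code subaccount."` looks copied from another mission, this folder being mission 4356.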
@@ -55,141 +69,140 @@ variable "cf_landscape_label" { variable "cf_org_name" { type = string description = "Name of the Cloud Foundry org." - default = "mission-4356" + default = "mission-4441-sap-build-code" validation { condition = can(regex("^.{1,255}$", var.cf_org_name)) error_message = "The Cloud Foundry org name must not be emtpy and not exceed 255 characters." } } -# Region -variable "region" { + +variable "cf_space_name" { type = string - description = "The region where the project account shall be created in." - default = "us10" + description = "Name of the Cloud Foundry space." + default = "dev" + + validation { + condition = can(regex("^.{1,255}$", var.cf_space_name)) + error_message = "The Cloud Foundry space name must not be emtpy and not exceed 255 characters." + } } +/* # hana password variable "hana_cloud_system_password" { type = string description = "The system password for the hana_cloud service instance." default = "Abcd1234" } +*/ -# CLI server -variable "cli_server_url" { +# ------------------------------------------------------------------------------------------------------ +# services plans +# ------------------------------------------------------------------------------------------------------ +variable "service_plan__cloudfoundry" { type = string - description = "The BTP CLI server URL." - default = "https://cpcli.cf.eu10.hana.ondemand.com" + description = "The plan for service 'Destination Service' with technical name 'destination'" + default = "standard" + validation { + condition = contains(["standard"], var.service_plan__cloudfoundry) + error_message = "Invalid value for service_plan__cloudfoundry. Only 'standard' is allowed." + } } -# subaccount variables -variable "subaccount_admins" { - type = list(string) - description = "Defines the colleagues who are added to each subaccount as subaccount administrators." 
- default = ["jane.doe@test.com", "john.doe@test.com"] +variable "service_plan__connectivity" { + type = string + description = "The plan for service 'Connectivity Service' with technical name 'connectivity'" + default = "lite" } -variable "subaccount_service_admins" { - type = list(string) - description = "Defines the colleagues who are added to each subaccount as subaccount service administrators." - default = ["jane.doe@test.com", "john.doe@test.com"] +variable "service_plan__destination" { + type = string + description = "The plan for service 'Destination Service' with technical name 'destination'" + default = "lite" +} + +variable "service_plan__html5_apps_repo" { + type = string + description = "The plan for service 'HTML5 Application Repository Service' with technical name 'html5-apps-repo'" + default = "app-host" } -variable "service_plan__sap_integration_suite" { +variable "service_plan__xsuaa" { + type = string + description = "The plan for service 'Authorization and Trust Management Service' with technical name 'xsuaa'" + default = "application" +} + +# ------------------------------------------------------------------------------------------------------ +# app subscription plans +# ------------------------------------------------------------------------------------------------------ +variable "service_plan__integrationsuite" { type = string - description = "The plan for SAP Integration Suite" + description = "The plan for service 'Integration Suite' with technical name 'integrationsuite'" default = "enterprise_agreement" validation { - condition = contains(["free", "enterprise_agreement"], var.service_plan__sap_integration_suite) - error_message = "Invalid value for service_plan__sap_integration_suite. Only 'free' and 'enterprise_agreement' are allowed." + condition = contains(["enterprise_agreement", "free"], var.service_plan__integrationsuite) + error_message = "Invalid value for service_plan__integrationsuite. 
Only 'enterprise_agreement' and 'free' are allowed." } } -variable "service_plan__sap_business_app_studio" { +variable "service_plan__sapappstudio" { type = string - description = "The plan for SAP Business Application Studio" + description = "The plan for service 'SAP Business Application Studio' with technical name 'sapappstudio'" default = "standard-edition" validation { - condition = contains(["standard-edition"], var.service_plan__sap_business_app_studio) - error_message = "Invalid value for service_plan__sap_business_app_studio. Only 'standard-edition' is allowed." + condition = contains(["standard-edition"], var.service_plan__sapappstudio) + error_message = "Invalid value for service_plan__sapappstudio. Only 'standard-edition' is allowed." } } # ------------------------------------------------------------------------------------------------------ -# Entitlements +# User lists # ------------------------------------------------------------------------------------------------------ -variable "entitlements" { - type = list(object({ - service_name = string - plan_name = string - type = string - })) - description = "The list of entitlements that shall be added to the subaccount." 
- default = [ - { - service_name = "connectivity" - plan_name = "lite", - type = "service" - }, - { - service_name = "destination" - plan_name = "lite", - type = "service" - }, - { - service_name = "html5-apps-repo" - plan_name = "app-host", - type = "service" - }, - { - service_name = "xsuaa" - plan_name = "application", - type = "service" - } - ] -} - -variable "appstudio_developers" { +variable "subaccount_admins" { type = list(string) - description = "Business Application Studio Developer" - default = ["jane.doe@test.com", "john.doe@test.com"] + description = "Defines the colleagues who are added to subaccount as administrator" } -variable "appstudio_admins" { +variable "subaccount_service_admins" { type = list(string) - description = "Business Application Studio Administrator" - default = ["jane.doe@test.com", "john.doe@test.com"] + description = "Defines the colleagues who are added to subaccount as service administrator" } -variable "cloudconnector_admins" { +variable "integration_provisioners" { type = list(string) - description = "Cloud Connector Administrator" - default = ["jane.doe@test.com", "john.doe@test.com"] + description = "Integration Provisioner" } -variable "conn_dest_admins" { +variable "sapappstudio_admins" { type = list(string) - description = "Connectivity and Destination Administrator" - default = ["jane.doe@test.com", "john.doe@test.com"] + description = "Defines the colleagues who are administrators for SAP Business Application Studio." } -variable "int_provisioners" { +variable "sapappstudio_developers" { type = list(string) - description = "Integration Provisioner" - default = ["jane.doe@test.com", "john.doe@test.com"] + description = "Defines the colleagues who are developers for SAP Business Application Studio." 
} +variable "cloud_connector_admins" { + type = list(string) + description = "Defines the colleagues who are administrators for Cloud Connector" +} -variable "cf_org_users" { +variable "connectivity_destination_admins" { type = list(string) - description = "CF Org Users" - default = ["jane.doe@test.com", "john.doe@test.com"] + description = "Defines the colleagues who are administrators for Connectivity and Destinations" } variable "cf_org_admins" { type = list(string) - description = "List of users to set as Cloudfoundry org administrators." + description = "Defines the colleagues who are added to a Cloudfoundry as org administrators." +} + +variable "cf_org_users" { + type = list(string) + description = "Defines the colleagues who are added to a Cloudfoundry as org users." } variable "cf_space_managers" { @@ -202,6 +215,9 @@ variable "cf_space_developers" { description = "Defines the colleagues who are added to a CF space as space developer." } +# ------------------------------------------------------------------------------------------------------ +# Switch for creating tfvars for step 2 +# ------------------------------------------------------------------------------------------------------ variable "create_tfvars_file_for_step2" { type = bool description = "Switch to enable the creation of the tfvars file for step 2." diff --git a/released/discovery_center/mission_4356/step2/main.tf b/released/discovery_center/mission_4356/step2/main.tf index 77ee7c20..7a44de91 100644 --- a/released/discovery_center/mission_4356/step2/main.tf +++ b/released/discovery_center/mission_4356/step2/main.tf 
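Review bot: The description of `service_plan__cloudfoundry` reads `The plan for service 'Destination Service' with technical name 'destination'`, copied from the destination variable; it should be `description = "The plan for service 'Cloud Foundry Environment' with technical name 'cloudfoundry'"`. The `hana_cloud_system_password` block is only parked inside `/* */` and keeps a literal default of `Abcd1234`; a dead variable with a credential-shaped default should be deleted rather than commented out, so it cannot be revived unchanged, and if it ever returns it should carry `sensitive = true` and no default. `cf_org_name` receives the default `mission-4441-sap-build-code` inside the mission 4356 folder, and the step-1 main.tf hunk no longer references the variable, so the default is both misleading and unused here.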
@@ -1,47 +1,95 @@
-######################################################################
-# Create space using CF provider
-######################################################################
+data "btp_whoami" "me" {}
+# ------------------------------------------------------------------------------------------------------
+# Import custom trust config and disable for user login
+# ------------------------------------------------------------------------------------------------------
+locals {
+ available_for_user_logon = data.btp_whoami.me.issuer != var.custom_idp ? true : false
+}
+
+import {
+ to = btp_subaccount_trust_configuration.default
+ id = "${var.subaccount_id},sap.default"
+}
+
+resource "btp_subaccount_trust_configuration" "default" {
+ subaccount_id = var.subaccount_id
+ identity_provider = ""
+ auto_create_shadow_users = false
+ available_for_user_logon = local.available_for_user_logon
+}
+
+# ------------------------------------------------------------------------------------------------------
+# Create the Cloud Foundry space
+# ------------------------------------------------------------------------------------------------------
 resource "cloudfoundry_space" "dev" {
- name = "DEV"
+ name = "dev"
 org = var.cf_org_id
 }
-######################################################################
-# add org and space users and managers
-######################################################################
-# Define Org User role
+# ------------------------------------------------------------------------------------------------------
+# SETUP ALL SERVICES FOR CF USAGE
+# ------------------------------------------------------------------------------------------------------
+# ------------------------------------------------------------------------------------------------------
+# USERS AND ROLES
+# ------------------------------------------------------------------------------------------------------
+
+locals {
+ # Remove current user if issuer (idp) of logged in user is not same as used custom idp
+ cf_org_admins = setsubtract(toset(var.cf_org_admins), [data.btp_whoami.me.email])
+ cf_org_users = setsubtract(toset(var.cf_org_users), [data.btp_whoami.me.email])
+
+ cf_space_managers = var.cf_space_managers
+ cf_space_developers = var.cf_space_developers
+
+ # origin_key is default (sap.ids) if issuer (idp) of logged in user is not same as used custom idp, otherwise calculated from custom.idp
+ custom_idp_tenant = var.custom_idp != "" ? element(split(".", var.custom_idp), 0) : ""
+ origin_key = data.btp_whoami.me.issuer != var.custom_idp ? "sap.ids" : "${local.custom_idp_tenant}-platform"
+}
+
+# ------------------------------------------------------------------------------------------------------
+# cf_org_users: Assign organization_user role
+# ------------------------------------------------------------------------------------------------------
 resource "cloudfoundry_org_role" "organization_user" {
- for_each = toset(var.cf_org_users)
+ for_each = toset(local.cf_org_users)
 username = each.value
 type = "organization_user"
 org = var.cf_org_id
- origin = var.origin
+ origin = local.origin_key
 }
-# Define Org Manager role
+
+# ------------------------------------------------------------------------------------------------------
+# cf_org_admins: Assign organization_manager role
+# ------------------------------------------------------------------------------------------------------
 resource "cloudfoundry_org_role" "organization_manager" {
- for_each = toset(var.cf_org_admins)
+ for_each = toset(local.cf_org_admins)
 username = each.value
 type = "organization_manager"
 org = var.cf_org_id
- origin = var.origin
+ origin = local.origin_key
 depends_on = [cloudfoundry_org_role.organization_user]
 }
-
-resource "cloudfoundry_space_role" "space_developer" {
- for_each = toset(var.cf_space_developers)
+# ------------------------------------------------------------------------------------------------------
+# cf_space_managers: Assign space_manager role
+# ------------------------------------------------------------------------------------------------------
+# Define Space Manager role
+resource "cloudfoundry_space_role" "space_manager" {
+ for_each = toset(local.cf_space_managers)
 username = each.value
- type = "space_developer"
+ type = "space_manager"
 space = cloudfoundry_space.dev.id
- origin = var.origin
- depends_on = [cloudfoundry_org_role.organization_user, cloudfoundry_org_role.organization_manager]
+ origin = local.origin_key
+ depends_on = [cloudfoundry_org_role.organization_manager]
 }
-resource "cloudfoundry_space_role" "space_manager" {
- for_each = toset(var.cf_space_managers)
+# ------------------------------------------------------------------------------------------------------
+# cf_space_developers: Assign space_developer role
+# ------------------------------------------------------------------------------------------------------
+resource "cloudfoundry_space_role" "space_developer" {
+ for_each = toset(local.cf_space_developers)
 username = each.value
- type = "space_manager"
+ type = "space_developer"
 space = cloudfoundry_space.dev.id
- origin = var.origin
- depends_on = [cloudfoundry_org_role.organization_user, cloudfoundry_org_role.organization_manager]
+ origin = local.origin_key
+ depends_on = [cloudfoundry_org_role.organization_manager]
 }
\ No newline at end of file
diff --git a/released/discovery_center/mission_4356/step2/outputs.tf b/released/discovery_center/mission_4356/step2/outputs.tf
deleted file mode 100644
index 742f4536..00000000
--- a/released/discovery_center/mission_4356/step2/outputs.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-output "subaccount_id" {
- value = var.subaccount_id
-}
-
-output "cf_org_id" {
- value = var.cf_org_id
-}
-
-output "cf_api_url" {
- value = var.cf_api_url
-}
-
-output "cf_space_name" {
- value = cloudfoundry_space.dev.name
-}
\ No newline at end of file
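Review bot: The comment in the second `locals` block says the executing user is removed from `cf_org_admins`/`cf_org_users` only when the logged-in user's issuer differs from `custom_idp`, but both `setsubtract(...)` calls drop `data.btp_whoami.me.email` unconditionally, so code and comment disagree; either guard the subtraction with the same issuer comparison used for `origin_key`, or reword the comment to `# The executing user is always removed from the org role lists` if that is the intent. The same subtraction is not applied to `cf_space_managers`/`cf_space_developers`, so an executing user listed there would still be assigned through `local.origin_key`; if that asymmetry is deliberate it deserves a one-line comment. `available_for_user_logon = ... ? true : false` is redundant and can be written `available_for_user_logon = data.btp_whoami.me.issuer != var.custom_idp`; a comment stating that with the default `custom_idp = ""` this stays `true`, so the imported `sap.default` trust configuration remains usable for logon, would make the fallback explicit for operators.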
diff --git a/released/discovery_center/mission_4356/step2/provider.tf b/released/discovery_center/mission_4356/step2/provider.tf
index 970b90df..4ec94611 100644
--- a/released/discovery_center/mission_4356/step2/provider.tf
+++ b/released/discovery_center/mission_4356/step2/provider.tf
@@ -1,28 +1,22 @@
 terraform {
 required_providers {
- btp = {
- source = "SAP/btp"
- version = "1.5.0"
- }
 cloudfoundry = {
 source = "SAP/cloudfoundry"
 version = "1.0.0-rc1"
 }
+ btp = {
+ source = "SAP/btp"
+ version = "~> 1.5.0"
+ }
 }
 }
-######################################################################
-# Configure BTP provider
-######################################################################
 provider "btp" {
- cli_server_url = var.cli_server_url
 globalaccount = var.globalaccount
+ cli_server_url = var.cli_server_url
 }
-######################################################################
-# Configure CF provider
-######################################################################
+
 provider "cloudfoundry" {
- # resolve API URL from environment instance
 api_url = var.cf_api_url
 }
\ No newline at end of file
diff --git a/released/discovery_center/mission_4356/step2/variables.tf b/released/discovery_center/mission_4356/step2/variables.tf
index 65b1f80d..5ad3a591 100644
--- a/released/discovery_center/mission_4356/step2/variables.tf
+++ b/released/discovery_center/mission_4356/step2/variables.tf
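Review bot: step2/main.tf in this same commit adds an `import { ... }` block, which Terraform only supports from 1.5 on, yet the `terraform` block here still declares no `required_version`; adding `required_version = ">= 1.5.0"` next to `required_providers` turns a confusing parse error on older CLIs into a clear init-time failure. The btp provider now floats on `~> 1.5.0` while cloudfoundry stays pinned to `1.0.0-rc1`; that is acceptable if a `.terraform.lock.hcl` is committed alongside (not visible in this diff), otherwise pin both so provider resolution stays reproducible.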
@@ -1,23 +1,69 @@
+# Description: This file contains the input variables for the mission 4356 step 2.
+#
+# ------------------------------------------------------------------------------------------------------
+# Account variables
+# ------------------------------------------------------------------------------------------------------
 variable "globalaccount" {
 type = string
- description = "Defines the global account"
- default = "yourglobalaccount"
+ description = "The globalaccount subdomain where the sub account shall be created."
 }
 variable "cli_server_url" {
 type = string
- description = "Defines the CLI server URL"
+ description = "The BTP CLI server URL."
 default = "https://cli.btp.cloud.sap"
 }
+variable "subaccount_id" {
+ type = string
+ description = "The subaccount ID."
+}
+
+variable "custom_idp" {
+ type = string
+ description = "The custom identity provider for the subaccount."
+ default = ""
+}
+
+# ------------------------------------------------------------------------------------------------------
+# cf related variables
+# ------------------------------------------------------------------------------------------------------
+variable "origin" {
+ type = string
+ description = "Defines the origin of the identity provider"
+ default = "sap.ids"
+ # The value for the origin can be defined
+ # but are normally set to "sap.ids", "sap.default" or "sap.custom"
+}
+
+variable "origin_key" {
+ type = string
+ description = "Defines the origin key of the identity provider"
+ default = "sap.ids"
+ # The value for the origin_key can be defined
+ # but are normally set to "sap.ids", "sap.default" or "sap.custom"
+}
+
 variable "cf_api_url" {
 type = string
 description = "The Cloud Foundry API endpoint from the Cloud Foundry environment instance."
 }
 variable "cf_org_id" {
- type = string
+ type = string
+ description = "The Cloud Foundry Org ID from the Cloud Foundry environment instance."
 }
+
+variable "cf_org_name" {
+ type = string
+ description = "Name of the Cloud Foundry org."
+
+ validation {
+ condition = can(regex("^.{1,255}$", var.cf_org_name))
+ error_message = "The Cloud Foundry org name must not be emtpy and not exceed 255 characters."
+ }
+}
+
 variable "cf_space_name" {
 type = string
 description = "Name of the Cloud Foundry space."
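Review bot: `origin` and `origin_key` are declared here as inputs defaulting to `"sap.ids"`, but step2/main.tf in this commit replaces every `var.origin` reference with the computed `local.origin_key`, so as far as the diff shows neither variable is read any more and a caller setting them to pick an identity-provider origin is silently ignored; drop both blocks or make the locals honour them. The `cf_org_name` validation message has a typo, `emtpy` → `empty`. The trailing comments on the two origin variables read better as `# Normally one of "sap.ids", "sap.default" or "sap.custom"`.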
@@ -29,38 +75,34 @@ variable "cf_space_name" {
 }
 }
-variable "origin" {
- type = string
- description = "Defines the origin of the identity provider"
- default = "sap.ids"
- # The value for the origin can be defined
- # but are normally set to "sap.ids", "sap.default" or "sap.custom"
-}
-
-variable "subaccount_id" {
- type = string
+# ------------------------------------------------------------------------------------------------------
+# User lists
+# ------------------------------------------------------------------------------------------------------
+variable "cf_org_admins" {
+ type = list(string)
+ description = "Defines the colleagues who are added to a CF org as administrators."
 }
-variable "cf_space_developers" {
+variable "cf_org_users" {
 type = list(string)
- description = "CF Space developers"
- default = ["jane.doe@test.com", "john.doe@test.com"]
+ description = "Defines the colleagues who are added to a CF org as users."
 }
 variable "cf_space_managers" {
 type = list(string)
- description = "CF Space managers"
- default = ["jane.doe@test.com", "john.doe@test.com"]
+ description = "Defines the colleagues who are added to a CF space as space manager."
 }
-variable "cf_org_admins" {
+variable "cf_space_developers" {
 type = list(string)
- description = "CF Org Admins"
- default = ["jane.doe@test.com", "john.doe@test.com"]
+ description = "Defines the colleagues who are added to a CF space as space developer."
 }
-variable "cf_org_users" {
- type = list(string)
- description = "CF Org Users"
- default = ["jane.doe@test.com", "john.doe@test.com"]
+/*
+# The CF Org name from the Cloud Foundry environment instance
+variable "cf_org_name" {
+ type = string
+ description = "The Cloud Foundry Org name from the Cloud Foundry environment instance."
+ }
+*/
\ No newline at end of file
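Review bot: The commented-out `variable "cf_org_name"` block at the end of the file duplicates the live `cf_org_name` declaration added earlier in this same file and will mislead readers about which one applies; remove the `/* ... */` stretch instead of keeping dead text. The file also ends without a trailing newline, which `terraform fmt` would add.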