SAP-samples · lechnerc77 · Apr 17, 2025 · Apr 17, 2025 · Apr 17, 2025 · Apr 17, 2025
@@ -42,12 +42,20 @@ js
 JS
 jq
 Kyma
+Kubeconfig
+kubeconfig
+kymaruntime
+Kyma
+kyma
 macOS
 md
 namings
 Namings
 NextSteps
 OAuth
+OpenID
+oidc
+OIDC
 OpenSSF
 OpenTofu
 PEM

@@ -41,16 +41,25 @@ To ease the provisioning of entitlements we use the Terraform community module [
 
 The setup of a Cloud Foundry environment is optional. The caller can decide if a Cloud Foundry environment is required or not e.g. when setting up a shared subaccount. The boolean variable is `provision_cf_environment` in the [variables.tf](./variables.tf) file.
 
+The configuration of the setup is done in the corresponding module [`sap-btp-environment/cloudfoundry`](../../modules/sap-btp-environment/cloudfoundry/README.md).
+
+### Setup of Kyma Environment
+
+The setup of a Kyma environment is optional. The caller can decide if a Kyma environment is required or not e.g. when setting up a shared subaccount. The boolean variable is `provision_kyma_environment` in the [variables.tf](./variables.tf) file.
+
+If the Kyma environment is requested, the variable `kyma_administrators` in the [variables.tf](./variables.tf) file must be filled with the users that should be assigned as administrators. This condition is validated
+
+The configuration of the setup is done in the corresponding module [`sap-btp-environment/kyma`](../../modules/sap-btp-environment/kyma/README.md).
 
 ### Output
 
 The output defined in the [outputs.tf](./outputs.tf) file returns the main information relevant for the development team namely:
 
 - a link to the subaccount
-- The ID of the Cloud Foundry org
-- The API endpoint of the Cloud Foundry environment
-
-
+- The ID of the Cloud Foundry org if a Cloud Foundry environment is created
+- The API endpoint of the Cloud Foundry environment if a Cloud Foundry environment is created
+- The URL to the Kyma dashboard if a Kyma environment is created
+- The URL to the Kubeconfig file for the Kyma runtime if a Kyma environment is created
 
 ## SAP BTP Administrator's Guide - References
 

@@ -70,11 +70,21 @@ module "sap_btp_entitlements" {
 }
 
 module "cf_environment" {
-  source = "../../modules/sap-btp-environment/CloudFoundry"
+  source = "../../modules/sap-btp-environment/cloudfoundry"
 
   count = var.provision_cf_environment ? 1 : 0
 
   subaccount_id = btp_subaccount.self.id
   instance_name = module.subaccount_namings.cloudfoundry_org_name
   cf_org_name   = module.subaccount_namings.cloudfoundry_org_name
 }
+
+module "kyma_environment" {
+  source = "../../modules/sap-btp-environment/kyma"
+
+  count = var.provision_kyma_environment ? 1 : 0
+
+  subaccount_id       = btp_subaccount.self.id
+  instance_name       = module.subaccount_namings.kyma_instance_name
+  kyma_administrators = var.kyma_administrators
+}
@@ -12,3 +12,13 @@ output "cf_org_id" {
   value       = var.provision_cf_environment ? module.cf_environment[0].cf_org_id : "No Cloud Foundry environment was requested to be provisioned"
   description = "The Cloud Foundry org ID"
 }
+
+output "kyma_dashboard_url" {
+  value       = var.provision_kyma_environment ? module.kyma_environment[0].kyma_dashboard_url : "No Kyma environment was requested to be provisioned"
+  description = "The URL to the Kyma dashboard"
+}
+
+output "kyma_kubeconfig_url" {
+  value       = var.provision_kyma_environment ? module.kyma_environment[0].kyma_kubeconfig_url : "No Kyma environment was requested to be provisioned"
+  description = "The URL to the Kubeconfig file for the Kyma runtime"
+}
@@ -76,3 +76,20 @@ variable "provision_cf_environment" {
   description = "Provision Cloud Foundry environment in subaccount"
   default     = true
 }
+
+variable "provision_kyma_environment" {
+  type        = bool
+  description = "Provision Kyma environment in subaccount"
+  default     = false
+}
+
+variable "kyma_administrators" {
+  description = "Users to be assigned as administrators for the Kyma environment."
+  type        = list(string)
+  default     = null
+
+  validation {
+    condition     = var.provision_kyma_environment ? length(var.kyma_administrators) > 0 : true
+    error_message = "Kyma administrators must be provided if a Kyma environment is provisioned"
+  }
+}
@@ -1,4 +1,4 @@
-# SAP BTP - Environment Setup
+# SAP BTP - Cloud Foundry Environment Setup
 
 This module encapsulates the creation of a Cloud Foundry environment in a subaccount on SAP BTP.
 

@@ -2,6 +2,7 @@ variable "subaccount_id" {
   type        = string
   description = "ID of the subaccount where the Cloud Foundry environment will be created."
 }
+
 variable "instance_name" {
   type        = string
   description = "Name of the Cloud Foundry environment instance."

@@ -0,0 +1,46 @@
+# SAP BTP - Kyma Environment Setup
+
+This module encapsulates the creation of a Kyma environment in a subaccount on SAP BTP. The configuration is a basic setup. In a real world scenario, you would likely want to customize the setup further with respect to the available parameters like machine type etc. as described in the [documentation](https://help.sap.com/docs/btp/sap-business-technology-platform/provisioning-and-update-parameters-in-kyma-environment) depending on the stage of the environment (development, test, production).
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.11 |
+| <a name="requirement_btp"></a> [btp](#requirement\_btp) | >= 1.11.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_btp"></a> [btp](#provider\_btp) | >= 1.11.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [btp_subaccount_entitlement.kymaruntime](https://registry.terraform.io/providers/SAP/btp/latest/docs/resources/subaccount_entitlement) | resource |
+| [btp_subaccount_environment_instance.kymaruntime](https://registry.terraform.io/providers/SAP/btp/latest/docs/resources/subaccount_environment_instance) | resource |
+| [btp_regions.all](https://registry.terraform.io/providers/SAP/btp/latest/docs/data-sources/regions) | data source |
+| [btp_subaccount.this](https://registry.terraform.io/providers/SAP/btp/latest/docs/data-sources/subaccount) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | Name of the Kyma environment instance. | `string` | n/a | yes |
+| <a name="input_kyma_administrators"></a> [kyma\_administrators](#input\_kyma\_administrators) | Users to be assigned as administrators. | `list(string)` | `[]` | no |
+| <a name="input_oidc"></a> [oidc](#input\_oidc) | Custom OpenID Connect IdP configuration to authenticate users in your Kyma runtime. | <pre>object({<br/>    # the URL of the OpenID issuer (use the https schema)<br/>    issuer_url = string<br/><br/>    # the client ID for the OpenID client<br/>    client_id = string<br/><br/>    #the name of a custom OpenID Connect claim for specifying user groups<br/>    groups_claim = string<br/><br/>    # the list of allowed cryptographic algorithms used for token signing. The allowed values are defined by RFC 7518.<br/>    signing_algs = set(string)<br/><br/>    # the prefix for all usernames. If you don't provide it, username claims other than “email” are prefixed by the issuerURL to avoid clashes. To skip any prefixing, provide the value as -.<br/>    username_prefix = string<br/><br/>    # the name of a custom OpenID Connect claim for specifying a username<br/>    username_claim = string<br/>  })</pre> | `null` | no |
+| <a name="input_plan_name"></a> [plan\_name](#input\_plan\_name) | Desired service plan for the Kyma environment instance.<br/>If not provided it will be set to the default value of the region. | `string` | `null` | no |
+| <a name="input_subaccount_id"></a> [subaccount\_id](#input\_subaccount\_id) | ID of the subaccount where the Cloud Foundry environment will be created. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_kyma_dashboard_url"></a> [kyma\_dashboard\_url](#output\_kyma\_dashboard\_url) | The URL to the Kyma dashboard |
+| <a name="output_kyma_kubeconfig_url"></a> [kyma\_kubeconfig\_url](#output\_kyma\_kubeconfig\_url) | The URL to the Kubeconfig file for the Kyma runtime |
@@ -0,0 +1,45 @@
+data "btp_regions" "all" {}
+
+data "btp_subaccount" "this" {
+  id = var.subaccount_id
+}
+
+locals {
+  subaccount_iaas_provider = [for region in data.btp_regions.all.values : region if region.region == data.btp_subaccount.this.region][0].iaas_provider
+}
+
+resource "btp_subaccount_entitlement" "kymaruntime" {
+  subaccount_id = var.instance_name
+  service_name  = "kymaruntime"
+  plan_name     = var.plan_name != null ? var.plan_name : lower(local.subaccount_iaas_provider)
+  amount        = 1
+}
+
+resource "btp_subaccount_environment_instance" "kymaruntime" {
+  subaccount_id    = var.subaccount_id
+  name             = var.instance_name
+  environment_type = "kyma"
+  service_name     = btp_subaccount_entitlement.kymaruntime.service_name
+  plan_name        = btp_subaccount_entitlement.kymaruntime.plan_name
+  parameters = jsonencode(merge({
+    name           = var.instance_name
+    administrators = toset(var.kyma_administrators)
+    },
+    var.oidc == null ? null : {
+      issuerURL      = var.oidc.issuer_url
+      clientID       = var.oidc.client_id
+      groupsClaim    = var.oidc.groups_claim
+      usernameClaim  = var.oidc.username_claim
+      usernamePrefix = var.oidc.username_prefix
+      signingAlgs    = var.oidc.signing_algs
+  }))
+
+  depends_on = [btp_subaccount_entitlement.kymaruntime]
+
+  timeouts = {
+    read   = "10m"
+    create = "60m"
+    update = "60m"
+    delete = "120m"
+  }
+}
@@ -0,0 +1,9 @@
+output "kyma_dashboard_url" {
+  value       = btp_subaccount_environment_instance.kymaruntime.dashboard_url
+  description = "The URL to the Kyma dashboard"
+}
+
+output "kyma_kubeconfig_url" {
+  value       = jsondecode(btp_subaccount_environment_instance.kymaruntime.labels)["KubeconfigURL"]
+  description = "The URL to the Kubeconfig file for the Kyma runtime"
+}
@@ -0,0 +1,53 @@
+variable "subaccount_id" {
+  type        = string
+  description = "ID of the subaccount where the Cloud Foundry environment will be created."
+}
+
+variable "instance_name" {
+  type        = string
+  description = "Name of the Kyma environment instance."
+
+  validation {
+    condition     = can(regex("^[a-zA-Z0-9_\\-\\.]{1,32}$", var.instance_name))
+    error_message = "Please provide a valid instance name (^[a-zA-Z0-9_\\-\\.]{1,32})."
+  }
+}
+
+variable "plan_name" {
+  type        = string
+  description = <<-EOT
+     Desired service plan for the Kyma environment instance.
+     If not provided it will be set to the default value of the region.
+     EOT
+  default     = null
+}
+
+variable "kyma_administrators" {
+  description = "Users to be assigned as administrators."
+  type        = list(string)
+  default     = []
+}
+
+variable "oidc" {
+  description = "Custom OpenID Connect IdP configuration to authenticate users in your Kyma runtime."
+  type = object({
+    # the URL of the OpenID issuer (use the https schema)
+    issuer_url = string
+
+    # the client ID for the OpenID client
+    client_id = string
+
+    #the name of a custom OpenID Connect claim for specifying user groups
+    groups_claim = string
+
+    # the list of allowed cryptographic algorithms used for token signing. The allowed values are defined by RFC 7518.
+    signing_algs = set(string)
+
+    # the prefix for all usernames. If you don't provide it, username claims other than “email” are prefixed by the issuerURL to avoid clashes. To skip any prefixing, provide the value as -.
+    username_prefix = string
+
+    # the name of a custom OpenID Connect claim for specifying a username
+    username_claim = string
+  })
+  default = null
+}
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.11"
+  required_providers {
+    btp = {
+      source  = "SAP/btp"
+      version = ">= 1.11.0"
+    }
+  }
+}
@@ -44,6 +44,7 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_cloudfoundry_org_name"></a> [cloudfoundry\_org\_name](#output\_cloudfoundry\_org\_name) | Name of the Cloud Foundry org |
+| <a name="output_kyma_instance_name"></a> [kyma\_instance\_name](#output\_kyma\_instance\_name) | Name of the Kyma instance |
 | <a name="output_subaccount_description"></a> [subaccount\_description](#output\_subaccount\_description) | Description of the subaccount |
 | <a name="output_subaccount_labels"></a> [subaccount\_labels](#output\_subaccount\_labels) | Labels for the subaccount |
 | <a name="output_subaccount_name"></a> [subaccount\_name](#output\_subaccount\_name) | Name of the subaccount |