4441: Fix custom idp cases for QAS enabled Mission (#311)

Author: jglander

released/discovery_center/mission_4441/minimal_setup_enterprise/step1/main.tf

@@ -150,8 +150,13 @@ locals {
   subaccount_admins     = var.subaccount_admins
   build_code_admins     = var.build_code_admins
   build_code_developers = var.build_code_developers
+
+  custom_idp_tenant = var.custom_idp != "" ? element(split(".", var.custom_idp), 0) : ""
+  origin_key        = local.custom_idp_tenant != "" ? "${local.custom_idp_tenant}-platform" : ""
 }
 
+data "btp_whoami" "me" {}
+
 # Get all roles in the subaccount
 data "btp_subaccount_roles" "all" {
   subaccount_id = data.btp_subaccount.dc_mission.id
@@ -166,6 +171,7 @@ resource "btp_subaccount_role_collection_assignment" "subaccount_admin" {
   subaccount_id        = data.btp_subaccount.dc_mission.id
   role_collection_name = "Subaccount Administrator"
   user_name            = each.value
+  origin               = local.origin_key
   depends_on           = [btp_subaccount.dc_mission]
 }
 
@@ -192,6 +198,16 @@ resource "btp_subaccount_role_collection_assignment" "build_code_administrator"
   subaccount_id        = data.btp_subaccount.dc_mission.id
   role_collection_name = "Build Code Administrator"
   user_name            = each.value
+  origin               = var.custom_idp_apps_origin_key
+  depends_on           = [btp_subaccount_role_collection.build_code_administrator]
+}
+# Assign logged in user to the role collection "Build Code Administrator" if not custom idp user
+resource "btp_subaccount_role_collection_assignment" "build_code_administrator_default" {
+  count                = data.btp_whoami.me.issuer != var.custom_idp ? 1 : 0
+  subaccount_id        = data.btp_subaccount.dc_mission.id
+  role_collection_name = "Build Code Administrator"
+  user_name            = data.btp_whoami.me.email
+  origin               = "sap.default"
   depends_on           = [btp_subaccount_role_collection.build_code_administrator]
 }
 
@@ -218,6 +234,17 @@ resource "btp_subaccount_role_collection_assignment" "build_code_developer" {
   subaccount_id        = data.btp_subaccount.dc_mission.id
   role_collection_name = "Build Code Developer"
   user_name            = each.value
+  origin               = var.custom_idp_apps_origin_key
+  depends_on           = [btp_subaccount_role_collection.build_code_developer]
+}
+
+# Assign logged in user to the role collection "Build Code Developer" if not custom idp user
+resource "btp_subaccount_role_collection_assignment" "build_code_developer_default" {
+  count                = data.btp_whoami.me.issuer != var.custom_idp ? 1 : 0
+  subaccount_id        = data.btp_subaccount.dc_mission.id
+  role_collection_name = "Build Code Developer"
+  user_name            = data.btp_whoami.me.email
+  origin               = "sap.default"
   depends_on           = [btp_subaccount_role_collection.build_code_developer]
 }
 
@@ -229,6 +256,7 @@ resource "local_file" "output_vars_step1" {
   content  = <<-EOT
       globalaccount        = "${var.globalaccount}"
       cli_server_url       = ${jsonencode(var.cli_server_url)}
+      custom_idp           = ${jsonencode(var.custom_idp)}
 
       subaccount_id        = "${data.btp_subaccount.dc_mission.id}"
 
@@ -237,7 +265,7 @@ resource "local_file" "output_vars_step1" {
       cf_org_id            = "${jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["Org ID"]}"
       cf_org_name          = "${jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["Org Name"]}"
 
-      origin_key           = "${var.origin}"
+      origin_key           = "${local.origin_key}"
 
       cf_space_name        = "${var.cf_space_name}"
 

released/discovery_center/mission_4441/minimal_setup_enterprise/step1/outputs.tf

@@ -1,15 +1,3 @@
-/*
-output "globalaccount" {
-  value       = var.globalaccount
-  description = "The Global Account subdomain."
-}
-
-output "cli_server_url" {
-  value       = var.cli_server_url
-  description = "The BTP CLI server URL."
-}
-*/
-
 output "subaccount_id" {
   value       = data.btp_subaccount.dc_mission.id
   description = "The ID of the subaccount."

released/discovery_center/mission_4441/minimal_setup_enterprise/step1/variables.tf

@@ -18,6 +18,12 @@ variable "custom_idp" {
   default     = ""
 }
 
+variable "custom_idp_apps_origin_key" {
+  type        = string
+  description = "The custom identity provider for the subaccount."
+  default     = "sap.custom"
+}
+
 variable "region" {
   type        = string
   description = "The region where the subaccount shall be created in."
@@ -50,9 +56,8 @@ variable "origin" {
 variable "origin_key" {
   type        = string
   description = "Defines the origin key of the identity provider"
-  default     = "sap.ids"
-  # The value for the origin_key can be defined
-  # but are normally set to "sap.ids", "sap.default" or "sap.custom"
+  default     = ""
+  # The value for the origin_key can be defined, set to "sap.ids", "sap.default" or "sap.custom"
 }
 
 variable "cf_landscape_label" {

released/discovery_center/mission_4441/minimal_setup_enterprise/step2/main.tf

@@ -1,3 +1,22 @@
+# ------------------------------------------------------------------------------------------------------
+# Import custom trust config and disable for user login
+# ------------------------------------------------------------------------------------------------------
+locals {
+  available_for_user_logon = data.btp_whoami.me.issuer != var.custom_idp ? true : false
+}
+
+import {
+  to = btp_subaccount_trust_configuration.default
+  id = "${var.subaccount_id},sap.default"
+}
+
+resource "btp_subaccount_trust_configuration" "default" {
+  subaccount_id            = var.subaccount_id
+  identity_provider        = ""
+  auto_create_shadow_users = false
+  available_for_user_logon = local.available_for_user_logon
+}
+
 # ------------------------------------------------------------------------------------------------------
 # Create the Cloud Foundry space
 # ------------------------------------------------------------------------------------------------------
@@ -15,11 +34,15 @@ resource "cloudfoundry_space" "dev" {
 data "btp_whoami" "me" {}
 
 locals {
-  # Remove current user
-  cf_org_admins = setsubtract(toset(var.cf_org_admins), [data.btp_whoami.me.email])
+  # Remove current user if issuer (idp) of logged in user is not same as used custom idp 
+  cf_org_admins = data.btp_whoami.me.issuer != var.custom_idp ? var.cf_org_admins : setsubtract(toset(var.cf_org_admins), [data.btp_whoami.me.email])
 
   cf_space_managers   = var.cf_space_managers
   cf_space_developers = var.cf_space_developers
+
+  # get origin_key from custom.idp 
+  custom_idp_tenant = var.custom_idp != "" ? element(split(".", var.custom_idp), 0) : ""
+  origin_key        = local.custom_idp_tenant != "" ? "${local.custom_idp_tenant}-platform" : "sap.ids"
 }
 
 # ------------------------------------------------------------------------------------------------------
@@ -30,7 +53,7 @@ resource "cloudfoundry_org_role" "organization_user" {
   username = each.value
   type     = "organization_user"
   org      = var.cf_org_id
-  origin   = var.origin_key
+  origin   = local.origin_key
 }
 
 # ------------------------------------------------------------------------------------------------------
@@ -41,7 +64,7 @@ resource "cloudfoundry_org_role" "organization_manager" {
   username   = each.value
   type       = "organization_manager"
   org        = var.cf_org_id
-  origin     = var.origin_key
+  origin     = local.origin_key
   depends_on = [cloudfoundry_org_role.organization_user]
 }
 
@@ -54,7 +77,7 @@ resource "cloudfoundry_space_role" "space_manager" {
   username   = each.value
   type       = "space_manager"
   space      = cloudfoundry_space.dev.id
-  origin     = var.origin_key
+  origin     = local.origin_key
   depends_on = [cloudfoundry_org_role.organization_manager]
 }
 
@@ -66,6 +89,6 @@ resource "cloudfoundry_space_role" "space_developer" {
   username   = each.value
   type       = "space_developer"
   space      = cloudfoundry_space.dev.id
-  origin     = var.origin_key
+  origin     = local.origin_key
   depends_on = [cloudfoundry_org_role.organization_manager]
 }

released/discovery_center/mission_4441/minimal_setup_enterprise/step2/variables.tf

@@ -19,6 +19,18 @@ variable "cli_server_url" {
   default     = "https://cli.btp.cloud.sap"
 }
 
+variable "custom_idp" {
+  type        = string
+  description = "Defines the custom IDP to be used for the subaccount"
+  default     = ""
+}
+
+variable "custom_idp_tenant" {
+  type        = string
+  description = "workaround"
+  default     = ""
+}
+
 variable "cf_api_url" {
   type        = string
   description = "The Cloud Foundry API endpoint from the Cloud Foundry environment instance."