diff --git a/released/discovery_center/mission_3680/step1/README.md b/released/discovery_center/mission_3680/step1/README.md index a2862bdc..76fd72d3 100644 --- a/released/discovery_center/mission_3680/step1/README.md +++ b/released/discovery_center/mission_3680/step1/README.md @@ -1,4 +1,4 @@ -# Discovery Center Mission: Create a custom mobile app to extend HR capabilities (3680) +# Discovery Center Mission: Create a custom mobile app to extend HR capabilities (3680) - Step 1 ## Overview 
@@ -18,27 +18,31 @@ The setup comprises the following resources: To deploy the resources you must: -1. Export environment variables BTP_USERNAME, BTP_PASSWORD, CF_USER, and CF_PASSWORD with your username and password for the custom IdP of your global account. +1. Set the environment variables BTP_USERNAME and BTP_PASSWORD to pass credentials to the BTP provider to authenticate and interact with your BTP environments. -2. Change the variables in the `samples.tfvars` file in the main folder to meet your requirements + ```bash + export BTP_USERNAME= + export BTP_PASSWORD= + ``` + +2. Change the variables in the `sample.tfvars` file to meet your requirements > ⚠ NOTE: You should pay attention **specifically** to the users defined in the samples.tfvars whether they already exist in your SAP BTP accounts. Otherwise you might get error messages like e.g. `Error: The user could not be found: jane.doe@test.com`. -3. Execute the apply.sh script. -4. Verify e.g., in BTP cockpit that a new subaccount with a integration suite, SAP Business Application Studio, CF environment instance and a CF space have been created. +3. Initialize your workspace: ```bash terraform init ``` -5. You can check what Terraform plans to apply based on your configuration: +4. You can check what Terraform plans to apply based on your configuration: ```bash - terraform plan -var-file="samples.tfvars" + terraform plan -var-file="sample.tfvars" ``` -6. Apply your configuration to provision the resources: +5. Apply your configuration to provision the resources: ```bash terraform apply -var-file="samples.tfvars" @@ -50,4 +54,4 @@ You probably want to remove the assets after trying them out to avoid unnecessar ```bash terraform destroy -var-file="samples.tfvars" -``` \ No newline at end of file +``` diff --git a/released/discovery_center/mission_3680/step1/locals.tf b/released/discovery_center/mission_3680/step1/locals.tf deleted file mode 100644 index 0cad1df9..00000000 
--- a/released/discovery_center/mission_3680/step1/locals.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-locals {
- service_name__sap_build_apps = "sap-build-apps"
- service_name__build_workzone = "SAPLaunchpad"
-}
\ No newline at end of file
diff --git a/released/discovery_center/mission_3680/step1/main.tf b/released/discovery_center/mission_3680/step1/main.tf
index 8764c364..3a09cdb9 100644
--- a/released/discovery_center/mission_3680/step1/main.tf
+++ b/released/discovery_center/mission_3680/step1/main.tf
@@ -9,47 +9,98 @@ locals { # If a cf_org_name was defined by the user, take that as a subaccount_cf_org. Otherwise create it. subaccount_cf_org = length(var.cf_org_name) > 0 ? var.cf_org_name : substr(replace("${local.subaccount_domain}", "-", ""), 0, 32) } + +locals { + service_name__sap_build_apps = "sap-build-apps" + service_name__build_workzone = "SAPLaunchpad" +} + # ------------------------------------------------------------------------------------------------------ # Creation of subaccount # ------------------------------------------------------------------------------------------------------ resource "btp_subaccount" "dc_mission" { + count = var.subaccount_id == "" ? 1 : 0 + name = var.subaccount_name subdomain = local.subaccount_domain region = lower(var.region) usage = "USED_FOR_PRODUCTION" } +data "btp_subaccount" "dc_mission" { + id = var.subaccount_id != "" ? var.subaccount_id : btp_subaccount.dc_mission[0].id +} + + +# ------------------------------------------------------------------------------------------------------ +# Assign custom IDP to sub account +# ------------------------------------------------------------------------------------------------------ +locals { + service_name__sap_identity_services_onboarding = "sap-identity-services-onboarding" +} + +# Entitle +resource "btp_subaccount_entitlement" "sap_identity_services_onboarding" { + count = var.custom_idp == "" ? 1 : 0 + + subaccount_id = data.btp_subaccount.dc_mission.id + service_name = local.service_name__sap_identity_services_onboarding + plan_name = var.service_plan__sap_identity_services_onboarding +} +# Subscribe +resource "btp_subaccount_subscription" "sap_identity_services_onboarding" { + count = var.custom_idp == "" ? 
1 : 0 + + subaccount_id = data.btp_subaccount.dc_mission.id + app_name = local.service_name__sap_identity_services_onboarding + plan_name = var.service_plan__sap_identity_services_onboarding + depends_on = [btp_subaccount_entitlement.sap_identity_services_onboarding] +} + +# IdP trust configuration +resource "btp_subaccount_trust_configuration" "fully_customized" { + subaccount_id = data.btp_subaccount.dc_mission.id + identity_provider = var.custom_idp != "" ? var.custom_idp : element(split("/", btp_subaccount_subscription.sap_identity_services_onboarding[0].subscription_url), 2) +} + +locals { + custom_idp_tenant = element(split(".", btp_subaccount_trust_configuration.fully_customized.identity_provider), 0) + origin_key = local.custom_idp_tenant != "" ? "${local.custom_idp_tenant}-platform" : "sap.default" + origin_key_app_users = var.custom_idp_apps_origin_key +} + # ------------------------------------------------------------------------------------------------------ # Assignment of users as sub account administrators # ------------------------------------------------------------------------------------------------------ resource "btp_subaccount_role_collection_assignment" "subaccount-admins" { for_each = toset(var.subaccount_admins) - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id role_collection_name = "Subaccount Administrator" user_name = each.value + origin = local.origin_key } # ------------------------------------------------------------------------------------------------------ # Assignment of users as sub account service administrators # ------------------------------------------------------------------------------------------------------ resource "btp_subaccount_role_collection_assignment" "subaccount-service-admins" { for_each = toset(var.subaccount_service_admins) - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id role_collection_name = "Subaccount 
Service Administrator" user_name = each.value + origin = local.origin_key } - # ------------------------------------------------------------------------------------------------------ # Entitle subaccount for usage of SAP HANA Cloud tools # ------------------------------------------------------------------------------------------------------ resource "btp_subaccount_entitlement" "hana_cloud_tools" { - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id service_name = "hana-cloud-tools" plan_name = "tools" } resource "btp_subaccount_subscription" "hana_cloud_tools" { - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id app_name = "hana-cloud-tools" plan_name = "tools" depends_on = [btp_subaccount_entitlement.hana_cloud_tools] 
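Review bot: `local.custom_idp_tenant` is derived with `element(split(".", ...identity_provider), 0)`, so any `custom_idp` value that is not a bare hostname beginning with the tenant label (the sample value `.accounts.ondemand.com` on this page, or a value carrying a scheme or leading dot) yields an empty tenant, and `origin_key` silently falls back to `sap.default`; the `Subaccount Administrator` and `Subaccount Service Administrator` assignments in this hunk then target users of the default identity provider instead of the custom one. A validation on `variable "custom_idp"` (declared outside this hunk) would turn that into a plan-time error, e.g. `condition = var.custom_idp == "" || can(regex("^[A-Za-z0-9-]+\\.", var.custom_idp))` with a matching `error_message`. The create-or-lookup switch is also written twice, as `var.subaccount_id == ""` on the resource's `count` and `var.subaccount_id != ""` in the data source; a shared `create_subaccount = var.subaccount_id == ""` local would keep the two from drifting apart.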
@@ -57,32 +108,32 @@ resource "btp_subaccount_subscription" "hana_cloud_tools" { # Assign users to Role Collection: SAP HANA Cloud Administrator resource "btp_subaccount_role_collection_assignment" "hana_cloud_admin" { - for_each = toset(var.hana_cloud_admins) - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id role_collection_name = "SAP HANA Cloud Administrator" - user_name = each.value + user_name = var.hana_system_admin depends_on = [btp_subaccount_subscription.hana_cloud_tools] + origin = local.origin_key_app_users } # ------------------------------------------------------------------------------------------------------ # Entitle subaccount for usage of SAP HANA Cloud # ------------------------------------------------------------------------------------------------------ resource "btp_subaccount_entitlement" "hana_cloud" { - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id service_name = "hana-cloud" plan_name = "hana" } # Get plan for SAP HANA Cloud data "btp_subaccount_service_plan" "hana_cloud" { - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id offering_name = "hana-cloud" name = "hana" depends_on = [btp_subaccount_entitlement.hana_cloud] } resource "btp_subaccount_service_instance" "hana_cloud" { - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id serviceplan_id = data.btp_subaccount_service_plan.hana_cloud.id name = "my-hana-cloud-instance" depends_on = [btp_subaccount_entitlement.hana_cloud] @@ -117,7 +168,7 @@ resource "btp_subaccount_service_instance" "hana_cloud" { # Create service binding to SAP HANA Cloud service resource "btp_subaccount_service_binding" "hana_cloud" { - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id service_instance_id = btp_subaccount_service_instance.hana_cloud.id name = "hana-cloud-key" } 
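Review bot: `btp_subaccount_role_collection_assignment.hana_cloud_admin` now sets `origin = local.origin_key_app_users`, which is only `var.custom_idp_apps_origin_key` (default `sap.custom`), so Terraform cannot infer that the trust configuration has to exist first; the resource's only `depends_on` is the `hana_cloud_tools` subscription. On a fresh apply the assignment may therefore be attempted before `btp_subaccount_trust_configuration.fully_customized` has created the `sap.custom` origin. The Build Apps entitlement later in this file adds `depends_on = [btp_subaccount_trust_configuration.fully_customized]`, presumably for this reason; the same entry belongs here, `depends_on = [btp_subaccount_subscription.hana_cloud_tools, btp_subaccount_trust_configuration.fully_customized]`, and on `event_mesh_admin` and `event_mesh_developer` in the next hunk, which have the identical gap.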
@@ -130,7 +181,7 @@ resource "btp_subaccount_service_binding" "hana_cloud" { # # Fetch all available environments for the subaccount data "btp_subaccount_environments" "all" { - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id } # ------------------------------------------------------------------------------------------------------ # Take the landscape label from the first CF environment if no environment label is provided @@ -143,7 +194,7 @@ resource "terraform_data" "cf_landscape_label" { # Creation of Cloud Foundry environment # ------------------------------------------------------------------------------------------------------ resource "btp_subaccount_environment_instance" "cloudfoundry" { - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id name = local.subaccount_cf_org environment_type = "cloudfoundry" service_name = "cloudfoundry" @@ -158,19 +209,19 @@ resource "btp_subaccount_environment_instance" "cloudfoundry" { # Event Mesh # ------------------------------------------------------------------------------------------------------ resource "btp_subaccount_entitlement" "event_mesh" { - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id service_name = "enterprise-messaging" plan_name = "default" } resource "btp_subaccount_entitlement" "event_mesh_application" { - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id service_name = "enterprise-messaging-hub" plan_name = "standard" } resource "btp_subaccount_subscription" "event_mesh_application" { - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id app_name = "enterprise-messaging-hub" plan_name = "standard" depends_on = [btp_subaccount_entitlement.event_mesh_application] 
@@ -179,19 +230,150 @@ resource "btp_subaccount_subscription" "event_mesh_application" { resource "btp_subaccount_role_collection_assignment" "event_mesh_admin" { depends_on = [btp_subaccount_subscription.event_mesh_application] for_each = toset(var.event_mesh_admins) - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id role_collection_name = "Enterprise Messaging Administrator" user_name = each.value + origin = local.origin_key_app_users } resource "btp_subaccount_role_collection_assignment" "event_mesh_developer" { depends_on = [btp_subaccount_subscription.event_mesh_application] for_each = toset(var.event_mesh_developers) - subaccount_id = btp_subaccount.dc_mission.id + subaccount_id = data.btp_subaccount.dc_mission.id role_collection_name = "Enterprise Messaging Developer" user_name = each.value + origin = local.origin_key_app_users +} + +# ------------------------------------------------------------------------------------------------------ +# Prepare and setup app: SAP Build Apps +# ------------------------------------------------------------------------------------------------------ +# Entitle subaccount for usage of SAP Build Apps +resource "btp_subaccount_entitlement" "sap_build_apps" { + subaccount_id = data.btp_subaccount.dc_mission.id + service_name = local.service_name__sap_build_apps + plan_name = var.service_plan__sap_build_apps + amount = 1 + depends_on = [btp_subaccount_trust_configuration.fully_customized] +} + +# Create a subscription to the SAP Build Apps +resource "btp_subaccount_subscription" "sap-build-apps_standard" { + subaccount_id = data.btp_subaccount.dc_mission.id + app_name = "sap-appgyver-ee" + plan_name = var.service_plan__sap_build_apps + depends_on = [btp_subaccount_entitlement.sap_build_apps] +} + +# Get all roles in the subaccount +data "btp_subaccount_roles" "all" { + subaccount_id = data.btp_subaccount.dc_mission.id + depends_on = 
[btp_subaccount_subscription.sap-build-apps_standard] +} + +# ------------------------------------------------------------------------------------------------------ +# Setup for role collection BuildAppsAdmin +# ------------------------------------------------------------------------------------------------------ +# Create the role collection +resource "btp_subaccount_role_collection" "build_apps_BuildAppsAdmin" { + subaccount_id = data.btp_subaccount.dc_mission.id + name = "BuildAppsAdmin" + + roles = [ + for role in data.btp_subaccount_roles.all.values : { + name = role.name + role_template_app_id = role.app_id + role_template_name = role.role_template_name + } if contains(["BuildAppsAdmin"], role.name) + ] +} +# Assign users to the role collection +resource "btp_subaccount_role_collection_assignment" "build_apps_BuildAppsAdmin" { + depends_on = [btp_subaccount_role_collection.build_apps_BuildAppsAdmin] + for_each = toset(var.users_buildApps_admins) + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "BuildAppsAdmin" + user_name = each.value + origin = local.origin_key_app_users +} + +# ------------------------------------------------------------------------------------------------------ +# Setup for role collection BuildAppsDeveloper +# ------------------------------------------------------------------------------------------------------ +# Create the role collection +resource "btp_subaccount_role_collection" "build_apps_BuildAppsDeveloper" { + subaccount_id = data.btp_subaccount.dc_mission.id + name = "BuildAppsDeveloper" + + roles = [ + for role in data.btp_subaccount_roles.all.values : { + name = role.name + role_template_app_id = role.app_id + role_template_name = role.role_template_name + } if contains(["BuildAppsDeveloper"], role.name) + ] +} +# Assign users to the role collection +resource "btp_subaccount_role_collection_assignment" "build_apps_BuildAppsDeveloper" { + depends_on = 
[btp_subaccount_role_collection.build_apps_BuildAppsDeveloper] + for_each = toset(var.users_buildApps_developers) + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "BuildAppsDeveloper" + user_name = each.value + origin = local.origin_key_app_users } +# ------------------------------------------------------------------------------------------------------ +# Setup for role collection RegistryAdmin +# ------------------------------------------------------------------------------------------------------ +# Create the role collection +resource "btp_subaccount_role_collection" "build_apps_RegistryAdmin" { + subaccount_id = data.btp_subaccount.dc_mission.id + name = "RegistryAdmin" + + roles = [ + for role in data.btp_subaccount_roles.all.values : { + name = role.name + role_template_app_id = role.app_id + role_template_name = role.role_template_name + } if contains(["RegistryAdmin"], role.name) + ] +} +# Assign users to the role collection +resource "btp_subaccount_role_collection_assignment" "build_apps_RegistryAdmin" { + depends_on = [btp_subaccount_role_collection.build_apps_RegistryAdmin] + for_each = toset(var.users_registry_admins) + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "RegistryAdmin" + user_name = each.value + origin = local.origin_key_app_users +} + +# ------------------------------------------------------------------------------------------------------ +# Setup for role collection RegistryDeveloper +# ------------------------------------------------------------------------------------------------------ +# Create the role collection +resource "btp_subaccount_role_collection" "build_apps_RegistryDeveloper" { + subaccount_id = data.btp_subaccount.dc_mission.id + name = "RegistryDeveloper" + + roles = [ + for role in data.btp_subaccount_roles.all.values : { + name = role.name + role_template_app_id = role.app_id + role_template_name = role.role_template_name + } if contains(["RegistryDeveloper"], 
role.name) + ] +} +# Assign users to the role collection +resource "btp_subaccount_role_collection_assignment" "build_apps_RegistryDeveloper" { + depends_on = [btp_subaccount_role_collection.build_apps_RegistryDeveloper] + for_each = toset(var.users_registry_developers) + subaccount_id = data.btp_subaccount.dc_mission.id + role_collection_name = "RegistryDeveloper" + user_name = each.value + origin = local.origin_key_app_users +} # ------------------------------------------------------------------------------------------------------ # Create tfvars file for step 2 (if variable `create_tfvars_file_for_step2` is set to true) @@ -199,17 +381,16 @@ resource "btp_subaccount_role_collection_assignment" "event_mesh_developer" { resource "local_file" "output_vars_step1" { count = var.create_tfvars_file_for_step2 ? 1 : 0 content = <<-EOT - subaccount_id = "${btp_subaccount.dc_mission.id}" + subaccount_id = "${data.btp_subaccount.dc_mission.id}" + globalaccount = "${var.globalaccount}" cf_api_url = "${jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["API Endpoint"]}" cf_org_id = "${jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["Org ID"]}" - origin = "${var.origin}" cf_space_name = "${var.cf_space_name}" cf_org_users = ${jsonencode(var.cf_org_users)} cf_org_admins = ${jsonencode(var.cf_org_admins)} cf_space_developers = ${jsonencode(var.cf_space_developers)} cf_space_managers = ${jsonencode(var.cf_space_managers)} - event_mesh_url = "${btp_subaccount_subscription.event_mesh_application.subscription_url}" - hana_tools_url = "${btp_subaccount_subscription.hana_cloud_tools.subscription_url}" + custom_idp = "${btp_subaccount_trust_configuration.fully_customized.identity_provider}" EOT filename = "../step2/terraform.tfvars" } \ No newline at end of file diff --git a/released/discovery_center/mission_3680/step1/outputs.tf b/released/discovery_center/mission_3680/step1/outputs.tf index c6f4202a..303da533 100644 
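Review bot: The four new role collections select roles with `if contains(["BuildAppsAdmin"], role.name)` (and likewise for `BuildAppsDeveloper`, `RegistryAdmin`, `RegistryDeveloper`), a one-element membership test standing in for `role.name == "BuildAppsAdmin"` that matches on the role name alone and not on the application the role belongs to. If another application in the subaccount defines a role with the same name, that role is silently added to the collection too, and an empty match produces an empty collection without any error. Writing the test as a plain equality and also constraining `role.app_id`, `if role.name == "BuildAppsAdmin" && role.app_id == "<BUILD_APPS_APP_ID placeholder>"`, makes the selection explicit; the app id is not visible on this page and must be taken from the subscription.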
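Review bot: Step 2's `variables.tf` is only partly visible on this page, so it is not clear that it declares `custom_idp`, which this heredoc now writes into `../step2/terraform.tfvars` together with `globalaccount`; a value for an undeclared variable in a generated `terraform.tfvars` is only a warning, whereas a declared variable that step 1 stops writing (as with the dropped `origin`, `event_mesh_url` and `hana_tools_url`) is a hard error, so both sides should be checked together. Step 2's README also invites the reader to adjust the generated file, but `local_file` presumably rewrites it whenever this `content` changes, so a comment above `content`, `# Regenerated by step 1 whenever its content changes; hand edits in ../step2/terraform.tfvars may be lost`, would make that visible.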
--- a/released/discovery_center/mission_3680/step1/outputs.tf +++ b/released/discovery_center/mission_3680/step1/outputs.tf @@ -1,5 +1,5 @@ output "subaccount_id" { - value = btp_subaccount.dc_mission.id + value = data.btp_subaccount.dc_mission.id description = "The ID of the subaccount." } @@ -27,38 +27,12 @@ output "hana_tools_url" { value = btp_subaccount_subscription.hana_cloud_tools.subscription_url description = "HANA Tools URL" } +output "build_apps_url" { + value = btp_subaccount_subscription.sap-build-apps_standard.subscription_url + description = "SAP Build Apps URL" +} output "cf_org_name" { value = jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["Org Name"] description = "The Cloudfoundry org name." } - -output "cf_org_admins" { - value = var.cf_org_admins - description = "The Cloudfoundry org admins." -} - -output "cf_org_users" { - value = var.cf_org_users - description = "The Cloudfoundry org users." -} - -output "cf_space_developers" { - value = var.cf_space_developers - description = "The Cloudfoundry space developers." -} - -output "cf_space_managers" { - value = var.cf_space_managers - description = "The Cloudfoundry space managers." -} - -output "cf_space_name" { - value = var.cf_space_name - description = "The Cloudfoundry space name." -} - -output "origin" { - value = var.origin - description = "The origin of the identity provider." -} diff --git a/released/discovery_center/mission_3680/step1/samples.tfvars b/released/discovery_center/mission_3680/step1/sample.tfvars similarity index 67% rename from released/discovery_center/mission_3680/step1/samples.tfvars rename to released/discovery_center/mission_3680/step1/sample.tfvars index 6ff37127..545ca8c4 100644 --- a/released/discovery_center/mission_3680/step1/samples.tfvars +++ b/released/discovery_center/mission_3680/step1/sample.tfvars 
@@ -5,6 +5,7 @@ globalaccount = "yourglobalaccount" region = "us10" subaccount_name = "SAP Discovery Center Mission 3680" +custom_idp = ".accounts.ondemand.com" # ------------------------------------------------------------------------------------------------------ # Project specific configuration (please adapt!) @@ -14,15 +15,21 @@ subaccount_name = "SAP Discovery Center Mission 3680" subaccount_admins = ["another.user@test.com"] subaccount_service_admins = ["another.user@test.com"] -hana_cloud_admins = ["another.user@test.com"] +hana_system_admin = "another.user@test.com" hana_system_password = "Abc12345" # Don't add the user, that is executing the TF script to cf_org_admins or cf_org_users! cf_org_admins = ["another.user@test.com"] cf_org_users = ["another.user@test.com"] -cf_space_managers = ["another.user@test.com", "you@test.com"] -cf_space_developers = ["another.user@test.com", "you@test.com"] +cf_space_managers = ["another.user@test.com"] +cf_space_developers = ["another.user@test.com"] # Event Mesh users -event_mesh_admins = ["another.user@test.com", "you@test.com"] -event_mesh_developers = ["another.user@test.com", "you@test.com"] +event_mesh_admins = ["another.user@test.com"] +event_mesh_developers = ["another.user@test.com"] + +# Build Apps +users_buildApps_admins = ["another.user@test.com"] +users_registry_admins = ["another.user@test.com"] +users_buildApps_developers = ["another.user@test.com"] +users_registry_developers = ["another.user@test.com"] diff --git a/released/discovery_center/mission_3680/step1/variables.tf b/released/discovery_center/mission_3680/step1/variables.tf index 5baffe57..cd76d5ac 100644 --- a/released/discovery_center/mission_3680/step1/variables.tf +++ b/released/discovery_center/mission_3680/step1/variables.tf 
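Review bot: The new `custom_idp = ".accounts.ondemand.com"` placeholder starts with a dot, and step 1's `main.tf` derives the origin key from the first dot-separated label of this value, so the sample as written produces an empty tenant and a `sap.default` origin rather than a clear failure; a placeholder that shows the expected shape, `custom_idp = "<YOUR_TENANT_ID placeholder>.accounts.ondemand.com"`, avoids that. The file is renamed to `sample.tfvars`, but the README hunk on this page still runs `terraform apply -var-file="samples.tfvars"` and `terraform destroy -var-file="samples.tfvars"`, which no longer resolve after the rename. The unchanged `hana_system_password = "Abc12345"` line keeps a sample password in a committed file; a comment above it, `# Replace before use; prefer -var or TF_VAR_hana_system_password over committing a value`, would state the intent.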
@@ -28,39 +28,23 @@ variable "subaccount_id" { variable "subaccount_admins" { type = list(string) description = "Defines the colleagues who are added to each subaccount as subaccount administrators." - default = ["jane.doe@test.com", "john.doe@test.com"] } variable "subaccount_service_admins" { type = list(string) description = "Defines the colleagues who are added to each subaccount as subaccount service administrators." - default = ["jane.doe@test.com", "john.doe@test.com"] } variable "region" { type = string description = "The region where the sub account shall be created in." - default = "us10" - - # Checkout https://github.com/SAP-samples/btp-service-metadata/blob/main/v0/developer/aicore.json for the latest list of regions - # supported by the AI Core service with the "extended" service plan. - validation { - condition = contains(["ap10", "eu10", "eu11", "eu20", "eu30", "jp10", "us10", "us21", "us30"], var.region) - error_message = "Please enter a valid region for the sub account. Checkout https://github.com/SAP-samples/btp-service-metadata/blob/main/v0/developer/aicore.json for regions providing the AI Core service." - } + default = "" } -variable "hana_cloud_admins" { - type = list(string) - description = "Defines the colleagues who are added as admins to access the instance of SAP HANA Cloud." - default = ["jane.doe@test.com", "john.doe@test.com"] - - # add validation to check if admins contains a list of valid email addresses - validation { - condition = length([for email in var.hana_cloud_admins : can(regex("^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$", email))]) == length(var.hana_cloud_admins) - error_message = "Please enter a valid email address for the admins of SAP HANA Cloud instance." - } +variable "hana_system_admin" { + type = string + description = "Defines the colleague who is added as admin to access the instance of SAP HANA Cloud." } variable "custom_idp" { 
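Review bot: `variable "hana_system_admin"` replaces `hana_cloud_admins` but drops the e-mail validation block the old variable carried, so a mistyped admin address is only reported by the provider at apply time, if at all; the removed regex can be kept as `validation { condition = can(regex("^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$", var.hana_system_admin)) error_message = "Please enter a valid email address for the admin of the SAP HANA Cloud instance." }`. `variable "region"` changes `default = "us10"` to `default = ""`; since `region = lower(var.region)` feeds `btp_subaccount.dc_mission` whenever no `subaccount_id` is given, an unset region now fails inside the provider instead of at variable validation, so either remove the default (making the variable required) or keep a validation with a clear message. The new `users_buildApps_*` and `users_registry_*` list variables in the last hunk of this file have the same missing-validation gap.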
@@ -72,7 +56,7 @@ variable "custom_idp" { variable "create_tfvars_file_for_step2" { type = bool description = "Switch to enable the creation of the tfvars file for step 2." - default = false + default = true } variable "hana_system_password" { @@ -126,25 +110,21 @@ variable "cf_space_name" { variable "cf_space_developers" { type = list(string) description = "CF Space developers" - default = ["jane.doe@test.com", "john.doe@test.com"] } variable "cf_space_managers" { type = list(string) description = "CF Space managers" - default = ["jane.doe@test.com", "john.doe@test.com"] } variable "cf_org_admins" { type = list(string) description = "CF Org Admins" - default = ["jane.doe@test.com", "john.doe@test.com"] } variable "cf_org_users" { type = list(string) description = "CF Org Users" - default = ["jane.doe@test.com", "john.doe@test.com"] } variable "origin" { 
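Review bot: `variable "origin"` (its declaration begins at the end of this hunk and continues outside it) appears to have no remaining consumer: `main.tf` drops the `origin = "${var.origin}"` line from the generated tfvars, `outputs.tf` drops `output "origin"`, and step 2 now computes `local.origin_key` itself. Unless it is referenced somewhere not on this page, removing it from `variables.tf` and `sample.tfvars` avoids suggesting the value still matters. Switching `create_tfvars_file_for_step2` to `default = true` also means a plain apply now writes `../step2/terraform.tfvars`; naming that path in the variable's `description` would document the side effect.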
@@ -169,13 +149,56 @@ variable "cf_org_name" { variable "event_mesh_admins" { type = list(string) description = "Enterprise Messaging Administrators" - default = ["jane.doe@test.com", "john.doe@test.com"] } variable "event_mesh_developers" { type = list(string) description = "Enterprise Messaging Developers" - default = ["jane.doe@test.com", "john.doe@test.com"] } +variable "custom_idp_apps_origin_key" { + type = string + description = "The custom identity provider for the subaccount." + default = "sap.custom" +} + +variable "service_plan__sap_identity_services_onboarding" { + type = string + description = "The plan for service 'Cloud Identity Services' with technical name 'sap-identity-services-onboarding'" + default = "default" + validation { + condition = contains(["default"], var.service_plan__sap_identity_services_onboarding) + error_message = "Invalid value for service_plan__sap_identity_services_onboarding. Only 'default' is allowed." + } +} + +variable "users_buildApps_admins" { + type = list(string) + description = "Defines the colleagues who have the role of 'BuildAppsAdmin' in SAP Build Apps." +} + +variable "users_buildApps_developers" { + type = list(string) + description = "Defines the colleagues who have the role of 'BuildAppsDeveloper' in SAP Build Apps." +} + +variable "users_registry_admins" { + type = list(string) + description = "Defines the colleagues who have the role of 'RegistryAdmin' in SAP Build Apps." +} + +variable "users_registry_developers" { + type = list(string) + description = "Defines the colleagues who have the role of RegistryDeveloper' in SAP Build Apps." +} + +variable "service_plan__sap_build_apps" { + type = string + description = "The plan for SAP Build Apps subscription" + default = "free" + validation { + condition = contains(["free", "standard", "partner"], var.service_plan__sap_build_apps) + error_message = "Invalid value for service_plan__sap_build_apps. Only 'free', 'standard' and 'partner' are allowed." + } +} 
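Review bot: The `description` of `custom_idp_apps_origin_key` says "The custom identity provider for the subaccount.", but the variable holds the origin key used for application-user role assignments (default `sap.custom`), which is distinct from `custom_idp`; suggest `description = "Origin key of the identity provider used for application users (default: sap.custom)"`. The `users_registry_developers` description has an unbalanced quote, `RegistryDeveloper'`, and should read `'RegistryDeveloper'`. The four new `users_*` variables accept any list of strings; an e-mail-format validation like the one the removed `hana_cloud_admins` variable had (visible in the first `variables.tf` hunk on this page) would catch typos at plan time instead of as a provider error.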
diff --git a/released/discovery_center/mission_3680/step2/README.md b/released/discovery_center/mission_3680/step2/README.md new file mode 100644 index 00000000..ef024581 --- /dev/null +++ b/released/discovery_center/mission_3680/step2/README.md @@ -0,0 +1,38 @@ +# Discovery Center mission - Create a custom mobile app to extend HR capabilities (3680) - Step 2 + +## Overview + +This script shows how to create a SAP BTP subaccount for Discovery Center Mission: Create a custom mobile app to extend HR capabilities (3680). Step 2 comprises all activities that depend on the step 1 completion. + +## Deploying the resources + +To deploy the resources you must: + + +1. If you did not create a `tfvars` file in step 1 (via the variable `create_tfvars_file_for_step2`) you must manually Take the output of step 1 and transfer it in a `tfvars` file e.g. `sample.tfvars` file to meet your requirements. Of course you can also further adjust the generated `tfvars` file from step 1. + +2. If not already done in step 1, initialize your workspace: + + ```bash + terraform init + ``` + +3. You can check what Terraform plans to apply based on your configuration. If you use the generated `tfvars` file from step 1 you do not need need to explicitly add the filename to the command: + + ```bash + terraform plan -var-file="terraform.tfvars" + ``` + +4. According to the variants of step 3. apply your configuration to provision the resources either via: + + ```bash + terraform apply -var-file="terraform.tfvars" + ``` + +## In the end + +You probably want to remove the assets after trying them out to avoid unnecessary costs. To do so execute the command fitting your setup: + +```bash +terraform destroy -var-file="terraform.tfvars" +``` diff --git a/released/discovery_center/mission_3680/step2/main.tf b/released/discovery_center/mission_3680/step2/main.tf index 14d85564..a982e0b3 100644 --- a/released/discovery_center/mission_3680/step2/main.tf 
+++ b/released/discovery_center/mission_3680/step2/main.tf @@ -1,3 +1,18 @@ +# ------------------------------------------------------------------------------------------------------ +# Import custom trust config and disable for user login +# ------------------------------------------------------------------------------------------------------ +import { + to = btp_subaccount_trust_configuration.default + id = "${var.subaccount_id},sap.default" +} + +resource "btp_subaccount_trust_configuration" "default" { + subaccount_id = var.subaccount_id + identity_provider = "" + auto_create_shadow_users = false + available_for_user_logon = false +} + # ------------------------------------------------------------------------------------------------------ # Create space using CF provider # ------------------------------------------------------------------------------------------------------ 
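Review bot: The header comment `# Import custom trust config and disable for user login` does not describe the block under it: the `import` targets `"${var.subaccount_id},sap.default"`, i.e. the subaccount's default trust configuration, and the resource then sets `available_for_user_logon = false` and `auto_create_shadow_users = false` on it. Suggest `# Import the default (sap.default) trust configuration and disable it for user logon, so only the custom IdP set up in step 1 can sign users in`. Because the default login path is disabled unconditionally, the step-2 README should state that the custom IdP trust configuration from step 1 must already exist; nothing visible here verifies that. `import` blocks require Terraform 1.5 or later, and the `terraform {}` block in `provider.tf` on this page declares no `required_version`.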
@@ -6,6 +21,24 @@ resource "cloudfoundry_space" "dev" { org = var.cf_org_id } +# ------------------------------------------------------------------------------------------------------ +# SETUP ALL SERVICES FOR CF USAGE +# ------------------------------------------------------------------------------------------------------ +# ------------------------------------------------------------------------------------------------------ +# USERS AND ROLES +# ------------------------------------------------------------------------------------------------------ +data "btp_whoami" "me" {} + +locals { + # Remove current user if issuer (idp) of logged in user is not same as used custom idp + cf_org_admins = data.btp_whoami.me.issuer != var.custom_idp ? var.cf_org_admins : setsubtract(toset(var.cf_org_admins), [data.btp_whoami.me.email]) + cf_org_users = data.btp_whoami.me.issuer != var.custom_idp ? var.cf_org_admins : setsubtract(toset(var.cf_org_users), [data.btp_whoami.me.email]) + + # get origin_key from custom.idp + custom_idp_tenant = var.custom_idp != "" ? element(split(".", var.custom_idp), 0) : "" + origin_key = local.custom_idp_tenant != "" ? "${local.custom_idp_tenant}-platform" : "sap.ids" +} + # ------------------------------------------------------------------------------------------------------ # add org and space users and managers # ------------------------------------------------------------------------------------------------------ @@ -14,7 +47,7 @@ resource "cloudfoundry_org_role" "organization_user" { username = each.value type = "organization_user" org = var.cf_org_id - origin = var.origin + origin = local.origin_key } resource "cloudfoundry_org_role" "organization_manager" { @@ -22,7 +55,7 @@ resource "cloudfoundry_org_role" "organization_manager" { username = each.value type = "organization_manager" org = var.cf_org_id - origin = var.origin + origin = local.origin_key } resource "cloudfoundry_space_role" "space_developer" { 
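Review bot: `local.cf_org_users` uses `var.cf_org_admins` in its first branch (`... != var.custom_idp ? var.cf_org_admins : setsubtract(toset(var.cf_org_users), ...)`), so whenever the logged-in user's issuer differs from `custom_idp` the organization-user role is granted to the admin list and the configured `cf_org_users` are silently never assigned; it should read `? var.cf_org_users :`. The two branches also return different types (a list and a set), which `toset()` in the consumers' `for_each` tolerates but which reads cleaner as `toset(var.cf_org_users)` on both sides. The empty-tenant fallback here is `"sap.ids"` while step 1's `locals` fall back to `"sap.default"` for the same case; if both are intentional because the Cloud Foundry and subaccount APIs name the default IdP differently, a comment saying so would stop the next reader from "fixing" one of them. The `# get origin_key from custom.idp` comment presumably means `custom_idp`.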
@@ -30,7 +63,7 @@ resource "cloudfoundry_space_role" "space_developer" {
 username = each.value
 type = "space_developer"
 space = cloudfoundry_space.dev.id
- origin = var.origin
+ origin = local.origin_key
 depends_on = [cloudfoundry_org_role.organization_user, cloudfoundry_org_role.organization_manager]
 }
 
@@ -39,6 +72,6 @@ resource "cloudfoundry_space_role" "space_manager" {
 username = each.value
 type = "space_manager"
 space = cloudfoundry_space.dev.id
- origin = var.origin
+ origin = local.origin_key
 depends_on = [cloudfoundry_org_role.organization_user, cloudfoundry_org_role.organization_manager]
 }
\ No newline at end of file
diff --git a/released/discovery_center/mission_3680/step2/outputs.tf b/released/discovery_center/mission_3680/step2/outputs.tf
deleted file mode 100644
index 039ee30d..00000000
--- a/released/discovery_center/mission_3680/step2/outputs.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-output "subaccount_id" {
- value = var.subaccount_id
-}
-
-output "cf_org_id" {
- value = var.cf_org_id
-}
-
-output "cf_api_url" {
- value = var.cf_api_url
-}
-
-output "cf_space_name" {
- value = cloudfoundry_space.dev.name
-}
-
-output "hana_tools_url" {
- value = var.hana_tools_url
-}
-
-output "event_mesh_url" {
- value = var.event_mesh_url
-}
\ No newline at end of file
diff --git a/released/discovery_center/mission_3680/step2/provider.tf b/released/discovery_center/mission_3680/step2/provider.tf
index fade3e6e..4ec94611 100644
--- a/released/discovery_center/mission_3680/step2/provider.tf
+++ b/released/discovery_center/mission_3680/step2/provider.tf
@@ -1,16 +1,22 @@
 terraform {
 required_providers {
 cloudfoundry = {
- source = "sap/cloudfoundry"
+ source = "SAP/cloudfoundry"
 version = "1.0.0-rc1"
 }
+ btp = {
+ source = "SAP/btp"
+ version = "~> 1.5.0"
+ }
 }
 }
 
-# ------------------------------------------------------------------------------------------------------
-# Configure CF provider
-# ------------------------------------------------------------------------------------------------------
+provider "btp" {
+ globalaccount = var.globalaccount
+ cli_server_url = var.cli_server_url
+}
+
+
 provider "cloudfoundry" {
- # resolve API URL from environment instance
 api_url = var.cf_api_url
 }
\ No newline at end of file
diff --git a/released/discovery_center/mission_3680/step2/variables.tf b/released/discovery_center/mission_3680/step2/variables.tf
index 2f2e412d..9db7c505 100644
--- a/released/discovery_center/mission_3680/step2/variables.tf
+++ b/released/discovery_center/mission_3680/step2/variables.tf
@@ -1,12 +1,16 @@
-variable "cf_api_url" {
- type = string
+variable "globalaccount" {
+ type = string
+ description = "Defines the global account"
+ default = "yourglobalaccount"
 }
 
-variable "hana_tools_url" {
- type = string
+variable "cli_server_url" {
+ type = string
+ description = "Defines the CLI server URL"
+ default = "https://cli.btp.cloud.sap"
 }
 
-variable "event_mesh_url" {
+variable "cf_api_url" {
 type = string
 }
 
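Review bot: `default = "yourglobalaccount"` on `variable "globalaccount"` is a placeholder, not a usable default: if the tfvars entry is forgotten, `terraform plan` still validates and the BTP provider is pointed at a global account that does not exist (or, worse, one that happens to match), instead of failing fast with a missing-variable error. Drop the `default` line so the value is required, and keep the description, e.g. `description = "Subdomain of the global account the BTP provider authenticates against (required)"`. The `cli_server_url` default is a genuine default and can stay.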
@@ -32,31 +36,26 @@ variable "cf_space_name" {
 variable "cf_space_developers" {
 type = list(string)
 description = "CF Space developers"
- default = ["jane.doe@test.com", "john.doe@test.com"]
 }
 
 variable "cf_space_managers" {
 type = list(string)
 description = "CF Space managers"
- default = ["jane.doe@test.com", "john.doe@test.com"]
 }
 
 variable "cf_org_admins" {
 type = list(string)
 description = "CF Org Admins"
- default = ["jane.doe@test.com", "john.doe@test.com"]
 }
 
 variable "cf_org_users" {
 type = list(string)
 description = "CF Org Users"
- default = ["jane.doe@test.com", "john.doe@test.com"]
 }
 
-variable "origin" {
+
+variable "custom_idp" {
 type = string
- description = "Defines the origin key of the identity provider"
- default = "sap.ids"
- # The value for the origin_key can be defined
- # but are normally set to "sap.ids", "sap.default" or "sap.custom"
+ description = "Defines the custom IdP"
+ default = ""
 }
\ No newline at end of file
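Review bot: The new `custom_idp` description, `"Defines the custom IdP"`, does not say what format the value must have, yet `main.tf` in this same change takes the first dot-separated label of it to build the CF origin key `<label>-platform` and falls back to `sap.ids` when it is empty, so a caller who passes a display name or a full URL gets a wrong origin and role assignments that silently target the wrong user store. The removed comment listing the usual origin keys was the only hint of that, and it is now gone. Replace the description with something like `description = "Host name of the custom IdP tenant (presumably the IAS tenant, e.g. <tenant>.accounts.ondemand.com); its first label is used to derive the CF origin key <tenant>-platform. Leave empty to use the default origin sap.ids."` and consider a `validation` block rejecting values containing `/` or `:`.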