From 5b2ac2fe0a1d38dce510c7d8e8e80aab1723779d Mon Sep 17 00:00:00 2001
From: Christian Lechner <22294087+lechnerc77@users.noreply.github.com.>
Date: Mon, 26 May 2025 09:31:43 +0200
Subject: [PATCH] feat: app identifier for role collections
---
.../app_identifer_for_roles/README.md | 5 ++
.../usecases/app_identifer_for_roles/main.tf | 54 +++++++++++++++++++
.../app_identifer_for_roles/provider.tf | 14 +++++
.../app_identifer_for_roles/variables.tf | 10 ++++
4 files changed, 83 insertions(+)
create mode 100644 released/usecases/app_identifer_for_roles/README.md
create mode 100644 released/usecases/app_identifer_for_roles/main.tf
create mode 100644 released/usecases/app_identifer_for_roles/provider.tf
create mode 100644 released/usecases/app_identifer_for_roles/variables.tf
diff --git a/released/usecases/app_identifer_for_roles/README.md b/released/usecases/app_identifer_for_roles/README.md
new file mode 100644
index 00000000..fe705925
--- /dev/null
+++ b/released/usecases/app_identifer_for_roles/README.md
@@ -0,0 +1,5 @@
+# Creation of role collections
+
+In some scenarios the creation of a service instance or an app subscription only creates the roles but leaves the creation of the role collections to the user. The biggest pain point when automating this setup is to fetch the correct app identifier.
+
+In this setup we want to show how you can fetch this identifier and use it to create the role collections.
diff --git a/released/usecases/app_identifer_for_roles/main.tf b/released/usecases/app_identifer_for_roles/main.tf
new file mode 100644
index 00000000..c7cd452a
--- /dev/null
+++ b/released/usecases/app_identifer_for_roles/main.tf
@@ -0,0 +1,54 @@
+resource "btp_subaccount" "self" {
+ name = "My Dev Project"
+ subdomain = "my-dev-project"
+ region = var.region
+}
+
+resource "btp_subaccount_entitlement" "auditlog-management_default" {
+ subaccount_id = btp_subaccount.self.id
+ service_name = "auditlog-management"
+ plan_name = "default"
+}
+
+data "btp_subaccount_service_plan" "auditlog_default" {
+ name = "default"
+ offering_name = "auditlog-management"
+ subaccount_id = btp_subaccount.self.id
+
+ depends_on = [btp_subaccount_entitlement.auditlog-management_default]
+}
+
+resource "btp_subaccount_service_instance" "auditlog_default" {
+ name = "auditlog-default-dev"
+ serviceplan_id = data.btp_subaccount_service_plan.auditlog_default.id
+ subaccount_id = btp_subaccount.self.id
+}
+
+data "btp_subaccount_apps" "all" {
+ subaccount_id = btp_subaccount.self.id
+
+ depends_on = [btp_subaccount_service_instance.auditlog_default]
+}
+
+locals {
+ app_id = try(
+ { for app in data.btp_subaccount_apps.all.values : app.xsappname => app.id
+ if app.xsappname == "auditlog-management" }
+ )
+}
+
+resource "btp_subaccount_role_collection" "auditlog-viewer" {
+
+ description = "Audit Log Viewer Role Collection"
+ name = "Audit Log Viewer"
+ roles = [
+ {
+ name = "Auditlog_Auditor"
+ role_template_app_id = local.app_id.auditlog-management
+ role_template_name = "Auditlog_Auditor"
+ },
+ ]
+ subaccount_id = btp_subaccount.self.id
+
+ depends_on = [data.btp_subaccount_apps.all]
+}
diff --git a/released/usecases/app_identifer_for_roles/provider.tf b/released/usecases/app_identifer_for_roles/provider.tf
new file mode 100644
index 00000000..cd46a155
--- /dev/null
+++ b/released/usecases/app_identifer_for_roles/provider.tf
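Review bot: The `try(...)` around the `for` expression in `locals` takes a single argument, so it supplies no fallback: if no app with `xsappname == "auditlog-management"` is returned, `local.app_id` is an empty map and `local.app_id.auditlog-management` in the role collection fails with a generic attribute error. Because this id decides which application's role template the "Audit Log Viewer" collection is bound to, the lookup should state its expectation of exactly one match, for example `app_id = one([for app in data.btp_subaccount_apps.all.values : app.id if app.xsappname == "auditlog-management"])` together with `role_template_app_id = local.app_id`; `one()` errors on more than one match and yields null on none, which the resource should then reject. The explicit `depends_on = [data.btp_subaccount_apps.all]` on the role collection also looks redundant, since the reference through `local.app_id` already orders it after the data source.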
@@ -0,0 +1,14 @@
+terraform {
+ required_providers {
+ btp = {
+ source = "sap/btp"
+ version = "~>1.12.0"
+ }
+ }
+}
+
+# Please checkout documentation on how best to authenticate against SAP BTP
+# via the Terraform provider for SAP BTP
+provider "btp" {
+ globalaccount = var.globalaccount
+}
diff --git a/released/usecases/app_identifer_for_roles/variables.tf b/released/usecases/app_identifer_for_roles/variables.tf
new file mode 100644
index 00000000..4684a4c5
--- /dev/null
+++ b/released/usecases/app_identifer_for_roles/variables.tf
@@ -0,0 +1,10 @@
+variable "globalaccount" {
+ description = "The subdomainof the global account to use for the SAP BTP provider"
+ type = string
+}
+
+variable "region" {
+ description = "The region of the subaccount"
+ type = string
+ default = "us10"
+}
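Review bot: The comment above `provider "btp"` points to the documentation without saying where credentials belong, so a reader copying this use case may be tempted to add them to the block. I would spell it out, e.g. `# Credentials are read from the environment (BTP_USERNAME / BTP_PASSWORD); do not set them in this block or in committed *.tfvars files`. The `terraform` block also pins the provider but declares no `required_version`, which would be worth adding next to the provider constraint.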
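Review bot: The description of `globalaccount` in variables.tf contains a typo, `subdomainof`; it should read `description = "The subdomain of the global account to use for the SAP BTP provider"`. The variable has no default and no `validation` block, so an empty string is accepted at plan time; a small `validation` rejecting `""` would presumably surface the mistake before the provider attempts to log in.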