Obtain kubeconfig via provisioning API - not via token request to IAS (…

…#50)

* Obtain kubeconfig via provisioning API (cis) - not via token request to IAS

* Update docs

* Do not create ias instance as part of kyma module

* fix provider version constraints

.github/workflows/push-e2e-test.yml

@@ -26,5 +26,4 @@ jobs:
           TF_VAR_BTP_KYMA_PLAN: ${{ secrets.kyma_plan }}
           TF_VAR_BTP_KYMA_REGION: ${{ secrets.kyma_region }}
           TF_VAR_BTP_CUSTOM_IAS_TENANT: ${{ secrets.ias_tenant }}
-          TF_VAR_BTP_CUSTOM_IAS_DOMAIN: ${{ secrets.ias_domain }}
           TF_VAR_BTP_BACKEND_URL: ${{ secrets.btp_api_url }}

README.md

@@ -8,20 +8,17 @@
 
 Terraform module that creates kyma runtime in SAP BTP platform.
 
-![image](./assets/sequence.png)
+![image](./assets/sequence.drawio.svg)
 
 ### Input Variables (TF vars)
 
 | NAME                       | MANDATORY | DEFAULT VALUE             | DESCRIPTION                                                                                                                                        |
 |----------------------------|-----------|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|
 | BTP_GLOBAL_ACCOUNT         | true      |                           | UUID of SAP BTP Global Account                                                                                                                     |
-| BTP_BOT_USER               | true      |                           | Email of the technical user (shared mailbox)                                                                                                       |
-| BTP_BOT_PASSWORD           | true      |                           | Password of the techniacal user (created when inviting shared mailbox into custom SAP IAS tenant)                                                  |
 | BTP_USE_SUBACCOUNT_ID      | false     |                           | Provide an UUID of existing SAP BTP Subaccount to be used. Should not be combined with `BTP_NEW_SUBACCOUNT_*` inputs.                              |
 | BTP_NEW_SUBACCOUNT_NAME    | false     |                           | Provide a name for a new SAP BTP Subaccount to be created. Should not be combined with  `BTP_USE_SUBACCOUNT_ID` input.                             |
 | BTP_NEW_SUBACCOUNT_REGION  | false     |                           | Provide a region for a new SAP BTP Subaccount to be created. Should not be combined with  `BTP_USE_SUBACCOUNT_ID` input.                           |
 | BTP_CUSTOM_IAS_TENANT      | true      |                           | Provide the name of the custom SAP IAS tenant that is an authentication provider for the technical user.                                           |
-| BTP_CUSTOM_IAS_DOMAIN      | false     | accounts.ondemand.com     | Domain of the identity provider (on canary and staging environments this has to be set to `accounts400.ondemand.com`)                              |
 | BTP_BACKEND_URL            | false     | https://cli.btp.cloud.sap | URL of the BTP backend API (on canary environment this has to be set to  `https://cpcli.cf.sap.hana.ondemand.com`).                                |
 | BTP_KYMA_PLAN              | false     | azure                     | Use one of a valid kyma plans that you are entitled to use (One of: `azure`, `gcp`, `aws`,`sap-converged-cloud`)                                   |
 | BTP_KYMA_REGION            | false     | westeurope                | Use a valid kyma region that matches your selected kyma plan                                                                                       |
@@ -32,6 +29,7 @@ Terraform module for Kyma uses the following terraform [providers](provider.tf),
  - `SAP/btp`
  - `massdriver-cloud/jq`
  - `hashicorp/http`
+ - `salrashid123/http-full`
 
 ### Outputs 
 
@@ -61,7 +59,7 @@ Terraform module for Kyma uses the following terraform [providers](provider.tf),
 |   +-- .tfvars
 ```
 
-2. In the `.tfvars` file, provide [input parameters](#input-variables-tf-vars). Refer to the [template](examples/kyma-on-btp-new-sa/.tfvars-template) file.
+2. In the `.tfvars` file, provide values that are necessary for the `kyma` child module (kyma module's [input parameters](#input-variables-tf-vars)) and the `sap/btp` provider.
 
 For example:
 ```tf
@@ -70,7 +68,6 @@ BTP_BOT_PASSWORD = "..."
 BTP_GLOBAL_ACCOUNT = "..."
 BTP_BACKEND_URL = "https://cpcli.cf.sap.hana.ondemand.com"
 BTP_CUSTOM_IAS_TENANT = "my-tenant"
-BTP_CUSTOM_IAS_DOMAIN = "accounts400.ondemand.com"
 BTP_NEW_SUBACCOUNT_NAME = "kyma-runtime-subaccount"
 BTP_NEW_SUBACCOUNT_REGION = "eu21"
 BTP_KYMA_PLAN = "azure"
@@ -94,12 +91,8 @@ provider "btp" {
 module "kyma" {
   source = "git::https://github.com/kyma-project/terraform-module.git?ref=v0.2.0"
   BTP_KYMA_PLAN = var.BTP_KYMA_PLAN
-  BTP_NEW_SUBACCOUNT_NAME = var.BTP_NEW_SUBACCOUNT_NAME
-  BTP_CUSTOM_IAS_TENANT = var.BTP_CUSTOM_IAS_TENANT
-  BTP_CUSTOM_IAS_DOMAIN = var.BTP_CUSTOM_IAS_DOMAIN
   BTP_KYMA_REGION = var.BTP_KYMA_REGION
-  BTP_BOT_USER = var.BTP_BOT_USER
-  BTP_BOT_PASSWORD = var.BTP_BOT_PASSWORD
+  BTP_NEW_SUBACCOUNT_NAME = var.BTP_NEW_SUBACCOUNT_NAME
   BTP_NEW_SUBACCOUNT_REGION = var.BTP_NEW_SUBACCOUNT_REGION
 }
 

examples/kyma-on-btp-new-sa/.tfvars-template

@@ -14,10 +14,11 @@ BTP_BACKEND_URL = ""
 
 # Mandatory
 BTP_CUSTOM_IAS_TENANT = ""
-# Optional. Defaults to `accounts.ondemand.com`. For Canary landscape use `accounts400.ondemand.com`
-BTP_CUSTOM_IAS_DOMAIN = ""
 
 # Optional. defaults to `azure`; One of: `azure`, `sap-converged-cloud`, `aws`, `gcp`
 BTP_KYMA_PLAN = ""
 # Must match options for given plan; i.e `westeurope` is a valid kyma region for kyma plan `azure`
 BTP_KYMA_REGION = ""
+
+# Optional
+BTP_KYMA_CUSTOM_ADMINISTRATORS= ""

examples/kyma-on-btp-new-sa/main.tf

@@ -2,21 +2,27 @@ terraform {
   required_providers {
     btp = {
       source  = "SAP/btp"
-      version = "1.8.0"
     }
     jq = {
       source  = "massdriver-cloud/jq"
     }
     http = {
       source = "hashicorp/http"
-      version = "3.4.5"
     }
+    http-full = {
+      source = "salrashid123/http-full"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.32.0"
+    }   
   }
 }
 
 
 provider "jq" {}
 provider "http" {}
+provider "http-full" {}
 
 provider "btp" {
   globalaccount = var.BTP_GLOBAL_ACCOUNT
@@ -26,17 +32,25 @@ provider "btp" {
   password = var.BTP_BOT_PASSWORD
 }
 
+# this shows how to configure kubernetes terraform provider with the output from terraform module for kyma
+locals {
+  kubeconfig = module.kyma.kubeconfig
+}
+
+provider "kubernetes" {
+  cluster_ca_certificate = base64decode(local.kubeconfig.clusters.0.cluster.certificate-authority-data)
+  host                   = local.kubeconfig.clusters.0.cluster.server
+  token                  = local.kubeconfig.users.0.user.token
+}
+
 module "kyma" {
   source = "../.."
   BTP_KYMA_PLAN = var.BTP_KYMA_PLAN
   BTP_NEW_SUBACCOUNT_NAME = var.BTP_NEW_SUBACCOUNT_NAME
-  BTP_CUSTOM_IAS_TENANT = var.BTP_CUSTOM_IAS_TENANT
-  BTP_CUSTOM_IAS_DOMAIN = var.BTP_CUSTOM_IAS_DOMAIN
   BTP_KYMA_REGION = var.BTP_KYMA_REGION
-  BTP_BOT_USER = var.BTP_BOT_USER
-  BTP_BOT_PASSWORD = var.BTP_BOT_PASSWORD
   BTP_NEW_SUBACCOUNT_REGION = var.BTP_NEW_SUBACCOUNT_REGION
   BTP_KYMA_MODULES = var.BTP_KYMA_MODULES
+  BTP_KYMA_CUSTOM_ADMINISTRATORS = var.BTP_KYMA_CUSTOM_ADMINISTRATORS
 }
 
 output "subaccount_id" {
@@ -54,3 +68,13 @@ output "cluster_id" {
 output "domain" {
   value = module.kyma.domain
 }
+
+# this shows how to use kubernetes terraform provider to read data from k8s cluster
+data "kubernetes_namespace" "default" {
+  depends_on = [
+    module.kyma.kubeconfig
+  ]
+  metadata {
+    name = "default"
+  }
+}

examples/kyma-on-btp-new-sa/variables.tf

@@ -47,13 +47,7 @@ variable "BTP_KYMA_PLAN" {
 variable "BTP_CUSTOM_IAS_TENANT" {
   type        = string
   description = "Custom IAS tenant"
-  default     = "custon-tenant"
-}
-
-variable "BTP_CUSTOM_IAS_DOMAIN" {
-  type        = string
-  description = "Custom IAS domain"
-  default     = "accounts.ondemand.com"
+  default     = "custom-tenant"
 }
 
 variable "BTP_KYMA_REGION" {
@@ -83,3 +77,7 @@ variable "BTP_KYMA_MODULES" {
   ]
   description = "The list of kyma modules to install"
 }
+
+variable "BTP_KYMA_CUSTOM_ADMINISTRATORS" {
+  type = list(string)
+}

examples/kyma-on-btp-reuse-sa/.tfvars-template

@@ -11,10 +11,11 @@ BTP_BACKEND_URL = ""
 
 # Mandatory
 BTP_CUSTOM_IAS_TENANT = ""
-# Optional. Defaults to `accounts.ondemand.com`. For Canary landscape use `accounts400.ondemand.com`
-BTP_CUSTOM_IAS_DOMAIN = ""
 
 # Optional. defaults to `azure`; One of: `azure`, `sap-converged-cloud`, `aws`, `gcp`
 BTP_KYMA_PLAN = ""
 # Must match options for given plan; i.e `westeurope` is a valid kyma region for kyma plan `azure`
 BTP_KYMA_REGION = ""
+
+# Optional
+BTP_KYMA_CUSTOM_ADMINISTRATORS= ""

examples/kyma-on-btp-reuse-sa/main.tf

@@ -2,21 +2,23 @@ terraform {
   required_providers {
     btp = {
       source  = "SAP/btp"
-      version = "1.8.0"
     }
     jq = {
       source  = "massdriver-cloud/jq"
     }
     http = {
       source = "hashicorp/http"
-      version = "3.4.5"
+    }
+    http-full = {
+      source = "salrashid123/http-full"
     }
   }
 }
 
 
 provider "jq" {}
 provider "http" {}
+provider "http-full" {}
 
 provider "btp" {
   globalaccount = var.BTP_GLOBAL_ACCOUNT
@@ -29,11 +31,7 @@ provider "btp" {
 module "kyma" {
   source = "../.."
   BTP_KYMA_PLAN = var.BTP_KYMA_PLAN
-  BTP_CUSTOM_IAS_TENANT = var.BTP_CUSTOM_IAS_TENANT
-  BTP_CUSTOM_IAS_DOMAIN = var.BTP_CUSTOM_IAS_DOMAIN
   BTP_KYMA_REGION = var.BTP_KYMA_REGION
-  BTP_BOT_USER = var.BTP_BOT_USER
-  BTP_BOT_PASSWORD = var.BTP_BOT_PASSWORD
   BTP_USE_SUBACCOUNT_ID = var.BTP_USE_SUBACCOUNT_ID
 }
 

examples/kyma-on-btp-reuse-sa/variables.tf

@@ -55,3 +55,6 @@ variable "BTP_KYMA_REGION" {
   default     = "westeurope"
 }
 
+variable "BTP_KYMA_CUSTOM_ADMINISTRATORS" {
+  type = list(string)
+}

examples/kyma-on-btp-with-custom-oidc/README.md

@@ -0,0 +1,50 @@
+## Prerequisites
+
+### Ensure CLI tools
+Ensure you have opentofu (or terraform CLI installed).
+The sample scripts relly on `tofu` command, but its 100% compatible with `terraform` CLI.
+
+Ensure the tofu CLI is installed by calling:
+```sh
+brew install opentofu
+```
+
+### Ensure Input parameters 
+
+Save a new version of the template file `examples/kyma-on-btp-with-custom-oidc/local-template.tfvars` as `examples/kyma-on-btp-with-custom-oidc/local.tfvars`. Provide values for input variables.
+
+```
+BTP_NEW_SUBACCOUNT_NAME = "new-test-sa"
+BTP_NEW_SUBACCOUNT_REGION = "..."
+BTP_BOT_USER = "{my-technical-user}@sap.com"
+BTP_BOT_PASSWORD = "..."
+BTP_GLOBAL_ACCOUNT = "..."
+BTP_CUSTOM_IAS_TENANT = "..."
+```
+
+### Ensure technical user access
+
+In this example a new subaccount is created automatically. Please ensure the following
+ - make sure that your custom SAP IAS tenant is trusted on global account level,
+ - make sure that technical user (bot user) is added to the global account and is assigned a global account administrator role collection,
+ - make sure the technical user is added to your custom SAP IAS tenant. 
+
+## Run 
+Run the example:
+
+```sh
+tofu init
+tofu apply -var-file="local.tfvars" -auto-approve
+```
+
+As a result, a new `kubeconfig.yaml` file was created that you can use to access the newly provisioned kyma runtime on SAP BTP.
+
+```sh
+kubectl get nodes --kubeconfig kubeconfig.yaml
+```
+
+Last but not least, deprovision all resources via:
+
+```sh
+tofu destroy -var-file="local.tfvars" -auto-approve
+```