Merge pull request #9 from Cortey/new-example-case

Added a new example case and support for reusing an existing subaccount

.github/workflows/pull-e2e-test.yml → .github/workflows/push-e2e-test.yml

@@ -12,14 +12,14 @@ jobs:
         id: vars
         run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
       - name: Create kyma runtime on btp
-        working-directory: examples/kyma-on-btp-basic
+        working-directory: examples/kyma-on-btp-new-sa
         run: |
           terraform init
           terraform apply -auto-approve
           terraform destroy -auto-approve
         env:
-          TF_VAR_BTP_SUBACCOUNT: tf-kyma-module-test-${{ steps.vars.outputs.sha_short }}-${{ github.run_attempt }}
-          TF_VAR_BTP_SA_REGION: ${{ secrets.sa_region }}
+          TF_VAR_BTP_NEW_SUBACCOUNT_NAME: tf-kyma-module-test-${{ steps.vars.outputs.sha_short }}-${{ github.run_attempt }}
+          TF_VAR_BTP_NEW_SUBACCOUNT_REGION: ${{ secrets.sa_region }}
           TF_VAR_BTP_GLOBAL_ACCOUNT: ${{ secrets.global_account }}
           TF_VAR_BTP_BOT_USER: ${{ secrets.username }}
           TF_VAR_BTP_BOT_PASSWORD: ${{ secrets.password }}

examples/kyma-on-btp-new-sa/README.md

@@ -0,0 +1,30 @@
+# Run 
+
+Ensure you have opentofu (or terraform CLI installed).
+The sample scripts relly on `tofu` command, but its 100% compatible with `terraform` CLI.
+
+Ensure the tofu CLI is installed by calling:
+```sh
+brew install opentofu
+```
+
+Save a new version of the template file `examples/kyma-on-btp-new-sa/local-template.tfvars` as `examples/kyma-on-btp-new-sa/local.tfvars`. Provide values for input variables.
+
+Run the example:
+
+```sh
+tofu init
+tofu apply -var-file="local.tfvars" -auto-approve
+```
+
+As a result, a new `kubeconfig.yaml` file was created that you can use to access the newly provisioned kyma runtime on SAP BTP.
+
+```sh
+kubectl get nodes --kubeconfig kubeconfig.yaml
+```
+
+Last but not least, deprovision all resources via:
+
+```sh
+tofu destroy -var="BTP_NEW_SUBACCOUNT_NAME=foo" -var-file="local.tfvars" -auto-approve
+```

examples/kyma-on-btp-basic/local-template.tfvars → examples/kyma-on-btp-new-sa/local-template.tfvars

@@ -1,8 +1,9 @@
 # BTP_USE_SUBACCOUNT_ID = ""
-# BTP_NEW_SUBACCOUNT_NAME = ""
+
+BTP_NEW_SUBACCOUNT_NAME = ""
 
 # one of many available regions (without the `cf-` prefix!). I.e `eu20`
-BTP_SA_REGION = ""
+BTP_NEW_SUBACCOUNT_REGION = ""
 
 BTP_BOT_USER = ""
 BTP_BOT_PASSWORD = ""

examples/kyma-on-btp-new-sa/main.tf

@@ -0,0 +1,40 @@
+terraform {
+  required_providers {
+    btp = {
+      source  = "SAP/btp"
+      version = "1.5.0"
+    }
+    jq = {
+      source  = "massdriver-cloud/jq"
+    }
+    http = {
+      source = "hashicorp/http"
+      version = "3.4.4"
+    }
+  }
+}
+
+
+provider "jq" {}
+provider "http" {}
+
+provider "btp" {
+  globalaccount = var.BTP_GLOBAL_ACCOUNT
+  cli_server_url = var.BTP_BACKEND_URL
+  idp            = var.BTP_CUSTOM_IAS_TENANT
+  username = var.BTP_BOT_USER
+  password = var.BTP_BOT_PASSWORD
+}
+
+module "kyma" {
+  source = "../.."
+  BTP_KYMA_PLAN = var.BTP_KYMA_PLAN
+  BTP_NEW_SUBACCOUNT_NAME = var.BTP_NEW_SUBACCOUNT_NAME
+  BTP_CUSTOM_IAS_TENANT = var.BTP_CUSTOM_IAS_TENANT
+  BTP_CUSTOM_IAS_DOMAIN = var.BTP_CUSTOM_IAS_DOMAIN
+  BTP_KYMA_REGION = var.BTP_KYMA_REGION
+  BTP_BOT_USER = var.BTP_BOT_USER
+  BTP_BOT_PASSWORD = var.BTP_BOT_PASSWORD
+  BTP_PROVIDER_SUBACCOUNT_ID = var.BTP_PROVIDER_SUBACCOUNT_ID
+  BTP_NEW_SUBACCOUNT_REGION = var.BTP_NEW_SUBACCOUNT_REGION
+}

examples/kyma-on-btp-basic/variables.tf → examples/kyma-on-btp-new-sa/variables.tf

@@ -26,22 +26,22 @@ variable "BTP_BACKEND_URL" {
   default     = "https://cli.btp.cloud.sap"
 }
 
-variable "BTP_SUBACCOUNT" {
+variable "BTP_NEW_SUBACCOUNT_NAME" {
   type        = string
   description = "Subaccount name"
-  default     = "subaccount-name"
+  default     = null
 }
 
-variable "BTP_KYMA_PLAN" {
+variable "BTP_NEW_SUBACCOUNT_REGION" {
   type        = string
-  description = "Plan name"
-  default     = "azure"
+  description = "Region name"
+  default     = null
 }
 
-variable "BTP_SA_REGION" {
+variable "BTP_KYMA_PLAN" {
   type        = string
-  description = "Region name"
-  default     = "eu20"
+  description = "Plan name"
+  default     = "azure"
 }
 
 variable "BTP_CUSTOM_IAS_TENANT" {

examples/kyma-on-btp-basic/README.md → examples/kyma-on-btp-reuse-sa/README.md

@@ -2,6 +2,9 @@
 
 ## Ensure CLI tools
 
+#TODO : Explain the requirements that existing subaccount needs to fulfill to be reused.
+- the bot user should have "Administrator" role
+
 Ensure you have opentofu (or terraform CLI installed).
 The sample scripts relly on `tofu` command, but its 100% compatible with `terraform` CLI.
 
@@ -20,7 +23,7 @@ In order to make automatic management of btp resources possible you need to ensu
 
 ## Ensure Input Variables
 
-Save a new version of the template file `examples/kyma-on-btp-basic/local-template.tfvars` as `examples/kyma-on-btp-basic/local.tfvars`. Provide values for input variables
+Save a new version of the template file `examples/kyma-on-btp-new-sa/local-template.tfvars` as `examples/kyma-on-btp-new-sa/local.tfvars`. Provide values for input variables
 
 
 # Run 
@@ -30,7 +33,7 @@ Run the example:
 
 ```sh
 tofu init
-tofu apply -var="BTP_SUBACCOUNT=foo" -var-file="local.tfvars" -auto-approve
+tofu apply -var-file="local.tfvars" -auto-approve
 ```
 
 As a result, a new `kubeconfig.yaml` file was created that you can use to access the newly provisioned kyma runtime on SAP BTP.
@@ -42,5 +45,5 @@ kubectl get nodes --kubeconfig kubeconfig.yaml
 Last but not least, deprovision all resources via:
 
 ```sh
-tofu destroy -var="BTP_SUBACCOUNT=foo" -var-file="local.tfvars" -auto-approve
+tofu destroy -var-file="local.tfvars" -auto-approve
 ```

examples/kyma-on-btp-reuse-sa/local-template.tfvars

@@ -0,0 +1,22 @@
+
+# Mandatory ID of the subaccount to be used
+BTP_USE_SUBACCOUNT_ID = ""
+
+BTP_BOT_USER = ""
+BTP_BOT_PASSWORD = ""
+BTP_GLOBAL_ACCOUNT = ""
+
+# optional. will default to `https://cli.btp.cloud.sap`. For Canary landscape use `https://cpcli.cf.sap.hana.ondemand.com`
+BTP_BACKEND_URL = ""
+
+# Mandatory
+BTP_CUSTOM_IAS_TENANT = ""
+# Optional. Defaults to `accounts.ondemand.com`. For Canary landscape use `accounts400.ondemand.com`
+BTP_CUSTOM_IAS_DOMAIN = ""
+
+# Optional. defaults to `azure`; One of: `azure`, `sap-converged-cloud`, `aws`, `gcp`
+BTP_KYMA_PLAN = ""
+# Must match options for given plan; i.e `westeurope` is a valid kyma region for kyma plan `azure`
+BTP_KYMA_REGION = ""
+#optional
+BTP_PROVIDER_SUBACCOUNT_ID = ""

examples/kyma-on-btp-basic/main.tf → examples/kyma-on-btp-reuse-sa/main.tf

@@ -28,14 +28,12 @@ provider "btp" {
 
 module "kyma" {
   source = "../.."
-
   BTP_KYMA_PLAN = var.BTP_KYMA_PLAN
-  BTP_SUBACCOUNT = var.BTP_SUBACCOUNT
   BTP_CUSTOM_IAS_TENANT = var.BTP_CUSTOM_IAS_TENANT
   BTP_CUSTOM_IAS_DOMAIN = var.BTP_CUSTOM_IAS_DOMAIN
   BTP_KYMA_REGION = var.BTP_KYMA_REGION
   BTP_BOT_USER = var.BTP_BOT_USER
   BTP_BOT_PASSWORD = var.BTP_BOT_PASSWORD
   BTP_PROVIDER_SUBACCOUNT_ID = var.BTP_PROVIDER_SUBACCOUNT_ID
-  BTP_SA_REGION = var.BTP_SA_REGION
+  BTP_USE_SUBACCOUNT_ID = var.BTP_USE_SUBACCOUNT_ID
 }

examples/kyma-on-btp-reuse-sa/variables.tf

@@ -0,0 +1,62 @@
+# we're using uppercase variable names, since in some cases (e.g Azure DevOps) the system variables are forced to be uppercase
+# TF allows providing variable values as env variables of name name, case sensitive
+
+variable "BTP_GLOBAL_ACCOUNT" {
+  type        = string
+  description = "Global account name"
+  default     = "global-account-guid"
+}
+
+variable "BTP_BOT_USER" {
+  type        = string
+  description = "Bot account name"
+  default     = "email@domain.com"
+}
+
+variable "BTP_BOT_PASSWORD" {
+  type        = string
+  description = "Bot account password"
+  default     = "password"
+}
+
+variable "BTP_BACKEND_URL" {
+  type        = string
+  description = "BTP backend URL"
+  default     = "https://cli.btp.cloud.sap"
+}
+
+variable "BTP_USE_SUBACCOUNT_ID" {
+  type        = string
+  description = "Subaccount name"
+  default     = null
+}
+
+variable "BTP_KYMA_PLAN" {
+  type        = string
+  description = "Plan name"
+  default     = "azure"
+}
+
+variable "BTP_CUSTOM_IAS_TENANT" {
+  type        = string
+  description = "Custom IAS tenant"
+  default     = "custon-tenant"
+}
+
+variable "BTP_CUSTOM_IAS_DOMAIN" {
+  type        = string
+  description = "Custom IAS domain"
+  default     = "accounts.ondemand.com"
+}
+
+variable "BTP_KYMA_REGION" {
+  type        = string
+  description = "Kyma region"
+  default     = "westeurope"
+}
+
+variable "BTP_PROVIDER_SUBACCOUNT_ID" {
+  type        = string
+  description = "Subaccount ID"
+  default = null
+}

main.tf

@@ -1,15 +1,20 @@
 # "kyma.tf"
 
+locals {
+  subaccount_name = var.BTP_USE_SUBACCOUNT_ID != null && var.BTP_NEW_SUBACCOUNT_NAME ==null ? one(data.btp_subaccount.reuse_subaccount).name : one(btp_subaccount.subaccount).name
+  subaccount_id   = var.BTP_USE_SUBACCOUNT_ID != null && var.BTP_NEW_SUBACCOUNT_NAME ==null ? one(data.btp_subaccount.reuse_subaccount).id : one(btp_subaccount.subaccount).id
+}
+
 resource "btp_subaccount_entitlement" "kyma" {
-  subaccount_id = btp_subaccount.subaccount.id
+  subaccount_id = local.subaccount_id
   service_name  = "kymaruntime"
   plan_name     = var.BTP_KYMA_PLAN
   amount        = 1
 }
 
 resource "btp_subaccount_environment_instance" "kyma" {
-  subaccount_id    = btp_subaccount.subaccount.id
-  name             = "${var.BTP_SUBACCOUNT}-kyma"
+  subaccount_id    = local.subaccount_id
+  name             = "${local.subaccount_name}-kyma"
   environment_type = "kyma"
   service_name     = btp_subaccount_entitlement.kyma.service_name
   plan_name        = btp_subaccount_entitlement.kyma.plan_name
@@ -38,7 +43,7 @@ resource "btp_subaccount_environment_instance" "kyma" {
       clientID       = jsondecode(btp_subaccount_service_binding.identity_application_binding.credentials).clientid
       issuerURL      = "https://${var.BTP_CUSTOM_IAS_TENANT}.${var.BTP_CUSTOM_IAS_DOMAIN}"
     }
-    name   = "${var.BTP_SUBACCOUNT}-kyma"
+    name   = "${local.subaccount_name}-kyma"
     region = var.BTP_KYMA_REGION
     administrators = [
       var.BTP_BOT_USER
@@ -84,30 +89,30 @@ resource "local_sensitive_file" "kubeconfig-yaml" {
 #"oidc.tf"
 
 resource "btp_subaccount_entitlement" "identity" {
-  subaccount_id = btp_subaccount.subaccount.id
+  subaccount_id = local.subaccount_id
   service_name  = "identity"
   plan_name     = "application"
 }
 
 # custom idp
 resource "btp_subaccount_trust_configuration" "custom_idp" {
-  subaccount_id     = btp_subaccount.subaccount.id
+  subaccount_id     = local.subaccount_id
   identity_provider = "${var.BTP_CUSTOM_IAS_TENANT}.${var.BTP_CUSTOM_IAS_DOMAIN}"
-  name              = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}"
+  name              = "${local.subaccount_name}-${var.BTP_CUSTOM_IAS_TENANT}"
   depends_on        = [btp_subaccount_entitlement.identity]
 }
 
 data "btp_subaccount_service_plan" "identity_application" {
   depends_on    = [btp_subaccount_entitlement.identity]
-  subaccount_id = btp_subaccount.subaccount.id
+  subaccount_id = local.subaccount_id
   offering_name = "identity"
   name          = "application"
 }
 
 resource "btp_subaccount_service_instance" "identity_application" {
   depends_on     = [btp_subaccount_trust_configuration.custom_idp]
-  subaccount_id  = btp_subaccount.subaccount.id
-  name           = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app"
+  subaccount_id  = local.subaccount_id
+  name           = "${local.subaccount_name}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app"
   serviceplan_id = data.btp_subaccount_service_plan.identity_application.id
   parameters = jsonencode({
     user-access = "public"
@@ -149,14 +154,14 @@ resource "btp_subaccount_service_instance" "identity_application" {
       user_uuid  = "userUuid",
       locale     = "language"
     },
-    name         = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app",
-    display-name = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app"
+    name         = "${local.subaccount_name}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app",
+    display-name = "${local.subaccount_name}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app"
   })
 }
 
 resource "btp_subaccount_service_binding" "identity_application_binding" {
-  subaccount_id       = btp_subaccount.subaccount.id
-  name                = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app-binding"
+  subaccount_id       = local.subaccount_id
+  name                =  "${local.subaccount_name}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app-binding"
   service_instance_id = btp_subaccount_service_instance.identity_application.id
   parameters = jsonencode({
     credential-type = "X509_GENERATED"
@@ -191,9 +196,15 @@ data "btp_subaccount_service_binding" "provider_sm" {
 
 #"subaccount.tf"
 
+data "btp_subaccount" "reuse_subaccount" {
+  count = var.BTP_USE_SUBACCOUNT_ID != null && var.BTP_NEW_SUBACCOUNT_NAME == null ? 1 : 0
+  id = var.BTP_USE_SUBACCOUNT_ID
+}
+
 resource "btp_subaccount" "subaccount" {
-  name      = var.BTP_SUBACCOUNT
-  region    = var.BTP_SA_REGION
-  subdomain = var.BTP_SUBACCOUNT
+  count = var.BTP_NEW_SUBACCOUNT_NAME != null && var.BTP_USE_SUBACCOUNT_ID == null ? 1 : 0
+  name      = var.BTP_NEW_SUBACCOUNT_NAME
+  region    = var.BTP_NEW_SUBACCOUNT_REGION
+  subdomain = var.BTP_NEW_SUBACCOUNT_NAME
 }
 

output.tf

@@ -7,5 +7,5 @@ output "kubeconfig" {
 }
 
 output "subaccount_id" {
-  value = btp_subaccount.subaccount == null ? var.BTP_USE_SUBACCOUNT_ID : btp_subaccount.subaccount.id
+  value = local.subaccount_id
 }