diff --git a/.github/workflows/pull-e2e-test.yml b/.github/workflows/push-e2e-test.yml
similarity index 79%
rename from .github/workflows/pull-e2e-test.yml
rename to .github/workflows/push-e2e-test.yml
index 987dcbd..c6e9757 100644
--- a/.github/workflows/pull-e2e-test.yml
+++ b/.github/workflows/push-e2e-test.yml
@@ -12,14 +12,14 @@ jobs:
 id: vars
 run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 - name: Create kyma runtime on btp
- working-directory: examples/kyma-on-btp-basic
+ working-directory: examples/kyma-on-btp-new-sa
 run: |
 terraform init
 terraform apply -auto-approve
 terraform destroy -auto-approve
 env:
- TF_VAR_BTP_SUBACCOUNT: tf-kyma-module-test-${{ steps.vars.outputs.sha_short }}-${{ github.run_attempt }}
- TF_VAR_BTP_SA_REGION: ${{ secrets.sa_region }}
+ TF_VAR_BTP_NEW_SUBACCOUNT_NAME: tf-kyma-module-test-${{ steps.vars.outputs.sha_short }}-${{ github.run_attempt }}
+ TF_VAR_BTP_NEW_SUBACCOUNT_REGION: ${{ secrets.sa_region }}
 TF_VAR_BTP_GLOBAL_ACCOUNT: ${{ secrets.global_account }}
 TF_VAR_BTP_BOT_USER: ${{ secrets.username }}
 TF_VAR_BTP_BOT_PASSWORD: ${{ secrets.password }}
diff --git a/examples/kyma-on-btp-new-sa/README.md b/examples/kyma-on-btp-new-sa/README.md
new file mode 100644
index 0000000..771f7a5
--- /dev/null
+++ b/examples/kyma-on-btp-new-sa/README.md
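Review bot: The `terraform destroy -auto-approve` on the last line of the `run` script is skipped whenever `terraform apply -auto-approve` fails, because the step's default shell stops at the first failing command, so a broken e2e run leaves the `tf-kyma-module-test-<sha>-<attempt>` subaccount and its Kyma runtime allocated in the global account until someone deletes them by hand; a cancelled job has the same effect, and with state kept only on the runner nothing else knows about them. Move the destroy into its own step with `if: always()` so cleanup runs regardless of the apply outcome; the `env:` block has to be repeated there, or hoisted to the job level. The job's trigger and any other cleanup live outside this hunk, so I cannot tell whether something else compensates.
```yaml
      - name: Create kyma runtime on btp
        working-directory: examples/kyma-on-btp-new-sa
        run: |
          terraform init
          terraform apply -auto-approve
        env:
          # … unchanged: TF_VAR_* entries …
      - name: Destroy kyma runtime on btp
        if: always()
        working-directory: examples/kyma-on-btp-new-sa
        run: terraform destroy -auto-approve
        env:
          # … same TF_VAR_* entries as the create step …
```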
@@ -0,0 +1,30 @@
+# Run
+
+Ensure you have opentofu (or terraform CLI installed).
+The sample scripts relly on `tofu` command, but its 100% compatible with `terraform` CLI.
+
+Ensure the tofu CLI is installed by calling:
+```sh
+brew install opentofu
+```
+
+Save a new version of the template file `examples/kyma-on-btp-new-sa/local-template.tfvars` as `examples/kyma-on-btp-new-sa/local.tfvars`. Provide values for input variables.
+
+Run the example:
+
+```sh
+tofu init
+tofu apply -var-file="local.tfvars" -auto-approve
+```
+
+As a result, a new `kubeconfig.yaml` file was created that you can use to access the newly provisioned kyma runtime on SAP BTP.
+
+```sh
+kubectl get nodes --kubeconfig kubeconfig.yaml
+```
+
+Last but not least, deprovision all resources via:
+
+```sh
+tofu destroy -var="BTP_NEW_SUBACCOUNT_NAME=foo" -var-file="local.tfvars" -auto-approve
+```
\ No newline at end of file
diff --git a/examples/kyma-on-btp-basic/local-template.tfvars b/examples/kyma-on-btp-new-sa/local-template.tfvars
similarity index 92%
rename from examples/kyma-on-btp-basic/local-template.tfvars
rename to examples/kyma-on-btp-new-sa/local-template.tfvars
index e438aaf..3e8ad2c 100644
--- a/examples/kyma-on-btp-basic/local-template.tfvars
+++ b/examples/kyma-on-btp-new-sa/local-template.tfvars
@@ -1,8 +1,9 @@ # BTP_USE_SUBACCOUNT_ID = "" -# BTP_NEW_SUBACCOUNT_NAME = "" + +BTP_NEW_SUBACCOUNT_NAME = "" # one of many available regions (without the `cf-` prefix!). I.e `eu20` -BTP_SA_REGION = "" +BTP_NEW_SUBACCOUNT_REGION = "" BTP_BOT_USER = "" BTP_BOT_PASSWORD = ""
diff --git a/examples/kyma-on-btp-new-sa/main.tf b/examples/kyma-on-btp-new-sa/main.tf
new file mode 100644
index 0000000..903cf74
--- /dev/null
+++ b/examples/kyma-on-btp-new-sa/main.tf
@@ -0,0 +1,40 @@
+terraform {
+ required_providers {
+ btp = {
+ source = "SAP/btp"
+ version = "1.5.0"
+ }
+ jq = {
+ source = "massdriver-cloud/jq"
+ }
+ http = {
+ source = "hashicorp/http"
+ version = "3.4.4"
+ }
+ }
+}
+
+
+provider "jq" {}
+provider "http" {}
+
+provider "btp" {
+ globalaccount = var.BTP_GLOBAL_ACCOUNT
+ cli_server_url = var.BTP_BACKEND_URL
+ idp = var.BTP_CUSTOM_IAS_TENANT
+ username = var.BTP_BOT_USER
+ password = var.BTP_BOT_PASSWORD
+}
+
+module "kyma" {
+ source = "../.."
+ BTP_KYMA_PLAN = var.BTP_KYMA_PLAN
+ BTP_NEW_SUBACCOUNT_NAME = var.BTP_NEW_SUBACCOUNT_NAME
+ BTP_CUSTOM_IAS_TENANT = var.BTP_CUSTOM_IAS_TENANT
+ BTP_CUSTOM_IAS_DOMAIN = var.BTP_CUSTOM_IAS_DOMAIN
+ BTP_KYMA_REGION = var.BTP_KYMA_REGION
+ BTP_BOT_USER = var.BTP_BOT_USER
+ BTP_BOT_PASSWORD = var.BTP_BOT_PASSWORD
+ BTP_PROVIDER_SUBACCOUNT_ID = var.BTP_PROVIDER_SUBACCOUNT_ID
+ BTP_NEW_SUBACCOUNT_REGION = var.BTP_NEW_SUBACCOUNT_REGION
+}
diff --git a/examples/kyma-on-btp-basic/variables.tf b/examples/kyma-on-btp-new-sa/variables.tf
similarity index 92%
rename from examples/kyma-on-btp-basic/variables.tf
rename to examples/kyma-on-btp-new-sa/variables.tf
index 5c2e4ef..55a635f 100644
--- a/examples/kyma-on-btp-basic/variables.tf
+++ b/examples/kyma-on-btp-new-sa/variables.tf
@@ -26,22 +26,22 @@ variable "BTP_BACKEND_URL" {
 default = "https://cli.btp.cloud.sap"
 }
 
-variable "BTP_SUBACCOUNT" {
+variable "BTP_NEW_SUBACCOUNT_NAME" {
 type = string
 description = "Subaccount name"
- default = "subaccount-name"
+ default = null
 }
 
-variable "BTP_KYMA_PLAN" {
+variable "BTP_NEW_SUBACCOUNT_REGION" {
 type = string
- description = "Plan name"
- default = "azure"
+ description = "Region name"
+ default = null
 }
 
-variable "BTP_SA_REGION" {
+variable "BTP_KYMA_PLAN" {
 type = string
- description = "Region name"
- default = "eu20"
+ description = "Plan name"
+ default = "azure"
 }
 
 variable "BTP_CUSTOM_IAS_TENANT" {
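Review bot: The `jq` entry in `required_providers` carries no `version` constraint while `btp` and `http` are pinned, so every `terraform init` (including the CI job that runs in this directory) resolves the newest `massdriver-cloud/jq` release, and a new or tampered release changes what executes against the BTP credentials without any change in this repository. Pin it like the other two, `version = "<the release this was tested with>"`, and commit the generated `.terraform.lock.hcl` so provider checksums are verified on `init`; whether a lock file already exists is not visible in the diff.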
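Review bot: `BTP_NEW_SUBACCOUNT_NAME` and `BTP_NEW_SUBACCOUNT_REGION` now default to `null`, yet in this example both are mandatory: the template ships them uncommented, and with the name left unset the root module's `btp_subaccount.subaccount` gets `count = 0`, so `local.subaccount_id` presumably surfaces as a null-attribute error deep inside the entitlement rather than a message naming the missing input. Deleting the `default = null` line from both declarations makes them required, so `tofu plan` stops immediately with the variable name. The `description = "Region name"` could also carry the constraint the template comment gives, e.g. `description = "BTP subaccount region without the cf- prefix, e.g. eu20"`.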
diff --git a/examples/kyma-on-btp-basic/README.md b/examples/kyma-on-btp-reuse-sa/README.md
similarity index 75%
rename from examples/kyma-on-btp-basic/README.md
rename to examples/kyma-on-btp-reuse-sa/README.md
index 8970dff..91f5d8d 100644
--- a/examples/kyma-on-btp-basic/README.md
+++ b/examples/kyma-on-btp-reuse-sa/README.md
@@ -2,6 +2,9 @@
 
 ## Ensure CLI tools
 
+#TODO : Explain the requirements that existing subaccount needs to fulfill to be reused.
+- the bot user should have "Administrator" role
+
 Ensure you have opentofu (or terraform CLI installed).
 The sample scripts relly on `tofu` command, but its 100% compatible with `terraform` CLI.
 
@@ -20,7 +23,7 @@ In order to make automatic management of btp resources possible you need to ensu
 
 ## Ensure Input Variables
 
-Save a new version of the template file `examples/kyma-on-btp-basic/local-template.tfvars` as `examples/kyma-on-btp-basic/local.tfvars`. Provide values for input variables
+Save a new version of the template file `examples/kyma-on-btp-new-sa/local-template.tfvars` as `examples/kyma-on-btp-new-sa/local.tfvars`. Provide values for input variables
 
 # Run
 
@@ -30,7 +33,7 @@ Run the example:
 
 ```sh
 tofu init
-tofu apply -var="BTP_SUBACCOUNT=foo" -var-file="local.tfvars" -auto-approve
+tofu apply -var-file="local.tfvars" -auto-approve
 ```
 
 As a result, a new `kubeconfig.yaml` file was created that you can use to access the newly provisioned kyma runtime on SAP BTP.
@@ -42,5 +45,5 @@ kubectl get nodes --kubeconfig kubeconfig.yaml
 Last but not least, deprovision all resources via:
 
 ```sh
-tofu destroy -var="BTP_SUBACCOUNT=foo" -var-file="local.tfvars" -auto-approve
+tofu destroy -var-file="local.tfvars" -auto-approve
 ```
\ No newline at end of file
diff --git a/examples/kyma-on-btp-reuse-sa/local-template.tfvars b/examples/kyma-on-btp-reuse-sa/local-template.tfvars
new file mode 100644
index 0000000..30230d8
--- /dev/null
+++ b/examples/kyma-on-btp-reuse-sa/local-template.tfvars
@@ -0,0 +1,22 @@
+
+# Mandatory ID of the subaccount to be used
+BTP_USE_SUBACCOUNT_ID = ""
+
+BTP_BOT_USER = ""
+BTP_BOT_PASSWORD = ""
+BTP_GLOBAL_ACCOUNT = ""
+
+# optional. will default to `https://cli.btp.cloud.sap`. For Canary landscape use `https://cpcli.cf.sap.hana.ondemand.com`
+BTP_BACKEND_URL = ""
+
+# Mandatory
+BTP_CUSTOM_IAS_TENANT = ""
+# Optional. Defaults to `accounts.ondemand.com`. For Canary landscape use `accounts400.ondemand.com`
+BTP_CUSTOM_IAS_DOMAIN = ""
+
+# Optional. defaults to `azure`; One of: `azure`, `sap-converged-cloud`, `aws`, `gcp`
+BTP_KYMA_PLAN = ""
+# Must match options for given plan; i.e `westeurope` is a valid kyma region for kyma plan `azure`
+BTP_KYMA_REGION = ""
+#optional
+BTP_PROVIDER_SUBACCOUNT_ID = ""
\ No newline at end of file
diff --git a/examples/kyma-on-btp-basic/main.tf b/examples/kyma-on-btp-reuse-sa/main.tf
similarity index 91%
rename from examples/kyma-on-btp-basic/main.tf
rename to examples/kyma-on-btp-reuse-sa/main.tf
index 130312c..a564aae 100644
--- a/examples/kyma-on-btp-basic/main.tf
+++ b/examples/kyma-on-btp-reuse-sa/main.tf
@@ -28,14 +28,12 @@ provider "btp" {
 
 module "kyma" {
 source = "../.."
- BTP_KYMA_PLAN = var.BTP_KYMA_PLAN
- BTP_SUBACCOUNT = var.BTP_SUBACCOUNT
 BTP_CUSTOM_IAS_TENANT = var.BTP_CUSTOM_IAS_TENANT
 BTP_CUSTOM_IAS_DOMAIN = var.BTP_CUSTOM_IAS_DOMAIN
 BTP_KYMA_REGION = var.BTP_KYMA_REGION
 BTP_BOT_USER = var.BTP_BOT_USER
 BTP_BOT_PASSWORD = var.BTP_BOT_PASSWORD
 BTP_PROVIDER_SUBACCOUNT_ID = var.BTP_PROVIDER_SUBACCOUNT_ID
- BTP_SA_REGION = var.BTP_SA_REGION
+ BTP_USE_SUBACCOUNT_ID = var.BTP_USE_SUBACCOUNT_ID
 }
 
diff --git a/examples/kyma-on-btp-reuse-sa/variables.tf b/examples/kyma-on-btp-reuse-sa/variables.tf
new file mode 100644
index 0000000..1909e2c
--- /dev/null
+++ b/examples/kyma-on-btp-reuse-sa/variables.tf
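Review bot: The entries the comments call optional (`BTP_BACKEND_URL = ""`, `BTP_CUSTOM_IAS_DOMAIN = ""`, `BTP_KYMA_PLAN = ""`, `BTP_PROVIDER_SUBACCOUNT_ID = ""`) do not fall back to the documented defaults when left as they are, because an empty string in a tfvars file is a value, not `null`, and overrides the variable default; `BTP_CUSTOM_IAS_DOMAIN = ""` for instance would turn the trust configuration's `identity_provider` into `"<tenant>."`. Comment the optional lines out, `# BTP_BACKEND_URL = ""`, the way `# BTP_USE_SUBACCOUNT_ID = ""` is handled in the new-sa template, so the defaults apply unless a user deliberately sets them. Separately, the template invites writing `BTP_BOT_PASSWORD` into a plaintext `local.tfvars`; a comment that the value can instead come from the `TF_VAR_BTP_BOT_PASSWORD` environment variable (as the workflow in this diff does) and that `local.tfvars` must stay out of version control would help, since I cannot see from the diff whether it is gitignored.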
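Review bot: The module call drops `BTP_KYMA_PLAN = var.BTP_KYMA_PLAN`, so the reuse-sa example's own `BTP_KYMA_PLAN` variable (declared with `default = "azure"` in its variables.tf in this diff) is never forwarded and the root module's default, `"gcp"` per the root variables.tf context shown further down, is what the entitlement and the Kyma instance receive, contradicting the template comment that the plan defaults to `azure`. Restore the line, `BTP_KYMA_PLAN = var.BTP_KYMA_PLAN`, next to `BTP_USE_SUBACCOUNT_ID`; otherwise the example default `BTP_KYMA_REGION = "westeurope"`, which the template comment ties to the `azure` plan, is presumably sent with a `gcp` plan.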
@@ -0,0 +1,62 @@
+# we're using uppercase variable names, since in some cases (e.g Azure DevOps) the system variables are forced to be uppercase
+# TF allows providing variable values as env variables of name name, case sensitive
+
+variable "BTP_GLOBAL_ACCOUNT" {
+ type = string
+ description = "Global account name"
+ default = "global-account-guid"
+}
+
+variable "BTP_BOT_USER" {
+ type = string
+ description = "Bot account name"
+ default = "email@domain.com"
+}
+
+variable "BTP_BOT_PASSWORD" {
+ type = string
+ description = "Bot account password"
+ default = "password"
+}
+
+variable "BTP_BACKEND_URL" {
+ type = string
+ description = "BTP backend URL"
+ default = "https://cli.btp.cloud.sap"
+}
+
+variable "BTP_USE_SUBACCOUNT_ID" {
+ type = string
+ description = "Subaccount name"
+ default = null
+}
+
+variable "BTP_KYMA_PLAN" {
+ type = string
+ description = "Plan name"
+ default = "azure"
+}
+
+variable "BTP_CUSTOM_IAS_TENANT" {
+ type = string
+ description = "Custom IAS tenant"
+ default = "custon-tenant"
+}
+
+variable "BTP_CUSTOM_IAS_DOMAIN" {
+ type = string
+ description = "Custom IAS domain"
+ default = "accounts.ondemand.com"
+}
+
+variable "BTP_KYMA_REGION" {
+ type = string
+ description = "Kyma region"
+ default = "westeurope"
+}
+
+variable "BTP_PROVIDER_SUBACCOUNT_ID" {
+ type = string
+ description = "Subaccount ID"
+ default = null
+}
diff --git a/main.tf b/main.tf
index 8ea6e9f..d40e88c 100644
--- a/main.tf
+++ b/main.tf
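Review bot: `BTP_BOT_PASSWORD` is declared without `sensitive = true`, so Terraform will not redact it in plan output or logs wherever it flows into a resource argument, and its placeholder `default = "password"` means a run that forgets the variable goes to the BTP backend with a bogus password instead of failing at plan time; `BTP_GLOBAL_ACCOUNT`, `BTP_BOT_USER` and `BTP_CUSTOM_IAS_TENANT` (`"custon-tenant"`, note the typo) carry the same kind of placeholder default. Replace `default = "password"` with `sensitive = true` and drop the other three placeholder defaults so those inputs become required. `BTP_USE_SUBACCOUNT_ID` is described as `"Subaccount name"` but holds an ID; `description = "ID of the existing subaccount to reuse"` would match the template.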
@@ -1,15 +1,20 @@ # "kyma.tf" +locals { + subaccount_name = var.BTP_USE_SUBACCOUNT_ID != null && var.BTP_NEW_SUBACCOUNT_NAME ==null ? one(data.btp_subaccount.reuse_subaccount).name : one(btp_subaccount.subaccount).name + subaccount_id = var.BTP_USE_SUBACCOUNT_ID != null && var.BTP_NEW_SUBACCOUNT_NAME ==null ? one(data.btp_subaccount.reuse_subaccount).id : one(btp_subaccount.subaccount).id +} + resource "btp_subaccount_entitlement" "kyma" { - subaccount_id = btp_subaccount.subaccount.id + subaccount_id = local.subaccount_id service_name = "kymaruntime" plan_name = var.BTP_KYMA_PLAN amount = 1 } resource "btp_subaccount_environment_instance" "kyma" { - subaccount_id = btp_subaccount.subaccount.id - name = "${var.BTP_SUBACCOUNT}-kyma" + subaccount_id = local.subaccount_id + name = "${local.subaccount_name}-kyma" environment_type = "kyma" service_name = btp_subaccount_entitlement.kyma.service_name plan_name = btp_subaccount_entitlement.kyma.plan_name
@@ -38,7 +43,7 @@ resource "btp_subaccount_environment_instance" "kyma" {
 clientID = jsondecode(btp_subaccount_service_binding.identity_application_binding.credentials).clientid
 issuerURL = "https://${var.BTP_CUSTOM_IAS_TENANT}.${var.BTP_CUSTOM_IAS_DOMAIN}"
 }
- name = "${var.BTP_SUBACCOUNT}-kyma"
+ name = "${local.subaccount_name}-kyma"
 region = var.BTP_KYMA_REGION
 administrators = [
 var.BTP_BOT_USER
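Review bot: Both `locals` select the data source only when `BTP_USE_SUBACCOUNT_ID` is set and the name is unset, and otherwise fall through to `one(btp_subaccount.subaccount)`; when neither variable is set, or both are, both `count`s are 0, `one()` yields `null`, and the `.name`/`.id` access presumably fails with a null-attribute error at every consumer instead of a message naming the rule. Give the predicate a name and add a `precondition` that states the exactly-one requirement, using the splat form `one(x[*].id)` so the locals themselves stay null-safe; if I read Terraform's evaluation order correctly the precondition is checked before the entitlement's arguments, so it becomes the error users see. The `resource "btp_subaccount_environment_instance" "kyma"` block runs past the end of the hunk.
```hcl
locals {
  use_existing_subaccount = var.BTP_USE_SUBACCOUNT_ID != null && var.BTP_NEW_SUBACCOUNT_NAME == null
  create_subaccount       = var.BTP_NEW_SUBACCOUNT_NAME != null && var.BTP_USE_SUBACCOUNT_ID == null
  # one() on an empty splat list is null rather than an error, so a bad combination reaches the precondition below
  subaccount_name = local.use_existing_subaccount ? one(data.btp_subaccount.reuse_subaccount[*].name) : one(btp_subaccount.subaccount[*].name)
  subaccount_id   = local.use_existing_subaccount ? one(data.btp_subaccount.reuse_subaccount[*].id) : one(btp_subaccount.subaccount[*].id)
}

resource "btp_subaccount_entitlement" "kyma" {
  subaccount_id = local.subaccount_id
  # … unchanged: service_name, plan_name, amount …

  lifecycle {
    precondition {
      condition     = local.use_existing_subaccount || local.create_subaccount
      error_message = "Set exactly one of BTP_USE_SUBACCOUNT_ID (reuse) or BTP_NEW_SUBACCOUNT_NAME (create)."
    }
  }
}
```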
@@ -84,30 +89,30 @@ resource "local_sensitive_file" "kubeconfig-yaml" { #"oidc.tf" resource "btp_subaccount_entitlement" "identity" { - subaccount_id = btp_subaccount.subaccount.id + subaccount_id = local.subaccount_id service_name = "identity" plan_name = "application" } # custom idp resource "btp_subaccount_trust_configuration" "custom_idp" { - subaccount_id = btp_subaccount.subaccount.id + subaccount_id = local.subaccount_id identity_provider = "${var.BTP_CUSTOM_IAS_TENANT}.${var.BTP_CUSTOM_IAS_DOMAIN}" - name = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}" + name = "${local.subaccount_name}-${var.BTP_CUSTOM_IAS_TENANT}" depends_on = [btp_subaccount_entitlement.identity] } data "btp_subaccount_service_plan" "identity_application" { depends_on = [btp_subaccount_entitlement.identity] - subaccount_id = btp_subaccount.subaccount.id + subaccount_id = local.subaccount_id offering_name = "identity" name = "application" } resource "btp_subaccount_service_instance" "identity_application" { depends_on = [btp_subaccount_trust_configuration.custom_idp] - subaccount_id = btp_subaccount.subaccount.id - name = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app" + subaccount_id = local.subaccount_id + name = "${local.subaccount_name}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app" serviceplan_id = data.btp_subaccount_service_plan.identity_application.id parameters = jsonencode({ user-access = "public" 
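Review bot: With `subaccount_id = local.subaccount_id` the identity entitlement, the custom IdP trust configuration and the OIDC application instance are now created in, and on `destroy` removed from, a subaccount that may pre-exist and be shared, since the reuse path in subaccount.tf only reads it through a data source; nothing at these resources records that, and the README TODO in this diff says the reuse requirements are not documented yet. Add a comment above `resource "btp_subaccount_trust_configuration" "custom_idp"` such as `# Created in the target subaccount even in reuse mode (BTP_USE_SUBACCOUNT_ID): destroy removes this trust configuration and the identity entitlement from a subaccount this module did not create, so point it at a subaccount dedicated to this runtime.` The `btp_subaccount_service_instance.identity_application` block runs past the end of the hunk.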
@@ -149,14 +154,14 @@ resource "btp_subaccount_service_instance" "identity_application" {
 user_uuid = "userUuid",
 locale = "language"
 },
- name = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app",
- display-name = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app"
+ name = "${local.subaccount_name}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app",
+ display-name = "${local.subaccount_name}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app"
 })
 }
 
 resource "btp_subaccount_service_binding" "identity_application_binding" {
- subaccount_id = btp_subaccount.subaccount.id
- name = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app-binding"
+ subaccount_id = local.subaccount_id
+ name = "${local.subaccount_name}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app-binding"
 service_instance_id = btp_subaccount_service_instance.identity_application.id
 parameters = jsonencode({
 credential-type = "X509_GENERATED"
@@ -191,9 +196,15 @@ data "btp_subaccount_service_binding" "provider_sm" { #"subaccount.tf" +data "btp_subaccount" "reuse_subaccount" { + count = var.BTP_USE_SUBACCOUNT_ID != null && var.BTP_NEW_SUBACCOUNT_NAME == null ? 1 : 0 + id = var.BTP_USE_SUBACCOUNT_ID +} + resource "btp_subaccount" "subaccount" { - name = var.BTP_SUBACCOUNT - region = var.BTP_SA_REGION - subdomain = var.BTP_SUBACCOUNT + count = var.BTP_NEW_SUBACCOUNT_NAME != null && var.BTP_USE_SUBACCOUNT_ID == null ? 1 : 0 + name = var.BTP_NEW_SUBACCOUNT_NAME + region = var.BTP_NEW_SUBACCOUNT_REGION + subdomain = var.BTP_NEW_SUBACCOUNT_NAME }
diff --git a/output.tf b/output.tf
index d8286b3..1625cd4 100644
--- a/output.tf
+++ b/output.tf
@@ -7,5 +7,5 @@ output "kubeconfig" {
 }
 
 output "subaccount_id" {
- value = btp_subaccount.subaccount == null ? var.BTP_USE_SUBACCOUNT_ID : btp_subaccount.subaccount.id
+ value = local.subaccount_id
 }
diff --git a/variables.tf b/variables.tf
index b28cc69..0d9b4be 100644
--- a/variables.tf
+++ b/variables.tf
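Review bot: The `count` on `data "btp_subaccount" "reuse_subaccount"` and on `resource "btp_subaccount" "subaccount"` are two hand-written mirror images of the same exactly-one rule that the `locals` block in kyma.tf spells out twice more, so a change to any one of the four expressions (say, treating `""` like `null`) silently desynchronises the others. Hoist the predicate into a named local and reference it from all four places, e.g. `count = local.use_existing_subaccount ? 1 : 0` on the data source and `count = local.create_subaccount ? 1 : 0` on the resource. `subdomain = var.BTP_NEW_SUBACCOUNT_NAME` keeps the previous name-as-subdomain behaviour, so this is a style point only.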
@@ -7,13 +7,6 @@ variable "BTP_KYMA_PLAN" {
 default = "gcp"
 }
 
-#Deprecated
-variable "BTP_SUBACCOUNT" {
- type = string
- description = "Subaccount name"
- default = null
-}
-
 variable "BTP_USE_SUBACCOUNT_ID" {
 type = string
 description = "Subaccount name"
@@ -70,9 +63,3 @@ variable "BTP_PROVIDER_SUBACCOUNT_ID" {
 default = null
 }
 
-#deprecated
-variable "BTP_SA_REGION" {
- type = string
- description = "Region name"
- default = "us31"
-}