mauriciolauffer
Contributor
At the beginning of the year, I wrote a couple of blogs on using Terraform to automate and manage SAP BTP. The first one (Infrastructure as Code for Cloud Foundry and Kyma Environments) explained what Terraform and Infrastructure-as-Code are, with a demo on how to manage Cloud Foundry ORGs, spaces and services with a Terraform provider for Cloud Foundry. The second (A workaround for Global Account, Directories and Subaccounts with btp CLI) explored a workaround to manage SAP BTP accounts on a higher level because there was no Terraform provider for SAP BTP. There was... SAP has just released its official Terraform Provider for SAP BTP! Hooray!!!

As announced, these are the operations supported by the new SAP BTP Terraform Provider:

  • Create, read, and delete subaccounts

  • Create, read, and delete directories

  • Assign, read, and delete labels (directories and subaccounts)

  • Create, read, and delete roles

  • Create, read, and delete role collections

  • Assign, read, and delete assignment of users to role collections

  • Create, read, and delete service entitlements

  • Assign custom identity providers (global account and subaccount)


You already know the concepts and probably played a bit with Terraform. So, here we go exploring what we can do now. I’ll use my SAP BTP trial account for that. Most people that spoke to me about Terraform were using the trial account, I guess nobody wants to destroy production by mistake...

Because we have a proper Terraform provider, we start setting it up. It’s straightforward, no secrets. Define the required provider and set the details to connect to your SAP BTP Global Account. You’ll need to get the Global Account subdomain, you find it in SAP BTP cockpit:


SAP BTP cockpit



SAP BTP Global Account subdomain


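Create your Terraform script file, e.g. main.tf, with the configuration below and run $ terraform init. The username and password appear inline here only as placeholders; the full script at the end of this post takes them from variables so that credentials stay out of the file.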
terraform {
  required_providers {
    btp = {
      source  = "sap/btp"
      version = "0.1.0-beta1"
    }
  }
}

provider "btp" {
  globalaccount = "global_account_subdomain"
  username      = "btp_username"
  password      = "btp_password"
}

Then, we add a resource btp_subaccount to manage SAP BTP Subaccounts. We’ll create a Subaccount called dev.
resource "btp_subaccount" "dev" {
  name        = "subaccount_name"
  subdomain   = "subaccount_domain_must_be_unique"
  region      = "us10"
  description = "Hey, this subaccount is managed by Terraform!"
}

Whoever creates the subaccount will have the role collection “Subaccount Administrator” assigned to them. But, let’s say you want to assign any role collection to any user. We use the resource btp_subaccount_role_collection_assignment.
resource "btp_subaccount_role_collection_assignment" "subaccount-viewer" {
  subaccount_id        = btp_subaccount.dev.id
  role_collection_name = "Subaccount Viewer"
  user_name            = "btp_username"
}

Some services are included in the subaccount entitlement set by default. Everything else you must configure yourself. Let’s add some services to the subaccount entitlement using the resource btp_subaccount_entitlement.
resource "btp_subaccount_entitlement" "bas" {
  subaccount_id = btp_subaccount.dev.id
  service_name  = "sapappstudiotrial"
  plan_name     = "trial"
}

resource "btp_subaccount_entitlement" "alert" {
  subaccount_id = btp_subaccount.dev.id
  service_name  = "alert-notification"
  plan_name     = "standard"
}

For the last step, we want to activate Cloud Foundry environment in the subaccount. The resource btp_subaccount_environment_instance is responsible for managing all environments: Cloud Foundry, Kyma and ABAP. However, just activating Cloud Foundry won’t be enough, as it won’t have entitlement for memory quota to run your apps. Therefore, we need to configure the entitlement as well.
resource "btp_subaccount_entitlement" "cloudfoundry" {
  subaccount_id = btp_subaccount.dev.id
  service_name  = "APPLICATION_RUNTIME"
  plan_name     = "MEMORY"
  amount        = 1
}

resource "btp_subaccount_environment_instance" "cloudfoundry" {
  subaccount_id    = btp_subaccount.dev.id
  name             = "my-cf-environment"
  environment_type = "cloudfoundry"
  service_name     = "cloudfoundry"
  plan_name        = "standard"

  parameters = jsonencode({
    instance_name = "my-cf-org-name"
  })
}

All set! Let’s run it and see what the plan is. This won’t do anything on SAP BTP yet, it’ll just show what will change if you apply it: $ terraform plan


$ terraform plan


 

Alright, let’s apply the proposed plan and check the results on SAP BTP. Run $ terraform apply.


$ terraform apply --auto-approve
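
A pre-apply check for the --auto-approve step above, as an added example that is not part of the original post: it reads the JSON form of a saved plan (terraform plan -out=tfplan, then terraform show -json tfplan) and blocks an unattended apply when a resource would be deleted or replaced, or when a role collection assignment changes. The sample plan is constructed, and the review policy and function names are assumptions.

```python
import json

# Constructed sample: trimmed `terraform show -json tfplan` output (illustrative values).
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "btp_subaccount.dev", "type": "btp_subaccount",
         "change": {"actions": ["delete", "create"]}},  # replacement
        {"address": "btp_subaccount_entitlement.bas",
         "type": "btp_subaccount_entitlement",
         "change": {"actions": ["no-op"]}},
        {"address": "btp_subaccount_role_collection_assignment.subaccount-viewer",
         "type": "btp_subaccount_role_collection_assignment",
         "change": {"actions": ["create"]}},
        {"address": "cloudfoundry_space.dev", "type": "cloudfoundry_space",
         "change": {"actions": ["create"]}},
    ],
})

# Assumed policy: any change to these types grants or removes access, so a person reviews it.
ACCESS_TYPES = {"btp_subaccount_role_collection_assignment"}


def risky_changes(plan_json, access_types=ACCESS_TYPES):
    """Return (address, reason) for each change that should block --auto-approve."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "delete" in actions:  # plain delete and both replace orderings
            findings.append((rc["address"], "destroys existing resource"))
        elif rc.get("type") in access_types and set(actions) - {"no-op", "read"}:
            findings.append((rc["address"], "changes access"))
    return findings


def safe_to_auto_approve(plan_json):
    """True only when nothing in the plan needs a human decision."""
    return not risky_changes(plan_json)


if __name__ == "__main__":
    for address, reason in risky_changes(SAMPLE_PLAN):
        print(f"BLOCK {address}: {reason}")
    print("auto-approve allowed:", safe_to_auto_approve(SAMPLE_PLAN))
```

Applying the saved plan file (terraform apply tfplan) after the check passes ensures that what runs is exactly what was inspected.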


 


Subaccount has been created by Terraform SAP BTP provider


 

Well done! The subaccount and Cloud Foundry environment have been created, some services added to the subaccount entitlement, and a role collection assigned to the user. Everything using the brand new Terraform provider for SAP BTP.

What if you also want to add a space to the newly created CF ORG? Easy! Just use the Cloud Foundry provider. You can mix and match multiple Terraform providers in the same script.

Let's add the Terraform provider for Cloud Foundry, the CF provider configuration and the resource cloudfoundry_space to our script. The resource cloudfoundry_space requires the CF ORG id which will come from resource btp_subaccount_environment_instance.platform_id.
terraform {
  required_providers {
    btp = {
      source  = "sap/btp"
      version = "0.1.0-beta1"
    }
    cloudfoundry = {
      source  = "cloudfoundry-community/cloudfoundry"
      version = "0.50.8"
    }
  }
}

### all the stuff we wrote before ###

provider "cloudfoundry" {
  api_url  = "https://api.cf.us10-001.hana.ondemand.com"
  user     = "btp_username"
  password = "btp_password"
}

resource "cloudfoundry_space" "dev" {
  name = "dev"
  org  = btp_subaccount_environment_instance.cloudfoundry.platform_id
}

Run $ terraform apply again.


$ terraform apply --auto-approve


 

Voilà! You have used two Terraform providers to manage SAP BTP and Cloud Foundry stuff in one go. That's one of the most powerful things in Terraform. You could add the Kyma/Kubernetes provider or anything else to meet your needs. You now have the tools to manage everything in SAP BTP with Terraform. Ok, not really everything yet, but the SAP BTP provider is still in beta, it'll get there. There's still room for improvement, but it's already great! It doesn't do everything, but it's better than nothing.

To finish up, let's destroy everything, let's delete the subaccount and its contents. Run $ terraform destroy --auto-approve. Don't worry, it won't delete the Global Account or anything else that isn't managed by the Terraform script. Other directories and subaccounts are safe.

To make it easier, here's the full Terraform script (with variables for user credentials):
terraform {
  required_providers {
    btp = {
      source  = "sap/btp"
      version = "0.1.0-beta1"
    }
    cloudfoundry = {
      source  = "cloudfoundry-community/cloudfoundry"
      version = "0.50.8"
    }
  }
}

# Credentials are passed in as variables so they are not stored in the script
variable "admin_user" {}
variable "admin_password" {
  sensitive = true # redact the password in plan/apply output
}
variable "globalaccount_subdomain" {}

# SAP BTP provider configuration
provider "btp" {
  globalaccount = var.globalaccount_subdomain
  username      = var.admin_user
  password      = var.admin_password
}

# Manage subaccount (create subaccount at Global Account level)
resource "btp_subaccount" "dev" {
  name        = "my-terraform-dev"
  subdomain   = "dev-terraform-ejzl2vx1" # it must be unique in SAP BTP
  region      = "us10"
  description = "This was created by Terraform"
}

# Assign role collection Subaccount Viewer to users
resource "btp_subaccount_role_collection_assignment" "subaccount-viewer" {
  subaccount_id        = btp_subaccount.dev.id
  role_collection_name = "Subaccount Viewer"
  user_name            = var.admin_user
}

# Configure subaccount entitlement, add service SAP Business Application Studio
resource "btp_subaccount_entitlement" "bas" {
  subaccount_id = btp_subaccount.dev.id
  service_name  = "sapappstudiotrial"
  plan_name     = "trial"
}

# Configure subaccount entitlement, add service Alert Notification
resource "btp_subaccount_entitlement" "alert" {
  subaccount_id = btp_subaccount.dev.id
  service_name  = "alert-notification"
  plan_name     = "standard"
}

# Configure subaccount entitlement, add quota to Cloud Foundry Runtime
resource "btp_subaccount_entitlement" "cloudfoundry" {
  subaccount_id = btp_subaccount.dev.id
  service_name  = "APPLICATION_RUNTIME"
  plan_name     = "MEMORY"
  amount        = 1 # It allocates 1GB RAM to the subaccount
}

# Manage Cloud Foundry environment (create CF ORG at Subaccount level)
resource "btp_subaccount_environment_instance" "cloudfoundry" {
  subaccount_id    = btp_subaccount.dev.id
  name             = "my-cf-environment"
  environment_type = "cloudfoundry"
  service_name     = "cloudfoundry"
  plan_name        = "standard"

  parameters = jsonencode({
    instance_name = "my-cf-org-x1" # it must be unique in the region
  })
}

# Cloud Foundry provider configuration
provider "cloudfoundry" {
  api_url  = "https://api.cf.us10-001.hana.ondemand.com"
  user     = var.admin_user
  password = var.admin_password
}

# CF Spaces
resource "cloudfoundry_space" "dev" {
  name = "dev"
  org  = btp_subaccount_environment_instance.cloudfoundry.platform_id
}