Skip to Content
Technical Articles
Author's profile photo Maximiliano Colman

Gitops with Argo CD & Kyma, Terraforming SAP BTP Kyma Clusters

Hi all,

I want to share another experience, this time with Flux, as you can find in another post is another alternative / tool to handle CD pipeline, and it has pros & cons compared with Argo CD, but I’d like to highlight that sometimes is not black & white, you can choose gray, and that is Flamingo the best of both worlds in yours SAP BTP Kyma Cluster.

Basically Flamingo is the bridge between Flux & Argo CD, allowing you to extend the capabilities of Argo CD with all the rest from Flux, like the Terraform controller, so you create an Argo CD application that is converted to an Flux object, that perform all the job instructed where Flamingo keep updating Argo CD with the results from Flux.



With this extra functionalities in your Argo CD now you are able to execute your Terraform scrips, and with the SAP BTP Terraform provider the loop is closed 😉

Let’s see it in action:

Assume that we want to create a new SAP BTP SubAccount, add the SAP BTP Kyma Runtime entitlement, and finally create an instance of it your Terraform scripts will be something like this:

# Get Global Account details
data "btp_globalaccount" "project" {}
# Get Subaccount details
data "btp_subaccount" "project" {
  id =
# create a subaccount
resource "btp_subaccount" "project" {
  name      = lower(var.tenant)
  subdomain = lower(var.tenant)
  region    = lower(var.region)
# create a Kyma runtime
data "btp_regions" "all" {}

data "btp_whoami" "me" {}

resource "btp_subaccount_entitlement" "kymaruntime" {
  subaccount_id =

  service_name = "kymaruntime"
  plan_name    = "trial"
  amount       = 1

resource "btp_subaccount_environment_instance" "kymaruntime" {
  subaccount_id =

  name             = var.tenant
  environment_type = "kyma"
  service_name     = btp_subaccount_entitlement.kymaruntime.service_name
  plan_name        = btp_subaccount_entitlement.kymaruntime.plan_name

  parameters = jsonencode({
    name           = var.tenant
    administrators = []

  timeouts = { 
    create = "1h"
    update = "35m"
    delete = "1h"

  depends_on = [btp_subaccount_entitlement.kymaruntime]

data "http" "kubeconfig" {
  url = jsondecode(btp_subaccount_environment_instance.kymaruntime.labels)["KubeconfigURL"]

resource "local_sensitive_file" "kubeconfig" {
  filename = ".${}-${var.tenant}.kubeconfig"
  content  = data.http.kubeconfig.response_body

Your Terraform provider file should look like:

terraform {
  required_providers {
    btp = {
      source  = "sap/btp"
      version = "0.6.0-beta1"

# Please checkout documentation on how best to authenticate  
# against SAP BTP via the Terraform provider for SAP BTP
provider "btp" {
  globalaccount = var.globacct
  username = var.username
  password = var.password

Your Terraform variables:

variable "globacct" {
  type        = string
  nullable    = false
  description = "The Global Account subdomain."

variable "username" {
  type        = string
  nullable    = false
  sensitive = true
  description = "Global Administrator e-mail address."

variable "password" {
  type        = string
  nullable    = false
  sensitive   = true
  description = "Global Administrator password."

variable "region" {
  type        = string
  description = "The region where the project account shall be created in."
  nullable    = false

variable "shootname" {
  type        = string
  description = "The Kyma Cluster shootname which the project is deployed to."
  default     = null
  nullable    = true

variable "subaccount_admins" {
  type        = list(string)
  default     = null
  description = "The Subaccount Admin(s)."

  validation {
    condition = (var.subaccount_admins == null || can([for s in var.subaccount_admins : regex("^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$", s)]))
    error_message = "Provide a valid subaccount administrator."

variable "tenant" {
  type        = string
  nullable    = false
  description = "The name of your subscriber tenant."

  validation {
    condition     = can(regex("^[a-zA-Z0-9_\\-]{1,200}", var.tenant))
    error_message = "Provide a valid subscriber tenant name."

And finally the Terraform values:

globacct="<your value>"
password="<your value>"
username="<your value>"

After that you install all required components in your SAP BTP Kyma Cluster, you can see the Terraform controller up & running:


Terraform Controller

After that you create the Argo CD to provision a new SAP BTP Kyma Cluster you can see the details in the UI:


SAP BTP Kyma Cluster US10 – Argo CD App

And finally you can go to your SAP BTP Global Account and check the results:


New SAP BTP Subaccount & Kyma Cluster


Well now you are able to automate your CD pipelines for your applications and also your Infrastructure from your SAP BTP Kyma Cluster, think about the possibilities 😉


Repository: maxi1555/terraform-sap-btp-public (


Main configuration


Kind Regards.


Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.