First commit

.reuse/dep5

@@ -1,7 +1,7 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: <YOUR-REPO-NAME>
-Upstream-Contact: <YOUR-CONTACT (MAIL ADDRESS ETC.)>
-Source: <https://github.com/sap/YOUR-REPO-NAME>
+Upstream-Name: terraform-module
+Upstream-Contact: krzysztof.kwiatosz@sap.com
+Source: https://github.com/kyma-project/terraform-module
 Disclaimer: The code in this project may include calls to APIs ("API Calls") of
  SAP or third-party products or services developed outside of this project
  ("External Products").

README.md

@@ -1,55 +1,14 @@
-> **NOTE:** This is a general template that you can use for a project README.md. Except for the mandatory sections, use only those sections that suit your use case but keep the proposed section order.
->
-> Mandatory sections: 
-> - `Overview`
-> - `Prerequisites`, if there are any requirements regarding hard- or software
-> - `Installation`
-> - `Contributing` - do not change this!
-> - `Code of Conduct` - do not change this!
-> - `Licensing` - do not change this!
+> **TIP:** Apart from the {Module Name} heading, you can use your own titles for the remaining sections. You can also add more module-specific sections.
 
-# {Project Title}
-<!--- mandatory --->
-> Modify the title and insert the name of your project. Use Heading 1 (H1).
+# {Module Name}
+> Modify the title and insert the name of your module. Use Heading 1 (H1).
 
 ## Overview
-<!--- mandatory section --->
+> Provide a description of your module and its components. Describe its features and functionalities.
+> You can divide this section to the relevant subsections.
 
-> Provide a description of the project's functionality.
->
-> If it is an example README.md, describe what the example illustrates.
+## Useful Links (Optional)
+> Provide links to the most relevant module documentation (tutorials, technical references, resources, etc.).
 
-## Prerequisites
-
-> List the requirements to run the project or example.
-
-## Installation
-
-> Explain the steps to install your project. If there are multiple installation options, mention the recommended one and include others in a separate document. Create an ordered list for each installation task.
->
-> If it is an example README.md, describe how to build, run locally, and deploy the example. Format the example as code blocks and specify the language, highlighting where possible. Explain how you can validate that the example ran successfully. For example, define the expected output or commands to run which check a successful deployment.
->
-> Add subsections (H3) for better readability.
-
-## Usage
-
-> Explain how to use the project. You can create multiple subsections (H3). Include the instructions or provide links to the related documentation.
-
-## Development
-
-> Add instructions on how to develop the project or example. It must be clear what to do and, for example, how to trigger the tests so that other contributors know how to make their pull requests acceptable. Include the instructions or provide links to related documentation.
-
-## Contributing
-<!--- mandatory section - do not change this! --->
-
-See the [Contributing Rules](CONTRIBUTING.md).
-
-## Code of Conduct
-<!--- mandatory section - do not change this! --->
-
-See the [Code of Conduct](CODE_OF_CONDUCT.md) document.
-
-## Licensing
-<!--- mandatory section - do not change this! --->
-
-See the [license](./LICENSE) file.
+## Feedback (Optional)
+> Describe how users can provide feedback.

main.tf

@@ -0,0 +1,199 @@
+# "kyma.tf"
+
+resource "btp_subaccount_entitlement" "kyma" {
+  subaccount_id = btp_subaccount.subaccount.id
+  service_name  = "kymaruntime"
+  plan_name     = var.BTP_KYMA_PLAN
+  amount        = 1
+}
+
+resource "btp_subaccount_environment_instance" "kyma" {
+  subaccount_id    = btp_subaccount.subaccount.id
+  name             = "${var.BTP_SUBACCOUNT}-kyma"
+  environment_type = "kyma"
+  service_name     = btp_subaccount_entitlement.kyma.service_name
+  plan_name        = btp_subaccount_entitlement.kyma.plan_name
+  parameters = jsonencode({
+    modules = {
+      list = [
+        {
+          name    = "api-gateway"
+          channel = "fast"
+        },
+        {
+          name    = "istio"
+          channel = "fast"
+        },
+        {
+          name    = "btp-operator"
+          channel = "fast"
+        }
+      ]
+    }
+    oidc = {
+      groupsClaim    = "groups"
+      signingAlgs    = ["RS256"]
+      usernameClaim  = "sub"
+      usernamePrefix = "-"
+      clientID       = jsondecode(btp_subaccount_service_binding.identity_application_binding.credentials).clientid
+      issuerURL      = "https://${var.BTP_CUSTOM_IAS_TENANT}.${var.BTP_CUSTOM_IAS_DOMAIN}"
+    }
+    name   = "${var.BTP_SUBACCOUNT}-kyma"
+    region = var.BTP_KYMA_REGION
+    administrators = [
+      var.BTP_BOT_USER
+    ]
+  })
+  timeouts = {
+    create = "60m"
+    update = "30m"
+    delete = "60m"
+  }
+}
+
+data "http" "kubeconfig" {
+  url = jsondecode(btp_subaccount_environment_instance.kyma.labels).KubeconfigURL
+  retry {
+    attempts = 2
+    max_delay_ms = 2000
+    min_delay_ms = 1000
+  }
+  lifecycle {
+    postcondition {
+      condition     = can(regex("kind: Config",self.response_body))
+      error_message = "Invalid content of downloaded kubeconfig"
+    }
+  }
+}
+
+locals {
+  id_token = jsondecode(data.http.token.response_body).id_token
+  kubeconfig_oidc = yamldecode(data.http.kubeconfig.response_body)
+}
+
+data "jq_query" "kubeconfig" {
+  data = jsonencode(yamldecode(data.http.kubeconfig.response_body))
+  query = "del(.users[] | .user | .exec) | .users[] |= . + { user: { token: ${jsonencode(local.id_token)} } }"
+}
+
+resource "local_sensitive_file" "kubeconfig-yaml" {
+  filename = "kubeconfig.yaml"
+  content  = yamlencode(jsondecode(data.jq_query.kubeconfig.result) )
+}
+
+#"oidc.tf"
+
+resource "btp_subaccount_entitlement" "identity" {
+  subaccount_id = btp_subaccount.subaccount.id
+  service_name  = "identity"
+  plan_name     = "application"
+}
+
+# custom idp
+resource "btp_subaccount_trust_configuration" "custom_idp" {
+  subaccount_id     = btp_subaccount.subaccount.id
+  identity_provider = "${var.BTP_CUSTOM_IAS_TENANT}.${var.BTP_CUSTOM_IAS_DOMAIN}"
+  name              = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}"
+  depends_on        = [btp_subaccount_entitlement.identity]
+}
+
+data "btp_subaccount_service_plan" "identity_application" {
+  depends_on    = [btp_subaccount_entitlement.identity]
+  subaccount_id = btp_subaccount.subaccount.id
+  offering_name = "identity"
+  name          = "application"
+}
+
+resource "btp_subaccount_service_instance" "identity_application" {
+  depends_on     = [btp_subaccount_trust_configuration.custom_idp]
+  subaccount_id  = btp_subaccount.subaccount.id
+  name           = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app"
+  serviceplan_id = data.btp_subaccount_service_plan.identity_application.id
+  parameters = jsonencode({
+    user-access = "public"
+    oauth2-configuration = {
+      grant-types = [
+        "authorization_code",
+        "authorization_code_pkce_s256",
+        "password",
+        "refresh_token"
+      ],
+      token-policy = {
+        token-validity              = 3600,
+        refresh-validity            = 15552000,
+        refresh-usage-after-renewal = "off",
+        refresh-parallel            = 3,
+        access-token-format         = "default"
+      },
+      public-client = true,
+      redirect-uris = [
+        "https://dashboard.kyma.cloud.sap",
+        "https://dashboard.dev.kyma.cloud.sap",
+        "https://dashboard.stage.kyma.cloud.sap",
+        "http://localhost:8000"
+      ]
+    },
+    subject-name-identifier = {
+      attribute          = "mail",
+      fallback-attribute = "none"
+    },
+    default-attributes = null,
+    assertion-attributes = {
+      email      = "mail",
+      groups     = "companyGroups",
+      first_name = "firstName",
+      last_name  = "lastName",
+      login_name = "loginName",
+      mail       = "mail",
+      scope      = "companyGroups",
+      user_uuid  = "userUuid",
+      locale     = "language"
+    },
+    name         = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app",
+    display-name = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app"
+  })
+}
+
+resource "btp_subaccount_service_binding" "identity_application_binding" {
+  subaccount_id       = btp_subaccount.subaccount.id
+  name                = "${var.BTP_SUBACCOUNT}-${var.BTP_CUSTOM_IAS_TENANT}-oidc-app-binding"
+  service_instance_id = btp_subaccount_service_instance.identity_application.id
+  parameters = jsonencode({
+    credential-type = "X509_GENERATED"
+    key-length      = 4096
+    validity        = 1
+    validity-type   = "DAYS"
+    app-identifier  = "kymaruntime"
+  })
+}
+
+locals {
+  idp = jsondecode(btp_subaccount_service_binding.identity_application_binding.credentials)
+}
+
+data "http" "token" {
+  url = "${local.idp.url}/oauth2/token"
+  method = "POST"
+  request_headers = {
+    Content-Type  = "application/x-www-form-urlencoded"
+  }
+  request_body = "grant_type=password&username=${var.BTP_BOT_USER}&password=${var.BTP_BOT_PASSWORD}&client_id=${local.idp.clientid}&scope=groups,email"
+}
+
+#"provider-sm.tf"
+
+data "btp_subaccount_service_binding" "provider_sm" {
+  count = var.BTP_PROVIDER_SUBACCOUNT_ID == null ? 0 : 1
+  # count = try(var.BTP_PROVIDER_SUBACCOUNT_ID, false) ? 1 : 0
+  subaccount_id = var.BTP_PROVIDER_SUBACCOUNT_ID
+  name          = "provider-sm-binding"
+}
+
+#"subaccount.tf"
+
+resource "btp_subaccount" "subaccount" {
+  name      = var.BTP_SUBACCOUNT
+  region    = var.BTP_SA_REGION
+  subdomain = var.BTP_SUBACCOUNT
+}
+

output.tf

@@ -0,0 +1,9 @@
+output "custom_service_manager_credentials" {
+  value = var.BTP_PROVIDER_SUBACCOUNT_ID == null ? null : jsondecode(one(data.btp_subaccount_service_binding.provider_sm).credentials)
+}
+
+output "kubeconfig" {
+  value = yamlencode(jsondecode(data.jq_query.kubeconfig.result) )
+}
+
+

provider.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    btp = {
+      source  = "SAP/btp"
+      version = "1.5.0"
+    }
+    jq = {
+      source  = "massdriver-cloud/jq"
+    }
+    http = {
+      source = "hashicorp/http"
+      version = "3.4.4"
+    }
+  }
+}