Use kyma tf module (#171)

* Use yma tf module

* do not need headless-kubeconfig

* create file for creating provider SM creds

.github/workflows/_integration-tests.yaml

@@ -72,21 +72,19 @@ jobs:
           . ./set-tf-envs.sh
           terraform -chdir=../tf init
           terraform -chdir=../tf apply -auto-approve
-          echo "SUBACC_ID=$(cat ../tf/subaccount_id.txt)" >> $GITHUB_ENV
+          echo "SUBACC_ID=$(terraform -chdir=../tf output -raw subaccount_id)" >> $GITHUB_ENV
         env:
           BTP_ENV: ${{ secrets.BTP_INTEGRATION_TEST }}
-          TF_VAR_BTP_SUBACCOUNT: docker-registry-test-${{ github.run_id }}-${{ github.run_attempt }}
+          TF_VAR_BTP_NEW_SUBACCOUNT_NAME: docker-registry-test-${{ github.run_id }}-${{ github.run_attempt }}
 
       - name: Generate access
         run: |
           sudo ln -sf bash /bin/sh
           . ./set-tf-envs.sh
           mkdir -p tmp
-          make headless-kubeconfig
           CLUSTERROLE=cluster-admin make service-account-kubeconfig
         env:
           BTP_ENV: ${{ secrets.BTP_INTEGRATION_TEST }}
-          TF_VAR_BTP_SUBACCOUNT: btp-test-${{ github.run_id }}-${{ github.run_attempt }}
 
       - name: Add bindings
         run: |
@@ -97,7 +95,6 @@ jobs:
           KUBECONFIG=tmp/sa-kubeconfig.yaml OPERATOR_MANIFEST=../../../dockerregistry-operator.yaml make enable_docker_registry
         env:
           BTP_ENV: ${{ secrets.BTP_INTEGRATION_TEST }}
-          TF_VAR_BTP_SUBACCOUNT: btp-test-${{ github.run_id }}-${{ github.run_attempt }}
           IMG: ${{ inputs.image }}
 
       - name: Test if docker registry is working

tests/btp/README.md

@@ -11,12 +11,8 @@ Export the following environment variables:
 TF_VAR_BTP_BOT_USER=
 TF_VAR_BTP_BOT_PASSWORD=
 TF_VAR_BTP_GLOBAL_ACCOUNT=
-TF_VAR_BTP_BACKEND_URL=https://cpcli.cf.sap.hana.ondemand.com
 TF_VAR_BTP_CUSTOM_IAS_TENANT=
-TF_VAR_BTP_CUSTOM_IAS_DOMAIN=accounts400.ondemand.com
-TF_VAR_BTP_KYMA_PLAN=gcp
-TF_VAR_BTP_SA_REGION=us31
-TF_VAR_BTP_KYMA_REGION=us-central1
+
 TF_VAR_BTP_PROVIDER_SUBACCOUNT_ID=
 ```
 

tests/btp/hack/Makefile

@@ -1,27 +1,7 @@
-.PHONY: headless-kubeconfig
-headless-kubeconfig:
-	pwd
-	ls -la
-	( \
-	set -e -o pipefail ;\
-	curl -s -o tmp/kubeconfig.yaml $$(cat ../tf/kubeconfig_url.txt) ;\
-	ISSUER=$$(cat ../tf/binding_credentials.json | jq  -r '. | { clientid, url: (.url+ "/oauth2/token")  }' ) ;\
-	TOKEN=$$(curl -X POST  $$(jq -r '. | .url' <<< $$ISSUER) \
-	-H 'Content-Type: application/x-www-form-urlencoded' \
-	-d 'grant_type=password' \
-	-d 'username='"$$TF_VAR_BTP_BOT_USER" \
-	-d 'password='"$$TF_VAR_BTP_BOT_PASSWORD" \
-	-d 'client_id='$$(jq -r '. | .clientid' <<< $$ISSUER) \
-	-d 'scope=groups, email' \
-	| jq -r '.id_token' ) ;\
-	echo "i got $$(jq -r '. | .clientid' <<< $$ISSUER)" ;\
-	../bin/kyma alpha oidc --kubeconfig=tmp/kubeconfig.yaml --output=tmp/headless-kubeconfig.yaml --token=$$TOKEN ;\
-	)
-
 .PHONY: service-account-kubeconfig
 service-account-kubeconfig:
 	@echo "Generating expiring service-account based kubeconfig..."
-	../bin/kyma alpha access --clusterrole ${CLUSTERROLE} --kubeconfig tmp/headless-kubeconfig.yaml --name ci-workflow-sa --time 1h --output tmp/sa-kubeconfig.yaml
+	../bin/kyma alpha access --clusterrole ${CLUSTERROLE} --kubeconfig ../tf/kubeconfig.yaml --name ci-workflow-sa --time 1h --output tmp/sa-kubeconfig.yaml
 	@echo "Service-account based kubeconfig generated"
 
 .PHONY: docker_push_simple_app

tests/btp/tf/main.tf

@@ -0,0 +1,51 @@
+terraform {
+  required_providers {
+    btp = {
+      source  = "SAP/btp"
+      version = "1.6.0"
+    }
+    jq = {
+      source  = "massdriver-cloud/jq"
+    }
+    http = {
+      source = "hashicorp/http"
+      version = "3.4.4"
+    }
+  }
+}
+
+provider "jq" {}
+provider "http" {}
+
+provider "btp" {
+  globalaccount = var.BTP_GLOBAL_ACCOUNT
+  cli_server_url = var.BTP_BACKEND_URL
+  idp            = var.BTP_CUSTOM_IAS_TENANT
+  username = var.BTP_BOT_USER
+  password = var.BTP_BOT_PASSWORD
+}
+
+module "kyma" {
+  source = "github.com/kyma-project/terraform-module"
+  BTP_NEW_SUBACCOUNT_NAME = var.BTP_NEW_SUBACCOUNT_NAME
+  BTP_CUSTOM_IAS_TENANT = var.BTP_CUSTOM_IAS_TENANT
+  BTP_BOT_USER = var.BTP_BOT_USER
+  BTP_BOT_PASSWORD = var.BTP_BOT_PASSWORD
+  BTP_PROVIDER_SUBACCOUNT_ID = var.BTP_PROVIDER_SUBACCOUNT_ID
+}
+
+resource "local_file" "provider_sm" {
+  content  = <<EOT
+clientid=${module.kyma.custom_service_manager_credentials.clientid}
+clientsecret=${module.kyma.custom_service_manager_credentials.clientsecret}
+sm_url=${module.kyma.custom_service_manager_credentials.sm_url}
+tokenurl=${module.kyma.custom_service_manager_credentials.url}
+tokenurlsuffix=/oauth/token
+EOT
+  filename = "provider-sm-decoded.env"
+}
+
+
+output "subaccount_id" {
+  value = module.kyma.subaccount_id
+}

tests/btp/tf/variables.tf

@@ -22,10 +22,10 @@ variable "BTP_BOT_PASSWORD" {
 variable "BTP_BACKEND_URL" {
   type        = string
   description = "BTP backend URL"
-  default     = "https://cpcli.cf.sap.hana.ondemand.com"
+  default     = "https://cli.btp.cloud.sap"
 }
 
-variable "BTP_SUBACCOUNT" {
+variable "BTP_NEW_SUBACCOUNT_NAME" {
   type        = string
   description = "Subaccount name"
   default     = "subaccount-name"
@@ -34,13 +34,13 @@ variable "BTP_SUBACCOUNT" {
 variable "BTP_KYMA_PLAN" {
   type        = string
   description = "Plan name"
-  default     = "gcp"
+  default     = "azure"
 }
 
-variable "BTP_SA_REGION" {
+variable "BTP_NEW_SUBACCOUNT_REGION" {
   type        = string
   description = "Region name"
-  default     = "us31"
+  default     = "eu20"
 }
 
 variable "BTP_CUSTOM_IAS_TENANT" {
@@ -52,17 +52,16 @@ variable "BTP_CUSTOM_IAS_TENANT" {
 variable "BTP_CUSTOM_IAS_DOMAIN" {
   type        = string
   description = "Custom IAS domain"
-  default     = "accounts400.ondemand.com"
+  default     = "accounts.ondemand.com"
 }
 
 variable "BTP_KYMA_REGION" {
   type        = string
   description = "Kyma region"
-  default     = "us-central1"
+  default     = "westeurope"
 }
 
 variable "BTP_PROVIDER_SUBACCOUNT_ID" {
   type        = string
   description = "Subaccount ID"
-  default     = "subaccount-id"
 }