Technology Blog Posts by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Extending Infrastructure as Code for SAP BTP: Managing Resources on SAP BTP

Alexander_Teslya
Associate
Associate
3 weeks ago
398

In our previous discussion on leveraging Infrastructure as Code (IaC) for SAP BTP environment management, we focused on setting up the environment using Terraform. Now, let’s take it further by exploring how to modify the environment dynamically—adding resources and managing user access effectively.

Expanding Your SAP BTP Environment with Terraform

When managing SAP BTP environments, infrastructure needs evolve over time.

We may need to:

  • Scale resources, add new services, onboard additional users and manage role collections.
  • Manage and synchronize configuration across BTP landscape and subaccounts
  • Deploy of new landscapes on demand with unified and automated way with version control for changes.
  • Integrated with CI/CD processes

With Terraform, these tasks become repeatable, automated, and version-controlled.

1. Adding New Resources to an Existing SAP BTP Environment

Adding new resources, such as service instances or entitlements, ensures scalability and adaptability. Here’s an example of updating your Terraform configuration to include additional services.

Example: Adding a New Service

Let's create a Destination service in our subaccount. 

We need to add a few blocks of code:

  • Fetch Service Plans based on the filters provided
  • Create a service instance for this service plan
# Destination service

data "cloudfoundry_service_plans" "destination_plan" {
  depends_on = [ cloudfoundry_space_role.space_manager ]
  service_offering_name = "destination"
  name                  = var.destination_service_plan
}

resource "cloudfoundry_service_instance" "destination" {
  depends_on = [ cloudfoundry_space_role.space_manager ]
  name         = var.destination_name
  space        = cloudfoundry_space.dev.id
  service_plan = data.cloudfoundry_service_plans.destination_plan.service_plans[0].id
  type              = "managed"
  
}

After adding this configuration, plan and execute:

docker run --rm -i -t -v $PWD:/$PWD -w $PWD hashicorp/terraform:latest plan
docker run --rm -i -t -v $PWD:/$PWD -w $PWD hashicorp/terraform:latest apply --auto-approve

This will provision the destination service instance in the existing subaccount.

2. Managing User Access in SAP BTP

User management is crucial for maintaining security and role-based access control. Terraform allows us to automate user onboarding and role assignments.

Example: Adding Users to a Subaccount

In BTP Terraform provider there is no dedicated resources for user creation. However, user will be automatically added to subaccount when assign a user to a role collection on a subaccount level.

Of course we can specify list of accounts in separate file.

# Assign role collection Subaccount Viewer to users
resource "btp_subaccount_role_collection_assignment" "subaccount-viewer" {
  subaccount_id        = btp_subaccount.terra_example_dev.id
  for_each             = toset(var.subaccount_viewers)
  role_collection_name = "Subaccount Viewer"
  user_name            = each.value
}

Then, plan and execute:

docker run --rm -i -t -v $PWD:/$PWD -w $PWD hashicorp/terraform:latest plan
docker run --rm -i -t -v $PWD:/$PWD -w $PWD hashicorp/terraform:latest apply --auto-approve

Alexander_Teslya_0-1746033492164.png

Optionally, we can specify "origin" as parameter to identity provider that hosts the user or a group. Only needed for custom identity provider.

Applying this configuration ensures the user has appropriate access without manual intervention.

Manage Users in Subaccounts

We can use this approach to add new user or remove existing or remove role collection. For example, for we need to maintain combination of users and assigned role collections for Dev subbacount and then multiply the same configuration for a multiple subaccounts. In this case we can easily update code and distribute configuration in automatic way.

3. Updating Existing Resources

To modify an existing service (e.g., upgrading the plan or changing parameters), update the Terraform configuration and reapply changes.

Example: Changing the Service Plan

# Configure subaccount entitlement, add quota to Cloud Foundry Runtime
resource "btp_subaccount_entitlement" "cloudfoundry" {
  subaccount_id = btp_subaccount.terra_example_dev.id
  service_name  = "APPLICATION_RUNTIME"
  plan_name     = "MEMORY"
  amount        = 1     # It allocates 1GB RAM to the subaccount
}

We can change amount from 1 to 2 and apply it.

Executing terraform apply will ensure the quota is upgraded.

4. Using depends_on in Terraform

In Terraform, the depends_on argument is used to explicitly define dependencies between resources. This is useful when a resource must wait for another resource to be created before it can be provisioned.

Example: Using depends_on

resource "cloudfoundry_space" "dev" {
  depends_on = [btp_subaccount_environment_instance.cloudfoundry]
  name      = "dev"
  org       = btp_subaccount_environment_instance.cloudfoundry.platform_id
  allow_ssh = "false"
#  labels    = { test : "pass", purpose : "prod" }
}

This ensures that Cloud Foundry space will only be created afterCloud Foundry instance has been successfully provisioned.

5. Managing of state file

Terraform tracks the current state of your infrastructure in a file called terraform.tfstate. This file is critical because:

  • It represents the real-world infrastructure Terraform manages.

  • It enables Terraform to know what it created and how future changes should be applied.

  • It is used to detect drift between your code and deployed resources.

You can find a various recommendations how to manage this state file or your company already introduced internal policies. Let's highlight a few.

  • Use Remote Backends.
    • Instead of storing terraform.tfstate locally (which is unsafe in team environments), use a backend like:
      • S3 storage
      • Terraform Cloud
  • Secure the File
    • Terraform.tfstate may contain sensitive data like credentials or resource IDs.
  • Version Control State Indirectly
    • Do not use VCS to store terraform.tfstate. Instead, configure remote backends.

As example, you can introduce S3 object store on SAP BTP to store state files.

6. Analyzing Dependencies with terraform graph

Terraform provides the terraform graph command to visualize resource dependencies. This helps in understanding the sequence of resource creation and their interdependencies.

Running Terraform Graph

Execute the following command to generate a dependency graph:

docker run --rm -i -t -v $PWD:/$PWD -w $PWD hashicorp/terraform:latest graph | dot -Tpng > graph.png

This generates a visual representation of the infrastructure, which can be analyzed to debug issues or optimize dependencies. It would be helpful to analyze deployment sequence of dependent object.

Alexander_Teslya_0-1746037105676.png

 

Conclusion

By extending Terraform configurations to include resource modifications, user management, and dependency handling, we create a scalable and automated approach to SAP BTP environment management. Additionally, using depends_on and terraform graph helps in ensuring proper sequencing and analyzing dependencies effectively.

In next blog I will cover integration with CI/CD platforms for automated execution.

Are you looking to implement more advanced automation strategies in SAP BTP? Share your thoughts and experiences in the comments below!

 

 

Labels in this area
Popular Blog Posts