Skip to content

Simplify AMS/IAS flow #128

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 6 commits into
base: main
Choose a base branch
from
+15 −204
Draft

Simplify AMS/IAS flow #128

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
2fe6744
Use cds add
renejeglinsky Mar 14, 2025
a1e35a6
Use cds add
renejeglinsky Mar 14, 2025
1d76d65
Update 3-deploy-to-cf.md
renejeglinsky Mar 14, 2025
d9e18de
Update documentation/xsuaa-to-ams/2-integrate-with-ams.md
renejeglinsky Mar 14, 2025
339a8a8
Update documentation/xsuaa-to-ams/3-deploy-to-cf.md
renejeglinsky Mar 14, 2025
f04a449
Update documentation/xsuaa-to-ams/3-deploy-to-cf.md
renejeglinsky Mar 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 6 additions & 22 deletions documentation/xsuaa-to-ams/2-integrate-with-ams.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,30 +3,14 @@

### Implement in Your Application

1. Add the latest versions of `@sap/ams` dependency to `package.json/dependencies`
```json
"@sap/ams": "^1.18.1",
```
2. Add the latest versions of `@sap/ams-dev` dependency to `package.json/devDependencies`
```json
"@sap/ams-dev": "^1.3",
```
3. Make sure you have installed latest version of `@sap/xssec` dependency.
```sh
npm install @sap/xssec
```
4. Make sure you have `@sap/cds-dk` with `version > 8` is installed as a **global** npm module.
1. Make sure you have `@sap/cds-dk` with `version > 8` is installed as a **global** npm module.
Copy link

@finkmanAtSap finkmanAtSap Mar 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The absolute minimum for the cds add ias and cds add ams commands is 8.6.0 (see https://pages.github.tools.sap/cap/docs/releases/dec24) but I would suggest >= 8.8 because there were some bug fixes for those commands.

Suggested change
1. Make sure you have `@sap/cds-dk` with `version > 8` is installed as a **global** npm module.
1. Make sure `@sap/cds-dk` with `version >= 8.8` is installed as a **global** npm module.

> Use `npm update -g` instead of `npm update` to update the library.
3. Add the following code to `package.json/cds/requires/[development]/auth`:
```json
"ams" : {
"autoCompile" : true,
"cache" : {
"TTL" : 0
}
}
2. Add needed dependencies
```sh
cds add ams
```
4. Build the project to install the added dependencies
> This adds the needed configuration for AMS as well as IAS.
3. Install the added dependencies
Copy link

@finkmanAtSap finkmanAtSap Mar 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might actually be unncessary. I think the add commands runs it but not sure.

```sh
npm i
```
Expand Down
191 changes: 9 additions & 182 deletions documentation/xsuaa-to-ams/3-deploy-to-cf.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,190 +4,17 @@

Prepare your sample for deploying on Cloud Foundry: [Prerequisite-for-sample](./1-getting-started-with-ams.md).

## Deploy to Cloud

## Add Identity Authentication and Authorization Management

1. Create `ias-config.json` file in your project root folder with the following content and replace the ```<unique-id>``` with a unique value to identify your IAS app in IAS Tenant:

```json
{

"authorization": {
"enabled":true
},
"provided-apis": [
Copy link

@finkmanAtSap finkmanAtSap Mar 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This information has to be manually added to the MTA before deployment, even if it gets generated.

{
"name": "incidents-api",
"description": "api exposed by incident mgmt app"
}
],
"display-name": "incident-ias-<unique-id>"
Copy link

@finkmanAtSap finkmanAtSap Mar 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should also make a manual change to the display-name if the mta is generated because the generated display-name will not contain and it might occur in some screenshots with a unique-id as suffix.

}
```

2. Check if the following dependencies and dev dependencies have been added to the `package.json`:


<!-- cpes-file package.json:$.cds.requires -->
```json
{
...
"dependencies": {
"@sap/ams": "^1.18.1",
"@sap/cds": "^8.0",
"@sap/xssec": "^3.3.5",
"hdb": "^0.19.0",
"passport": "^0"
},
"devDependencies": {
"@sap/ams-dev": "^1.3"
},

...
}
1. Prepare for production.
```sh
cds add mta,hana,approuter
```
3. Change the `auth.kind` to `ias` in `package.json` for the production profile:

```json
{
...
"cds": {
"requires": {
"[production]": {
...
"auth": {
"kind": "ias"
...
}
}
}
}
}
```

## Deploy on Cloud Foundry

1. Update the `mta.yaml` with the following content

- Change the dependency `incident-management-auth ` in `resources` from `xsuaa` service instance:
Copy link

@finkmanAtSap finkmanAtSap Mar 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this tutorial is based on an existing MTA, I'm not sure if deleting and regenerating it will work fine. If not, we need to keep these manual steps to make sure that we do not have any XSUAA left-overs

```yaml
- name: incident-management-auth
type: org.cloudfoundry.managed-service
parameters:
config:
tenant-mode: dedicated
xsappname: incidents-${org}-${space}
path: ./xs-security.json
service: xsuaa
service-plan: application
```

- To `ias` service instance:
```yaml
- name: incident-management-auth
parameters:
path: ./ias-config.json
service-plan: application
service: identity
type: org.cloudfoundry.managed-service
```
This adds the needed configuration for an SAP HANA database (needs to be provisioned in your account), for using an approuter, and using MTA as deployment.


- Add the following configurations to the `incident-management-srv` module
<!-- The flow that I'm seeing is, that the mta.yaml is just being generated. So I'll remove all the mta.yaml editing steps. -->

- Change `incident-management-auth` service binding with `incident-management-srv` to:
```yaml
- name: incidents-management-srv
type: nodejs
path: gen/srv
requires:
- name: incident-management-auth
parameters:
config:
credential-type: "X509_GENERATED"
```

- Add `AMS_DCL_ROOT` to `properties` section

```yaml
properties:
AMS_DCL_ROOT: ams/dcl
```
- Add `incident-management-ams-policies-deployer` module in `mta.yaml` below `incident-management-srv` module:
```yaml
- name: incident-management-ams-policies-deployer
type: javascript.nodejs
path: gen/policies
parameters:
buildpack: nodejs_buildpack
no-route: true
no-start: true
tasks:
- name: deploy-dcl
command: npm start
memory: 512M
requires:
- name: incident-management-auth
parameters:
config:
credential-type: X509_GENERATED
app-identifier: policy-deployer
```
- Delete `incident-management-auth` binding from `incident-management-destination-content`
```yaml
- name: incident-management-auth
parameters:
service-key:
name: incident-management-auth-key
```
- Delete `incidents_incident_management_auth` destination from `incident-management-destination-content`
```yaml
- Authentication: OAuth2UserTokenExchange
Name: incidents_incident_management_auth
ServiceKeyName: incident-management-auth-key
sap.cloud.service: incidents
```

### Note:

Check if the module `incident-management-destination-content` in `mta.yaml` looks like this:

```yaml
- name: incident-management-destination-content
type: com.sap.application.content
requires:
- name: incident-management-destination-service
parameters:
content-target: true
- name: incident-management_html_repo_host
parameters:
service-key:
name: incident-management_html_repo_host-key
parameters:
content:
instance:
destinations:
- Name: incidents_incidents_management_html_repo_host
ServiceInstanceName: incident-management-html5-app-host-service
ServiceKeyName: incident-management_html_repo_host-key
sap.cloud.service: incidents
existing_destinations_policy: ignore
build-parameters:
no-source: true
```
- Update `incident-management-srv-api` destination in `incident-management-destination-service`

- Add `HTML5.IASDependencyName: incidents-api`
Copy link

@finkmanAtSap finkmanAtSap Mar 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is Workzone specific configuration that is not part of the general cds add ias setup, so we need to keep this manual step


```yaml
- Authentication: NoAuthentication
HTML5.IASDependencyName: incidents-api
Name: incidents-management-srv-api
ProxyType: Internet
Type: HTTP
URL: ~{srv-api/srv-url}
existing_destinations_policy: update
```
2. Update `app/incidents/xs-app.json` with the following code:
```
{
Expand Down Expand Up @@ -226,18 +53,18 @@ Prepare your sample for deploying on Cloud Foundry: [Prerequisite-for-sample](./
> Change the `authenticationType ` of `incident-management-srv-api` and `html5-apps-repo-rt` from `xsuaa` to `ias`


6. Build the mtar.
3. Build the mtar.
```
mbt build
```

7. Log in to your SAP BTP subaccount and choose your Cloud Foundry space where you want to deploy your application.
4. Log in to your SAP BTP subaccount and choose your Cloud Foundry space where you want to deploy your application.

```
cf login -a <api-endpoint>
```

8. Deploy on Cloud Foundry.
5. Deploy on Cloud Foundry.

```
cf deploy mta_archive/<mtar_name>.mtar
Expand Down