@RustyNails8
Last active March 12, 2023 16:22

Enterprise Scale for SAP on Azure Deployment Automation Framework - Hands-on Lab

Reference

Workstation Preparation

Spin up Ubuntu droplet from Digital Ocean

Workstation

Install az cli

curl -L https://aka.ms/InstallAzureCli | bash

Login

az login
az account list --output=table | grep True

OUTPUT

AzureLearning  AzureCloud   <Subscription ID>  Enabled  True 

Az CLI

Clone sap automation repository on Workstation

mkdir -p ~/Azure_SAP_Automated_Deployment
cd ~/Azure_SAP_Automated_Deployment
git clone https://github.com/Azure/sap-automation.git
git clone https://github.com/Azure/sap-automation-samples.git

Clone Repo

Validate the versions of Terraform and the Azure CLI available on your workstation or Cloud Shell instance.

./sap-automation/deploy/scripts/helpers/check_workstation.sh

In case of failure, install ansible, terraform and jq manually.

curl -L https://aka.ms/InstallAzureCli | bash

sudo apt install ansible

wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install terraform

OUTPUT should be

Check Workstation

Create service principal

Prepare the deployment credentials

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<Subscription ID>" --name="MGMT-Deployment-Account"

OUTPUT Service Principal App ID

{
  "appId": "<App_ID>",
  "displayName": "MGMT-Deployment-Account",
  "password": "<passwd>",
  "tenant": "<tenant>"
}

Service Principal

Assign the User Access Administrator role to the service principal.

az role assignment create --assignee <App_ID> --role "User Access Administrator" --scope /subscriptions/<Subscription ID>/resourceGroups/cloud-shell-storage-centralindia

OUTPUT User Access Administrator Role

{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/<Subscription ID>/resourceGroups/cloud-shell-storage-centralindia/providers/Microsoft.Authorization/roleAssignments/08d5ff7d-9b10-4f81-8287-0e0baced1cee",
  "name": "08d5ff7d-9b10-4f81-8287-0e0baced1cee",
  "principalId": "<spn_ID>",
  "principalName": "<App_ID>",
  "principalType": "ServicePrincipal",
  "resourceGroup": "cloud-shell-storage-centralindia",
  "roleDefinitionId": "/subscriptions/<Subscription ID>/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "roleDefinitionName": "User Access Administrator",
  "scope": "/subscriptions/<Subscription ID>/resourceGroups/cloud-shell-storage-centralindia",
  "type": "Microsoft.Authorization/roleAssignments"
}

Role Assignment

Prepare Web App

echo '[{"resourceAppId":"<App_ID>","resourceAccess":[{"id":"<Subscription ID>","type":"Scope"}]}]' > manifest.json

region_code=WEEU

export TF_VAR_app_registration_app_id=$(az ad app create \
    --display-name ${region_code}-webapp-registration \
    --required-resource-access @manifest.json \
    --query "appId" | tr -d '"')

export TF_VAR_webapp_client_secret=$(az ad app credential reset \
    --id $TF_VAR_app_registration_app_id --append               \
    --query "password" | tr -d '"')

export TF_VAR_use_webapp=true
rm manifest.json

OUTPUT :: Web App

in10c2 ➜ ~/IN10C2/github/Azure_SAP_Automated_Deployment/WORKSPACES $ export TF_VAR_app_registration_app_id=$(az ad app create \
>     --display-name ${region_code}-webapp-registration \
>     --required-resource-access @manifest.json \
>     --query "appId" | tr -d '"')
Found an existing application instance of "<webAPPID>". We will patch it
in10c2 ➜ ~/IN10C2/github/Azure_SAP_Automated_Deployment/WORKSPACES $
in10c2 ➜ ~/IN10C2/github/Azure_SAP_Automated_Deployment/WORKSPACES $ export TF_VAR_webapp_client_secret=$(az ad app credential reset \
>     --id $TF_VAR_app_registration_app_id --append               \
>     --query "password" | tr -d '"')
in10c2 ➜ ~/IN10C2/github/Azure_SAP_Automated_Deployment/WORKSPACES $
in10c2 ➜ ~/IN10C2/github/Azure_SAP_Automated_Deployment/WORKSPACES $ export TF_VAR_use_webapp=true
in10c2 ➜ ~/IN10C2/github/Azure_SAP_Automated_Deployment/WORKSPACES $ rm manifest.json
in10c2 ➜ ~/IN10C2/github/Azure_SAP_Automated_Deployment/WORKSPACES $

Deploy control plane Bash

export subscriptionId="<Subscription ID>"
export control_plane_env_code="MGMT"

export displayName="MGMT-Deployment-Account"
export password="<passwd>"
export tenant="<tenant>"
export principalId="<spn_ID>"
export principalName="<App_ID>"
export principalType="ServicePrincipal"

cd ~/Azure_SAP_Automated_Deployment
cp -Rp sap-automation/samples/WORKSPACES WORKSPACES
cd ~/Azure_SAP_Automated_Deployment/WORKSPACES

WORKSPACES

export subscriptionId="<Subscription ID>"
export appId="<App_ID>"
export spn_id="<spn_ID>"
export spn_secret="<passwd>"
export tenant_id="<tenant>"
export env_code="MGMT"
export region_code="WEEU"

export DEPLOYMENT_REPO_PATH="/root/Azure_SAP_Automated_Deployment/sap-automation"
export CONFIG_REPO_PATH="/root/Azure_SAP_Automated_Deployment/sap-automation-samples/Terraform/WORKSPACES"
export SAP_AUTOMATION_REPO_PATH="/root/Azure_SAP_Automated_Deployment/sap-automation"
export ARM_SUBSCRIPTION_ID="${subscriptionId}"

${DEPLOYMENT_REPO_PATH}/deploy/scripts/deploy_controlplane.sh                                                                                  \
    --deployer_parameter_file DEPLOYER/${env_code}-${region_code}-DEP00-INFRASTRUCTURE/${env_code}-${region_code}-DEP00-INFRASTRUCTURE.tfvars  \
    --library_parameter_file LIBRARY/${env_code}-${region_code}-SAP_LIBRARY/${env_code}-${region_code}-SAP_LIBRARY.tfvars                      \
    --subscription "${subscriptionId}"                                                                                                         \
    --spn_id "${spn_id}"                                                                                                                       \
    --spn_secret "${spn_secret}"                                                                                                               \
    --tenant_id "${tenant_id}"                                                                                                                 \
    --auto-approve
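
A preflight for the variables and parameter files handed to deploy_controlplane.sh above, as an added example that is not part of the original gist or the sap-automation repository. The function names are hypothetical; it assumes subscriptionId, spn_id and tenant_id must each be a bare GUID and that it is run from the WORKSPACES directory.

```shell
# Added example (hypothetical helper names), POSIX sh.

# is_guid VALUE: succeeds only when VALUE is exactly one GUID, so a stray
# comma, quote, space or a "<placeholder>" is rejected.
is_guid() {
    _h='[0-9a-fA-F]'; _h4="$_h$_h$_h$_h"
    case $1 in
        $_h4$_h4-$_h4-$_h4-$_h4-$_h4$_h4$_h4) return 0 ;;
    esac
    return 1
}

# preflight_controlplane: prints one line per problem to stderr and returns
# the number of problems found (0 means the deploy command can be started).
preflight_controlplane() {
    _problems=0
    for _name in subscriptionId spn_id tenant_id; do
        eval "_value=\${$_name-}"
        if ! is_guid "$_value"; then
            # Name the variable only; credential values are never echoed.
            echo "ERROR: $_name is not a bare GUID (placeholder, stray comma or whitespace?)" >&2
            _problems=$((_problems + 1))
        fi
    done
    case ${spn_secret-} in
        ''|'<'*'>')
            echo "ERROR: spn_secret is empty or still a placeholder" >&2
            _problems=$((_problems + 1)) ;;
    esac
    # Same relative paths the deploy command builds from env_code/region_code.
    _dep="${env_code-}-${region_code-}-DEP00-INFRASTRUCTURE"
    _lib="${env_code-}-${region_code-}-SAP_LIBRARY"
    for _file in "DEPLOYER/$_dep/$_dep.tfvars" "LIBRARY/$_lib/$_lib.tfvars"; do
        if [ ! -f "$_file" ]; then
            echo "ERROR: parameter file not found under $PWD: $_file" >&2
            _problems=$((_problems + 1))
        fi
    done
    return "$_problems"
}

# Usage: preflight_controlplane && "${DEPLOYMENT_REPO_PATH}/deploy/scripts/deploy_controlplane.sh" ...
```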

Deploy Control Plane - 1

Deploy Control Plane - 2

Deploy Control Plane - 3

Deploy Control Plane - Step Before Error 1

Deploy Control Plane - Step Before Error 2

Deploy Control Plane - Error

Stuck at above step

Have done the below steps earlier... and proceeded with next steps, but I think problem is on above steps ... as I think sapbits is not initialized in this above step.

Azure shows the deployment plane was created and infrastructure is ready, but again get stuck in BOM download step

Azure Deployment Infrastructure

sapbit missing in key vault

Added debug to 2nd line of all bash scripts

root@ubuntu-s-1vcpu-1gb-blr1-01:~/Azure_SAP_Automated_Deployment/sap-automation/deploy/scripts# sed -i '2s/^/set -x\n/' *.sh

Tried this as suggested by DK

${DEPLOYMENT_REPO_PATH}/deploy/scripts/prepare_region.sh                                                                                       \
        --deployer_parameter_file DEPLOYER/${env_code}-${region_code}-DEP00-INFRASTRUCTURE/${env_code}-${region_code}-DEP00-INFRASTRUCTURE.tfvars  \
        --library_parameter_file LIBRARY/${env_code}-${region_code}-SAP_LIBRARY/${env_code}-${region_code}-SAP_LIBRARY.tfvars                      \
        --subscription "${subscriptionId}"                                                                                                         \
        --spn_id "${spn_id}"                                                                                                                       \
        --spn_secret "${spn_secret}"                                                                                                               \
        --tenant_id "${tenant_id}"                                                                                                                 \
        --auto-approve

Now error has changed

Error in prepare region

Connect to deployer VM

Connect via Azure Bastion

Run the following script to configure the deployer.

mkdir -p ~/Azure_SAP_Automated_Deployment
cd ~/Azure_SAP_Automated_Deployment
git clone https://github.com/Azure/sap-automation.git
cd sap-automation/deploy/scripts
./configure_deployer.sh

In case of failure, install ansible, terraform and jq manually.

curl -L https://aka.ms/InstallAzureCli | bash

sudo apt install ansible

wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install terraform

Get SAP software using the Bill of Materials (BOM)

export key_vault=MGMTWEEUDEP00user0FF
export sap_username=S0012512875
export sap_user_password='myPASSWORD'

az keyvault secret set --name "S-Username" --vault-name $key_vault --value "${sap_username}";
az keyvault secret set --name "S-Password" --vault-name "${key_vault}" --value "${sap_user_password}";

Check BOM S/W

cd ~/Azure_SAP_Automated_Deployment/WORKSPACES
cp -Rp ../sap-automation/training-materials/WORKSPACES/BOMS .
cd BOMS

export DEPLOYMENT_REPO_PATH="/root/Azure_SAP_Automated_Deployment/sap-automation"
export CONFIG_REPO_PATH="/root/Azure_SAP_Automated_Deployment/sap-automation-samples/Terraform/WORKSPACES"
export SAP_AUTOMATION_REPO_PATH="/root/Azure_SAP_Automated_Deployment/sap-automation"
export ARM_SUBSCRIPTION_ID="${subscriptionId}"

ls -d ${DEPLOYMENT_REPO_PATH}/deploy/ansible/BOM-catalog/S41909SPS03* | xargs basename
vi sap-parameters.yaml

sap-parameters.yaml should look like this:

bom_base_name:                 S41909SPS03_v0011ms 

# Name of the key vault containing the S user credentials
deployer_kv_name:              MGMTWEEUDEP00user0FF

# Set the following value to true to calculate checksums for the downloaded files
# Not needed for the Microsoft provided BOMs
# create_checksums:              true
check_storage_account:         false

Execute the Ansible playbooks. One way you can execute the playbooks is to use the Downloader menu. Run the download_menu script.

pwd    # expected: ~/Azure_SAP_Automated_Deployment/WORKSPACES/BOMS
~/Azure_SAP_Automated_Deployment/sap-automation/deploy/ansible/download_menu.sh

az keyvault secret show --vault-name MGMTWEEUDEP00user0FF --name "S-Username"

Storage Account sapbits

azureadmin@mgmtweeudep00deploy00:~/Azure_SAP_Automated_Deployment/WORKSPACES/BOMS$ grep sapbits ../../sap-automation/deploy/ansible/vars/ansible-input-api.yaml
sapbits_bom_files: "sapfiles"
sapbits_location_secret: "sapbits-location-base-path" # Name of secret containing the SAP Binaries storage account container URL
sapbits_sas_token_secret: "sapbits-sas-token" # Name of secret containing the SAP Binaries storage account SAS token
azureadmin@mgmtweeudep00deploy00:~/Azure_SAP_Automated_Deployment/WORKSPACES/BOMS$
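
A check for the "sapbits missing in key vault" situation above, as an added example that is not part of the original gist or the sap-automation repository. It derives the sapbits secret names from the `sapbits_*_secret` keys shown in the grep output, adds the two S-user secrets set earlier, and reports which of them the vault lacks; the function names are hypothetical.

```shell
# Added example (hypothetical helper names), POSIX sh.

# required_secret_names VARS_FILE: print the quoted value of every
# sapbits_*_secret key, e.g.
#   sapbits_sas_token_secret: "sapbits-sas-token" # comment
# yields sapbits-sas-token. Keys such as sapbits_bom_files are ignored.
required_secret_names() {
    sed -n 's/^[[:space:]]*sapbits_[A-Za-z0-9_]*_secret:[[:space:]]*"\([^"]*\)".*$/\1/p' "$1"
}

# missing_secrets VARS_FILE: reads the secret names that exist in the vault
# from stdin (one per line), prints each required name that is absent and
# succeeds only when none is missing. Only names are handled, never values.
missing_secrets() {
    _present=$(cat)
    _missing=0
    for _want in S-Username S-Password $(required_secret_names "$1"); do
        if ! printf '%s\n' "$_present" | grep -Fqx -- "$_want"; then
            echo "$_want"
            _missing=$((_missing + 1))
        fi
    done
    [ "$_missing" -eq 0 ]
}

# Usage on the deployer, from the BOMS directory:
#   az keyvault secret list --vault-name "$key_vault" --query "[].name" -o tsv \
#     | missing_secrets ../../sap-automation/deploy/ansible/vars/ansible-input-api.yaml
```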