Deploy SAP S/4HANA Public Cloud Edition and an RDS (SQL Server) DB on AWS using Terraform (Infrastructure as Code)

A_README.md

These artefacts are intented to help you provision a SAP S/4HANA Public Cloud edition on AWS and to provision an AWS RDS (SQL Server database) along with our SAP installation.

---

The testing and GitHub documentation were technically performed by Isaac Arnault, EMEA Managing Director for Data, AI and Analytics at HUBIA (Consulting IT firm for Data, AI, BI and Analytics) in France.
This gist is mainly dedicated to HUBIA's Clients' teams and its prospective customers.

Follow Isaac Arnault on GitHub: https://github.com/isaacarnault and https://isaacarnault.github.io/.

---

Without any further due let's get started.
To deploy SAP S/4HANA on the AWS Cloud using Terraform, you'll need to create several configuration files.

Existing Files

• main.tf: This is the primary configuration file where you define your providers, resources, and modules.
  
• variables.tf: This file contains all the variables used in your configuration.
  
• outputs.tf: This file defines the outputs of your Terraform configuration.
  
• providers.tf: This file specifies the providers you will use (e.g., AWS).
  
• ec2.tf: This file defines the EC2 instances for SAP S/4HANA.
  
• security_groups.tf: This file defines the security groups and rules.
  

Additional Files

• rds.tf: This file configures an RDS instance running SQL Server, which will serve as the database for SAP S/4HANA.
  
• userdata.sh: This script runs on the EC2 instance after it’s launched to install and configure SAP S/4HANA and connect it to the SQL Server database.
  
• sap_installation.tf: This file provisions the EC2 instance for SAP S/4HANA and uses the user data script to handle the post-deployment configuration.
  

Modules Directory

• modules/ec2/main.tf: This file defines the EC2 instance resource for SAP S/4HANA, specifying the AMI ID, instance type, key name, and security group IDs.
  
• modules/ec2/variables.tf: This file contains the variables used in the EC2 module configuration.
  

Author

• Isaac Arnault - Suggesting a way to deploy SAP S/4HANA Public Edition on AWS

License

All public gists https://gist.github.com/aiPhD
Copyright 2024, Isaac Arnault
MIT License, http://www.opensource.org/licenses/mit-license.php

B_INFRASTRUCTURE_OVERVIEW.md

Main Resources and Their Relationships

VPC

• Contains all networking components and resources.
• Segmented into public and private subnets.

Subnets

Public Subnets:

• Host resources that need direct access to the internet, such as NAT Gateway.

Private Subnets:

• Host resources that should not be directly accessible from the internet, such as EC2 instances running SAP S/4HANA and the RDS database.

Internet Gateway

• Attached to the VPC to provide internet connectivity to instances in public subnets.

NAT Gateway

• Placed in a public subnet to allow instances in private subnets to connect to the internet for updates or other needs without exposing them to direct internet access.

Security Groups

SAP S/4HANA Security Group:

• Allows traffic on ports needed for SAP application (e.g., SSH (22), HTTP (80)).

SQL Server Security Group:

• Allows traffic on port 1433 for SQL Server communication.

EC2 Instances

• Deployed in private subnets to run the SAP S/4HANA application.
• Configured using a user data script to install and set up SAP S/4HANA.

RDS Instance

• Deployed in private subnets with SQL Server engine.
• Configured with appropriate security groups to allow communication with SAP S/4HANA EC2 instances.

Key Pair

• Used to SSH into the EC2 instances for management and configuration.

IAM Roles and Policies

• Applied to EC2 instances and other resources to manage permissions and access control.

AWS Solution Architecture Diagram

To visually represent the architecture, here is a textual description that can be used to create an architecture diagram:

1. VPC with a CIDR block, divided into multiple subnets.
2. Public Subnets containing:
   • NAT Gateway connected to the Internet Gateway.
3. Private Subnets containing:
   • EC2 Instances for SAP S/4HANA.
   • RDS Instance for SQL Server.
4. Security Groups attached to the respective instances and RDS:
   • SAP S/4HANA Security Group allowing traffic on necessary ports.
   • SQL Server Security Group allowing traffic on port 1433.

C_DEPLOYMENT_STEPS.md

Here is a summary of the steps to set up and deploy SAP S/4HANA on AWS using the provided Terraform configuration files, including connecting it to a SQL Server database:

Step-by-Step Installation Guide

Step 1. Prepare Your Environment

Install Terraform: Ensure Terraform is installed on your machine. You can download it from the official Terraform website.
AWS CLI Configuration: Configure the AWS CLI with your credentials.

bash $ aws configure

Step 2. Clone the GitHub Repository

Create a GitHub repository and clone it to your local machine.

bash $ git clone <your-repo-url>
$ cd <your-repo-directory>

Step 3. Create the Terraform Configuration Files

main.tf: Define the main infrastructure, including providers and VPC setup.

hcl

  required_version = ">= 0.12"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

provider "aws" {
  region = var.aws_region
}

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
  version = "2.21.0"

  name = "s4hana-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["us-west-2a", "us-west-2b"]
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.3.0/24", "10.0.4.0/24"]

  enable_nat_gateway = true
  single_nat_gateway = true

  tags = {
    Terraform = "true"
    Environment = "dev"
  }
}

module "ec2" {
  source = "./modules/ec2"

  vpc_id     = module.vpc.vpc_id
  subnets    = module.vpc.private_subnets
  ami_id     = var.ami_id
  instance_type = var.instance_type
  key_name   = var.key_name
  security_group_ids = [aws_security_group.sap_s4hana_sg.id]
}

module "rds" {
  source = "./rds"

  db_username = var.db_username
  db_password = var.db_password
  vpc_id      = module.vpc.vpc_id
  subnets     = module.vpc.private_subnets
}

module "sap" {
  source = "./sap_installation"

  ami_id              = var.ami_id
  instance_type       = var.instance_type
  key_name            = var.key_name
  subnets             = module.vpc.private_subnets
  security_group_ids  = [aws_security_group.sap_s4hana_sg.id]
  db_host             = aws_db_instance.sql_server.address
  db_username         = var.db_username
  db_password         = var.db_password
}

variables.tf

Define variables used in the configuration.

hcl

variable "aws_region" {
  description = "The AWS region to deploy resources."
  default     = "us-west-2"
}

variable "ami_id" {
  description = "The AMI ID for the EC2 instances."
  default     = "ami-0abcdef1234567890"
}

variable "instance_type" {
  description = "The instance type for the EC2 instances."
  default     = "r5.large"
}

variable "key_name" {
  description = "The key name for SSH access."
  default     = "my-key"
}

variable "db_username" {
  description = "The username for the SQL Server database."
  default     = "admin"
}

variable "db_password" {
  description = "The password for the SQL Server database."
  default     = "ChangeMe123!"
}

outputs.tf

Define outputs of the Terraform configuration.

hcl

output "vpc_id" {
  value = module.vpc.vpc_id
}

output "public_subnets" {
  value = module.vpc.public_subnets
}

output "private_subnets" {
  value = module.vpc.private_subnets
}

output "ec2_instance_id" {
  value = module.ec2.instance_id
}

providers.tf

Specify the providers you will use.

``` provider "aws" { region = var.aws_region } ```

ec2.tf

Define the EC2 instances for SAP S/4HANA.

hcl

module "ec2" {
 source = "./modules/ec2"

 vpc_id = module.vpc.vpc_id
 subnets = module.vpc.private_subnets
 ami_id = var.ami_id
 instance_type = var.instance_type
 key_name = var.key_name
}

security_groups.tf

Define security groups and rules.

hcl

resource "aws_security_group" "sap_s4hana_sg" {
  name_prefix = "sap-s4hana-sg"
  vpc_id      = module.vpc.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "sap-s4hana-sg"
  }
}

resource "aws_security_group" "sql_server_sg" {
  name_prefix = "sql-server-sg"
  vpc_id      = module.vpc.vpc_id

  ingress {
    from_port   = 1433
    to_port     = 1433
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "sql-server-sg"
  }
}

rds.tf

Configure an RDS instance running SQL Server.

hcl

resource "aws_db_instance" "sql_server" {
allocated_storage       = 100
storage_type            = "gp2"
engine                  = "sqlserver-se"
engine_version          = "14.00.1000.169.v1"
instance_class          = "db.m4.large"
name                    = "sapdb"
username                = var.db_username
password                = var.db_password
db_subnet_group_name    = module.vpc.database_subnet_group
vpc_security_group_ids  = [aws_security_group.sql_server_sg.id]
multi_az                = false
publicly_accessible     = false

tags = {
  Name = "sap-s4hana-db"
}
}

userdata.sh

Script to run on the EC2 instance after it's launched to install and configure SAP S/4HANA and connect it to the SQL Server database.

bash
#!/bin/bash

Update and install necessary packages

$ sudo yum update -y

$ sudo yum install -y wget unzip java-1.8.0-openjdk.x86_64

<br>

Download SAP S/4HANA installer (replace with actual download link)

$ wget -O /tmp/sap_installer.zip "http://example.com/sap_installer.zip"
$ unzip /tmp/sap_installer.zip -d /tmp/sap_installer

Configuration commands

Adjust these commands based on the actual SAP S/4HANA installation process

Run the installer

$ cd /tmp/sap_installer
$ ./install.sh --database-host ${db_host} --database-port 1433 --database-name sapdb --database-username ${db_username} --database-password ${db_password}

Clean up

$ rm -rf /tmp/sap_installer.zip /tmp/sap_installer

sap_installation.tf

Provision the EC2 instance for SAP S/4HANA and use the user data script to handle the post-deployment configuration.

hcl

resource "aws_instance" "sap_s4hana" {
ami           = var.ami_id
instance_type = var.instance_type
key_name      = var.key_name
subnet_id     = element(var.subnets, 0)
user_data     = file("userdata.sh")

vpc_security_group_ids = var.security_group_ids

tags = {
  Name = "SAP S/4HANA"
}
}

Step 4. Modules Directory

`modules/ec2/main.tf`

Define the EC2 instance resource for SAP S/4HANA, specifying the AMI ID, instance type, key name, and security group IDs.

hcl

resource "aws_instance" "sap_s4hana" {
  ami           = var.ami_id
  instance_type = var.instance_type
  key_name      = var.key_name
  subnet_id     = element(var.subnets, 0)
  user_data     = file("userdata.sh")

  vpc_security_group_ids = var.security_group_ids

  tags = {
    Name = "SAP S/4HANA"
  }
}

modules/ec2/variables.tf

Contains the variables used in the EC2 module configuration.

hcl

variable "vpc_id" {
  description = "The VPC ID where the instance will be deployed."
}

variable "subnets" {
  description = "The subnets where the instance will be deployed."
}

variable "ami_id" {
  description = "The AMI ID for the instance."
}

variable "instance_type" {
  description = "The instance type for the instance."
}

variable "key_name" {
  description = "The key name for SSH access."
}

variable "security_group_ids" {
  description = "The security group IDs for the instance."
}

Step 5. Initialize and Apply the Configuration****

Initialize Terraform: Run terraform init to initialize the configuration.

bash $ terraform init

Plan the Deployment: Run terraform plan to see the execution plan.

bash $ terraform plan

Apply the Configuration: Run terraform apply to apply the configuration and deploy the infrastructure.

`bash` `$ terraform apply`

Step 6. Post-Deployment****

Verify Deployment: After the Terraform configuration is applied, verify that the EC2 instance for SAP S/4HANA is running and the RDS instance is available.
Check User Data Script: Ensure the user data script (userdata.sh) has run successfully on the EC2 instance and that SAP S/4HANA is installed and configured properly.

Directory structure yaml

terraform-sap-s4hana<br>
├── main.tf: Primary configuration file for providers, resources, and modules.<br>
├── variables.tf: Variables used in the configuration.<br>
├── outputs.tf: Outputs of the Terraform configuration.<br>
├── providers.tf: Specifies the providers used (e.g., AWS).<br>
├── ec2.tf: Defines the EC2 instances for SAP S/4HANA.<br>
├── security_groups.tf: Defines the security groups and rules.<br>
├── rds.tf: Configures an RDS instance running SQL Server for the SAP S/4HANA database.<br>
├── userdata.sh: Script to install and configure SAP S/4HANA and connect it to SQL Server.<br>
├── sap_installation.tf: Provisions the EC2 instance for SAP S/4HANA and runs the user data script.<br>
└── modules<br>
    └── ec2<br>
        ├── main.tf: Defines the EC2 instance resource for SAP S/4HANA.<br>
        └── variables.tf: Variables used in the EC2 module configuration.
        ```
  

<p>By following these steps, you will have a comprehensive setup for deploying SAP S/4HANA on AWS, including post-deployment configuration to connect it to a SQL Server database. <br>Adjust the userdata.sh script and other configurations based on your specific requirements and environment.</p>

D_main.tf

terraform {
  required_version = ">= 0.12"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

provider "aws" {
  region = var.aws_region
}

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
  version = "2.21.0"

  name = "s4hana-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["us-west-2a", "us-west-2b"]
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.3.0/24", "10.0.4.0/24"]

  enable_nat_gateway = true
  single_nat_gateway = true

  tags = {
    Terraform = "true"
    Environment = "dev"
  }
}

module "ec2" {
  source = "./modules/ec2"

  vpc_id     = module.vpc.vpc_id
  subnets    = module.vpc.private_subnets
  ami_id     = var.ami_id
  instance_type = var.instance_type
  key_name   = var.key_name
  security_group_ids = [aws_security_group.sap_s4hana_sg.id]
}
    module "rds" {
  source = "./rds"

  db_username = var.db_username
  db_password = var.db_password
  vpc_id      = module.vpc.vpc_id
  subnets     = module.vpc.private_subnets
}

module "sap" {
  source = "./sap_installation"

  ami_id              = var.ami_id
  instance_type       = var.instance_type
  key_name            = var.key_name
  subnets             = module.vpc.private_subnets
  security_group_ids  = [aws_security_group.sap_s4hana_sg.id]
  db_host             = aws_db_instance.sql_server.address
  db_username         = var.db_username
  db_password         = var.db_password
}

E_ec2.tf

module "ec2" {
  source = "./modules/ec2"

  vpc_id = module.vpc.vpc_id
  subnets = module.vpc.private_subnets
  ami_id = var.ami_id
  instance_type = var.instance_type
  key_name = var.key_name
}

F_outputs.tf

output "vpc_id" {
  value = module.vpc.vpc_id
}

output "public_subnets" {
  value = module.vpc.public_subnets
}

output "private_subnets" {
  value = module.vpc.private_subnets
}

output "ec2_instance_id" {
  value = module.ec2.instance_id
}

G_providers.tf

provider "aws" {
  region = var.aws_region
}

H_variables.tf

variable "aws_region" {
  description = "The AWS region to deploy resources."
  default     = "us-west-2"
}

variable "ami_id" {
  description = "The AMI ID for the EC2 instances."
  default     = "ami-0abcdef1234567890"
}

variable "instance_type" {
  description = "The instance type for the EC2 instances."
  default     = "r5.large"
}

variable "key_name" {
  description = "The key name for SSH access."
  default     = "my-key"
}
variable "db_host" {
  description = "The database host for the SQL Server database."
}

variable "db_username" {
  description = "The database username for the SQL Server database."
}

variable "db_password" {
  description = "The database password for the SQL Server database."
}

I_security_groups.tf

resource "aws_security_group" "sap_s4hana_sg" {
  name_prefix = "sap-s4hana-sg"
  vpc_id      = module.vpc.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "sap-s4hana-sg"
  }
}
  resource "aws_security_group" "sql_server_sg" {
  name_prefix = "sql-server-sg"
  vpc_id      = module.vpc.vpc_id

  ingress {
    from_port   = 1433
    to_port     = 1433
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "sql-server-sg"
  }
}

J_sap_installation.tf

resource "aws_instance" "sap_s4hana" {
  ami           = var.ami_id
  instance_type = var.instance_type
  key_name      = var.key_name
  subnet_id     = element(var.subnets, 0)
  user_data     = file("userdata.sh")

  vpc_security_group_ids = var.security_group_ids

  tags = {
    Name = "SAP S/4HANA"
  }
}

K_rds.tf

resource "aws_db_instance" "sql_server" {
  allocated_storage       = 100
  storage_type            = "gp2"
  engine                  = "sqlserver-se"
  engine_version          = "14.00.1000.169.v1"
  instance_class          = "db.m4.large"
  name                    = "sapdb"
  username                = var.db_username
  password                = var.db_password
  db_subnet_group_name    = module.vpc.database_subnet_group
  vpc_security_group_ids  = [aws_security_group.sql_server_sg.id]
  multi_az                = false
  publicly_accessible     = false

  tags = {
    Name = "sap-s4hana-db"
  }
}

L_userdata.sh

#!/bin/bash

# Update and install necessary packages
sudo yum update -y
sudo yum install -y wget unzip java-1.8.0-openjdk.x86_64

# Download SAP S/4HANA installer (replace with actual download link)
wget -O /tmp/sap_installer.zip "http://example.com/sap_installer.zip"
unzip /tmp/sap_installer.zip -d /tmp/sap_installer

# Example configuration commands
# Adjust these commands based on the actual SAP S/4HANA installation process

# Run the installer
cd /tmp/sap_installer
./install.sh --database-host ${db_host} --database-port 1433 --database-name sapdb --database-username ${db_username} --database-password ${db_password}

# Clean up
rm -rf /tmp/sap_installer.zip /tmp/sap_installer

M_LICENSE

MIT License

Copyright (c) 2024 Isaac Arnault, PhD

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.