Merge pull request #207149 from KimForss/main

DevOps Web App updates

Author: v-ccolin

articles/virtual-machines/workloads/sap/automation-configure-control-plane.md

@@ -88,7 +88,14 @@ The table below contains the networking parameters.
 > | `management_firewall_subnet_address_prefix` | The address range for the subnet                                 | Mandatory  | For green field deployments.  | 
 > |                                             |                                                                  |            | |
 > | `management_bastion_subnet_arm_id`		      | The Azure resource identifier for the Bastion subnet             | Mandatory  | For brown field deployments.  |
-> | `management_bastion_subnet_address_prefix`  | The address range for the subnet                                 | Mandatory  | For green field deployments.  | 
+> | `management_bastion_subnet_address_prefix`  | The address range for the subnet                                 | Mandatory  | For green field deployments.  |
+> |                                             |                                                                  |            | |
+> | `webapp_subnet_arm_id`		                  | The Azure resource identifier for the web app subnet             | Mandatory  | For brown field deployments using the web app |
+> | `webapp_subnet_address_prefix`              | The address range for the subnet                                 | Mandatory  | For green field deployments using the web app | 
+
+> [!NOTE]
+> When using an existing subnet for the web app, the subnet must be empty, in the same region as the resource group being deployed, and delegated to Microsoft.Web/serverFarms
+ 
 
 ### Deployer Virtual Machine Parameters
 

articles/virtual-machines/workloads/sap/automation-configure-devops.md

@@ -0,0 +1,124 @@
+---
+title: Configure a Deployer UX Web Application for SAP Deployment Automation Framework
+description: Configure a web app as a part of the control plane to help creating and deploying SAP workload zones and systems on Azure.
+author: wsheehan
+ms.author: wsheehan
+ms.reviewer: wsheehan
+ms.date: 06/21/2022
+ms.topic: conceptual
+ms.service: virtual-machines-sap
+---
+
+# Configure the Control Plane UX Web Application
+
+As a part of the SAP automation framework control plane, you can optionally create an interactive web application that will assist you in creating and deploying SAP workload zones and systems.
+
+:::image type="content" source="./media/automation-deployment-framework/webapp-front-page.png" alt-text="Web app front page":::
+
+## Create an app registration 
+
+If you would like to use the web app, you must first create an app registration for authentication purposes. Open the Azure Cloud Shell and execute the following commands:
+
+# [Linux](#tab/linux)
+Replace MGMT with your environment as necessary.
+```bash
+echo '[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}]}]' >> manifest.json 
+
+TF_VAR_app_registration_app_id=$(az ad app create \
+    --display-name MGMT-webapp-registration \
+    --enable-id-token-issuance true \
+    --sign-in-audience AzureADMyOrg \
+    --required-resource-access @manifest.json \
+    --query "appId" | tr -d '"')
+
+TF_VAR_webapp_client_secret=$(az ad app credential reset \
+    --id $TF_VAR_app_registration_app_id --append               \
+    --query "password" | tr -d '"')
+
+rm manifest.json
+```
+# [Windows](#tab/windows)
+Replace MGMT with your environment as necessary.
+```powershell
+Add-Content -Path manifest.json -Value '[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}]}]'
+
+$TF_VAR_app_registration_app_id=(az ad app create `
+    --display-name $region_code-webapp-registration     `
+    --enable-id-token-issuance true `
+    --sign-in-audience AzureADMyOrg `
+    --required-resource-accesses ./manifest.json        `
+    --query "appId").Replace('"',"")
+
+$TF_VAR_webapp_client_secret=(az ad app credential reset `
+    --id $TF_VAR_app_registration_app_id --append            `
+    --query "password").Replace('"',"") 
+
+rm ./manifest.json
+```
+---
+
+## Deploy via Azure DevOps (pipelines)
+
+For full instructions on setting up the web app using Azure DevOps, see [Use SAP Deployment Automation Framework from Azure DevOps Services](automation-configure-devops.md)
+
+### Summary of steps required to set up the web app before deploying the control plane:
+1. Add the web app deployment pipeline (deploy/pipelines/21-deploy-web-app.yaml).
+2. Add the variables TF_VAR_app_registration_app_id and TF_VAR_webapp_client_secret to your environment specific variable group before deployment.
+3. Assign the administrator role to the build service using the Security tab in your environment specific variable group.
+4. Check the box next to "deploy the web app infrastructure" when running the deploy control plane pipeline.
+
+### Summary of steps required to access the web app after deploying the control plane:
+1. Update the app registration reply URLs.
+2. Assign the reader role with the subscription scope to the app service system assigned managed identity.
+3. Run the web app deployment pipeline.
+4. (Optionally) add an additional access policy to the app service.
+
+## Deploy via Azure CLI (Cloud Shell)
+
+For full instructions on setting up the web app using the Azure CLI, see [Deploy the control plane](automation-deploy-control-plane.md)
+
+### Summary of steps required to set up the web app before deploying the control plane:
+1. Export the environment variables TF_VAR_app_registration_app_id, TF_VAR_webapp_client_secret, and TF_VAR_use_webapp="true".
+
+### Summary of steps required to access the web app after deploying the control plane:
+1. Update the app registration reply URLs.
+2. Assign the reader role with the subscription scope to the app service system assigned managed identity.
+3. Generate a zip file of the web app code.
+4. Deploy the software to the app service.
+5. Configure the application settings.
+6. (Optionally) add an additional access policy to the app service.
+
+
+## Using the web app
+
+The web app allows you to create SAP workload zone objects and system infrastructure objects. These are essentially another representation of the Terraform configuration file.
+If deploying using Azure Pipelines, you have ability to deploy these workload zones and system infrastructures right from the web app.
+If deploying using the Azure CLI, you can download the parameter file for any landscape or system object you create, and use that in your command line deployments.
+
+### Creating a landscape or system object from scratch
+1. Navigate to the "Workload zones" or "Systems" tab at the top of the website.
+2. Click "Create New" in the bottom left corner.
+3. Fill out the required parameters in the "Basic" and "Advanced" tabs, and any additional parameters you desire.
+4. Certain parameters will be dropdowns populated with existing Azure resources.
+   * If no results are shown for a dropdown, you probably need to specify another dropdown before you can see any options. Or, see step 2 above regarding the system assigned managed identity.
+       - The subscription parameter must be specified before any other dropdown functionality is enabled
+       - The network_arm_id parameter must be specified before any subnet dropdown functionality is enabled
+5. Select submit in the bottom left hand corner
+
+### Creating a workload zone or system object from a file
+1. Navigate to the "File" tab at the top of the website.
+2. Your options are
+   * Create a new file from scratch there in browser. 
+   * Import an existing.tfvars file, and (optionally) edit it before saving.
+   * Use an existing template, and (optionally) edit it before saving.
+3. Make sure your file conforms to the correct naming conventions.
+4. Next to the file you would like to convert to a workload zone or system object, click "Convert".
+5. The workload zone or system object will appear in its respective tab.
+
+### Deploying a workload zone or system object (Azure DevOps Pipelines deployment)
+1. Navigate to the Workload zones or Systems tab.
+2. Next to the workload zone or system you would like to deploy, click "Deploy".
+   * If you would like to deploy a file, first convert it to a workload zone or system object.
+4. Specify the necessary parameters, and confirm it's the correct object.
+5. Click deploy.
+6. The web app will automatically generate a '.tfvars' file from the object, update your Azure DevOps repository, and kick off the workload zone or system (infrastructure) pipeline. You can monitor the deployment in the Azure DevOps Portal.

articles/virtual-machines/workloads/sap/automation-configure-webapp.md

@@ -40,13 +40,71 @@ Optionally assign the following permissions to the Service Principal:
 az role assignment create --assignee <appId> --role "User Access Administrator" --scope /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>
 ```
 
+
+## Prepare the webapp
+This step is optional. If you would like a browser-based UX to assist in the configuration of SAP workload zones and systems, run the following commands before deploying the control plane.
+
+# [Linux](#tab/linux)
+
+```bash
+echo '[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}]}]' >> manifest.json
+
+region_code=WEEU
+
+export TF_VAR_app_registration_app_id=$(az ad app create \
+    --display-name ${region_code}-webapp-registration \
+    --enable-id-token-issuance true \
+    --sign-in-audience AzureADMyOrg \
+    --required-resource-access @manifest.json \
+    --query "appId" | tr -d '"')
+
+export TF_VAR_webapp_client_secret=$(az ad app credential reset \
+    --id $TF_VAR_app_registration_app_id --append               \
+    --query "password" | tr -d '"')
+
+export TF_VAR_use_webapp=true
+rm manifest.json
+
+```
+# [Windows](#tab/windows)
+
+```powershell
+
+Add-Content -Path manifest.json -Value '[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}]}]'
+
+$region_code="WEEU"
+
+$env:TF_VAR_app_registration_app_id = (az ad app create `
+    --display-name $region_code-webapp-registration     `
+    --enable-id-token-issuance true                     `
+    --sign-in-audience AzureADMyOrg                     `
+    --required-resource-accesses ./manifest.json        `
+    --query "appId").Replace('"',"")
+
+$env:TF_VAR_webapp_client_secret=(az ad app credential reset `
+    --id $env:TF_VAR_app_registration_app_id --append            `
+    --query "password").Replace('"',"")
+
+$env:TF_VAR_use_webapp="true"
+
+del manifest.json
+
+```
+
+# [Azure DevOps](#tab/devops)
+
+It is currently not possible to perform this action from Azure DevOps.
+
+---
+
+
 ## Deploy the control plane
 
 The sample Deployer configuration file `MGMT-WEEU-DEP00-INFRASTRUCTURE.tfvars` is located in the `~/Azure_SAP_Automated_Deployment/WORKSPACES/DEPLOYER/MGMT-WEEU-DEP00-INFRASTRUCTURE` folder.
 
 The sample SAP Library configuration file `MGMT-WEEU-SAP_LIBRARY.tfvars` is located in the `~/Azure_SAP_Automated_Deployment/WORKSPACES/LIBRARY/MGMT-WEEU-SAP_LIBRARY` folder.
 
-Running the command below will create the Deployer, the SAP Library and add the Service Principal details to the deployment key vault.
+Running the command below will create the Deployer, the SAP Library and add the Service Principal details to the deployment key vault. If you followed the web app setup in the step above, this command will also create the infrastructure to host the application. 
 
 # [Linux](#tab/linux)
 
@@ -85,7 +143,7 @@ cd ~/Azure_SAP_Automated_Deployment/WORKSPACES
         --spn_secret "${spn_secret}"                                                                                                               \
         --tenant_id "${tenant_id}"                                                                                                                 \
         --auto-approve
-    ```
+```
 
 # [Windows](#tab/windows)
 
@@ -100,7 +158,6 @@ xcopy /E sap-automation\samples\WORKSPACES WORKSPACES
 ```
 
 
-
 ```powershell
 
 
@@ -115,14 +172,13 @@ New-SAPAutomationRegion -DeployerParameterfile .\DEPLOYER\MGMT-WEEU-DEP00-INFRAS
 ```
 
 
-
 > [!NOTE]
 > Be sure to replace the sample value `<subscriptionID>` with your subscription ID.
 > Replace the `<appID>`, `<password>`, `<tenant>` values with the output values of the SPN creation
 
 # [Azure DevOps](#tab/devops)
 
-Open (https://dev.azure.com) and and go to your Azure DevOps project.
+Open (https://dev.azure.com) and go to your Azure DevOps project.
 
 > [!NOTE]
 > Ensure that the 'Deployment_Configuration_Path' variable in the 'SDAF-General' variable group is set to the folder that contains your configuration files, for this example you can use 'samples/WORKSPACES'.
@@ -224,9 +280,77 @@ cd sap-automation/deploy/scripts
 
 The script will install Terraform and Ansible and configure the deployer.
 
+
+## Deploy the web app software
+   
+If you would like to use the web app, follow the steps below. If not, ignore this section.
+
+The web app resource can be found in the deployer resource group. In the Azure portal, select resource groups in your subscription. The deployer resource group will be named something like MGMT-[region]-DEP00-INFRASTRUCTURE. Inside the deployer resource group, locate the app service, named something like mgmt-[region]-dep00-sapdeployment123. Open the app service and copy the URL listed. It should be in the format of https://mgmt-[region]-dep00-sapdeployment123.azurewebsites.net. This will be the value for webapp_url below.
+
+The following commands will configure the application urls, generate a zip file of the web app code, deploy the software to the app service, and configure the application settings.
+
+# [Linux](#tab/linux)
+
+```bash
+
+webapp_url=<webapp_url>
+az ad app update \
+    --id $TF_VAR_app_registration_app_id \
+    --web-home-page-url ${webapp_url} \
+    --web-redirect-uris ${webapp_url}/ ${webapp_url}/.auth/login/aad/callback
+
+```
+# [Windows](#tab/windows)
+
+```powershell
+
+$webapp_url="<webapp_url>"
+az ad app update `
+    --id $TF_VAR_app_registration_app_id `
+    --web-home-page-url $webapp_url `
+    --web-redirect-uris $webapp_url/ $webapp_url/.auth/login/aad/callback
+
+```
+# [Azure DevOps](#tab/devops)
+
+It is currently not possible to perform this action from Azure DevOps.
+---
+
+> [!TIP]
+> Perform the following task from the deployer.
+```bash
+
+cd ~/Azure_SAP_Automated_Deployment/sap-automation/Webapp/AutomationForm
+
+dotnet build
+dotnet publish --configuration Release
+
+cd bin/Release/netcoreapp3.1/publish/
+
+sudo apt install zip
+zip -r deploymentfile.zip .
+
+az webapp deploy --resource-group <group-name> --name <app-name> --src-path deploymentfile.zip
+
+```
+```bash
+
+az webapp config appsettings set -g <group-name> -n <app-name> --settings \
+IS_PIPELINE_DEPLOYMENT=false
+
+```
+
+
+## Accessing the web app
+
+By default there will be no inbound public internet access to the web app apart from the deployer virtual network. To allow additional access to the web app, navigate to the Azure portal. In the deployer resource group, find the web app. Then under settings on the left hand side, click on networking. From here, click Access restriction. Add any allow or deny rules you would like. For more information on configuring access restrictions, see [Set up Azure App Service access restrictions](/azure/app-service/app-service-ip-restrictions).
+
+You will also need to grant reader permissions to the app service system-assigned managed identity. Navigate to the app service resource. On the left hand side, click "Identity". In the "system assigned" tab, click on "Azure role assignments" > "Add role assignment". Select "subscription" as the scope, and "reader" as the role. Then click save. Without this step, the web app dropdown functionality will not work.
+
+You can log in and visit the web app by following the URL from earlier or clicking browse inside the app service resource. With the web app, you are able to configure SAP workload zones and system infrastructure. Click download to obtain a parameter file of the workload zone or system you specified, for use in the later deployment steps. 
+
+
 ## Next step
 
 > [!div class="nextstepaction"]
 > [Configure SAP Workload Zone](automation-configure-workload-zone.md)
-
-