Merge pull request #252831 from KimForss/main

v-shils · web-flow · commit 6ace02b1dfb6 · 2023-09-26T11:18:55.000-07:00
Control plane deployment updates
diff --git a/articles/sap/automation/deploy-control-plane.md b/articles/sap/automation/deploy-control-plane.md
@@ -43,71 +43,94 @@ Optionally, assign the following permissions to the service principal:
 az role assignment create --assignee <appId> --role "User Access Administrator" --scope /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>
 ```
 
-## Prepare the web app
-This step is optional. If you want a browser-based UX to help the configuration of SAP workload zones and systems, run the following commands before you deploy the control plane.
 
-# [Linux](#tab/linux)
+## Deploy the control plane
 
-```bash
-echo '[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}]}]' >> manifest.json
+All the artifacts that are required to deploy the control plane are located in GitHub repositories.
 
-region_code=WEEU
+Prepare for the control plane deployment by cloning the repositories using the following commands:
 
-export TF_VAR_app_registration_app_id=$(az ad app create \
-    --display-name ${region_code}-webapp-registration \
-    --enable-id-token-issuance true \
-    --sign-in-audience AzureADMyOrg \
-    --required-resource-access @manifest.json \
-    --query "appId" | tr -d '"')
 
-export TF_VAR_webapp_client_secret=$(az ad app credential reset \
-    --id $TF_VAR_app_registration_app_id --append               \
-    --query "password" | tr -d '"')
+```bash
+mkdir -p ~/Azure_SAP_Automated_Deployment; cd $_
 
-export TF_VAR_use_webapp=true
-rm manifest.json
+git clone https://github.com/Azure/sap-automation.git sap-automation
+
+git clone https://github.com/Azure/sap-automation-samples.git samples
 
 ```
-# [Windows](#tab/windows)
 
-```powershell
+The sample deployer configuration file `MGMT-WEEU-DEP00-INFRASTRUCTURE.tfvars` is located in the `~/Azure_SAP_Automated_Deployment/samples/Terraform/WORKSPACES/DEPLOYER/MGMT-WEEU-DEP00-INFRASTRUCTURE` folder.
 
-Add-Content -Path manifest.json -Value '[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}]}]'
+The sample SAP library configuration file `MGMT-WEEU-SAP_LIBRARY.tfvars` is located in the `~/Azure_SAP_Automated_Deployment/samples/Terraform/WORKSPACES/LIBRARY/MGMT-WEEU-SAP_LIBRARY` folder.
 
-$region_code="WEEU"
+You can copy the sample configuration files to start testing the deployment automation framework.
 
-$env:TF_VAR_app_registration_app_id = (az ad app create `
-    --display-name $region_code-webapp-registration     `
-    --required-resource-accesses ./manifest.json        `
-    --query "appId").Replace('"',"")
+A minimal Terraform file for the `DEPLOYER` might look like this example:
 
-$env:TF_VAR_webapp_client_secret=(az ad app credential reset `
-    --id $env:TF_VAR_app_registration_app_id --append            `
-    --query "password").Replace('"',"")
+```terraform
+# The environment value is a mandatory field, it is used for partitioning the environments.
+environment = "MGMT"
+# The location/region value is a mandatory field, it is used to control where the resources are deployed
+location = "westeurope"
 
-$env:TF_VAR_use_webapp="true"
+# management_network_address_space is the address space for management virtual network
+management_network_address_space = "10.10.20.0/25"
+# management_subnet_address_prefix is the address prefix for the management subnet
+management_subnet_address_prefix = "10.10.20.64/28"
 
-del manifest.json
+# management_firewall_subnet_address_prefix is the address prefix for the firewall subnet
+management_firewall_subnet_address_prefix = "10.10.20.0/26"
+firewall_deployment = false
+
+# management_bastion_subnet_address_prefix is the address prefix for the bastion subnet
+management_bastion_subnet_address_prefix = "10.10.20.128/26"
+bastion_deployment = true
+
+# deployer_enable_public_ip controls if the deployer Virtual machines will have Public IPs
+deployer_enable_public_ip = false
+
+# deployer_count defines how many deployer VMs will be deployed
+deployer_count = 1
+
+# use_service_endpoint defines that the management subnets have service endpoints enabled
+use_service_endpoint = true
+
+# use_private_endpoint defines that the storage accounts and key vaults have private endpoints enabled
+use_private_endpoint = false
+
+# enable_firewall_for_keyvaults_and_storage defines that the storage accounts and key vaults have firewall enabled
+enable_firewall_for_keyvaults_and_storage = false
+
+# public_network_access_enabled controls if storage account and key vaults have public network access enabled
+public_network_access_enabled = true
 
 ```
 
-# [Azure DevOps](#tab/devops)
+Note the Terraform variable file locations for future edits during deployment.
 
-Currently, it isn't possible to perform this action from Azure DevOps.
+A minimal Terraform file for the `LIBRARY` might look like this example:
 
----
+```terraform
+# The environment value is a mandatory field, it is used for partitioning the environments, for example, PROD and NP.
+environment = "MGMT"
+# The location/region value is a mandatory field, it is used to control where the resources are deployed
+location = "westeurope"
 
-## Deploy the control plane
+#Defines the DNS suffix for the resources
+dns_label = "azure.contoso.net"
 
-The sample deployer configuration file `MGMT-WEEU-DEP00-INFRASTRUCTURE.tfvars` is located in the `~/Azure_SAP_Automated_Deployment/samples/Terraform/WORKSPACES/DEPLOYER/MGMT-WEEU-DEP00-INFRASTRUCTURE` folder.
+# use_private_endpoint defines that the storage accounts and key vaults have private endpoints enabled
+use_private_endpoint = false
+```
 
-The sample SAP library configuration file `MGMT-WEEU-SAP_LIBRARY.tfvars` is located in the `~/Azure_SAP_Automated_Deployment/samples/Terraform/WORKSPACES/LIBRARY/MGMT-WEEU-SAP_LIBRARY` folder.
 
-Run the following command to create the deployer and the SAP library. The command adds the service principal details to the deployment key vault. If you followed the web app setup in the previous step, this command also creates the infrastructure to host the application.
+Note the Terraform variable file locations for future edits during deployment.
+
+Run the following command to create the deployer and the SAP library. The command adds the service principal details to the deployment key vault.
 
 # [Linux](#tab/linux)
 
-You can copy the sample configuration files to start testing the deployment automation framework.
 
 Run the following command to deploy the control plane:
 
@@ -119,7 +142,7 @@ export   ARM_CLIENT_SECRET="<password>"
 export       ARM_TENANT_ID="<tenantId>"
 export            env_code="MGMT"
 export         region_code="WEEU"
-export           vnet_code="DEP01"
+export           vnet_code="DEP00"
 
 export DEPLOYMENT_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/sap-automation"
 export CONFIG_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/WORKSPACES"
@@ -128,16 +151,18 @@ export SAP_AUTOMATION_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/sap-auto
 az logout
 az login --service-principal -u "${ARM_CLIENT_ID}" -p="${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
 
-
 cd ~/Azure_SAP_Automated_Deployment/WORKSPACES
 
 
-sudo ${SAP_AUTOMATION_REPO_PATH}/deploy/scripts/deploy_controlplane.sh                                                                                                            \
-    --deployer_parameter_file "${CONFIG_REPO_PATH}/DEPLOYER/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE.tfvars" \
-    --library_parameter_file "${CONFIG_REPO_PATH}/LIBRARY/${env_code}-${region_code}-SAP_LIBRARY/${env_code}-${region_code}-SAP_LIBRARY.tfvars"                                   \
-    --subscription "${ARM_SUBSCRIPTION_ID}"                                                                                                                                       \
-    --spn_id "${ARM_CLIENT_ID}"                                                                                                                                                   \
-    --spn_secret "${ARM_CLIENT_SECRET}"                                                                                                                                           \
+deployer_parameter_file="${CONFIG_REPO_PATH}/DEPLOYER/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE.tfvars"
+library_parameter_file="${CONFIG_REPO_PATH}/LIBRARY/${env_code}-${region_code}-SAP_LIBRARY/${env_code}-${region_code}-SAP_LIBRARY.tfvars"
+
+${SAP_AUTOMATION_REPO_PATH}/deploy/scripts/deploy_controlplane.sh  \
+    --deployer_parameter_file "${deployer_parameter_file}"         \
+    --library_parameter_file "{library_parameter_file}"            \
+    --subscription "${ARM_SUBSCRIPTION_ID}"                        \
+    --spn_id "${ARM_CLIENT_ID}"                                    \
+    --spn_secret "${ARM_CLIENT_SECRET}"                            \
     --tenant_id "${ARM_TENANT_ID}"
 ```
 
@@ -163,7 +188,7 @@ You can track the progress in the Azure DevOps portal. After the deployment is f
 
 ---
 
-### Manually configure the deployer by using Azure Bastion
+### Manually configure a virtual machine as a SDAF deployer by using Azure Bastion
 
 To connect to the deployer:
 
@@ -204,7 +229,7 @@ cd sap-automation/deploy/scripts
 
 The script installs Terraform and Ansible and configures the deployer.
 
-### Manually configure the deployer
+### Manually configure a virtual machine as a SDAF deployer 
 
 Connect to the deployer VM from a computer that can reach the Azure virtual network.
 
@@ -251,6 +276,116 @@ cd sap-automation/deploy/scripts
 
 The script installs Terraform and Ansible and configures the deployer.
 
+## Securing the control plane
+
+The control plane is the most critical part of the SAP automation framework. It's important to secure the control plane. The following steps help you secure the control plane.
+If you have created your control plane using an external virtual machine or by using the cloud shell, you should secure the control plane by implementing private endpoints for the storage accounts and key vaults.
+
+Log on to the deployer virtual machine and copy the control plane configuration `tfvars` terraform files to the deployer. Ensure that the files are located in the `~/Azure_SAP_Automated_Deployment/WORKSPACES` DEPLOYER and LIBRARY folders.
+
+Ensure that the `use_private_endpoint` variable is set to `true` in the `DEPLOYER` and `LIBRARY` configuration files. Also ensure that `public_network_access_enabled` is set to `false` in the `DEPLOYER`  configuration files.
+
+```terraform
+
+# use_private_endpoint defines that the storage accounts and key vaults have private endpoints enabled
+use_private_endpoint = true
+
+# public_network_access_enabled controls if storage account and key vaults have public network access enabled
+public_network_access_enabled = false
+
+```
+
+Rerun the control plane deployment to enable private endpoints for the storage accounts and key vaults.
+
+```bash
+
+export ARM_SUBSCRIPTION_ID="<subscriptionId>"
+export       ARM_CLIENT_ID="<appId>"
+export   ARM_CLIENT_SECRET="<password>"
+export       ARM_TENANT_ID="<tenantId>"
+export            env_code="MGMT"
+export         region_code="WEEU"
+export           vnet_code="DEP00"
+export  storageaccountname=<storageaccountname>
+
+export DEPLOYMENT_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/sap-automation"
+export CONFIG_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/WORKSPACES"
+export SAP_AUTOMATION_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/sap-automation"
+
+az logout
+az login --service-principal -u "${ARM_CLIENT_ID}" -p="${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
+
+cd ~/Azure_SAP_Automated_Deployment/WORKSPACES
+
+deployer_parameter_file="${CONFIG_REPO_PATH}/DEPLOYER/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE.tfvars"
+library_parameter_file="${CONFIG_REPO_PATH}/LIBRARY/${env_code}-${region_code}-SAP_LIBRARY/${env_code}-${region_code}-SAP_LIBRARY.tfvars"
+
+${SAP_AUTOMATION_REPO_PATH}/deploy/scripts/deploy_controlplane.sh  \
+    --deployer_parameter_file "${deployer_parameter_file}"         \
+    --library_parameter_file "{library_parameter_file}"            \
+    --subscription "${ARM_SUBSCRIPTION_ID}"                        \
+    --spn_id "${ARM_CLIENT_ID}"                                    \
+    --spn_secret "${ARM_CLIENT_SECRET}"                            \
+    --tenant_id "${ARM_TENANT_ID}"                                 \
+    --storageaccountname "${storageaccountname}"                   \
+    --recover
+```
+
+
+## Prepare the web app
+This step is optional. If you want a browser-based UX to help the configuration of SAP workload zones and systems, run the following commands before you deploy the control plane.
+
+# [Linux](#tab/linux)
+
+```bash
+echo '[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}]}]' >> manifest.json
+
+region_code=WEEU
+
+export TF_VAR_app_registration_app_id=$(az ad app create \
+    --display-name ${region_code}-webapp-registration \
+    --enable-id-token-issuance true \
+    --sign-in-audience AzureADMyOrg \
+    --required-resource-access @manifest.json \
+    --query "appId" | tr -d '"')
+
+export TF_VAR_webapp_client_secret=$(az ad app credential reset \
+    --id $TF_VAR_app_registration_app_id --append               \
+    --query "password" | tr -d '"')
+
+export TF_VAR_use_webapp=true
+rm manifest.json
+
+```
+# [Windows](#tab/windows)
+
+```powershell
+
+Add-Content -Path manifest.json -Value '[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}]}]'
+
+$region_code="WEEU"
+
+$env:TF_VAR_app_registration_app_id = (az ad app create `
+    --display-name $region_code-webapp-registration     `
+    --required-resource-accesses ./manifest.json        `
+    --query "appId").Replace('"',"")
+
+$env:TF_VAR_webapp_client_secret=(az ad app credential reset `
+    --id $env:TF_VAR_app_registration_app_id --append            `
+    --query "password").Replace('"',"")
+
+$env:TF_VAR_use_webapp="true"
+
+del manifest.json
+
+```
+
+# [Azure DevOps](#tab/devops)
+
+Currently, it isn't possible to perform this action from Azure DevOps.
+
+---
+
 ## Next step
 
 > [!div class="nextstepaction"]
