Add a section on MSI

Kimmo Forss · Kimmo Forss · commit 7d32f1014edf · 2024-03-11T15:56:33.000+02:00
diff --git a/articles/sap/automation/get-started.md b/articles/sap/automation/get-started.md
@@ -19,13 +19,124 @@ Get started quickly with [SAP Deployment Automation Framework](deployment-framew
 To get started with SAP Deployment Automation Framework, you need:
 
 - An Azure subscription. If you don't have an Azure subscription, you can [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- An SAP USer account with permissions to [download the SAP software](software.md) in your Azure environment. See [SAP S-User](https://support.sap.com/en/my-support/users/welcome.html) for more information.
+- An SAP User account with permissions to [download the SAP software](software.md) in your Azure environment. For more information on S-User, see [SAP S-User](https://support.sap.com/en/my-support/users/welcome.html).
 - An [Azure CLI](/cli/azure/install-azure-cli) installation.
-- A service principal to use for the control plane deployment.
-- A service principal to use for the workload zone deployment.
+- A user Assigned Identity (MS) or a service principal to use for the control plane deployment.
+- A user Assigned Identity (MS) or a A service principal to use for the workload zone deployment.
 - An ability to create an Azure DevOps project if you want to use Azure DevOps for deployment.
 
-Some of the prerequisites might already be installed in your deployment environment. Both Azure Cloud Shell and the deployer have Terraform and the Azure CLI installed.
+Some of the prerequisites might already be installed in your deployment environment. Both Azure Cloud Shell and the deployer come with Terraform and the Azure CLI installed.
+
+### Create a service principal
+
+The SAP automation deployment framework uses service principals for deployment.
+
+When you choose a name for your service principal, make sure that the name is unique within your Azure tenant. Make sure to use an account with service principals creation permissions when running the script.
+
+1. Create the service principal with Contributor permissions.
+
+    ```cloudshell-interactive
+    export    ARM_SUBSCRIPTION_ID="<subscriptionId>"
+    export control_plane_env_code="LAB"
+
+    az ad sp create-for-rbac --role="Contributor"  --scopes="/subscriptions/$ARM_SUBSCRIPTION_ID"   --name="$control_plane_env_code-Deployment-Account"
+    ```
+
+    Review the output. For example:
+
+    ```json
+    {
+        "appId": "<AppId>",
+        "displayName": "<environment>-Deployment-Account ",
+        "name": "<AppId>",
+        "password": "<AppSecret>",
+        "tenant": "<TenantId>"
+    }
+    ```
+
+1. Copy the output details. Make sure to save the values for `appId`, `password`, and `Tenant`.
+
+    The output maps to the following parameters. You use these parameters in later steps, with automation commands.
+
+    | Parameter input name | Output name |
+    |--------------------------|-----------------|
+    | `spn_id`                 | `appId`         |
+    | `spn_secret`             | `password`      |
+    | `tenant_id`              | `tenant`        |
+
+1. Optionally, assign the User Access Administrator role to the service principal.
+
+    ```cloudshell-interactive
+    export appId="<appId>"
+
+    az role assignment create --assignee $appId --role "User Access Administrator"  --scope /subscriptions/$ARM_SUBSCRIPTION_ID
+    ```
+
+
+> [!IMPORTANT]
+> If you don't assign the User Access Administrator role to the service principal, you can't assign permissions using the automation framework.
+
+### Create a user assigned Identity
+
+
+The SAP automation deployment framework can also use a user assigned identity (MSI) for the deployment. Make sure to use an account with permissions to create managed identities when running the script that creates the identity.
+
+
+1. Create the managed identity.
+
+    ```cloudshell-interactive
+    export    ARM_SUBSCRIPTION_ID="<subscriptionId>"
+    export control_plane_env_code="LAB"
+
+    az identity create --name ${control_plane_env_code}-Deployment-Identity --resource-group <ExistingResourceGroup>
+    ```
+
+    Review the output. For example:
+
+    ```json
+       {
+         "clientId": "<appId>",
+         "id": "<armId>",
+         "location": "<location>",
+         "name": "${control_plane_env_code}-Deployment-Identity",
+         "principalId": "<objectId>",
+         "resourceGroup": "<ExistingResourceGroup>",
+         "systemData": null,
+         "tags": {},
+         "tenantId": "<TenantId>",
+         "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
+       }
+    ```
+
+1. Copy the output details.
+
+    The output maps to the following parameters. You use these parameters in later steps, with automation commands.
+
+    | Parameter input name     | Output name     |
+    |--------------------------|-----------------|
+    | `app_id`                 | `appId`         |
+    | `msi_id`                 | `armId`         |
+
+
+1. Assign the Contributor role to the identity.
+
+    ```cloudshell-interactive
+    export appId="<appId>"
+
+    az role assignment create --assignee $appId  --role "Contributor"  --scope /subscriptions/$ARM_SUBSCRIPTION_ID
+    ```
+
+1. Optionally, assign the User Access Administrator role to the identity.
+
+    ```cloudshell-interactive
+    export appId="<appId>"
+
+    az role assignment create --assignee $appId  --role "User Access Administrator"  --scope /subscriptions/$ARM_SUBSCRIPTION_ID
+    ```
+
+
+> [!IMPORTANT]
+> If you don't assign the User Access Administrator role to the managed identity, you can't assign permissions using the automation framework.
 
 ## Use SAP Deployment Automation Framework from Azure DevOps Services
 
@@ -51,34 +162,34 @@ Open PowerShell ISE and copy the following script and update the parameters to m
     $Env:SDAF_ControlPlaneSubscriptionID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
     $Env:SDAF_WorkloadZoneSubscriptionID = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
     $Env:ARM_TENANT_ID="zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"
-    
+
     $UniqueIdentifier = Read-Host "Please provide an identifier that makes the service principal names unique, for instance a project code"
-    
+
     $confirmation = Read-Host "Do you want to create a new Application registration (needed for the Web Application) y/n?"
     if ($confirmation -eq 'y') {
         $Env:SDAF_APP_NAME = $UniqueIdentifier + " SDAF Control Plane"
     }
-    
+
     else {
       $Env:SDAF_APP_NAME = Read-Host "Please provide the Application registration name"
     }
-    
+
     $confirmation = Read-Host "Do you want to create a new Service Principal for the Control plane y/n?"
     if ($confirmation -eq 'y') {
         $Env:SDAF_MGMT_SPN_NAME = $UniqueIdentifier + " SDAF " + $Env:SDAF_CONTROL_PLANE_CODE + " SPN"
     }
         else {
       $Env:SDAF_MGMT_SPN_NAME = Read-Host "Please provide the Control Plane Service Principal Name"
     }
-    
+
     $confirmation = Read-Host "Do you want to create a new Service Principal for the Workload zone y/n?"
     if ($confirmation -eq 'y') {
         $Env:SDAF_WorkloadZone_SPN_NAME = $UniqueIdentifier + " SDAF " + $Env:SDAF_WORKLOAD_ZONE_CODE + " SPN"
     }
         else {
       $Env:SDAF_WorkloadZone_SPN_NAME = Read-Host "Please provide the Workload Zone Service Principal Name"
     }
-    
+
     if ( $PSVersionTable.Platform -eq "Unix") {
         if ( Test-Path "SDAF") {
         }
@@ -94,15 +205,15 @@ Open PowerShell ISE and copy the following script and update the parameters to m
             New-Item -Path $sdaf_path -Type Directory
         }
     }
-    
+
     Set-Location -Path $sdaf_path
-    
+
     if ( Test-Path "New-SDAFDevopsProject.ps1") {
         remove-item .\New-SDAFDevopsProject.ps1
     }
-    
+
     Invoke-WebRequest -Uri https://raw.githubusercontent.com/Azure/sap-automation/main/deploy/scripts/New-SDAFDevopsProject.ps1 -OutFile .\New-SDAFDevopsProject.ps1 ; .\New-SDAFDevopsProject.ps1
-    
+
 ```
 
 Run the script and follow the instructions. The script opens browser windows for authentication and for performing tasks in the Azure DevOps project.
@@ -142,7 +253,7 @@ You can then install the deployer components by using the following commands:
 
 ```bash
 
-wget https://raw.githubusercontent.com/Azure/sap-automation/main/deploy/scripts/configure_deployer.sh -O configure_deployer.sh	
+wget https://raw.githubusercontent.com/Azure/sap-automation/main/deploy/scripts/configure_deployer.sh -O configure_deployer.sh
 chmod +x ./configure_deployer.sh
 ./configure_deployer.sh
 
diff --git a/articles/sap/automation/plan-deployment.md b/articles/sap/automation/plan-deployment.md
@@ -232,7 +232,7 @@ The following table shows the required permissions for the service principals.
 > | Workload Zone SPN                            | SAP library `sapbits` storage account | Reader                                 |                    |
 > | Workload Zone SPN                            | Private DNS zone                      | Private DNS zone contributor           |                    |
 > | Web Application Identity                     | Target subscription                   | Reader                                 |                    |
-> | Cluster Virtual Machine Identity             | Resource group                        | Fencing role                           |
+> | Cluster Virtual Machine Identity             | Resource group                        | Fencing role                           |                    |
 
 ### Firewall configuration
 
