Commit 9236641

Webapp backend changes (#4)
1 parent 0bd39a9 commit 9236641

4 files changed

+27
-21
lines changed

articles/virtual-machines/workloads/sap/automation-configure-control-plane.md

Lines changed: 3 additions & 3 deletions
@@ -89,11 +89,11 @@ The table below contains the networking parameters.
8989
> | | | | |
9090
> | `management_bastion_subnet_arm_id` | The Azure resource identifier for the Bastion subnet | Mandatory | For brown field deployments. |
9191
> | `management_bastion_subnet_address_prefix` | The address range for the subnet | Mandatory | For green field deployments. |
92-
> | `cmdb_subnet_arm_id` | The Azure resource identifier for the Cosmos DB subnet | Mandatory | For brown field deployments using the web app |
93-
> | `cmdb_subnet_address_prefix` | The address range for the subnet | Mandatory | For green field deployments using the web app |
92+
> | `webapp_subnet_arm_id` | The Azure resource identifier for the web app subnet | Mandatory | For brown field deployments using the web app |
93+
> | `webapp_subnet_address_prefix` | The address range for the subnet | Mandatory | For green field deployments using the web app |
9494
9595
> [!NOTE]
96-
> When using an existing subnet for the cosmos db and web app, the subnet must be empty, in the same region as the resource group being deployed, and delegated to Microsoft.Web/serverFarms![image](https://user-images.githubusercontent.com/9037701/174907147-05acfbd3-7ccb-4d62-aa4c-7e2ea64320c2.png)
96+
> When using an existing subnet for the web app, the subnet must be empty, in the same region as the resource group being deployed, and delegated to Microsoft.Web/serverFarms
9797
9898

9999
### Deployer Virtual Machine Parameters
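
Review bot: the renamed rows at new lines 92 and 93 replace `cmdb_subnet_arm_id` and `cmdb_subnet_address_prefix` with `webapp_subnet_arm_id` and `webapp_subnet_address_prefix` without telling readers who already use the old names in their configuration what to do. Add a sentence stating whether the old names are still accepted or must be renamed. Both rows are also marked Mandatory while the last column limits them to deployments "using the web app"; state that condition in the type column so the table does not read as an unconditional requirement.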

articles/virtual-machines/workloads/sap/automation-configure-devops.md

Lines changed: 4 additions & 2 deletions
@@ -250,7 +250,7 @@ The pipelines use a custom task to perform cleanup activities post deployment. T
250250

251251
:::image type="content" source="./media/automation-devops/automation-select-personal-access-tokens.jpg" alt-text="Diagram showing the creation of the Personal Access Token (PAT).":::
252252

253-
1. Create a personal access token. Ensure that _Read & manage_ is selected for _Agent Pools_, _Read & write_ is selected for _Code_, and _Read, create, & manage_ is selected for _Variable Groups_. Write down the created token value.
253+
1. Create a personal access token. Ensure that _Read & manage_ is selected for _Agent Pools_, _Read & write_ is selected for _Code_, _Read & execute_ is selected for _Build_, and _Read, create, & manage_ is selected for _Variable Groups_. Write down the created token value.
254254

255255
:::image type="content" source="./media/automation-devops/automation-new-pat.png" alt-text="Diagram showing the attributes of the Personal Access Token (PAT).":::
256256

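Review bot: line 253 widens the personal access token with _Read & execute_ on _Build_ but does not say which step needs it, so a reader cannot tell whether the scope is required or can be left out when the web app is not used. State the reason next to the scope. The same sentence still ends with "Write down the created token value" for a token that now also covers builds; consider pointing to a secret store and a short expiry instead.
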
@@ -429,7 +429,9 @@ az ad app update --id $TF_VAR_app_registration_app_id --web-home-page-url https:
429429
---
430430
After updating the reply-urls, run the pipeline.
431431

432-
By default there will be no inbound public internet access to the web app apart from the deployer virtual network. To allow additional access to the web app, navigate to the Azure portal. In the deployer resource group, find the web app. Then under settings on the left hand side, click on networking. From here, click Access restriction. Add any allow or deny rules you would like. For more information on configuring access restrictions, see [Set up Azure App Service access restrictions](https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions).
432+
By default there will be no inbound public internet access to the web app apart from the deployer virtual network. To allow additional access to the web app, navigate to the Azure portal. In the deployer resource group, navigate to the app service resource. Then under settings on the left hand side, click on networking. From here, click Access restriction. Add any allow or deny rules you would like. For more information on configuring access restrictions, see [Set up Azure App Service access restrictions](https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions).
433+
434+
You will also need to grant reader permissions to the app service system-assigned managed identity. Navgiate to the app service resource. On the left hand side, click "Identity". In the "system assigned" tab, click on "Azure role assignments" > "Add role assignment". Select "subscription" as the scope, and "reader" as the role. Then click save. Without this step, the web app dropdown functionality will not work.
433435

434436
You should now be able to visit the web app, and use it to deploy SAP workload zones and SAP system infrastructure.
435437

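Review bot: the paragraph added at line 434 asks for the reader role at subscription scope on the app service system-assigned managed identity, but the only justification given is that the dropdowns fail without it. Say which subscription is meant and that the role is read-only, so whoever approves the role assignment knows what is being granted and why. "Navgiate" in the same line should be "Navigate".
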
articles/virtual-machines/workloads/sap/automation-configure-webapp.md

Lines changed: 18 additions & 16 deletions
@@ -69,8 +69,9 @@ For full instructions on setting up the web app using Azure Devops, see [Use SAP
6969

7070
### Summary of steps required to access the web app after deploying the control plane:
7171
1. Update the app registration reply URLs.
72-
2. Run the webb app deployment pipeline you set up in step 1 above.
73-
3. (Optionally) add an additional access policy to the app service.
72+
2. Assign the reader role with the subscription scope to the app service system assigned managed identity.
73+
3. Run the web app deployment pipeline.
74+
4. (Optionally) add an additional access policy to the app service.
7475

7576
## Deploy via Azure CLI (cloudshell)
7677

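Review bot: new step 2 at line 72 places the role assignment before step 3, "Run the web app deployment pipeline", while automation-configure-devops.md in this same commit introduces the role assignment after "After updating the reply-urls, run the pipeline." Pick one order and use it in both files, and please confirm that the app service and its managed identity already exist at the point where the summary asks for the assignment.
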
@@ -81,42 +82,43 @@ For full instructions on setting up the web app using the Azure CLI, see [Deploy
8182

8283
### Summary of steps required to access the web app after deploying the control plane:
8384
1. Update the app registration reply URLs.
84-
2. Generate a zip file of the web app code.
85-
3. Deploy the software to the app service.
86-
4. Configure the application settings.
87-
5. (Optionally) add an additional access policy to the app service.
85+
2. Assign the reader role with the subscription scope to the app service system assigned managed identity.
86+
3. Generate a zip file of the web app code.
87+
4. Deploy the software to the app service.
88+
5. Configure the application settings.
89+
6. (Optionally) add an additional access policy to the app service.
8890

8991

9092
## Using the web app
9193

92-
The web app allows you to create SAP workload zone (landscape) objects and system infrastructure objects. These are essentially another representation of a configuration file.
94+
The web app allows you to create SAP workload zone objects and system infrastructure objects. These are essentially another representation of a configuration file.
9395
In the case of deploying using Azure Devops, you have ability to deploy these workload zones and system infrastructures right from the web app.
9496
In the case of deploying using the Azure CLI, you can download the parameter file for any landscape or system object you create, and use that in your command line deployments.
9597

9698
### Creating a landscape or system object from scratch
97-
1. Navigate to the "Landscape" or "System" tab at the top of the website.
99+
1. Navigate to the "Workload zones" or "Systems" tab at the top of the website.
98100
2. Click "Create New" in the bottom left corner.
99101
3. Fill out the required parameters in the "Basic" and "Advanced" tabs, and any additional parameters you desire.
100102
4. Certain parameters will be dropdowns populated with existing azure resources.
101-
* If no results are shown for a dropdown, you probably need to specify another dropdown before you can see any options.
103+
* If no results are shown for a dropdown, you probably need to specify another dropdown before you can see any options. Or, see step 2 above regarding the system assigned managed identity.
102104
- The subscription parameter must be specified before any other dropdown functionality is enabled
103105
- The network_arm_id parameter must be specified before any subnet dropdown functionality is enabled
104106
5. Click submit in the bottom left hand corner
105107

106-
### Creating a landscape or system object from a file
108+
### Creating a workload zone or system object from a file
107109
1. Navigate to the "File" tab at the top of the website.
108110
2. Your options are
109111
* Create a new file from scratch there in browser. It should be in the .tfvars file format. Click save.
110112
* Import an existing .tfvars file, and (optionally) edit it before saving.
111113
* Use an existing template, and (optionally) edit it before saving.
112114
3. Make sure your file conforms to the correct naming conventions.
113-
4. Next to the file you would like to convert to a landscape or system object, click "Convert".
114-
5. The landscape or system object will appear in its respective tab.
115+
4. Next to the file you would like to convert to a workload zone or system object, click "Convert".
116+
5. The workload zone or system object will appear in its respective tab.
115117

116-
### Deploying a landscape or system object (Azure Devops deployment)
117-
1. Navigate to the Landscape or System tab.
118-
2. Next to the landscape or system you would like to deploy, click "Deploy".
119-
* If you would like to deploy a file, first convert it to a landscape or system object.
118+
### Deploying a workload zone or system object (Azure Devops deployment)
119+
1. Navigate to the Workload zones or Systems tab.
120+
2. Next to the workload zone or system you would like to deploy, click "Deploy".
121+
* If you would like to deploy a file, first convert it to a workload zone or system object.
120122
4. Specify the necessary parameters, and confirm it is the correct object.
121123
5. Click deploy.
122124
6. The web app will automatically generate a .tfvars file from the object, update your Devops repository, and kick off the workload zone or system (infrastructure) pipeline. Monitor the deployment back in Azure Devops.
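
Review bot: "see step 2 above" at line 103 sits inside the numbered list under "Creating a landscape or system object from scratch", whose own step 2 is "Click "Create New"", so the reference resolves to the wrong step. Name the target instead, for example "see the role assignment step in the deployment summary". The rename is also incomplete: line 96 ("any landscape or system object") and the heading at line 98 still say "landscape" while the other headings in this hunk now say "workload zone".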

articles/virtual-machines/workloads/sap/automation-deploy-control-plane.md

Lines changed: 2 additions & 0 deletions
@@ -342,6 +342,8 @@ IS_PIPELINE_DEPLOYMENT=false
342342
343343
By default there will be no inbound public internet access to the web app apart from the deployer virtual network. To allow additional access to the web app, navigate to the Azure portal. In the deployer resource group, find the web app. Then under settings on the left hand side, click on networking. From here, click Access restriction. Add any allow or deny rules you would like. For more information on configuring access restrictions, see [Set up Azure App Service access restrictions](https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions).
344344
345+
You will also need to grant reader permissions to the app service system-assigned managed identity. Navgiate to the app service resource. On the left hand side, click "Identity". In the "system assigned" tab, click on "Azure role assignments" > "Add role assignment". Select "subscription" as the scope, and "reader" as the role. Then click save. Without this step, the web app dropdown functionality will not work.
346+
345347
You can login and visit the web app by following the URL from earlier or clicking browse inside the app service resource. With the web app, you are able to configure SAP workload zones and system infrastructure. Click download to obtain a parameter file of the workload zone or system you specified, for use in the later deployment steps.
346348
347349

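Review bot: the paragraph added at line 345 gives portal click-through steps only, in a file whose hunk context is the CLI flow (`IS_PIPELINE_DEPLOYMENT=false`). Consider adding the equivalent `az role assignment create` call so the step can be completed from the same shell. The paragraph is a verbatim copy of the one added to automation-configure-devops.md, including the "Navgiate" typo, and the unchanged line 343 above it still says "find the web app" where the other file was changed to "navigate to the app service resource"; fix the typo and align the wording in both files.
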