Merge pull request #261350 from KimForss/main

Minor control plane updates

Author: prmerger-automator[bot]

articles/sap/automation/deploy-control-plane.md

@@ -4,7 +4,7 @@ description: Overview of the control plane deployment process in SAP Deployment
 author: kimforss
 ms.author: kimforss
 ms.reviewer: kimforss
-ms.date: 05/19/2023
+ms.date: 12/15/2023
 ms.topic: how-to
 ms.service: sap-on-azure
 ms.subservice: sap-automation
@@ -40,9 +40,15 @@ az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<subscrip
 Optionally, assign the following permissions to the service principal:
 
 ```azurecli
-az role assignment create --assignee <appId> --role "User Access Administrator" --scope /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>
+az role assignment create --assignee <appId> --role "User Access Administrator" --scope /subscriptions/<subscriptionID>
 ```
 
+If you want to provide the User Access Administrator role scoped to the resource group only, use the following command:
+
+```azurecli
+
+az role assignment create --assignee <appId> --role "User Access Administrator" --scope /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>
+```
 
 ## Deploy the control plane
 
@@ -194,7 +200,7 @@ You can track the progress in the Azure DevOps portal. After the deployment is f
 
 ---
 
-### Manually configure a virtual machine as a SDAF deployer by using Azure Bastion
+### Manually configure a virtual machine as a SDAF deployer using Azure Bastion
 
 To connect to the deployer:
 
@@ -222,15 +228,14 @@ Run the following script to configure the deployer:
 
 mkdir -p ~/Azure_SAP_Automated_Deployment; cd $_
 
-git clone https://github.com/Azure/sap-automation-bootstrap.git config
-
-git clone https://github.com/Azure/sap-automation.git sap-automation
+wget https://raw.githubusercontent.com/Azure/sap-automation/main/deploy/scripts/configure_deployer.sh -O configure_deployer.sh	
+chmod +x ./configure_deployer.sh
+./configure_deployer.sh
 
-git clone https://github.com/Azure/sap-automation-samples.git samples
+# Source the new variables
 
-cd sap-automation/deploy/scripts
+. /etc/profile.d/deploy_server.sh
 
-./configure_deployer.sh
 ```
 
 The script installs Terraform and Ansible and configures the deployer.
@@ -269,15 +274,13 @@ Configure the deployer by using the following script:
 ```bash
 mkdir -p ~/Azure_SAP_Automated_Deployment; cd $_
 
-git clone https://github.com/Azure/sap-automation-bootstrap.git config
-
-git clone https://github.com/Azure/sap-automation.git sap-automation
-
-git clone https://github.com/Azure/sap-automation-samples.git samples
+wget https://raw.githubusercontent.com/Azure/sap-automation/main/deploy/scripts/configure_deployer.sh -O configure_deployer.sh	
+chmod +x ./configure_deployer.sh
+./configure_deployer.sh
 
-cd sap-automation/deploy/scripts
+# Source the new variables
 
-./configure_deployer.sh
+. /etc/profile.d/deploy_server.sh
 ```
 
 The script installs Terraform and Ansible and configures the deployer.
@@ -287,7 +290,15 @@ The script installs Terraform and Ansible and configures the deployer.
 The control plane is the most critical part of the SAP automation framework. It's important to secure the control plane. The following steps help you secure the control plane.
 If you have created your control plane using an external virtual machine or by using the cloud shell, you should secure the control plane by implementing private endpoints for the storage accounts and key vaults.
 
-Log on to the deployer virtual machine and copy the control plane configuration `tfvars` terraform files to the deployer. Ensure that the files are located in the `~/Azure_SAP_Automated_Deployment/WORKSPACES` DEPLOYER and LIBRARY folders.
+You can use the `sync_deployer.sh` script to copy the control plane configuration files to the deployer VM. Sign in to the deployer VM and run the following commands:
+
+```bash
+
+cd ~/Azure_SAP_Automated_Deployment/WORKSPACES
+
+../sap-automation/deploy/scripts/sync_deployer.sh --storageaccountname mgtneweeutfstate### --state_subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+
+```
 
 Ensure that the `use_private_endpoint` variable is set to `true` in the `DEPLOYER` and `LIBRARY` configuration files. Also ensure that `public_network_access_enabled` is set to `false` in the `DEPLOYER`  configuration files.
 

articles/sap/automation/tutorial.md

@@ -4,7 +4,7 @@ description: Learn how to use SAP Deployment Automation Framework.
 author: hdamecharla
 ms.author: hdamecharla
 ms.reviewer: kimforss
-ms.date: 12/13/2023
+ms.date: 12/15/2023
 ms.topic: tutorial
 ms.service: sap-on-azure
 ms.subservice: sap-automation
@@ -278,7 +278,6 @@ When you choose a name for your service principal, make sure that the name is un
     # public_network_access_enabled controls if storage account and key vaults have public network access enabled
     public_network_access_enabled = true
 
-
     ```
 
     Note the Terraform variable file locations for future edits during deployment.
@@ -325,7 +324,14 @@ export       ARM_TENANT_ID="<tenantId>"
 
 ```
 
-1. Create the deployer and the SAP library. Add the service principal details to the deployment key vault.
+If you are running the script from a workstation that is not part of the deployment network or from the Azure Cloud Shell, you can use the following command to set the environment variable for allowing connectivity from your IP address:
+
+```bash
+export TF_VAR_Agent_IP=<your-public-ip-address>
+```
+
+
+1. Create the deployer and the SAP library and add the service principal details to the deployment key vault using this script.
 
 ```bash
 
@@ -336,15 +342,14 @@ export         region_code="<region_code>"
 export DEPLOYMENT_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/sap-automation"
 export CONFIG_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/WORKSPACES"
 
-
 cd $CONFIG_REPO_PATH
 
 deployer_parameter_file="${CONFIG_REPO_PATH}/DEPLOYER/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE.tfvars"
 library_parameter_file="${CONFIG_REPO_PATH}/LIBRARY/${env_code}-${region_code}-SAP_LIBRARY/${env_code}-${region_code}-SAP_LIBRARY.tfvars"
 
 ${SAP_AUTOMATION_REPO_PATH}/deploy/scripts/deploy_controlplane.sh  \
     --deployer_parameter_file "${deployer_parameter_file}"         \
-    --library_parameter_file "${library_parameter_file}"            \
+    --library_parameter_file "${library_parameter_file}"           \
     --subscription "${ARM_SUBSCRIPTION_ID}"                        \
     --spn_id "${ARM_CLIENT_ID}"                                    \
     --spn_secret "${ARM_CLIENT_SECRET}"                            \
@@ -439,7 +444,9 @@ To connect to your deployer VM:
 1. Connect to the deployer VM through any SSH client, such as Visual Studio Code. Use the public IP address you noted earlier and the SSH key you downloaded. For instructions on how to connect to the deployer by using Visual Studio Code, see [Connect to the deployer by using Visual Studio Code](tools-configuration.md#configure-visual-studio-code). If you're using PuTTY, convert the SSH key file first by using PuTTYGen.
 
 > [!NOTE]
->The default username is *azureadm*.
+>The default username is *azureadm*. 
+>
+> Ensure that the file you use to save the ssh key can save the file using the correct format, i.e without Carrage Return (CR) characters. Use Visual Studio Code or Notepad++.
 
 After you're connected to the deployer VM, you can download the SAP software by using the Bill of Materials (BOM).
 
@@ -476,6 +483,8 @@ The rest of the tasks must be executed on the deployer.
 
 The control plane is the most critical part of the SAP automation framework. It's important to secure the control plane. The following steps help you secure the control plane.
 
+You should update the control plane tfvars file to enable private endpoints and to block public access to the storage accounts and key vaults. 
+
 To copy the control plane configuration files to the deployer VM, you can use the `sync_deployer.sh` script. Sign in to the deployer VM and run the following commands:
 
 ```bash