Configure the control plane

The control plane for the SAP on Azure Deployment Automation Framework consists of the following components:

  • Deployer
  • SAP library

Diagram Control Plane.

Deployer

The deployer is the execution engine of the SAP automation framework. It's a pre-configured virtual machine (VM) that is used for executing Terraform and Ansible commands. When using Azure DevOps the deployer is a self-hosted agent.

The configuration of the deployer is performed in a Terraform tfvars variable file.

Terraform Parameters

This table shows the Terraform parameters, these parameters need to be entered manually if not using the deployment scripts

Variable Description Type
tfstate_resource_id Azure resource identifier for the storage account in the SAP Library that contains the Terraform state files Required

Environment Parameters

This table shows the parameters that define the resource naming.

Variable Description Type Notes
environment Identifier for the control plane (max 5 chars) Mandatory For example, PROD for a production environment and NP for a non-production environment.
location The Azure region in which to deploy. Required Use lower case
'name_override_file' Name override file Optional see Custom naming

Resource Group

This table shows the parameters that define the resource group.

Variable Description Type
resource_group_name Name of the resource group to be created Optional
resource_group_arm_id Azure resource identifier for an existing resource group Optional
resourcegroup_tags Tags to be associated with the resource group Optional

Network Parameters

The automation framework supports both creating the virtual network and the subnets (green field) or using an existing virtual network and existing subnets (brown field) or a combination of green field and brown field.

  • For the green field scenario, the virtual network address space and the subnet address prefixes must be specified
  • For the brown field scenario, the Azure resource identifier for the virtual network and the subnets must be specified

The recommended CIDR of the virtual network address space is /27, which allows space for 32 IP addresses. A CIDR value of /28 only allows 16 IP addresses. If you want to include Azure Firewall, use a CIDR value of /25, because Azure Firewall requires a range of /26.

The recommended CIDR value for the management subnet is /28 that allows 16 IP addresses. The recommended CIDR value for the firewall subnet is /26 that allows 64 IP addresses.

This table shows the networking parameters.

Variable Description Type Notes
management_network_name The name of the VNet into which the deployer will be deployed Optional For green field deployments.
management_network_logical_name The logical name of the network (DEV-WEEU-MGMT01-INFRASTRUCTURE) Required
management_network_arm_id The Azure resource identifier for the virtual network Optional For brown field deployments.
management_network_address_space The address range for the virtual network Mandatory For green field deployments.
management_subnet_name The name of the subnet Optional
management_subnet_address_prefix The address range for the subnet Mandatory For green field deployments.
management_subnet_arm_id The Azure resource identifier for the subnet Mandatory For brown field deployments.
management_subnet_nsg_name The name of the Network Security Group name Optional
management_subnet_nsg_arm_id The Azure resource identifier for the Network Security Group Mandatory Mandatory For brown field deployments.
management_subnet_nsg_allowed_ips Range of allowed IP addresses to add to Azure Firewall Optional
management_firewall_subnet_arm_id The Azure resource identifier for the Firewall subnet Mandatory For brown field deployments.
management_firewall_subnet_address_prefix The address range for the subnet Mandatory For green field deployments.
management_bastion_subnet_arm_id The Azure resource identifier for the Bastion subnet Mandatory For brown field deployments.
management_bastion_subnet_address_prefix The address range for the subnet Mandatory For green field deployments.
webapp_subnet_arm_id The Azure resource identifier for the web app subnet Mandatory For brown field deployments using the web app
webapp_subnet_address_prefix The address range for the subnet Mandatory For green field deployments using the web app

Note

When using an existing subnet for the web app, the subnet must be empty, in the same region as the resource group being deployed, and delegated to Microsoft.Web/serverFarms

Deployer Virtual Machine Parameters

This table shows the parameters related to the deployer virtual machine.

Variable Description Type
deployer_size Defines the Virtual machine SKU to use, for example Standard_D4s_v3 Optional
deployer_count Defines the number of Deployers Optional
deployer_image Defines the Virtual machine image to use, see below Optional
plan Defines the plan associated to the Virtual machine image, see below Optional
deployer_disk_type Defines the disk type, for example Premium_LRS Optional
deployer_use_DHCP Controls if Azure subnet provided IP addresses should be used (dynamic) true Optional
deployer_private_ip_address Defines the Private IP address to use Optional
deployer_enable_public_ip Defines if the deployer has a public IP Optional
auto_configure_deployer Defines deployer will be configured with the required software (Terraform and Ansible) Optional

The Virtual Machine image is defined using the following structure:

{
  "os_type"         = ""
  "source_image_id" = ""
  "publisher"       = "Canonical"
  "offer"           = "0001-com-ubuntu-server-focal"
  "sku"             = "20_04-lts"
  "version"         = "latest"
  "type"            = "marketplace"
}

Note

type can be marketplace/marketplace_with_plan/custom Note that using a image of type 'marketplace_with_plan' will require that the image in question has been used at least once in the subscription. This is because the first usage prompts the user to accept the License terms and the automation has no mean to approve it.

Authentication Parameters

The table below defines the parameters used for defining the Virtual Machine authentication

Variable Description Type
deployer_vm_authentication_type Defines the default authentication for the Deployer Optional
deployer_authentication_username Administrator account name Optional
deployer_authentication_password Administrator password Optional
deployer_authentication_path_to_public_key Path to the public key used for authentication Optional
deployer_authentication_path_to_private_key Path to the private key used for authentication Optional

Key Vault Parameters

The table below defines the parameters used for defining the Key Vault information

Variable Description Type
user_keyvault_id Azure resource identifier for the user key vault Optional
spn_keyvault_id Azure resource identifier for the key vault containing the deployment credentials Optional
deployer_private_key_secret_name The Azure Key Vault secret name for the deployer private key Optional
deployer_public_key_secret_name The Azure Key Vault secret name for the deployer public key Optional
deployer_username_secret_name The Azure Key Vault secret name for the deployer username Optional
deployer_password_secret_name The Azure Key Vault secret name for the deployer password Optional
additional_users_to_add_to_keyvault_policies A list of user object IDs to add to the deployment KeyVault access policies Optional

DNS Support

Variable Description Type
use_custom_dns_a_registration Use an existing Private DNS zone Optional
management_dns_subscription_id Subscription ID for the subscription containing the Private DNS Zone Optional
management_dns_resourcegroup_name Resource group containing the Private DNS Zone Optional
dns_label DNS name of the private DNS zone Optional

Other parameters

Variable Description Type Notes
firewall_deployment Boolean flag controlling if an Azure firewall is to be deployed Optional
bastion_deployment Boolean flag controlling if Azure Bastion host is to be deployed Optional
enable_purge_control_for_keyvaults Boolean flag controlling if purge control is enabled on the Key Vault. Optional Use only for test deployments
use_private_endpoint Use private endpoints Optional
use_service_endpoint Use service endpoints for subnets Optional
enable_firewall_for_keyvaults_and_storage Restrict access to selected subnets Optional

Example parameters file for deployer (required parameters only)

# The environment value is a mandatory field, it is used for partitioning the environments, for example (PROD and NP)
environment="MGMT"

# The location/region value is a mandatory field, it is used to control where the resources are deployed
location="westeurope"

# management_network_address_space is the address space for management virtual network
management_network_address_space="10.10.20.0/25"

# management_subnet_address_prefix is the address prefix for the management subnet
management_subnet_address_prefix="10.10.20.64/28"

# management_firewall_subnet_address_prefix is the address prefix for the firewall subnet
management_firewall_subnet_address_prefix="10.10.20.0/26"

# management_bastion_subnet_address_prefix is a mandatory parameter if bastion is deployed and if the subnets are not defined in the workload or if existing subnets are not used
management_bastion_subnet_address_prefix = "10.10.20.128/26"

deployer_enable_public_ip=false

firewall_deployment=true

bastion_deployment=true

SAP Library

The SAP Library provides the persistent storage of the Terraform state files and the downloaded SAP installation media for the control plane.

The configuration of the SAP Library is performed in a Terraform tfvars variable file.

Terraform Parameters

This table shows the Terraform parameters, these parameters need to be entered manually when not using the deployment scripts

Variable Description Type Notes
deployer_tfstate_key The state file name for the deployer Required

Environment Parameters

This table shows the parameters that define the resource naming.

Variable Description Type Notes
environment Identifier for the control plane (max 5 chars) Mandatory For example, PROD for a production environment and NP for a non-production environment.
location The Azure region in which to deploy. Required Use lower case
'name_override_file' Name override file Optional see Custom naming

Resource Group

This table shows the parameters that define the resource group.

Variable Description Type
resource_group_name Name of the resource group to be created Optional
resource_group_arm_id Azure resource identifier for an existing resource group Optional
resourcegroup_tags Tags to be associated with the resource group Optional

SAP Installation media storage account

Variable Description Type
library_sapmedia_arm_id Azure resource identifier Optional

Terraform remote state storage account

Variable Description Type
library_terraform_state_arm_id Azure resource identifier Optional

DNS Support

Variable Description Type
use_custom_dns_a_registration Use an existing Private DNS zone Optional
management_dns_subscription_id Subscription ID for the subscription containing the Private DNS Zone Optional
management_dns_resourcegroup_name Resource group containing the Private DNS Zone Optional
dns_label DNS name of the private DNS zone Optional

Extra parameters

Variable Description Type
use_private_endpoint Use private endpoints Optional
use_service_endpoint Use service endpoints for subnets Optional
enable_firewall_for_keyvaults_and_storage Restrict access to selected subnets Optional

Example parameters file for sap library (required parameters only)

# The environment value is a mandatory field, it is used for partitioning the environments, for example (PROD and NP)
environment = "MGMT"

# The location/region value is a mandatory field, it is used to control where the resources are deployed
location = "westeurope"

Next steps