Deploy the control plane

The control plane deployment for the SAP on Azure Deployment Automation Framework consists of the following components:

  • Deployer
  • SAP library

Diagram Control Plane.

Prepare the deployment credentials

The SAP Deployment Frameworks uses Service Principals when doing the deployments. You can create the Service Principal for the Control Plane deployment using the following steps using an account with permissions to create Service Principals:

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<subscriptionID>" --name="<environment>-Deployment-Account"


The name of the Service Principal must be unique.

Record the output values from the command.

  • appId
  • password
  • tenant

Optionally assign the following permissions to the Service Principal:

az role assignment create --assignee <appId> --role "User Access Administrator" --scope /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>

Prepare the webapp

This step is optional. If you would like a browser-based UX to assist in the configuration of SAP workload zones and systems, run the following commands before deploying the control plane.

echo '[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}]}]' >> manifest.json


export TF_VAR_app_registration_app_id=$(az ad app create \
    --display-name ${region_code}-webapp-registration \
    --enable-id-token-issuance true \
    --sign-in-audience AzureADMyOrg \
    --required-resource-access @manifest.json \
    --query "appId" | tr -d '"')

export TF_VAR_webapp_client_secret=$(az ad app credential reset \
    --id $TF_VAR_app_registration_app_id --append               \
    --query "password" | tr -d '"')

export TF_VAR_use_webapp=true
rm manifest.json

Deploy the control plane

The sample Deployer configuration file MGMT-WEEU-DEP00-INFRASTRUCTURE.tfvars is located in the ~/Azure_SAP_Automated_Deployment/WORKSPACES/DEPLOYER/MGMT-WEEU-DEP00-INFRASTRUCTURE folder.

The sample SAP Library configuration file MGMT-WEEU-SAP_LIBRARY.tfvars is located in the ~/Azure_SAP_Automated_Deployment/WORKSPACES/LIBRARY/MGMT-WEEU-SAP_LIBRARY folder.

Running the command below will create the Deployer, the SAP Library and add the Service Principal details to the deployment key vault. If you followed the web app setup in the step above, this command will also create the infrastructure to host the application.

You can copy the sample configuration files to start testing the deployment automation framework.

cd ~/Azure_SAP_Automated_Deployment

cp -Rp sap-automation/samples/WORKSPACES WORKSPACES

Run the following command to deploy the control plane:

az logout
az login
cd ~/Azure_SAP_Automated_Deployment/WORKSPACES

    export subscriptionId="<subscriptionId>"
    export         spn_id="<appId>"
    export     spn_secret="<password>"
    export      tenant_id="<tenantId>"
    export       env_code="MGMT"
    export    region_code="<region_code>"

    export DEPLOYMENT_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/sap-automation"
    export ARM_SUBSCRIPTION_ID="${subscriptionId}"

    ${DEPLOYMENT_REPO_PATH}/deploy/scripts/                                                                                       \
        --deployer_parameter_file DEPLOYER/${env_code}-${region_code}-DEP00-INFRASTRUCTURE/${env_code}-${region_code}-DEP00-INFRASTRUCTURE.tfvars  \
        --library_parameter_file LIBRARY/${env_code}-${region_code}-SAP_LIBRARY/${env_code}-${region_code}-SAP_LIBRARY.tfvars                      \
        --subscription "${subscriptionId}"                                                                                                         \
        --spn_id "${spn_id}"                                                                                                                       \
        --spn_secret "${spn_secret}"                                                                                                               \
        --tenant_id "${tenant_id}"                                                                                                                 \

Manually configure the deployer using Azure Bastion

Connect to the deployer by following these steps:

  1. Sign in to the Azure portal.

  2. Navigate to the resource group containing the deployer virtual machine.

  3. Connect to the virtual machine using Azure Bastion.

  4. The default username is azureadm

  5. Choose SSH Private Key from Azure Key Vault

  6. Select the subscription containing the control plane.

  7. Select the deployer key vault.

  8. From the list of secrets choose the secret ending with -sshkey.

  9. Connect to the virtual machine.

Run the following script to configure the deployer.

mkdir -p ~/Azure_SAP_Automated_Deployment

cd ~/Azure_SAP_Automated_Deployment

git clone

cd sap-automation/deploy/scripts


The script will install Terraform and Ansible and configure the deployer.

Manually configure the deployer


You need to connect to the deployer virtual Machine from a computer that is able to reach the Azure Virtual Network

Connect to the deployer by following these steps:

  1. Sign in to the Azure portal.

  2. Select or search for Key vaults.

  3. On the Key vault page, find the deployer key vault. The name starts with MGMT[REGION]DEP00user. Filter by the Resource group or Location if necessary.

  4. Select Secrets from the Settings section in the left pane.

  5. Find and select the secret containing sshkey. It might look like this: MGMT-[REGION]-DEP00-sshkey

  6. On the secret's page, select the current version. Then, copy the Secret value.

  7. Open a plain text editor. Copy in the secret value.

  8. Save the file where you keep SSH keys. For example, C:\\Users\\<your-username>\\.ssh.

  9. Save the file. If you're prompted to Save as type, select All files if SSH isn't an option. For example, use deployer.ssh.

  10. Connect to the deployer VM through any SSH client such as VSCode. Use the private IP address of the deployer, and the SSH key you downloaded. For instructions on how to connect to the Deployer using VSCode see Connecting to Deployer using VSCode. If you're using PuTTY, convert the SSH key file first using PuTTYGen.


The default username is azureadm

Configure the deployer using the following script:

mkdir -p ~/Azure_SAP_Automated_Deployment

cd ~/Azure_SAP_Automated_Deployment

git clone

cd sap-automation/deploy/scripts


The script will install Terraform and Ansible and configure the deployer.

Deploy the Control Plane Web Application


Control Plane Web Application is currently in PREVIEW and not yet available in the main branch.

If you would like to use the web app, follow the steps below. If not, ignore this section.

The web app resource can be found in the deployer resource group. In the Azure portal, select resource groups in your subscription. The deployer resource group will be named something like MGMT-[region]-DEP00-INFRASTRUCTURE. Inside the deployer resource group, locate the app service, named something like mgmt-[region]-dep00-sapdeployment123. Open the app service and copy the URL listed. It should be in the format of https://mgmt-[region] This will be the value for webapp_url below.

The following commands will configure the application urls, generate a zip file of the web app code, deploy the software to the app service, and configure the application settings.

az ad app update \
    --id $TF_VAR_app_registration_app_id \
    --web-home-page-url ${webapp_url} \
    --web-redirect-uris ${webapp_url}/ ${webapp_url}/.auth/login/aad/callback


Perform the following task from the deployer.

cd ~/Azure_SAP_Automated_Deployment/sap-automation/Webapp/AutomationForm

dotnet build
dotnet publish --configuration Release

cd bin/Release/netcoreapp3.1/publish/

sudo apt install zip
zip -r .

az webapp deploy --resource-group <group-name> --name <app-name> --src-path

az webapp config appsettings set -g <group-name> -n <app-name> --settings \

Accessing the web app

By default there will be no inbound public internet access to the web app apart from the deployer virtual network. To allow additional access to the web app, navigate to the Azure portal. In the deployer resource group, find the web app. Then under settings on the left hand side, click on networking. From here, click Access restriction. Add any allow or deny rules you would like. For more information on configuring access restrictions, see Set up Azure App Service access restrictions.

You will also need to grant reader permissions to the app service system-assigned managed identity. Navigate to the app service resource. On the left hand side, click "Identity". In the "system assigned" tab, click on "Azure role assignments" > "Add role assignment". Select "subscription" as the scope, and "reader" as the role. Then click save. Without this step, the web app dropdown functionality will not work.

You can log in and visit the web app by following the URL from earlier or clicking browse inside the app service resource. With the web app, you are able to configure SAP workload zones and system infrastructure. Click download to obtain a parameter file of the workload zone or system you specified, for use in the later deployment steps.

Next step