Workload zone deployment in the SAP automation framework

An SAP application typically has multiple development tiers. For example, you might have development, quality assurance, and production tiers. SAP Deployment Automation Framework calls these tiers workload zones.

You can use workload zones in multiple Azure regions. Each workload zone then has its own instance of Azure Virtual Network.

The following services are provided by the SAP workload zone:

  • A virtual network, including subnets and network security groups
  • An Azure Key Vault instance, for system credentials
  • An Azure Storage account for boot diagnostics
  • A Storage account for cloud witnesses
  • An Azure NetApp Files account and capacity pools (optional)
  • Azure Files NFS shares (optional)
  • Azure Monitor for SAP (optional)

Diagram that shows an SAP workload zone.

The workload zones are typically deployed in spokes in a hub-and-spoke architecture. They can be in their own subscriptions.

The private DNS is supported from the control plane or from a configurable source.

Core configuration

The following example parameter file shows only required parameters.

# The environment value is a mandatory field. It is used for partitioning the environments, for example, PROD and NP.
environment="DEV"

# The location value is a mandatory field. It is used to control where the resources are deployed.
location="westeurope"

# The network logical name is mandatory - it is used in the naming convention and should map to the workload virtual network logical name
network_name="SAP01"

# network_address_space is a mandatory parameter when an existing virtual network is not used
network_address_space="10.110.0.0/16"

# admin_subnet_address_prefix is a mandatory parameter if the subnets are not defined in the workload or if existing subnets are not used
admin_subnet_address_prefix="10.110.0.0/19"

# db_subnet_address_prefix is a mandatory parameter if the subnets are not defined in the workload or if existing subnets are not used
db_subnet_address_prefix="10.110.96.0/19"

# app_subnet_address_prefix is a mandatory parameter if the subnets are not defined in the workload or if existing subnets are not used
app_subnet_address_prefix="10.110.32.0/19"

# The automation_username defines the user account used by the automation
automation_username="azureadm"
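
The three subnet prefixes have to fall inside network_address_space and must not overlap one another. The following is an added example, not part of the framework or of the original page, that checks this for a tfvars file in POSIX shell. The function names tfvar, cidr_range and check_zone_subnets are hypothetical, and the code assumes well-formed IPv4 CIDR values written as key="value".

```shell
#!/bin/sh
# Added example (not framework code): check the subnet layout of a workload
# zone tfvars file before handing it to the deployment script.

# tfvar FILE KEY: print the value of a KEY="value" line
tfvar() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# cidr_range CIDR: print the first and last address of the block as integers
cidr_range() {
    ip=${1%/*}; bits=${1#*/}
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    size=$(( 1 << (32 - $bits) ))
    first=$(( ( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ) & ~($size - 1) ))
    echo "$first $(( $first + $size - 1 ))"
}

# check_zone_subnets FILE: 0 if all three subnets fit the vnet and are disjoint
check_zone_subnets() {
    file=$1; rc=0; seen=""
    vnet=$(tfvar "$file" network_address_space)
    [ -n "$vnet" ] || { echo "network_address_space not set" >&2; return 2; }
    set -- $(cidr_range "$vnet"); vfirst=$1; vlast=$2
    for tier in admin db app; do
        cidr=$(tfvar "$file" "${tier}_subnet_address_prefix")
        [ -n "$cidr" ] || { echo "$tier: prefix not set" >&2; rc=1; continue; }
        set -- $(cidr_range "$cidr"); first=$1; last=$2
        if [ "$first" -lt "$vfirst" ] || [ "$last" -gt "$vlast" ]; then
            echo "$tier: $cidr is outside $vnet" >&2; rc=1
        fi
        for prev in $seen; do            # each entry is first:last:tier
            pfirst=${prev%%:*}; rest=${prev#*:}
            if [ "$first" -le "${rest%%:*}" ] && [ "$pfirst" -le "$last" ]; then
                echo "$tier: $cidr overlaps ${rest#*:}" >&2; rc=1
            fi
        done
        seen="$seen $first:$last:$tier"
    done
    return "$rc"
}

# Constructed sample: the address values from the parameter file above.
sample=$(mktemp)
printf '%s\n' 'network_address_space="10.110.0.0/16"' \
    'admin_subnet_address_prefix="10.110.0.0/19"' \
    'db_subnet_address_prefix="10.110.96.0/19"' \
    'app_subnet_address_prefix="10.110.32.0/19"' > "$sample"
check_zone_subnets "$sample" && echo "subnet layout OK"
rm -f "$sample"
```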

Prepare the workload zone deployment credentials

SAP Deployment Automation Framework uses service principals when doing the deployment. To create the service principal for the workload zone deployment, use an account with permissions to create service principals.

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<subscriptionID>" --name="<environment>-Deployment-Account"

Important

The name of the service principal must be unique.

Record the output values from the command:

  • appId
  • password
  • tenant

Assign the correct permissions to the service principal.

az role assignment create --assignee <appId> \
    --scope /subscriptions/<subscriptionID> \
    --role "User Access Administrator"

Deploy the SAP workload zone

The sample workload zone configuration file DEV-WEEU-SAP01-INFRASTRUCTURE.tfvars is located in the ~/Azure_SAP_Automated_Deployment/samples/Terraform/WORKSPACES/LANDSCAPE/DEV-WEEU-SAP01-INFRASTRUCTURE folder.

Run the following commands from the deployer to deploy the SAP workload zone.

You can copy the sample configuration files to start testing the deployment automation framework.

cd ~/Azure_SAP_Automated_Deployment

cp -R sap-automation/samples/WORKSPACES config


export  ARM_SUBSCRIPTION_ID="<subscriptionId>"
export        ARM_CLIENT_ID="<appId>"
export    ARM_CLIENT_SECRET="<password>"
export        ARM_TENANT_ID="<tenantId>"
export             env_code="DEV"
export          region_code="<region_code>"
export            vnet_code="SAP02"
export deployer_environment="MGMT"


export DEPLOYMENT_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/sap-automation"
export CONFIG_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/config/WORKSPACES"
export SAP_AUTOMATION_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/sap-automation"

az login --service-principal -u "${ARM_CLIENT_ID}" -p="${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"


cd "${CONFIG_REPO_PATH}/LANDSCAPE/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE"
parameterFile="${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE.tfvars"

"${SAP_AUTOMATION_REPO_PATH}/deploy/scripts/install_workloadzone.sh" \
    --parameterfile "${parameterFile}"                             \
    --deployer_environment "${deployer_environment}"               \
    --subscription "${ARM_SUBSCRIPTION_ID}"                        \
    --spn_id "${ARM_CLIENT_ID}"                                    \
    --spn_secret "${ARM_CLIENT_SECRET}"                            \
    --tenant_id "${ARM_TENANT_ID}"
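
A preflight for the variables exported above, added here as an example and not part of the framework's scripts: it reports unset or placeholder values by name only (never the secret itself) and checks that the parameter file implied by env_code, region_code and vnet_code exists. It assumes that environment and network_name in the tfvars are meant to equal env_code and vnet_code, as in the sample name DEV-WEEU-SAP01-INFRASTRUCTURE; preflight_workload_zone and tfvar are hypothetical names.

```shell
#!/bin/sh
# Added example (not framework code): preflight for the deployment variables.

# tfvar FILE KEY: print the value of a KEY="value" line
tfvar() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# preflight_workload_zone CONFIG_ROOT: 0 when the exported variables are
# filled in and agree with the parameter file they point at
preflight_workload_zone() {
    root=$1; rc=0
    for name in ARM_SUBSCRIPTION_ID ARM_CLIENT_ID ARM_CLIENT_SECRET \
                ARM_TENANT_ID env_code region_code vnet_code; do
        eval "value=\${$name:-}"
        case $value in
            "")    echo "$name is not set" >&2; rc=1 ;;
            \<*\>) echo "$name still holds a placeholder" >&2; rc=1 ;;
        esac
    done
    unset value                          # do not keep a copy of the secret
    [ "$rc" -eq 0 ] || return "$rc"
    stem="${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE"
    file="${root}/LANDSCAPE/${stem}/${stem}.tfvars"
    [ -f "$file" ] || { echo "no parameter file at $file" >&2; return 1; }
    [ "$(tfvar "$file" environment)" = "$env_code" ] ||
        { echo "environment in tfvars differs from env_code" >&2; rc=1; }
    [ "$(tfvar "$file" network_name)" = "$vnet_code" ] ||
        { echo "network_name in tfvars differs from vnet_code" >&2; rc=1; }
    return "$rc"
}

# Constructed demo tree and values; none of these are real credentials.
demo=$(mktemp -d)
dir="$demo/LANDSCAPE/DEV-WEEU-SAP01-INFRASTRUCTURE"
mkdir -p "$dir"
printf '%s\n' 'environment="DEV"' 'network_name="SAP01"' \
    > "$dir/DEV-WEEU-SAP01-INFRASTRUCTURE.tfvars"
(
    ARM_SUBSCRIPTION_ID=sub ARM_CLIENT_ID=app ARM_CLIENT_SECRET=x ARM_TENANT_ID=ten
    env_code=DEV region_code=WEEU vnet_code=SAP01
    preflight_workload_zone "$demo" && echo "preflight passed"
    vnet_code=SAP02                      # no SAP02 folder in the demo tree
    preflight_workload_zone "$demo" || echo "vnet_code=SAP02 rejected"
)
rm -rf "$demo"
```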
    

Tip

If the scripts fail to run, it can sometimes help to clear the local cache files by removing the ~/.sap_deployment_automation/ and ~/.terraform.d/ directories before you run the scripts again.
