Three Tier SAP S/4HANA Stack Deployment

Description

This automation solution is designed for the deployment of Three Tier SAP S/4HANA Stack. The SAP solution will be deployed on top of one of the following Operating Systems: SUSE Linux Enterprise Server 15 SP 3 for SAP, Red Hat Enterprise Linux 8.4 for SAP, Red Hat Enterprise Linux 7.6 for SAP in an existing IBM Cloud Gen2 VPC, using an existing bastion host with secure remote SSH access.

Installation media

SAP HANA installation media used for this deployment is the default one for SAP HANA, platform edition 2.0 SPS05 available at SAP Support Portal under INSTALLATION AND UPGRADE area and it has to be provided manually in the input parameter file.

SAP S/4HANA installation media used for this deployment is the default one for SAP S/4HANA 2020 available at SAP Support Portal under INSTALLATION AND UPGRADE area and it has to be provided manually in the input parameter file.

VSI Configuration

The VSIs are deployed with one of the following Operating Systems for DB server: Suse Linux Enterprise Server 15 SP 3 for SAP HANA (amd64), Red Hat Enterprise Linux 8.4 for SAP HANA (amd64) or Red Hat Enterprise Linux 7.6 for SAP HANA (amd64) and with one of the following Operating Systems for APP server: Suse Enterprise Linux 1 SP3 for SAP Applications (amd64), Red Hat Enterprise Linux 8.4 for SAP Applications (amd64), Red Hat Enterprise Linux 7.6 for SAP Applications (amd64). The SSH keys are configured to allow root user access. The following storage volumes are creating during the provisioning:

HANA DB VSI Disks:

• 3 x 500 GB disks with 10000 IOPS - DATA

SAP APPs VSI Disks:

• 1x 40 GB disk with 10 IOPS / GB - SWAP
• 1 x 128 GB disk with 10 IOPS / GB - DATA

In order to perform the deployment you can use either the CLI component or the GUI component (Schematics) of the automation solution.

1.1 Executing the deployment of Three Tier SAP S/4HANA Stack in GUI (Schematics)

The solution is based on Terraform remote-exec and Ansible playbooks executed by Schematics and it is implementing a 'reasonable' set of best practices for SAP VSI host configuration.

It contains:

• Terraform scripts for the deployment of two VSIs, in an EXISTING VPC, with Subnet and Security Group. The VSIs are intended to be used: one for the data base instance and the other for the application instance.
• Bash scripts used for the checking of the prerequisites required by SAP VSIs deployment and for the integration into a single step in IBM Schematics GUI of the VSI provisioning and the Three Tier SAP S/4HANA Stack installation.
• Ansible scripts to configure Three Tier SAP S/4HANA primary application server and a HANA 2.0 node.

IBM Cloud API Key

The IBM Cloud API Key should be provided as input value of type sensitive for "ibmcloud_api_key" variable, in IBM Schematics -> Workspaces -> <Workspace name> -> Settings menu. The IBM Cloud API Key can be created here.

Input parameters

The following parameters can be set in the Schematics workspace: VPC, Subnet, Security group, Resource group, Hostname, Profile, Image, SSH Keys and your SAP system configuration variables, as below:

VSI input parameters:

Parameter	Description
ibmcloud_api_key	IBM Cloud API key (Sensitive* value).
private_ssh_key	id_rsa private key content (Sensitive* value).
SSH_KEYS	List of SSH Keys UUIDs that are allowed to SSH as root to the VSI. Can contain one or more IDs. The list of SSH Keys is available here. Sample input (use your own SSH UUIDs from IBM Cloud): [ "r010-57bfc315-f9e5-46bf-bf61-d87a24a9ce7a" , "r010-3fcd9fe7-d4a7-41ce-8bb3-d96e936b2c7e" ]
BASTION_FLOATING_IP	The FLOATING IP from the Bastion Server.
RESOURCE_GROUP	The name of an EXISTING Resource Group for VSIs and Volumes resources. Default value: "Default". The list of Resource Groups is available here.
REGION	The cloud region where to deploy the solution. The regions and zones for VPC are listed here. Review supported locations in IBM Cloud Schematics here. Sample value: eu-de.
ZONE	The cloud zone where to deploy the solution. Sample value: eu-de-2.
VPC	The name of an EXISTING VPC. The list of VPCs is available here
SUBNET	The name of an EXISTING Subnet. The list of Subnets is available here.
SECURITY_GROUP	The name of an EXISTING Security group. The list of Security Groups is available here.
DB-HOSTNAME	The Hostname for the HANA VSI. The hostname should be up to 13 characters as required by SAP. For more information on rules regarding hostnames for SAP systems, check SAP Note 611361: Hostnames of SAP ABAP Platform servers
DB-PROFILE	The instance profile used for the HANA VSI. A list of profiles is available here For more information about supported DB/OS and IBM Gen 2 Virtual Server Instances (VSI), check SAP Note 2927211: SAP Applications on IBM Virtual Private Cloud Default value: "mx2-16x128"
DB-IMAGE	The OS image used for HANA VSI. A list of images is available here. Default value: ibm-redhat-7-6-amd64-sap-hana-3
APP-HOSTNAME	The Hostname for the SAP Application VSI. The hostname must have up to 13 characters as required by SAP. For more information on rules regarding hostnames for SAP systems, check SAP Note 611361: Hostnames of SAP ABAP Platform servers
APP-PROFILE	The instance profile used for SAP Application VSI. A list of profiles is available here For more information about supported DB/OS and IBM Gen 2 Virtual Server Instances (VSI), check SAP Note 2927211: SAP Applications on IBM Virtual Private Cloud Default value: "bx2-4x16"
APP-IMAGE	The OS image used for SAP Application VSI. A list of images is available here. Default value: ibm-redhat-7-6-amd64-sap-applications-3

SAP input parameters:

Parameter	Description	Requirements
hana_sid	The SAP system ID identifies the SAP HANA system	Consists of exactly three alphanumeric characters Has a letter for the first character Does not include any of the reserved IDs listed in SAP Note 1979280
hana_sysno	Specifies the instance number of the SAP HANA system	Two-digit number from 00 to 97 Must be unique on a host
hana_main_password	Common password for all users that are created during the installation	It must be 8 to 14 characters long It must consist of at least one digit (0-9), one lowercase letter (a-z), and one uppercase letter (A-Z). It can only contain the following characters: a-z, A-Z, 0-9, !, @, #, $, _ It must not start with a digit or an underscore ( _ ) (Sensitive* value)
hana_system_usage	System Usage	Default: custom Valid values: production, test, development, custom
hana_components	SAP HANA Components	Default: server Valid values: all, client, es, ets, lcapps, server, smartda, streaming, rdsync, xs, studio, afl, sca, sop, eml, rme, rtl, trp
kit_saphana_file	Path to SAP HANA ZIP file	As downloaded from SAP Support Portal
sap_sid	The SAP system ID identifies the entire SAP system	Consists of exactly three alphanumeric characters Has a letter for the first character Does not include any of the reserved IDs listed in SAP Note 1979280
sap_ascs_instance_number	Technical identifier for internal processes of ASCS	Two-digit number from 00 to 97 Must be unique on a host
sap_ci_instance_number	Technical identifier for internal processes of CI	Two-digit number from 00 to 97 Must be unique on a host
sap_main_password	Common password for all users that are created during the installation	It must be 10 to 14 characters long It must contain at least one digit (0-9) It can only contain the following characters: a-z, A-Z, 0-9, @, #, $, _ It must not start with a digit or an underscore ( _ ) (Sensitive* value)
hdb_concurrent_jobs	Number of concurrent jobs used to load and/or extract archives to HANA Host	Default: 23
kit_sapcar_file	Path to sapcar binary	As downloaded from SAP Support Portal
kit_swpm_file	Path to SWPM archive (SAR)	As downloaded from SAP Support Portal
kit_sapexe_file	Path to SAP Kernel OS archive (SAR)	As downloaded from SAP Support Portal
kit_sapexedb_file	Path to SAP Kernel DB archive (SAR)	As downloaded from SAP Support Portal
kit_igsexe_file	Path to IGS archive (SAR)	As downloaded from SAP Support Portal
kit_igshelper_file	Path to IGS Helper archive (SAR)	As downloaded from SAP Support Portal
kit_saphostagent_file	Path to SAP Host Agent archive (SAR)	As downloaded from SAP Support Portal
kit_hdbclient_file	Path to HANA DB client archive (SAR)	As downloaded from SAP Support Portal
kit_s4hana_export	Path to S/4HANA Installation Export dir	The archives downloaded from SAP Support Portal should be present in this path

Obs*:

• SAP Main Password. The password for the SAP system will be hidden during the schematics apply step and will not be available after the deployment.

Parameter	Description	Requirements
sap_main_password	Common password for all users that are created during the installation	It must be 8 to 14 characters long It must contain at least one digit (0-9) It must not contain \ (backslash) and " (double quote)

• Sensitive - The variable value is not displayed in your Schematics logs and it is hidden in the input field.
  
• The following parameters should have the same values as the ones set for the BASTION server: REGION, ZONE, VPC, SUBNET, SECURITYGROUP.
• For any manual change in the terraform code, you have to make sure that you use a certified image based on the SAP NOTE: 2927211.
• OS image for DB VSI. Supported OS images for DB VSIs: ibm-sles-15-3-amd64-sap-hana-2, ibm-redhat-8-4-amd64-sap-hana-2, ibm-redhat-7-6-amd64-sap-hana-3.
  • The list of available VPC Operating Systems supported by SAP: SAP note '2927211 - SAP Applications on IBM Virtual Private Cloud (VPC) Infrastructure environment' https://launchpad.support.sap.com/#/notes/2927211; The list of all available OS images: https://cloud.ibm.com/docs/vpc?topic=vpc-about-images
  • Default variable: DB-IMAGE = "ibm-redhat-8-4-amd64-sap-hana-2"
• OS image for SAP APP VSI. Supported OS images for APP VSIs: ibm-sles-15-3-amd64-sap-applications-2, ibm-redhat-8-4-amd64-sap-applications-2, ibm-redhat-7-6-amd64-sap-applications-3.
  • The list of available VPC Operating Systems supported by SAP: SAP note '2927211 - SAP Applications on IBM Virtual Private Cloud (VPC) Infrastructure environment' https://launchpad.support.sap.com/#/notes/2927211; The list of all available OS images: https://cloud.ibm.com/docs/vpc?topic=vpc-about-images
  • Default variable: APP-IMAGE = "ibm-redhat-8-4-amd64-sap-applications-2"
• SAP HANA Installation path kit
  • Supported SAP HANA versions on Red Hat 8.4 and Suse 15.3: HANA 2.0 SP 5 Rev 57, kit file: 51055299.ZIP
  • Supported SAP HANA versions on Red Hat 7.6: HANA 2.0 SP 5 Rev 52, kit file: 51054623.ZIP
  • Example for Red Hat 7: kit_saphana_file = "/storage/HANADB/51054623.ZIP"
  • Example for Red Hat 8 or Suse 15: kit_saphana_file = "/storage/HANADB/51055299.ZIP"
  • Default variable: kit_saphana_file = "/storage/HANADB/51055299.ZIP"

VPC Configuration

The Security Rules inherited from BASTION deployment are the following:

• Allow all traffic in the Security group for private networks.
• Allow outbound traffic (ALL for port 53, TCP for ports 80, 443, 8443)
• Allow inbound SSH traffic (TCP for port 22) from IBM Schematics Servers.

Files description and structure:

• modules - directory containing the terraform modules
• main.tf - contains the configuration of the VSI for the deployment of the current SAP solution.
• output.tf - contains the code for the information to be displayed after the VSI is created (Hostname, Private IP)
• integration*.tf - contains the integration code that makes the SAP variabiles from Terraform available to Ansible.
• provider.tf - contains the IBM Cloud Provider data in order to run terraform init command.
• terraform.tfvars - contains the IBM Cloud API key referenced in provider.tf (dynamically generated)
• variables.tf - contains variables for the VPC and VSI
• versions.tf - contains the minimum required versions for terraform and IBM Cloud provider.

Steps to follow:

1. Make sure that you have the required IBM Cloud IAM permissions to create and work with VPC infrastructure and you are assigned the correct permissions to create the workspace in Schematics and deploy resources.

2. Generate an SSH key. The SSH key is required to access the provisioned VPC virtual server instances via the bastion host. After you have created your SSH key, make sure to upload this SSH key to your IBM Cloud account in the VPC region and resource group where you want to deploy the SAP solution

3. Create the Schematics workspace:

   1. From the IBM Cloud menu select Schematics.
   • Click Create a workspace.
   • Enter a name for your workspace.
   • Click Create to create your workspace.
   2. On the workspace Settings page, enter the URL of this solution in the Schematics examples Github repository.
   • Select the latest Terraform version.
   • Click Save template information.
   • In the Input variables section, review the default input variables and provide alternatives if desired.
   • Click Save changes.

4. From the workspace Settings page, click Generate plan 

5. Click View log to review the log files of your Terraform execution plan.

6. Apply your Terraform template by clicking Apply plan.

7. Review the log file to ensure that no errors occurred during the provisioning, modification, or deletion process.

The output of the Schematics Apply Plan will list the public/private IP addresses of the VSI host, the hostname and the VPC.

Related links:

• How to create a BASTION/STORAGE VSI for SAP in IBM Schematics
• Securely Access Remote Instances with a Bastion Host
• VPNs for VPC overview: Site-to-site gateways and Client-to-site servers.
• IBM Cloud Schematics

1.2 Executing the deployment of Three Tier SAP S/4HANA Stack in CLI

The solution is based on Terraform scripts and Ansible playbooks executed in CLI and it is implementing a 'reasonable' set of best practices for SAP VSI host configuration.

It contains:

• Terraform scripts for the deployment of two VSIs, in an EXISTING VPC, with Subnet and Security Group. The VSIs are intended to be used: one for the data base instance and the other for the application instance.
• Ansible scripts to configure Three Tier SAP S/4HANA primary application server and a HANA 2.0 node. Please note that Ansible is started by Terraform and must be available on the same host.

Installation media

SAP HANA installation media used for this deployment is the default one for SAP HANA, platform edition 2.0 SPS05 available at SAP Support Portal under INSTALLATION AND UPGRADE area and it has to be provided manually in the input parameter file.

SAP S/4HANA installation media used for this deployment is the default one for SAP S/4HANA 2020 available at SAP Support Portal under INSTALLATION AND UPGRADE area and it has to be provided manually in the input parameter file.

VSI Configuration

The VSIs are deployed with one of the following Operating Systems for DB server: Suse Linux Enterprise Server 15 SP 3 for SAP HANA (amd64), Red Hat Enterprise Linux 8.4 for SAP HANA (amd64) or Red Hat Enterprise Linux 7.6 for SAP HANA (amd64) and with one of the following Operating Systems for APP server: Suse Enterprise Linux 1 SP3 for SAP Applications (amd64), Red Hat Enterprise Linux 8.4 for SAP Applications (amd64), Red Hat Enterprise Linux 7.6 for SAP Applications (amd64). The SSH keys are configured to allow root user access. The following storage volumes are creating during the provisioning:

HANA DB VSI Disks:

• 3 x 500 GB disks with 10000 IOPS - DATA

SAP APPs VSI Disks:

• 1x 40 GB disk with 10 IOPS / GB - SWAP
• 1 x 128 GB disk with 10 IOPS / GB - DATA

IBM Cloud API Key

For the script configuration add your IBM Cloud API Key in terraform planning phase command 'terraform plan --out plan1'. You can create an API Key here.

Input parameter file

The solution is configured by editing your variables in the file input.auto.tfvars Edit your VPC, Subnet, Security group, Hostname, Profile, Image, SSH Keys like so:

##########################################################
# General VPC variables:
######################################################

REGION = "eu-de"
# Region for the VSI. Supported regions: https://cloud.ibm.com/docs/containers?topic=containers-regions-and-zones#zones-vpc
# Example: REGION = "eu-de"

ZONE = "eu-de-2"
# Availability zone for VSI. Supported zones: https://cloud.ibm.com/docs/containers?topic=containers-regions-and-zones#zones-vpc
# Example: ZONE = "eu-de-2"

VPC = "ic4sap"
# EXISTING VPC, previously created by the user in the same region as the VSI. The list of available VPCs: https://cloud.ibm.com/vpc-ext/network/vpcs
# Example: VPC = "ic4sap"

SECURITY_GROUP = "ic4sap-securitygroup"
# EXISTING Security group, previously created by the user in the same VPC. The list of available Security Groups: https://cloud.ibm.com/vpc-ext/network/securityGroups
# Example: SECURITY_GROUP = "ic4sap-securitygroup"

RESOURCE_GROUP = "wes-automation"
# EXISTING Resource group, previously created by the user. The list of available Resource Groups: https://cloud.ibm.com/account/resource-groups
# Example: RESOURCE_GROUP = "wes-automation"

SUBNET = "ic4sap-subnet"
# EXISTING Subnet in the same region and zone as the VSI, previously created by the user. The list of available Subnets: https://cloud.ibm.com/vpc-ext/network/subnets
# Example: SUBNET = "ic4sap-subnet"

SSH_KEYS = ["r010-57bfc315-f9e5-46bf-bf61-d87a24a9ce7a", "r010-e372fc6f-4aef-4bdf-ade6-c4b7c1ad61ca", "r010-09325e15-15be-474e-9b3b-21827b260717", "r010-5cfdb578-fc66-4bf7-967e-f5b4a8d03b89" , "r010-7b85d127-7493-4911-bdb7-61bf40d3c7d4", "r010-771e15dd-8081-4cca-8844-445a40e6a3b3", "r010-d941534b-1d30-474e-9494-c26a88d4cda3"]
# List of SSH Keys UUIDs that are allowed to SSH as root to the VSI. The SSH Keys should be created for the same region as the VSI. The list of available SSH Keys UUIDs: https://cloud.ibm.com/vpc-ext/compute/sshKeys
# Example: SSH_KEYS = ["r010-8f72b994-c17f-4500-af8f-d05680374t3c", "r011-8f72v884-c17f-4500-af8f-d05900374t3c"]

##########################################################
# DB VSI variables:
##########################################################

DB-HOSTNAME = "saps4hnmar1"
# The Hostname for the DB VSI. The hostname should be up to 13 characters, as required by SAP
# Example: HOSTNAME = "ic4sap"

DB-PROFILE = "mx2-16x128"
# The DB VSI profile. Supported profiles for DB VSI: mx2-16x128. The list of available profiles: https://cloud.ibm.com/docs/vpc?topic=vpc-profiles&interface=ui

DB-IMAGE = "ibm-redhat-8-4-amd64-sap-hana-2"
# OS image for DB VSI. Supported OS images for DB VSIs: ibm-sles-15-3-amd64-sap-hana-2, ibm-redhat-8-4-amd64-sap-hana-2, ibm-redhat-7-6-amd64-sap-hana-3.
# The list of available VPC Operating Systems supported by SAP: SAP note '2927211 - SAP Applications on IBM Virtual Private Cloud (VPC) Infrastructure environment' https://launchpad.support.sap.com/#/notes/2927211; The list of all available OS images: https://cloud.ibm.com/docs/vpc?topic=vpc-about-images
# Example: DB-IMAGE = "ibm-redhat-7-6-amd64-sap-applications-2" 

##########################################################
# SAP APP VSI variables:
##########################################################

APP-HOSTNAME = "saps4apmar1"
# The Hostname for the SAP APP VSI. The hostname should be up to 13 characters, as required by SAP
# Example: HOSTNAME = "ic4sap"

APP-PROFILE = "bx2-4x16"
# The APP VSI profile. Supported profiles: bx2-4x16. The list of available profiles: https://cloud.ibm.com/docs/vpc?topic=vpc-profiles&interface=ui

APP-IMAGE = "ibm-redhat-8-4-amd64-sap-applications-2"
# OS image for SAP APP VSI. Supported OS images for APP VSIs: ibm-sles-15-3-amd64-sap-applications-2, ibm-redhat-8-4-amd64-sap-applications-2, ibm-redhat-7-6-amd64-sap-applications-3.
# The list of available VPC Operating Systems supported by SAP: SAP note '2927211 - SAP Applications on IBM Virtual Private Cloud (VPC) Infrastructure environment' https://launchpad.support.sap.com/#/notes/2927211; The list of all available OS images: https://cloud.ibm.com/docs/vpc?topic=vpc-about-images
# Example: APP-IMAGE = "ibm-redhat-7-6-amd64-sap-applications-2" 
......

Parameter	Description
ibmcloud_api_key	IBM Cloud API key (Sensitive* value).
SSH_KEYS	List of SSH Keys IDs that are allowed to SSH as root to the VSI. Can contain one or more IDs. The list of SSH Keys is available here. Sample input (use your own SSH IDS from IBM Cloud): [ "r010-57bfc315-f9e5-46bf-bf61-d87a24a9ce7a" , "r010-3fcd9fe7-d4a7-41ce-8bb3-d96e936b2c7e" ]
REGION	The cloud region where to deploy the solution. The regions and zones for VPC are listed here. Sample value: eu-de.
ZONE	The cloud zone where to deploy the solution. Sample value: eu-de-2.
VPC	The name of an EXISTING VPC. The list of VPCs is available here
SUBNET	The name of an EXISTING Subnet. The list of Subnets is available here.
SECURITY_GROUP	The name of an EXISTING Security group. The list of Security Groups is available here.
RESOURCE_GROUP	The name of an EXISTING Resource Group for VSIs and Volumes resources. The list of Resource Groups is available here.
[DB/APP]-HOSTNAME	The Hostname for the HANA/APP VSI. The hostname should be up to 13 characters as required by SAP. For more information on rules regarding hostnames for SAP systems, check SAP Note 611361: Hostnames of SAP ABAP Platform servers
[DB/APP]-PROFILE	The profile used for the HANA/APP VSI. A list of profiles is available here. For more information about supported DB/OS and IBM Gen 2 Virtual Server Instances (VSI), check SAP Note 2927211: SAP Applications on IBM Virtual Private Cloud
[DB/APP]-IMAGE	The OS image used for the HANA/APP VSI. A list of images is available here

Edit your SAP system configuration variables that will be passed to the ansible automated deployment:

##########################################################
# SAP HANA configuration
##########################################################

hana_sid = "HDB"
# SAP HANA system ID. Should follow the SAP rules for SID naming.
# Example: hana_sid = "HDB"

hana_sysno = "00"
# SAP HANA instance number. Should follow the SAP rules for instance number naming.
# Example: hana_sysno = "01"

hana_system_usage = "custom"
# System usage. Default: custom. Suported values: production, test, development, custom
# Example: hana_system_usage = "custom"

hana_components = "server"
# SAP HANA Components. Default: server. Supported values: all, client, es, ets, lcapps, server, smartda, streaming, rdsync, xs, studio, afl, sca, sop, eml, rme, rtl, trp
# Example: hana_components = "server"

kit_saphana_file = "/storage/HANADB/51055299.ZIP"
# SAP HANA Installation kit path
# Supported SAP HANA versions on Red Hat 8.4 and Suse 15.3: HANA 2.0 SP 5 Rev 57, kit file: 51055299.ZIP
# Supported SAP HANA versions on Red Hat 7.6: HANA 2.0 SP 5 Rev 52, kit file: 51054623.ZIP
# Example for Red Hat 7: kit_saphana_file = "/storage/HANADB/51054623.ZIP"
# Example for Red Hat 8 or Suse 15: kit_saphana_file = "/storage/HANADB/51055299.ZIP"

##########################################################
# SAP system configuration
##########################################################

sap_sid = "S4A"
# SAP System ID

sap_ascs_instance_number = "01"
# The central ABAP service instance number. Should follow the SAP rules for instance number naming.
# Example: sap_ascs_instance_number = "01"

sap_ci_instance_number = "00"
# The SAP central instance number. Should follow the SAP rules for instance number naming.
# Example: sap_ci_instance_number = "06"

hdb_concurrent_jobs = "23"
# Number of concurrent jobs used to load and/or extract archives to HANA Host

##########################################################
# SAP S/4HANA APP Kit Paths
##########################################################

kit_sapcar_file = "/storage/S4HANA/SAPCAR_1010-70006178.EXE"
kit_swpm_file = "/storage/S4HANA/SWPM20SP09_4-80003424.SAR"
kit_sapexe_file = "/storage/S4HANA/SAPEXE_100-70005283.SAR"
kit_sapexedb_file = "/storage/S4HANA/SAPEXEDB_100-70005282.SAR"
kit_igsexe_file = "/storage/S4HANA/igsexe_1-70005417.sar"
kit_igshelper_file = "/storage/S4HANA/igshelper_17-10010245.sar"
kit_saphotagent_file = "/storage/S4HANA/SAPHOSTAGENT51_51-20009394.SAR"
kit_hdbclient_file = "/storage/S4HANA/IMDB_CLIENT20_009_28-80002082.SAR"
kit_s4hana_export = "/storage/S4HANA/export"

SAP input parameters:

Parameter	Description	Requirements
hana_sid	The SAP system ID identifies the SAP HANA system	Consists of exactly three alphanumeric characters Has a letter for the first character Does not include any of the reserved IDs listed in SAP Note 1979280
hana_sysno	Specifies the instance number of the SAP HANA system	Two-digit number from 00 to 97 Must be unique on a host
hana_main_password	Common password for all users that are created during the installation	It must be 8 to 14 characters long It must consist of at least one digit (0-9), one lowercase letter (a-z), and one uppercase letter (A-Z). It can only contain the following characters: a-z, A-Z, 0-9, !, @, #, $, _ It must not start with a digit or an underscore ( _ )
hana_system_usage	System Usage	Default: custom Valid values: production, test, development, custom
hana_components	SAP HANA Components	Default: server Valid values: all, client, es, ets, lcapps, server, smartda, streaming, rdsync, xs, studio, afl, sca, sop, eml, rme, rtl, trp
kit_saphana_file	Path to SAP HANA ZIP file	As downloaded from SAP Support Portal
sap_sid	The SAP system ID identifies the entire SAP system	Consists of exactly three alphanumeric characters Has a letter for the first character Does not include any of the reserved IDs listed in SAP Note 1979280
sap_ascs_instance_number	Technical identifier for internal processes of ASCS	Two-digit number from 00 to 97 Must be unique on a host
sap_ci_instance_number	Technical identifier for internal processes of CI	Two-digit number from 00 to 97 Must be unique on a host
sap_main_password	Common password for all users that are created during the installation	It must be 10 to 14 characters long It must contain at least one digit (0-9) It can only contain the following characters: a-z, A-Z, 0-9, @, #, $, _ It must not start with a digit or an underscore ( _ )
hdb_concurrent_jobs	Number of concurrent jobs used to load and/or extract archives to HANA Host	Default: 23
kit_sapcar_file	Path to sapcar binary	As downloaded from SAP Support Portal
kit_swpm_file	Path to SWPM archive (SAR)	As downloaded from SAP Support Portal
kit_sapexe_file	Path to SAP Kernel OS archive (SAR)	As downloaded from SAP Support Portal
kit_sapexedb_file	Path to SAP Kernel DB archive (SAR)	As downloaded from SAP Support Portal
kit_igsexe_file	Path to IGS archive (SAR)	As downloaded from SAP Support Portal
kit_igshelper_file	Path to IGS Helper archive (SAR)	As downloaded from SAP Support Portal
kit_saphostagent_file	Path to SAP Host Agent archive (SAR)	As downloaded from SAP Support Portal
kit_hdbclient_file	Path to HANA DB client archive (SAR)	As downloaded from SAP Support Portal
kit_s4hana_export	Path to S/4HANA Installation Export dir	The archives downloaded from SAP Support Portal should be present in this path

Obs*:

• Sensitive - The variable value is not displayed in your tf files details after terrafrorm plan&apply commands.
  
• The following variables should be the same like the bastion ones: REGION, ZONE, VPC, SUBNET, SECURITY_GROUP.

VPC Configuration

The Security Rules are the following:

• Allow all traffic in the Security group
• Allow all outbound traffic
• Allow inbound DNS traffic (UDP port 53)
• Allow inbound SSH traffic (TCP port 22)
• Option to Allow inbound TCP traffic with a custom port or a range of ports.

Files description and structure:

• modules - directory containing the terraform modules
• input.auto.tfvars - contains the variables that will need to be edited by the user to customize the solution
• integration-*.tf - contains the integration code that brings the SAP variabiles from Terraform to Ansible.
• main.tf - contains the configuration of the VSI for SAP single tier deployment.
• provider.tf - contains the IBM Cloud Provider data in order to run terraform init command.
• variables.tf - contains variables for the VPC and VSI
• versions.tf - contains the minimum required versions for terraform and IBM Cloud provider.
• output.tf - contains the code for the information to be displayed after the VSI is created (Hostname, Private IP, Public IP)

Steps to follow:

For initializing terraform:

terraform init

For planning phase:

terraform plan --out plan1
# you will be asked for the following sensitive variables: 'ibmcloud_api_key', 'sap_main_password' and 'hana_main_password'.

For apply phase:

terraform apply "plan1"

For destroy:

terraform destroy
# you will be asked for the following sensitive variables as a destroy confirmation phase: 'ibmcloud_api_key', 'sap_main_password' and 'hana_main_password'.

Related links:

• See how to create a BASTION/STORAGE VSI for SAP in IBM Schematics
• Securely Access Remote Instances with a Bastion Host
• VPNs for VPC overview: Site-to-site gateways and Client-to-site servers.