Merge pull request #22 from sap-linuxlab/dev

release: merge dev to main for 1.0.1

Author: sean-freeman

.github/workflows/ansible-lint-sap_vm_provision.yml

@@ -41,6 +41,9 @@ jobs:
           pip3 install ansible-lint==6.22.1
           pip3 install jmespath==1.0.1
 
+      - name: Install dependencies for Ansible
+        run: ansible-galaxy collection install -r /home/runner/work/community.sap_infrastructure/community.sap_infrastructure/requirements.yml
+
       - name: Run ansible-lint
         working-directory: /home/runner/work/community.sap_infrastructure/community.sap_infrastructure/roles/sap_vm_provision
         run: ansible-lint

CHANGELOG.rst

@@ -4,6 +4,36 @@ community.sap_infrastructure Release Notes
 
 .. contents:: Topics
 
+v1.0.1
+======
+
+Release Summary
+---------------
+
+| Release Date: 2024-04-29
+| collection: Bug fix for GH Action requirements
+| collection: Bug fix for Ansible Collection dependencies
+| sap_hypervisor_node_preconfigure: Bug fix for when condition typo and trident version update
+| sap_vm_provision: Documentation update for AWS IAM
+| sap_vm_provision: Documentation update for design assumptions with execution impact
+| sap_vm_provision: Feature add for all to ensure short hostname is not longer than 13 characters (SAP Note 611361)
+| sap_vm_provision: Feature add for all internal variable names prefix with __sap_vm_provision_
+| sap_vm_provision: Feature add for all with rescue block to output errors without revealing credential secrets
+| sap_vm_provision: Feature add for SAP HANA Scale-Out user-defined variable name prefix with sap_vm_provision
+| sap_vm_provision: Feature add for all Ansible Tasks calling Infrastructure Platform APIs default to no_log instead of Environment
+| sap_vm_provision: Feature add sample Ansible Playbook for blank Virtual Machine provision
+| sap_vm_provision: Feature add for MS Azure SSH Key Pair from new dependency Ansible Module
+| sap_vm_provision: Feature add for MS Azure and IBM Cloud Private DNS in separate Resource Group
+| sap_vm_provision: Feature add for all Cloud vendors with updated regex for OS Image releases
+| sap_vm_provision: Feature add for IBM Power VS using newer hardware machine type (Power10)
+| sap_vm_provision: Bug fix for OS Package Repository registration task not triggering
+| sap_vm_provision: Bug fix for Web Forward Proxy task not triggering
+| sap_vm_provision: Bug fix for ignoring undefined variables (e.g. sap_id_user_password) set on hosts
+| sap_vm_provision: Bug fix for IBM Power VS using Power Edge Router default instead of legacy cloud connections
+| sap_vm_provision: Bug fix for IBM Power VS OS Image clone from stock and provision
+| sap_vm_provision: Bug fix for MS Azure Virtual Machine info response changed data path for IP Address migrating from 1.x to 2.x Ansible Collection
+| sap_vm_provision: Bug fix for MS Azure Virtual Machine vm_identity syntax changed migrating from 1.x to 2.x Ansible Collection
+
 v1.0.0
 ======
 

galaxy.yml

@@ -10,7 +10,7 @@ namespace: community
 name: sap_infrastructure
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 1.0.0
+version: 1.0.1
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md

playbooks/sample-sap-vm-provision-aws-ec2-vs.yml

@@ -0,0 +1,39 @@
+---
+
+# This sample Ansible Playbook is not a full example,
+# which would pass additional variables onto other
+# Ansible Roles such as sap_storage_setup.
+# It is only to test the provisioning process
+# of a small Virtual Machine.
+
+- name: Ansible Play to include_vars
+  hosts: all
+  become: true
+  pre_tasks:
+
+    # Alternative to executing ansible-playbook with -e for Ansible Extravars file
+    - name: Include sample variables for AWS EC2
+      ansible.builtin.include_vars: ./vars/sample-variables-sap-vm-provision-aws-ec2-vs.yml
+
+
+- name: Ansible Play to create dynamic inventory group for provisioning
+  hosts: localhost
+  gather_facts: false
+  tasks:
+
+    - name: Create dynamic inventory group for Ansible Role sap_vm_provision
+      ansible.builtin.add_host:
+        name: "{{ item }}"
+        group: sap_vm_provision_target_inventory_group
+      loop: "{{ sap_vm_provision_ibmcloud_vs_host_specifications_dictionary[sap_vm_provision_host_specification_plan].keys() }}"
+
+
+- name: Ansible Play to provision hosts for SAP
+  hosts: sap_vm_provision_target_inventory_group # Ansible Play target hosts pattern, use Inventory Group created by previous Ansible Task (add_host)
+  gather_facts: false
+  tasks:
+
+    - name: Execute Ansible Role sap_vm_provision
+      ansible.builtin.include_role:
+        name: community.sap_infrastructure.sap_vm_provision
+      when: sap_vm_provision_iac_type == "ansible" or sap_vm_provision_iac_type == "ansible_to_terraform"

playbooks/vars/sample-variables-sap-vm-provision-aws-ec2-vs.yml

@@ -0,0 +1,70 @@
+---
+
+# This sample Ansible Playbook is not a full example,
+# which would pass additional variables onto other
+# Ansible Roles such as sap_storage_setup.
+# It is only to test the provisioning process
+# of a small Virtual Machine.
+
+####
+# Infrastructure Provisioning selection
+####
+
+sap_vm_provision_iac_type: "ansible"  # ansible , ansible_to_terraform , existing_hosts
+sap_vm_provision_iac_platform: "aws_ec2_vs"  # aws_ec2_vs , gcp_ce_vm , ibmcloud_vs , ibmcloud_powervs , msazure_vm , ibmpowervm_vm , kubevirt_vm , ovirt_vm , vmware_vm
+
+sap_vm_provision_host_specification_plan: "test_plan_16gb"
+sap_vm_provision_dns_root_domain: "poc.cloud"
+
+
+####
+# Infrastructure Provisioning selection
+# AWS
+#
+# Only for use when 'aws_ec2_vs' is value provided for variable sap_vm_provision_iac_platform
+####
+
+sap_vm_provision_aws_access_key: "ENTER_STRING_VALUE_HERE"
+sap_vm_provision_aws_secret_access_key: "ENTER_STRING_VALUE_HERE"
+sap_vm_provision_aws_region: "{{ sap_vm_provision_aws_vpc_availability_zone[:-1] }}"
+sap_vm_provision_aws_vpc_availability_zone: "eu-west-2c"
+sap_vm_provision_aws_vpc_subnet_create_boolean: "{{ true | default(false) if aws_vpc_subnet_id == 'new' else false }}"
+sap_vm_provision_aws_vpc_subnet_id: "ENTER_STRING_VALUE_HERE" # if ansible_to_terraform, use "new"
+sap_vm_provision_aws_ec2_vs_host_os_image: "ENTER_STRING_VALUE_HERE"
+sap_vm_provision_bastion_user: "ENTER_STRING_VALUE_HERE"
+sap_vm_provision_bastion_ssh_port: "ENTER_STRING_VALUE_HERE"
+
+# Only for use when 'ansible' is value provided for variable sap_vm_provision_iac_type
+####
+sap_vm_provision_bastion_public_ip: "ENTER_STRING_VALUE_HERE"
+sap_vm_provision_ssh_bastion_private_key_file_path: "./bastion_rsa"
+sap_vm_provision_ssh_host_private_key_file_path: "./hosts_rsa"
+sap_vm_provision_aws_key_pair_name_ssh_host_public_key: "ENTER_STRING_VALUE_HERE"
+sap_vm_provision_aws_vpc_sg_names: "ENTER_STRING_VALUE_HERE"
+
+
+####
+# Infrastructure Definitions
+# AWS
+####
+
+sap_vm_provision_aws_ec2_vs_host_os_image_dictionary:
+  rhel-8-6: "*RHEL-8.6*_HVM*x86_64*"
+  rhel-8-6-sap-ha: "*RHEL-SAP-8.6.0*"
+  sles-15-4: "*suse-sles-15-sp4-v202*-hvm-ssd-x86_64*"
+  sles-15-4-sap-ha: "*suse-sles-sap-15-sp4-v202*-hvm-ssd-x86_64*"
+
+sap_vm_provision_aws_ec2_vs_host_specifications_dictionary:
+  test_plan_16gb:
+    test-ec2-vs: # Hostname, must be 13 characters or less
+      sap_host_type: hana_primary # hana_primary, hana_secondary, nwas_ascs, nwas_ers, nwas_pas, nwas_aas
+      virtual_machine_profile: r7i.large
+      disable_ip_anti_spoofing: true
+      storage_definition:
+        - name: hana_data
+          mountpoint: /hana/data
+          #disk_count: 1                 # default: 1, if more then then LVM logical volume will be striped across the defined disks
+          disk_size: 384                 # size in GB, integer
+          #disk_type: gp3                # default: gp3, for AWS EBS disk type
+          #disk_iops:                    # default: null, for AWS EBS with custom IOPS
+          filesystem_type: xfs           # default: xfs

requirements.yml

@@ -6,13 +6,13 @@ collections:
     version: 1.1.0
   - name: amazon.aws
     type: galaxy
-    version: 5.4.0
+    version: 7.2.0
   - name: community.aws
     type: galaxy
-    version: 5.4.0
+    version: 7.1.0
   - name: azure.azcollection
     type: galaxy
-    version: 1.15.0
+    version: 2.2.0
   - name: google.cloud
     type: galaxy
     version: 1.1.3

roles/sap_hypervisor_node_preconfigure/tasks/platform/redhat_ocp_virt/main.yml

@@ -83,7 +83,7 @@
 
 - name: Include setup worker nodes
   ansible.builtin.include_tasks: "platform/{{ sap_hypervisor_node_platform }}/setup-worker-nodes.yml"
-  when: sap_hypervisor_node_preconfigure_setup_workers
+  when: sap_hypervisor_node_preconfigure_setup_worker_nodes
 
 # How to wait for node to be scheduleable? (NodeSchedulable)
 - name: Wait for all k8s nodes to be ready

roles/sap_hypervisor_node_preconfigure/vars/platform_defaults_redhat_ocp_virt.yml

@@ -9,7 +9,7 @@ sap_hypervisor_node_preconfigure_install_hpp: false
 sap_hypervisor_node_preconfigure_install_trident: false
 
 # URL of the trident installer package to use
-sap_hypervisor_node_preconfigure_install_trident_url: https://github.com/NetApp/trident/releases/download/v23.01.0/trident-installer-23.01.0.tar.gz
+sap_hypervisor_node_preconfigure_install_trident_url: https://github.com/NetApp/trident/releases/download/v23.10.0/trident-installer-23.10.0.tar.gz
 
 # should SRIOV be enabled for unsupported NICs
 sap_hypervisor_node_preconfigure_sriov_enable_unsupported_nics: true
@@ -27,4 +27,4 @@ sap_hypervisor_node_preconfigure_ignore_minimal_memory_check: false
 sap_hypervisor_node_preconfigure_install_operators: true
 
 # Configure the workers?
-sap_hypervisor_node_preconfigure_setup_workers: true
+sap_hypervisor_node_preconfigure_setup_worker_nodes: true

roles/sap_vm_provision/PLATFORM_GUIDANCE.md

@@ -148,6 +148,56 @@ aws iam attach-group-policy --group-name 'ag-sap-automation' --policy-arn arn:aw
 aws iam attach-group-policy --group-name 'ag-sap-automation' --policy-arn arn:aws:iam::aws:policy/AmazonRoute53FullAccess
 ```
 
+It is recommended to create new AWS IAM Policy with detailed actions to improve security.
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "VisualEditor0",
+			"Effect": "Allow",
+			"Action": [
+				"ec2:DescribeImages",
+				"ec2:DescribeInstances",
+				"ec2:DescribeTags",
+				"ec2:DescribeInstanceAttribute",
+				"ec2:DescribeSubnets",
+				"ec2:DescribeSecurityGroups",
+				"ec2:RunInstances",
+				"ec2:CreateTags",
+				"ec2:DescribeInstanceStatus",
+				"ec2:ModifyInstanceAttribute",
+				"ec2:DescribeRouteTables",
+				"route53:ListHostedZones",
+				"route53:ListResourceRecordSets",
+				"route53:ChangeResourceRecordSets",
+				"route53:GetChange",
+				"ec2:DescribeVolumes",
+				"ec2:CreateVolume",
+				"ec2:DeleteVolume",
+				"ec2:AttachVolume",
+				"ec2:DetachVolume",
+				"ec2:TerminateInstances",
+				"ec2:CreateRoute",
+				"iam:GetRole",
+				"iam:CreateRole",
+				"iam:ListInstanceProfilesForRole",
+				"iam:CreateInstanceProfile",
+				"iam:AddRoleToInstanceProfile",
+				"iam:ListAttachedRolePolicies",
+				"iam:ListRoleTags",
+				"iam:PutRolePolicy",
+				"iam:GetInstanceProfile",
+				"iam:PassRole",
+				"ec2:AssociateIamInstanceProfile",
+				"ec2:ReplaceRoute"
+			],
+			"Resource": "*"
+		}
+	]
+}
+```
+
 </details>
 
 <details>

roles/sap_vm_provision/README.md

@@ -162,6 +162,12 @@ This required structure will:
         var: groups
 ```
 
+### Design assumptions with execution impact
+
+- For Hyperscaler Cloud Service Providers that use Resource Groups (IBM Cloud, Microsoft Azure):
+    - Virtual Machine and associated resources (Disks, Network Interfaces, Load Balancer etc.) will be provisioned to the same Resource Group as the targeted network/subnet.
+    - Optional: Private DNS may be allocated to another Resource Group, and an optional variable is provided for this.
+
 ### Tags to control execution
 
 There are no tags used to control the execution of this Ansible Role