diff --git a/deploy/ansible/roles-misc/0.3.sap-installation-media-storage-details/tasks/main.yaml b/deploy/ansible/roles-misc/0.3.sap-installation-media-storage-details/tasks/main.yaml
index 4a3ba7c8ea..55e971e473 100644
--- a/deploy/ansible/roles-misc/0.3.sap-installation-media-storage-details/tasks/main.yaml
+++ b/deploy/ansible/roles-misc/0.3.sap-installation-media-storage-details/tasks/main.yaml
@@ -9,36 +9,36 @@ - name: "0.4 Installation Media: - Retrieve Deployer Keyvault details" block: - - name: Check required variables are present and not empty + - name: Check required variables are present and not empty ansible.builtin.assert: that: - "kv_name is defined" # Has the variable been defined - "kv_name | type_debug != 'NoneType'" # and given a value - "kv_name | string | length != 0 " # Detect null values - fail_msg: "Please define the kv_name parameter" + fail_msg: "Please define the kv_name parameter" - - name: "Parameters to be used..." + - name: "Parameters to be used..." ansible.builtin.debug: msg: # Best method for formatting output with Azure Devops Logs - - "kv_name: {{ kv_name }}" - - "deployer_kv_name_secret: {{ deployer_kv_name_secret }}" - verbosity: 2 + - "kv_name: {{ kv_name }}" + - "deployer_kv_name_secret: {{ deployer_kv_name_secret }}" + verbosity: 2 - - name: "0.4 Installation Media: - Get Deployer key vault name workload zone key vault" + - name: "0.4 Installation Media: - Get Deployer key vault name workload zone key vault" ansible.builtin.command: >- - az keyvault secret show - --vault-name {{ kv_name }} - --name {{ deployer_kv_name_secret }} - --query value - --output tsv - changed_when: false - register: deployer_kv_name_secret_result - when: bom_processing is not defined - - - name: "0.4 Installation Media: - Save Deployer key vault name" + az keyvault secret show + --vault-name {{ kv_name }} + --name {{ deployer_kv_name_secret }} + --query value + --output tsv + changed_when: false + register: deployer_kv_name_secret_result + when: bom_processing is not defined + + - name: "0.4 Installation Media: - Save Deployer key vault name" ansible.builtin.set_fact: - deployer_kv_name: "{{ deployer_kv_name_secret_result.stdout }}" - cacheable: true + deployer_kv_name: "{{ deployer_kv_name_secret_result.stdout }}" + cacheable: true when: deployer_kv_name is not defined 
@@ -50,6 +50,13 @@ - "deployer_kv_name: {{ deployer_kv_name }}" verbosity: 2 +- name: "0.4 Installation Media: - Get Control Plane Subscription" + ansible.builtin.set_fact: + control_plane_subscription_id: "{{ lookup('ansible.builtin.env', 'control_plane_subscription') | default('') }}" + +- name: "0.4 Installation Media: - Extract SAP Binaries Storage Account SAS (temp)" + ansible.builtin.set_fact: + subscription_parameter: "{%if control_plane_subscription_id | length > 0 %}--subscription {{ control_plane_subscription_id }}{% else %}{% endif %}" - name: "0.4 Installation Media: - Extract SAP Binaries Storage Account secrets" block: 
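Review bot: `control_plane_subscription_id` is taken verbatim from the `control_plane_subscription` environment variable and spliced into `subscription_parameter`, which later lands on the `az storage account show` and `az storage account generate-sas` command lines, and nothing checks that it is actually a subscription id. `ansible.builtin.command` does not invoke a shell, but the folded command string is split into arguments, so a value containing whitespace becomes extra CLI arguments rather than a single `--subscription` value. Add an assert next to the first set_fact, e.g. `- control_plane_subscription_id | length == 0 or control_plane_subscription_id is match('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')`, with a `fail_msg` naming the variable. The second task is also titled "Extract SAP Binaries Storage Account SAS (temp)", copied from the SAS task further down the file; rename it to something like `"0.4 Installation Media: - Build --subscription parameter"` so the log is not misleading.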
@@ -75,37 +82,41 @@ account_name: "{{ sapbits_location_base_path.rpartition('//')[2].split('.')[0] }}" when: sapbits_location_base_path is defined +- name: "0.4 Installation Media: - Extract Shared Key Access token flag" + ansible.builtin.set_fact: + allowSharedKeyAccess: true -- name: "0.4 Installation Media: - Check Binaries Storage Account" +- name: "0.4 Installation Media: - Check Binaries Storage Account for Shared Key Access with Control Plane Subscription" ansible.builtin.command: >- - az storage account show \ - --name {{ account_name }} \ - --query allowSharedKeyAccess \ + az storage account show \ + --name {{ account_name }} \ + --query allowSharedKeyAccess \ + {{ subscription_parameter }} \ --out tsv changed_when: false register: az_allowSharedKeyAccess -- name: "0.4 Installation Media: - Extract SAS token" +- name: "0.4 Installation Media: - Extract Shared Key Access token flag" ansible.builtin.set_fact: allowSharedKeyAccess: "{{ az_allowSharedKeyAccess.stdout | bool }}" - when: az_allowSharedKeyAccess is defined + when: az_allowSharedKeyAccess.stdout is defined and az_allowSharedKeyAccess.stdout | length > 0 - name: "Parameter review..." ansible.builtin.debug: msg: # Best method for formatting output with Azure Devops Logs - "account_name: {{ account_name }}" - - "allowSharedKeyAccess: {{ allowSharedKeyAccess }}" + - "allowSharedKeyAccess: {{ allowSharedKeyAccess | default(true) }}" verbosity: 2 - name: "0.4 Installation Media: - Retrieve Access Key secret" when: - sapbits_access_key is not defined - - allowSharedKeyAccess + - allowSharedKeyAccess | default(true) block: - name: "0.4 Installation Media: - Check if Access Key secret exists" ansible.builtin.command: >- az keyvault secret list - --vault-name {{ deployer_kv_name }} --query "[].{Name:name} | [? contains(Name,'sapbits-access-key')] | [0]" + --vault-name {{ deployer_kv_name }} --query "[?name=='sapbits-access-key'].name | [0]" --output tsv changed_when: false register: keyvault_secrets 
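Review bot: The flag is now preset to `true` before `az storage account show` runs, and the `set_fact` that reads the real value only fires when stdout is non-empty, so an empty answer silently falls back to "shared key access allowed" and the account-key retrieval below proceeds on that assumption. If that is deliberate (presumably because an unset `allowSharedKeyAccess` property means enabled on the service side), state it above the preset: `# An unset allowSharedKeyAccess comes back empty from az; treat that as enabled, matching the service default`. With the preset in place the `| default(true)` filters added further down are redundant and can go. The preset task also carries exactly the same name as the later "Extract Shared Key Access token flag" task, which makes the `-v` output hard to follow; give the preset its own name such as `"0.4 Installation Media: - Default Shared Key Access flag"`.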
@@ -133,12 +144,13 @@ when: - sapbits_access_key is not defined - sapbits_sas_token is not defined or (sapbits_sas_token | string | length == 0) - - allowSharedKeyAccess block: - name: "0.4 Installation Media: - Check if SAS token secret exists" ansible.builtin.command: >- az keyvault secret list - --vault-name {{ deployer_kv_name }} --query "[].{Name:name} | [? contains(Name,'sapbits-sas-token')] | [0]" + --vault-name {{ deployer_kv_name }} + --query "[?name =='sapbits-sas-token'].name | [0]" + --output tsv changed_when: false register: keyvault_secrets @@ -158,7 +170,6 @@ ansible.builtin.set_fact: sapbits_sas_token: "{{ keyvault_secret_show_sas_token.stdout }}" cacheable: true - no_log: true when: keyvault_secret_show_sas_token is defined @@ -167,7 +178,6 @@ when: - sapbits_sas_token is not defined or (sapbits_sas_token | string | length == 0) - sapbits_access_key is defined - - allowSharedKeyAccess is defined - allowSharedKeyAccess block: @@ -179,7 +189,7 @@ ansible.builtin.command: "date +'%Y-%m-%d' -d '+3 days'" register: expiry - - name: "0.4 Installation Media: - Create SAP Binaries Storage Account SAS" + - name: "0.4 Installation Media: - Create SAP Binaries Storage Account SAS in Control Plane subscription" ansible.builtin.command: >- az storage account generate-sas \ --account-name {{ account_name }} \ 
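Review bot: The `@@ -158,7 +170,6 @@` hunk removes `no_log: true` from the `set_fact` that stores `sapbits_sas_token`, but that value is a credential: `set_fact` returns its facts in the task result, so any run with `-v` now writes the SAS token into the Ansible output and into the pipeline log that retains it. Restore the line, `no_log: true` directly under `cacheable: true`, and keep it on every task that handles the token. The condition cleanups in the neighbouring hunks (dropping the `allowSharedKeyAccess` guards) look consistent with the flag now always being defined and need no change.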
@@ -188,18 +198,22 @@ --services b \ --resource-types sco \ --account-key {{ sapbits_access_key }} \ + {{ subscription_parameter }} \ --out tsv changed_when: false register: az_sapbits_sas_token - - name: "0.4 Installation Media: - Extract SAP Binaries Storage Account SAS (temp)" - ansible.builtin.set_fact: - sapbits_sas_token: "{{ az_sapbits_sas_token.stdout }}" + - name: "0.4 Installation Media: - Debug storage account details (sas)" + ansible.builtin.debug: + var: az_sapbits_sas_token + verbosity: 4 + - name: "0.4 Installation Media: - Extract SAP Binaries Storage Account SAS (temp)" + ansible.builtin.set_fact: + sapbits_sas_token: "{{ az_sapbits_sas_token.stdout }}" -- name: "0.0 Validations - Check required variables are present and not empty" +- name: "0.0 Validations - Check required variables are present and not empty" when: - - allowSharedKeyAccess is defined - allowSharedKeyAccess ansible.builtin.assert: that: @@ -219,7 +233,7 @@ ansible.builtin.debug: msg: - "SAS : {{ sapbits_sas_token }}" - verbosity: 2 + verbosity: 4 ... # /*---------------------------------------------------------------------------8 diff --git a/deploy/ansible/roles-sap/5.2-pas-install/tasks/main.yaml b/deploy/ansible/roles-sap/5.2-pas-install/tasks/main.yaml index c36850b6ae..be9f6aa214 100644 --- a/deploy/ansible/roles-sap/5.2-pas-install/tasks/main.yaml +++ b/deploy/ansible/roles-sap/5.2-pas-install/tasks/main.yaml @@ -467,7 +467,7 @@ when: - database_high_availability - platform == 'HANA' - - hdbuserstore_file | length > 0 + - hdbuserstore_file.matched > 0 - name: "PAS Install: show hdbuserstore path" ansible.builtin.debug: diff --git a/deploy/pipelines/05-DB-and-SAP-installation.yaml b/deploy/pipelines/05-DB-and-SAP-installation.yaml index 2e6ca25a1e..27c9b38760 100644 --- a/deploy/pipelines/05-DB-and-SAP-installation.yaml +++ b/deploy/pipelines/05-DB-and-SAP-installation.yaml 
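Review bot: The new debug task prints the whole `az_sapbits_sas_token` register at `-vvvv`, and that register holds not only the SAS in `stdout` but also the `cmd` the command module records, which contains `--account-key {{ sapbits_access_key }}`; one verbose run therefore discloses both the storage account key and the freshly minted SAS. The `generate-sas` task itself has no `no_log`, so a failing run prints that same command line at any verbosity. Add `no_log: true` to the `generate-sas` task and either drop the debug task or reduce it to a non-secret proof of success, e.g. `msg: "SAS token length: {{ az_sapbits_sas_token.stdout | length }}"`. Passing the key as an argument also exposes it in the process list while `az` runs; `az storage` commands generally honour `AZURE_STORAGE_KEY`, so supplying it through the task's `environment:` keyword would keep it off the command line — worth confirming for `generate-sas`.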
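Review bot: Raising the verbosity of the `SAS : {{ sapbits_sas_token }}` message from 2 to 4 still prints the token in clear whenever someone runs with `-vvvv`, which is exactly what people do when debugging a failed pipeline, and Azure DevOps retains those logs. A credential should not be printed at any verbosity; replace the message with something that proves the value is set without disclosing it, `- "SAS token set: {{ sapbits_sas_token | length > 0 }}"`, or put `no_log: true` on the task.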
@@ -233,14 +233,21 @@ stages: if [ -z ${az_var} ]; then export workload_key_vault=$(cat "${environment_file_name}" | grep workloadkeyvault | awk -F'=' '{print $2}' | xargs) ; echo 'Workload Key Vault' ${workload_key_vault} else - export workload_key_vault=${az_var} ; echo 'Workload Key Vault' ${workload_key_vault} ; echo 'Workload Key Vault' ${workload_key_vault} + export workload_key_vault=${az_var} ; echo 'Workload Key Vault' ${workload_key_vault} ; fi az_var=$(az pipelines variable-group variable list --group-id ${VARIABLE_GROUP_ID} --query "${NETWORK}"Workload_Secret_Prefix.value --output tsv) if [ -z ${az_var} ]; then export workload_prefix=$(cat "${environment_file_name}" | grep workload_zone_prefix | awk -F'=' '{print $2}' | xargs) ; echo 'Workload Prefix' ${workload_prefix} else - export workload_prefix=${az_var} ; echo 'Workload Prefix' ${workload_prefix}; echo 'Workload Prefix' ${workload_prefix} + export workload_prefix=${az_var} ; echo 'Workload Prefix' ${workload_prefix}; + fi + + az_var=$(az pipelines variable-group variable list --group-id ${VARIABLE_GROUP_ID} --query Terraform_Remote_Storage_Subscription.value --output tsv) + if [ -z ${az_var} ]; then + export control_plane_subscription=$(cat "${environment_file_name}" | grep STATE_SUBSCRIPTION | awk -F'=' '{print $2}' | xargs) ; echo 'Control Plane Subscription' ${control_plane_subscription} + else + export control_plane_subscription=${az_var} ; echo 'Control Plane Subscription' ${control_plane_subscription} fi if [[ $EXTRA_PARAMETERS = "'$(EXTRA_PARAMETERS)'" ]]; then 
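Review bot: The fallback `grep STATE_SUBSCRIPTION` matches any line containing that text, so a similarly named key in the environment file would presumably be picked up instead, and if neither source yields a value `control_plane_subscription` is exported empty and only fails later in `az account set --subscription`, with an error that points away from the real cause. Anchor the grep and fail early: `export control_plane_subscription=$(grep '^STATE_SUBSCRIPTION=' "${environment_file_name}" | awk -F'=' '{print $2}' | xargs)` followed by `if [ -z "${control_plane_subscription}" ]; then echo "##vso[task.logissue type=error]Control plane subscription could not be determined"; exit 2; fi`. The new `[ -z ${az_var} ]` test copies the unquoted form of the existing ones; quote it as `[ -z "${az_var}" ]` on the new line at least, since a value with whitespace breaks the test.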
@@ -255,6 +262,7 @@ stages: echo "##vso[task.setvariable variable=PASSWORD_KEY_NAME;isOutput=true]${workload_prefix}-sid-password" echo "##vso[task.setvariable variable=USERNAME_KEY_NAME;isOutput=true]${workload_prefix}-sid-username" echo "##vso[task.setvariable variable=NEW_PARAMETERS;isOutput=true]${new_parameters}" + echo "##vso[task.setvariable variable=CP_SUBSCRIPTION;isOutput=true]${control_plane_subscription}" echo -e "$green--- az login ---$reset" @@ -263,7 +271,7 @@ stages: if [ "$USE_MSI" = "true" ]; then echo "Using MSI" source /etc/profile.d/deploy_server.sh - az account set --subscription $ARM_SUBSCRIPTION_ID + az account set --subscription $control_plane_subscription else if [ ! -n $AZURE_CLIENT_ID ]; then @@ -287,7 +295,7 @@ stages: echo "##vso[task.logissue type=error]az login failed." exit $return_code fi - az account set --subscription $AZURE_SUBSCRIPTION_ID + az account set --subscription $control_plane_subscription fi return_code=$? @@ -297,7 +305,7 @@ stages: exit $return_code fi - az keyvault secret show --name ${workload_prefix}-sid-sshkey --vault-name $workload_key_vault --query value -o tsv > artifacts/${SAP_SYSTEM_CONFIGURATION_NAME}_sshkey + az keyvault secret show --name ${workload_prefix}-sid-sshkey --vault-name $workload_key_vault --subscription $AZURE_SUBSCRIPTION_ID --query value -o tsv > artifacts/${SAP_SYSTEM_CONFIGURATION_NAME}_sshkey cp sap-parameters.yaml artifacts/. cp ${SID}_hosts.yaml artifacts/. @@ -312,7 +320,7 @@ stages: AZURE_CLIENT_ID: $(ARM_CLIENT_ID) AZURE_CLIENT_SECRET: $(ARM_CLIENT_SECRET) AZURE_TENANT_ID: $(ARM_TENANT_ID) - AZURE_SUBSCRIPTION_ID: $(ARM_SUBSCRIPTION_ID) + AZURE_SUBSCRIPTION_ID: $(Terraform_Remote_Storage_Subscription) ANSIBLE_COLLECTIONS_PATHS: /opt/ansible/collections CONFIG_REPO_PATH: ${{ parameters.config_repo_path }} BOM_BASE_NAME: ${{ parameters.bom_base_name }} 
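Review bot: The private SSH key fetched in the `@@ -297,7 +305,7 @@` hunk is written to `artifacts/${SAP_SYSTEM_CONFIGURATION_NAME}_sshkey` through a plain redirect, so its mode is whatever the agent's umask yields (commonly 0644) and the key sits world-readable until the artifact step collects it; add `umask 077` before the redirect or `chmod 600 artifacts/${SAP_SYSTEM_CONFIGURATION_NAME}_sshkey` right after it. The added `--subscription $AZURE_SUBSCRIPTION_ID` is unquoted, and elsewhere in this commit `AZURE_SUBSCRIPTION_ID` is remapped to the control plane subscription although the vault here is the workload key vault; the vault name resolves through DNS, so the call should still succeed, but `--subscription "${control_plane_subscription}"` (or omitting the flag, since `az account set` already ran) would make the intent explicit.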
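Review bot: In the `@@ -312,7 +320,7 @@` hunk `AZURE_SUBSCRIPTION_ID` becomes `$(Terraform_Remote_Storage_Subscription)`, the control plane subscription, while the client id and secret next to it are unchanged; the step this env block belongs to starts outside the hunk, and if it also feeds the Ansible run, any azure.azcollection module that reads its subscription from this variable will now address the control plane rather than the workload subscription where the SAP VMs live. The commit already exports `control_plane_subscription` separately for the role that needs it, so this line can stay `AZURE_SUBSCRIPTION_ID: $(ARM_SUBSCRIPTION_ID)`. If the remap is intended, a comment such as `# control plane subscription: SAS/key lookups for the SAP binaries storage account` beside it would keep the next maintainer from reverting it.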
diff --git a/deploy/pipelines/templates/run-ansible.yaml b/deploy/pipelines/templates/run-ansible.yaml index 8180e824b5..2e09dd9fe8 100644 --- a/deploy/pipelines/templates/run-ansible.yaml +++ b/deploy/pipelines/templates/run-ansible.yaml @@ -25,6 +25,7 @@ steps: #If the deployer_file exists we run on a deployer configured by the framework instead of a azdo hosted one + export control_plane_subscription=$(Terraform_Remote_Storage_Subscription) deployer_file=/etc/profile.d/deploy_server.sh if [ $USE_MSI == "true" ]; then diff --git a/deploy/scripts/New-SDAFDevopsProject.ps1 b/deploy/scripts/New-SDAFDevopsProject.ps1 index bd2e46e468..019b5e33e6 100644 --- a/deploy/scripts/New-SDAFDevopsProject.ps1 +++ b/deploy/scripts/New-SDAFDevopsProject.ps1 @@ -468,7 +468,8 @@ else { Add-Content -Path $templatename " type: GitHub" Add-Content -Path $templatename -Value (" endpoint: " + $ghConn) Add-Content -Path $templatename " name: Azure/sap-automation" - Add-Content -Path $templatename -Value (" ref: refs/tags/" + $versionLabel) + Add-Content -Path $templatename " ref: refs/heads/main" +# Add-Content -Path $templatename -Value (" ref: refs/tags/" + $versionLabel) $cont = Get-Content -Path $templatename -Raw @@ -517,7 +518,7 @@ else { Add-Content -Path $templatename " type: GitHub" Add-Content -Path $templatename -Value (" endpoint: " + $ghConn) Add-Content -Path $templatename " name: Azure/sap-automation" - Add-Content -Path $templatename -Value (" ref: refs/tags/" + $versionLabel) + Add-Content -Path $templatename " ref: refs/heads/main" Add-Content -Path $templatename " - repository: sap-samples" Add-Content -Path $templatename " type: GitHub" Add-Content -Path $templatename -Value (" endpoint: " + $ghConn)
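Review bot: `export control_plane_subscription=$(Terraform_Remote_Storage_Subscription)` depends on Azure DevOps macro expansion; when that variable is absent from the linked variable group the literal `$(Terraform_Remote_Storage_Subscription)` reaches bash, which runs it as a command substitution, logs "command not found" and exports an empty string, so the `--subscription` parameter the 0.3 role builds from it silently disappears and the storage calls run against whatever subscription the deployer happens to be logged into. Guard the value right after the export: `if [ -z "${control_plane_subscription}" ]; then echo "##vso[task.logissue type=warning]Terraform_Remote_Storage_Subscription is not set; using the current subscription"; fi`, and mirror the GUID check the pipeline should already perform. The enclosing script step continues outside the hunk.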
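Review bot: Both hunks in New-SDAFDevopsProject.ps1 switch the generated pipeline's `sap-automation` repository resource from the pinned `refs/tags/<version>` to `refs/heads/main`, with the tagged line kept only as a comment in the first hunk. Every pipeline created by this script will then execute whatever is on the upstream branch at run time — including the Ansible roles and pipeline steps touched by this commit — so a single push to `main` changes what runs in downstream deployment pipelines with no review on the consumer's side. Keep the pinned reference as the default and make the branch an explicit opt-in via a script switch, or if this is a temporary development aid, mark it with a comment such as `# TEMP: tracking main for testing; restore refs/tags/$versionLabel before release` so it does not ship.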