Releases: Azure/sap-automation

v3.20.0.0

11 May 12:35

SDAF 3.20.0.0 - Release Notes

Release: May 2026 | Terraform: 1.15.1 | azurerm provider: 4.70.0 | Repository: Azure/sap-automation


What's New

Network Security Perimeter Support

SDAF now supports Azure Network Security Perimeter across all deployment layers. Terraform configurations for the deployer, library, landscape, and SAP system modules have been extended with full NSP association coverage — including storage accounts, Key Vault, App Configuration, Web App, and HANA shared resources. The access mode defaults to Enforced. This is a significant addition for customers with strict network isolation requirements.

Azure Extended Monitoring for SAP VMs

Enhanced monitoring is now deployable via an Ansible task that installs the Azure VM extension for SAP. The extension name is determined dynamically, and a new deploy_monitoring_extension variable controls whether deployment occurs. This replaces the previously removed monitoring extension logic and brings SAP monitoring back in a cleaner, parameterised form.

JAVA Stack Installation Support

SDAF can now automate the full installation of SAP JAVA-based products across SCS, PAS, and Application Server tiers. This includes conditional JAVA/ABAP detection paths for SCS, SAPHANADB and SAPJAVA1 schema handling, TCP parameter net.ipv4.tcp_retries2 configuration, and PD-path replacement for JAVA product IDs. Community contribution from LEGO's SAP team.

HANA-Only Deployments

The deployment playbooks now support HANA-only topologies — scenarios where the database tier is provisioned without a full SAP application stack. This addresses a recurring customer request for staged or standalone HANA deployments.

MSI-Based Deployments

Deployers can now authenticate using Managed Service Identity throughout the deployment lifecycle. The azurerm provider configuration conditionally applies use_msi, the ARM_USE_MSI condition handling has been corrected, and TF_VAR_subscription_id is consistently exported across both installer and remover scripts when MSI is in use.

New SAP Software Acquisition Pipeline

A dedicated pipeline for SAP software download is now available (04-sap-software-download.sh), alongside improvements to download_menu.sh and configuration_menu.sh for BOM-driven acquisition workflows.


Control Plane Scripts — Significant Overhaul

This release includes a comprehensive readability and correctness pass across the V1 and V2 control plane deployment scripts. The changes are structural rather than behavioural, but operators should be aware of several substantive corrections carried within:

  • TFE_PARALLELISM — The environment variable was misspelled as TF_PARALLELLISM across multiple scripts. This has been corrected; the previously exported variable was silently ignored by Terraform.
  • --auto-approve — Flag syntax was inconsistent (-auto-approve vs --auto-approve). Standardised throughout.
  • Exit handling — Fixed set -e / -o errexit interaction when scripts are sourced rather than executed directly.
  • Variable Group save failures — Scripts now exit and reset step = 0 when persisting state to ADO Variable Groups fails, preventing silent deployment state corruption.
  • TF401019 error — Fixed the ADO az pipelines variable-group failure that occurred when BUILD_SOURCEDIRECTORY had changed.
  • azure.azcollection — The Ansible collection is now explicitly registered in both configure_deployer.sh and its extension template.
  • Parameter arrays — Terraform parameter construction now uses arrays throughout, improving readability and reducing quoting-related bugs.

Security & IAM

  • Role assignment model updated: Role Based Access Control Administrator replaced with User Access Administrator across New-SDAFADOProject and New-SDAFADOWorkloadZone. Role assignment conditions now use GuidNotEquals for specific role definitions.
  • Network Contributor added to role assignments in multiple functions to support network resource management by the service principal.
  • Public network access now defaults to false across all Terraform variable files. Exceptions (e.g., SAP mount storage account) are handled explicitly.
  • user_assigned_identity_id now validates for a correct Azure resource identifier format, rejecting blank or malformed values early.
  • App Configuration Data Owner role added in New-SDAFADOProject.
  • Key Vault Secrets Officer corrected from the previously misspelled Secret Officer.
  • PAT secret management in Key Vault improved, with a corrected count condition to prevent spurious resource creation.
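
One way to express the user_assigned_identity_id check from the list above, as an added example rather than SDAF's own code. It assumes the check is a Terraform variable validation; the description text, regular expression and error messages are illustrative, and resource group names are assumed to be ASCII.

```hcl
# Added illustration: not taken from the sap-automation repository.
# Assumption: the variable carries the full ARM resource ID of a
# user-assigned managed identity.

# Before: any string is accepted, so a blank or truncated ID is only
# caught later in the run.
# variable "user_assigned_identity_id" {
#   type    = string
#   default = ""
# }

# After: blank and malformed values are rejected at plan time.
variable "user_assigned_identity_id" {
  description = "ARM resource ID of the user-assigned managed identity (illustrative description)."
  type        = string

  validation {
    condition     = length(trimspace(var.user_assigned_identity_id)) > 0
    error_message = "The user_assigned_identity_id value must not be blank."
  }

  validation {
    # (?i) because ARM resource IDs are case-insensitive.
    # The pattern is anchored at both ends so extra path segments fail.
    condition = can(regex(
      join("", [
        "(?i)^/subscriptions/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
        "/resourceGroups/[-a-z0-9_.()]{1,90}",
        "/providers/Microsoft[.]ManagedIdentity/userAssignedIdentities/",
        "[a-z0-9][-a-z0-9_]{2,127}$",
      ]),
      var.user_assigned_identity_id
    ))
    error_message = "The user_assigned_identity_id value must be a resource ID of the form /subscriptions/<guid>/resourceGroups/<name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>."
  }
}

# Constructed sample value that passes both checks:
# /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-example
```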

Terraform & Infrastructure

  • Terraform upgraded to 1.15.1 (interim versions 1.14.8, 1.14.9, and 1.15.0 were evaluated during the release cycle).
  • azurerm provider updated to 4.70.0.
  • A wait_for_subnets resource has been added to gate VNET peering on subnet readiness, addressing a race condition in greenfield deployments.
  • try() guard added in sap_library/transform.tf for deployer state access, eliminating an invalid-index risk during first-run provisioning.
  • Retry attempts for Terraform import during apply have been increased, reducing failures in environments with eventual-consistency resource registration.
  • deployer_tfstate_key variable added for explicit infrastructure state referencing.
  • Terraform state storage account resource group and subscription IDs are now sourced from disk when the backend is remote, improving reliability in multi-subscription deployments.
  • AFS/storage and inventory generation improved: Terraform modules now include storage blob resources for inventory management, and AFS handling logic has been refined across sap_landscape and sap_system.
  • System-assigned identity null values in output.tf are now handled safely.

Ansible & OS Configuration

/etc/hosts Management

The hosts file role has been refactored to use a dedicated Ansible filter plugin (sap_hosts_filters.py) for generating and managing SAP entries. The plugin is topology-aware, handles scale-out scenarios, avoids duplicate entries, and includes a strip_sap_managed_blocks method for cleaning orphaned SAP-managed blocks. Unit tests are included.

Pacemaker — Scale-Out & iSCSI Fencing

  • Concurrent fencing enabled in Pacemaker configuration, with refined stonith settings for improved fencing reliability in multi-node topologies.
  • iSCSI-based fencing on Red Hat: iSCSI fencing support has been extended to RHEL environments, a capability previously limited to SUSE. ACL generation now covers both DB and observer nodes across both distributions, with consolidated host indexing and an explicit observer ACL count computation task.
  • Retry logic added for secondary node cluster join operations.
  • SAPHanaSR provider path is now configured for both SUSE and scale-out tasks.

BOM Processing

  • Microsoft-supplied BOM is now searched across multiple directories, with improved debug output when not found.
  • BOM media list aggregation and patch information handling refactored for correctness.
  • Validation host list generation is now topology-aware.
  • Platform checks added to repository and package handling in BOM tasks.
  • SAPINST.CD.PACKAGE.CD1 parameter added; redundant CD package entries removed.

Oracle

  • Oracle Linux 9.7 added to supported distributions.
  • CV_ASSUME_DISTID logic updated across multiple roles to correctly identify distribution from kernel version.
  • NFS service name determination updated to accommodate additional Oracle Linux versions.
  • Stale process and shared memory cleanup in Oracle ASM database installation improved.

General

  • oinstall group limits added to kernel parameter configuration with updated configuration file path.
  • NVMe detection for swap setup improved: now uses lsblk and correctly identifies Microsoft NVMe Direct disks.
  • requests library pinned to 2.32.5 in requirements.txt.
  • Sybase disk sizes corrected to 256 GB (hotfix for incorrect sizing configuration).

Platform & Region Additions

| Category | Additions |
|---|---|
| Distributions | New SUSE, Red Hat, Windows, and Oracle Linux entries in sdaf_distros.json |
| Azure Regions | New regions added including indonesiacentral; max_fault_domain_count.json updated |
| SAP IPs | sdaf_urls.json updated with revised SAP connectivity endpoints |

Bug Fixes

| Area | Fix |
|---|---|
| Key Vault secret lookup | Full workload zone name now used for KV secret resolution in sap_system (#1096) |
| SUSE subscription | Condition for suse_subscription_id handling in registration tasks corrected (#1094) |
| Python requirements | requests pinned to 2.32.5; Python version requirement corrected (#1086, #1087) |
| Sybase disk sizing | Disk sizes corrected to 256 GB in sybase_sizes.json (#1065) |
| HANA replication | Retry parameters updated; cluster type settings adjusted |
| iSCSI ACL generation | Scale-out nodes now correctly included in ACL computation |
| Key Vault existence check | Now validates key_vault_id rather than DEPLOYER_KEYVAULT variable |
| Pacemaker Azure fencing | Conditionals for Azure fencing agent updated; job status check in DBLOAD tasks refined |
| Role assignment | role_assignments.tf typo corrected; scope uses correct WorkloadZoneSubscriptionId |
| DBLOAD path | Path variable handling in SAP DB load playbook corrected |
| download_directory | Removed redundant conditional pre-check (#1066) |
| suse_subscription_id | Property is now non-nullable in SystemModel |

*Full commit history available in the [sap-automation...

v3.19.0.0

06 Mar 11:29

SDAF 3.19.0.0 - Release Notes

Release: March 2026 | Terraform: 1.14.6 | Repository: Azure/sap-automation


What's New

HANA Scale-Out & High Availability

This release delivers the most substantial iteration yet on HANA scale-out Pacemaker support, with a focus on correctness and operational reliability in multi-node topologies.

  • SAPHanaSR-angi support is now enabled for SLES-based HANA scale-out deployments, including automated hook registration for the HANA controller.
  • Pacemaker cluster configuration now conditionally moves the SAP HANA clone to the primary node, gated on both the instance name and the Pacemaker package version — preventing erroneous resource movement in heterogeneous environments.
  • Scale-out tasks now execute StartSystem and StopSystem on both sites, with HANA stop/start operations conditionally applied per node based on instance name.
  • The meta failure-timeout parameter has been added to Pacemaker configuration for improved cluster stability under transient failures.
  • global.ini checks and configuration steps are now included in the scale-out provisioning flow, with cleanup logic to remove the flag when the cluster was not created by the automation framework.
  • HANA replication stabilization now uses an increased retry count, with explicit clear host errors tasks added to guard against stale cluster state.

Azure Files NFS (AFS) — Encryption in Transit

  • A new AFS_enable_encryption_in_transit parameter has been introduced across sap_landscape and sap_system Terraform modules, enabling NFSv4.1-based encrypted mounts for Azure Files shares.
  • NFS mount options are now set conditionally based on the fstype variable, with nolock removed from AFS mount configurations where it is incompatible.
  • Export policy rules on Azure NetApp Volumes now dynamically derive the allowed client address space from the virtual network, replacing previously hardcoded values.
  • HTTPS traffic enforcement is scoped correctly: enabled for general Azure Storage Accounts, disabled specifically for SAP mount storage accounts.

Oracle Data Guard

  • The primary instance mount step is now correctly sequenced before the database open operation, resolving a reliability gap in Data Guard setup.
  • Post-processing tasks have been refactored to include explicit database open mode checks and zombie standby process cleanup, improving idempotency.
  • Listener and tnsnames configuration is streamlined in the Data Guard preparation phase.
  • The RUNINSTALLER media path and MOPatch directory references have been corrected across installation tasks.
  • Dynamic SID handling is now applied in Oracle installation environment variable setup.

Platform Additions

| Platform | Detail |
|---|---|
| Red Hat 10.0 | Base and HA images added to VM-Images.json |
| Indonesia Central | Region support added across configuration files, scripts, and Helper.cs |

Infrastructure & Terraform

  • Terraform upgraded to 1.14.6 across all scripts, pipelines, and configuration references.
  • Azure and Microsoft.Identity package versions updated.
  • The azurerm provider configuration now conditionally sets use_msi and use_spn, with a corresponding conditional export of TF_VAR_use_spn for GitHub Actions workflows using MSI.
  • A typo in role_assignments.tf resource references has been corrected.
  • Role assignment scope and principal ID for HANA DB nodes have been fixed.
  • The Terraform plugin cache directory ownership is now corrected during deployer creation, resolving a permission failure on first-run provisioning.
  • HANA shared storage account and private endpoint logic has been significantly refactored to correctly handle single vs. multiple HANA shared scenarios, with version-gated count logic (version >= 19) and corrected index references throughout.
  • Dynamic identity block added for the Azure Linux VM observer to support managed identities.

Ansible & OS Configuration

SUSE / zypper

  • zypper repository installation now uses community.general.zypper with auto_import_keys and disable_gpg_check to resolve GPG-related hang issues in automated pipelines.
  • ZYPP_LOCK_TIMEOUT is now set to 60 for package installation and refresh tasks.
  • Microsoft GPG public keys are downloaded and imported for both RHEL and SUSE before repository configuration.
  • Microsoft Production repository URLs have been corrected and standardised across RHEL and SLES versions.
  • aznfs package entries removed from os-packages.yaml; Microsoft Production repository entries removed from repos.yaml where they were causing conflicts.
  • SUSE subscription handling now supports BYOS/BYOL images with updated activation commands for public cloud extensions.
  • New parameters for SUSE subscription ID and disk controller types added to SystemModel and related files.

Red Hat

  • passlib installation has been refactored to use the OS package manager with a pip fallback, now running correctly for all OS families.
  • compat-openssl11 and libcanberra-gtk2 packages commented out due to compatibility concerns.
  • compat-sap-c++ package specification updated to use a wildcard for version matching.
  • RHEL package installation tasks refactored for clarity and idempotency.

General

  • NVMe swap dependency installation added for both RHEL and SUSE in swap configuration tasks.
  • Installation logs are now persisted as pipeline artifacts.
  • SYSTEM_ACCESSTOKEN parameter added to Ansible run configuration for enhanced ADO authentication.
  • SAP password generation suffix character set expanded to include additional special characters.

BOM Processing

  • BOM registration now appends patch information and handles missing patch definitions with improved logging.
  • BOM download conditions include platform checks to ensure correct extraction per OS target.
  • Platform code handling added to the BOM template with updated product ID formatting.
  • Conditional BOM object display added based on operation type.

Networking & Greenfield / Brownfield

  • Virtual network subnet ID resolution now correctly accommodates both greenfield (defined) and brownfield (existing) network segments, resolving issue #1010.
  • Key Vault duplicate role assignment conflict in the workload zone has been resolved (#998).

VM Naming

  • Name override logic now standardises virtualmachine_names values to a list of strings.
  • Generator-produced values correctly override blank JSON keys.
  • Original naming generator output is preserved when keys are missing in the name override JSON.

Removed

  • SAP CAL Integration has been decommissioned. All associated variables have been removed from sap-parameters.yml and related resources.
  • The AFS_enable_encryption_in_transit variable has been removed from LandscapeTemplate.txt and LandscapeModel (superseded by the proper Terraform variable path).

Bug Fixes

| Area | Fix |
|---|---|
| ADO WorkloadZone setup | Resolved multiple silent failure bugs; improved error handling and logging in New-SDAFADOWorkloadZone |
| Service Principal login | Fixed az login for SPN-based authentication |
| Conditional state path | Corrected conditional nesting for state_path assignment in installer script |
| HANA cluster resource move | Fixed condition checking primary instance name for SAP HANA clone movement on RedHat |
| NFS options | Updated NFSv4.1 condition check in AFS configuration |
| AFS mount formatting | Fixed nfs_fs_type formatting and mount options in AFS mount tasks |
| Microsoft repo URL | Corrected RPM download URL for Microsoft packages repository on both RHEL and SUSE |

SDAF 3.18.0.0 Release Notes

16 Dec 14:32

Release Date: December 2025
Version: 3.18.0.0

Overview

This release enhances the SAP Deployment Automation Framework with improved DevOps integration, expanded platform support, and significant reliability improvements. Key additions include GitHub Actions automation, Azure App Configuration integration, Oracle Grid updates and Ubuntu 25.04 support.

What's New

🚀 GitHub Actions Integration

Automated Workflow Setup: New Python-based tooling automates the creation and configuration of GitHub Actions workflows for SDAF deployments. This eliminates manual workflow configuration and reduces setup time from hours to minutes.

Container-Based Execution: Deploy SAP systems using Docker containers in GitHub Actions, providing consistent execution environments and improved portability across development and production pipelines.

Key Benefits:

  • One-command workflow initialization
  • Automated secret and variable management
  • Built-in retry logic and error handling
  • Terraform 1.14.0 support out of the box

🔧 Azure App Configuration Support

Centralized Configuration Management: Integration with Azure App Configuration enables centralized parameter storage across control plane and workload zones, replacing scattered configuration files.

Key Benefits:

  • Single source of truth for deployment parameters
  • Private endpoint support for secure access
  • Automated DNS zone management
  • Simplified parameter retrieval across deployment stages

🐧 Ubuntu 25.04 Support

Extended Platform Coverage: Deploy and manage SDAF infrastructure on Ubuntu 25.04 ("Oracular Oriole"), ensuring compatibility with the latest LTS release.

Key Benefits:

  • Future-proof platform support
  • Updated Azure CLI integration
  • Terraform 1.14.0 compatibility
  • Seamless upgrade path from earlier versions

📊 Enhanced Observability

Improved Deployment Visibility: Azure Portal links now appear directly in deployment outputs, providing instant access to deployed resources without manual navigation.

Better Logging: Enhanced markdown formatting in deployment logs makes it easier to identify configuration details, errors, and successful operations.

Reliability Improvements

Deployment Robustness

  • State Management: Improved Terraform state handling eliminates errors caused by empty or corrupted state files
  • Key Vault Integration: Consistent key vault reference patterns across all deployment scenarios prevent authentication failures
  • Subscription Handling: Automated subscription ID extraction and validation reduce configuration errors

Oracle Database Deployments

  • Grid Infrastructure: Enhanced provisioning with proper separation of concerns for database and grid setup. Enable logical sector size handling
  • Observer VMs: Marketplace plan configuration now properly applied to observer VMs, preventing deployment failures

High Availability Configurations

  • SUSE Optimization: Reduced default vm.swappiness from 60 to 10 for SUSE HA clusters, improving overall system responsiveness
  • Pacemaker Compatibility: Enhanced version detection and resource configuration for pacemaker clustering
  • Distribution Detection: Ansible playbooks now have consistent access to distribution variables across all roles

Quality of Life Improvements

Parameter Management

  • Refactored parameter passing using modern Python idioms (dict with zip)
  • Streamlined APPLICATION_CONFIGURATION_ID retrieval with automatic fallbacks
  • Improved environment variable exports across deployment scripts

Error Handling

  • Enhanced error messages with actionable guidance
  • Added validation checks for common misconfigurations
  • Improved debug output with better filtering

Code Maintenance

  • Removed unused variables and data blocks
  • Eliminated redundant code across multiple modules
  • Standardized naming conventions throughout

Security Updates

Dependency Updates

This release includes security updates for multiple dependencies:

  • GitHub Actions: Updated to latest versions with security patches
  • .NET Components: Major version updates for System.Runtime.Caching, NuGet.Packaging, and dotnet-ef
  • Python Libraries: Updated requests library to 2.32.3
  • Azure SDK: Updated Azure.ResourceManager.Compute to 1.13.0

Infrastructure Security

  • Enhanced authentication handling in Terraform providers
  • Improved secret retrieval patterns with proper error handling
  • Streamlined role assignment logic for managed identities

Upgrade Instructions

From Previous Versions

  1. Backup Current State: Ensure Terraform state files are backed up before upgrading
  2. Update Scripts: Pull latest deployment scripts from the repository
  3. Validate Terraform: Confirm Terraform 1.14.0 compatibility with custom modules
  4. Test in Non-Production: Deploy to a test environment first to validate behavior

New Installations

Follow the standard SDAF installation procedure. This version includes all improvements automatically.

Configuration Changes Required

None - This release is fully backward compatible. Existing parameter files work without modification.

Known Issues

  1. Container Images: Docker support for GitHub Actions requires container registry access configuration
  2. App Configuration: Private endpoint creation may take up to 120 seconds in some regions

Breaking Changes

None - All existing deployments can upgrade in place without modifications.

Deprecation Notices

⚠️ SAP CAL features and pipelines will be deprecated in a future release.

Getting Started

GitHub Actions Setup

cd deploy/scripts/py_scripts/SDAF-GitHub-Actions
python New-SDAFGitHubActions.py

Azure App Configuration Integration

App Configuration is automatically provisioned when deploying landscapes with v2 scripts. No additional configuration required.

Ubuntu 25.04 Deployment

Deploy using standard SDAF procedures. Ubuntu version is detected automatically.

Documentation Updates

  • New GitHub Actions setup guide
  • Updated Azure App Configuration integration documentation
  • Enhanced troubleshooting guides for common deployment scenarios

Support

For issues, questions, or feature requests:


Full Changelog: View detailed changelog
Contributors: Special thanks to Kimmo Forss, Nadeen Noaman, Hemanth Damecharla, and all community contributors

Hotfix 3.17.0.1 release

11 Nov 15:11

What's Changed

Pacemaker fixes for scale-up scenarios

Control Plane removal script

Support for RedHat 10

Full Changelog: v3.17.0.0...v.3.17.0.1

v3.17.0.0

06 Nov 14:58

Release Notes v3.17.0.0


Overview

Version 3.17.0.0 introduces comprehensive Oracle Data Guard capabilities with ASMLib v3 support, enhanced NVMe disk handling for Azure VMs, and substantial improvements to SAP HANA scale-out high availability configurations. The release also modernizes Azure DevOps integration with full Managed Identity support and refactors Terraform modules to align with the latest Azure provider standards.

Key highlights include Oracle Data Guard automation, improved disk management for ZRS backup scenarios, enhanced pipeline orchestration, and critical fixes for network and storage configurations in complex SAP landscapes.


Major Enhancements

Oracle Database Support

Oracle Data Guard Automation

  • Full Data Guard Configuration: Comprehensive automation for Oracle Data Guard primary and standby database configurations, including:

    • Automated standby database creation with RMAN restore scripts
    • Service creation with high availability triggers
    • Log transport configuration with protection modes
    • Broker setup and verification with enhanced error handling
    • Stabilization procedures during finalization processes
  • Oracle ASMLib v3 Support: Added support for the latest ASMLib version with improved disk management capabilities

  • Oracle UEK7 Compatibility: Full support for Oracle Unbreakable Enterprise Kernel 7, ensuring compatibility with the latest Oracle Linux distributions

  • Enhanced Environment Management: Sophisticated handling of ORACLE_HOME, ORACLE_SID, and ORACLE_BASE environment variables across all Oracle playbooks

  • Improved Error Detection: Advanced checks for ORA-specific errors, zombie standby processes, and orphaned shared memory segments

  • Post-Deployment Optimization: Enhanced post-processing tasks including:

    • ASM configuration validation
    • Database load balancer health checks
    • Shared memory cleanup procedures
    • SSFS file handling and verification

Enhanced NVMe Support

Azure NVMe Disk Management

  • Backward Compatibility: Enhanced udev rules that work seamlessly with older distributions including SUSE 15 SP3 and RHEL 8.8

  • Improved Device Identification: Advanced namespace ID (NSID) detection with multiple fallback mechanisms:

    • Primary detection via udevadm
    • Fallback extraction from ID_PATH
    • Direct reading from /sys/class/block/<device>/nsid
  • LUN Mapping Calculator: Enhanced LUN-to-device mapping with improved accuracy across different Azure VM configurations

  • Unified Cross-OS Support: Consistent NVMe handling scripts for both RHEL and SUSE platforms with standardized task naming

  • Enhanced Diagnostics: Improved debug output and preflight checks for NVMe device detection and configuration

SAP HANA Scale-Out High Availability

Scale-Out Cluster Enhancements

  • Improved Cluster Resource Management: Refined Pacemaker configuration for SAP HANA scale-out scenarios with proper resource constraints

  • Observer VM Integration: Enhanced observer VM configuration with proper shared disk attachment and backend pool associations

  • Shared Storage Management: Improved handling of observer shared disks in high availability configurations

  • Directory Permissions: Proper permission settings for /hana/shared directory in scale-out deployments

  • Streamlined Installation: Simplified preparation tasks for SAP HANA scale-out installations with reduced manual intervention

Managed Identity Integration

Azure DevOps Managed Identity Support

  • Full MI Authentication: Complete Managed Identity support in Azure DevOps pipelines, eliminating the need for Service Principal secrets

  • New PowerShell Functions:

    • Get-SDAFUserAssignedIdentity: Retrieve user-assigned identities from Azure
    • Set-AdoManagedIdentityCredentials: Configure MI credentials in variable groups
    • Set-AdoSPNCredentials: Configure SPN credentials with improved validation
  • Enhanced Pipeline Parameters:

    • Added ManagedIdentityId parameter (mandatory when using MI authentication)
    • Improved ControlPlaneSubscriptionId parameter handling
    • Better role assignment logic with comprehensive logging
  • Variable Group Migration: Utility scripts to migrate from SPN to Managed Identity authentication:

    • Upgrade-ControlPlaneVariableGroup.ps1
    • Upgrade-WorkloadZoneVariableGroup.ps1
    • Copy-AzDevOpsVariableGroupVariable function for variable migration

Improvements

Infrastructure and Terraform

Provider Compatibility Updates

  • Migrated to latest Azure provider property names to eliminate deprecation warnings:

    • Key Vault: enable_rbac_authorization → rbac_authorization_enabled
    • Virtual Machines: enable_automatic_updates → automatic_updates_enabled
    • Load Balancers: enable_floating_ip → floating_ip_enabled
    • Azure NetApp Files: protocols_enabled → protocol
  • Enhanced Role Assignments: Added Key Vault Administrator and Secrets Officer roles with appropriate conditions for improved security posture

  • Resource Naming Flexibility: Introduced custom_random_id variable for resource name suffixes, removing dependencies on DEPLOYER_RANDOM_ID and LIBRARY_RANDOM_ID

  • Improved Variable Handling: Enhanced handling of unset/null variables with better fallback logic throughout Terraform modules

Network Configuration Refinements

  • Refactored subnet ID handling across all modules for improved clarity and error prevention
  • Enhanced storage subnet output with robust fallback handling
  • Optimized NSG count logic for application and web subnets
  • Fixed subnet CIDR value trimming in output files
  • Improved conditional checks for landscape_tfstate keys

Key Vault Management

  • Refactored role assignment dependencies to reduce redundancy
  • Enhanced access policy conditions with permission assignment options
  • Improved secret existence checks using user ARM ID
  • Streamlined secret name assignments using local variables

Azure DevOps Pipeline Enhancements

Pipeline Architecture

  • Terraform Version Upgrade: Bumped from 1.12.2 to 1.13.3 across all deployment scripts

  • Improved Parameter Management: Comprehensive refactoring of deployment YAML files with enhanced parameter definitions and validation

  • Ansible Installation Control: Added dedicated Ansible installation script with:

    • Version pinning for ansible-core
    • Specified versions for community.general collection
    • Conditional JMESPath installation logic
  • Variable Group Standardization:

    • Consistent use of DEPLOYER_ENVIRONMENT for variable group construction
    • Fixed VARIABLE_GROUP_ID usage in system deployment pipelines
    • Removed unused DEPLOYER_KEYVAULT variable

Script Improvements

  • Enhanced error handling with proper return codes instead of exit calls
  • Improved Azure login visibility controls with better debugging
  • Added Azure account information display on Terraform failures
  • Streamlined installer script calls with comprehensive error checking

Disk and Storage Management

Enhanced Backup Disk Handling

  • ZRS storage type detection for backup disks with automatic zone assignment
  • Intelligent zone placement logic when using ZRS backup disks
  • Improved proximity placement group logic for Windows VMs

Standardized IOPS/MBPS Configuration

  • Unified configuration approach for both UltraSSD_LRS and PremiumV2_LRS disk types
  • Consistent IOPS and throughput settings across all disk configurations
  • Optimized Ansible disk definitions for better performance

Sybase Storage Configuration

  • Reorganized storage definitions for Sybase 512, 1024, and 2048 configurations
  • Added accelerated networking support
  • Corrected lun_start values for proper disk alignment

Network Configuration

Subnet Management

  • Comprehensive refactoring of subnet ID handling with improved error prevention
  • Enhanced fallback logic for storage subnet outputs
  • Better handling of landscape_tfstate keys in conditional checks
  • Simplified NSG assignment logic for clarity

DNS and Private Link

  • Refactored DNS zone link count conditions for improved reliability:
    • vault_agent DNS zone links
    • blob_agent DNS zone links
    • vnet_mgmt_blob-agent DNS zone links
  • Enhanced readability and maintainability of DNS configurations

Bug Fixes

Terraform Configuration Fixes

  • Fixed disk attachment references for observer VMs in outputs.tf
  • Corrected observer shared disks output to reference azurerm_linux_virtual_machine
  • Fixed variable name consistency in disk output definitions
  • Resolved syntax errors in subnet ID parsing
  • Corrected return value handling in Terraform plan execution

Pipeline and Script Fixes

  • Fixed VARIABLE_GROUP vs VARIABLE_GROUP_ID usage in 03-sap-system-deployment
  • Resolved integer conversion errors in variable group operations
  • Fixed control plane name constru...

v3.16.0.2

19 Aug 12:58


📦 Release Notes v3.16.0.2 – Managed DevOps & Install Enhancements


Overview

This is a hotfix for v3.16.0.1 and fixes issues with deploying some of the components.

This release introduces comprehensive support for the new SLES and RHEL for SAP Applications distributions, alongside critical updates to Pacemaker and SBD configurations for improved cluster reliability. It also enhances error handling in custom Python filters, refines SAP-related tasks, and standardizes deployment pipelines with improved tooling and variable management. These changes collectively improve system robustness, maintainability, and deployment consistency across environments.


🆕 New Features

  • SUSE Linux Support

    • Added support for new SUSE OS release across package, repository, and variable definitions.
    • Updated conditional logic in cluster and mount tasks to ensure compatibility with the new distribution.
  • RedHat Support

    • Added support for RHEL 9.6 OS release across package, repository, and variable definitions.

🔧 Improvements

Pacemaker and SBD Configuration

  • Increased stonith-timeout from 144 to 210 seconds for both RedHat and SUSE roles to improve fencing reliability.
  • Refactored SBD configuration:
    • Replaced static delay start with OS-specific values.
    • Moved timeout and dependency settings to systemd override files for better maintainability.

Error Handling and Logging

  • Enhanced exception handling in custom Python filter plugins:
    • Added detailed exception messages and stack traces.
    • Introduced type checks to prevent runtime errors.

SAP and Package Management

  • Updated SAP note references for accuracy.
  • Corrected symlink creation for compat-sap-c++ version 13.
  • Removed unnecessary installation of dbus-1-python in the iSCSI server role.

Deployment Pipeline Enhancements

  • Terraform Installation

    • Added TerraformInstaller@1 task to pipelines:
      • 01-deploy-control-plane.yaml
      • 02-sap-workload-zone.yaml
      • 03-sap-system-deployment.yaml
      • 04-sap-software-download.yaml
      • 05-DB-and-SAP-installation.yaml
    • Ensures Terraform is installed before execution.
  • Key Vault and Subscription Variable Standardization

    • Replaced $(Preparation.VAULT_NAME) with $(KEYVAULT) for clarity.
    • Updated $(ARM_SUBSCRIPTION_ID) to $(Preparation.ARM_SUBSCRIPTION_ID) for consistency.
  • Ansible Installation Reinstatement

    • Re-enabled and updated inline Bash script for installing ansible-core and required collections.
    • Applied changes to 05-DB-and-SAP-installation.yaml and 04-sap-software-download.yaml.
  • Environment Cleanup

    • Removed unused DEPLOYER_KEYVAULT variable from 01-deploy-control-plane.yaml.

🐞 Bug Fixes

  • Corrected undefined variable issues in the chrony role related to Python interpreter selection.
  • Improved compatibility and linting accuracy by updating Ansible and Ansible-Lint versions in GitHub Actions workflow.

📄 Miscellaneous

  • Updated GRUB configuration tasks for RHEL 8.x to improve reliability and ensure consistent boot behavior.

Full Changelog: v3.16.0.1...v3.16.0.2

v3.16.0.1

12 Aug 15:33


📦 Release Notes v3.16.0.1 – Managed DevOps & Install Enhancements [Use v3.16.0.2]


Overview

This release introduces comprehensive support for the new SUSE Linux Enterprise Server for SAP Applications distribution, alongside critical updates to Pacemaker and SBD configurations for improved cluster reliability. It also enhances error handling in custom Python filters, refines SAP-related tasks, and standardizes deployment pipelines with improved tooling and variable management. These changes collectively improve system robustness, maintainability, and deployment consistency across environments.


🆕 New Features

  • SUSE Linux Support
    • Added support for new SUSE OS release across package, repository, and variable definitions.
    • Updated conditional logic in cluster and mount tasks to ensure compatibility with the new distribution.

🔧 Improvements

Pacemaker and SBD Configuration

  • Increased stonith-timeout from 144 to 210 seconds for both RedHat and SUSE roles to improve fencing reliability.
  • Refactored SBD configuration:
    • Replaced static delay start with OS-specific values.
    • Moved timeout and dependency settings to systemd override files for better maintainability.

Error Handling and Logging

  • Enhanced exception handling in custom Python filter plugins:
    • Added detailed exception messages and stack traces.
    • Introduced type checks to prevent runtime errors.

SAP and Package Management

  • Updated SAP note references for accuracy.
  • Corrected symlink creation for compat-sap-c++ version 13.
  • Removed unnecessary installation of dbus-1-python in the iSCSI server role.

Deployment Pipeline Enhancements

  • Terraform Installation

    • Added TerraformInstaller@1 task to pipelines:
      • 01-deploy-control-plane.yaml
      • 02-sap-workload-zone.yaml
      • 03-sap-system-deployment.yaml
      • 04-sap-software-download.yaml
      • 05-DB-and-SAP-installation.yaml
    • Ensures Terraform is installed before execution.
  • Key Vault and Subscription Variable Standardization

    • Replaced $(Preparation.VAULT_NAME) with $(KEYVAULT) for clarity.
    • Updated $(ARM_SUBSCRIPTION_ID) to $(Preparation.ARM_SUBSCRIPTION_ID) for consistency.
  • Ansible Installation Reinstatement

    • Re-enabled and updated inline Bash script for installing ansible-core and required collections.
    • Applied changes to 05-DB-and-SAP-installation.yaml and 04-sap-software-download.yaml.
  • Environment Cleanup

    • Removed unused DEPLOYER_KEYVAULT variable from 01-deploy-control-plane.yaml.

🐞 Bug Fixes

  • Corrected undefined variable issues in the chrony role related to Python interpreter selection.
  • Improved compatibility and linting accuracy by updating Ansible and Ansible-Lint versions in GitHub Actions workflow.

📄 Miscellaneous

  • Updated GRUB configuration tasks for RHEL 8.x to improve reliability and ensure consistent boot behavior.

v3.16.0.1 by @devanshjainms in #807

Full Changelog: v3.16.0.0...v3.16.0.1

v3.16.0.0

15 Jul 04:24


Release v3.16.0.0

Overview

This release delivers substantial enhancements to NVMe support for Azure VMs, particularly on RHEL and SUSE platforms. It introduces improved Terraform automation, refined Azure Key Vault integration, and more robust deployment scripting. The update also includes critical fixes, improved error handling, and better metadata extraction. Notably, this release incorporates support for STONITH SBD fencing in RHEL clusters, expanded OS compatibility, and automation improvements for disk preparation and validation.


🚀 New Features

NVMe Support Enhancements

  • Enhanced GRUB configuration and NVMe timeout handling.
  • Streamlined preflight checks with improved debug output.
  • Improved detection of NVMe modules and reboot requirements across RHEL and SUSE.

STONITH SBD Configuration for RHEL

  • Integrated logic to support SBD-based fencing in RHEL clusters using Azure shared disks.
  • Addressed service dependencies (iscsi, iscsid, sbd) and ensured proper enablement on boot.
  • Improved cluster initialization logic and clarified configuration steps for zonal deployments using ZRS disks.
  • Documented fallback strategies and DR region reconfiguration steps for SBD devices.
  • Updated test automation logic to reflect correct node names and handle skipped test cases gracefully.

Other enhancements

  • Azure Metadata Retrieval
    • Added tasks to extract Subscription ID, Resource Group Name, and VM Name from Azure metadata.
  • Terraform Enhancements
    • Exported TF_VAR_subscription_id for improved configuration.
    • Introduced new configurations for M832 and M896 VM series.
  • SDAFWebApp Initialization
    • Bootstrapped with .NET 8.0 and essential package references.

🔧 Improvements

OS Compatibility and Automation

  • Developed cross-OS scripts to automate NVMe preparation, including initramfs updates, fstab validation, and GRUB parameter checks.
  • Enhanced udev rules to support namespace ID (NSID) detection and LUN mapping, resolving compatibility issues on older OS versions like SUSE 15 SP3 and RHEL 8.8.
  • Introduced fallback logic to extract NSID from ID_PATH or /sys/class/block/<device>/nsid when udevadm fails to return expected values.
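
The NSID fallback described above can be sketched as follows. This is an added example, not SDAF's own script: the function names, the `sys_root` parameter and the sample property values are assumptions, as is the reliance on udev's ID_PATH ending in `nvme-<nsid>` for NVMe namespaces.

```bash
# Added example (not SDAF code): resolve an NVMe namespace ID (NSID) from
# ID_PATH first, then from sysfs, validating every value before it is used.

# Extract the NSID from a udev property dump ("KEY=value" lines).
# Assumes ID_PATH ends in "-nvme-<nsid>", e.g. "pci-0000:00:04.0-nvme-2".
nsid_from_id_path() {
  local props="$1" id_path nsid
  id_path=$(printf '%s\n' "$props" | sed -n 's/^ID_PATH=//p' | head -n 1)
  case "$id_path" in
    *-nvme-*) ;;
    *) return 1 ;;
  esac
  nsid="${id_path##*-nvme-}"
  case "$nsid" in
    ''|*[!0-9]*) return 1 ;;   # accept plain decimal numbers only
  esac
  printf '%s\n' "$nsid"
}

# Read the NSID from <sys_root>/class/block/<device>/nsid.
# sys_root is a parameter (hypothetical) so the lookup can be tested offline.
nsid_from_sysfs() {
  local dev="$1" sys_root="${2:-/sys}" file nsid
  case "$dev" in
    ''|*/*|*..*) return 1 ;;   # refuse names that could escape the sysfs tree
  esac
  file="$sys_root/class/block/$dev/nsid"
  [ -r "$file" ] || return 1
  nsid=$(tr -d '[:space:]' < "$file")
  case "$nsid" in
    ''|*[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$nsid"
}

# Try ID_PATH, then sysfs; a non-zero status means no trustworthy NSID.
resolve_nsid() {
  local dev="$1" props="$2" sys_root="${3:-/sys}"
  nsid_from_id_path "$props" || nsid_from_sysfs "$dev" "$sys_root"
}

# Constructed demo: a fake sysfs tree and fake udev property dumps.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/class/block/nvme0n3"
echo 3 > "$demo_root/class/block/nvme0n3/nsid"
resolve_nsid nvme0n2 'ID_PATH=pci-0000:00:04.0-nvme-2' "$demo_root"  # from ID_PATH
resolve_nsid nvme0n3 'DEVNAME=/dev/nvme0n3' "$demo_root"             # sysfs fallback
rm -rf "$demo_root"
```

On a real host the property dump would come from `udevadm info --query=property --name=/dev/<device>`; a caller should treat a non-zero return as "do not create the LUN mapping" rather than guessing a value.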

Deployment Scripts

  • Improved Azure login handling and environment variable management.
  • Enhanced error reporting and debug logging across scripts.
  • Streamlined control plane cleanup and variable group handling.

Key Vault Integration

  • Refined retrieval logic using Azure Graph API.
  • Improved secret existence checks and error handling.

Terraform State Management

  • Refactored state resource ID retrieval.
  • Simplified output definitions and variable assignments.

Logging and Debugging

  • Replaced echo statements with structured banners.
  • Improved traceability in secret retrieval and deployment stages.

🐞 Bug Fixes

  • Corrected key vault existence checks using user ARM ID.
  • Fixed output variable naming inconsistencies (random_identifier vs random_id).
  • Resolved GRUB configuration and NVMe timeout logic issues.
  • Addressed Terraform apply failure handling.
  • Corrected module names and region paths in SDAFUtilities.
  • Fixed string comparison syntax and removed redundant flags.

🛠 Infrastructure & Configuration

  • Provider Versions
    • Updated azurerm to 4.35.0 and azapi to 2.5.0.
  • Variable Management
    • Improved handling of unset/null variables.
    • Streamlined variable group assignments and cleanup.
  • Script Enhancements
    • Added support for MSI and ARM variables.
    • Improved script permissions and execution flow.
  • Repository Maintenance
    • Removed obsolete scripts and variables.

📄 Miscellaneous

  • Added documentation for RHEL 8.6 ambiguity.
  • Refactored modules for improved readability and maintainability.
  • Upgraded GitHub Actions and Azure SDK packages via Dependabot.

v3.15.0.0

20 Jun 08:42


Release Notes – Version v3.15.0.0

Overview

This release introduces enhancements across automation pipelines, SAP installation playbooks, and platform compatibility. It includes security updates, improved error handling, support for new OS versions, and refined configuration logic.


Key Enhancements

🔐 Security & Compliance

  • Updated step-security/harden-runner to v2.12.1 across all GitHub workflows.
  • Upgraded codeql-action to v3.29.0 for improved static analysis.
  • Enforced CRL validation (SAPINST_ENFORCE_CRL=true) across SAP installation playbooks for enhanced certificate handling (SAP Note: 3207613).

⚙️ SAP Installation Improvements

  • Refactored error handling in SAP installation playbooks to use select('search', 'ERROR') for cleaner diagnostics.
  • Added support for web_sidadm_uid in Web Dispatcher templates.
  • Improved conditional logic for Oracle observer and shared home tasks.
  • Enhanced mount logic for AFS and ANF with better validation and fallback handling.

📦 Dependency Updates

  • Updated multiple Azure SDK packages and Microsoft Identity libraries to latest stable versions.
  • Upgraded Python setup and dependency review actions in CI workflows.

🧪 Testing & Validation

  • Introduced cibadmin cluster readiness check for Pacemaker on SUSE.
  • Improved SAPHanaSR hook deployment and validation for scale-out clusters on RHEL.

🖥️ Platform & OS Support

  • Added support for:
    • Configurations based on RedHat 9.4.
    • RedHat 8.10 in cluster configuration.
    • SUSE SLES_SAP 15.6 in SAPHanaSR and pacemaker roles.

🧰 Tooling & Automation

  • Added TerraformInstaller@1 to pipelines for dynamic Terraform provisioning.
  • Refined Azure DevOps pipeline environment variables for consistency and clarity.
  • Improved GitHub Actions for Ansible linting and Trivy scanning.

Bug Fixes

  • Corrected logic for observer tier detection in Oracle deployments.
  • Fixed mountpoint handling in /etc/fstab for HANA scale-out configurations.
  • Addressed inconsistencies in SAPINST command formatting across roles.

Breaking Changes

  • CRL enforcement is now enabled by default. For air-gapped environments, this may require manual override.
  • Deprecated legacy error line extraction logic in favor of select('search', 'ERROR').

Upgrade Notes

  • Ensure all pipeline variables are updated to reflect new environment variable names.
    • Upgrade steps for Azure DevOps: rename all variables in the variable groups to drop the "CP_" and "WL_" prefixes, for example CP_ARM_SUBSCRIPTION_ID -> ARM_SUBSCRIPTION_ID.
  • Review CRL enforcement implications for your deployment environment.
  • Validate compatibility with new OS versions if applicable.

v3.14.1.0

28 Mar 09:46


What's Changed

This release includes several changes across multiple files to improve the functionality and configuration of the deployment scripts. The key changes include updates to Ansible playbooks and templates for SAP and Oracle installations, as well as minor adjustments to YAML configuration files.

Summary of Changes

  • Ensure Terraform commands in shell scripts return the correct exit code
  • An option has been added to each Terraform module to allow enabling Encryption at Host via the encryption_at_host_enabled variable.
  • Corrected directory ownership assignment for /hana/* directories from non-existent {{ sidadm }} to the proper {{ hdbadm }} user ID
  • Preserved ARM_SUBSCRIPTION_ID throughout authentication processes when using Managed Service Identity (MSI)
  • Fixed remediation logic for storage accounts to support provider upgrades with data_plane_available setting
  • Refactored ReplaceResourceInStateFile function to accept direct input rather than relying on external context
  • Enhanced robustness for workload zones by improving resource property handling for zones not recently redeployed
  • Resolved infrastructure deployment failures in SYBASE standalone deployments when enable_app_tier_deployment is set to false
  • Fixed circular mount issues of /sapmnt in standalone deployments using NFS_provider = NONE with supported_tiers for SCS and SYBASE

Acknowledgements

@pkrcm, @SteffenBoThomsen

Full Changelog: v3.14.0.0...v3.14.1.0