v3.20.0.0

hdamecharla released this 11 May 12:35

SDAF 3.20.0.0 - Release Notes

Release: May 2026 | Terraform: 1.15.1 | azurerm provider: 4.70.0 | Repository: Azure/sap-automation


What's New

Network Security Perimeter Support

SDAF now supports Azure Network Security Perimeter across all deployment layers. Terraform configurations for the deployer, library, landscape, and SAP system modules have been extended with full NSP association coverage — including storage accounts, Key Vault, App Configuration, Web App, and HANA shared resources. The access mode defaults to Enforced. This is a significant addition for customers with strict network isolation requirements.

Azure Extended Monitoring for SAP VMs

Enhanced monitoring is now deployable via an Ansible task that installs the Azure VM extension for SAP. The extension name is determined dynamically, and a new deploy_monitoring_extension variable controls whether deployment occurs. This replaces the previously removed monitoring extension logic and brings SAP monitoring back in a cleaner, parameterised form.

JAVA Stack Installation Support

SDAF can now automate the full installation of SAP JAVA-based products across SCS, PAS, and Application Server tiers. This includes conditional JAVA/ABAP detection paths for SCS, SAPHANADB and SAPJAVA1 schema handling, TCP parameter net.ipv4.tcp_retries2 configuration, and PD-path replacement for JAVA product IDs. Community contribution from LEGO's SAP team.

HANA-Only Deployments

The deployment playbooks now support HANA-only topologies — scenarios where the database tier is provisioned without a full SAP application stack. This addresses a recurring customer request for staged or standalone HANA deployments.

MSI-Based Deployments

Deployers can now authenticate using Managed Service Identity throughout the deployment lifecycle. The azurerm provider configuration conditionally applies use_msi, the ARM_USE_MSI condition handling has been corrected, and TF_VAR_subscription_id is consistently exported across both installer and remover scripts when MSI is in use.

New SAP Software Acquisition Pipeline

A dedicated pipeline for SAP software download is now available (04-sap-software-download.sh), alongside improvements to download_menu.sh and configuration_menu.sh for BOM-driven acquisition workflows.


Control Plane Scripts — Significant Overhaul

This release includes a comprehensive readability and correctness pass across the V1 and V2 control plane deployment scripts. The changes are structural rather than behavioural, but operators should be aware of several substantive corrections carried within:

  • TFE_PARALLELISM — The environment variable was misspelled as TF_PARALLELLISM across multiple scripts. This has been corrected; the previously exported variable was silently ignored by Terraform.
  • --auto-approve — Flag syntax was inconsistent (-auto-approve vs --auto-approve). Standardised throughout.
  • Exit handling — Fixed set -e / -o errexit interaction when scripts are sourced rather than executed directly.
  • Variable Group save failures — When persisting state to ADO Variable Groups fails, scripts now exit and reset step = 0, preventing silent deployment state corruption.
  • TF401019 error — Fixed the ADO az pipelines variable-group failure that occurred when BUILD_SOURCEDIRECTORY had changed.
  • azure.azcollection — The Ansible collection is now explicitly registered in both configure_deployer.sh and its extension template.
  • Parameter arrays — Terraform parameter construction now uses arrays throughout, improving readability and reducing quoting-related bugs.
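
Why the parameter-array and sourced-script errexit items above matter, as an added example that is not taken from the SDAF scripts. The function names, the count_args stub standing in for terraform, and the sample path and state key are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: hypothetical helper names; terraform is replaced by a stub
# that only counts the arguments it would have received.

# Arrays are a bash feature; re-run under bash if another shell started this file.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# Enable errexit only when executed directly. In a sourced file, set -e would
# persist in the caller's shell and a failing command would end that shell.
if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
  set -o errexit
fi

# Stub standing in for `terraform apply`: prints how many arguments arrived.
count_args() { echo "$#"; }

# String-built parameters: the unquoted expansion is word-split, so a path
# containing a space silently becomes two arguments.
apply_with_string() {
  local var_file="$1" state_key="$2"
  local params="-var-file=${var_file} -var deployer_tfstate_key=${state_key} --auto-approve"
  # shellcheck disable=SC2086  # deliberate: this is the fragile form
  count_args $params
}

# Array-built parameters: each element stays one argument whatever it contains.
apply_with_array() {
  local var_file="$1" state_key="$2"
  local -a params=(
    "-var-file=${var_file}"
    -var "deployer_tfstate_key=${state_key}"
    --auto-approve
  )
  count_args "${params[@]}"
}

# Constructed sample values (not from the release).
sample_file="/tmp/sdaf demo/workload.tfvars"
sample_key="deployer-infrastructure.terraform.tfstate"

echo "string form: $(apply_with_string "$sample_file" "$sample_key") args"
echo "array form:  $(apply_with_array "$sample_file" "$sample_key") args"
```

With the sample path the string form hands the stub five arguments and the array form four, which is the class of quoting bug the array conversion removes.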

Security & IAM

  • Role assignment model updated: Role Based Access Control Administrator replaced with User Access Administrator across New-SDAFADOProject and New-SDAFADOWorkloadZone. Role assignment conditions now use GuidNotEquals for specific role definitions.
  • Network Contributor added to role assignments in multiple functions to support network resource management by the service principal.
  • Public network access now defaults to false across all Terraform variable files. Exceptions (e.g., SAP mount storage account) are handled explicitly.
  • user_assigned_identity_id now validates for a correct Azure resource identifier format, rejecting blank or malformed values early.
  • App Configuration Data Owner role added in New-SDAFADOProject.
  • Key Vault Secrets Officer corrected from the previously misspelled Secret Officer.
  • PAT secret management in Key Vault improved, with a corrected count condition to prevent spurious resource creation.

Terraform & Infrastructure

  • Terraform upgraded to 1.15.1 (interim versions 1.14.8, 1.14.9, and 1.15.0 were evaluated during the release cycle).
  • azurerm provider updated to 4.70.0.
  • A wait_for_subnets resource has been added to gate VNET peering on subnet readiness, addressing a race condition in greenfield deployments.
  • try() guard added in sap_library/transform.tf for deployer state access, eliminating an invalid-index risk during first-run provisioning.
  • Retry attempts for Terraform import during apply have been increased, reducing failures in environments with eventual-consistency resource registration.
  • deployer_tfstate_key variable added for explicit infrastructure state referencing.
  • Terraform state storage account resource group and subscription IDs are now sourced from disk when the backend is remote, improving reliability in multi-subscription deployments.
  • AFS/storage and inventory generation improved: Terraform modules now include storage blob resources for inventory management, and AFS handling logic has been refined across sap_landscape and sap_system.
  • System-assigned identity null values in output.tf are now handled safely.

Ansible & OS Configuration

/etc/hosts Management

The hosts file role has been refactored to use a dedicated Ansible filter plugin (sap_hosts_filters.py) for generating and managing SAP entries. The plugin is topology-aware, handles scale-out scenarios, avoids duplicate entries, and includes a strip_sap_managed_blocks method for cleaning orphaned SAP-managed blocks. Unit tests are included.

Pacemaker — Scale-Out & iSCSI Fencing

  • Concurrent fencing enabled in Pacemaker configuration, with refined stonith settings for improved fencing reliability in multi-node topologies.
  • iSCSI-based fencing on Red Hat: iSCSI fencing support has been extended to RHEL environments, a capability previously limited to SUSE. ACL generation now covers both DB and observer nodes across both distributions, with consolidated host indexing and an explicit observer ACL count computation task.
  • Retry logic added for secondary node cluster join operations.
  • SAPHanaSR provider path is now configured for both SUSE and scale-out tasks.

BOM Processing

  • Microsoft-supplied BOM is now searched across multiple directories, with improved debug output when not found.
  • BOM media list aggregation and patch information handling refactored for correctness.
  • Validation host list generation is now topology-aware.
  • Platform checks added to repository and package handling in BOM tasks.
  • SAPINST.CD.PACKAGE.CD1 parameter added; redundant CD package entries removed.

Oracle

  • Oracle Linux 9.7 added to supported distributions.
  • CV_ASSUME_DISTID logic updated across multiple roles to correctly identify distribution from kernel version.
  • NFS service name determination updated to accommodate additional Oracle Linux versions.
  • Stale process and shared memory cleanup in Oracle ASM database installation improved.

General

  • oinstall group limits added to kernel parameter configuration with updated configuration file path.
  • NVMe detection for swap setup improved: now uses lsblk and correctly identifies Microsoft NVMe Direct disks.
  • requests library pinned to 2.32.5 in requirements.txt.
  • Sybase disk sizes corrected to 256 GB (hotfix for incorrect sizing configuration).

Platform & Region Additions

| Category | Additions |
|---|---|
| Distributions | New SUSE, Red Hat, Windows, and Oracle Linux entries in sdaf_distros.json |
| Azure Regions | New regions added including indonesiacentral; max_fault_domain_count.json updated |
| SAP IPs | sdaf_urls.json updated with revised SAP connectivity endpoints |

Bug Fixes

| Area | Fix |
|---|---|
| Key Vault secret lookup | Full workload zone name now used for KV secret resolution in sap_system (#1096) |
| SUSE subscription | Condition for suse_subscription_id handling in registration tasks corrected (#1094) |
| Python requirements | requests pinned to 2.32.5; Python version requirement corrected (#1086, #1087) |
| Sybase disk sizing | Disk sizes corrected to 256 GB in sybase_sizes.json (#1065) |
| HANA replication | Retry parameters updated; cluster type settings adjusted |
| iSCSI ACL generation | Scale-out nodes now correctly included in ACL computation |
| Key Vault existence check | Now validates key_vault_id rather than DEPLOYER_KEYVAULT variable |
| Pacemaker Azure fencing | Conditionals for Azure fencing agent updated; job status check in DBLOAD tasks refined |
| Role assignment | role_assignments.tf typo corrected; scope uses correct WorkloadZoneSubscriptionId |
| DBLOAD path | Path variable handling in SAP DB load playbook corrected |
| download_directory | Removed redundant conditional pre-check (#1066) |
| suse_subscription_id | Property is now non-nullable in SystemModel |

Full commit history available in the sap-automation repository.