v3.17.0.0

@hdamecharla hdamecharla released this 06 Nov 14:58
· 165 commits to main since this release

Release Notes v3.17.0.0

Overview

Version 3.17.0.0 introduces comprehensive Oracle Data Guard capabilities with ASMLib v3 support, enhanced NVMe disk handling for Azure VMs, and substantial improvements to SAP HANA scale-out high availability configurations. The release also modernizes Azure DevOps integration with full Managed Identity support and refactors Terraform modules to align with the latest Azure provider standards.

Key highlights include Oracle Data Guard automation, improved disk management for ZRS backup scenarios, enhanced pipeline orchestration, and critical fixes for network and storage configurations in complex SAP landscapes.


Major Enhancements

Oracle Database Support

Oracle Data Guard Automation

  • Full Data Guard Configuration: Comprehensive automation for Oracle Data Guard primary and standby database configurations, including:

    • Automated standby database creation with RMAN restore scripts
    • Service creation with high availability triggers
    • Log transport configuration with protection modes
    • Broker setup and verification with enhanced error handling
    • Stabilization procedures during finalization processes
  • Oracle ASMLib v3 Support: Added support for the latest ASMLib version with improved disk management capabilities

  • Oracle UEK7 Compatibility: Full support for Oracle Unbreakable Enterprise Kernel 7, ensuring compatibility with the latest Oracle Linux distributions

  • Enhanced Environment Management: Sophisticated handling of ORACLE_HOME, ORACLE_SID, and ORACLE_BASE environment variables across all Oracle playbooks

  • Improved Error Detection: Advanced checks for ORA-specific errors, zombie standby processes, and orphaned shared memory segments

  • Post-Deployment Optimization: Enhanced post-processing tasks including:

    • ASM configuration validation
    • Database load balancer health checks
    • Shared memory cleanup procedures
    • SSFS file handling and verification

Enhanced NVMe Support

Azure NVMe Disk Management

  • Backward Compatibility: Enhanced udev rules that work seamlessly with older distributions including SUSE 15 SP3 and RHEL 8.8

  • Improved Device Identification: Advanced namespace ID (NSID) detection with multiple fallback mechanisms:

    • Primary detection via udevadm
    • Fallback extraction from ID_PATH
    • Direct reading from /sys/class/block/<device>/nsid
  • LUN Mapping Calculator: Enhanced LUN-to-device mapping with improved accuracy across different Azure VM configurations

  • Unified Cross-OS Support: Consistent NVMe handling scripts for both RHEL and SUSE platforms with standardized task naming

  • Enhanced Diagnostics: Improved debug output and preflight checks for NVMe device detection and configuration
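The three-step NSID fallback listed above, sketched as a shell function. This is an added example, not the framework's own script; the `ID_NSID` property name, the `-nvme-<n>` suffix of `ID_PATH`, and the function names are assumptions made for illustration.

```shell
# Added example (not SDAF code): resolve an NVMe namespace ID (NSID) from the
# three sources listed above, in order. ID_NSID and the "-nvme-<n>" suffix of
# ID_PATH are assumptions about what udev exports on a given distribution.

# Accept only a positive decimal integer as an NSID.
is_nsid() {
    case $1 in
        ''|*[!0-9]*|0*) return 1 ;;
        *) return 0 ;;
    esac
}

# nvme_nsid DEVICE [UDEV_PROPERTIES] [SYSFS_ROOT]
# The optional arguments let the logic be exercised without NVMe hardware.
nvme_nsid() {
    dev=$1
    sysfs=${3:-/sys}
    # Allow kernel namespace names only (nvme0n1), so "/" or ".." never
    # reaches the sysfs path built below.
    case $dev in
        *[!a-z0-9]*) return 2 ;;
        nvme[0-9]*n[0-9]*) ;;
        *) return 2 ;;
    esac
    if [ $# -ge 2 ]; then
        props=$2
    else
        props=$(udevadm info --query=property --name="/dev/$dev" 2>/dev/null) || props=
    fi
    # 1. Property reported by udevadm.
    nsid=$(printf '%s\n' "$props" | sed -n 's/^ID_NSID=//p' | head -n 1)
    # 2. Trailing namespace component of ID_PATH, e.g. pci-...-nvme-3.
    if ! is_nsid "$nsid"; then
        nsid=$(printf '%s\n' "$props" |
            sed -n 's/^ID_PATH=.*-nvme-\([0-9][0-9]*\)$/\1/p' | head -n 1)
    fi
    # 3. Kernel attribute in sysfs.
    if ! is_nsid "$nsid" && [ -r "$sysfs/class/block/$dev/nsid" ]; then
        read -r nsid < "$sysfs/class/block/$dev/nsid" || true
    fi
    is_nsid "$nsid" || return 1
    printf '%s\n' "$nsid"
}

# Constructed sample: udev output without ID_NSID, so ID_PATH is used.
SAMPLE_PROPS='DEVNAME=/dev/nvme0n3
ID_PATH=pci-0000:00:04.0-nvme-3'
nvme_nsid nvme0n3 "$SAMPLE_PROPS"
```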

SAP HANA Scale-Out High Availability

Scale-Out Cluster Enhancements

  • Improved Cluster Resource Management: Refined Pacemaker configuration for SAP HANA scale-out scenarios with proper resource constraints

  • Observer VM Integration: Enhanced observer VM configuration with proper shared disk attachment and backend pool associations

  • Shared Storage Management: Improved handling of observer shared disks in high availability configurations

  • Directory Permissions: Proper permission settings for /hana/shared directory in scale-out deployments

  • Streamlined Installation: Simplified preparation tasks for SAP HANA scale-out installations with reduced manual intervention

Managed Identity Integration

Azure DevOps Managed Identity Support

  • Full MI Authentication: Complete Managed Identity support in Azure DevOps pipelines, eliminating the need for Service Principal secrets

  • New PowerShell Functions:

    • Get-SDAFUserAssignedIdentity: Retrieve user-assigned identities from Azure
    • Set-AdoManagedIdentityCredentials: Configure MI credentials in variable groups
    • Set-AdoSPNCredentials: Configure SPN credentials with improved validation
  • Enhanced Pipeline Parameters:

    • Added ManagedIdentityId parameter (mandatory when using MI authentication)
    • Improved ControlPlaneSubscriptionId parameter handling
    • Better role assignment logic with comprehensive logging
  • Variable Group Migration: Utility scripts to migrate from SPN to Managed Identity authentication:

    • Upgrade-ControlPlaneVariableGroup.ps1
    • Upgrade-WorkloadZoneVariableGroup.ps1
    • Copy-AzDevOpsVariableGroupVariable function for variable migration

Improvements

Infrastructure and Terraform

Provider Compatibility Updates

  • Migrated to latest Azure provider property names to eliminate deprecation warnings:

    • Key Vault: enable_rbac_authorization → rbac_authorization_enabled
    • Virtual Machines: enable_automatic_updates → automatic_updates_enabled
    • Load Balancers: enable_floating_ip → floating_ip_enabled
    • Azure NetApp Files: protocols_enabled → protocol
  • Enhanced Role Assignments: Added Key Vault Administrator and Secrets Officer roles with appropriate conditions for improved security posture

  • Resource Naming Flexibility: Introduced custom_random_id variable for resource name suffixes, removing dependencies on DEPLOYER_RANDOM_ID and LIBRARY_RANDOM_ID

  • Improved Variable Handling: Enhanced handling of unset/null variables with better fallback logic throughout Terraform modules

Network Configuration Refinements

  • Refactored subnet ID handling across all modules for improved clarity and error prevention
  • Enhanced storage subnet output with robust fallback handling
  • Optimized NSG count logic for application and web subnets
  • Fixed subnet CIDR value trimming in output files
  • Improved conditional checks for landscape_tfstate keys

Key Vault Management

  • Refactored role assignment dependencies to reduce redundancy
  • Enhanced access policy conditions with permission assignment options
  • Improved secret existence checks using user ARM ID
  • Streamlined secret name assignments using local variables

Azure DevOps Pipeline Enhancements

Pipeline Architecture

  • Terraform Version Upgrade: Bumped from 1.12.2 to 1.13.3 across all deployment scripts

  • Improved Parameter Management: Comprehensive refactoring of deployment YAML files with enhanced parameter definitions and validation

  • Ansible Installation Control: Added dedicated Ansible installation script with:

    • Version pinning for ansible-core
    • Specified versions for community.general collection
    • Conditional JMESPath installation logic
  • Variable Group Standardization:

    • Consistent use of DEPLOYER_ENVIRONMENT for variable group construction
    • Fixed VARIABLE_GROUP_ID usage in system deployment pipelines
    • Removed unused DEPLOYER_KEYVAULT variable

Script Improvements

  • Enhanced error handling with proper return codes instead of exit calls
  • Improved Azure login visibility controls with better debugging
  • Added Azure account information display on Terraform failures
  • Streamlined installer script calls with comprehensive error checking

Disk and Storage Management

Enhanced Backup Disk Handling

  • ZRS storage type detection for backup disks with automatic zone assignment
  • Intelligent zone placement logic when using ZRS backup disks
  • Improved proximity placement group logic for Windows VMs

Standardized IOPS/MBPS Configuration

  • Unified configuration approach for both UltraSSD_LRS and PremiumV2_LRS disk types
  • Consistent IOPS and throughput settings across all disk configurations
  • Optimized Ansible disk definitions for better performance

Sybase Storage Configuration

  • Reorganized storage definitions for Sybase 512, 1024, and 2048 configurations
  • Added accelerated networking support
  • Corrected lun_start values for proper disk alignment

Network Configuration

Subnet Management

  • Comprehensive refactoring of subnet ID handling with improved error prevention
  • Enhanced fallback logic for storage subnet outputs
  • Better handling of landscape_tfstate keys in conditional checks
  • Simplified NSG assignment logic for clarity

DNS and Private Link

  • Refactored DNS zone link count conditions for improved reliability:
    • vault_agent DNS zone links
    • blob_agent DNS zone links
    • vnet_mgmt_blob-agent DNS zone links
  • Enhanced readability and maintainability of DNS configurations

Bug Fixes

Terraform Configuration Fixes

  • Fixed disk attachment references for observer VMs in outputs.tf
  • Corrected observer shared disks output to reference azurerm_linux_virtual_machine
  • Fixed variable name consistency in disk output definitions
  • Resolved syntax errors in subnet ID parsing
  • Corrected return value handling in Terraform plan execution

Pipeline and Script Fixes

  • Fixed VARIABLE_GROUP vs VARIABLE_GROUP_ID usage in 03-sap-system-deployment
  • Resolved integer conversion errors in variable group operations
  • Fixed control plane name construction to use DEPLOYER_ENVIRONMENT
  • Corrected deployer environment file handling for v1 and v2 scripts
  • Restored multi-network support in v1 pipelines

Oracle Installation Fixes

  • Fixed SAPINST parameter file handling for Oracle installations where EXPORT and DB_EXPORT directories differ
  • Resolved oracle-postprocessing supported_tiers check validation
  • Corrected multiple SAPINST.CD.PACKAGE declarations causing HANA/Oracle precedence issues

SAP Installation Fixes

  • Fixed version comparison for cloud-netconfig-azure in Pacemaker tasks
  • Resolved undefined variable issues in chrony role related to Python interpreter
  • Corrected file permissions to use string format in Oracle ASM tasks
  • Fixed run_once and delegate_to usage in AFS mount tasks

Network and Storage Fixes

  • Fixed ANF volume export policy rule configurations (protocols_enabled → protocol)
  • Corrected backend pool association for SAP HANA scale-out scenarios
  • Resolved key vault existence checks using proper user ARM ID validation

Dependency Updates

GitHub Actions

  • github/codeql-action: 3.29.8 → 4.31.1
  • actions/checkout: 4.2.2 → 5.0.0
  • actions/dependency-review-action: 4.7.1 → 4.8.1
  • actions/setup-python: 5.6.0 → 6.0.0
  • aquasecurity/trivy-action: 0.31.0 → 0.33.1
  • ossf/scorecard-action: 2.4.2 → 2.4.3
  • step-security/harden-runner: 2.13.0 → 2.13.1

Azure SDK and Libraries

  • Azure.Identity: 1.15.0 → 1.17.0
  • Azure.ResourceManager.Compute: 1.11.0 → 1.12.0
  • Azure.ResourceManager.Network: Updated to latest stable version
  • Azure.ResourceManager.Storage: Updated to latest stable version
  • Microsoft.Identity.Web and Microsoft.Identity.Web.UI: Updated to latest versions

.NET Tools

  • dotnet-ef: 9.0.6 → 9.0.9

Breaking Changes

None

This release maintains backward compatibility with existing deployments. All infrastructure changes use conditional logic to preserve existing behavior.


Upgrade Notes

Required Actions

  1. Terraform Provider Property Updates

    If you use custom Terraform modules or have extended the framework, update the following deprecated property names:

    # Key Vault
    enable_rbac_authorization = true  # OLD
    rbac_authorization_enabled = true # NEW
    
    # Virtual Machines
    enable_automatic_updates = true   # OLD
    automatic_updates_enabled = true  # NEW
    
    # Load Balancers
    enable_floating_ip = true         # OLD
    floating_ip_enabled = true        # NEW
    
    # Azure NetApp Files - Export Policy Rules
    protocols_enabled = ["NFSv4.1"]   # OLD
    protocol = ["NFSv4.1"]            # NEW
  2. Azure DevOps Variable Groups Migration

    For environments using Azure DevOps pipelines, run the provided upgrade scripts to migrate variable naming conventions:

    # Migrate Control Plane variable group
    .\Upgrade-ControlPlaneVariableGroup.ps1 `
      -OrganizationName "yourorg" `
      -ProjectName "yourproject" `
      -ControlPlaneName "MGMT"
    
    # Migrate Workload Zone variable group
    .\Upgrade-WorkloadZoneVariableGroup.ps1 `
      -OrganizationName "yourorg" `
      -ProjectName "yourproject" `
      -ControlPlaneName "MGMT" `
      -WorkloadZoneName "DEV"
  3. Managed Identity Authentication Setup

    If migrating to Managed Identity authentication for Azure DevOps:

    • Create a User-Assigned Managed Identity in Azure
    • Grant required permissions to the Managed Identity
    • Use the new ManagedIdentityId parameter in pipeline configurations
    • Update variable groups using the provided migration scripts
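For step 1 of the required actions, a scan of custom modules for the four deprecated argument names listed there. This is an added example, not a script shipped with the framework; the function name is hypothetical, and the scan matches argument names only, so each hit still needs a check against the resource type it sits in.

```shell
# Added example (not SDAF code): list uses of the four deprecated azurerm
# argument names from the upgrade notes in *.tf files under a directory.
# Block comments (/* ... */) are not recognised; line comments are skipped.

# scan_deprecated_tf DIR
# Prints "file:line: old -> new" per hit; returns non-zero if any hit is found.
scan_deprecated_tf() {
    find "$1" -type f -name '*.tf' -exec awk '
        BEGIN {
            new["enable_rbac_authorization"] = "rbac_authorization_enabled"
            new["enable_automatic_updates"]  = "automatic_updates_enabled"
            new["enable_floating_ip"]        = "floating_ip_enabled"
            new["protocols_enabled"]         = "protocol"
        }
        {
            line = $0
            sub(/[ \t]*(#|\/\/).*$/, "", line)      # drop line comments
            # Only an argument assignment at the start of a line counts,
            # so the new names and string contents never match.
            if (match(line, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/)) {
                name = line
                sub(/^[ \t]*/, "", name)
                sub(/[ \t]*=.*$/, "", name)
                if (name in new) {
                    printf "%s:%d: %s -> %s\n", FILENAME, FNR, name, new[name]
                    hits++
                }
            }
        }
        END { exit (hits > 0) }
    ' {} +
}

# Constructed sample module, scanned as a demonstration.
demo=$(mktemp -d)
printf 'resource "azurerm_lb_rule" "r" {\n  enable_floating_ip = true\n}\n' > "$demo/lb.tf"
scan_deprecated_tf "$demo" || echo "deprecated arguments found"
rm -rf "$demo"
```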

Recommended Actions

  1. Oracle Database Deployments

    • Review Oracle Data Guard configurations if using standby databases
    • Validate ASMLib version compatibility if using Oracle ASM (v3 is now supported)
    • Test Oracle UEK7 compatibility in non-production environments before upgrading
  2. NVMe Configuration Review

    For systems using NVMe disks, especially on older distributions (SUSE 15 SP3, RHEL 8.8):

    • Review enhanced udev rules in test environments
    • Validate namespace ID detection with new fallback mechanisms
    • Test LUN mapping with the improved calculator
  3. SAP HANA Scale-Out Environments

    If running SAP HANA scale-out with high availability:

    • Review observer VM configurations and shared disk assignments
    • Validate Pacemaker resource constraints
    • Test failover scenarios with the enhanced cluster configuration
  4. Pipeline Configuration Validation

    • Review custom pipeline implementations for variable naming updates
    • Test Terraform 1.13.3 compatibility in non-production environments
    • Validate Ansible collection versions if using custom playbooks

Compatibility Notes

  • Terraform Version: Tested with Terraform 1.13.3
  • Ansible Version: Compatible with ansible-core version 2.16.14
  • Azure Provider: Compatible with azurerm 4.4.0+ and azuread 3.0.2+
  • Operating Systems:
    • Oracle Linux with UEK7
    • RHEL 8.8, 8.10, 9.4, 9.6
    • SUSE SLES_SAP 15.3, 15.6
    • Windows Server 2025

Known Issues

None reported at the time of release.


Contributors

Special thanks to all contributors who made this release possible:

  • Kimmo Forss (@KimForss) - Lead maintainer
  • Hemanth Damecharla (@hdamecharla) - Oracle and infrastructure enhancements
  • Devansh Jain (@devanshjainms) - Pipeline and validation improvements
  • Nadeen Noaman (@nnoaman) - Testing and validation
  • Steffen Bo Thomsen (@SteffenBoThomsen) - SAP quality integration
  • Jesper Severinsen (@jesperseverinsen) - Database schema improvements
  • Csaba Daradics (@daradicscsaba) - Terraform fixes
  • GitHub Copilot (@Copilot) - Code suggestions and improvements
  • dependabot[bot] - Automated dependency updates

Resources