Merge branch 'dev' into main

.github/workflows/terraform_validate.yml

@@ -18,7 +18,7 @@ jobs:
       max-parallel: 10
       matrix:
         terraform_ver: [~1.0.0, ~1.1.0, ~1.2.0, ~1.3.0]
-        terraform_module_parent: [all, aws_ec2_instance, ibmcloud_vs, ibmcloud_powervs, ibmpowervc, msazure_vm]
+        terraform_module_parent: [all, aws_ec2_instance, ibmcloud_vs, ibmcloud_powervs, ibmpowervc, msazure_vm, vmware_vm]
     steps:
       - name: Checkout
         uses: actions/[email protected]

README.md

@@ -56,7 +56,7 @@ The below table lists the Terraform Modules for SAP, and any detailed documentat
 |  IBM Power Virtualization Center | N/A |
 |  Microsoft Azure Virtual Machine| N/A |
 |  ~~oVirt KVM Virtual Machine~~ | N/A |
-|  ~~VMware vSphere Virtual Machine~~ | N/A |
+|  VMware vSphere Virtual Machine | [/vmware_vm/host_provision](/docs/tf_modules/tf_mod_vmware_vm_host_provision.md) |
 | &emsp;Generic documentation | <ul><li>[**/host_network_access_sap](/docs/tf_modules/tf_mod_host_network_access_sap.md)</li></ul> |
 | **TF Modules as wrapper to Ansible for SAP solution scenarios** | - |
 | &emsp; SAP BW/4HANA single-node | /all/ansible_sap_bw4hana_install |

all/ansible_sap_ecc_sapase_install/create_ansible_extravars.tf

@@ -138,7 +138,7 @@ sap_swpm_templates_install_dictionary:
       - 'igsexe_13-80003187.sar' # IGS 7.53
       - 'igshelper_17-10010245.sar'
       - 'SYBCTRL_1110-80002616.SAR'
-      - '51055871_1' # SAP ASE 16.0.03.12 HF1 RDBMS Linux on x86_64 64bit
+      - '51056224_1' # SAP ASE 16.0.03.13 RDBMS Linux on x86_64 64bit
       - 'ASEBC16004P_3-20012477.SAR' # SAP ASE 16.0 FOR BUS. SUITE DBCLIENT SP04 PL03
       - '51050708_1' # SAP ERP 6.0 EHP8 Installation Export 1/4, Self-extract RAR EXE
       - '51050708_2'
@@ -203,7 +203,7 @@ sap_swpm_templates_install_dictionary:
       - 'igsexe_13-80003187.sar' # IGS 7.53
       - 'igshelper_17-10010245.sar'
       - 'SYBCTRL_1110-80002616.SAR'
-      - '51055871_1' # SAP ASE 16.0.03.12 HF1 RDBMS Linux on x86_64 64bit
+      - '51056224_1' # SAP ASE 16.0.03.13 RDBMS Linux on x86_64 64bit
       - 'ASEBC16004P_3-20012477.SAR' # SAP ASE 16.0 FOR BUS. SUITE DBCLIENT SP04 PL03
       - '51053216_1' # IDES SAP ERP 6.0 EHP8 - INSTALL. EXP. (1/2) 1/22
       - '51053216_2'

all/ansible_sap_nwas_abap_sapase_install/create_ansible_extravars.tf

@@ -132,7 +132,7 @@ sap_swpm_templates_install_dictionary:
       - 'igsexe_13-80003187.sar' # IGS 7.53
       - 'igshelper_17-10010245.sar'
       - 'SYBCTRL_1110-80002616.SAR'
-      - '51055871_1' # SAP ASE 16.0.03.12 HF1 RDBMS Linux on x86_64 64bit
+      - '51056224_1' # SAP ASE 16.0.03.13 RDBMS Linux on x86_64 64bit
       - 'ASEBC16004P_3-20012477.SAR' # SAP ASE 16.0 FOR BUS. SUITE DBCLIENT SP04 PL03
       - '51051806_1' # NetWeaver AS ABAP 7.52 Innovation Pkg - Installation Exp 1/2, RAR
       - '51051806_2' # NetWeaver AS ABAP 7.52 Innovation Pkg - Installation Exp 2/2, RAR
@@ -184,7 +184,7 @@ sap_swpm_templates_install_dictionary:
       - 'igsexe_13-80003187.sar' # IGS 7.53
       - 'igshelper_17-10010245.sar'
       - 'SYBCTRL_1110-80002616.SAR'
-      - '51055871_1' # SAP ASE 16.0.03.12 HF1 RDBMS Linux on x86_64 64bit
+      - '51056224_1' # SAP ASE 16.0.03.13 RDBMS Linux on x86_64 64bit
       - 'ASEBC16004P_3-20012477.SAR' # SAP ASE 16.0 FOR BUS. SUITE DBCLIENT SP04 PL03
       - '51050829_3' # SAP Netweaver 7.5 Installation Export, ZIP
 #      - '51050829_4' # NW 7.5 Language 1/2

all/ansible_sap_nwas_java_sapase_install/create_ansible_extravars.tf

@@ -134,7 +134,7 @@ sap_swpm_templates_install_dictionary:
       - 'SAPHOSTAGENT56_56-80004822.SAR' # SAP Host Agent 7.22
       - 'SAPJVM8_90-80000202.SAR' # SAP JVM 8.1
       - '51055106' # SAP Netweaver 7.5 SP22 Java, ZIP. Contains JAVA_EXPORT (SAP:JEXPORT:750:SP22:*:*), JAVA_EXPORT_JDMP (SAP:JDMP:750:SP22:*:SW-LABEL), JAVA_J2EE_OSINDEP (SAP:J2EE-CD:750:J2EE-CD:j2ee-cd:*), JAVA_J2EE_OSINDEP_J2EE_INST (SAP:J2EE-INST:750:SP22:*:*), JAVA_J2EE_OSINDEP_UT (SAP:UT:750:SP22:*:*)
-      - '51055622_1' # SAP ASE 16.0.04.03 RDBMS Linux on x86_64 64bit
+      - '51056021_1' # SAP ASE 16.0.04.03 HF1 RDBMS Linux on x86_64 64bit
       - 'ASEBC16004P_2-20012477.SAR' # SAP ASE 16.0 FOR BUS. SUITE DBCLIENT SP04 PL02
 
     softwarecenter_search_list_ppc64le:

aws_ec2_instance/account_bootstrap/network_security_groups.tf

@@ -11,6 +11,25 @@ resource "aws_security_group" "vpc_sg" {
 
 }
 
+# Allow Outbound DNS Port 53 connection to IBM Cloud VPC DNS resolvers
+resource "aws_security_group_rule" "vpc_sg_rule_outbound_dns_tcp" {
+  security_group_id = aws_security_group.vpc_sg.id
+  type              = "egress"
+  from_port         = 53
+  to_port           = 53
+  protocol          = "tcp"
+  cidr_blocks       = ["${local.target_subnet_ip_range}"]
+}
+
+# Allow Outbound DNS Port 53 connection to IBM Cloud VPC DNS resolvers
+resource "aws_security_group_rule" "vpc_sg_rule_outbound_dns_udp" {
+  security_group_id = aws_security_group.vpc_sg.id
+  type              = "egress"
+  from_port         = 53
+  to_port           = 53
+  protocol          = "udp"
+  cidr_blocks       = ["${local.target_subnet_ip_range}"]
+}
 
 # Allow Outbound HTTP Port 80 connection to any (e.g. via NAT Gateway)
 resource "aws_security_group_rule" "vpc_sg_rule_outbound_http_80" {

aws_ec2_instance/host_network_access_sap/module_variables.tf

@@ -4,6 +4,10 @@ variable "module_var_aws_vpc_subnet_id" {}
 
 variable "module_var_host_security_group_id" {}
 
+variable "module_var_sap_nwas_abap_ascs_instance_no" {
+  default = ""
+}
+
 variable "module_var_sap_nwas_abap_pas_instance_no" {
   default = ""
 }

aws_ec2_instance/host_network_access_sap/module_variables_locals.tf

@@ -1,6 +1,7 @@
 
 locals {
-  network_rules_sap_nwas_abap_boolean = var.module_var_sap_nwas_abap_pas_instance_no != "" ? true : false
+  network_rules_sap_nwas_abap_ascs_boolean = var.module_var_sap_nwas_abap_ascs_instance_no != "" ? true : false
+  network_rules_sap_nwas_abap_pas_boolean = var.module_var_sap_nwas_abap_pas_instance_no != "" ? true : false
   network_rules_sap_nwas_java_boolean = var.module_var_sap_nwas_java_ci_instance_no != "" ? true : false
   network_rules_sap_hana_boolean = var.module_var_sap_hana_instance_no != "" ? true : false
 

aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf → aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hana.tf

@@ -1,82 +1,67 @@
 
-# SAP NetWeaver PAS / SAP GUI, access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_sapgui" {
-  count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0
+# SAP HANA ICM HTTPS (Secure) Internal Web Dispatcher, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_icm_https" {
+  count = local.network_rules_sap_hana_boolean ? 1 : 0
   security_group_id = var.module_var_host_security_group_id
   type              = "ingress"
-  from_port         = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
-  to_port           = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
+  from_port         = tonumber("43${var.module_var_sap_hana_instance_no}")
+  to_port           = tonumber("43${var.module_var_sap_hana_instance_no}")
   protocol          = "tcp"
   cidr_blocks  = ["${local.target_subnet_ip_range}"]
 }
-
-# SAP NetWeaver PAS Gateway, access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_gw" {
-  count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_icm_https" {
+  count = local.network_rules_sap_hana_boolean ? 1 : 0
   security_group_id = var.module_var_host_security_group_id
-  type              = "ingress"
-  from_port         = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
-  to_port           = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
+  type              = "egress"
+  from_port         = tonumber("43${var.module_var_sap_hana_instance_no}")
+  to_port           = tonumber("43${var.module_var_sap_hana_instance_no}")
   protocol          = "tcp"
   cidr_blocks  = ["${local.target_subnet_ip_range}"]
 }
 
-# SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapfiori" {
-  count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0
-  security_group_id = var.module_var_host_security_group_id
-  type              = "ingress"
-  from_port         = tonumber("443${var.module_var_sap_hana_instance_no}")
-  to_port           = tonumber("443${var.module_var_sap_hana_instance_no}")
-  protocol          = "tcp"
-  cidr_blocks  = ["${local.target_subnet_ip_range}"]
-}
 
-# SAP NetWeaver sapctrl HTTP and HTTPS, access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ctrl" {
-  count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0
+# SAP HANA ICM HTTP Internal Web Dispatcher, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_icm_http" {
+  count = local.network_rules_sap_hana_boolean ? 1 : 0
   security_group_id = var.module_var_host_security_group_id
   type              = "ingress"
-  from_port         = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}13")
-  to_port           = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}14")
+  from_port         = tonumber("80${var.module_var_sap_hana_instance_no}")
+  to_port           = tonumber("80${var.module_var_sap_hana_instance_no}")
   protocol          = "tcp"
   cidr_blocks  = ["${local.target_subnet_ip_range}"]
 }
-
-
-# SAP HANA ICM HTTPS (Secure) Internal Web Dispatcher, access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_icm_https" {
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_icm_http" {
   count = local.network_rules_sap_hana_boolean ? 1 : 0
   security_group_id = var.module_var_host_security_group_id
-  type              = "ingress"
-  from_port         = tonumber("43${var.module_var_sap_hana_instance_no}")
-  to_port           = tonumber("43${var.module_var_sap_hana_instance_no}")
+  type              = "egress"
+  from_port         = tonumber("80${var.module_var_sap_hana_instance_no}")
+  to_port           = tonumber("80${var.module_var_sap_hana_instance_no}")
   protocol          = "tcp"
   cidr_blocks  = ["${local.target_subnet_ip_range}"]
 }
 
-# SAP HANA ICM HTTP Internal Web Dispatcher, access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_icm_http" {
+
+# SAP HANA Internal Web Dispatcher, webdispatcher process, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_webdisp" {
   count = local.network_rules_sap_hana_boolean ? 1 : 0
   security_group_id = var.module_var_host_security_group_id
   type              = "ingress"
-  from_port         = tonumber("80${var.module_var_sap_hana_instance_no}")
-  to_port           = tonumber("80${var.module_var_sap_hana_instance_no}")
+  from_port         = tonumber("3${var.module_var_sap_hana_instance_no}06")
+  to_port           = tonumber("3${var.module_var_sap_hana_instance_no}06")
   protocol          = "tcp"
   cidr_blocks  = ["${local.target_subnet_ip_range}"]
 }
-
-# SAP HANA Internal Web Dispatcher, access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_webdisp" {
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_webdisp" {
   count = local.network_rules_sap_hana_boolean ? 1 : 0
   security_group_id = var.module_var_host_security_group_id
-  type              = "ingress"
+  type              = "egress"
   from_port         = tonumber("3${var.module_var_sap_hana_instance_no}06")
   to_port           = tonumber("3${var.module_var_sap_hana_instance_no}06")
   protocol          = "tcp"
   cidr_blocks  = ["${local.target_subnet_ip_range}"]
 }
 
+
 # SAP HANA indexserver MDC System Tenant SYSDB, access from within the same Subnet
 resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_index_mdc_sysdb" {
   count = local.network_rules_sap_hana_boolean ? 1 : 0
@@ -87,6 +72,16 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_index_mdc_sy
   protocol          = "tcp"
   cidr_blocks  = ["${local.target_subnet_ip_range}"]
 }
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_index_mdc_sysdb" {
+  count = local.network_rules_sap_hana_boolean ? 1 : 0
+  security_group_id = var.module_var_host_security_group_id
+  type              = "egress"
+  from_port         = tonumber("3${var.module_var_sap_hana_instance_no}13")
+  to_port           = tonumber("3${var.module_var_sap_hana_instance_no}13")
+  protocol          = "tcp"
+  cidr_blocks  = ["${local.target_subnet_ip_range}"]
+}
+
 
 # SAP HANA indexserver MDC Tenant #1, access from within the same Subnet
 resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_index_mdc_1" {
@@ -98,6 +93,58 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_index_mdc_1"
   protocol          = "tcp"
   cidr_blocks  = ["${local.target_subnet_ip_range}"]
 }
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_index_mdc_1" {
+  count = local.network_rules_sap_hana_boolean ? 1 : 0
+  security_group_id = var.module_var_host_security_group_id
+  type              = "egress"
+  from_port         = tonumber("3${var.module_var_sap_hana_instance_no}15")
+  to_port           = tonumber("3${var.module_var_sap_hana_instance_no}15")
+  protocol          = "tcp"
+  cidr_blocks  = ["${local.target_subnet_ip_range}"]
+}
+
+
+# SAP HANA for SOAP over HTTP for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_startsrv_http_soap" {
+  count = local.network_rules_sap_hana_boolean ? 1 : 0
+  security_group_id = var.module_var_host_security_group_id
+  type              = "ingress"
+  from_port         = tonumber("5${var.module_var_sap_hana_instance_no}13")
+  to_port           = tonumber("5${var.module_var_sap_hana_instance_no}13")
+  protocol          = "tcp"
+  cidr_blocks  = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_startsrv_http_soap" {
+  count = local.network_rules_sap_hana_boolean ? 1 : 0
+  security_group_id = var.module_var_host_security_group_id
+  type              = "egress"
+  from_port         = tonumber("5${var.module_var_sap_hana_instance_no}13")
+  to_port           = tonumber("5${var.module_var_sap_hana_instance_no}13")
+  protocol          = "tcp"
+  cidr_blocks  = ["${local.target_subnet_ip_range}"]
+}
+
+
+# SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_startsrv_https_soap" {
+  count = local.network_rules_sap_hana_boolean ? 1 : 0
+  security_group_id = var.module_var_host_security_group_id
+  type              = "ingress"
+  from_port         = tonumber("5${var.module_var_sap_hana_instance_no}14")
+  to_port           = tonumber("5${var.module_var_sap_hana_instance_no}14")
+  protocol          = "tcp"
+  cidr_blocks  = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_startsrv_https_soap" {
+  count = local.network_rules_sap_hana_boolean ? 1 : 0
+  security_group_id = var.module_var_host_security_group_id
+  type              = "egress"
+  from_port         = tonumber("5${var.module_var_sap_hana_instance_no}14")
+  to_port           = tonumber("5${var.module_var_sap_hana_instance_no}14")
+  protocol          = "tcp"
+  cidr_blocks  = ["${local.target_subnet_ip_range}"]
+}
+
 
 
 # SAP HANA System Replication
@@ -202,48 +249,3 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_pacemaker_3" {
   protocol          = "udp"
   cidr_blocks  = ["${local.target_subnet_ip_range}"]
 }
-
-
-# SAP NetWeaver AS JAVA Central Instance (CI) ICM server process 0..n, access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_icm" {
-  count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
-  security_group_id = var.module_var_host_security_group_id
-  type              = "ingress"
-  from_port         = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}00")
-  to_port           = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}06")
-  protocol          = "tcp"
-  cidr_blocks  = ["${local.target_subnet_ip_range}"]
-}
-
-# SAP NetWeaver AS JAVA Central Instance (CI) Access server process 0..n, access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_access" {
-  count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
-  security_group_id = var.module_var_host_security_group_id
-  type              = "ingress"
-  from_port         = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}20")
-  to_port           = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}22")
-  protocol          = "tcp"
-  cidr_blocks  = ["${local.target_subnet_ip_range}"]
-}
-
-# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services HTTP server process 0..n, access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_admin_http" {
-  count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
-  security_group_id = var.module_var_host_security_group_id
-  type              = "ingress"
-  from_port         = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}13")
-  to_port           = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}14")
-  protocol          = "tcp"
-  cidr_blocks  = ["${local.target_subnet_ip_range}"]
-}
-
-# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services SL Controller server process 0..n, access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_admin_slcontroller" {
-  count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
-  security_group_id = var.module_var_host_security_group_id
-  type              = "ingress"
-  from_port         = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}17")
-  to_port           = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}19")
-  protocol          = "tcp"
-  cidr_blocks  = ["${local.target_subnet_ip_range}"]
-}

aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hostctrl.tf

@@ -0,0 +1,37 @@
+
+# SAP Host Agent with SOAP over HTTP, saphostctrl process as 1128 port, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphostctrl_http_soap" {
+  security_group_id = var.module_var_host_security_group_id
+  type              = "ingress"
+  from_port         = 1128
+  to_port           = 1128
+  protocol          = "tcp"
+  cidr_blocks  = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphostctrl_http_soap" {
+  security_group_id = var.module_var_host_security_group_id
+  type              = "egress"
+  from_port         = 1128
+  to_port           = 1128
+  protocol          = "tcp"
+  cidr_blocks  = ["${local.target_subnet_ip_range}"]
+}
+
+
+# SAP Host Agent with SOAP over HTTPS, saphostctrls process as 1129 port, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphostctrl_https_soap" {
+  security_group_id = var.module_var_host_security_group_id
+  type              = "ingress"
+  from_port         = 1129
+  to_port           = 1129
+  protocol          = "tcp"
+  cidr_blocks  = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphostctrl_https_soap" {
+  security_group_id = var.module_var_host_security_group_id
+  type              = "egress"
+  from_port         = 1129
+  to_port           = 1129
+  protocol          = "tcp"
+  cidr_blocks  = ["${local.target_subnet_ip_range}"]
+}