From e7b6a0178d50a69c00eab403a96ba4b5f58361d7 Mon Sep 17 00:00:00 2001 From: sean-freeman Date: Thu, 12 Jan 2023 01:37:34 +0000 Subject: [PATCH 01/18] fix: missing dns sg rule --- .../network_security_groups.tf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/aws_ec2_instance/account_bootstrap/network_security_groups.tf b/aws_ec2_instance/account_bootstrap/network_security_groups.tf index 733ae6d..75e2c3a 100644 --- a/aws_ec2_instance/account_bootstrap/network_security_groups.tf +++ b/aws_ec2_instance/account_bootstrap/network_security_groups.tf @@ -11,6 +11,25 @@ resource "aws_security_group" "vpc_sg" { } +# Allow Outbound DNS Port 53 connection to IBM Cloud VPC DNS resolvers +resource "aws_security_group_rule" "vpc_sg_rule_outbound_dns_tcp" { + security_group_id = aws_security_group.vpc_sg.id + type = "egress" + from_port = 53 + to_port = 53 + protocol = "tcp" + cidr_blocks = ["${local.target_subnet_ip_range}"] +} + +# Allow Outbound DNS Port 53 connection to IBM Cloud VPC DNS resolvers +resource "aws_security_group_rule" "vpc_sg_rule_outbound_dns_udp" { + security_group_id = aws_security_group.vpc_sg.id + type = "egress" + from_port = 53 + to_port = 53 + protocol = "udp" + cidr_blocks = ["${local.target_subnet_ip_range}"] +} # Allow Outbound HTTP Port 80 connection to any (e.g. via NAT Gateway) resource "aws_security_group_rule" "vpc_sg_rule_outbound_http_80" { From b73df068d4602bba5aa195f576adbb004668c995 Mon Sep 17 00:00:00 2001 
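Review bot: The header comment on both new egress rules reads "Allow Outbound DNS Port 53 connection to IBM Cloud VPC DNS resolvers", but this file is the AWS account_bootstrap security group, so the comment looks copied from the IBM Cloud module; suggest `# Allow Outbound DNS Port 53 (TCP and UDP) to the DNS resolvers reachable from the VPC`. Both rules restrict the destination to `local.target_subnet_ip_range`; if that local holds a subnet CIDR rather than the VPC CIDR, the AWS-provided resolver (the VPC network range base plus two) can fall outside it and name resolution from instances in this group would still be blocked, so confirm which range the local carries. The `["${local.target_subnet_ip_range}"]` wrapping is an interpolation-only string that Terraform reports as deprecated; `cidr_blocks = [local.target_subnet_ip_range]` is the equivalent current form.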
From: sean-freeman Date: Thu, 12 Jan 2023 09:49:01 +0000 Subject: [PATCH 02/18] fix: missing sg rule for nwas ms --- .../module_variables.tf | 4 +++ .../module_variables_locals.tf | 3 ++- .../network_security_groups_sap.tf | 20 +++++++++++--- .../tf_mod_host_network_access_sap.md | 2 +- .../module_variables.tf | 4 +++ .../module_variables_locals.tf | 3 ++- .../network_security_groups_sap.tf | 20 +++++++++++--- .../module_variables.tf | 4 +++ .../module_variables_locals.tf | 3 ++- .../network_security_groups_sap.tf | 26 ++++++++++++++++--- 10 files changed, 73 insertions(+), 16 deletions(-) diff --git a/aws_ec2_instance/host_network_access_sap/module_variables.tf b/aws_ec2_instance/host_network_access_sap/module_variables.tf index 314757a..4fd82a3 100644 --- a/aws_ec2_instance/host_network_access_sap/module_variables.tf +++ b/aws_ec2_instance/host_network_access_sap/module_variables.tf @@ -4,6 +4,10 @@ variable "module_var_aws_vpc_subnet_id" {} variable "module_var_host_security_group_id" {} +variable "module_var_sap_nwas_abap_ascs_instance_no" { + default = "" +} + variable "module_var_sap_nwas_abap_pas_instance_no" { default = "" } diff --git a/aws_ec2_instance/host_network_access_sap/module_variables_locals.tf b/aws_ec2_instance/host_network_access_sap/module_variables_locals.tf index 3417dd7..89e485a 100644 --- a/aws_ec2_instance/host_network_access_sap/module_variables_locals.tf +++ b/aws_ec2_instance/host_network_access_sap/module_variables_locals.tf 
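Review bot: The new `module_var_sap_nwas_abap_ascs_instance_no` variable is declared with only a default, although its value is concatenated into a port number via `tonumber("36${...}")` elsewhere in this commit, so a value that is not two digits (e.g. `1` instead of `01`) silently yields a wrong port and a non-numeric one fails inside the resource with an unhelpful error. Consider adding `type = string`, a `description`, and a `validation` block whose `condition` is `var.module_var_sap_nwas_abap_ascs_instance_no == "" || can(regex("^[0-9]{2}$", var.module_var_sap_nwas_abap_ascs_instance_no))` with an error message naming the expected two-digit format. The declaration mirrors the sibling `..._pas_instance_no` variable, so the same applies there and to the identical hunks for the IBM Cloud and Azure modules later in this commit.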
@@ -1,6 +1,7 @@ locals { - network_rules_sap_nwas_abap_boolean = var.module_var_sap_nwas_abap_pas_instance_no != "" ? true : false + network_rules_sap_nwas_abap_ascs_boolean = var.module_var_sap_nwas_abap_ascs_instance_no != "" ? true : false + network_rules_sap_nwas_abap_pas_boolean = var.module_var_sap_nwas_abap_pas_instance_no != "" ? true : false network_rules_sap_nwas_java_boolean = var.module_var_sap_nwas_java_ci_instance_no != "" ? true : false network_rules_sap_hana_boolean = var.module_var_sap_hana_instance_no != "" ? true : false diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf index 92a68ff..e847c06 100644 --- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf +++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf @@ -1,7 +1,19 @@ +# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), access from within the same Subnet +resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_ms" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + security_group_id = var.module_var_host_security_group_id + type = "ingress" + from_port = tonumber("36${var.module_var_sap_nwas_abap_pas_instance_no}") + to_port = tonumber("36${var.module_var_sap_nwas_abap_pas_instance_no}") + protocol = "tcp" + cidr_blocks = ["${local.target_subnet_ip_range}"] +} + + # SAP NetWeaver PAS / SAP GUI, access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_sapgui" { - count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0 + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "ingress" from_port = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}") 
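Review bot: Both new locals use the form `var.x != "" ? true : false`, which is redundant because the comparison already yields a bool; `network_rules_sap_nwas_abap_ascs_boolean = var.module_var_sap_nwas_abap_ascs_instance_no != ""` says the same thing directly. The new lines follow the existing entries in the block, so this is a style point only, and the same shape recurs in the IBM Cloud and Azure `module_variables_locals.tf` hunks of this commit.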
@@ -12,7 +24,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_sapgui" { # SAP NetWeaver PAS Gateway, access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_gw" { - count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0 + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "ingress" from_port = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}") @@ -23,7 +35,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_gw" { # SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapfiori" { - count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0 + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "ingress" from_port = tonumber("443${var.module_var_sap_hana_instance_no}") @@ -34,7 +46,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapfiori" { # SAP NetWeaver sapctrl HTTP and HTTPS, access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ctrl" { - count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0 + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "ingress" from_port = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}13") diff --git a/docs/tf_modules/tf_mod_host_network_access_sap.md b/docs/tf_modules/tf_mod_host_network_access_sap.md index b3e045e..2a83eac 100644 --- a/docs/tf_modules/tf_mod_host_network_access_sap.md +++ b/docs/tf_modules/tf_mod_host_network_access_sap.md @@ -19,7 +19,7 @@ The below table includes some of the key Ports to use with SAP Systems that use | | SAP Router | 3200 | | | SAP Router | 3299 | | SAP NetWeaver AS ABAP Central Services (ASCS),
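Review bot: In the `vpc_sg_rule_sap_ingress_sapfiori` hunk the rule is now gated by `network_rules_sap_nwas_abap_pas_boolean`, yet its port is still derived from the SAP HANA instance number in the context line `from_port = tonumber("443${var.module_var_sap_hana_instance_no}")`. On a host that runs the PAS without SAP HANA that variable is empty and the rule degrades to plain port 443, which is presumably not the ICM HTTPS port intended; if the Fiori/Web GUI port is meant to follow the NetWeaver instance, `from_port = tonumber("443${var.module_var_sap_nwas_abap_pas_instance_no}")` (and the matching `to_port`, which lies outside the hunk) would be consistent with the new gate, otherwise a comment explaining why the HANA instance number is used here would help. The resource body continues past the end of the hunk.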
using Instance Number `01` | | | -| | SAP NetWeaver AS Messenger Server (ASCS MS) | 36`01` | +| | SAP NetWeaver AS Messenge Server (ASCS MS) | 36`01` | | SAP NetWeaver AS ABAP PAS,
using Instance Number `00` | | | | | `*` SAP NetWeaver AS Primary App Server (PAS Dialog) **[SAP GUI]** | 32`00` | | | SAP NetWeaver AS PAS Gateway | 33`00` | diff --git a/ibmcloud_vs/host_network_access_sap/module_variables.tf b/ibmcloud_vs/host_network_access_sap/module_variables.tf index 69918a1..858a0f5 100644 --- a/ibmcloud_vs/host_network_access_sap/module_variables.tf +++ b/ibmcloud_vs/host_network_access_sap/module_variables.tf @@ -3,6 +3,10 @@ variable "module_var_ibmcloud_vpc_subnet_name" {} variable "module_var_host_security_group_id" {} +variable "module_var_sap_nwas_abap_ascs_instance_no" { + default = "" +} + variable "module_var_sap_nwas_abap_pas_instance_no" { default = "" } diff --git a/ibmcloud_vs/host_network_access_sap/module_variables_locals.tf b/ibmcloud_vs/host_network_access_sap/module_variables_locals.tf index b6a3839..ea8fe27 100644 --- a/ibmcloud_vs/host_network_access_sap/module_variables_locals.tf +++ b/ibmcloud_vs/host_network_access_sap/module_variables_locals.tf @@ -1,6 +1,7 @@ locals { - network_rules_sap_nwas_abap_boolean = var.module_var_sap_nwas_abap_pas_instance_no != "" ? true : false + network_rules_sap_nwas_abap_ascs_boolean = var.module_var_sap_nwas_abap_ascs_instance_no != "" ? true : false + network_rules_sap_nwas_abap_pas_boolean = var.module_var_sap_nwas_abap_pas_instance_no != "" ? true : false network_rules_sap_nwas_java_boolean = var.module_var_sap_nwas_java_ci_instance_no != "" ? true : false network_rules_sap_hana_boolean = var.module_var_sap_hana_instance_no != "" ? true : false diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf index 8f73914..6f26311 100644 --- a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf +++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf 
@@ -1,7 +1,19 @@ +# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), access from within the same Subnet +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ascs_ms" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + group = var.module_var_host_security_group_id + direction = "inbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") + port_max = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") + } +} + # SAP NetWeaver PAS / SAP GUI, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_sapgui" { - count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0 + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 group = var.module_var_host_security_group_id direction = "inbound" remote = local.target_vpc_subnet_range @@ -13,7 +25,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_sapgui" { # SAP NetWeaver PAS Gateway, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_gw" { - count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0 + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_sapgui] group = var.module_var_host_security_group_id direction = "inbound" @@ -26,7 +38,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_gw" { # SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapfiori" { - count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0 + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1] group = var.module_var_host_security_group_id direction = "inbound" 
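Review bot: The new `vpc_sg_rule_sap_inbound_sapnwas_ascs_ms` rule is added without a `depends_on`, while the other rules in this file appear to be chained (`_gw` depends on `_sapgui`, `_ctrl` depends on `_sapfiori`), which looks like a deliberate serialisation of IBM Cloud security group rule creation; the ASCS rule is therefore created concurrently with `_sapgui`. If that chain is intentional, adding `depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_ascs_ms]` to `vpc_sg_rule_sap_inbound_sapnwas_sapgui` would put the new rule at its head, and a one-line comment at the first `depends_on` stating the purpose of the chain would spare the next contributor the guess. The same omission applies to the outbound ASCS rule added in a later commit of this series, and the outbound SAP HANA rules added there appear to point their `depends_on` at rules other than their inbound counterparts, so the chain is worth checking as a whole.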
@@ -39,7 +51,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapfiori" { # SAP NetWeaver sapctrl HTTP and HTTPS, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ctrl" { - count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0 + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapfiori] group = var.module_var_host_security_group_id direction = "inbound" diff --git a/msazure_vm/host_network_access_sap/module_variables.tf b/msazure_vm/host_network_access_sap/module_variables.tf index c939542..15320bb 100644 --- a/msazure_vm/host_network_access_sap/module_variables.tf +++ b/msazure_vm/host_network_access_sap/module_variables.tf @@ -7,6 +7,10 @@ variable "module_var_az_vnet_subnet_name" {} variable "module_var_host_security_group_name" {} +variable "module_var_sap_nwas_abap_ascs_instance_no" { + default = "" +} + variable "module_var_sap_nwas_abap_pas_instance_no" { default = "" } diff --git a/msazure_vm/host_network_access_sap/module_variables_locals.tf b/msazure_vm/host_network_access_sap/module_variables_locals.tf index 8df4234..1886e39 100644 --- a/msazure_vm/host_network_access_sap/module_variables_locals.tf +++ b/msazure_vm/host_network_access_sap/module_variables_locals.tf @@ -1,6 +1,7 @@ locals { - network_rules_sap_nwas_abap_boolean = var.module_var_sap_nwas_abap_pas_instance_no != "" ? true : false + network_rules_sap_nwas_abap_ascs_boolean = var.module_var_sap_nwas_abap_ascs_instance_no != "" ? true : false + network_rules_sap_nwas_abap_pas_boolean = var.module_var_sap_nwas_abap_pas_instance_no != "" ? true : false network_rules_sap_nwas_java_boolean = var.module_var_sap_nwas_java_ci_instance_no != "" ? true : false network_rules_sap_hana_boolean = var.module_var_sap_hana_instance_no != "" ? true : false 
diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap.tf index fe3b051..b113b33 100644 --- a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf +++ b/msazure_vm/host_network_access_sap/network_security_groups_sap.tf @@ -1,7 +1,25 @@ +# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), access from within the same Subnet +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_ms" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + name = "tcp_inbound_sapnwas_ascs_ms" + priority = 200 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} + # SAP NetWeaver PAS / SAP GUI, access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_sapgui" { - count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0 + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 name = "tcp_inbound_sapnwas_sapgui" priority = 201 direction = "Inbound" @@ -19,7 +37,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_sapgu # SAP NetWeaver PAS Gateway, access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_gw" { - count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0 + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 name = "tcp_inbound_sapnwas_gw" priority = 202 direction = "Inbound" 
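Review bot: The new `vnet_sg_rule_sap_inbound_sapnwas_ascs_ms` sets `destination_port_range = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")`, but `destination_port_range` on `azurerm_network_security_rule` is a string attribute (it accepts ranges such as `"1024-65535"` and `"*"`), so the number is converted straight back to a string; `destination_port_range = "36${var.module_var_sap_nwas_abap_ascs_instance_no}"` expresses the same value without the round trip. The existing rules in this file may well use the same idiom (their port lines are outside the hunk), in which case treat this as a file-wide cleanup; the outbound rules added in later commits of this series repeat it.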
@@ -38,7 +56,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_gw" { # SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapfiori" { - count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0 + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 name = "tcp_inbound_sapfiori" priority = 203 direction = "Inbound" @@ -56,7 +74,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapfiori" { # SAP NetWeaver sapctrl HTTP and HTTPS, access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ctrl" { - count = local.network_rules_sap_nwas_abap_boolean ? 1 : 0 + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 name = "tcp_inbound_sapnwas_ctrl" priority = 204 direction = "Inbound" From 3ca93b728c72c4dd74a5e3a1bb5e0d58c88b42c0 Mon Sep 17 00:00:00 2001 From: sean-freeman Date: Thu, 12 Jan 2023 13:24:07 +0000 Subject: [PATCH 03/18] fix: outbound nwas ms sg rule --- .../network_security_groups_sap.tf | 14 ++++++- .../network_security_groups_sap.tf | 12 ++++++ .../network_security_groups_sap.tf | 38 ++++++++++++++----- 3 files changed, 52 insertions(+), 12 deletions(-) diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf index e847c06..28629fc 100644 --- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf +++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf 
@@ -4,8 +4,18 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_ms" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "ingress" - from_port = tonumber("36${var.module_var_sap_nwas_abap_pas_instance_no}") - to_port = tonumber("36${var.module_var_sap_nwas_abap_pas_instance_no}") + from_port = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") + to_port = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") + protocol = "tcp" + cidr_blocks = ["${local.target_subnet_ip_range}"] +} + +resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_ms" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + security_group_id = var.module_var_host_security_group_id + type = "egress" + from_port = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") + to_port = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf index 6f26311..9750684 100644 --- a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf +++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf 
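Review bot: The new `vpc_sg_rule_sap_egress_sapnwas_ascs_ms` rule has no header comment, whereas its ingress counterpart directly above carries one, and nothing records why an egress rule is needed at all given that AWS security groups are stateful (replies to inbound Message Server connections are already permitted). Suggest a comment above the egress resource such as `# Egress to the ASCS Message Server on other hosts in the same Subnet (e.g. when this host runs a Dialog Instance); Security Groups are stateful, so this only covers connections this host initiates`. The same undocumented egress counterparts appear in the IBM Cloud and Azure hunks of this commit and in the SAP HANA indexserver egress rules added in the following commit.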
@@ -11,6 +11,18 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ascs_ms" } } +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_ascs_ms" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") + port_max = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") + } +} + + # SAP NetWeaver PAS / SAP GUI, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_sapgui" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap.tf index b113b33..2094a12 100644 --- a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf +++ b/msazure_vm/host_network_access_sap/network_security_groups_sap.tf @@ -3,7 +3,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_ms" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 name = "tcp_inbound_sapnwas_ascs_ms" - priority = 200 + priority = 201 direction = "Inbound" access = "Allow" protocol = "Tcp" 
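Review bot: The `priority = 200` to `201` change on `vnet_sg_rule_sap_inbound_sapnwas_ascs_ms`, together with the shift of every following inbound rule by two in the next hunks (201→203 through 209→211, and 211→212 again in the following commit), exists only to make room for the new outbound rules; as far as I know Azure requires a rule priority to be unique per direction within an NSG, so inbound and outbound rules may share numbers and the inbound sequence did not need to move. The renumbering forces an in-place update of every existing inbound rule on the next apply for no functional gain; consider leaving the inbound priorities untouched and giving the outbound rules their own sequence. If a single shared sequence is a project convention, a comment at the top of the file saying so would stop the next reviewer asking the same question.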
@@ -17,11 +17,29 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_ network_security_group_name = var.module_var_host_security_group_name } +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_ascs_ms" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + name = "tcp_outbound_sapnwas_ascs_ms" + priority = 202 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} + + # SAP NetWeaver PAS / SAP GUI, access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_sapgui" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 name = "tcp_inbound_sapnwas_sapgui" - priority = 201 + priority = 203 direction = "Inbound" access = "Allow" protocol = "Tcp" @@ -39,7 +57,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_sapgu resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_gw" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 name = "tcp_inbound_sapnwas_gw" - priority = 202 + priority = 204 direction = "Inbound" access = "Allow" protocol = "Tcp" @@ -58,7 +76,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_gw" { resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapfiori" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 name = "tcp_inbound_sapfiori" - priority = 203 + priority = 205 direction = "Inbound" access = "Allow" protocol = "Tcp" 
@@ -76,7 +94,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapfiori" { resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ctrl" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 name = "tcp_inbound_sapnwas_ctrl" - priority = 204 + priority = 206 direction = "Inbound" access = "Allow" protocol = "Tcp" @@ -94,7 +112,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ctrl" resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_icm_https" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_inbound_saphana_icm_https" - priority = 205 + priority = 207 direction = "Inbound" access = "Allow" protocol = "Tcp" @@ -112,7 +130,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_icm_h resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_icm_http" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_inbound_saphana_icm_http" - priority = 206 + priority = 208 direction = "Inbound" access = "Allow" protocol = "Tcp" @@ -131,7 +149,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_icm_h resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_webdisp" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_inbound_saphana_webdisp" - priority = 207 + priority = 209 direction = "Inbound" access = "Allow" protocol = "Tcp" @@ -149,7 +167,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_webdi resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index_mdc_sysdb" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_inbound_saphana_index_mdc_sysdb" - priority = 208 + priority = 210 direction = "Inbound" access = "Allow" protocol = "Tcp" 
@@ -167,7 +185,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index_mdc_1" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_inbound_saphana_index_mdc_1" - priority = 209 + priority = 211 direction = "Inbound" access = "Allow" protocol = "Tcp" From df828cf097eb70508a1301a7c018fbbb39918314 Mon Sep 17 00:00:00 2001 From: sean-freeman Date: Fri, 13 Jan 2023 10:31:38 +0000 Subject: [PATCH 04/18] fix: outbound sg rules for hdb mdc --- .../network_security_groups_sap.tf | 19 ++++++++++- .../network_security_groups_sap.tf | 24 ++++++++++++-- .../network_security_groups_sap.tf | 33 ++++++++++++++++++- 3 files changed, 72 insertions(+), 4 deletions(-) diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf index 28629fc..bc00c1a 100644 --- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf +++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf @@ -9,7 +9,6 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_ms" { protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } - resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_ms" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id 
@@ -109,6 +108,15 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_index_mdc_sy protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } +resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_index_mdc_sysdb" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + security_group_id = var.module_var_host_security_group_id + type = "egress" + from_port = tonumber("3${var.module_var_sap_hana_instance_no}13") + to_port = tonumber("3${var.module_var_sap_hana_instance_no}13") + protocol = "tcp" + cidr_blocks = ["${local.target_subnet_ip_range}"] +} # SAP HANA indexserver MDC Tenant #1, access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_index_mdc_1" { @@ -120,6 +128,15 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_index_mdc_1" protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } +resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_index_mdc_1" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + security_group_id = var.module_var_host_security_group_id + type = "egress" + from_port = tonumber("3${var.module_var_sap_hana_instance_no}15") + to_port = tonumber("3${var.module_var_sap_hana_instance_no}15") + protocol = "tcp" + cidr_blocks = ["${local.target_subnet_ip_range}"] +} # SAP HANA System Replication diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf index 9750684..a577830 100644 --- a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf +++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf 
@@ -10,7 +10,6 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ascs_ms" port_max = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") } } - resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_ascs_ms" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 group = var.module_var_host_security_group_id @@ -126,6 +125,17 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_index_mdc port_max = tonumber("3${var.module_var_sap_hana_instance_no}13") } } +resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_index_mdc_sysdb" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_webdisp] + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("3${var.module_var_sap_hana_instance_no}13") + port_max = tonumber("3${var.module_var_sap_hana_instance_no}13") + } +} # SAP HANA indexserver MDC Tenant #1, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_index_mdc_1" { @@ -139,7 +149,17 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_index_mdc port_max = tonumber("3${var.module_var_sap_hana_instance_no}15") } } - +resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_index_mdc_1" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_sysdb] + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("3${var.module_var_sap_hana_instance_no}15") + port_max = tonumber("3${var.module_var_sap_hana_instance_no}15") + } +} # SAP HANA System Replication ## The port offset is +10000 from the SAP HANA configured ports (e.g. `3<>15` for MDC Tenant #1). 
diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap.tf index 2094a12..e3f9caf 100644 --- a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf +++ b/msazure_vm/host_network_access_sap/network_security_groups_sap.tf @@ -180,12 +180,28 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index resource_group_name = var.module_var_az_resource_group_name network_security_group_name = var.module_var_host_security_group_name } +resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_index_mdc_sysdb" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + name = "tcp_outbound_saphana_index_mdc_sysdb" + priority = 211 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("3${var.module_var_sap_hana_instance_no}13") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} # SAP HANA indexserver MDC Tenant #1, access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index_mdc_1" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_inbound_saphana_index_mdc_1" - priority = 211 + priority = 212 direction = "Inbound" access = "Allow" protocol = "Tcp" 
@@ -198,7 +214,22 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index resource_group_name = var.module_var_az_resource_group_name network_security_group_name = var.module_var_host_security_group_name } +resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_index_mdc_1" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + name = "tcp_outbound_saphana_index_mdc_1" + priority = 213 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("3${var.module_var_sap_hana_instance_no}15") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} # SAP HANA System Replication ## The port offset is +10000 from the SAP HANA configured ports (e.g. `3<>15` for MDC Tenant #1). From c49c6073726dd964a308812fb586658098fb08d6 Mon Sep 17 00:00:00 2001 From: sean-freeman Date: Sun, 15 Jan 2023 21:31:54 +0000 Subject: [PATCH 05/18] fix: sap hana sapcontrol port --- .../network_security_groups_sap.tf | 41 ++++++++++ .../network_security_groups_sap.tf | 50 +++++++++++++ .../network_security_groups_sap.tf | 74 +++++++++++++++++++ 3 files changed, 165 insertions(+) diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf index bc00c1a..9745794 100644 --- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf +++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf 
@@ -138,6 +138,47 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_index_mdc_1"
 cidr_blocks = ["${local.target_subnet_ip_range}"]
 }
+# SAP HANA for SOAP over HTTP for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_startsrv_http_soap" {
+ count = local.network_rules_sap_hana_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("5${var.module_var_sap_hana_instance_no}13")
+ to_port = tonumber("5${var.module_var_sap_hana_instance_no}13")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_startsrv_http_soap" {
+ count = local.network_rules_sap_hana_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = tonumber("5${var.module_var_sap_hana_instance_no}13")
+ to_port = tonumber("5${var.module_var_sap_hana_instance_no}13")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
+# SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_startsrv_https_soap" {
+ count = local.network_rules_sap_hana_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("5${var.module_var_sap_hana_instance_no}14")
+ to_port = tonumber("5${var.module_var_sap_hana_instance_no}14")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_startsrv_https_soap" {
+ count = local.network_rules_sap_hana_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = tonumber("5${var.module_var_sap_hana_instance_no}14")
+ to_port = tonumber("5${var.module_var_sap_hana_instance_no}14")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
+
 # SAP HANA System Replication
 ## The port offset is +10000 from the SAP HANA configured ports (e.g. `3<>15` for MDC Tenant #1).
diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf
index a577830..eec5b1b 100644
--- a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf
+++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf
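Review bot: The new ingress rule on `5<nn>13` admits cleartext SOAP to SAPStartSrv from the whole subnet, and the comment does not record that this is the unprotected HTTP endpoint while `5<nn>14` is the TLS one; the same pair is added for IBM Cloud and Azure in the two following file sections. Protected sapcontrol operations (start/stop, parameter changes) are reachable on either port, so the security group is only a coarse source filter and the host-side setting `service/protectedwebmethods` plus HTTPS-only use where the HA/monitoring tooling allows it are the real controls — the note should say so. Suggested comment on the HTTP pair: `# Cleartext SOAP endpoint: credentials and protected sapcontrol methods cross this port unencrypted. Keep only if tooling cannot use the HTTPS port 5<nn>14; restrict methods via service/protectedwebmethods on the host.` Separately, `cidr_blocks = ["${local.target_subnet_ip_range}"]` is the legacy interpolation-only form that recent Terraform versions rewrite or warn about; `cidr_blocks = [local.target_subnet_ip_range]` is the 0.12+ idiom (this applies to every AWS rule in the series).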
@@ -161,6 +161,56 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_index_md } } +# SAP HANA for SOAP over HTTP for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet +resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_startsrv_http_soap" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_sysdb] + group = var.module_var_host_security_group_id + direction = "inbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("5${var.module_var_sap_hana_instance_no}13") + port_max = tonumber("5${var.module_var_sap_hana_instance_no}13") + } +} +resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_startsrv_http_soap" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_sysdb] + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("5${var.module_var_sap_hana_instance_no}13") + port_max = tonumber("5${var.module_var_sap_hana_instance_no}13") + } +} + +# SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet +resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_startsrv_https_soap" { + count = local.network_rules_sap_hana_boolean ? 
1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_sysdb] + group = var.module_var_host_security_group_id + direction = "inbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("5${var.module_var_sap_hana_instance_no}14") + port_max = tonumber("5${var.module_var_sap_hana_instance_no}14") + } +} +resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_startsrv_https_soap" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_sysdb] + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("5${var.module_var_sap_hana_instance_no}14") + port_max = tonumber("5${var.module_var_sap_hana_instance_no}14") + } +} + + + # SAP HANA System Replication ## The port offset is +10000 from the SAP HANA configured ports (e.g. `3<>15` for MDC Tenant #1). ## More details in README diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap.tf index e3f9caf..1d37d62 100644 --- a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf +++ b/msazure_vm/host_network_access_sap/network_security_groups_sap.tf 
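Review bot: All four new rules carry `depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_sysdb]`, and nothing explains why a SAPStartSrv rule should wait for the HANA SYSTEMDB rule. If the intent is to serialise rule creation against the IBM VPC security-group API (an inference, the hunk does not say), this does not achieve it: the four rules still apply in parallel with each other and with every other rule that depends on the same sysdb rule; chaining each rule on the previous one would, and the same pattern appears in the later IBM Cloud hunks for the PAS gateway rules. Either way the reason belongs in a comment, e.g. `# depends_on only orders creation; it carries no security semantics — see README for why rule creation is serialised`.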
@@ -231,6 +231,80 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_inde network_security_group_name = var.module_var_host_security_group_name } + + + + +# SAP HANA for SOAP over HTTP for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet +resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_startsrv_http_soap" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + name = "tcp_inbound_saphana_startsrv_http_soap" + priority = 214 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("5${var.module_var_sap_hana_instance_no}13") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} +resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_startsrv_http_soap" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + name = "tcp_outbound_saphana_startsrv_http_soap" + priority = 215 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("5${var.module_var_sap_hana_instance_no}13") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} + +# SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet +resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_startsrv_https_soap" { + count = local.network_rules_sap_hana_boolean ? 
1 : 0 + name = "tcp_inbound_saphana_startsrv_https_soap" + priority = 216 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("5${var.module_var_sap_hana_instance_no}14") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} +resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_startsrv_https_soap" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + name = "tcp_outbound_saphana_startsrv_https_soap" + priority = 217 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("5${var.module_var_sap_hana_instance_no}14") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} + + + # SAP HANA System Replication ## The port offset is +10000 from the SAP HANA configured ports (e.g. `3<>15` for MDC Tenant #1). ## More details in README From c031e329d47b34eebc608b297e8324a928cf84af Mon Sep 17 00:00:00 2001 From: sean-freeman Date: Sun, 15 Jan 2023 21:33:15 +0000 Subject: [PATCH 06/18] fix: blank lines --- .../host_network_access_sap/network_security_groups_sap.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap.tf index 1d37d62..9b129c3 100644 --- a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf +++ b/msazure_vm/host_network_access_sap/network_security_groups_sap.tf 
@@ -231,10 +231,6 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_inde
 network_security_group_name = var.module_var_host_security_group_name
 }
-
-
-
-
 # SAP HANA for SOAP over HTTP for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
 resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_startsrv_http_soap" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
From 15f2e59fe623fd37f0cfa0d23a21a922b974fbf6 Mon Sep 17 00:00:00 2001
From: sean-freeman
Date: Mon, 16 Jan 2023 14:20:18 +0000
Subject: [PATCH 07/18] fix: more fw rules for nwas pas
---
 .../network_security_groups_sap.tf | 43 ++++++++++-
 .../network_security_groups_sap.tf | 47 +++++++++++-
 .../network_security_groups_sap.tf | 71 ++++++++++++++++++-
 3 files changed, 154 insertions(+), 7 deletions(-)
diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf
index 9745794..967fad5 100644
--- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf
+++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf
@@ -19,8 +19,28 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_ms" { cidr_blocks = ["${local.target_subnet_ip_range}"] } +# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), access from within the same Subnet +resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_en" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + security_group_id = var.module_var_host_security_group_id + type = "ingress" + from_port = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") + to_port = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") + protocol = "tcp" + cidr_blocks = ["${local.target_subnet_ip_range}"] +} +resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_en" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + security_group_id = var.module_var_host_security_group_id + type = "egress" + from_port = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") + to_port = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") + protocol = "tcp" + cidr_blocks = ["${local.target_subnet_ip_range}"] +} -# SAP NetWeaver PAS / SAP GUI, access from within the same Subnet + +# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher (sapdp), for SAP GUI, access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_sapgui" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id 
@@ -30,8 +50,18 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_sapgui" { protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } +resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_sapgui" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 + security_group_id = var.module_var_host_security_group_id + type = "egress" + from_port = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}") + to_port = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}") + protocol = "tcp" + cidr_blocks = ["${local.target_subnet_ip_range}"] +} -# SAP NetWeaver PAS Gateway, access from within the same Subnet + +# SAP NetWeaver AS Primary Application Server (PAS) Gateway (sapgw), access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_gw" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id @@ -41,6 +71,15 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_gw" { protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } +resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_gw" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 + security_group_id = var.module_var_host_security_group_id + type = "egress" + from_port = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}") + to_port = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}") + protocol = "tcp" + cidr_blocks = ["${local.target_subnet_ip_range}"] +} # SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapfiori" { diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf index eec5b1b..97e20c3 100644 --- a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf 
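Review bot: The new egress rule for the gateway port `33<nn>` together with the existing ingress rule makes the RFC gateway reachable in both directions across the whole subnet, and the comment only names the component; the same pair is added for IBM Cloud in the next section and for Azure after it. Which programs may register at or be started through the gateway is decided on the host by the gateway ACLs (`gw/acl_mode`, `gw/sec_info`, `gw/reg_info`), so the security group is only a source-subnet filter and the comment should point readers to where the real control lives, e.g. `# Security group only scopes the source subnet; registration/start permissions are enforced by the gateway ACLs (gw/acl_mode, gw/sec_info, gw/reg_info) on the host.` The enclosing file continues outside both hunks.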
+++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf @@ -21,8 +21,30 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_ascs_ms" } } +# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), access from within the same Subnet +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ascs_en" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + group = var.module_var_host_security_group_id + direction = "inbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") + port_max = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") + } +} +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_ascs_en" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") + port_max = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") + } +} + -# SAP NetWeaver PAS / SAP GUI, access from within the same Subnet +# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher (sapdp), for SAP GUI, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_sapgui" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 group = var.module_var_host_security_group_id 
@@ -33,8 +55,18 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_sapgui" { port_max = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}") } } +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_sapgui" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}") + port_max = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}") + } +} -# SAP NetWeaver PAS Gateway, access from within the same Subnet +# SAP NetWeaver AS Primary Application Server (PAS) Gateway (sapgw), access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_gw" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_sapgui] @@ -46,6 +78,17 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_gw" { port_max = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}") } } +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_gw" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_sapgui] + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}") + port_max = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}") + } +} # SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapfiori" { 
diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap.tf
index 9b129c3..fa2d3b6 100644
--- a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf
+++ b/msazure_vm/host_network_access_sap/network_security_groups_sap.tf
@@ -16,7 +16,6 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_
 resource_group_name = var.module_var_az_resource_group_name
 network_security_group_name = var.module_var_host_security_group_name
 }
-
 resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_ascs_ms" {
 count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
 name = "tcp_outbound_sapnwas_ascs_ms"
@@ -34,8 +33,42 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_ascs network_security_group_name = var.module_var_host_security_group_name } +# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), access from within the same Subnet +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_en" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + name = "tcp_inbound_sapnwas_ascs_en" + priority = 201 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_ascs_en" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + name = "tcp_outbound_sapnwas_ascs_en" + priority = 202 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} + -# SAP NetWeaver PAS / SAP GUI, access from within the same Subnet +# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher (sapdp), for SAP GUI, access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_sapgui" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 name = "tcp_inbound_sapnwas_sapgui" 
@@ -52,8 +85,24 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_sapgu resource_group_name = var.module_var_az_resource_group_name network_security_group_name = var.module_var_host_security_group_name } +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_sapgui" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 + name = "tcp_outbound_sapnwas_sapgui" + priority = 203 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} -# SAP NetWeaver PAS Gateway, access from within the same Subnet +# SAP NetWeaver AS Primary Application Server (PAS) Gateway (sapgw), access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_gw" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 name = "tcp_inbound_sapnwas_gw" 
@@ -70,6 +119,22 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_gw" { resource_group_name = var.module_var_az_resource_group_name network_security_group_name = var.module_var_host_security_group_name } +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_gw" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 + name = "tcp_outbound_sapnwas_gw" + priority = 204 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} # SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet From 87287410176d51ba22d419ce3d3c932710e0c15b Mon Sep 17 00:00:00 2001 
From: sean-freeman Date: Mon, 16 Jan 2023 14:31:37 +0000 Subject: [PATCH 08/18] fix: split sg rules into separate files --- ...tf => network_security_groups_sap_hana.tf} | 150 ---------- ...work_security_groups_sap_nwas_abap_ascs.tf | 40 +++ ...twork_security_groups_sap_nwas_abap_pas.tf | 63 ++++ ...etwork_security_groups_sap_nwas_java_ci.tf | 44 +++ ...tf => network_security_groups_sap_hana.tf} | 168 ----------- ...work_security_groups_sap_nwas_abap_ascs.tf | 44 +++ ...twork_security_groups_sap_nwas_abap_pas.tf | 72 +++++ ...etwork_security_groups_sap_nwas_java_ci.tf | 49 ++++ ...tf => network_security_groups_sap_hana.tf} | 269 +----------------- ...work_security_groups_sap_nwas_abap_ascs.tf | 68 +++++ ...twork_security_groups_sap_nwas_abap_pas.tf | 105 +++++++ ...etwork_security_groups_sap_nwas_java_ci.tf | 72 +++++ 12 files changed, 568 insertions(+), 576 deletions(-) rename aws_ec2_instance/host_network_access_sap/{network_security_groups_sap.tf => network_security_groups_sap_hana.tf} (55%) create mode 100644 aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf create mode 100644 aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf create mode 100644 aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf rename ibmcloud_vs/host_network_access_sap/{network_security_groups_sap.tf => network_security_groups_sap_hana.tf} (58%) create mode 100644 ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf create mode 100644 ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf create mode 100644 ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf rename msazure_vm/host_network_access_sap/{network_security_groups_sap.tf => network_security_groups_sap_hana.tf} (56%) create mode 100644 msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf create mode 100644 
msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf create mode 100644 msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hana.tf similarity index 55% rename from aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf rename to aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hana.tf index 967fad5..f013664 100644 --- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap.tf +++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hana.tf 
@@ -1,109 +1,4 @@ -# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_ms" { - count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "ingress" - from_port = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") - to_port = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} -resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_ms" { - count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "egress" - from_port = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") - to_port = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} - -# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_en" { - count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "ingress" - from_port = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") - to_port = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} -resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_en" { - count = local.network_rules_sap_nwas_abap_ascs_boolean ? 
1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "egress" - from_port = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") - to_port = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} - - -# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher (sapdp), for SAP GUI, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_sapgui" { - count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "ingress" - from_port = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}") - to_port = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} -resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_sapgui" { - count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "egress" - from_port = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}") - to_port = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} - - -# SAP NetWeaver AS Primary Application Server (PAS) Gateway (sapgw), access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_gw" { - count = local.network_rules_sap_nwas_abap_pas_boolean ? 
1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "ingress" - from_port = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}") - to_port = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} -resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_gw" { - count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "egress" - from_port = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}") - to_port = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} - -# SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapfiori" { - count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "ingress" - from_port = tonumber("443${var.module_var_sap_hana_instance_no}") - to_port = tonumber("443${var.module_var_sap_hana_instance_no}") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} - -# SAP NetWeaver sapctrl HTTP and HTTPS, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ctrl" { - count = local.network_rules_sap_nwas_abap_pas_boolean ? 
1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "ingress" - from_port = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}13") - to_port = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}14") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} - - # SAP HANA ICM HTTPS (Secure) Internal Web Dispatcher, access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_icm_https" { count = local.network_rules_sap_hana_boolean ? 1 : 0 
@@ -321,48 +216,3 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_pacemaker_3" { protocol = "udp" cidr_blocks = ["${local.target_subnet_ip_range}"] } - - -# SAP NetWeaver AS JAVA Central Instance (CI) ICM server process 0..n, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_icm" { - count = local.network_rules_sap_nwas_java_boolean ? 1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "ingress" - from_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}00") - to_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}06") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} - -# SAP NetWeaver AS JAVA Central Instance (CI) Access server process 0..n, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_access" { - count = local.network_rules_sap_nwas_java_boolean ? 1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "ingress" - from_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}20") - to_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}22") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} - -# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services HTTP server process 0..n, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_admin_http" { - count = local.network_rules_sap_nwas_java_boolean ? 
1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "ingress" - from_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}13") - to_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}14") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} - -# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services SL Controller server process 0..n, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_admin_slcontroller" { - count = local.network_rules_sap_nwas_java_boolean ? 1 : 0 - security_group_id = var.module_var_host_security_group_id - type = "ingress" - from_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}17") - to_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}19") - protocol = "tcp" - cidr_blocks = ["${local.target_subnet_ip_range}"] -} diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf new file mode 100644 index 0000000..38395ce --- /dev/null +++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf 
@@ -0,0 +1,40 @@
+
+# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_ms" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ to_port = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_ms" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ to_port = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
+# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_en" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ to_port = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_en" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ to_port = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf
new file mode 100644
index 0000000..93e7947
--- /dev/null
+++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf
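Review bot: `from_port`/`to_port` in all four rules are built by string concatenation, `tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")`, and nothing constrains the variable to a zero-padded two-digit instance number; a value such as "1" or an empty string would silently yield port 361 or 36 rather than fail at plan time (the variable is declared outside this hunk, so whether the `count` gate already excludes such values is not visible here). If the module targets Terraform 0.13 or later, a `validation` block on the variable with `condition = can(regex("^[0-9]{2}$", var.module_var_sap_nwas_abap_ascs_instance_no))` would reject bad input before any rule is created; the same applies to the PAS and Java CI instance-number variables used by the other new files in this patch. As a point of style, `cidr_blocks = ["${local.target_subnet_ip_range}"]` is the legacy interpolation-only form that Terraform 0.12+ warns about; `cidr_blocks = [local.target_subnet_ip_range]` is equivalent, and the same form recurs in every rule of the three new AWS files.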
@@ -0,0 +1,63 @@
+
+# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher (sapdp), for SAP GUI, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_sapgui" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
+ to_port = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_sapgui" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
+ to_port = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
+
+# SAP NetWeaver AS Primary Application Server (PAS) Gateway (sapgw), access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_gw" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
+ to_port = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_gw" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
+ to_port = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
+# SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapfiori" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("443${var.module_var_sap_hana_instance_no}")
+ to_port = tonumber("443${var.module_var_sap_hana_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
+# SAP NetWeaver sapctrl HTTP and HTTPS, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ctrl" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}13")
+ to_port = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}14")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf
new file mode 100644
index 0000000..c9be979
--- /dev/null
+++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf
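Review bot: `vpc_sg_rule_sap_ingress_sapfiori` derives its port from `var.module_var_sap_hana_instance_no` while being gated on `local.network_rules_sap_nwas_abap_pas_boolean`; as far as I know the ICM HTTPS port that serves SAP Web GUI and the Fiori Launchpad is 443NN of the NetWeaver instance itself, so this reads like a copy-paste of the HANA variable, and on a PAS host where the HANA instance number is left unset the expression becomes `tonumber("443")` and the rule opens plain TCP 443 to the subnet instead of the intended port. Suggest `from_port = tonumber("443${var.module_var_sap_nwas_abap_pas_instance_no}")` and the same for `to_port`, or, if the HANA variable is deliberate, a comment on the rule saying why. The IBM Cloud copies of this rule elsewhere in this patch (both the removed one and the new PAS file) carry the same expression, so it is carried over rather than introduced here, but the move is the natural place to correct it.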
@@ -0,0 +1,44 @@
+
+# SAP NetWeaver AS JAVA Central Instance (CI) ICM server process 0..n, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_icm" {
+ count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}00")
+ to_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}06")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
+# SAP NetWeaver AS JAVA Central Instance (CI) Access server process 0..n, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_access" {
+ count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}20")
+ to_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}22")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
+# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services HTTP server process 0..n, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_admin_http" {
+ count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}13")
+ to_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}14")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
+# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services SL Controller server process 0..n, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_admin_slcontroller" {
+ count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}17")
+ to_port = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}19")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_hana.tf
similarity index 58%
rename from ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf
rename to ibmcloud_vs/host_network_access_sap/network_security_groups_sap_hana.tf
index 97e20c3..4631618 100644
--- a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap.tf
+++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_hana.tf
@@ -1,122 +1,4 @@
-# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), access from within the same Subnet
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ascs_ms" {
- count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
- group = var.module_var_host_security_group_id
- direction = "inbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
- port_max = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
- }
-}
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_ascs_ms" {
- count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
- group = var.module_var_host_security_group_id
- direction = "outbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
- port_max = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
- }
-}
-
-# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), access from within the same Subnet
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ascs_en" {
- count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
- group = var.module_var_host_security_group_id
- direction = "inbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
- port_max = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
- }
-}
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_ascs_en" {
- count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
- group = var.module_var_host_security_group_id
- direction = "outbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
- port_max = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
- }
-}
-
-
-# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher (sapdp), for SAP GUI, access from within the same Subnet
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_sapgui" {
- count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
- group = var.module_var_host_security_group_id
- direction = "inbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
- port_max = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
- }
-}
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_sapgui" {
- count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
- group = var.module_var_host_security_group_id
- direction = "outbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
- port_max = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
- }
-}
-
-# SAP NetWeaver AS Primary Application Server (PAS) Gateway (sapgw), access from within the same Subnet
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_gw" {
- count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
- depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_sapgui]
- group = var.module_var_host_security_group_id
- direction = "inbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
- port_max = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
- }
-}
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_gw" {
- count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
- depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_sapgui]
- group = var.module_var_host_security_group_id
- direction = "outbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
- port_max = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
- }
-}
-
-# SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapfiori" {
- count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
- depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1]
- group = var.module_var_host_security_group_id
- direction = "inbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("443${var.module_var_sap_hana_instance_no}")
- port_max = tonumber("443${var.module_var_sap_hana_instance_no}")
- }
-}
-
-# SAP NetWeaver sapctrl HTTP and HTTPS, access from within the same Subnet
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ctrl" {
- count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
- depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapfiori]
- group = var.module_var_host_security_group_id
- direction = "inbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}13")
- port_max = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}14")
- }
-}
-
-
 
 # SAP HANA ICM HTTPS (Secure) Internal Web Dispatcher, access from within the same Subnet
 resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_icm_https" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
@@ -375,53 +257,3 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_pacemaker_3" {
 port_max = 5412
 }
 }
-
-
-# SAP NetWeaver AS JAVA Central Instance (CI) ICM server process 0..n, access from within the same Subnet
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_java_ci_icm" {
- count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
- group = var.module_var_host_security_group_id
- direction = "inbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}00")
- port_max = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}06")
- }
-}
-
-
-# SAP NetWeaver AS JAVA Central Instance (CI) Access server process 0..n, access from within the same Subnet
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_java_ci_access" {
- count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
- group = var.module_var_host_security_group_id
- direction = "inbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}20")
- port_max = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}22")
- }
-}
-
-# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services HTTP server process 0..n, access from within the same Subnet
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_java_ci_admin_http" {
- count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
- group = var.module_var_host_security_group_id
- direction = "inbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}13")
- port_max = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}14")
- }
-}
-
-# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services SL Controller server process 0..n, access from within the same Subnet
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_java_ci_admin_slcontroller" {
- count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
- group = var.module_var_host_security_group_id
- direction = "inbound"
- remote = local.target_vpc_subnet_range
- tcp {
- port_min = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}17")
- port_max = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}19")
- }
-}
diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
new file mode 100644
index 0000000..e1a0000
--- /dev/null
+++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
@@ -0,0 +1,44 @@
+
+# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), access from within the same Subnet
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ascs_ms" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
+ group = var.module_var_host_security_group_id
+ direction = "inbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ port_max = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ }
+}
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_ascs_ms" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
+ group = var.module_var_host_security_group_id
+ direction = "outbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ port_max = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ }
+}
+
+# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), access from within the same Subnet
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ascs_en" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
+ group = var.module_var_host_security_group_id
+ direction = "inbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ port_max = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ }
+}
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_ascs_en" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
+ group = var.module_var_host_security_group_id
+ direction = "outbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ port_max = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ }
+}
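Review bot: None of the four ASCS rules carries a `depends_on`, whereas the new IBM Cloud PAS file in this patch chains its gateway, Fiori and sapctrl rules on earlier rules; if that chaining exists to serialize `ibm_is_security_group_rule` creation against the same security group (the reason is not visible in the diff), these four rules will be created concurrently and would need the same treatment, e.g. `depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_ascs_ms]` on the rules that follow it. If the chaining is not needed, a comment in the PAS file saying why only some rules are chained would spare the next reader the same question. The two outbound rules also lack the one-line comment the inbound rules have; a line such as `# Outbound to the ASCS Message Server / Enqueue Server ports elsewhere in the Subnet` above each would record why egress on these ports is opened from this host.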
diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf
new file mode 100644
index 0000000..811f91b
--- /dev/null
+++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf
@@ -0,0 +1,72 @@
+
+# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher (sapdp), for SAP GUI, access from within the same Subnet
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_sapgui" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ group = var.module_var_host_security_group_id
+ direction = "inbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
+ port_max = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
+ }
+}
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_sapgui" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ group = var.module_var_host_security_group_id
+ direction = "outbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
+ port_max = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
+ }
+}
+
+# SAP NetWeaver AS Primary Application Server (PAS) Gateway (sapgw), access from within the same Subnet
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_gw" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_sapgui]
+ group = var.module_var_host_security_group_id
+ direction = "inbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
+ port_max = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
+ }
+}
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_gw" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_sapgui]
+ group = var.module_var_host_security_group_id
+ direction = "outbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
+ port_max = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
+ }
+}
+
+# SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapfiori" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1]
+ group = var.module_var_host_security_group_id
+ direction = "inbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("443${var.module_var_sap_hana_instance_no}")
+ port_max = tonumber("443${var.module_var_sap_hana_instance_no}")
+ }
+}
+
+# SAP NetWeaver sapctrl HTTP and HTTPS, access from within the same Subnet
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ctrl" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapfiori]
+ group = var.module_var_host_security_group_id
+ direction = "inbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}13")
+ port_max = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}14")
+ }
+}
diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf
new file mode 100644
index 0000000..d60e489
--- /dev/null
+++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf
@@ -0,0 +1,49 @@
+
+# SAP NetWeaver AS JAVA Central Instance (CI) ICM server process 0..n, access from within the same Subnet
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_java_ci_icm" {
+ count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
+ group = var.module_var_host_security_group_id
+ direction = "inbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}00")
+ port_max = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}06")
+ }
+}
+
+
+# SAP NetWeaver AS JAVA Central Instance (CI) Access server process 0..n, access from within the same Subnet
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_java_ci_access" {
+ count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
+ group = var.module_var_host_security_group_id
+ direction = "inbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}20")
+ port_max = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}22")
+ }
+}
+
+# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services HTTP server process 0..n, access from within the same Subnet
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_java_ci_admin_http" {
+ count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
+ group = var.module_var_host_security_group_id
+ direction = "inbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}13")
+ port_max = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}14")
+ }
+}
+
+# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services SL Controller server process 0..n, access from within the same Subnet
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_java_ci_admin_slcontroller" {
+ count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
+ group = var.module_var_host_security_group_id
+ direction = "inbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}17")
+ port_max = tonumber("5${var.module_var_sap_nwas_java_ci_instance_no}19")
+ }
+}
diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap_hana.tf
similarity index 56%
rename from msazure_vm/host_network_access_sap/network_security_groups_sap.tf
rename to msazure_vm/host_network_access_sap/network_security_groups_sap_hana.tf
index fa2d3b6..658d382 100644
--- a/msazure_vm/host_network_access_sap/network_security_groups_sap.tf
+++ b/msazure_vm/host_network_access_sap/network_security_groups_sap_hana.tf
@@ -1,183 +1,9 @@
-# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), access from within the same Subnet
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_ms" {
- count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
- name = "tcp_inbound_sapnwas_ascs_ms"
- priority = 201
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_range = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_ascs_ms" {
- count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
- name = "tcp_outbound_sapnwas_ascs_ms"
- priority = 202
- direction = "Outbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_range = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
-
-# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), access from within the same Subnet
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_en" {
- count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
- name = "tcp_inbound_sapnwas_ascs_en"
- priority = 201
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_range = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_ascs_en" {
- count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
- name = "tcp_outbound_sapnwas_ascs_en"
- priority = 202
- direction = "Outbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_range = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
-
-
-# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher (sapdp), for SAP GUI, access from within the same Subnet
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_sapgui" {
- count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
- name = "tcp_inbound_sapnwas_sapgui"
- priority = 203
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_range = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_sapgui" {
- count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
- name = "tcp_outbound_sapnwas_sapgui"
- priority = 203
- direction = "Outbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_range = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
-
-# SAP NetWeaver AS Primary Application Server (PAS) Gateway (sapgw), access from within the same Subnet
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_gw" {
- count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
- name = "tcp_inbound_sapnwas_gw"
- priority = 204
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_range = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_gw" {
- count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
- name = "tcp_outbound_sapnwas_gw"
- priority = 204
- direction = "Outbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_range = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
-
-
-# SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapfiori" {
- count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
- name = "tcp_inbound_sapfiori"
- priority = 205
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_range = tonumber("443${var.module_var_sap_hana_instance_no}")
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
-
-# SAP NetWeaver sapctrl HTTP and HTTPS, access from within the same Subnet
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ctrl" {
- count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
- name = "tcp_inbound_sapnwas_ctrl"
- priority = 206
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_range = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}13")
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
-
 
 # SAP HANA ICM HTTPS (Secure) Internal Web Dispatcher, access from within the same Subnet
 resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_icm_https" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
 name = "tcp_inbound_saphana_icm_https"
- priority = 207
+ priority = 250
 direction = "Inbound"
 access = "Allow"
 protocol = "Tcp"
@@ -195,7 +21,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_icm_h
 resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_icm_http" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
 name = "tcp_inbound_saphana_icm_http"
- priority = 208
+ priority = 251
 direction = "Inbound"
 access = "Allow"
 protocol = "Tcp"
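Review bot: The renumbering of the SAP HANA rule priorities from 207–217 to 250–260 in this and the following hunks of `network_security_groups_sap_hana.tf` is not explained anywhere in the file, and Azure rejects two rules with the same priority and direction in one NSG, so the allocation scheme matters to whoever adds the next rule; the new Azure ASCS/PAS/Java files that presumably take over the lower numbers are outside this view, so I cannot check that they stay clear of 250–260. Suggest a header comment at the top of the file, e.g. `# NSG rule priorities 250-260 are reserved for SAP HANA rules; SAP NetWeaver rules use the lower range`, adjusted to the ranges the other files actually use. Deriving each priority from a documented base local (base plus offset) would make the allocation visible in one place instead of in ten literals.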
@@ -214,7 +40,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_icm_h
 resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_webdisp" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
 name = "tcp_inbound_saphana_webdisp"
- priority = 209
+ priority = 252
 direction = "Inbound"
 access = "Allow"
 protocol = "Tcp"
@@ -232,7 +58,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_webdi
 resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index_mdc_sysdb" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
 name = "tcp_inbound_saphana_index_mdc_sysdb"
- priority = 210
+ priority = 253
 direction = "Inbound"
 access = "Allow"
 protocol = "Tcp"
@@ -248,7 +74,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index
 resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_index_mdc_sysdb" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
 name = "tcp_outbound_saphana_index_mdc_sysdb"
- priority = 211
+ priority = 254
 direction = "Outbound"
 access = "Allow"
 protocol = "Tcp"
@@ -266,7 +92,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_inde
 resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index_mdc_1" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
 name = "tcp_inbound_saphana_index_mdc_1"
- priority = 212
+ priority = 255
 direction = "Inbound"
 access = "Allow"
 protocol = "Tcp"
@@ -282,7 +108,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index
 resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_index_mdc_1" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
 name = "tcp_outbound_saphana_index_mdc_1"
- priority = 213
+ priority = 256
 direction = "Outbound"
 access = "Allow"
 protocol = "Tcp"
@@ -300,7 +126,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_inde
 resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_startsrv_http_soap" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
 name = "tcp_inbound_saphana_startsrv_http_soap"
- priority = 214
+ priority = 257
 direction = "Inbound"
 access = "Allow"
 protocol = "Tcp"
@@ -316,7 +142,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_start
 resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_startsrv_http_soap" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
 name = "tcp_outbound_saphana_startsrv_http_soap"
- priority = 215
+ priority = 258
 direction = "Outbound"
 access = "Allow"
 protocol = "Tcp"
@@ -334,7 +160,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_star
 resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_startsrv_https_soap" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
 name = "tcp_inbound_saphana_startsrv_https_soap"
- priority = 216
+ priority = 259
 direction = "Inbound"
 access = "Allow"
 protocol = "Tcp"
@@ -350,7 +176,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_start
 resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_startsrv_https_soap" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
 name = "tcp_outbound_saphana_startsrv_https_soap"
- priority = 217
+ priority = 260
 direction = "Outbound"
 access = "Allow"
 protocol = "Tcp"
@@ -538,76 +364,3 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_udp_outbound_pacemaker3"
 resource_group_name = var.module_var_az_resource_group_name
 network_security_group_name = var.module_var_host_security_group_name
 }
-
-
-# SAP NetWeaver AS JAVA Central Instance (CI) ICM server process 0..n, access from within the same Subnet
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ci_icm" {
- count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
- name = "tcp_inbound_sapnwas_java_ci_icm"
- priority = 401
- direction = "Outbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_ranges = ["5${var.module_var_sap_nwas_java_ci_instance_no}00-5${var.module_var_sap_nwas_java_ci_instance_no}06"]
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
-
-# SAP NetWeaver AS JAVA Central Instance (CI) Access server process 0..n, access from within the same Subnet
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ci_access" {
- count = local.network_rules_sap_nwas_java_boolean ?
1 : 0
- name = "tcp_inbound_sapnwas_java_ci_access"
- priority = 402
- direction = "Outbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_ranges = ["5${var.module_var_sap_nwas_java_ci_instance_no}20-5${var.module_var_sap_nwas_java_ci_instance_no}22"]
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
-
-# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services HTTP server process 0..n, access from within the same Subnet
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ci_admin_http" {
- count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
- name = "tcp_inbound_sapnwas_java_ci_admin_http"
- priority = 403
- direction = "Outbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_ranges = ["5${var.module_var_sap_nwas_java_ci_instance_no}13-5${var.module_var_sap_nwas_java_ci_instance_no}14"]
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
-
-# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services SL Controller server process 0..n, access from within the same Subnet
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ci_admin_slcontroller" {
- count = local.network_rules_sap_nwas_java_boolean ?
1 : 0
- name = "tcp_inbound_sapnwas_java_ci_admin_slcontroller"
- priority = 403
- direction = "Outbound"
- access = "Allow"
- protocol = "Tcp"
-
- source_port_range = "*"
- source_address_prefix = local.target_vnet_subnet_range
- destination_port_ranges = ["5${var.module_var_sap_nwas_java_ci_instance_no}17-5${var.module_var_sap_nwas_java_ci_instance_no}19"]
- destination_address_prefix = local.target_vnet_subnet_range
-
- resource_group_name = var.module_var_az_resource_group_name
- network_security_group_name = var.module_var_host_security_group_name
-}
diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
new file mode 100644
index 0000000..4c86b55
--- /dev/null
+++ b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
@@ -0,0 +1,68 @@
+
+# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), access from within the same Subnet
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_ms" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
+ name = "tcp_inbound_sapnwas_ascs_ms"
+ priority = 201
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_range = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_ascs_ms" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
+ name = "tcp_outbound_sapnwas_ascs_ms"
+ priority = 202
+ direction = "Outbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_range = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
+
+# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), access from within the same Subnet
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_en" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ?
1 : 0
+ name = "tcp_inbound_sapnwas_ascs_en"
+ priority = 203
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_range = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_ascs_en" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
+ name = "tcp_outbound_sapnwas_ascs_en"
+ priority = 204
+ direction = "Outbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_range = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf
new file mode 100644
index 0000000..2178981
--- /dev/null
+++ b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf
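Review bot: The Azure ASCS rules cover only the message server (36xx) and enqueue server (39xx) ports, whereas the AWS ASCS file changed in PATCH 10/18 further down this page also opens the sapstartsrv ports 5xx13–5xx14 for the ASCS instance; if the Azure module is meant to mirror AWS, an equivalent `vnet_sg_rule_sap_inbound_sapnwas_ascs_ctrl` rule with `destination_port_range = "5${var.module_var_sap_nwas_abap_ascs_instance_no}13-5${var.module_var_sap_nwas_abap_ascs_instance_no}14"` is missing here. The `local.network_rules_sap_nwas_abap_ascs_boolean` guard and `var.module_var_sap_nwas_abap_ascs_instance_no` are not declared in this hunk; presumably the Azure module's variables and locals were updated in this commit as the AWS ones were in PATCH 02/18, but that is not visible on this page.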
@@ -0,0 +1,105 @@
+
+# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher (sapdp), for SAP GUI, access from within the same Subnet
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_sapgui" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ name = "tcp_inbound_sapnwas_sapgui"
+ priority = 205
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_range = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_sapgui" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ name = "tcp_outbound_sapnwas_sapgui"
+ priority = 206
+ direction = "Outbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_range = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}")
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
+
+# SAP NetWeaver AS Primary Application Server (PAS) Gateway (sapgw), access from within the same Subnet
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_gw" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ?
1 : 0
+ name = "tcp_inbound_sapnwas_gw"
+ priority = 207
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_range = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_gw" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ name = "tcp_outbound_sapnwas_gw"
+ priority = 208
+ direction = "Outbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_range = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
+
+
+# SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapfiori" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ?
1 : 0
+ name = "tcp_inbound_sapfiori"
+ priority = 209
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_range = tonumber("443${var.module_var_sap_hana_instance_no}")
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
+
+# SAP NetWeaver sapctrl HTTP and HTTPS, access from within the same Subnet
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ctrl" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ name = "tcp_inbound_sapnwas_ctrl"
+ priority = 210
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_range = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}13")
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf
new file mode 100644
index 0000000..0b4ee96
--- /dev/null
+++ b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf
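Review bot: `vnet_sg_rule_sap_inbound_sapfiori` builds its port from `var.module_var_sap_hana_instance_no` although it is a PAS rule guarded by `local.network_rules_sap_nwas_abap_pas_boolean`, and every other rule in this file uses the PAS instance number; the port opened is therefore the HANA-numbered one rather than the PAS ICM port, which is exactly what PATCH 09/18 on this page corrects for the AWS module. The line should read `destination_port_range = tonumber("443${var.module_var_sap_nwas_abap_pas_instance_no}")`. Separately, the `vnet_sg_rule_sap_inbound_sapnwas_ctrl` comment promises HTTP and HTTPS but the rule allows only 5xx13; if sapctrls on 5xx14 is intended as well, the range form already used by the Java rules fits, `destination_port_range = "5${var.module_var_sap_nwas_abap_pas_instance_no}13-5${var.module_var_sap_nwas_abap_pas_instance_no}14"`.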
@@ -0,0 +1,72 @@
+
+# SAP NetWeaver AS JAVA Central Instance (CI) ICM server process 0..n, access from within the same Subnet
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ci_icm" {
+ count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
+ name = "tcp_inbound_sapnwas_java_ci_icm"
+ priority = 401
+ direction = "Outbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_ranges = ["5${var.module_var_sap_nwas_java_ci_instance_no}00-5${var.module_var_sap_nwas_java_ci_instance_no}06"]
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
+
+# SAP NetWeaver AS JAVA Central Instance (CI) Access server process 0..n, access from within the same Subnet
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ci_access" {
+ count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
+ name = "tcp_inbound_sapnwas_java_ci_access"
+ priority = 402
+ direction = "Outbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_ranges = ["5${var.module_var_sap_nwas_java_ci_instance_no}20-5${var.module_var_sap_nwas_java_ci_instance_no}22"]
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
+
+# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services HTTP server process 0..n, access from within the same Subnet
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ci_admin_http" {
+ count = local.network_rules_sap_nwas_java_boolean ?
1 : 0
+ name = "tcp_inbound_sapnwas_java_ci_admin_http"
+ priority = 403
+ direction = "Outbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_ranges = ["5${var.module_var_sap_nwas_java_ci_instance_no}13-5${var.module_var_sap_nwas_java_ci_instance_no}14"]
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
+
+# SAP NetWeaver AS JAVA Central Instance (CI) Admin Services SL Controller server process 0..n, access from within the same Subnet
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ci_admin_slcontroller" {
+ count = local.network_rules_sap_nwas_java_boolean ? 1 : 0
+ name = "tcp_inbound_sapnwas_java_ci_admin_slcontroller"
+ priority = 403
+ direction = "Outbound"
+ access = "Allow"
+ protocol = "Tcp"
+
+ source_port_range = "*"
+ source_address_prefix = local.target_vnet_subnet_range
+ destination_port_ranges = ["5${var.module_var_sap_nwas_java_ci_instance_no}17-5${var.module_var_sap_nwas_java_ci_instance_no}19"]
+ destination_address_prefix = local.target_vnet_subnet_range
+
+ resource_group_name = var.module_var_az_resource_group_name
+ network_security_group_name = var.module_var_host_security_group_name
+}
From fc0b72f15490c4ffe0c0f53af9fc2cb6d1e0774b Mon Sep 17 00:00:00 2001 From: sean-freeman Date: Mon, 16 Jan 2023 19:14:49 +0000 Subject: [PATCH 09/18] fix: clearer sg rules for aws --- .../network_security_groups_sap_hana.t f | 32 ++++++++++- .../network_security_groups_sap_hostctrl.tf | 36 ++++++++++++ ...work_security_groups_sap_nwas_abap_ascs.tf | 26 ++++++++- ...twork_security_groups_sap_nwas_abap_pas.tf | 55 ++++++++++++++++--- 4 files changed, 139 insertions(+), 10 deletions(-) create mode 100644 aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hostctrl.tf
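Review bot: `vnet_sg_rule_sap_inbound_sapnwas_java_ci_admin_http` and `vnet_sg_rule_sap_inbound_sapnwas_java_ci_admin_slcontroller` both set `priority = 403` with `direction = "Outbound"` on the same NSG; Azure requires a unique priority per direction within a security group, so the apply is expected to fail whenever `local.network_rules_sap_nwas_java_boolean` is true, and the second rule should become `priority = 404`. All four rules in this file are named `*_inbound_*` and commented as "access from within the same Subnet" yet set `direction = "Outbound"`, so no inbound access to the Java CI ports is actually granted; presumably `direction = "Inbound"` was intended, as in the ABAP files added by this commit. Both issues are carried over verbatim from the removed block rather than introduced here, but this commit is the natural place to fix them.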
diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hana.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hana.tf
index f013664..0de0add 100644
--- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hana.tf
+++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hana.tf
@@ -9,6 +9,16 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_icm_https" {
 protocol = "tcp"
 cidr_blocks = ["${local.target_subnet_ip_range}"]
 }
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_icm_https" {
+ count = local.network_rules_sap_hana_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = tonumber("43${var.module_var_sap_hana_instance_no}")
+ to_port = tonumber("43${var.module_var_sap_hana_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
 
 # SAP HANA ICM HTTP Internal Web Dispatcher, access from within the same Subnet
 resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_icm_http" {
@@ -20,8 +30,18 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_icm_http" {
 protocol = "tcp"
 cidr_blocks = ["${local.target_subnet_ip_range}"]
 }
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_icm_http" {
+ count = local.network_rules_sap_hana_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = tonumber("80${var.module_var_sap_hana_instance_no}")
+ to_port = tonumber("80${var.module_var_sap_hana_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
 
-# SAP HANA Internal Web Dispatcher, access from within the same Subnet
+# SAP HANA Internal Web Dispatcher, webdispatcher process, access from within the same Subnet
 resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_webdisp" {
 count = local.network_rules_sap_hana_boolean ? 1 : 0
 security_group_id = var.module_var_host_security_group_id
@@ -31,6 +51,16 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_webdisp" {
 protocol = "tcp"
 cidr_blocks = ["${local.target_subnet_ip_range}"]
 }
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_webdisp" {
+ count = local.network_rules_sap_hana_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = tonumber("3${var.module_var_sap_hana_instance_no}06")
+ to_port = tonumber("3${var.module_var_sap_hana_instance_no}06")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
 
 # SAP HANA indexserver MDC System Tenant SYSDB, access from within the same Subnet
 resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_index_mdc_sysdb" {
diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hostctrl.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hostctrl.tf
new file mode 100644
index 0000000..7d3a17e
--- /dev/null
+++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hostctrl.tf
@@ -0,0 +1,36 @@
+
+# SAP Host Agent with SOAP over HTTP, saphostctrl process as 1128 port, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphostctrl_http_soap" {
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = 1128
+ to_port = 1128
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphostctrl_http_soap" {
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = 1128
+ to_port = 1128
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
+# SAP Host Agent with SOAP over HTTPS, saphostctrls process as 1129 port, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphostctrl_https_soap" {
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = 1129
+ to_port = 1129
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphostctrl_https_soap" {
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = 1129
+ to_port = 1129
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
index 38395ce..2095a7b 100644
--- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
+++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
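Review bot: The four saphostctrl rules are the only rules across this module's `host_network_access_sap` files on this page without a `count = … ? 1 : 0` guard, so they are created for every host regardless of which SAP components it runs. If that is intentional because the SAP Host Agent is present on every host, a comment at the top of the file should say so, e.g. `# No count guard: the SAP Host Agent is expected on every SAP host managed by this module`; otherwise the rules should be gated like the others. Port 1128 is the cleartext SOAP endpoint per the comment, so whether the HTTP pair is required alongside the 1129 HTTPS pair, or could be dropped where only HTTPS is used, is also worth stating in that comment.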
@@ -1,5 +1,26 @@
 
-# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), access from within the same Subnet
+# SAP NetWeaver AS ABAP Central Services (ASCS) Dispatcher, sapdp process as 32 port, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_dp" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("32${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ to_port = tonumber("32${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_dp" {
+ count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = tonumber("32${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ to_port = tonumber("32${var.module_var_sap_nwas_abap_ascs_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
+
+# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), sapms process as 36 port, access from within the same Subnet
 resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_ms" {
 count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
 security_group_id = var.module_var_host_security_group_id
@@ -19,7 +40,8 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_ms" {
 cidr_blocks = ["${local.target_subnet_ip_range}"]
 }
 
-# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), access from within the same Subnet
+
+# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), sapdp process as 39 port, access from within the same Subnet
 resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_en" {
 count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
 security_group_id = var.module_var_host_security_group_id
diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf
index 93e7947..1c2c73e 100644
--- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf
+++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf
@@ -1,5 +1,5 @@
 
-# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher (sapdp), for SAP GUI, access from within the same Subnet
+# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher, sapdp process as 32 port, for SAP GUI, access from within the same Subnet
 resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_sapgui" {
 count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
 security_group_id = var.module_var_host_security_group_id
@@ -20,7 +20,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_sapgui" {
 }
 
 
-# SAP NetWeaver AS Primary Application Server (PAS) Gateway (sapgw), access from within the same Subnet
+# SAP NetWeaver AS Primary Application Server (PAS) Gateway, sapgw process as 33 port, access from within the same Subnet
 resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_gw" {
 count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
 security_group_id = var.module_var_host_security_group_id
@@ -40,18 +40,29 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_gw" {
 cidr_blocks = ["${local.target_subnet_ip_range}"]
 }
 
-# SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapfiori" {
+
+# SAP NetWeaver AS Primary Application Server (PAS) Gateway Secured, sapgws process as 48 port, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_gw_secure" {
 count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
 security_group_id = var.module_var_host_security_group_id
 type = "ingress"
- from_port = tonumber("443${var.module_var_sap_hana_instance_no}")
- to_port = tonumber("443${var.module_var_sap_hana_instance_no}")
+ from_port = tonumber("48${var.module_var_sap_nwas_abap_pas_instance_no}")
+ to_port = tonumber("48${var.module_var_sap_nwas_abap_pas_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_gw_secure" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = tonumber("48${var.module_var_sap_nwas_abap_pas_instance_no}")
+ to_port = tonumber("48${var.module_var_sap_nwas_abap_pas_instance_no}")
 protocol = "tcp"
 cidr_blocks = ["${local.target_subnet_ip_range}"]
 }
 
-# SAP NetWeaver sapctrl HTTP and HTTPS, access from within the same Subnet
+
+# SAP NetWeaver sapctrl HTTP and HTTPS, sapctrl and sapctrls processes as 513 and 514 ports, access from within the same Subnet
 resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ctrl" {
 count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
 security_group_id = var.module_var_host_security_group_id
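Review bot: The rewritten comment on `vpc_sg_rule_sap_ingress_sapnwas_ctrl` now promises both sapctrl (5xx13) and sapctrls (5xx14), and the egress counterpart added in the `@@ -61,3 +72,33 @@` hunk below ends at `to_port = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}14")`, but this ingress rule's `from_port`/`to_port` lines lie outside the hunk and, going by the diffstat, are not touched anywhere in this commit. If the ingress `to_port` still ends at 5xx13 (as the Azure twin of this rule does elsewhere on this page), the HTTPS SAPControl endpoint is allowed for egress but not ingress, which contradicts the new comment; confirm the ingress rule was widened to `to_port = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}14")` or narrow the comment back to sapctrl only.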
@@ -61,3 +72,33 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ctrl" {
 protocol = "tcp"
 cidr_blocks = ["${local.target_subnet_ip_range}"]
 }
+resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ctrl" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}13")
+ to_port = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}14")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+
+
+# SAP NetWeaver AS Primary Application Server (PAS) ICM HTTPS for Web GUI and SAP Fiori Launchpad (HTTPS), icman process as 443, access from within the same Subnet
+resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_icm" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "ingress"
+ from_port = tonumber("443${var.module_var_sap_nwas_abap_pas_instance_no}")
+ to_port = tonumber("443${var.module_var_sap_nwas_abap_pas_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
+resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_icm" {
+ count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
+ security_group_id = var.module_var_host_security_group_id
+ type = "egress"
+ from_port = tonumber("443${var.module_var_sap_nwas_abap_pas_instance_no}")
+ to_port = tonumber("443${var.module_var_sap_nwas_abap_pas_instance_no}")
+ protocol = "tcp"
+ cidr_blocks = ["${local.target_subnet_ip_range}"]
+}
From 839cf88bf429b527e696621e471e18a876fbfcfe Mon Sep 17 00:00:00 2001
From: sean-freeman Date: Tue, 17 Jan 2023 20:01:24 +0000 Subject: [PATCH 10/18] fix: rename aws vpc sg resources for clarity --- ...work_security_groups_sap_nwas_abap_ascs.tf | 33 +++++++++++++++---- ...twork_security_groups_sap_nwas_abap_pas.tf | 22 ++++++------- 2 files changed, 38 insertions(+), 17 deletions(-)
diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
index 2095a7b..acc0bc8 100644
--- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
+++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
@@ -1,6 +1,6 @@
 
 # SAP NetWeaver AS ABAP Central Services (ASCS) Dispatcher, sapdp process as 32 port, access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_dp" {
+resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_abap_ascs_dp" {
 count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
 security_group_id = var.module_var_host_security_group_id
 type = "ingress"
@@ -9,7 +9,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_dp" {
 protocol = "tcp"
 cidr_blocks = ["${local.target_subnet_ip_range}"]
 }
-resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_dp" {
+resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_abap_ascs_dp" {
 count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
 security_group_id = var.module_var_host_security_group_id
 type = "egress"
@@ -21,7 +21,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_dp" { # SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), sapms process as 36 port, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_ms" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_abap_ascs_ms" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "ingress" @@ -30,7 +30,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_ms" { protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } -resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_ms" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_abap_ascs_ms" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "egress" @@ -42,7 +42,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_ms" { # SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), sapdp process as 39 port, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_en" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_abap_ascs_en" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "ingress" @@ -51,7 +51,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ascs_en" { protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } -resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_en" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_abap_ascs_en" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "egress" 
@@ -60,3 +60,24 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ascs_en" { protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } + + +# SAP NetWeaver AS ABAP Central Services (ASCS) SAP Start Service (i.e. SAPControl SOAP Web Service) HTTP and HTTPS, sapctrl and sapctrls processes as 513 and 514 ports, access from within the same Subnet +resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_abap_ascs_ctrl" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + security_group_id = var.module_var_host_security_group_id + type = "ingress" + from_port = tonumber("5${var.module_var_sap_nwas_abap_ascs_instance_no}13") + to_port = tonumber("5${var.module_var_sap_nwas_abap_ascs_instance_no}14") + protocol = "tcp" + cidr_blocks = ["${local.target_subnet_ip_range}"] +} +resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_abap_ascs_ctrl" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + security_group_id = var.module_var_host_security_group_id + type = "egress" + from_port = tonumber("5${var.module_var_sap_nwas_abap_ascs_instance_no}13") + to_port = tonumber("5${var.module_var_sap_nwas_abap_ascs_instance_no}14") + protocol = "tcp" + cidr_blocks = ["${local.target_subnet_ip_range}"] +} diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf index 1c2c73e..61271da 100644 --- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf +++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf 
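Review bot: The new `vpc_sg_rule_sap_ingress_sapnwas_abap_ascs_ctrl`/`_egress_` rules land in the same file whose dp/ms/en rules are renamed in this commit, and no `moved` blocks for those renames are visible anywhere in the patch, so Terraform will plan each renamed rule as an unrelated destroy plus create rather than an in-place address change. Terraform does not order the destroy of the old address before the create of the new one, so the create may fail with AWS's duplicate-permission error if it runs first, and in either order the ASCS ports are briefly closed mid-apply on a live system. One `moved` block per renamed rule avoids both, e.g. `moved { from = aws_security_group_rule.vpc_sg_rule_sap_ingress_sapnwas_ascs_dp  to = aws_security_group_rule.vpc_sg_rule_sap_ingress_sapnwas_abap_ascs_dp }` (requires Terraform 1.1 or later, which I cannot confirm from the patch). As with the PAS file, the 5NN13–5NN14 range here opens the plaintext SAPControl HTTP port alongside the HTTPS one; a per-port split would let deployments disable 5NN13.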
@@ -1,6 +1,6 @@ # SAP NetWeaver AS Primary Application Server (PAS) Dispatcher, sapdp process as 32 port, for SAP GUI, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_sapgui" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_abap_pas_sapgui" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "ingress" @@ -9,7 +9,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_sapgui" { protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } -resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_sapgui" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_abap_pas_sapgui" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "egress" @@ -21,7 +21,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_sapgui" { # SAP NetWeaver AS Primary Application Server (PAS) Gateway, sapgw process as 33 port, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_gw" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_abap_pas_gw" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "ingress" @@ -30,7 +30,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_gw" { protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } -resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_gw" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_abap_pas_gw" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "egress" 
@@ -42,7 +42,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_gw" { # SAP NetWeaver AS Primary Application Server (PAS) Gateway Secured, sapgws process as 48 port, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_gw_secure" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_abap_pas_gw_secure" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "ingress" @@ -51,7 +51,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_gw_secure" { protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } -resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_gw_secure" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_abap_pas_gw_secure" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "egress" @@ -62,8 +62,8 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_gw_secure" { } -# SAP NetWeaver sapctrl HTTP and HTTPS, sapctrl and sapctrls processes as 513 and 514 ports, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ctrl" { +# SAP NetWeaver AS Primary Application Server (PAS) SAP Start Service (i.e. SAPControl SOAP Web Service) HTTP and HTTPS, sapctrl and sapctrls processes as 513 and 514 ports, access from within the same Subnet +resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_abap_pas_ctrl" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "ingress" 
@@ -72,7 +72,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_ctrl" { protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } -resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ctrl" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_abap_pas_ctrl" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "egress" @@ -84,7 +84,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_ctrl" { # SAP NetWeaver AS Primary Application Server (PAS) ICM HTTPS for Web GUI and SAP Fiori Launchpad (HTTPS), icman process as 443, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_icm" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_abap_pas_icm" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "ingress" @@ -93,7 +93,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_icm" { protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } -resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_icm" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_abap_pas_icm" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "egress" From caecb5ee5880b24aaf4cc7d47c30cc5d811027fe Mon Sep 17 00:00:00 2001 From: sean-freeman Date: Thu, 19 Jan 2023 10:15:04 +0000 Subject: [PATCH 11/18] fix: sap ase client updates --- .../create_ansible_extravars.tf | 4 ++-- .../create_ansible_extravars.tf | 4 ++-- .../create_ansible_extravars.tf | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/all/ansible_sap_ecc_sapase_install/create_ansible_extravars.tf b/all/ansible_sap_ecc_sapase_install/create_ansible_extravars.tf index 8754a96..1f263f6 100644 
--- a/all/ansible_sap_ecc_sapase_install/create_ansible_extravars.tf +++ b/all/ansible_sap_ecc_sapase_install/create_ansible_extravars.tf @@ -138,7 +138,7 @@ sap_swpm_templates_install_dictionary: - 'igsexe_13-80003187.sar' # IGS 7.53 - 'igshelper_17-10010245.sar' - 'SYBCTRL_1036-80002616.SAR' - - '51055871_1' # SAP ASE 16.0.03.12 HF1 RDBMS Linux on x86_64 64bit + - '51056224_1' # SAP ASE 16.0.03.13 RDBMS Linux on x86_64 64bit - 'ASEBC16004P_3-20012477.SAR' # SAP ASE 16.0 FOR BUS. SUITE DBCLIENT SP04 PL03 - '51050708_1' # SAP ERP 6.0 EHP8 Installation Export 1/4, Self-extract RAR EXE - '51050708_2' @@ -203,7 +203,7 @@ sap_swpm_templates_install_dictionary: - 'igsexe_13-80003187.sar' # IGS 7.53 - 'igshelper_17-10010245.sar' - 'SYBCTRL_1036-80002616.SAR' - - '51055871_1' # SAP ASE 16.0.03.12 HF1 RDBMS Linux on x86_64 64bit + - '51056224_1' # SAP ASE 16.0.03.13 RDBMS Linux on x86_64 64bit - 'ASEBC16004P_3-20012477.SAR' # SAP ASE 16.0 FOR BUS. SUITE DBCLIENT SP04 PL03 - '51053216_1' # IDES SAP ERP 6.0 EHP8 - INSTALL. EXP. (1/2) 1/22 - '51053216_2' diff --git a/all/ansible_sap_nwas_abap_sapase_install/create_ansible_extravars.tf b/all/ansible_sap_nwas_abap_sapase_install/create_ansible_extravars.tf index b5b0f49..5b757b0 100644 --- a/all/ansible_sap_nwas_abap_sapase_install/create_ansible_extravars.tf +++ b/all/ansible_sap_nwas_abap_sapase_install/create_ansible_extravars.tf @@ -132,7 +132,7 @@ sap_swpm_templates_install_dictionary: - 'igsexe_13-80003187.sar' # IGS 7.53 - 'igshelper_17-10010245.sar' - 'SYBCTRL_1036-80002616.SAR' - - '51055871_1' # SAP ASE 16.0.03.12 HF1 RDBMS Linux on x86_64 64bit + - '51056224_1' # SAP ASE 16.0.03.13 RDBMS Linux on x86_64 64bit - 'ASEBC16004P_3-20012477.SAR' # SAP ASE 16.0 FOR BUS. SUITE DBCLIENT SP04 PL03 - '51051806_1' # NetWeaver AS ABAP 7.52 Innovation Pkg - Installation Exp 1/2, RAR - '51051806_2' # NetWeaver AS ABAP 7.52 Innovation Pkg - Installation Exp 2/2, RAR 
@@ -184,7 +184,7 @@ sap_swpm_templates_install_dictionary: - 'igsexe_13-80003187.sar' # IGS 7.53 - 'igshelper_17-10010245.sar' - 'SYBCTRL_1036-80002616.SAR' - - '51055871_1' # SAP ASE 16.0.03.12 HF1 RDBMS Linux on x86_64 64bit + - '51056224_1' # SAP ASE 16.0.03.13 RDBMS Linux on x86_64 64bit - 'ASEBC16004P_3-20012477.SAR' # SAP ASE 16.0 FOR BUS. SUITE DBCLIENT SP04 PL03 - '51050829_3' # SAP Netweaver 7.5 Installation Export, ZIP # - '51050829_4' # NW 7.5 Language 1/2 diff --git a/all/ansible_sap_nwas_java_sapase_install/create_ansible_extravars.tf b/all/ansible_sap_nwas_java_sapase_install/create_ansible_extravars.tf index ebd045b..3bddc8b 100644 --- a/all/ansible_sap_nwas_java_sapase_install/create_ansible_extravars.tf +++ b/all/ansible_sap_nwas_java_sapase_install/create_ansible_extravars.tf @@ -134,7 +134,7 @@ sap_swpm_templates_install_dictionary: - 'SAPHOSTAGENT56_56-80004822.SAR' # SAP Host Agent 7.22 - 'SAPJVM8_90-80000202.SAR' # SAP JVM 8.1 - '51055106' # SAP Netweaver 7.5 SP22 Java, ZIP. Contains JAVA_EXPORT (SAP:JEXPORT:750:SP22:*:*), JAVA_EXPORT_JDMP (SAP:JDMP:750:SP22:*:SW-LABEL), JAVA_J2EE_OSINDEP (SAP:J2EE-CD:750:J2EE-CD:j2ee-cd:*), JAVA_J2EE_OSINDEP_J2EE_INST (SAP:J2EE-INST:750:SP22:*:*), JAVA_J2EE_OSINDEP_UT (SAP:UT:750:SP22:*:*) - - '51055622_1' # SAP ASE 16.0.04.03 RDBMS Linux on x86_64 64bit + - '51056021_1' # SAP ASE 16.0.04.03 HF1 RDBMS Linux on x86_64 64bit - 'ASEBC16004P_2-20012477.SAR' # SAP ASE 16.0 FOR BUS. SUITE DBCLIENT SP04 PL02 softwarecenter_search_list_ppc64le: From a126728819b077d7ac7ac12c7e634548da59d688 Mon Sep 17 00:00:00 2001 
From: sean-freeman Date: Sat, 21 Jan 2023 14:37:51 +0000 Subject: [PATCH 12/18] fix: consistent firewall rules --- .../network_security_groups_sap_hana.tf | 3 + .../network_security_groups_sap_hostctrl.tf | 1 + ...twork_security_groups_sap_nwas_abap_pas.tf | 4 +- ...etwork_security_groups_sap_nwas_java_ci.tf | 3 + .../network_security_groups_sap_hana.tf | 68 +++++++--- .../network_security_groups_sap_hostctrl.tf | 41 ++++++ ...work_security_groups_sap_nwas_abap_ascs.tf | 55 +++++++- ...twork_security_groups_sap_nwas_abap_pas.tf | 82 +++++++++--- ...etwork_security_groups_sap_nwas_java_ci.tf | 2 + .../network_security_groups_sap_hana.tf | 75 +++++++++-- .../network_security_groups_sap_hostctrl.tf | 65 ++++++++++ ...work_security_groups_sap_nwas_abap_ascs.tf | 95 ++++++++++++-- ...twork_security_groups_sap_nwas_abap_pas.tf | 117 ++++++++++++++---- ...etwork_security_groups_sap_nwas_java_ci.tf | 5 +- 14 files changed, 531 insertions(+), 85 deletions(-) create mode 100644 ibmcloud_vs/host_network_access_sap/network_security_groups_sap_hostctrl.tf create mode 100644 msazure_vm/host_network_access_sap/network_security_groups_sap_hostctrl.tf diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hana.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hana.tf index 0de0add..47e57c5 100644 --- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hana.tf +++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hana.tf @@ -82,6 +82,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_index_mdc_sys cidr_blocks = ["${local.target_subnet_ip_range}"] } + # SAP HANA indexserver MDC Tenant #1, access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_index_mdc_1" { count = local.network_rules_sap_hana_boolean ? 1 : 0 
@@ -102,6 +103,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_index_mdc_1" cidr_blocks = ["${local.target_subnet_ip_range}"] } + # SAP HANA for SOAP over HTTP for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_startsrv_http_soap" { count = local.network_rules_sap_hana_boolean ? 1 : 0 @@ -122,6 +124,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_startsrv_http cidr_blocks = ["${local.target_subnet_ip_range}"] } + # SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_startsrv_https_soap" { count = local.network_rules_sap_hana_boolean ? 1 : 0 diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hostctrl.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hostctrl.tf index 7d3a17e..31dfab3 100644 --- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hostctrl.tf +++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hostctrl.tf @@ -17,6 +17,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphostctrl_http_soap cidr_blocks = ["${local.target_subnet_ip_range}"] } + # SAP Host Agent with SOAP over HTTPS, saphostctrls process as 1129 port, access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphostctrl_https_soap" { security_group_id = var.module_var_host_security_group_id diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf index 61271da..d1166ee 100644 --- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf 
+++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf @@ -1,6 +1,6 @@ # SAP NetWeaver AS Primary Application Server (PAS) Dispatcher, sapdp process as 32 port, for SAP GUI, access from within the same Subnet -resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_abap_pas_sapgui" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_abap_pas_dp_sapgui" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "ingress" @@ -9,7 +9,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_abap_pas_sap protocol = "tcp" cidr_blocks = ["${local.target_subnet_ip_range}"] } -resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_abap_pas_sapgui" { +resource "aws_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_abap_pas_dp_sapgui" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 security_group_id = var.module_var_host_security_group_id type = "egress" diff --git a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf index c9be979..440535c 100644 --- a/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf +++ b/aws_ec2_instance/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf @@ -10,6 +10,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_icm" cidr_blocks = ["${local.target_subnet_ip_range}"] } + # SAP NetWeaver AS JAVA Central Instance (CI) Access server process 0..n, access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_access" { count = local.network_rules_sap_nwas_java_boolean ? 1 : 0 
@@ -21,6 +22,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_acce cidr_blocks = ["${local.target_subnet_ip_range}"] } + # SAP NetWeaver AS JAVA Central Instance (CI) Admin Services HTTP server process 0..n, access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_admin_http" { count = local.network_rules_sap_nwas_java_boolean ? 1 : 0 @@ -32,6 +34,7 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_admi cidr_blocks = ["${local.target_subnet_ip_range}"] } + # SAP NetWeaver AS JAVA Central Instance (CI) Admin Services SL Controller server process 0..n, access from within the same Subnet resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_sapnwas_java_ci_admin_slcontroller" { count = local.network_rules_sap_nwas_java_boolean ? 1 : 0 diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_hana.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_hana.tf index 4631618..5014aa8 100644 --- a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_hana.tf +++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_hana.tf @@ -2,7 +2,6 @@ # SAP HANA ICM HTTPS (Secure) Internal Web Dispatcher, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_icm_https" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_gw] group = var.module_var_host_security_group_id direction = "inbound" remote = local.target_vpc_subnet_range 
@@ -11,6 +10,17 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_icm_https port_max = tonumber("43${var.module_var_sap_hana_instance_no}") } } +resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_icm_https" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("43${var.module_var_sap_hana_instance_no}") + port_max = tonumber("43${var.module_var_sap_hana_instance_no}") + } +} + # SAP HANA ICM HTTP Internal Web Dispatcher, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_icm_http" { @@ -24,8 +34,20 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_icm_http" port_max = tonumber("80${var.module_var_sap_hana_instance_no}") } } +resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_icm_http" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_icm_https] + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("80${var.module_var_sap_hana_instance_no}") + port_max = tonumber("80${var.module_var_sap_hana_instance_no}") + } +} + -# SAP HANA Internal Web Dispatcher, access from within the same Subnet +# SAP HANA Internal Web Dispatcher, webdispatcher process, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_webdisp" { count = local.network_rules_sap_hana_boolean ? 1 : 0 depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_icm_http] 
@@ -37,6 +59,18 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_webdisp" port_max = tonumber("3${var.module_var_sap_hana_instance_no}06") } } +resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_webdisp" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_icm_http] + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("3${var.module_var_sap_hana_instance_no}06") + port_max = tonumber("3${var.module_var_sap_hana_instance_no}06") + } +} + # SAP HANA indexserver MDC System Tenant SYSDB, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_index_mdc_sysdb" { @@ -62,6 +96,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_index_md } } + # SAP HANA indexserver MDC Tenant #1, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_index_mdc_1" { count = local.network_rules_sap_hana_boolean ? 1 : 0 @@ -86,10 +121,11 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_index_md } } + # SAP HANA for SOAP over HTTP for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_startsrv_http_soap" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_sysdb] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1] group = var.module_var_host_security_group_id direction = "inbound" remote = local.target_vpc_subnet_range 
@@ -100,7 +136,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_startsrv_ } resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_startsrv_http_soap" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_sysdb] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1] group = var.module_var_host_security_group_id direction = "outbound" remote = local.target_vpc_subnet_range @@ -110,10 +146,11 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_startsrv } } + # SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_startsrv_https_soap" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_sysdb] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_startsrv_http_soap] group = var.module_var_host_security_group_id direction = "inbound" remote = local.target_vpc_subnet_range @@ -124,7 +161,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_startsrv_ } resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_startsrv_https_soap" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_sysdb] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_startsrv_http_soap] group = var.module_var_host_security_group_id direction = "outbound" remote = local.target_vpc_subnet_range 
@@ -141,6 +178,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_startsrv ## More details in README resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_saphana_hsr1" { count = local.network_rules_sap_hana_boolean ? 1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_startsrv_https_soap] group = var.module_var_host_security_group_id direction = "inbound" remote = local.target_vpc_subnet_range @@ -152,7 +190,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_saphana_hsr1" { resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_saphana_hsr1" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_saphana_hsr1] group = var.module_var_host_security_group_id direction = "outbound" remote = local.target_vpc_subnet_range @@ -164,7 +202,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_saphana_hsr1" { resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_saphana_hsr2" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_saphana_hsr1] group = var.module_var_host_security_group_id direction = "inbound" remote = local.target_vpc_subnet_range @@ -176,7 +214,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_saphana_hsr2" { resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_saphana_hsr2" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_saphana_hsr1] group = var.module_var_host_security_group_id direction = "outbound" remote = local.target_vpc_subnet_range 
@@ -188,7 +226,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_saphana_hsr2" { resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_pacemaker_1" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_saphana_hsr1] group = var.module_var_host_security_group_id direction = "inbound" remote = local.target_vpc_subnet_range @@ -200,7 +238,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_pacemaker_1" { resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_pacemaker_1" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_saphana_hsr1] group = var.module_var_host_security_group_id direction = "outbound" remote = local.target_vpc_subnet_range @@ -212,7 +250,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_pacemaker_1" { resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_pacemaker_2" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_saphana_hsr1] group = var.module_var_host_security_group_id direction = "inbound" remote = local.target_vpc_subnet_range 
@@ -224,7 +262,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_pacemaker_2" { resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_pacemaker_2" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_saphana_hsr1] group = var.module_var_host_security_group_id direction = "outbound" remote = local.target_vpc_subnet_range @@ -236,7 +274,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_pacemaker_2" { resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_pacemaker_3" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_saphana_hsr1] group = var.module_var_host_security_group_id direction = "inbound" remote = local.target_vpc_subnet_range @@ -248,7 +286,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_pacemaker_3" { resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_pacemaker_3" { count = local.network_rules_sap_hana_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_saphana_hsr1] group = var.module_var_host_security_group_id direction = "outbound" remote = local.target_vpc_subnet_range diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_hostctrl.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_hostctrl.tf new file mode 100644 index 0000000..f08a792 --- /dev/null +++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_hostctrl.tf 
@@ -0,0 +1,41 @@
+
+# SAP Host Agent with SOAP over HTTP, saphostctrl process as 1128 port, access from within the same Subnet
+resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphostctrl_http_soap" {
+ group = var.module_var_host_security_group_id
+ direction = "inbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = 1128
+ port_max = 1128
+ }
+}
+resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphostctrl_http_soap" {
+ group = var.module_var_host_security_group_id
+ direction = "outbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = 1128
+ port_max = 1128
+ }
+}
+
+
+# SAP Host Agent with SOAP over HTTPS, saphostctrls process as 1129 port, access from within the same Subnet
+resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphostctrl_https_soap" {
+ group = var.module_var_host_security_group_id
+ direction = "inbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = 1129
+ port_max = 1129
+ }
+}
+resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphostctrl_https_soap" {
+ group = var.module_var_host_security_group_id
+ direction = "outbound"
+ remote = local.target_vpc_subnet_range
+ tcp {
+ port_min = 1129
+ port_max = 1129
+ }
+}
diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
index e1a0000..f9916cc 100644
--- a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
+++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
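Review bot: None of the four saphostctrl rules in this new file carries a `count` guard, whereas every HANA and NetWeaver rule in the sibling files is gated by a `local.network_rules_*_boolean`, so TCP 1128 and 1129 are opened inbound and outbound on every host that uses this module, including hosts on which SAP Host Agent is never installed. Port 1128 is the plaintext SOAP endpoint, so at minimum that pair should be separately switchable; a guard in the same pattern as the others, e.g. `count = local.network_rules_sap_hostagent_boolean ? 1 : 0` backed by a module variable, would keep the file consistent and default-closed for non-SAP hosts. The outbound mirrors also let this host initiate Host Agent calls to every peer in the subnet; IBM Cloud VPC security groups are stateful, so if the intent is only to answer inbound requests, the outbound rules are not needed and widen egress unnecessarily — worth a comment stating which case is intended.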
@@ -1,5 +1,28 @@ -# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), access from within the same Subnet +# SAP NetWeaver AS ABAP Central Services (ASCS) Dispatcher, sapdp process as 32 port, access from within the same Subnet +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_abap_ascs_dp" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + group = var.module_var_host_security_group_id + direction = "inbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("32${var.module_var_sap_nwas_abap_ascs_instance_no}") + port_max = tonumber("32${var.module_var_sap_nwas_abap_ascs_instance_no}") + } +} +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_abap_ascs_dp" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("32${var.module_var_sap_nwas_abap_ascs_instance_no}") + port_max = tonumber("32${var.module_var_sap_nwas_abap_ascs_instance_no}") + } +} + + +# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), sapms process as 36 port, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ascs_ms" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 group = var.module_var_host_security_group_id 
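Review bot: The port expression `tonumber("32${var.module_var_sap_nwas_abap_ascs_instance_no}")` in the new `vpc_sg_rule_sap_inbound_sapnwas_abap_ascs_dp` rule opens an unrelated port if the instance number is empty or a single digit (`tonumber("32")` is 32, `tonumber("320")` is 320); presumably `local.network_rules_sap_nwas_abap_ascs_boolean` is false when the variable is empty, but that coupling is not visible here. A `validation` block on the variable with a condition like `var.module_var_sap_nwas_abap_ascs_instance_no == "" || can(regex("^[0-9]{2}$", var.module_var_sap_nwas_abap_ascs_instance_no))` would make the contract explicit. The MS and EN rules below, the PAS rules in the next file and the Azure files use the same pattern, so one validation per instance-number variable covers all of them.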
@@ -21,8 +44,9 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_ascs_ms" } } -# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), access from within the same Subnet -resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ascs_en" { + +# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), sapdp process as 39 port, access from within the same Subnet +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_abap_ascs_en" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 group = var.module_var_host_security_group_id direction = "inbound" @@ -32,7 +56,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ascs_en" port_max = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") } } -resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_ascs_en" { +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_abap_ascs_en" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 group = var.module_var_host_security_group_id direction = "outbound" 
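Review bot: The new comment on the Enqueue Server rule says `sapdp process as 39 port`, but sapdp is the dispatcher process that the first hunk of this file already assigns to port 32NN; port 39NN belongs to the enqueue server process (enserver, or enq_server with ENSA2), so the comment should read `# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), enserver process as 39 port, access from within the same Subnet`. The same wrong process name appears in the Azure ASCS file, hunk `@@ -33,11 +68,12 @@`. Renaming the EN resources here (and the PAS resources in the next file, plus their Azure counterparts) makes Terraform destroy and recreate each rule rather than update it, which removes the rule for the duration of the apply; with Terraform 1.1 or later a `moved { from = ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_ascs_en  to = ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_abap_ascs_en }` block per renamed resource keeps the existing rule in place.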
@@ -42,3 +66,26 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_ascs_en" port_max = tonumber("39${var.module_var_sap_nwas_abap_ascs_instance_no}") } } + + +# SAP NetWeaver AS ABAP Central Services (ASCS) SAP Start Service (i.e. SAPControl SOAP Web Service) HTTP and HTTPS, sapctrl and sapctrls processes as 513 and 514 ports, access from within the same Subnet +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_abap_ascs_ctrl" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + group = var.module_var_host_security_group_id + direction = "inbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("5${var.module_var_sap_nwas_abap_ascs_instance_no}13") + port_max = tonumber("5${var.module_var_sap_nwas_abap_ascs_instance_no}14") + } +} +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_abap_ascs_ctrl" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("5${var.module_var_sap_nwas_abap_ascs_instance_no}13") + port_max = tonumber("5${var.module_var_sap_nwas_abap_ascs_instance_no}14") + } +} diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf index 811f91b..dfaf4c8 100644 --- a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf +++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf 
@@ -1,6 +1,6 @@ -# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher (sapdp), for SAP GUI, access from within the same Subnet -resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_sapgui" { +# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher, sapdp process as 32 port, for SAP GUI, access from within the same Subnet +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_abap_pas_dp_sapgui" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 group = var.module_var_host_security_group_id direction = "inbound" @@ -10,7 +10,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_sapgui" { port_max = tonumber("32${var.module_var_sap_nwas_abap_pas_instance_no}") } } -resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_sapgui" { +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_abap_pas_dp_sapgui" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 group = var.module_var_host_security_group_id direction = "outbound" @@ -21,10 +21,11 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_sapgui" } } -# SAP NetWeaver AS Primary Application Server (PAS) Gateway (sapgw), access from within the same Subnet -resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_gw" { + +# SAP NetWeaver AS Primary Application Server (PAS) Gateway, sapgw process as 33 port, access from within the same Subnet +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_abap_pas_gw" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_sapgui] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_abap_pas_dp_sapgui] group = var.module_var_host_security_group_id direction = "inbound" remote = local.target_vpc_subnet_range 
@@ -33,9 +34,9 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_gw" {
     port_max = tonumber("33${var.module_var_sap_nwas_abap_pas_instance_no}")
   }
 }
-resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_gw" {
+resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_abap_pas_gw" {
   count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0
-  depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_sapgui]
+  depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_abap_pas_dp_sapgui]
   group = var.module_var_host_security_group_id
   direction = "outbound"
   remote = local.target_vpc_subnet_range
@@ -45,23 +46,36 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_gw" { } } -# SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet -resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapfiori" { + +# SAP NetWeaver AS Primary Application Server (PAS) Gateway Secured, sapgws process as 48 port, access from within the same Subnet +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_abap_pas_gw_secure" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_abap_pas_dp_sapgui] group = var.module_var_host_security_group_id direction = "inbound" remote = local.target_vpc_subnet_range tcp { - port_min = tonumber("443${var.module_var_sap_hana_instance_no}") - port_max = tonumber("443${var.module_var_sap_hana_instance_no}") + port_min = tonumber("48${var.module_var_sap_nwas_abap_pas_instance_no}") + port_max = tonumber("48${var.module_var_sap_nwas_abap_pas_instance_no}") + } +} +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_abap_pas_gw_secure" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_abap_pas_dp_sapgui] + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("48${var.module_var_sap_nwas_abap_pas_instance_no}") + port_max = tonumber("48${var.module_var_sap_nwas_abap_pas_instance_no}") } } -# SAP NetWeaver sapctrl HTTP and HTTPS, access from within the same Subnet -resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ctrl" { + +# SAP NetWeaver AS Primary Application Server (PAS) SAP Start Service (i.e. 
SAPControl SOAP Web Service) HTTP and HTTPS, sapctrl and sapctrls processes as 513 and 514 ports, access from within the same Subnet +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_ingress_sapnwas_abap_pas_ctrl" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 - depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapfiori] + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_abap_pas_dp_sapgui] group = var.module_var_host_security_group_id direction = "inbound" remote = local.target_vpc_subnet_range 
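Review bot: The renamed SAPControl rule is `vpc_sg_rule_sap_ingress_sapnwas_abap_pas_ctrl` and its outbound partner in the next hunk is `vpc_sg_rule_sap_egress_sapnwas_abap_pas_ctrl`, while every other rule in this module, the `direction` values themselves, and the Azure PAS file in this same patch use `inbound`/`outbound`. Rename them to `vpc_sg_rule_sap_inbound_sapnwas_abap_pas_ctrl` and `vpc_sg_rule_sap_outbound_sapnwas_abap_pas_ctrl` so the two providers' files line up and grepping for `_inbound_` finds every ingress rule. The `depends_on` on the ctrl rule should then keep pointing at `vpc_sg_rule_sap_inbound_sapnwas_abap_pas_dp_sapgui` as it does now.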
@@ -70,3 +84,39 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_ctrl" { port_max = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}14") } } +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_egress_sapnwas_abap_pas_ctrl" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_abap_pas_dp_sapgui] + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}13") + port_max = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}14") + } +} + + +# SAP NetWeaver AS Primary Application Server (PAS) ICM HTTPS for Web GUI and SAP Fiori Launchpad (HTTPS), icman process as 443, access from within the same Subnet +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_abap_pas_icm" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_abap_pas_dp_sapgui] + group = var.module_var_host_security_group_id + direction = "inbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("443${var.module_var_sap_nwas_abap_pas_instance_no}") + port_max = tonumber("443${var.module_var_sap_nwas_abap_pas_instance_no}") + } +} +resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_outbound_sapnwas_abap_pas_icm" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 + depends_on = [ibm_is_security_group_rule.vpc_sg_rule_sap_inbound_sapnwas_abap_pas_dp_sapgui] + group = var.module_var_host_security_group_id + direction = "outbound" + remote = local.target_vpc_subnet_range + tcp { + port_min = tonumber("443${var.module_var_sap_nwas_abap_pas_instance_no}") + port_max = tonumber("443${var.module_var_sap_nwas_abap_pas_instance_no}") + } +} 
diff --git a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf index d60e489..b9adb52 100644 --- a/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf +++ b/ibmcloud_vs/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf @@ -24,6 +24,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_java_ci_a } } + # SAP NetWeaver AS JAVA Central Instance (CI) Admin Services HTTP server process 0..n, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_java_ci_admin_http" { count = local.network_rules_sap_nwas_java_boolean ? 1 : 0 @@ -36,6 +37,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_java_ci_a } } + # SAP NetWeaver AS JAVA Central Instance (CI) Admin Services SL Controller server process 0..n, access from within the same Subnet resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_sapnwas_java_ci_admin_slcontroller" { count = local.network_rules_sap_nwas_java_boolean ? 1 : 0 diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap_hana.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap_hana.tf index 658d382..93fa132 100644 --- a/msazure_vm/host_network_access_sap/network_security_groups_sap_hana.tf +++ b/msazure_vm/host_network_access_sap/network_security_groups_sap_hana.tf 
@@ -16,12 +16,29 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_icm_h resource_group_name = var.module_var_az_resource_group_name network_security_group_name = var.module_var_host_security_group_name } +resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_icm_https" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + name = "tcp_outbound_saphana_icm_https" + priority = 251 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("43${var.module_var_sap_hana_instance_no}") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} + # SAP HANA ICM HTTP Internal Web Dispatcher, access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_icm_http" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_inbound_saphana_icm_http" - priority = 251 + priority = 252 direction = "Inbound" access = "Allow" protocol = "Tcp" 
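Review bot: Inserting the outbound rules renumbers the existing rules (`priority = 251` → `252` here, and 252→254 through 260→263 in the following hunks of this file); some of the new values are still held by a neighbouring rule of the same direction until that rule is itself updated (inbound `tcp_inbound_saphana_icm_http` moves to 252 while inbound `tcp_inbound_saphana_webdisp` still sits at 252), so Azure may reject the apply with a priority-conflict error depending on the order in which Terraform updates the rule resources in parallel. The Azure ASCS file has the same exposure: the new inbound dispatcher rule takes 201 while the inbound message-server rule only moves from 201 to 203 in a sibling resource with no ordering between them. Leaving gaps between priorities (steps of 10, or a reserved outbound block like the 240s the new hostctrl file uses) avoids renumbering altogether; if the renumbering stays, applying with `-parallelism=1` is the workaround to note in the commit.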
@@ -34,13 +51,29 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_icm_h resource_group_name = var.module_var_az_resource_group_name network_security_group_name = var.module_var_host_security_group_name } +resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_icm_http" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + name = "tcp_outbound_saphana_icm_http" + priority = 253 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("80${var.module_var_sap_hana_instance_no}") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} -# SAP HANA Internal Web Dispatcher, access from within the same Subnet +# SAP HANA Internal Web Dispatcher, webdispatcher process, access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_webdisp" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_inbound_saphana_webdisp" - priority = 252 + priority = 254 direction = "Inbound" access = "Allow" protocol = "Tcp" 
@@ -53,12 +86,29 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_webdi resource_group_name = var.module_var_az_resource_group_name network_security_group_name = var.module_var_host_security_group_name } +resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_webdisp" { + count = local.network_rules_sap_hana_boolean ? 1 : 0 + name = "tcp_outbound_saphana_webdisp" + priority = 255 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("3${var.module_var_sap_hana_instance_no}06") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} + # SAP HANA indexserver MDC System Tenant SYSDB, access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index_mdc_sysdb" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_inbound_saphana_index_mdc_sysdb" - priority = 253 + priority = 256 direction = "Inbound" access = "Allow" protocol = "Tcp" @@ -74,7 +124,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_index_mdc_sysdb" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_outbound_saphana_index_mdc_sysdb" - priority = 254 + priority = 257 direction = "Outbound" access = "Allow" protocol = "Tcp" 
@@ -88,11 +138,12 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_inde network_security_group_name = var.module_var_host_security_group_name } + # SAP HANA indexserver MDC Tenant #1, access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index_mdc_1" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_inbound_saphana_index_mdc_1" - priority = 255 + priority = 258 direction = "Inbound" access = "Allow" protocol = "Tcp" @@ -108,7 +159,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_index resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_index_mdc_1" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_outbound_saphana_index_mdc_1" - priority = 256 + priority = 259 direction = "Outbound" access = "Allow" protocol = "Tcp" @@ -122,11 +173,12 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_inde network_security_group_name = var.module_var_host_security_group_name } + # SAP HANA for SOAP over HTTP for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_startsrv_http_soap" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_inbound_saphana_startsrv_http_soap" - priority = 257 + priority = 260 direction = "Inbound" access = "Allow" protocol = "Tcp" @@ -142,7 +194,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_start resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_startsrv_http_soap" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_outbound_saphana_startsrv_http_soap" - priority = 258 + priority = 261 direction = "Outbound" access = "Allow" protocol = "Tcp" 
@@ -156,11 +208,12 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_star network_security_group_name = var.module_var_host_security_group_name } + # SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_startsrv_https_soap" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_inbound_saphana_startsrv_https_soap" - priority = 259 + priority = 262 direction = "Inbound" access = "Allow" protocol = "Tcp" @@ -176,7 +229,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_start resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_startsrv_https_soap" { count = local.network_rules_sap_hana_boolean ? 1 : 0 name = "tcp_outbound_saphana_startsrv_https_soap" - priority = 260 + priority = 263 direction = "Outbound" access = "Allow" protocol = "Tcp" diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap_hostctrl.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap_hostctrl.tf new file mode 100644 index 0000000..9e3b531 --- /dev/null +++ b/msazure_vm/host_network_access_sap/network_security_groups_sap_hostctrl.tf 
@@ -0,0 +1,65 @@
+
+# SAP Host Agent with SOAP over HTTP, saphostctrl process as 1128 port, access from within the same Subnet
+resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphostctrl_http_soap" {
+  name = "tcp_inbound_saphostctrl_http_soap"
+  priority = 240
+  direction = "Inbound"
+  access = "Allow"
+  protocol = "Tcp"
+
+  source_port_range = "*"
+  source_address_prefix = local.target_vnet_subnet_range
+  destination_port_range = 1128
+  destination_address_prefix = local.target_vnet_subnet_range
+
+  resource_group_name = var.module_var_az_resource_group_name
+  network_security_group_name = var.module_var_host_security_group_name
+}
+resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphostctrl_http_soap" {
+  name = "tcp_outbound_saphostctrl_http_soap"
+  priority = 241
+  direction = "Outbound"
+  access = "Allow"
+  protocol = "Tcp"
+
+  source_port_range = "*"
+  source_address_prefix = local.target_vnet_subnet_range
+  destination_port_range = 1128
+  destination_address_prefix = local.target_vnet_subnet_range
+
+  resource_group_name = var.module_var_az_resource_group_name
+  network_security_group_name = var.module_var_host_security_group_name
+}
+
+
+# SAP Host Agent with SOAP over HTTPS, saphostctrls process as 1129 port, access from within the same Subnet
+resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphostctrl_https_soap" {
+  name = "tcp_inbound_saphostctrl_https_soap"
+  priority = 242
+  direction = "Inbound"
+  access = "Allow"
+  protocol = "Tcp"
+
+  source_port_range = "*"
+  source_address_prefix = local.target_vnet_subnet_range
+  destination_port_range = 1129
+  destination_address_prefix = local.target_vnet_subnet_range
+
+  resource_group_name = var.module_var_az_resource_group_name
+  network_security_group_name = var.module_var_host_security_group_name
+}
+resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphostctrl_httsp_soap" {
+  name = "tcp_outbound_saphostctrl_https_soap"
+  priority = 243
+  direction = "Outbound"
+  access = "Allow"
+  protocol = "Tcp"
+
+  source_port_range = "*"
+  source_address_prefix = local.target_vnet_subnet_range
+  destination_port_range = 1129
+  destination_address_prefix = local.target_vnet_subnet_range
+
+  resource_group_name = var.module_var_az_resource_group_name
+  network_security_group_name = var.module_var_host_security_group_name
+}
diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
index 4c86b55..b7df515 100644
--- a/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
+++ b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf
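Review bot: The fourth resource label is `vnet_sg_rule_tcp_outbound_saphostctrl_httsp_soap` — `httsp` is a typo, and its own `name` attribute already spells it `tcp_outbound_saphostctrl_https_soap`; change the label to `vnet_sg_rule_tcp_outbound_saphostctrl_https_soap` now, before any `depends_on` elsewhere references the misspelt address and a later correction forces a state move. The four rules here are also the only ones in the Azure module without a `count` gate, mirroring the IBM Cloud hostctrl file in this patch, so whatever intent is recorded there should be recorded here too.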
@@ -1,13 +1,48 @@ -# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), access from within the same Subnet -resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_ms" { +# SAP NetWeaver AS ABAP Central Services (ASCS) Dispatcher, sapdp process as 32 port, access from within the same Subnet +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_abap_ascs_dp" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 - name = "tcp_inbound_sapnwas_ascs_ms" + name = "tcp_inbound_sapnwas_abap_abap_ascs_dp" priority = 201 direction = "Inbound" access = "Allow" protocol = "Tcp" + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("32${var.module_var_sap_nwas_abap_ascs_instance_no}") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_abap_ascs_dp" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + name = "tcp_outbound_sapnwas_abap_abap_ascs_dp" + priority = 202 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("32${var.module_var_sap_nwas_abap_ascs_instance_no}") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} + + +# SAP NetWeaver AS ABAP Central Services (ASCS) Message Server (MS), sapms process as 36 port, access from within the same Subnet +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_ms" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 
1 : 0 + name = "tcp_inbound_sapnwas_abap_ascs_ms" + priority = 203 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" source_address_prefix = local.target_vnet_subnet_range destination_port_range = tonumber("36${var.module_var_sap_nwas_abap_ascs_instance_no}") @@ -18,8 +53,8 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_ } resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_ascs_ms" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 - name = "tcp_outbound_sapnwas_ascs_ms" - priority = 202 + name = "tcp_outbound_sapnwas_abap_ascs_ms" + priority = 204 direction = "Outbound" access = "Allow" protocol = "Tcp" @@ -33,11 +68,12 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_ascs network_security_group_name = var.module_var_host_security_group_name } -# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), access from within the same Subnet -resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_en" { + +# SAP NetWeaver AS ABAP Central Services (ASCS) Enqueue Server (EN), sapdp process as 39 port, access from within the same Subnet +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_abap_ascs_en" { count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 - name = "tcp_inbound_sapnwas_ascs_en" - priority = 203 + name = "tcp_inbound_sapnwas_abap_ascs_en" + priority = 205 direction = "Inbound" access = "Allow" protocol = "Tcp" 
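Review bot: Both new dispatcher rules set `name = "tcp_inbound_sapnwas_abap_abap_ascs_dp"` and `name = "tcp_outbound_sapnwas_abap_abap_ascs_dp"` with a doubled `abap_`, unlike the renamed message-server and enqueue names in the same hunks (`tcp_inbound_sapnwas_abap_ascs_ms`, `tcp_inbound_sapnwas_abap_ascs_en`). The Azure rule `name` is what operators see in the portal and in flow logs, and changing it later recreates the rule, so correct it to `tcp_inbound_sapnwas_abap_ascs_dp` / `tcp_outbound_sapnwas_abap_ascs_dp` in this commit.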
@@ -50,10 +86,10 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ascs_
   resource_group_name = var.module_var_az_resource_group_name
   network_security_group_name = var.module_var_host_security_group_name
 }
-resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_ascs_en" {
+resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_abap_ascs_en" {
   count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0
-  name = "tcp_outbound_sapnwas_ascs_en"
-  priority = 204
+  name = "tcp_outbound_sapnwas_abap_ascs_en"
+  priority = 206
   direction = "Outbound"
   access = "Allow"
   protocol = "Tcp"
@@ -66,3 +102,38 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_ascs resource_group_name = var.module_var_az_resource_group_name network_security_group_name = var.module_var_host_security_group_name } + + +# SAP NetWeaver AS ABAP Central Services (ASCS) SAP Start Service (i.e. SAPControl SOAP Web Service) HTTP and HTTPS, sapctrl and sapctrls processes as 513 and 514 ports, access from within the same Subnet +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_abap_ascs_ctrl" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + name = "tcp_inbound_sapnwas_abap_ascs_ctrl" + priority = 207 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = ["5${var.module_var_sap_nwas_abap_ascs_instance_no}13-5${var.module_var_sap_nwas_abap_ascs_instance_no}14"] + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_abap_ascs_ctrl" { + count = local.network_rules_sap_nwas_abap_ascs_boolean ? 1 : 0 + name = "tcp_outbound_sapnwas_abap_ascs_ctrl" + priority = 208 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = ["5${var.module_var_sap_nwas_abap_ascs_instance_no}13-5${var.module_var_sap_nwas_abap_ascs_instance_no}14"] + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} 
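Review bot: `destination_port_range = ["5${var.module_var_sap_nwas_abap_ascs_instance_no}13-5${var.module_var_sap_nwas_abap_ascs_instance_no}14"]` assigns a one-element list to an attribute that `azurerm_network_security_rule` declares as a string, and Terraform does not convert a tuple to a string, so the plan should fail on both new ctrl rules in this hunk. Either drop the brackets, `destination_port_range = "5${var.module_var_sap_nwas_abap_ascs_instance_no}13-5${var.module_var_sap_nwas_abap_ascs_instance_no}14"`, which the provider accepts as a port range, or switch to the plural `destination_port_ranges` attribute that takes a list. The PAS ctrl rules in the last file of this patch carry the same list-in-string value; the IBM Cloud equivalents use `port_min`/`port_max` and are unaffected.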
diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf index 2178981..f55b939 100644 --- a/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf +++ b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf @@ -1,9 +1,9 @@ -# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher (sapdp), for SAP GUI, access from within the same Subnet -resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_sapgui" { +# SAP NetWeaver AS Primary Application Server (PAS) Dispatcher, sapdp process as 32 port, for SAP GUI, access from within the same Subnet +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_abap_pas_dp_sapgui" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 - name = "tcp_inbound_sapnwas_sapgui" - priority = 205 + name = "tcp_inbound_sapnwas_abap_pas_dp_sapgui" + priority = 220 direction = "Inbound" access = "Allow" protocol = "Tcp" @@ -16,10 +16,10 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_sapgu resource_group_name = var.module_var_az_resource_group_name network_security_group_name = var.module_var_host_security_group_name } -resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_sapgui" { +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_abap_pas_dp_sapgui" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 - name = "tcp_outbound_sapnwas_sapgui" - priority = 206 + name = "tcp_outbound_sapnwas_abap_pas_dp_sapgui" + priority = 221 direction = "Outbound" access = "Allow" protocol = "Tcp" 
@@ -33,11 +33,12 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_sapg network_security_group_name = var.module_var_host_security_group_name } -# SAP NetWeaver AS Primary Application Server (PAS) Gateway (sapgw), access from within the same Subnet -resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_gw" { + +# SAP NetWeaver AS Primary Application Server (PAS) Gateway, sapgw process as 33 port, access from within the same Subnet +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_abap_pas_gw" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 - name = "tcp_inbound_sapnwas_gw" - priority = 207 + name = "tcp_inbound_sapnwas_abap_pas_gw" + priority = 222 direction = "Inbound" access = "Allow" protocol = "Tcp" @@ -50,10 +51,10 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_gw" { resource_group_name = var.module_var_az_resource_group_name network_security_group_name = var.module_var_host_security_group_name } -resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_gw" { +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_abap_pas_gw" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 - name = "tcp_outbound_sapnwas_gw" - priority = 208 + name = "tcp_outbound_sapnwas_abap_pas_gw" + priority = 223 direction = "Outbound" access = "Allow" protocol = "Tcp" 
@@ -68,36 +69,104 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_gw" } -# SAP Web GUI and SAP Fiori Launchpad (HTTPS), access from within the same Subnet -resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapfiori" { +# SAP NetWeaver AS Primary Application Server (PAS) Gateway Secured, sapgws process as 48 port, access from within the same Subnet +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_abap_pas_gw_secure" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 + name = "tcp_inbound_sapnwas_abap_pas_gw_secure" + priority = 224 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("48${var.module_var_sap_nwas_abap_pas_instance_no}") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_abap_pas_gw_secure" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 + name = "tcp_outbound_sapnwas_abap_pas_gw_secure" + priority = 225 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("48${var.module_var_sap_nwas_abap_pas_instance_no}") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} + + +# SAP NetWeaver AS Primary Application Server (PAS) SAP Start Service (i.e. 
SAPControl SOAP Web Service) HTTP and HTTPS, sapctrl and sapctrls processes as 513 and 514 ports, access from within the same Subnet +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_abap_pas_ctrl" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 - name = "tcp_inbound_sapfiori" - priority = 209 + name = "tcp_inbound_sapnwas_abap_pas_ctrl" + priority = 226 direction = "Inbound" access = "Allow" protocol = "Tcp" source_port_range = "*" source_address_prefix = local.target_vnet_subnet_range - destination_port_range = tonumber("443${var.module_var_sap_hana_instance_no}") + destination_port_range = ["5${var.module_var_sap_nwas_abap_pas_instance_no}13-5${var.module_var_sap_nwas_abap_pas_instance_no}14"] + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_abap_pas_ctrl" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 
1 : 0 + name = "tcp_outbound_sapnwas_abap_pas_ctrl" + priority = 227 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = ["5${var.module_var_sap_nwas_abap_pas_instance_no}13-5${var.module_var_sap_nwas_abap_pas_instance_no}14"] destination_address_prefix = local.target_vnet_subnet_range resource_group_name = var.module_var_az_resource_group_name network_security_group_name = var.module_var_host_security_group_name } -# SAP NetWeaver sapctrl HTTP and HTTPS, access from within the same Subnet -resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_ctrl" { + +# SAP NetWeaver AS Primary Application Server (PAS) ICM HTTPS for Web GUI and SAP Fiori Launchpad (HTTPS), icman process as 443, access from within the same Subnet +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_abap_pas_icm" { count = local.network_rules_sap_nwas_abap_pas_boolean ? 1 : 0 - name = "tcp_inbound_sapnwas_ctrl" - priority = 210 + name = "tcp_inbound_sapnwas_abap_pas_icm" + priority = 228 direction = "Inbound" access = "Allow" protocol = "Tcp" source_port_range = "*" source_address_prefix = local.target_vnet_subnet_range - destination_port_range = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}13") + destination_port_range = tonumber("443${var.module_var_sap_nwas_abap_pas_instance_no}") + destination_address_prefix = local.target_vnet_subnet_range + + resource_group_name = var.module_var_az_resource_group_name + network_security_group_name = var.module_var_host_security_group_name +} +resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound__sapnwas_abap_pas_icm" { + count = local.network_rules_sap_nwas_abap_pas_boolean ? 
1 : 0 + name = "tcp_outbound_sapnwas_abap_pas_icm" + priority = 229 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + source_address_prefix = local.target_vnet_subnet_range + destination_port_range = tonumber("443${var.module_var_sap_nwas_abap_pas_instance_no}") destination_address_prefix = local.target_vnet_subnet_range resource_group_name = var.module_var_az_resource_group_name diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf index 0b4ee96..55b6133 100644 --- a/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf +++ b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_java_ci.tf @@ -17,6 +17,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ network_security_group_name = var.module_var_host_security_group_name } + # SAP NetWeaver AS JAVA Central Instance (CI) Access server process 0..n, access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ci_access" { count = local.network_rules_sap_nwas_java_boolean ? 1 : 0 @@ -35,6 +36,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ network_security_group_name = var.module_var_host_security_group_name } + # SAP NetWeaver AS JAVA Central Instance (CI) Admin Services HTTP server process 0..n, access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ci_admin_http" { count = local.network_rules_sap_nwas_java_boolean ? 1 : 0 
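Review bot: The new `vnet_sg_rule_sap_inbound_sapnwas_abap_pas_ctrl` rule opens `5NN13-5NN14` to the whole subnet, and the comment above it identifies 5NN13 as the plain-HTTP SAPControl port, so the cleartext sapcontrol interface is reachable from every host in the subnet alongside the HTTPS one. If the automation only needs the HTTPS endpoint, narrow the rule to `destination_port_range = tonumber("5${var.module_var_sap_nwas_abap_pas_instance_no}14")` in the style of the sibling rules; if the HTTP port is genuinely required, a comment such as `# 5NN13 is cleartext HTTP; required for <reason>` should say why. Separately, the outbound ICM resource is named `vnet_sg_rule_sap_outbound__sapnwas_abap_pas_icm` with a doubled underscore, unlike every sibling; renaming it later changes the state address and forces a destroy/recreate of the rule, so it is cheaper to correct before this is applied anywhere.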
@@ -53,11 +55,12 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ network_security_group_name = var.module_var_host_security_group_name } + # SAP NetWeaver AS JAVA Central Instance (CI) Admin Services SL Controller server process 0..n, access from within the same Subnet resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_java_ci_admin_slcontroller" { count = local.network_rules_sap_nwas_java_boolean ? 1 : 0 name = "tcp_inbound_sapnwas_java_ci_admin_slcontroller" - priority = 403 + priority = 404 direction = "Outbound" access = "Allow" protocol = "Tcp" From e97f33e701d2a5c8dc02acba4995ca8a551561ea Mon Sep 17 00:00:00 2001 From: sean-freeman Date: Sat, 21 Jan 2023 14:41:46 +0000 Subject: [PATCH 13/18] fix: wrong azure firewall param --- .../network_security_groups_sap_nwas_abap_ascs.tf | 4 ++-- .../network_security_groups_sap_nwas_abap_pas.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf index b7df515..c3bd2bc 100644 --- a/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf +++ b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_ascs.tf @@ -115,7 +115,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_abap_ source_port_range = "*" source_address_prefix = local.target_vnet_subnet_range - destination_port_range = ["5${var.module_var_sap_nwas_abap_ascs_instance_no}13-5${var.module_var_sap_nwas_abap_ascs_instance_no}14"] + destination_port_ranges = ["5${var.module_var_sap_nwas_abap_ascs_instance_no}13-5${var.module_var_sap_nwas_abap_ascs_instance_no}14"] destination_address_prefix = local.target_vnet_subnet_range resource_group_name = var.module_var_az_resource_group_name 
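Review bot: The rule whose priority this hunk bumps to 404 is named `tcp_inbound_sapnwas_java_ci_admin_slcontroller` (and its resource address also says `inbound`), yet the context line reads `direction = "Outbound"`, so as written it grants no inbound access to the SL Controller port and instead adds an egress allow. If the intent is to let hosts in the subnet reach the SL Controller, the line should be `direction = "Inbound"`; if an outbound rule is really what is wanted, the name and resource address should say so, since the other files in this series pair every inbound rule with a separately named outbound one. The resource body continues past the end of the hunk, so the port expression it uses is not visible here.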
@@ -131,7 +131,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_abap source_port_range = "*" source_address_prefix = local.target_vnet_subnet_range - destination_port_range = ["5${var.module_var_sap_nwas_abap_ascs_instance_no}13-5${var.module_var_sap_nwas_abap_ascs_instance_no}14"] + destination_port_ranges = ["5${var.module_var_sap_nwas_abap_ascs_instance_no}13-5${var.module_var_sap_nwas_abap_ascs_instance_no}14"] destination_address_prefix = local.target_vnet_subnet_range resource_group_name = var.module_var_az_resource_group_name diff --git a/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf index f55b939..9d5a685 100644 --- a/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf +++ b/msazure_vm/host_network_access_sap/network_security_groups_sap_nwas_abap_pas.tf @@ -115,7 +115,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_inbound_sapnwas_abap_ source_port_range = "*" source_address_prefix = local.target_vnet_subnet_range - destination_port_range = ["5${var.module_var_sap_nwas_abap_pas_instance_no}13-5${var.module_var_sap_nwas_abap_pas_instance_no}14"] + destination_port_ranges = ["5${var.module_var_sap_nwas_abap_pas_instance_no}13-5${var.module_var_sap_nwas_abap_pas_instance_no}14"] destination_address_prefix = local.target_vnet_subnet_range resource_group_name = var.module_var_az_resource_group_name 
@@ -131,7 +131,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_sap_outbound_sapnwas_abap source_port_range = "*" source_address_prefix = local.target_vnet_subnet_range - destination_port_range = ["5${var.module_var_sap_nwas_abap_pas_instance_no}13-5${var.module_var_sap_nwas_abap_pas_instance_no}14"] + destination_port_ranges = ["5${var.module_var_sap_nwas_abap_pas_instance_no}13-5${var.module_var_sap_nwas_abap_pas_instance_no}14"] destination_address_prefix = local.target_vnet_subnet_range resource_group_name = var.module_var_az_resource_group_name From 614ae35bea1dfeb1bdb6438110d92211e74793fa Mon Sep 17 00:00:00 2001 From: sean-freeman Date: Wed, 25 Jan 2023 12:38:55 +0000 Subject: [PATCH 14/18] fix: rename dirs --- {ovirt_rhv => ovirt_kvm_vm}/.gitkeep | 0 {vmware => vmware_vm}/.gitkeep | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {ovirt_rhv => ovirt_kvm_vm}/.gitkeep (100%) rename {vmware => vmware_vm}/.gitkeep (100%) diff --git a/ovirt_rhv/.gitkeep b/ovirt_kvm_vm/.gitkeep similarity index 100% rename from ovirt_rhv/.gitkeep rename to ovirt_kvm_vm/.gitkeep diff --git a/vmware/.gitkeep b/vmware_vm/.gitkeep similarity index 100% rename from vmware/.gitkeep rename to vmware_vm/.gitkeep From e65be9cda314835803736a4adca7f3a947d3d7c4 Mon Sep 17 00:00:00 2001 
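Review bot: Switching to `destination_port_ranges` fixes the attribute type, but the range is still built by string concatenation around `var.module_var_sap_nwas_abap_pas_instance_no` with nothing enforcing that the value is two digits; an empty or single-digit value would yield `513-514` or `5113-5114` and quietly open the wrong ports rather than fail. The `count` guard on `local.network_rules_sap_nwas_abap_pas_boolean` presumably skips the rule when the number is unset, but that local is not visible here and it would not catch a malformed value. I would add a `validation` block to the variable (declared outside this hunk) with `condition = var.module_var_sap_nwas_abap_pas_instance_no == "" || can(regex("^[0-9]{2}$", var.module_var_sap_nwas_abap_pas_instance_no))` and `error_message = "SAP instance number must be exactly two digits."`, and the same for the ASCS variable used by the hunks earlier in this patch.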
From: sean-freeman Date: Wed, 25 Jan 2023 12:43:59 +0000 Subject: [PATCH 15/18] feat: initial vmware vm tf modules --- .../tf_mod_vmware_vm_host_provision.md | 42 ++ vmware_vm/.gitkeep | 0 vmware_vm/host_bootstrap/module_outputs.tf | 8 + vmware_vm/host_bootstrap/module_versions.tf | 5 + vmware_vm/host_bootstrap/ssh_keys.tf | 5 + vmware_vm/host_provision/build_execution.tf | 47 ++ .../host_provision/build_filesystem_setup.tf | 575 ++++++++++++++++++ vmware_vm/host_provision/build_os_prepare.tf | 58 ++ .../host_provision/build_os_subscriptions.tf | 80 +++ .../build_web_proxy_noninteractive.tf | 52 ++ .../cloudinit_config_metadata.yml | 9 + .../cloudinit_config_userdata.yml | 51 ++ vmware_vm/host_provision/data_sddc.tf | 40 ++ vmware_vm/host_provision/host.tf | 176 ++++++ vmware_vm/host_provision/host_storage.tf | 154 +++++ vmware_vm/host_provision/module_outputs.tf | 8 + vmware_vm/host_provision/module_variables.tf | 182 ++++++ vmware_vm/host_provision/module_versions.tf | 26 + 18 files changed, 1518 insertions(+) create mode 100644 docs/tf_modules/tf_mod_vmware_vm_host_provision.md delete mode 100644 vmware_vm/.gitkeep create mode 100644 vmware_vm/host_bootstrap/module_outputs.tf create mode 100644 vmware_vm/host_bootstrap/module_versions.tf create mode 100644 vmware_vm/host_bootstrap/ssh_keys.tf create mode 100644 vmware_vm/host_provision/build_execution.tf create mode 100644 vmware_vm/host_provision/build_filesystem_setup.tf create mode 100644 vmware_vm/host_provision/build_os_prepare.tf create mode 100644 vmware_vm/host_provision/build_os_subscriptions.tf create mode 100644 vmware_vm/host_provision/build_web_proxy_noninteractive.tf create mode 100644 vmware_vm/host_provision/cloudinit_config_metadata.yml create mode 100644 vmware_vm/host_provision/cloudinit_config_userdata.yml create mode 100644 vmware_vm/host_provision/data_sddc.tf create mode 100644 vmware_vm/host_provision/host.tf create mode 100644 vmware_vm/host_provision/host_storage.tf create mode 100644 
vmware_vm/host_provision/module_outputs.tf create mode 100644 vmware_vm/host_provision/module_variables.tf create mode 100644 vmware_vm/host_provision/module_versions.tf diff --git a/docs/tf_modules/tf_mod_vmware_vm_host_provision.md b/docs/tf_modules/tf_mod_vmware_vm_host_provision.md new file mode 100644 index 0000000..9993c1e --- /dev/null +++ b/docs/tf_modules/tf_mod_vmware_vm_host_provision.md 
@@ -0,0 +1,42 @@ +# Terraform Module - VMware Virtual Machine + +## VMware VM Template setup + +- **OS Image with cloud-init installed** + - Edit the default cloud-init configuration file, found at `/etc/cloud`. It must contain the data source for VMware (and not OVF), and force use of cloud-init metadata and userdata files. + ``` + disable_vmware_customization: true + datasource: + VMware: + allow_raw_data: true + vmware_cust_file_max_wait: 10 # seconds + ``` + - Prior to VM shutdown and marking as a VMware VM Template, run command `vmware-toolbox-cmd config set deployPkg enable-custom-scripts true` + - Prior to VM shutdown and marking as a VMware VM Template, run command `sudo cloud-init clean --seed --logs --machine-id` to remove cloud-init logs, remove cloud-init seed directory /var/lib/cloud/seed , and remove /etc/machine-id. If using cloud-init versions prior to 22.3.0 then do not use `--machine-id` parameter + - Once VM is shutdown, then run 'Convert to VM Template' + - Debug by checking `grep userdata /var/log/vmware-imc/toolsDeployPkg.log` and `/var/log/cloud-init.log` + - See documentation for further information: + - VMware KB 59557 - How to switch vSphere Guest OS Customization engine for Linux virtual machine (https://kb.vmware.com/s/article/59557) + - VMware KB 74880 - Setting the customization script for virtual machines in vSphere 7.x and 8.x (https://kb.vmware.com/s/article/74880) + - cloud-init documentation - Reference - Datasources - VMware (https://cloudinit.readthedocs.io/en/latest/reference/datasources/vmware.html) + + +## VMware vCenter and vSphere clusters with VMware NSX virtualized network overlays + +For VMware vCenter and vSphere clusters with VMware NSX virtualized network overlays using Segments (e.g. 192.168.0.0/16) connected to Tier-0/Tier-1 Gateways (which are bound to the backbone network subnet, e.g. 
10.0.0.0/8), the following are required: + +- **CRITICAL: Routable access from host executing Terraform Template for SAP (and thereby Ansible subsequently triggered by the Terraform Template)**. For example, if the Terraform Template for SAP is executed on a macOS laptop running a VPN with connectivity to the VMware vCenter - then the VPN must also have access to the provisioned Subnet, otherwise initialised SSH connections to the VMware VM from Terraform and Ansible will not be successful. + - It is recommended to investigate proper DNAT configuration for any VMware NSX Segments (this could be automated using Terraform Provider for VMware NSX-T, i.e. https://registry.terraform.io/providers/vmware/nsxt/latest/docs/resources/policy_nat_rule). +- **DHCP Server** must be created (e.g. NSX > Networking > Networking Profiles > DHCP Profile), set in the Gateway (e.g. NSX > Networking > Gateway > Edit > DHCP Config > ), then set for the Subnet (e.g. NSX > Networking > Segment > <> > Set DHCP Config) which the VMware VM Template is attached to; this allows subsequent cloned VMs to obtain an IPv4 Address +- **Internet Access**: Option 1 - Configured SNAT (e.g. rule added on NSX Gateway) set for the Subnet which the VMware VM Template is attached to; this allows Public Internet access. Option 2 - Web Proxy. +- **DNS Server (Private)** is recommended to assist custom/private root domain resolution (e.g. poc.cloud) + + +## VMware vCenter and vSphere clusters with direct network subnet IP allocation + +For VMware vCenter and vSphere clusters with direct network subnet IP allocations to the VMXNet network adapter (no VMware NSX network overlays), the following are required: + +- **CRITICAL: Routable access from host executing Terraform Template for SAP (and thereby Ansible subsequently triggered by the Terraform Template)**. 
For example, if the Terraform Template for SAP is executed on a macOS laptop running a VPN with connectivity to the VMware vCenter - then the VPN must also have access to the provisioned Subnet, otherwise initialised SSH connections to the VMware VM from Terraform and Ansible will not be successful.
+- **DHCP Server** must be created (e.g. NSX > Networking > Networking Profiles > DHCP Profile), set in the Gateway (e.g. NSX > Networking > Gateway > Edit > DHCP Config > ), then set for the Subnet (e.g. NSX > Networking > Segment > <> > Set DHCP Config) which the VMware VM Template is attached to; this allows subsequent cloned VMs to obtain an IPv4 Address
+- **Internet Access**: Option 1 - Configured SNAT (e.g. rule added on NSX Gateway) set for the Subnet which the VMware VM Template is attached to; this allows Public Internet access. Option 2 - Web Proxy.
+- **DNS Server (Private)** is recommended to assist custom/private root domain resolution (e.g. poc.cloud)
diff --git a/vmware_vm/.gitkeep b/vmware_vm/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/vmware_vm/host_bootstrap/module_outputs.tf b/vmware_vm/host_bootstrap/module_outputs.tf
new file mode 100644
index 0000000..b1b30b9
--- /dev/null
+++ b/vmware_vm/host_bootstrap/module_outputs.tf
@@ -0,0 +1,8 @@
+
+output "output_host_public_ssh_key" {
+ value = tls_private_key.host_ssh.public_key_openssh
+}
+
+output "output_host_private_ssh_key" {
+ value = tls_private_key.host_ssh.private_key_pem
+}
diff --git a/vmware_vm/host_bootstrap/module_versions.tf b/vmware_vm/host_bootstrap/module_versions.tf
new file mode 100644
index 0000000..5828053
--- /dev/null
+++ b/vmware_vm/host_bootstrap/module_versions.tf
@@ -0,0 +1,5 @@
+
+# Terraform declaration
+terraform {
+ required_version = ">= 1.0"
+}
diff --git a/vmware_vm/host_bootstrap/ssh_keys.tf b/vmware_vm/host_bootstrap/ssh_keys.tf
new file mode 100644
index 0000000..781b92c
--- /dev/null
+++ b/vmware_vm/host_bootstrap/ssh_keys.tf
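Review bot: `output_host_private_ssh_key` exposes `tls_private_key.host_ssh.private_key_pem` without `sensitive = true`, so the root SSH private key for the host is printed in clear text in `terraform apply` output and in any CI log that captures it. Add `sensitive = true` inside that output block; since `module_versions.tf` in this same patch pins `required_version = ">= 1.0"`, and Terraform from 0.15 refuses an unmarked output that references a provider-sensitive attribute (which `private_key_pem` is), this is likely a plan-time failure as well as a leak. Bear in mind the flag only suppresses display — the key still sits unencrypted in the state file, so the state backend needs encryption and access control regardless.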
@@ -0,0 +1,5 @@
+
+# Create private SSH key for ssh connection
+resource "tls_private_key" "host_ssh" {
+ algorithm = "RSA"
+}
diff --git a/vmware_vm/host_provision/build_execution.tf b/vmware_vm/host_provision/build_execution.tf
new file mode 100644
index 0000000..d45c74e
--- /dev/null
+++ b/vmware_vm/host_provision/build_execution.tf
@@ -0,0 +1,47 @@
+
+# Execute all scripts pushed to target
+
+resource "null_resource" "execute_os_scripts" {
+
+ depends_on = [
+ vsphere_virtual_disk.virtual_disk_hana_data,
+ vsphere_virtual_disk.virtual_disk_hana_log,
+ vsphere_virtual_disk.virtual_disk_hana_shared,
+ vsphere_virtual_disk.virtual_disk_anydb,
+ vsphere_virtual_disk.virtual_disk_usr_sap,
+ vsphere_virtual_disk.virtual_disk_sapmnt,
+ vsphere_virtual_disk.virtual_disk_swap,
+ vsphere_virtual_disk.virtual_disk_software,
+ null_resource.build_script_fs_init,
+ null_resource.build_script_os_prepare,
+ null_resource.os_subscription_files,
+ vsphere_virtual_machine.host_provision
+ ]
+
+ connection {
+ type = "ssh"
+ user = "root"
+ host = vsphere_virtual_machine.host_provision.default_ip_address
+ private_key = var.module_var_host_private_ssh_key
+ timeout = "30s"
+
+ # Required when using RHEL 8.x because /tmp is set with noexec
+ # Path must already exist and must not use Bash shell special variable, e.g. cannot use $HOME/terraform/tmp/
+ # https://www.terraform.io/language/resources/provisioners/connection#executing-scripts-using-ssh-scp
+ script_path = "/root/terraform_tmp_remote_exec_inline.sh"
+ }
+
+ # Execute, including all files provisioned by Terraform into $HOME
+ provisioner "remote-exec" {
+ inline = [
+ "echo 'Show HOME directory for reference Shell scripts were transferred'",
+ "ls -lha $HOME",
+ "chmod +x $HOME/terraform_*",
+ "$HOME/terraform_os_prep.sh",
+ "$HOME/terraform_web_proxy_noninteractive.sh",
+ "$HOME/terraform_os_subscriptions.sh",
+ "$HOME/terraform_fs_init.sh"
+ ]
+ }
+
+}
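Review bot: `tls_private_key.host_ssh` sets `algorithm = "RSA"` with no `rsa_bits`, so the key length is whatever the provider default happens to be rather than a value this module controls and can audit. Pin it explicitly, `rsa_bits = 4096`, or use `algorithm = "ED25519"` if the target OS images accept it. A comment above the resource noting that the private key is persisted in Terraform state and exported by `module_outputs.tf`, so the state backend must be treated as a secret store, would save the next reader from rediscovering it.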
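Review bot: The `connection` block logs in as `root` to `vsphere_virtual_machine.host_provision.default_ip_address` with the module's private key but sets no `host_key`, so the SSH host identity is never verified and whatever answers at that DHCP-assigned address first is handed the root session and the subsequent script execution. If the host key can be obtained out of band (for instance surfaced by cloud-init on the template and read back through the vSphere provider), add a `host_key` attribute fed from a module variable; if it cannot, a comment such as `# NOTE: SSH host key is not verified; relies on the provisioning subnet being isolated` makes the accepted risk explicit instead of implicit. This is the same connection shape used by `build_script_fs_init` in the next file, so whichever choice is made should be applied consistently.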
diff --git a/vmware_vm/host_provision/build_filesystem_setup.tf b/vmware_vm/host_provision/build_filesystem_setup.tf new file mode 100644 index 0000000..f1d433d --- /dev/null +++ b/vmware_vm/host_provision/build_filesystem_setup.tf 
@@ -0,0 +1,575 @@ + +resource "null_resource" "build_script_fs_init" { + + depends_on = [ + vsphere_virtual_machine.host_provision + ] + + # Specify the ssh connection + connection { + type = "ssh" + user = "root" + host = vsphere_virtual_machine.host_provision.default_ip_address + private_key = var.module_var_host_private_ssh_key + timeout = "30s" + } + + # Path must already exist and must not use Bash shell special variable, e.g. cannot use $HOME/file.sh + # "By default, OpenSSH's scp implementation runs in the remote user's home directory and so you can specify a relative path to upload into that home directory" + # https://www.terraform.io/language/resources/provisioners/file#destination-paths + provisioner "file" { + destination = "terraform_fs_init.sh" + content = <1 && $2 = "") print "/dev/"$1; else print $0}') + physical_disks_list_with_megabytes=$(lsblk --nodeps --bytes --noheadings -io KNAME,SIZE | awk 'BEGIN{OFS="\t"} {if (FNR>1) print $1,$2/1024/1024; else print $0}') + physical_disks_list_with_gigabytes=$(lsblk --nodeps --bytes --noheadings -io KNAME,SIZE | awk 'BEGIN{OFS="\t"} {if (FNR>1) print $1,$2/1024/1024/1024; else print $0}') + echo "$physical_disks_list_with_gigabytes" > $HOME/physical_disks_list_with_gigabytes.txt + + + #### + # Create LVM Physical Volumes + # + # This initialises the whole Disk or a Disk Partition as LVM Physical Volumes for use as part of LVM Logical Volumes + # + # First physical extent begins at 1MB which is defined by default_data_alignment in lvm.conf and this can be overriden by --dataalignment. + # Default 1MB offset from disk start before first LVM PV Physical Extent is used, + # and an additional offset after can be set using --dataalignmentoffset. 
+ # + # I/O from the LVM Volume Group to the LVM Physical Volume will use the extent size defined + # by the LVM Volume Group, starting at the point defined by the LVM Physical Volume data alignment offset + #### + + # Workaround to while running in subshell and inability to re-use variables (the volume group target lists) + while IFS= read -r line + do + disk_id=$(echo $line | awk '{ print $1}') + disk_capacity_gb=$(echo $line | awk '{ print $2}') + if [[ $existing_disks_list = *"$disk_id"* ]] + then + echo "No action on existing formatted /dev/$disk_id" + elif [[ $disk_capacity_gb = "$disk_capacity_gb_specified" ]] + then + echo "Creating LVM Physical Volume for /dev/$disk_id using data alignment offset $lvm_pv_data_alignment" + pvcreate "/dev/$disk_id" --dataalignment $lvm_pv_data_alignment + echo "Adding /dev/$disk_id to a list for the LVM Volume Group for $mount_point" + lvm_volume_group_target_list=$(echo "/dev/$disk_id" & echo $lvm_volume_group_target_list) + echo "" + fi + done <<< "$(echo -e "$physical_disks_list_with_gigabytes")" + + #### + # Create LVM Volume Groups and add LVM Physical Volumes + # Default is 1MiB offset from disk start before first LVM VG Physical Extent is used + # Default is 4MiB for the physical extent size (aka. 
block size), once set this is difficult to change + # + # I/O from the LVM Logical Volume to the LVM Volume Group will use the extent size defined + # by the LVM Volume Group, starting at the point defined by the LVM Volume Group data alignment offset + # + # Therefore the LVM Volume Group extent size acts as the block size from LVM virtualization to the physical disks + #### + + echo "Creating $lvm_volume_group_name volume group with $(echo $lvm_volume_group_target_list | tr -d '\n'), using $lvm_volume_group_data_alignment data alignment and $lvm_volume_group_physical_extent_size extent size (block size)" + vgcreate --dataalignment $lvm_volume_group_data_alignment --physicalextentsize $lvm_volume_group_physical_extent_size $lvm_volume_group_name $(echo $lvm_volume_group_target_list | tr -d '\n') + echo "" + + ####### + # Create expandable LVM Logical Volume, using single or multiple physical disk volumes + # Default is 64K for the stripe size (aka. block size) + # + # I/O from the OS/Applications to the LVM Logical Volume will use the stripe size defined + # + # Therefore the LVM Logical Volume stripe size acts as the block size from OS to LVM virtualization + # IMPORTANT: Correct setting of this stripe size has impact on performance of OS and Applications read/write + ####### + + # Count number of LVM Physical Volumes in the LVM Volume Group + count_physical_volumes=$(echo "$lvm_volume_group_target_list" | wc -w) + + # Create LVM Logical Volume + # Stripe across all LVM Physical Volumes available in the LVM Volume Group + echo "Creating $lvm_logical_volume_name logical volume for $lvm_volume_group_name volume group, using $lvm_logical_volume_stripe_size extent size (block size)" + lvcreate $lvm_volume_group_name --yes --extents "100%FREE" --stripesize $lvm_logical_volume_stripe_size --stripes $count_physical_volumes --name "$lvm_logical_volume_name" + echo "" + + + ####### + # Create File System formatting for the LVM Logical Volume + # Filesystem is either XFS 
or EXT4 + ####### + + echo "Create File System formatting for the LVM Logical Volume" + mkfs.$filesystem_format "/dev/$lvm_volume_group_name/$lvm_logical_volume_name" + echo "" + + + ####### + # Permenant mount point + ####### + + # Note: After enabling multipath on the Linux host and rebooting the system, disk paths might appear in “/dev/UUID” form with a unique alphanumeric identifier. + # This can be seen by using the “lsblk” command on Linux. The preferred method is to use this disk path as opposed to the “/dev/sdX” path when formatting and mounting file systems. + + # Note: When adding an /etc/fstab entry for iSCSI based disk devices, use the “_netdev” mount option to ensure + # that the network link is ready before the operating system attempts to mount the disk. + + echo "Create fstab entries for $lvm_volume_group_name" + echo "# fstab entries for $lvm_volume_group_name" >> /etc/fstab + echo "/dev/$lvm_volume_group_name/$lvm_logical_volume_name $mount_point $filesystem_format defaults,noatime 0 0" >> /etc/fstab + echo "" + +} + + + + +############################################# +# Physical Volume Partition formatting +############################################# + +function physical_volume_partition_runner() { + + mount_point="$1" + disk_capacity_gb_specified="$2" + physical_partition_filesystem_block_size="$3" + physical_partition_name="$4" + filesystem_format="$5" + + # Ensure directory is available + mkdir --parents $mount_point + + # Clear any previous data entries on previously formatted disks + unset existing_disks_list + unset lvm_volume_group_target_list + unset physical_disks_list_with_gigabytes + + # Find existing disk devices and partitions + for disk in $(blkid -o device) + do + existing_disk_no_partition=$(echo "$disk" | sed 's/[0-9]\+$//') + export existing_disks_list=$(echo $existing_disk_no_partition & echo $existing_disks_list) + unset existing_disk_no_partition + done + + # Run calculations + physical_disks_list=$(lsblk --nodeps --bytes 
--noheadings -io KNAME,FSTYPE | awk 'BEGIN{OFS="\t"} {if (FNR>1 && $2 = "") print "/dev/"$1; else print $0}') + physical_disks_list_with_megabytes=$(lsblk --nodeps --bytes --noheadings -io KNAME,SIZE | awk 'BEGIN{OFS="\t"} {if (FNR>1) print $1,$2/1024/1024; else print $0}') + physical_disks_list_with_gigabytes=$(lsblk --nodeps --bytes --noheadings -io KNAME,SIZE | awk 'BEGIN{OFS="\t"} {if (FNR>1) print $1,$2/1024/1024/1024; else print $0}') + echo "$physical_disks_list_with_gigabytes" > $HOME/physical_disks_list_with_gigabytes.txt + + + if [[ $filesystem_format == "xfs" ]] + then + echo "#### XFS on Linux supports only filesystems with block sizes EQUAL to the system page size. ####" + echo "#### The disk can be formatted with up to 64 KiB, however it will fail to mount with the following error ####" + echo "# mount(2) system call failed: Function not implemented." + echo "" + echo "#### The default page size is hardcoded and cannot be changed. ####" + echo "" + echo "#### Red Hat KB: What is the maximum supported XFS block size in RHEL? - https://access.redhat.com/solutions/1614393 ####" + echo "#### Red Hat KB: Is it possible to change Page Size in Red Hat Enterprise Linux? - https://access.redhat.com/solutions/4854441 ####" + echo "" + echo "Page Size currently set to:" + getconf PAGESIZE + echo "" + fi + + page_size=$(getconf PAGESIZE) + + if [[ $filesystem_format == "xfs" ]] && [[ $(( page_size/1024 )) != $(echo $physical_partition_filesystem_block_size | sed 's/[^0-9]*//g') ]] + then + echo "Requested XFS Block Sizes are not equal to the Page Size, amend to Page Size" + echo "$mount_point requested as xfs with block size $physical_partition_filesystem_block_size, resetting to $page_size" + block_size_definition=$page_size + else + block_size_definition=$physical_partition_filesystem_block_size + fi + + + # Mount options for filesystem table. 
+ # With only 4 KiB Page Size, only 2 in-memory log buffers are available so increase to each buffer's size (default 32kc) may increase performance + mount_options="defaults,noatime" + #mount_options="defaults,logbsize=256k" + + # Workaround to while running in subshell and inability to re-use variables (the volume group target lists) + while IFS= read -r line + do + disk_id=$(echo $line | awk '{ print $1}') + disk_capacity_gb=$(echo $line | awk '{ print $2}') + if [[ $existing_disks_list = *"$disk_id"* ]] + then + echo "No action on existing formatted /dev/$disk_id" + elif [[ $disk_capacity_gb = $disk_capacity_gb_specified ]] + then + echo "Creating Whole Disk Physical Volume Partition and File System for /dev/$disk_id at $mount_point with GPT Partition Table, start at 1MiB" + parted --script /dev/$disk_id \ + mklabel gpt \ + mkpart primary $filesystem_format 1MiB 100% \ + name 1 $physical_partition_name + echo "Format Disk Partition with File System, with block size $block_size_definition" + mkfs.$${filesystem_format} -f -b size=$block_size_definition /dev/$disk_id + echo "Write Mount Points to Linux File System Table" + PhysicalDiskUUID=$(blkid /dev/$disk_id -sUUID -ovalue) + echo "UUID=$PhysicalDiskUUID $mount_point $${filesystem_format} $mount_options 0 0"\ >> /etc/fstab + echo "" + fi + done <<< "$(echo -e "$physical_disks_list_with_gigabytes")" + +} + + + + +############################################# +# Swap file or partition +############################################# + +function create_swap_file() { + + echo "Create swapfile" + + swap_gb="$1" + swap_bs="128" + + swap_calc_bs=$swap_bs"M" + swap_calc_count="$((x=$swap_gb*1024,x/$swap_bs))" + dd if=/dev/zero of=/swapfile bs=$swap_calc_bs count=$swap_calc_count + chmod 600 /swapfile + mkswap /swapfile + swapon /swapfile + echo '/swapfile swap swap defaults 0 0' >> /etc/fstab + swapon --show + free -h + +} + + +function create_swap_partition() { + + find_swap_partition_by_size="$1" + + 
physical_disks_list_with_gigabytes=$(lsblk --nodeps --bytes --noheadings -io KNAME,SIZE | awk 'BEGIN{OFS="\t"} {if (FNR>1) print $1,$2/1024/1024/1024; else print $0}') + + while IFS= read -r line + do + disk_id=$(echo $line | awk '{ print $1}') + disk_capacity_gb=$(echo $line | awk '{ print $2}') + if [[ $existing_disks_list = *"$disk_id"* ]] + then + echo "No action on existing formatted /dev/$disk_id" + elif [[ $disk_capacity_gb = $find_swap_partition_by_size ]] + then + echo "Create swap partition" + mkswap /dev/$disk_id + swapon /dev/$disk_id + echo "/dev/$disk_id swap swap defaults 0 0" >> /etc/fstab + swapon --show + free -h + echo "" + break + fi + done <<< "$(echo -e "$physical_disks_list_with_gigabytes")" + +} + + + + +############################################# +# Verify/Debug +############################################# + +storage_debug="false" + +function storage_debug_run() { + +if [ "$storage_debug" == "true" ] +then + + echo "--- Show Mount points ---" + df -h + printf "\n----------------\n\n" + + echo "--- Show /etc/fstab file ---" + cat /etc/fstab + printf "\n----------------\n\n" + + echo "--- Show Block devices ---" + blkid + printf "\n----------------\n\n" + + echo "--- Show Block devices information ---" + lsblk -o NAME,MAJ:MIN,RM,SIZE,RO,TYPE,MOUNTPOINT,PHY-SEC,LOG-SEC + printf "\n----------------\n\n" + + echo "--- Show Hardware List of Disks and Volumes ---" + lshw -class disk -class volume + ###lshw -json -class disk -class volume | jq '[.logicalname, .configuration.sectorsize, .configuration.logicalsectorsize]' + ###tail -n +1 /sys/block/vd*/queue/*_block_size + printf "\n----------------\n\n" + + echo "--- Show LVM Physical Volumes ---" + pvs + # pvs -v + printf "\n----------------\n\n" + + echo "--- Show LVM Physical Volumes information ---" + pvdisplay + printf "\n----------------\n\n" + + echo "--- Show LVM Volume Groups ---" + vgs + # vgs -v + printf "\n----------------\n\n" + + echo "--- Show LVM Volume Groups information ---" + 
vgdisplay + printf "\n----------------\n\n" + + echo "--- Show LVM Logical Volumes ---" + lvs + # lvs -v + printf "\n----------------\n\n" + + echo "--- Show LVM Logical Volumes information ---" + lvdisplay + printf "\n----------------\n\n" + +fi + +} + + + + +############################################# +# MAIN +############################################# + +function main() { + + check_os_distribution + + # Bash Functions use logic of "If injected Terraform value is true (i.e. LVM is used for the mount point) then run Bash Function". + # Ensure Bash Function is called with quotes surrounding Bash Variable of list, otherwise will expand and override other Bash Function Arguments + + printf "\n----------------\n\n" + echo '--- Rescan SCSI bus for new SCSI/iSCSI devices ---' + /usr/bin/rescan-scsi-bus.sh + printf "\n----------------\n\n" + + #echo 'Install jq' + #if [ "$os_type" = "rhel" ] ; then yum --assumeyes --debuglevel=1 install jq ; elif [ "$os_type" = "sles" ] ; then zypper install --no-confirm jq ; fi + ##web_proxy_ip_port=$(echo ${var.module_var_web_proxy_url} | awk -F '^http[s]?://' '{print $2}') + ##if [ ! -f /usr/local/bin/jq ]; then curl -L --proxy $web_proxy_ip_port 'https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64' -o jq && chmod +x jq && mv jq /usr/local/bin; fi + + # Create the required directories + mkdir --parents /hana/{shared,data,log} --mode 755 + mkdir --parents /usr/sap --mode 755 + mkdir --parents /sapmnt --mode 755 + + + # If any mount point uses LVM. i.e. 
IF with OR operator + if [[ "${var.module_var_lvm_enable_hana_data}" == "true" ]] || [[ "${var.module_var_lvm_enable_hana_log}" == "true" ]] || [[ "${var.module_var_lvm_enable_hana_shared}" == "true" ]] || [[ "${var.module_var_lvm_enable_anydb}" == "true" ]] + then + lvm_install + fi + + + if [[ ${var.module_var_disk_volume_count_hana_data} -gt 0 ]] + then + if [[ "${var.module_var_lvm_enable_hana_data}" == "true" ]] + then + lvm_filesystem_runner "/hana/data" "${var.module_var_disk_volume_capacity_hana_data}" "${var.module_var_lvm_pv_data_alignment_hana_data}" "vg_hana_data" "${var.module_var_lvm_vg_data_alignment_hana_data}" "${var.module_var_lvm_vg_physical_extent_size_hana_data}" "${var.module_var_lvm_lv_stripe_size_hana_data}" "${var.module_var_filesystem_hana_data}" + + elif [[ "${var.module_var_lvm_enable_hana_data}" == "false" ]] + then + physical_volume_partition_runner "/hana/data" "${var.module_var_disk_volume_capacity_hana_data}" "${var.module_var_physical_partition_filesystem_block_size_hana_data}" "hana_data" "${var.module_var_filesystem_hana_data}" + fi + fi + + + if [[ ${var.module_var_disk_volume_count_hana_log} -gt 0 ]] + then + if [[ "${var.module_var_lvm_enable_hana_log}" == "true" ]] + then + lvm_filesystem_runner "/hana/log" "${var.module_var_disk_volume_capacity_hana_log}" "${var.module_var_lvm_pv_data_alignment_hana_log}" "vg_hana_log" "${var.module_var_lvm_vg_data_alignment_hana_log}" "${var.module_var_lvm_vg_physical_extent_size_hana_log}" "${var.module_var_lvm_lv_stripe_size_hana_log}" "${var.module_var_filesystem_hana_log}" + + elif [[ "${var.module_var_lvm_enable_hana_log}" == "false" ]] + then + physical_volume_partition_runner "/hana/log" "${var.module_var_disk_volume_capacity_hana_log}" "${var.module_var_physical_partition_filesystem_block_size_hana_log}" "hana_log" "${var.module_var_filesystem_hana_log}" + fi + fi + + + if [[ ${var.module_var_disk_volume_count_hana_shared} -gt 0 ]] + then + if [[ 
"${var.module_var_lvm_enable_hana_shared}" == "true" ]] + then + lvm_filesystem_runner "/hana/shared" "${var.module_var_disk_volume_capacity_hana_shared}" "${var.module_var_lvm_pv_data_alignment_hana_shared}" "vg_hana_shared" "${var.module_var_lvm_vg_data_alignment_hana_shared}" "${var.module_var_lvm_vg_physical_extent_size_hana_shared}" "${var.module_var_lvm_lv_stripe_size_hana_shared}" "${var.module_var_filesystem_hana_shared}" + + elif [[ "${var.module_var_lvm_enable_hana_shared}" == "false" ]] + then + physical_volume_partition_runner "/hana/shared" "${var.module_var_disk_volume_capacity_hana_shared}" "${var.module_var_physical_partition_filesystem_block_size_hana_shared}" "hana_shared" "${var.module_var_filesystem_hana_shared}" + fi + fi + + + if [[ ${var.module_var_disk_volume_count_anydb} -gt 0 ]] + then + if [[ "${var.module_var_lvm_enable_anydb}" == "true" ]] + then + lvm_filesystem_runner "${var.module_var_filesystem_mount_path_anydb}" "${var.module_var_disk_volume_capacity_anydb}" "${var.module_var_lvm_pv_data_alignment_anydb}" "vg_anydb" "${var.module_var_lvm_vg_data_alignment_anydb}" "${var.module_var_lvm_vg_physical_extent_size_anydb}" "${var.module_var_lvm_lv_stripe_size_anydb}" "${var.module_var_filesystem_anydb}" + + elif [[ "${var.module_var_lvm_enable_anydb}" == "false" ]] + then + physical_volume_partition_runner "${var.module_var_filesystem_mount_path_anydb}" "${var.module_var_disk_volume_capacity_anydb}" "${var.module_var_physical_partition_filesystem_block_size_anydb}" "anydb" "${var.module_var_filesystem_anydb}" + fi + fi + + + if [[ ${var.module_var_disk_volume_count_usr_sap} -gt 0 ]] + then + physical_volume_partition_runner "/usr/sap" "${var.module_var_disk_volume_capacity_usr_sap}" "4k" "usr_sap" "${var.module_var_filesystem_usr_sap}" + fi + + + if [[ ${var.module_var_disk_volume_count_sapmnt} -gt 0 ]] + then + physical_volume_partition_runner "/sapmnt" "${var.module_var_disk_volume_capacity_sapmnt}" "4k" "sapmnt" 
"${var.module_var_filesystem_sapmnt}" + fi + + + if [[ ${var.module_var_disk_swapfile_size_gb} -gt 0 ]] + then + create_swap_file "${var.module_var_disk_swapfile_size_gb}" + else + create_swap_partition "${var.module_var_disk_volume_capacity_swap}" + fi + + + physical_volume_partition_runner "${var.module_var_sap_software_download_directory}" "${var.module_var_disk_volume_capacity_software}" "4k" "software" "xfs" + + + mount -a + +} + + +# Run script by calling 'main' Bash Function +main + + +EOF + } + +} diff --git a/vmware_vm/host_provision/build_os_prepare.tf b/vmware_vm/host_provision/build_os_prepare.tf new file mode 100644 index 0000000..7d88b81 --- /dev/null +++ b/vmware_vm/host_provision/build_os_prepare.tf @@ -0,0 +1,58 @@ + +resource "null_resource" "build_script_os_prepare" { + + depends_on = [ + vsphere_virtual_machine.host_provision + ] + + # Specify the ssh connection + connection { + type = "ssh" + user = "root" + host = vsphere_virtual_machine.host_provision.default_ip_address + private_key = var.module_var_host_private_ssh_key + timeout = "30s" + } + + # Path must already exist and must not use Bash shell special variable, e.g. cannot use $HOME/file.sh + # "By default, OpenSSH's scp implementation runs in the remote user's home directory and so you can specify a relative path to upload into that home directory" + # https://www.terraform.io/language/resources/provisioners/file#destination-paths + provisioner "file" { + destination = "terraform_os_prep.sh" + content = <> /etc/hosts + + +EOF + } + +} diff --git a/vmware_vm/host_provision/build_os_subscriptions.tf b/vmware_vm/host_provision/build_os_subscriptions.tf new file mode 100644 index 0000000..858c13a --- /dev/null +++ b/vmware_vm/host_provision/build_os_subscriptions.tf 
@@ -0,0 +1,80 @@ + +# VMware Virtual Machine - RHEL OS registration + +resource "null_resource" "os_subscription_files" { + + depends_on = [ + vsphere_virtual_machine.host_provision + ] + + connection { + type = "ssh" + user = "root" + host = vsphere_virtual_machine.host_provision.default_ip_address + private_key = var.module_var_host_private_ssh_key + timeout = "30s" + } + + # Path must already exist and must not use Bash shell special variable, e.g. cannot use $HOME/file.sh + # "By default, OpenSSH's scp implementation runs in the remote user's home directory and so you can specify a relative path to upload into that home directory" + # https://www.terraform.io/language/resources/provisioners/file#destination-paths + provisioner "file" { + destination = "terraform_os_subscriptions.sh" + content = <> /root/.bashrc + + echo 'web_proxy_url="${var.module_var_web_proxy_url}" && array=("http_proxy" "https_proxy" "ftp_proxy" "HTTP_PROXY" "HTTPS_PROXY" "FTP_PROXY" ) && for i in "$${array[@]}"; do export $i="$web_proxy_url"; done' >> /root/.bashrc + + echo 'web_proxy_exclusion="${var.module_var_web_proxy_exclusion}" && array=("no_proxy" "NO_PROXY" ) && for i in "$${array[@]}"; do export $i="$web_proxy_exclusion"; done' >> /root/.bashrc + + echo '---- Sleep 60s to ensure Web Proxy connection is ready -----' && sleep 60 + + web_proxy_ip_port=$(echo ${var.module_var_web_proxy_url} | awk -F '^http[s]?://' '{print $2}') + web_proxy_ip_only=$(echo $web_proxy_ip_port | awk -F ':' '{print $1}') + + echo 'Show ip route get to the Web Proxy IP' + ip route get $web_proxy_ip_only + + echo 'Run cURL test to launchpad.support.sap.com to check internet connectivity' + curl --connect-timeout 5 --max-time 60 --retry 5 --retry-delay 30 --proxy $web_proxy_ip_port -L launchpad.support.sap.com + #curl --silent $web_proxy_ip_only >/dev/null && echo 'Connected to squid web proxy' || echo 'Failed to test direct connection to squid web proxy' + fi + +EOF + } + +} 
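Review bot: The connectivity check near the end of the heredoc, `curl ... --proxy $web_proxy_ip_port -L launchpad.support.sap.com`, gives no URL scheme, so curl goes out as plain http:// through the proxy and follows redirects, and its exit status is never checked, so a failed test does not fail the provisioner. If the intent is to abort when there is no outbound access, something like `curl --connect-timeout 5 --max-time 60 --retry 5 --retry-delay 30 --proxy "$web_proxy_ip_port" -fsSL https://launchpad.support.sap.com -o /dev/null || exit 1` does that; if it is informational only, the comment should say so. The `echo '...' >> /root/.bashrc` lines are also appended on every run of the provisioner, so re-provisioning duplicates the proxy exports; a guard marker or a dedicated file under /etc/profile.d would keep this idempotent. The opening of the heredoc (`content = <<EOF` and the lines before the proxy block) is lost in this rendering, so the surrounding logic could not be reviewed.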
diff --git a/vmware_vm/host_provision/cloudinit_config_metadata.yml b/vmware_vm/host_provision/cloudinit_config_metadata.yml
new file mode 100644
index 0000000..6a9b9ac
--- /dev/null
+++ b/vmware_vm/host_provision/cloudinit_config_metadata.yml
@@ -0,0 +1,9 @@
+instance-id: ${template_var_hostname} # Otherwise uses /sys/class/dmi/id/product_uuid
+local-hostname: ${template_var_hostname}
+network:
+ version: 2
+ ethernets:
+ nics:
+ match:
+ name: ens*
+ dhcp4: yes
diff --git a/vmware_vm/host_provision/cloudinit_config_userdata.yml b/vmware_vm/host_provision/cloudinit_config_userdata.yml
new file mode 100644
index 0000000..ad96955
--- /dev/null
+++ b/vmware_vm/host_provision/cloudinit_config_userdata.yml
@@ -0,0 +1,51 @@
+#cloud-config
+hostname: ${template_var_hostname}abc.${template_var_dns_root_domain_name}
+fqdn: ${template_var_hostname}.${template_var_dns_root_domain_name}
+
+# Enable the traditional VMware Linux Guest Customisation configuration
+## To ensure VMware datasource is found in ds-identify, VMware Customization should be enabled. This has been ignored to force cloud-init native behaviour.
+## To ensure cloud-init uses VMware Customization (instead of directly via metadata and userdata files), allow raw data for cloud-init should be disabled. This has been ignored to force cloud-init native behaviour.
+## Set the maximum waiting time for the VMware customisation file to 10 seconds
+## When using multi line datasource array, then the single datasource_list array will be ignored
+disable_vmware_customization: true
+datasource:
+ VMware:
+ allow_raw_data: true
+ vmware_cust_file_max_wait: 10 # seconds
+
+# Ensure root login is enabled
+disable_root: false
+
+# Ensure SSH password authentication is disabled for all users
+ssh_pwauth: false
+
+# Ensure all existing SSH Keys are removed from host
+ssh_deletekeys: true
+
+# By default, (most) ssh host keys are printed to the console
+# Set emit_keys_to_console to false suppresses this output
+ssh:
+ emit_keys_to_console: false
+
+# By default, the fingerprints of the authorized keys for the users
+# cloud-init adds are printed to the console. Setting
+# no_ssh_fingerprints to true suppresses this output
+no_ssh_fingerprints: false
+
+# For first user in the cloud-init configuration, set the SSH Public Key
+ssh_authorized_keys:
+ - ${template_public_key_openssh}
+
+# Add entry to /root/.ssh/authorized_keys
+users:
+ - name: 'root'
+ lock_passwd: false # Do not lock password once access to host, however password authentication for SSH remains disabled
+ ssh_pwauth: false # Ensure SSH password authentication is disabled for root
+ ssh_authorized_keys:
+ - ${template_public_key_openssh}
+
+# After first boot of the VMware VM Template, disable cloud-init from running again
+write_files:
+ - path: /etc/cloud/cloud-init.disabled
+ permissions: "0644"
+ content: ""
diff --git a/vmware_vm/host_provision/data_sddc.tf b/vmware_vm/host_provision/data_sddc.tf
new file mode 100644
index 0000000..ee2b687
--- /dev/null
+++ b/vmware_vm/host_provision/data_sddc.tf
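Review bot: The `hostname:` value on the second line carries a literal `abc` — `${template_var_hostname}abc.${template_var_dns_root_domain_name}` — which disagrees with the `fqdn:` line right below it and with `linux_options.host_name` in host.tf; it looks like leftover test input and should read `hostname: ${template_var_hostname}.${template_var_dns_root_domain_name}` (or the short name alone, as the metadata file's `local-hostname` does). The heading comment "Enable the traditional VMware Linux Guest Customisation configuration" sits over `disable_vmware_customization: true`, so the comment states the opposite of the setting; "Disable the traditional VMware Linux Guest Customisation; cloud-init reads the guestinfo metadata/userdata directly" would match the code. Under `users:`, `lock_passwd: false` leaves root's password usable on the console/VMRC even though SSH password authentication is off; unless a root password is deliberately managed elsewhere in the template, `lock_passwd: true` restricts root to the injected SSH key.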
@@ -0,0 +1,40 @@
+
+data "vsphere_datacenter" "datacenter" {
+ name = var.module_var_vmware_vsphere_datacenter_name
+}
+
+
+data "vsphere_compute_cluster" "cluster" {
+ name = var.module_var_vmware_vsphere_datacenter_compute_cluster_name
+ datacenter_id = data.vsphere_datacenter.datacenter.id
+}
+
+
+data "vsphere_host" "host" {
+ name = var.module_var_vmware_vsphere_datacenter_compute_cluster_host_fqdn
+ datacenter_id = data.vsphere_datacenter.datacenter.id
+}
+
+
+# Select VM and Template Folder
+data "vsphere_folder" "folder" {
+ path = var.module_var_vmware_vsphere_datacenter_compute_cluster_folder_name
+}
+
+
+data "vsphere_datastore" "datastore" {
+ name = var.module_var_vmware_vsphere_datacenter_storage_datastore_name
+ datacenter_id = data.vsphere_datacenter.datacenter.id
+}
+
+
+data "vsphere_network" "network" {
+ name = var.module_var_vmware_vsphere_datacenter_network_primary_name
+ datacenter_id = data.vsphere_datacenter.datacenter.id
+}
+
+
+data "vsphere_virtual_machine" "provision_template" {
+ name = "${var.module_var_vmware_vsphere_datacenter_compute_cluster_folder_name}/${var.module_var_vmware_vm_template_name}"
+ datacenter_id = data.vsphere_datacenter.datacenter.id
+}
diff --git a/vmware_vm/host_provision/host.tf b/vmware_vm/host_provision/host.tf
new file mode 100644
index 0000000..621ac59
--- /dev/null
+++ b/vmware_vm/host_provision/host.tf
@@ -0,0 +1,176 @@
+
+# Cloud-init directive metadata
+data "template_file" "cloud_init_metadata" {
+ template = file("${path.module}/cloudinit_config_metadata.yml")
+
+ vars = {
+ template_var_hostname = var.module_var_vmware_vm_hostname
+ }
+
+}
+
+# Cloud-init directive user_data
+data "template_file" "cloud_init_user_data" {
+ template = file("${path.module}/cloudinit_config_userdata.yml")
+
+ vars = {
+ template_var_hostname = var.module_var_vmware_vm_hostname
+ template_var_dns_root_domain_name = var.module_var_vmware_vm_dns_root_domain_name
+ template_public_key_openssh = var.module_var_host_public_ssh_key
+ }
+
+}
+
+
+
+resource "vsphere_virtual_machine" "host_provision" {
+
+ depends_on = [
+ vsphere_virtual_disk.virtual_disk_hana_data,
+ vsphere_virtual_disk.virtual_disk_hana_log,
+ vsphere_virtual_disk.virtual_disk_hana_shared,
+ vsphere_virtual_disk.virtual_disk_anydb,
+ vsphere_virtual_disk.virtual_disk_usr_sap,
+ vsphere_virtual_disk.virtual_disk_sapmnt,
+ vsphere_virtual_disk.virtual_disk_swap,
+ vsphere_virtual_disk.virtual_disk_software
+ ]
+
+ name = var.module_var_vmware_vm_hostname
+
+ resource_pool_id = data.vsphere_compute_cluster.cluster.resource_pool_id
+ host_system_id = data.vsphere_host.host.id
+
+ datastore_id = data.vsphere_datastore.datastore.id
+
+ folder = var.module_var_vmware_vsphere_datacenter_compute_cluster_folder_name
+
+ guest_id = data.vsphere_virtual_machine.provision_template.guest_id
+
+
+ # Firmware Interface configuration
+ # Required to avoid cloning error "Operating System not found" in VMware vSphere 7.x
+ firmware = data.vsphere_virtual_machine.provision_template.efi_secure_boot_enabled ? "efi" : "bios"
+ nested_hv_enabled = false
+
+
+ # CPU Processors
+ num_cpus = var.module_var_vmware_vm_compute_cpu_threads
+ cpu_hot_add_enabled = false
+ cpu_hot_remove_enabled = false
+# cpu_reservation =
+
+
+ # Memory
+ memory = abs(var.module_var_vmware_vm_compute_ram_gb * 1024)
+ memory_hot_add_enabled = false
+# memory_reservation =
+
+
+ # Storage
+ scsi_controller_count = 1
+ scsi_type = data.vsphere_virtual_machine.provision_template.scsi_type
+ enable_disk_uuid = true
+
+
+ # Boot disk copied from VMware VM Template
+ disk {
+ datastore_id = data.vsphere_datastore.datastore.id
+ unit_number = data.vsphere_virtual_machine.provision_template.disks[0].unit_number
+ label = "${var.module_var_vmware_vm_hostname}-boot"
+ size = data.vsphere_virtual_machine.provision_template.disks[0].size
+ thin_provisioned = data.vsphere_virtual_machine.provision_template.disks[0].thin_provisioned
+ eagerly_scrub = data.vsphere_virtual_machine.provision_template.disks[0].eagerly_scrub
+ }
+
+
+ # Attach Data Volumes to the host
+ # Use for loop to create objects with ID and Size, then use the for_each on these objects to populate the content of disk blocks
+ dynamic "disk" {
+
+ for_each = [
+ for virtual_disks in concat(vsphere_virtual_disk.virtual_disk_hana_data,vsphere_virtual_disk.virtual_disk_hana_log,vsphere_virtual_disk.virtual_disk_hana_shared,vsphere_virtual_disk.virtual_disk_anydb,vsphere_virtual_disk.virtual_disk_usr_sap,vsphere_virtual_disk.virtual_disk_sapmnt,vsphere_virtual_disk.virtual_disk_swap,vsphere_virtual_disk.virtual_disk_software) : {
+ path = virtual_disks.vmdk_path
+# size = virtual_disks.size
+ }
+ ]
+
+ content {
+ datastore_id = data.vsphere_datastore.datastore.id
+ unit_number = disk.key + 1 // Maximum 14 disks per 1 SCSI controller
+ label = "${format("${var.module_var_vmware_vm_hostname}-disk-%03s", disk.key + 1)}"
+ ## Use existing Virtual Disk (via vsphere_virtual_disk Terraform Resource)
+ attach = true
+ path = disk.value.path
+ ## Inline create new Virtual Disks for the Virtual Machine (no separate Terraform Resources)
+ #size = disk.value.size
+ #thin_provisioned
+ #eagerly_scrub
+ }
+
+ }
+
+
+ # Network
+ network_interface {
+ network_id = data.vsphere_network.network.id
+ adapter_type = data.vsphere_virtual_machine.provision_template.network_interface_types[0]
+ }
+
+
+ wait_for_guest_net_timeout = 5 // Timeout for available guest IP address on the virtual machine
+ wait_for_guest_ip_timeout = 5 // Legacy vSphere, Timeout for available guest IP address on the virtual machine
+
+
+ # VMware 'Clone to Virtual Machine' task
+ clone {
+ template_uuid = data.vsphere_virtual_machine.provision_template.id
+ timeout = 10 // Timeout to complete cloning/provisioning
+
+ customize {
+
+ timeout = 10 // Timeout to complete host configuration
+
+ # linux_options must exist in VM customization options for Linux operating systems
+ linux_options {
+ host_name = var.module_var_vmware_vm_hostname // Required
+ domain = var.module_var_vmware_vm_dns_root_domain_name // Required
+ hw_clock_utc = false
+ time_zone = "UTC"
+ }
+
+ # Declare network_interface blocks, which are matched to interfaces in sequence
+ # To use DHCP, declare an empty network_interface block for each interface
+ network_interface {
+ }
+
+# ipv4_gateway = var.vm_ipv4_gateway
+# dns_suffix_list = "${split(",", var.module_var_vmware_vm_dns_root_domain_name)}"
+#
+# # this will to allow to specify multiple values for dns servers
+# dns_server_list = var.vm_dns_servers
+ }
+ }
+
+
+ # Please be aware of security concerns when enabling copy/paste from VMware Remote Console (isolation.* parameters)
+ extra_config = {
+ "isolation.tools.copy.disable" = "FALSE" // Should be uppercase to avoid 'updated in-place' if re-executed
+ "isolation.tools.paste.disable" = "FALSE" // Should be uppercase to avoid 'updated in-place' if re-executed
+ "isolation.tools.setGUIOptions.enable" = "TRUE" // Should be uppercase to avoid 'updated in-place' if re-executed
+ "guestinfo.metadata" = base64encode(data.template_file.cloud_init_metadata.rendered)
+ "guestinfo.metadata.encoding" = "base64"
+ "guestinfo.userdata" = base64encode(data.template_file.cloud_init_user_data.rendered)
+ "guestinfo.userdata.encoding" = "base64"
+ }
+
+
+ # VMware Tools settings for the Virtual Machine
+ run_tools_scripts_after_power_on = true
+ run_tools_scripts_after_resume = false
+ run_tools_scripts_before_guest_reboot = false
+ run_tools_scripts_before_guest_shutdown = false
+ run_tools_scripts_before_guest_standby = false
+
+
+}
diff --git a/vmware_vm/host_provision/host_storage.tf b/vmware_vm/host_provision/host_storage.tf
new file mode 100644
index 0000000..16d1e77
--- /dev/null
+++ b/vmware_vm/host_provision/host_storage.tf
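Review bot: `extra_config` sets `"isolation.tools.copy.disable" = "FALSE"` and `"isolation.tools.paste.disable" = "FALSE"` for every host, re-enabling VMRC clipboard sharing that vSphere disables by default; the comment above acknowledges the concern, but the module gives callers no way to opt out. Consider driving both keys from a variable whose default is `"TRUE"`, or dropping them so the vSphere default stands and only the `guestinfo.*` entries cloud-init needs remain. In the dynamic `disk` block, `format("...-disk-%03s", disk.key + 1)` applies a zero-padded string verb to a number; `%03d` states the intent and does not depend on how the `0` flag is treated for `%s`. The two `data "template_file"` blocks at the top could become calls to the built-in `templatefile()` function, since the module already requires Terraform >= 1.0 and would then no longer pull in the template provider, which `required_providers` does not declare.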
@@ -0,0 +1,154 @@
+
+# To enable the dynamic block for disks attachment to the VMware Virtual Machine, must use count on each Virtual Disk
+# When using count = 1, the Virtual Disk is returned as a set. Without count it is returned as an object and will fail the for loop on the dynamic block
+
+resource "vsphere_virtual_disk" "virtual_disk_hana_data" {
+ count = var.module_var_disk_volume_count_hana_data
+ datacenter = data.vsphere_datacenter.datacenter.name
+ datastore = data.vsphere_datastore.datastore.name
+ vmdk_path = "/${var.module_var_vmware_vm_hostname}_data/${var.module_var_vmware_vm_hostname}-hana-data${count.index}.vmdk"
+ create_directories = true
+
+ size = var.module_var_disk_volume_capacity_hana_data
+ type = "lazy" # Thick Provision Lazy Zeroed (allocate then zero on first write)
+
+ lifecycle {
+ ignore_changes = [
+ type
+ ]
+ }
+
+}
+
+
+resource "vsphere_virtual_disk" "virtual_disk_hana_log" {
+ count = var.module_var_disk_volume_count_hana_log
+ datacenter = data.vsphere_datacenter.datacenter.name
+ datastore = data.vsphere_datastore.datastore.name
+ vmdk_path = "/${var.module_var_vmware_vm_hostname}_data/${var.module_var_vmware_vm_hostname}-hana-log${count.index}.vmdk"
+ create_directories = true
+
+ size = var.module_var_disk_volume_capacity_hana_log
+ type = "lazy" # Thick Provision Lazy Zeroed (allocate then zero on first write)
+
+ lifecycle {
+ ignore_changes = [
+ type
+ ]
+ }
+
+}
+
+
+resource "vsphere_virtual_disk" "virtual_disk_hana_shared" {
+ count = var.module_var_disk_volume_count_hana_shared
+ datacenter = data.vsphere_datacenter.datacenter.name
+ datastore = data.vsphere_datastore.datastore.name
+ vmdk_path = "/${var.module_var_vmware_vm_hostname}_data/${var.module_var_vmware_vm_hostname}-hana-shared${count.index}.vmdk"
+ create_directories = true
+
+ size = var.module_var_disk_volume_capacity_hana_shared
+ type = "lazy" # Thick Provision Lazy Zeroed (allocate then zero on first write)
+
+ lifecycle {
+ ignore_changes = [
+ type
+ ]
+ }
+
+}
+
+
+resource "vsphere_virtual_disk" "virtual_disk_anydb" {
+ count = var.module_var_disk_volume_count_anydb
+ datacenter = data.vsphere_datacenter.datacenter.name
+ datastore = data.vsphere_datastore.datastore.name
+ vmdk_path = "/${var.module_var_vmware_vm_hostname}_data/${var.module_var_vmware_vm_hostname}-anydb${count.index}.vmdk"
+ create_directories = true
+
+ size = var.module_var_disk_volume_capacity_anydb
+ type = "lazy" # Thick Provision Lazy Zeroed (allocate then zero on first write)
+
+ lifecycle {
+ ignore_changes = [
+ type
+ ]
+ }
+
+}
+
+
+resource "vsphere_virtual_disk" "virtual_disk_usr_sap" {
+ count = var.module_var_disk_volume_count_usr_sap // Must be no more than 1
+ datacenter = data.vsphere_datacenter.datacenter.name
+ datastore = data.vsphere_datastore.datastore.name
+ vmdk_path = "/${var.module_var_vmware_vm_hostname}_data/${var.module_var_vmware_vm_hostname}-usr-sap${count.index}.vmdk"
+ create_directories = true
+
+ size = var.module_var_disk_volume_capacity_usr_sap
+ type = "lazy" # Thick Provision Lazy Zeroed (allocate then zero on first write)
+
+ lifecycle {
+ ignore_changes = [
+ type
+ ]
+ }
+
+}
+
+
+resource "vsphere_virtual_disk" "virtual_disk_sapmnt" {
+ count = var.module_var_disk_volume_count_sapmnt // Must be no more than 1
+ datacenter = data.vsphere_datacenter.datacenter.name
+ datastore = data.vsphere_datastore.datastore.name
+ vmdk_path = "/${var.module_var_vmware_vm_hostname}_data/${var.module_var_vmware_vm_hostname}-sapmnt.vmdk"
+ create_directories = true
+
+ size = var.module_var_disk_volume_capacity_sapmnt
+ type = "lazy" # Thick Provision Lazy Zeroed (allocate then zero on first write)
+
+ lifecycle {
+ ignore_changes = [
+ type
+ ]
+ }
+
+}
+
+
+resource "vsphere_virtual_disk" "virtual_disk_swap" {
+ count = var.module_var_disk_volume_count_swap // Must be no more than 1
+ datacenter = data.vsphere_datacenter.datacenter.name
+ datastore = data.vsphere_datastore.datastore.name
+ vmdk_path = "/${var.module_var_vmware_vm_hostname}_data/${var.module_var_vmware_vm_hostname}-swap.vmdk"
+ create_directories = true
+
+ size = var.module_var_disk_volume_capacity_swap
+ type = "lazy" # Thick Provision Lazy Zeroed (allocate then zero on first write)
+
+ lifecycle {
+ ignore_changes = [
+ type
+ ]
+ }
+
+}
+
+
+resource "vsphere_virtual_disk" "virtual_disk_software" {
+ count = 1 // Must be no more than 1
+ datacenter = data.vsphere_datacenter.datacenter.name
+ datastore = data.vsphere_datastore.datastore.name
+ vmdk_path = "/${var.module_var_vmware_vm_hostname}_data/${var.module_var_vmware_vm_hostname}-software.vmdk"
+ create_directories = true
+
+ size = var.module_var_disk_volume_capacity_software
+ type = "lazy" # Thick Provision Lazy Zeroed (allocate then zero on first write)
+
+ lifecycle {
+ ignore_changes = [
+ type
+ ]
+ }
+
+}
diff --git a/vmware_vm/host_provision/module_outputs.tf b/vmware_vm/host_provision/module_outputs.tf
new file mode 100644
index 0000000..03febd1
--- /dev/null
+++ b/vmware_vm/host_provision/module_outputs.tf
@@ -0,0 +1,8 @@
+
+output "output_host_private_ip" {
+ value = vsphere_virtual_machine.host_provision.default_ip_address
+}
+
+output "output_host_name" {
+ value = vsphere_virtual_machine.host_provision.name
+}
diff --git a/vmware_vm/host_provision/module_variables.tf b/vmware_vm/host_provision/module_variables.tf
new file mode 100644
index 0000000..d1319e6
--- /dev/null
+++ b/vmware_vm/host_provision/module_variables.tf
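Review bot: The eight `vsphere_virtual_disk` resources differ only in name, `count`, `size` and the vmdk file name, so as a point of style a single resource with `for_each` over a map keyed by volume role would remove roughly 130 duplicated lines, though the `concat(...)` and `depends_on` list in host.tf would have to change in the same commit. Within the copies the vmdk naming is inconsistent: `usr_sap` keeps `${count.index}` in its path while `sapmnt`, `swap` and `software` drop it, and `software` hard-codes `count = 1` where the others read a variable. If the `// Must be no more than 1` comments are a real constraint, a `validation` block on the corresponding `module_var_disk_volume_count_*` variables would enforce it at plan time instead of letting two instances collide on the same `vmdk_path`.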
@@ -0,0 +1,182 @@
+
+variable "module_var_resource_prefix" {}
+
+variable "module_var_vmware_vcenter_user" {}
+
+variable "module_var_vmware_vcenter_user_password" {}
+
+variable "module_var_vmware_vcenter_server" {}
+
+variable "module_var_vmware_vsphere_datacenter_name" {
+ description = "Target vSphere Datacenter name"
+}
+
+variable "module_var_vmware_vsphere_datacenter_compute_cluster_name" {
+ description = "Target vSphere Datacenter Compute Cluster name, to host the VMware Virtual Machine"
+}
+
+variable "module_var_vmware_vsphere_datacenter_compute_cluster_host_fqdn" {
+ description = "Target vSphere Datacenter Compute specificed vSphere Host FQDN, to host the VMware Virtual Machine"
+}
+
+variable "module_var_vmware_vsphere_datacenter_compute_cluster_folder_name" {
+ description = "Target vSphere Datacenter Compute Cluster Folder name, the logical directory for the VMware Virtual Machine"
+}
+
+variable "module_var_vmware_vsphere_datacenter_storage_datastore_name" {}
+
+variable "module_var_vmware_vsphere_datacenter_network_primary_name" {}
+
+
+variable "module_var_vmware_vm_template_name" {
+ description = "VMware VM Template name to use for provisioning"
+}
+
+variable "module_var_vmware_vm_compute_cpu_threads" {}
+
+variable "module_var_vmware_vm_compute_ram_gb" {}
+
+variable "module_var_vmware_vm_hostname" {
+ description = "Hostname of Virtual Machine"
+ validation {
+ condition = length(var.module_var_vmware_vm_hostname) <= 13
+ error_message = "Hostname must be equal to or lower than 13 characters in length."
+ }
+}
+
+variable "module_var_vmware_vm_dns_root_domain_name" {
+ description = "Domain Name of virtual machine"
+}
+
+
+variable "module_var_host_public_ssh_key" {}
+
+variable "module_var_host_private_ssh_key" {}
+
+variable "module_var_web_proxy_url" {}
+variable "module_var_web_proxy_exclusion" {}
+
+variable "module_var_os_vendor_account_user" {}
+variable "module_var_os_vendor_account_user_passcode" {}
+variable "module_var_os_systems_mgmt_host" {
+ default = ""
+}
+
+
+variable "module_var_disk_volume_count_hana_data" {}
+variable "module_var_disk_volume_capacity_hana_data" {}
+variable "module_var_lvm_enable_hana_data" {}
+variable "module_var_lvm_pv_data_alignment_hana_data" {
+ default = "1M"
+}
+variable "module_var_lvm_vg_data_alignment_hana_data" {
+ default = "1M"
+}
+variable "module_var_lvm_vg_physical_extent_size_hana_data" {
+ default = "4M"
+}
+variable "module_var_lvm_lv_stripe_size_hana_data" {
+ default = "64K"
+}
+variable "module_var_filesystem_hana_data" {
+ default = "xfs"
+}
+variable "module_var_physical_partition_filesystem_block_size_hana_data" {}
+
+
+variable "module_var_disk_volume_count_hana_log" {}
+variable "module_var_disk_volume_capacity_hana_log" {}
+variable "module_var_lvm_enable_hana_log" {}
+variable "module_var_lvm_pv_data_alignment_hana_log" {
+ default = "1M"
+}
+variable "module_var_lvm_vg_data_alignment_hana_log" {
+ default = "1M"
+}
+variable "module_var_lvm_vg_physical_extent_size_hana_log" {
+ default = "4M"
+}
+variable "module_var_lvm_lv_stripe_size_hana_log" {
+ default = "64K"
+}
+variable "module_var_filesystem_hana_log" {
+ default = "xfs"
+}
+variable "module_var_physical_partition_filesystem_block_size_hana_log" {}
+
+
+variable "module_var_disk_volume_count_hana_shared" {}
+variable "module_var_disk_volume_capacity_hana_shared" {}
+variable "module_var_lvm_enable_hana_shared" {}
+variable "module_var_lvm_pv_data_alignment_hana_shared" {
+ default = "1M"
+}
+variable "module_var_lvm_vg_data_alignment_hana_shared" {
+ default = "1M"
+}
+variable "module_var_lvm_vg_physical_extent_size_hana_shared" {
+ default = "4M"
+}
+variable "module_var_lvm_lv_stripe_size_hana_shared" {
+ default = "64K"
+}
+variable "module_var_filesystem_hana_shared" {
+ default = "xfs"
+}
+variable "module_var_physical_partition_filesystem_block_size_hana_shared" {}
+
+
+variable "module_var_disk_volume_count_anydb" {}
+variable "module_var_disk_volume_capacity_anydb" {}
+variable "module_var_disk_volume_iops_anydb" {
+ default = null
+}
+variable "module_var_lvm_enable_anydb" {
+ default = false
+}
+variable "module_var_lvm_pv_data_alignment_anydb" {
+ default = "1M"
+}
+variable "module_var_lvm_vg_data_alignment_anydb" {
+ default = "1M"
+}
+variable "module_var_lvm_vg_physical_extent_size_anydb" {
+ default = "4M"
+}
+variable "module_var_lvm_lv_stripe_size_anydb" {
+ default = "64K"
+}
+variable "module_var_filesystem_mount_path_anydb" {
+}
+variable "module_var_filesystem_anydb" {
+ default = "xfs"
+}
+variable "module_var_physical_partition_filesystem_block_size_anydb" {
+ default = "4k"
+}
+
+
+variable "module_var_disk_volume_count_usr_sap" {}
+variable "module_var_disk_volume_capacity_usr_sap" {}
+variable "module_var_filesystem_usr_sap" {
+ default = "xfs"
+}
+
+variable "module_var_disk_volume_count_sapmnt" {}
+variable "module_var_disk_volume_capacity_sapmnt" {}
+variable "module_var_filesystem_sapmnt" {
+ default = "xfs"
+}
+
+variable "module_var_disk_swapfile_size_gb" {}
+variable "module_var_disk_volume_count_swap" {}
+variable "module_var_disk_volume_capacity_swap" {}
+variable "module_var_filesystem_swap" {
+ default = "xfs"
+}
+
+variable "module_var_sap_software_download_directory" {
+ default = "/software"
+}
+variable "module_var_disk_volume_capacity_software" {
+}
diff --git a/vmware_vm/host_provision/module_versions.tf b/vmware_vm/host_provision/module_versions.tf
new file mode 100644
index 0000000..494568c
--- /dev/null
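Review bot: `module_var_vmware_vcenter_user_password`, `module_var_host_private_ssh_key` and `module_var_os_vendor_account_user_passcode` are declared as bare `variable "..." {}` without `sensitive = true`, so their values are printed in plan/apply output and in anything that captures it whenever they are interpolated; the module already requires Terraform >= 1.0 (module_versions.tf), where the attribute is available. For example `variable "module_var_vmware_vcenter_user_password" { sensitive = true }`, and likewise for the other two. The `module_var_vmware_vm_hostname` validation only bounds the length to 13, which is fine for the stated reason, but a comment naming where that limit comes from (the SAP hostname restriction, presumably) would save the next reader a search. Wording nit in the `..._compute_cluster_host_fqdn` description: "specificed" should be "specified".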
+++ b/vmware_vm/host_provision/module_versions.tf @@ -0,0 +1,26 @@ + +# Terraform declaration +terraform { + required_version = ">= 1.0" + required_providers { + vsphere = { +# source = "localdomain/provider/vsphere" // Local, on macOS path to place files would be $HOME/.terraform.d/plugins/localdomain/provider/vsphere/1.xx.xx/darwin_amd6 + source = "hashicorp/vsphere" + version = ">=2.2.0" + } + } +} + + +# Terraform Provider declaration +#provider "vsphere" { +# +# # Define Provider inputs from given Terraform Variables +# user = var.module_var_vmware_vcenter_user +# password = var.module_var_vmware_vcenter_user_password +# vsphere_server = var.module_var_vmware_vcenter_server +# +# # Self-signed certificate +# allow_unverified_ssl = true +# +#} From c8f7de4cfdf6973448edbd0299c64ad4f5d1b888 Mon Sep 17 00:00:00 2001 From: sean-freeman Date: Wed, 25 Jan 2023 12:46:53 +0000 Subject: [PATCH 16/18] fix: add vmware vm to gh action --- .github/workflows/terraform_validate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform_validate.yml b/.github/workflows/terraform_validate.yml index 20a30d1..5a9be07 100644 --- a/.github/workflows/terraform_validate.yml +++ b/.github/workflows/terraform_validate.yml @@ -18,7 +18,7 @@ jobs: max-parallel: 10 matrix: terraform_ver: [~1.0.0, ~1.1.0, ~1.2.0, ~1.3.0] - terraform_module_parent: [all, aws_ec2_instance, ibmcloud_vs, ibmcloud_powervs, ibmpowervc, msazure_vm] + terraform_module_parent: [all, aws_ec2_instance, ibmcloud_vs, ibmcloud_powervs, ibmpowervc, msazure_vm, vmware_vm] steps: - name: Checkout uses: actions/checkout@v3.1.0 From 844eb6148051ebd14711398258e498a527ebea64 Mon Sep 17 00:00:00 2001 From: sean-freeman Date: Wed, 25 Jan 2023 12:52:54 +0000 Subject: [PATCH 17/18] fix: update readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 42e545a..f8d3230 100644 --- a/README.md +++ b/README.md 
@@ -56,7 +56,7 @@ The below table lists the Terraform Modules for SAP, and any detailed documentat |  IBM Power Virtualization Center | N/A | |  Microsoft Azure Virtual Machine| N/A | |  ~~oVirt KVM Virtual Machine~~ | N/A | -|  ~~VMware vSphere Virtual Machine~~ | N/A | +|  VMware vSphere Virtual Machine | [/vmware_vm/host_provision](/docs/tf_modules/tf_mod_vmware_vm_host_provision.md) | |  Generic documentation |
  • [**/host_network_access_sap](/docs/tf_modules/tf_mod_host_network_access_sap.md)
| | **TF Modules as wrapper to Ansible for SAP solution scenarios** | - | |   SAP BW/4HANA single-node | /all/ansible_sap_bw4hana_install | From 21af49f40d4db60b4c3f4afe128fcd8ae5960688 Mon Sep 17 00:00:00 2001 From: sean-freeman Date: Wed, 25 Jan 2023 13:33:51 +0000 Subject: [PATCH 18/18] fix: minor doc updates --- .../tf_mod_vmware_vm_host_provision.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/docs/tf_modules/tf_mod_vmware_vm_host_provision.md b/docs/tf_modules/tf_mod_vmware_vm_host_provision.md index 9993c1e..2d7348c 100644 --- a/docs/tf_modules/tf_mod_vmware_vm_host_provision.md +++ b/docs/tf_modules/tf_mod_vmware_vm_host_provision.md @@ -1,7 +1,15 @@ # Terraform Module - VMware Virtual Machine +## Requirements + +- VMware vCenter and VMware vSphere (7.x and above) +- Network access setup for successful VMware Virtual Machine provisioning and subsequent SSH access from Terraform/Ansible, see below for more details + + ## VMware VM Template setup +The following are required setup items for provisioning VMware Virtual Machines: + - **OS Image with cloud-init installed** - Edit the default cloud-init configuration file, found at `/etc/cloud`. It must contain the data source for VMware (and not OVF), and force use of cloud-init metadata and userdata files. ``` 
@@ -21,7 +29,11 @@ - cloud-init documentation - Reference - Datasources - VMware (https://cloudinit.readthedocs.io/en/latest/reference/datasources/vmware.html) -## VMware vCenter and vSphere clusters with VMware NSX virtualized network overlays +## VMware networking setup + +The following are required setup items for provisioning VMware Virtual Machines. + +### VMware vCenter and vSphere clusters with VMware NSX virtualized network overlays For VMware vCenter and vSphere clusters with VMware NSX virtualized network overlays using Segments (e.g. 192.168.0.0/16) connected to Tier-0/Tier-1 Gateways (which are bound to the backbone network subnet, e.g. 10.0.0.0/8), the following are required: @@ -32,7 +44,7 @@ For VMware vCenter and vSphere clusters with VMware NSX virtualized network over - **DNS Server (Private)** is recommended to assist custom/private root domain resolution (e.g. poc.cloud) -## VMware vCenter and vSphere clusters with direct network subnet IP allocation +### VMware vCenter and vSphere clusters with direct network subnet IP allocation For VMware vCenter and vSphere clusters with direct network subnet IP allocations to the VMXNet network adapter (no VMware NSX network overlays), the following are required:
