AWS for SAP

Terraform your SAP Infrastructure on AWS

Infrastructure as Code

Customers’ SAP systems are critical for business operations, so when architects and administrators plan their deployments and operations there is a focus on following SAP best practices. Moreover, as workload requirements change, teams must iterate and adapt quickly to provision the required infrastructure keeping in mind all the security tenets, performance best practices, and other non-functional requirements.

The minimally required resources for a single SAP system would typically include:

  • Virtual Private Clouds and subnets
  • SAP application and database specific security group configuration
  • EC2 instances
  • EBS Volumes
  • Amazon EFS file system for sapmnt and DIR_TRANS folders
  • KMS Keys for encryption at rest
  • S3 buckets for installation files, SAP backups, and file archival
  • IAM roles for instances, application administrators, auditors, and others

SAP on AWS Reference Architecture

Furthermore, to maximize efficiency, improve operational excellence, and take advantage of other AWS services for SAP operations, customers also configure:

  • CloudWatch monitoring metrics, alarms, and events
  • Backup Tools (e.g. AWS Backint Agent)
  • Systems Manager Playbooks for operational automations
    • EC2 Start/Stop
    • Patch Management
    • SAP Profile Management
  • AWS Config Rules for compliance monitoring
  • Serverless applications for extending SAP capabilities

And this list is by no means complete. As the number of SAP systems in customer landscapes increases, the number of resources and services that need to be created and managed within AWS also grows. All these resources can be created very easily through the AWS Console, and this is an obvious first step to quickly get your first SAP system in the cloud up and running.

However, customers seldom need just one system in isolation. Customers are looking for a simpler way to automate their deployments that allows better collaboration and reduces the time and effort spent doing so.

Here is where the concept of Infrastructure as Code comes into the picture.

Infrastructure as code is a practice in which infrastructure is provisioned and managed using code and software development techniques, such as version control and continuous integration. The AWS cloud offers an API-driven model which enables developers and system administrators to interact with infrastructure programmatically, at scale, instead of manually setting up and configuring resources. Because the resources and services are defined as code, infrastructure and servers can quickly be deployed using standardized patterns, updated with the latest patches/versions, and duplicated in repeatable ways.

This concept allows you to define AWS cloud resources as text-based configuration files and enables your teams to:

  • Collaborate and share configurations
  • Evolve and version your infrastructure
  • Automate provisioning

AWS CloudFormation and AWS Cloud Development Kit are native AWS tools you can use to describe the required resources in JSON, YAML, TypeScript, Python, or Java.

This enables customers to quickly deploy SAP infrastructure on AWS by utilizing SAP QuickStarts as well as AWS Launch Wizard. With AWS Launch Wizard, customer teams can build SAP systems that align with AWS best practices rapidly from the AWS Console following a guided experience designed for SAP administrators.

DevOps for SAP Infrastructure

Having your infrastructure defined as code brings another benefit. It allows you to implement a DevOps model in the SAP Basis world.

Delivery Pipeline

Automating the SAP provisioning in all the layers brings the following advantages:

  • Rapid delivery
  • Scale
  • Reliability
  • Improved collaboration
  • Security

You can find additional information on this topic at the following link.

Hashicorp Terraform

Hashicorp’s Terraform is one of the most popular infrastructure as code tools in the cloud business—in fact, 68% of developers that use it love it.

There are multiple reasons for this:

  • Easy to learn and read configuration language
  • 200+ providers that allow you to configure multiple parts of your system in a single configuration
  • Strong community with 300+ modules

In the SAP Practice of AWS Professional Services, we help customers who prefer Terraform as the tool of choice to build their automation factory. We realized that for customers to do this all by themselves, it could take several months in a typical project.

Being customer-obsessed and focusing on the feedback from our clients, we decided to build SAP systems that take into account SAP best practices and AWS Best Practices.

We want to share some of the modules we developed internally as open source and have published them on GitHub.

We have also registered our modules with the Terraform Registry so you can natively use them within the Hashicorp suite of tools.

These modules are easy to add to your existing Terraform configuration, or, if you are starting your journey with Terraform, you can simply clone the repository and get started with a new Terraform configuration.

For example, this is what provisioning of HANA infrastructure looks like:

```hcl
module "hana_host" {
  source = "./../../../../modules/sap-netweaver-instances/hana-host"

  # If you want high availability
  instance_count = 2
  # Instance type - should be from the list of certified HANA instance sizes
  instance_type = "r5.4xlarge"
  enabled       = true
  ami_id        = "ami-xyz123"

  # General

  # KMS Key for EBS Volumes Encryption
  kms_key_arn = "arn:aws:kms:us-east-1:12345678910:key/xyz12345-xyz1-xyz1-xyz12-xyz12345678910"

  # Networking
  vpc_id = "vpc-xyz123"

  # The list of subnets to deploy the instances
  subnet_ids = ["subnet-xyz123", "subnet-xyz789"]
  # The Route53 private Zone name to create the host entry
  dns_zone_name = "customer.com"
  # The CIDR block for the onPremise Network
  customer_cidr_blocks = ["10.0.0.0/16"]
  # The default security group to be added
  customer_default_sg_id = "default"

  # Instance Role
  iam_instance_role = "sap-instance-role"

  # Tags
  app_code         = "S4H"
  environment      = "prod"
  application_name = "ECC"

  # SAP
  sid = "DWE"
}
```

Conditional Creation

Often you need a way to create instances conditionally, but Terraform does not allow us to use `count` inside a `module` block, so the solution is to specify the `enabled` argument.

This argument is available in all the modules.

```hcl
# The HANA host resources will not be created
module "hana_host" {
  source = "./../../../../modules/sap-netweaver-instances/hana-host"

  enabled = false
  # ... omitted
}
```

High Availability

If you are setting up a highly available system, you can specify how many instances of the HANA module you need by utilizing the `instance_count` parameter.

In the case of HANA scale-out – double the number of nodes.

```hcl
# Two HANA instances will be provisioned
module "hana_host" {
  source = "./../../../../modules/sap-netweaver-instances/hana-host"

  instance_count = 2
  # ... omitted
}
```

Instance Roles

Instances can be provided with the default role with AWS Systems Manager authorizations by setting `default_iam_role` to `true`.

If you want to provide a custom role for the instances – provide the ARN of the required role as the `iam_role` parameter.

```hcl
# The provided role will be attached
module "hana_host" {
  source = "./../../../../modules/sap-netweaver-instances/hana-host"

  # Replace the placeholder with the ARN of your instance role
  iam_role = "<instance_role_arn>"
  # ... omitted
}
```

```hcl
# The default role will be created and attached
module "hana_host" {
  source = "./../../../../modules/sap-netweaver-instances/hana-host"

  default_iam_role = true
  # ... omitted
}
```

Encryption at rest

If you want to enable encryption for the EFS or EBS volumes – provide the KMS key ARN as an input parameter. Otherwise, leave it empty and encryption will stay inactive.

```hcl
# The EBS and EFS volumes will be encrypted with the provided KMS key
module "hana_host" {
  source = "./../../../../modules/sap-netweaver-instances/hana-host"

  # Replace the placeholder with the ARN of your KMS key
  kms_key_arn = "<kms_key_arn>"
  # ... omitted
}
```
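Because an empty `kms_key_arn` leaves encryption inactive without any error, it helps to check the plan before applying it. The following is an added example, not part of the published modules: it reads the JSON produced by `terraform show -json <planfile>` and lists planned EBS volumes, EFS file systems and instance block devices that do not have `encrypted` set to true. The resource addresses in the sample are constructed, and the check assumes the modules create standard `aws_ebs_volume`, `aws_efs_file_system` and `aws_instance` resources.

```python
import json

# Resource types that hold SAP data at rest (assumed to be what the modules create).
VOLUME_TYPES = {"aws_ebs_volume", "aws_efs_file_system"}
INSTANCE_BLOCKS = ("root_block_device", "ebs_block_device")


def unencrypted_resources(plan: dict) -> list[str]:
    """Return addresses of planned storage that is not explicitly encrypted."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        # Skip deletions and no-ops: nothing new is being written.
        if after is None or set(change.get("actions", [])) <= {"no-op", "delete"}:
            continue
        if rc.get("type") in VOLUME_TYPES:
            if after.get("encrypted") is not True:
                findings.append(rc["address"])
        elif rc.get("type") == "aws_instance":
            for block in INSTANCE_BLOCKS:
                for i, dev in enumerate(after.get(block) or []):
                    if dev.get("encrypted") is not True:
                        findings.append(f'{rc["address"]}.{block}[{i}]')
    return findings


# Constructed sample in the shape of `terraform show -json <planfile>`;
# the module and resource names are made up for illustration.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.hana_host.aws_ebs_volume.data[0]", "type": "aws_ebs_volume",
   "change": {"actions": ["create"], "after": {"encrypted": true, "size": 512}}},
  {"address": "module.hana_host.aws_ebs_volume.log[0]", "type": "aws_ebs_volume",
   "change": {"actions": ["create"], "after": {"encrypted": false, "size": 128}}},
  {"address": "module.sapmnt.aws_efs_file_system.this", "type": "aws_efs_file_system",
   "change": {"actions": ["create"], "after": {"encrypted": null}}},
  {"address": "module.hana_host.aws_instance.this[0]", "type": "aws_instance",
   "change": {"actions": ["create"],
              "after": {"root_block_device": [{"volume_size": 50}]}}}
]}
""")

if __name__ == "__main__":
    for address in unencrypted_resources(SAMPLE_PLAN):
        print("NOT ENCRYPTED:", address)
```

A block device whose `encrypted` value is only known after apply is reported as well; account-level EBS encryption by default may still encrypt it, so treat such a finding as a prompt to pass the key explicitly.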

EC2 Instance Auto-Recovery

With AWS you can arrange for automatic recovery of an EC2 instance when a system status check of the underlying hardware fails. The instance will be rebooted (on new hardware if necessary) but will retain its Instance ID, IP Address, Elastic IP Addresses, EBS Volume attachments, and other configuration details. For the recovery to be complete, you’ll need to make sure that the instance automatically starts up any services or applications as part of its initialization process.

Instance auto-recovery is built into the modules.

Instance User Data

Instances can be provided with the default initialization script. This script will install AWS CLI, AWS SSM agent, and CloudWatch Agent.

If you want to change this behavior, please provide the user data in the respective module input.

```hcl
# The provided user data will be attached
module "hana_host" {
  source = "./../../../../modules/sap-netweaver-instances/hana-host"

  # Replace the placeholder with your initialization script
  user_data = "<user_data_script>"
  # ... omitted
}
```

Conclusion

As we have demonstrated with our Terraform modules on GitHub and on the Terraform Registry, by defining SAP as code, infrastructure and servers can quickly be deployed using standardized patterns, updated with the latest patches/versions, and duplicated in repeatable ways to overcome some of the initial learning curve hurdles.

Terraform along with the AWS cloud API-driven model enables developers and system administrators to interact with infrastructure programmatically, at scale, instead of manually setting up and configuring resources.

This solution is easy to add to your existing Terraform configuration, or, if you are starting your journey with Terraform, you can simply clone the repository and get started with a new Terraform configuration.

Are you interested in learning more or maybe you would like a better understanding of how you can extend this solution for your project?

For more information, contact us at sap-on-aws@amazon.com.