terraform-ibm-modules
diff --git a/‎.secrets.baseline
Lines changed: 3 additions & 3 deletions b/‎.secrets.baseline
Lines changed: 3 additions & 3 deletions
diff --git a/‎ibm_catalog.json
Lines changed: 2 additions & 2 deletions b/‎ibm_catalog.json
Lines changed: 2 additions & 2 deletions
diff --git a/‎modules/ansible/templates-ansible/configure-scc-wp-agent/ansible_configure_scc_wp_agent.sh.tftpl
Lines changed: 23 additions & 0 deletions b/‎modules/ansible/templates-ansible/configure-scc-wp-agent/ansible_configure_scc_wp_agent.sh.tftpl
Lines changed: 23 additions & 0 deletions
diff --git a/‎modules/ansible/templates-ansible/configure-scc-wp-agent/playbook-configure-scc-wp-agent.yml.tftpl
Lines changed: 56 additions & 0 deletions b/‎modules/ansible/templates-ansible/configure-scc-wp-agent/playbook-configure-scc-wp-agent.yml.tftpl
Lines changed: 56 additions & 0 deletions
diff --git a/‎modules/pi-sap-system-type1/README.md
Lines changed: 2 additions & 0 deletions b/‎modules/pi-sap-system-type1/README.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎modules/pi-sap-system-type1/main.tf
Lines changed: 42 additions & 9 deletions b/‎modules/pi-sap-system-type1/main.tf
Lines changed: 42 additions & 9 deletions
diff --git a/‎modules/pi-sap-system-type1/variables.tf
Lines changed: 16 additions & 0 deletions b/‎modules/pi-sap-system-type1/variables.tf
Lines changed: 16 additions & 0 deletions
diff --git a/‎reference-architectures/sap-ready-to-go/deploy-arch-ibm-pvs-sap-ready-to-go.md
Lines changed: 7 additions & 5 deletions b/‎reference-architectures/sap-ready-to-go/deploy-arch-ibm-pvs-sap-ready-to-go.md
Lines changed: 7 additions & 5 deletions
diff --git a/‎reference-architectures/sap-ready-to-go/deploy-arch-ibm-pvs-sap-ready-to-go.svg
Lines changed: 1 addition & 1 deletion b/‎reference-architectures/sap-ready-to-go/deploy-arch-ibm-pvs-sap-ready-to-go.svg
Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-01-30T15:02:17Z",
+  "generated_at": "2025-03-05T16:55:23Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -102,7 +102,7 @@
         "hashed_secret": "2254481e1661d8f017a712b0d1ad9a14fd9460a3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 56,
+        "line_number": 57,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -112,7 +112,7 @@
         "hashed_secret": "2254481e1661d8f017a712b0d1ad9a14fd9460a3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 65,
+        "line_number": 66,
         "type": "Secret Keyword",
         "verified_result": null
       }
 
@@ -379,7 +379,7 @@
                             {
                                 "diagram": {
                                     "caption": "Full SAP environment provisioned on a 'Power Virtual Server with VPC landing zone'",
-                                    "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-sap/refs/tags/v3.5.2/reference-architectures/sap-ready-to-go/deploy-arch-ibm-pvs-sap-ready-to-go.svg",
+                                    "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-sap/refs/tags/v3.6.0/reference-architectures/sap-ready-to-go/deploy-arch-ibm-pvs-sap-ready-to-go.svg",
                                     "type": "image/svg+xml"
                                 },
                                 "description": "'SAP ready PowerVS' variation of 'Power Virtual Server for SAP HANA' creates a basic and expandable SAP system landscape builds on the foundation of the 'Power Virtual Server with VPC landing zone'. PowerVS instances for SAP HANA, SAP NetWeaver and optionally for shared SAP files are deployed and preconfigured for SAP installation.\n\nServices such as DNS, NTP and NFS running in VPC and provided by 'Power Virtual Server with VPC landing zone' are leveraged.\n\nThe resulting SAP landscape leverages the services such as Activity Tracker, Cloud Object Storage, Key Management and the network connectivity configuration provided by 'Power Virtual Server with VPC landing zone'."
@@ -795,7 +795,7 @@
                             {
                                 "diagram": {
                                     "caption": "Full SAP S/4HANA or BW/4HANA environment provisioned on a 'Power Virtual Server with VPC landing zone'",
-                                    "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-sap/refs/tags/v3.5.2/reference-architectures/sap-s4hana-bw4hana/deploy-arch-ibm-pvs-sap-s4hana-bw4hana.svg",
+                                    "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-sap/refs/tags/v3.6.0/reference-architectures/sap-s4hana-bw4hana/deploy-arch-ibm-pvs-sap-s4hana-bw4hana.svg",
                                     "type": "image/svg+xml"
                                 },
                                 "description": "'SAP S/4HANA or BW/4HANA' variation of 'Power Virtual Server for SAP HANA' creates a basic and expandable SAP system landscape builds on the foundation of 'Power Virtual Server with VPC landing zone'. PowerVS instances for SAP HANA, SAP NetWeaver and optionally for shared SAP files are deployed and preconfigured for SAP installation. S/4HANA or BW/4HANA solution is installed based on selected version. \n\nServices such as DNS, NTP and NFS running in VPC and provided by 'Power Virtual Server with VPC landing zone' are leveraged.\n\nThe resulting SAP landscape leverages the services such as Activity Tracker, Cloud Object Storage, Key Management and the network connectivity configuration provided by the 'Power Virtual Server with VPC landing zone'. Additionally if a Monitoring Instance was configured in the 'Power Virtual Server with VPC landing zone' deployment, this solution will then install and enable SAP monitoring Dashboard."
 
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+### Using input variables from terraform
+ansible_playbook=${ansible_playbook_file}
+ansible_log_path=${ansible_log_path}
+ansible_inventory=${ansible_inventory}
+ansible_private_key_file=${ansible_private_key_file}
+
+# Create ansible.cfg file
+ansible_playbook_name=$(basename $${ansible_playbook})
+echo -e "[defaults]\nhost_key_checking=False" >ansible.cfg
+export ANSIBLE_LOG_PATH=$${ansible_log_path}/$${ansible_playbook_name}.$(date "+%Y.%m.%d-%H.%M.%S").log
+export ANSIBLE_PRIVATE_KEY_FILE=$${ansible_private_key_file}
+
+#Execute ansible playbook
+unbuffer ansible-playbook -i $${ansible_inventory} $${ansible_playbook} --vault-password-file password_file
+if [ $? -ne 0 ]; then
+    rm -rf $${ansible_private_key_file}
+    rm -rf password_file
+    exit 1
+fi
+echo \"Playbook command successful\"
+rm -rf $${ansible_private_key_file}
@@ -0,0 +1,56 @@
+# ------------------------------------------------------------------------
+# This playbook installs the sysdig agent and connects it to a
+# Security and Compliance Center Workload Protection instance
+# ------------------------------------------------------------------------
+
+---
+
+- name: Install and connect Sysdig Agent
+  hosts: all
+  vars:
+    wp_guid: "${SCC_WP_GUID}"
+    collector_endpoint: "${COLLECTOR_ENDPOINT}"
+    wp_api_endpoint: "${API_ENDPOINT}"
+    access_key: "${ACCESS_KEY}"
+  tasks:
+    - name: Check if agent is already running
+      ansible.builtin.stat:
+        path: /opt/draios/logs/running
+      register: file_exists_before
+
+    - name: Download Sysdig agent installation script
+      ansible.builtin.get_url:
+        url: https://ibm.biz/install-sysdig-agent
+        dest: /tmp/install-agent.sh
+        mode: "0755"
+      when: not file_exists_before.stat.exists
+      retries: 3
+      delay: 20
+
+    - name: Install Sysdig agent
+      ansible.builtin.command:
+        argv:
+          - /tmp/install-agent.sh
+          - --access_key
+          - "{{ access_key }}"
+          - --collector
+          - "{{ collector_endpoint }}"
+          - --collector_port
+          - 6443
+          - --secure
+          - true
+          - "{{ '--universal_ebpf' if ansible_kernel is version('5.8','>=') else '--kmod' }}"
+          - --additional_conf
+          - "sysdig_api_endpoint: {{ wp_api_endpoint }}\nhost_scanner:\n enabled: true\n scan_on_start: true\nkspm_analyzer:\n enabled: true"
+      when: not file_exists_before.stat.exists
+
+    - name: Ensure Sysdig agent is enabled and started
+      ansible.builtin.service:
+        name: dragent
+        state: started
+        enabled: true
+
+    - name: Wait for Sysdig agent to report as running
+      ansible.builtin.wait_for:
+        path: /opt/draios/logs/running
+        timeout: 120
@@ -34,6 +34,7 @@ The Power Virtual Server for SAP module automates the following tasks:
 | <a name="module_ansible_netweaver_sapmnt_mount"></a> [ansible\_netweaver\_sapmnt\_mount](#module\_ansible\_netweaver\_sapmnt\_mount) | ../ansible | n/a |
 | <a name="module_ansible_sap_instance_init"></a> [ansible\_sap\_instance\_init](#module\_ansible\_sap\_instance\_init) | ../ansible | n/a |
 | <a name="module_ansible_sharefs_instance_exportfs"></a> [ansible\_sharefs\_instance\_exportfs](#module\_ansible\_sharefs\_instance\_exportfs) | ../ansible | n/a |
+| <a name="module_configure_scc_wp_agent"></a> [configure\_scc\_wp\_agent](#module\_configure\_scc\_wp\_agent) | ..//ansible | n/a |
 | <a name="module_pi_hana_instance"></a> [pi\_hana\_instance](#module\_pi\_hana\_instance) | terraform-ibm-modules/powervs-instance/ibm | 2.4.2 |
 | <a name="module_pi_hana_storage_calculation"></a> [pi\_hana\_storage\_calculation](#module\_pi\_hana\_storage\_calculation) | ../pi-hana-storage-config | n/a |
 | <a name="module_pi_netweaver_instance"></a> [pi\_netweaver\_instance](#module\_pi\_netweaver\_instance) | terraform-ibm-modules/powervs-instance/ibm | 2.4.2 |
@@ -63,6 +64,7 @@ The Power Virtual Server for SAP module automates the following tasks:
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | Unique prefix for resources to be created (e.g., SAP system name). | `string` | n/a | yes |
 | <a name="input_sap_domain"></a> [sap\_domain](#input\_sap\_domain) | SAP network domain name. | `string` | `"sap.com"` | no |
 | <a name="input_sap_network_services_config"></a> [sap\_network\_services\_config](#input\_sap\_network\_services\_config) | Configures network services NTP, NFS and DNS on PowerVS instance. Requires 'pi\_instance\_init\_linux' to be specified. | <pre>object(<br/>    {<br/>      squid = object({ enable = bool, squid_server_ip_port = string, no_proxy_hosts = string })<br/>      nfs   = object({ enable = bool, nfs_server_path = string, nfs_client_path = string, opts = string, fstype = string })<br/>      dns   = object({ enable = bool, dns_server_ip = string })<br/>      ntp   = object({ enable = bool, ntp_server_ip = string })<br/>    }<br/>  )</pre> | <pre>{<br/>  "dns": {<br/>    "dns_server_ip": "",<br/>    "enable": false<br/>  },<br/>  "nfs": {<br/>    "enable": false,<br/>    "fstype": "",<br/>    "nfs_client_path": "",<br/>    "nfs_server_path": "",<br/>    "opts": ""<br/>  },<br/>  "ntp": {<br/>    "enable": false,<br/>    "ntp_server_ip": ""<br/>  },<br/>  "squid": {<br/>    "enable": false,<br/>    "no_proxy_hosts": "",<br/>    "squid_server_ip_port": ""<br/>  }<br/>}</pre> | no |
+| <a name="input_scc_wp_instance"></a> [scc\_wp\_instance](#input\_scc\_wp\_instance) | SCC Workload Protection instance to connect to. Leave empty to not use it. | <pre>object({<br/>    guid               = string,<br/>    access_key         = string,<br/>    api_endpoint       = string,<br/>    ingestion_endpoint = string<br/>  })</pre> | <pre>{<br/>  "access_key": "",<br/>  "api_endpoint": "",<br/>  "guid": "",<br/>  "ingestion_endpoint": ""<br/>}</pre> | no |
 
 ### Outputs
 
 
@@ -50,14 +50,9 @@ locals {
   valid_sharefs_nfs_config = var.pi_sharefs_instance.enable && var.pi_sharefs_instance.storage_config != null ? var.pi_sharefs_instance.storage_config[0].name != "" ? true : false : false
   pi_sharefs_instance_nfs_server_config = {
     nfs = {
-      enable = local.valid_sharefs_nfs_config ? true : false,
-      nfs_file_system = local.valid_sharefs_nfs_config ? [
-        for volume in var.pi_sharefs_instance.storage_config :
-        { name       = volume.name,
-          mount_path = volume.mount,
-          size       = volume.size
-        }
-    ] : [] }
+      enable      = local.valid_sharefs_nfs_config ? true : false,
+      directories = local.valid_sharefs_nfs_config ? [for volume in var.pi_sharefs_instance.storage_config : volume.mount] : []
+    }
   }
 }
 
@@ -170,7 +165,9 @@ locals {
     nfs = {
       enable          = local.valid_sharefs_nfs_config ? true : false,
       nfs_server_path = local.valid_sharefs_nfs_config ? join(";", [for volume in var.pi_sharefs_instance.storage_config : "${module.pi_sharefs_instance[0].pi_instance_primary_ip}:${volume.mount}"]) : "",
-      nfs_client_path = local.valid_sharefs_nfs_config ? join(";", [for volume in var.pi_sharefs_instance.storage_config : volume.mount]) : ""
+      nfs_client_path = local.valid_sharefs_nfs_config ? join(";", [for volume in var.pi_sharefs_instance.storage_config : volume.mount]) : "",
+      opts            = "sec=sys,nfsvers=4.1,nofail",
+      fstype          = "nfs4"
     }
   }
 }
@@ -235,3 +232,39 @@ module "ansible_sap_instance_init" {
   dst_inventory_file_name     = "${local.sap_instance_names[count.index]}-instance-inventory"
   inventory_template_vars     = { "pi_instance_management_ip" : local.target_server_ips[count.index] }
 }
+
+#######################################################################
+# Ansible Install Sysdig agent and connect to SCC Workload Protection
+#######################################################################
+
+locals {
+  enable_scc_wp = var.scc_wp_instance.guid != "" && var.scc_wp_instance.ingestion_endpoint != "" && var.scc_wp_instance.api_endpoint != "" && var.scc_wp_instance.access_key != ""
+  scc_wp_playbook_template_vars = {
+    SCC_WP_GUID : var.scc_wp_instance.guid,
+    COLLECTOR_ENDPOINT : var.scc_wp_instance.ingestion_endpoint,
+    API_ENDPOINT : var.scc_wp_instance.api_endpoint,
+    ACCESS_KEY : var.scc_wp_instance.access_key
+  }
+}
+module "configure_scc_wp_agent" {
+
+  source     = "..//ansible"
+  depends_on = [module.pi_hana_instance, module.pi_netweaver_instance, module.ansible_netweaver_sapmnt_mount, module.ansible_sap_instance_init]
+  count      = local.enable_scc_wp ? 1 : 0
+
+  bastion_host_ip        = var.pi_instance_init_linux.bastion_host_ip
+  ansible_host_or_ip     = var.pi_instance_init_linux.ansible_host_or_ip
+  ssh_private_key        = var.pi_instance_init_linux.ssh_private_key
+  ansible_vault_password = var.ansible_vault_password
+  configure_ansible_host = false
+
+  src_script_template_name = "configure-scc-wp-agent/ansible_configure_scc_wp_agent.sh.tftpl"
+  dst_script_file_name     = "${var.prefix}-configure_scc_wp_agent.sh"
+
+  src_playbook_template_name  = "configure-scc-wp-agent/playbook-configure-scc-wp-agent.yml.tftpl"
+  dst_playbook_file_name      = "${var.prefix}-playbook-configure-scc-wp-agent.yml"
+  playbook_template_vars      = local.scc_wp_playbook_template_vars
+  src_inventory_template_name = "pi-instance-inventory.tftpl"
+  dst_inventory_file_name     = "${var.prefix}-scc-wp-inventory"
+  inventory_template_vars     = { "pi_instance_management_ip" : join("\n", [module.pi_hana_instance.pi_instance_primary_ip], var.pi_netweaver_instance.instance_count >= 1 ? module.pi_netweaver_instance[*].pi_instance_primary_ip : [], var.pi_sharefs_instance.enable ? [module.pi_sharefs_instance[0].pi_instance_primary_ip] : []) }
+}
@@ -221,3 +221,19 @@ variable "sap_domain" {
   type        = string
   default     = "sap.com"
 }
+
+variable "scc_wp_instance" {
+  description = "SCC Workload Protection instance to connect to. Leave empty to not use it."
+  type = object({
+    guid               = string,
+    access_key         = string,
+    api_endpoint       = string,
+    ingestion_endpoint = string
+  })
+  default = {
+    guid               = "",
+    access_key         = "",
+    api_endpoint       = "",
+    ingestion_endpoint = ""
+  }
+}
@@ -2,12 +2,13 @@
 
 copyright:
   years: 2024, 2025
-lastupdated: "2025-02-27"
+lastupdated: "2025-03-18"
 keywords:
 subcollection: deployable-reference-architectures
 authors:
   - name: Arnold Beilmann
   - name: Suraj Bharadwaj
+  - name: Ludwig Mueller
 production: true
 deployment-url: https://cloud.ibm.com/catalog/architecture/deploy-arch-ibm-pvs-sap-9aa6135e-75d5-467e-9f4a-ac2a21c069b8-global
 docs: https://cloud.ibm.com/docs/sap-powervs
@@ -16,7 +17,7 @@ use-case: ITServiceManagement
 industry: Technology
 compliance: SAPCertified
 content-type: reference-architecture
-version: v3.5.2
+version: v3.6.0
 related_links:
   - title: 'SAP in IBM Cloud documentation'
     url: 'https://cloud.ibm.com/docs/sap'
@@ -38,15 +39,15 @@ related_links:
 {: toc-industry="Technology"}
 {: toc-use-case="ITServiceManagement"}
 {: toc-compliance="SAPCertified"}
-{: toc-version="3.5.2"}
+{: toc-version="v3.6.0"}
 
-The SAP-ready PowerVS variation of the Power Virtual Server for SAP HANA creates a basic and expandable SAP system landscape. The variation builds on the foundation of the VPC landing zone and Power Virtual Server with VPC landing zone. PowerVS instances for SAP HANA, SAP NetWeaver, and optionally for shared SAP files are deployed and preconfigured for SAP installation.
+The SAP-ready PowerVS variation of the Power Virtual Server for SAP HANA creates a basic and expandable SAP system landscape. The variation builds on the foundation of the VPC landing zone and Power Virtual Server with VPC landing zone. PowerVS instances for SAP HANA, SAP NetWeaver, and optionally for shared SAP files are deployed and pre-configured for SAP installation.
 
 Services such as DNS, NTP, and NFS running in VPC and provided by Power Virtual Server with VPC landing zone are leveraged.
 
 The transit gateway provide the network bridge between the IBM Power infrastructure and the IBM Cloud® VPC and public internet.
 
-The resulting SAP landscape leverages the services such as Activity Tracker, Cloud Object Storage, Key Management from the VPC landing zone and the network connectivity configuration provided by Power Virtual Server with VPC landing zone.
+The resulting SAP landscape leverages services such as Activity Tracker, Cloud Object Storage, Key Management from the VPC landing zone and the network connectivity configuration provided by Power Virtual Server with VPC landing zone. Additionally, it will also setup SCC Workload Protection if the feature was enabled during the landing zone deployment.
 
 ## Architecture diagram
 {: #sap-ready-to-go-architecture-diagram}
@@ -81,6 +82,7 @@ IBM Cloud Power Virtual Servers (PowerVS) is a public cloud offering that allows
 |* Deploy PowerVS instance for SAP HANA workload  \n * Use SAP certified configurations regarding CPU and memory combinations (t-shirt sizes)  \n * Prepare operating system for SAP HANA workload | PowerVS instance | * Allow customer to specify certified SAP configuration and calculate all additional parameters automatically  \n * Attach all required storage filesystems based on PowerVS instance memory size  \n * Attach networks for management, backup and for SAP system internal communication  \n * Connect instance with infrastructure management services like DNS, NTP, NFS  \n * Perform OS configuration for SAP HANA| Allow customer to specify additional parameters, like non-standard file system sizes |
 |* Deploy PowerVS instances for SAP NetWeaver workload  \n * Prepare operating system for SAP NetWeaver workload | PowerVS instance | * Allow customer to specify number of instances that must be deployed and CPU and memory for every instance  \n * Attach all required storage filesystems  \n * Attach networks for management, backup and for SAP system internal communication  \n * Connect instance with infrastructure management services like DNS, NTP, NFS  \n * Perform OS configuration for SAP NetWeaver | Allow customer to specify additional parameters, like non-standard file system sizes |
 |* Deploy PowerVS instance for hosting shared SAP system files  \n * Prepare operating system | PowerVS instance | Host shared SAP system files on one of PowerVS instances for SAP NetWeaver and do not deploy a separate PowerVS instance | * Allow customer to deploy PowerVS instance with specified CPU and memory  \n * Attach specified storage filesystems  \n * Attach networks for management, backup and for SAP system internal communication  \n * Connect instance with infrastructure management services like DNS, NTP, NFS  \n * Perform OS configuration  \n * Allow customer to specify additional parameters, like non-standard file system sizes |
+|* Optionally, enable [Security and Compliance Center Workload Protection](/docs/workload-protection) on the PowerVS instances \n * Collect posture management information, enable vulnerability scanning and threat detection|IBM Cloud® Security and Compliance Center Workload Protection, Sysdig agent on all PowerVS instances in the deployment.|Optionally, install and configure the sysdig agent on PowerVS instances in the deployment | The automation automatically picks up the configuration from the landing zone. If SCC Workload Protection is enabled in the landing zone, the Sysdig agent will be installed and configured on all PowerVS instances in this deployment. |
 {: caption="Table 2. PowerVS workspace architecture decisions" caption-side="bottom"}
 
 ### Key and password management architecture decisions