feat: central ansible execution host support (#667)

BREAKING CHANGE: ansible module reworked

Author: surajsbharadwaj

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-04-29T13:31:31Z",
+  "generated_at": "2024-05-21T18:34:53Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -92,7 +92,7 @@
         "hashed_secret": "3bd02b996f65f3548c1a0b5d93b00bfa7c88341a",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 57,
+        "line_number": 55,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -102,7 +102,7 @@
         "hashed_secret": "3bd02b996f65f3548c1a0b5d93b00bfa7c88341a",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 62,
+        "line_number": 61,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -112,7 +112,7 @@
         "hashed_secret": "4d82fc4e8ef3a90cebdf3a1fc0e4abab79a41391",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 19,
+        "line_number": 18,
         "type": "Secret Keyword",
         "verified_result": null
       }

README.md

@@ -14,11 +14,11 @@ This repository contains deployable architecture solutions that help in deployin
 
 ### IBM catalog solutions that require a Schematics workspace ID of [Power Virtual Server with VPC landing zone](https://cloud.ibm.com/catalog/architecture/deploy-arch-ibm-pvs-inf-2dd486c7-b317-4aaa-907b-42671485ad96-global)
 1. [IBM catalog PowerVS SAP Ready variation](https://github.com/terraform-ibm-modules/terraform-ibm-powervs-sap/tree/main/solutions/ibm-catalog/sap-ready-to-go)
-    - Creates and configures **one HANA instance, zero to several NetWeaver instances, and one optional ShareFS** with **RHEL or SLES OS** distribution. Creates a private subnet for SAP communication for the entire landscape and attaches it to cloud connections (in non-PER DC).
+    - Creates and configures **one HANA instance, zero to several NetWeaver instances, and one optional ShareFS** with **RHEL or SLES OS** distribution. Creates a private subnet for SAP communication for the entire landscape.
     - Optionally configures OS network management services (NTP, NFS, and DNS services) using Ansible Galaxy Collection from [IBM](https://galaxy.ansible.com/ui/repo/published/ibm/power_linux_sap/): `power_linux_sap`
     - Additionally tunes the instances according to SAP's best practices, which are fully ready for hosting SAP applications.
 2. [IBM catalog PowerVS S/4HANA or BW/4HANA variation](https://github.com/terraform-ibm-modules/terraform-ibm-powervs-sap/tree/main/solutions/ibm-catalog/sap-s4hana-bw4hana)
-    - Creates and configures **one HANA instance, one NetWeaver instance, and one optional ShareFS** with **RHEL** OS distribution. Creates a private subnet for SAP communication for the entire landscape and attaches it to cloud connections (in non-PER DC).
+    - Creates and configures **one HANA instance, one NetWeaver instance, and one optional ShareFS** with **RHEL** OS distribution. Creates a private subnet for SAP communication for the entire landscape.
     - Optionally configures OS network management services (NTP, NFS, and DNS services) using Ansible Galaxy Collection from [IBM](https://galaxy.ansible.com/ui/repo/published/ibm/power_linux_sap/): `power_linux_sap`
     - Tunes the instances according to SAP's best practices.
     - Downloads user-provided preloaded SAP Installation binaries from IBM Cloud Object Storage Bucket.
@@ -27,12 +27,12 @@ This repository contains deployable architecture solutions that help in deployin
 
 ### Solutions independent of IBM Cloud prerequisite Schematics workspace ID:
 1. [PowerVS SAP Ready variation](https://github.com/terraform-ibm-modules/terraform-ibm-powervs-sap/tree/main/solutions/sap-ready-to-go)
-   - Creates and configures **one HANA instance, zero to several NetWeaver instances and one optional ShareFS** with **RHEL or SLES OS** distribution. Creates a private subnet for SAP communication for the entire landscape, and attaches it to cloud connections (in non-PER DC).
+   - Creates and configures **one HANA instance, zero to several NetWeaver instances and one optional ShareFS** with **RHEL or SLES OS** distribution. Creates a private subnet for SAP communication for the entire landscape
    - Optionally configures OS network management services (NTP, NFS, and DNS services) using Ansible Galaxy collection from [IBM](https://galaxy.ansible.com/ui/repo/published/ibm/power_linux_sap/)
    - Additionally tunes the instances according to SAP's best practices, which is fully ready for hosting SAP applications.
 2. [End-to-End Solution](https://github.com/terraform-ibm-modules/terraform-ibm-powervs-sap/tree/main/solutions/e2e)
-    - Creates a [Power Virtual Server with vpc landing zone](https://github.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/tree/main/modules/powervs-vpc-landing-zone) which creates a VPC Infrastructure and PowerVS infrastructure. Installs and configures the Squid Proxy, DNS Forwarder, NTP forwarder, and NFS on hosts, and sets the host as the server for the NTP, NFS, and DNS services by using Ansible Galaxy Collection from [IBM](https://galaxy.ansible.com/ui/repo/published/ibm/power_linux_sap/): `power_linux_sap`
-    - Creates and configures **one HANA instance, zero to several NetWeaver instances, and one optional ShareFS** with **RHEL or SLES OS** distribution. Creates a private subnet for SAP communication for the entire landscape, and attaches it to cloud connections (in non-PER DC).
+    - Creates a [Power Virtual Server with vpc landing zone](https://github.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/tree/main/modules/powervs-vpc-landing-zone) which creates a VPC Infrastructure and PowerVS infrastructure. Installs and configures the Squid Proxy, DNS Forwarder, NTP forwarder, and NFS as a service on hosts, and sets the host as the server for the NTP, SQUID proxy and DNS services by using Ansible Galaxy Collection from [IBM](https://galaxy.ansible.com/ui/repo/published/ibm/power_linux_sap/): `power_linux_sap`
+    - Creates and configures **one HANA instance, zero to several NetWeaver instances, and one optional ShareFS** with **RHEL or SLES OS** distribution. Creates a private subnet for SAP communication for the entire landscape.
     - Optionally configures OS network management services (NTP, NFS, and DNS services) using Ansible Galaxy Collection from [IBM](https://galaxy.ansible.com/ui/repo/published/ibm/power_linux_sap/): `power_linux_sap`
     - Additionally tunes the instances according to SAP's best practices, which is fully ready for hosting SAP applications.
 
@@ -52,14 +52,6 @@ This repository contains deployable architecture solutions that help in deployin
 |                      [ End-to-End ]( ./solutions/e2e/ )                     |            N/A           |                N/A               |           :heavy_check_mark:          |               1               |            0 to N            |     :heavy_check_mark:     |      :heavy_check_mark:     |          N/A         |
 
 
-<!-- BEGIN OVERVIEW HOOK -->
-## Overview
-* [terraform-ibm-powervs-sap](#terraform-ibm-powervs-sap)
-* [Submodules](./modules)
-    * [pi-sap-system-type1](./modules/pi-sap-system-type1)
-* [Contributing](#contributing)
-<!-- END OVERVIEW HOOK -->
-
 
 ## Required IAM access policies
 

cra-config.yaml

@@ -7,7 +7,6 @@ CRA_TARGETS:
       TF_VAR_prefix: "cra-sap"
       TF_VAR_powervs_zone: "syd05"
       TF_VAR_powervs_resource_group_name: "Default"
-      TF_VAR_landing_zone_configuration: "3VPC_RHEL"
       TF_VAR_external_access_ip: "0.0.0.0/0"
       TF_VAR_powervs_create_separate_sharefs_instance: false
       TF_VAR_os_image_distro: "RHEL"

cra-tf-validate-ignore-rules.json

@@ -11,6 +11,18 @@
             "description": "Check whether Flow Logs for VPC are enabled",
             "ignore_reason": "In order for this rule to pass, Context Based Restrictions (CBRs) support needs to be added to the module (tracking in https://github.ibm.com/GoldenEye/issues/issues/5626). Even after that is added, there is still a dependency on SCC to support scanning for CBR rules. SCC CBR support is being tracked in https://github.ibm.com/project-fortress/pm/issues/11800.",
             "is_valid": true
+        },
+        {
+            "scc_rule_id": "rule-8c923215-afdc-41b1-886c-64ce78741f8c",
+            "description": "Check whether Application Load Balancer for VPC has health check configured when created",
+            "ignore_reason": "In order for this rule to pass, Context Based Restrictions (CBRs) support needs to be added to the module (tracking in https://github.ibm.com/GoldenEye/issues/issues/5626). Even after that is added, there is still a dependency on SCC to support scanning for CBR rules. SCC CBR support is being tracked in https://github.ibm.com/project-fortress/pm/issues/11800.",
+            "is_valid": true
+        },
+        {
+            "scc_rule_id": "rule-65b61a0f-ffdb-41ba-873d-ad329e7fc0ee",
+            "description": "Check whether Application Load Balancer for VPC is configured to convert HTTP client requests to HTTPS",
+            "ignore_reason": "In order for this rule to pass, Context Based Restrictions (CBRs) support needs to be added to the module (tracking in https://github.ibm.com/GoldenEye/issues/issues/5626). Even after that is added, there is still a dependency on SCC to support scanning for CBR rules. SCC CBR support is being tracked in https://github.ibm.com/project-fortress/pm/issues/11800.",
+            "is_valid": true
         }
     ]
 }

ibm_catalog.json

@@ -53,12 +53,13 @@
                         {
                             "flavors": [
                                 "powervs-workspace",
-                                "powervs-import-workspace"
+                                "powervs-import-workspace",
+                                "powervs-quickstart"
                             ],
                             "id": "2dd486c7-b317-4aaa-907b-42671485ad96-global",
                             "name": "deploy-arch-ibm-pvs-inf",
                             "install_type": "fullstack",
-                            "version": ">=3.0.0"
+                            "version": ">=5.0.0"
                         }
                     ],
                     "configuration": [
@@ -69,7 +70,7 @@
                                 "config_constraints": {
                                     "catalogID": "1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc",
                                     "offeringID": "2dd486c7-b317-4aaa-907b-42671485ad96-global",
-                                    "versionConstraint": ">=3.0.0"
+                                    "versionConstraint": ">=5.0.0"
                                 },
                                 "grouping": "deployment",
                                 "original_grouping": "deployment",
@@ -353,7 +354,7 @@
                                     "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-sap/main/reference-architectures/sap-ready-to-go/deploy-arch-ibm-pvs-sap-ready-to-go.svg",
                                     "type": "image/svg+xml"
                                 },
-                                "description": "'SAP ready PowerVS' variation of 'Power Virtual Server for SAP HANA' creates a basic and expandable SAP system landscape builds on the foundation of the 'Power Virtual Server with VPC landing zone'. PowerVS instances for SAP HANA, SAP NetWeaver and optionally for shared SAP files are deployed and preconfigured for SAP installation.\n\nServices such as DNS, NTP and NFS running in VPC and provided by 'Power Virtual Server with VPC landing zone' are leveraged.\n\nRedundant IBM Cloud Connections provide the network bridge between the IBM Power infrastructure and the IBM VPC and public internet.\n\nThe resulting SAP landscape leverages the services such as Activity Tracker, Cloud Object Storage, Key Management and the network connectivity configuration provided by 'Power Virtual Server with VPC landing zone'."
+                                "description": "'SAP ready PowerVS' variation of 'Power Virtual Server for SAP HANA' creates a basic and expandable SAP system landscape builds on the foundation of the 'Power Virtual Server with VPC landing zone'. PowerVS instances for SAP HANA, SAP NetWeaver and optionally for shared SAP files are deployed and preconfigured for SAP installation.\n\nServices such as DNS, NTP and NFS running in VPC and provided by 'Power Virtual Server with VPC landing zone' are leveraged.\n\nThe resulting SAP landscape leverages the services such as Activity Tracker, Cloud Object Storage, Key Management and the network connectivity configuration provided by 'Power Virtual Server with VPC landing zone'."
                             }
                         ]
                     }
@@ -368,12 +369,13 @@
                         {
                             "flavors": [
                                 "powervs-workspace",
-                                "powervs-import-workspace"
+                                "powervs-import-workspace",
+                                "powervs-quickstart"
                             ],
                             "id": "2dd486c7-b317-4aaa-907b-42671485ad96-global",
                             "name": "deploy-arch-ibm-pvs-inf",
                             "install_type": "fullstack",
-                            "version": ">=3.0.0"
+                            "version": ">=5.0.0"
                         }
                     ],
                     "configuration": [
@@ -384,7 +386,7 @@
                                 "config_constraints": {
                                     "catalogID": "1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc",
                                     "offeringID": "2dd486c7-b317-4aaa-907b-42671485ad96-global",
-                                    "versionConstraint": ">=3.0.0"
+                                    "versionConstraint": ">=5.0.0"
                                 },
                                 "grouping": "deployment",
                                 "original_grouping": "deployment",
@@ -734,7 +736,7 @@
                                     "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-sap/main/reference-architectures/sap-s4hana-bw4hana/deploy-arch-ibm-pvs-sap-s4hana-bw4hana.svg",
                                     "type": "image/svg+xml"
                                 },
-                                "description": "'SAP S/4HANA or BW/4HANA' variation of 'Power Virtual Server for SAP HANA' creates a basic and expandable SAP system landscape builds on the foundation of 'Power Virtual Server with VPC landing zone'. PowerVS instances for SAP HANA, SAP NetWeaver and optionally for shared SAP files are deployed and preconfigured for SAP installation. S/4HANA or BW/4HANA solution is installed based on selected version. \n\nServices such as DNS, NTP and NFS running in VPC and provided by 'Power Virtual Server with VPC landing zone' are leveraged.\n\nRedundant IBM Cloud Connections provide the network bridge between the IBM Power infrastructure and the IBM VPC and public internet.\n\nThe resulting SAP landscape leverages the services such as Activity Tracker, Cloud Object Storage, Key Management and the network connectivity configuration provided by the 'Power Virtual Server with VPC landing zone'."
+                                "description": "'SAP S/4HANA or BW/4HANA' variation of 'Power Virtual Server for SAP HANA' creates a basic and expandable SAP system landscape builds on the foundation of 'Power Virtual Server with VPC landing zone'. PowerVS instances for SAP HANA, SAP NetWeaver and optionally for shared SAP files are deployed and preconfigured for SAP installation. S/4HANA or BW/4HANA solution is installed based on selected version. \n\nServices such as DNS, NTP and NFS running in VPC and provided by 'Power Virtual Server with VPC landing zone' are leveraged.\n\nThe resulting SAP landscape leverages the services such as Activity Tracker, Cloud Object Storage, Key Management and the network connectivity configuration provided by the 'Power Virtual Server with VPC landing zone'."
                             }
                         ]
                     }

modules/ansible/ansible_node_packages.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+############################################################
+# OS_Support: RHEL only                                    #
+# This bash script performs                                #
+# - installation of packages                               #
+# - ansible galaxy collections.                            #
+# - updates the OS                                         #
+############################################################
+
+GLOBAL_RHEL_PACKAGES="rhel-system-roles rhel-system-roles-sap expect"
+GLOBAL_GALAXY_COLLLECTIONS="ibm.power_linux_sap:2.1.0 ansible.utils:3.1.0 ansible.posix:1.5.4 community.general:8.4.0"
+
+############################################################
+# Start functions
+############################################################
+
+main::get_os_version() {
+    if grep -q "Red Hat" /etc/os-release; then
+        readonly LINUX_DISTRO="RHEL"
+    else
+        main::log_error "Unsupported Linux distribution. Only RHEL is supported."
+    fi
+    #readonly LINUX_VERSION=$(grep VERSION_ID /etc/os-release | awk -F '\"' '{ print $2 }')
+}
+
+main::log_info() {
+    local log_entry=${1}
+    echo "INFO - ${log_entry}"
+}
+
+main::log_error() {
+    local log_entry=${1}
+    echo "ERROR - Deployment exited - ${log_entry}"
+    exit 1
+}
+
+main::subscription_mgr_check_process() {
+
+    main::log_info "Sleeping 30 seconds for all subscription-manager process to finish."
+    sleep 30
+
+    ## check if subscription-manager is still running
+    while pgrep subscription-manager; do
+        main::log_info "--- subscription-manager is still running. Waiting 10 seconds before attempting to continue"
+        sleep 10s
+    done
+
+}
+
+############################################################
+# RHEL : Install Packages                                  #
+############################################################
+main::install_packages() {
+
+    if [[ ${LINUX_DISTRO} = "RHEL" ]]; then
+
+        main::subscription_mgr_check_process
+
+        ## enable repository for RHEL sap roles
+        subscription-manager repos --enable="rhel-$(rpm -E %rhel)-for-$(uname -m)-sap-solutions-rpms"
+
+        ## Install packages
+        for package in $GLOBAL_RHEL_PACKAGES; do
+            local count=0
+            local max_count=3
+            while ! dnf -y install "${package}"; do
+                count=$((count + 1))
+                sleep 3
+                # shellcheck disable=SC2317
+                if [[ ${count} -gt ${max_count} ]]; then
+                    main::log_error "Failed to install ${package}"
+                    break
+                fi
+            done
+        done
+
+        ## Download and install collections from ansible-galaxy
+
+        for collection in $GLOBAL_GALAXY_COLLLECTIONS; do
+            local count=0
+            local max_count=3
+            while ! ansible-galaxy collection install "${collection}"; do
+                count=$((count + 1))
+                sleep 3
+                # shellcheck disable=SC2317
+                if [[ ${count} -gt ${max_count} ]]; then
+                    main::log_error "Failed to install ansible galaxy collection ${collection}"
+                    break
+                fi
+            done
+        done
+
+        main::log_info "All packages installed successfully"
+    fi
+
+}
+
+############################################################
+# Main start here                                          #
+############################################################
+main::get_os_version
+main::install_packages