feat: support SAP monitoring on IBM Cloud Monitoring using prometheus hana db exporter (#752)

---------

Co-authored-by: stafaniasaju <stafania.saju@ibm.com>
Co-authored-by: surajsbharadwaj <suraj.bharadwaj@ibm.com>
Co-authored-by: surajsbharadwaj <101711050+surajsbharadwaj@users.noreply.github.com>
Co-authored-by: Terraform IBM Modules Operations <106112202+terraform-ibm-modules-ops@users.noreply.github.com>

Author: 4 people

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-12-06T13:41:59Z",
+  "generated_at": "2024-12-17T18:27:59Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -77,6 +77,26 @@
     }
   ],
   "results": {
+    "modules/ansible/templates-ansible/configure-monitoring-sap/ansible_configure_monitoring.sh.tftpl": [
+      {
+        "hashed_secret": "3e4bdbe0b80e63c22b178576e906810777387b50",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 10,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "modules/ansible/templates-ansible/configure-monitoring-sap/playbook-configure-monitoring-sap.yml.tftpl": [
+      {
+        "hashed_secret": "d2e2ab0f407e4ee3cf2ab87d61c31b25a74085e5",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 53,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
     "modules/pi-sap-system-type1/README.md": [
       {
         "hashed_secret": "2254481e1661d8f017a712b0d1ad9a14fd9460a3",

ibm_catalog.json

@@ -352,7 +352,7 @@
                             {
                                 "diagram": {
                                     "caption": "Full SAP environment provisioned on a 'Power Virtual Server with VPC landing zone'",
-                                    "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-sap/main/reference-architectures/sap-ready-to-go/deploy-arch-ibm-pvs-sap-ready-to-go.svg",
+                                    "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-sap/refs/tags/v3.4.0/reference-architectures/sap-ready-to-go/deploy-arch-ibm-pvs-sap-ready-to-go.svg",
                                     "type": "image/svg+xml"
                                 },
                                 "description": "'SAP ready PowerVS' variation of 'Power Virtual Server for SAP HANA' creates a basic and expandable SAP system landscape builds on the foundation of the 'Power Virtual Server with VPC landing zone'. PowerVS instances for SAP HANA, SAP NetWeaver and optionally for shared SAP files are deployed and preconfigured for SAP installation.\n\nServices such as DNS, NTP and NFS running in VPC and provided by 'Power Virtual Server with VPC landing zone' are leveraged.\n\nThe resulting SAP landscape leverages the services such as Activity Tracker, Cloud Object Storage, Key Management and the network connectivity configuration provided by 'Power Virtual Server with VPC landing zone'."
@@ -599,6 +599,15 @@
                                 "type": "json_editor"
                             }
                         },
+                        {
+                            "key": "sap_monitoring_vars",
+                            "required": true,
+                            "custom_config": {
+                                "grouping": "deployment",
+                                "original_grouping": "deployment",
+                                "type": "json_editor"
+                            }
+                        },
                         {
                             "key": "sap_domain",
                             "required": true
@@ -692,6 +701,9 @@
                         },
                         {
                             "key": "sap_solution_vars"
+                        },
+                        {
+                            "key": "sap_monitoring_vars"
                         }
                     ],
                     "iam_permissions": [
@@ -739,7 +751,7 @@
                             {
                                 "diagram": {
                                     "caption": "Full SAP S/4HANA or BW/4HANA environment provisioned on a 'Power Virtual Server with VPC landing zone'",
-                                    "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-sap/main/reference-architectures/sap-s4hana-bw4hana/deploy-arch-ibm-pvs-sap-s4hana-bw4hana.svg",
+                                    "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-sap/refs/tags/v3.4.0/reference-architectures/sap-s4hana-bw4hana/deploy-arch-ibm-pvs-sap-s4hana-bw4hana.svg",
                                     "type": "image/svg+xml"
                                 },
                                 "description": "'SAP S/4HANA or BW/4HANA' variation of 'Power Virtual Server for SAP HANA' creates a basic and expandable SAP system landscape builds on the foundation of 'Power Virtual Server with VPC landing zone'. PowerVS instances for SAP HANA, SAP NetWeaver and optionally for shared SAP files are deployed and preconfigured for SAP installation. S/4HANA or BW/4HANA solution is installed based on selected version. \n\nServices such as DNS, NTP and NFS running in VPC and provided by 'Power Virtual Server with VPC landing zone' are leveraged.\n\nThe resulting SAP landscape leverages the services such as Activity Tracker, Cloud Object Storage, Key Management and the network connectivity configuration provided by the 'Power Virtual Server with VPC landing zone'."

modules/ansible/main.tf

@@ -9,6 +9,7 @@ locals {
   dst_playbook_file_path   = "${local.dst_files_dir}/${var.dst_playbook_file_name}"
   src_inventory_tftpl_path = "${local.src_ansible_templates_dir}/${var.src_inventory_template_name}"
   dst_inventory_file_path  = "${local.dst_files_dir}/${var.dst_inventory_file_name}"
+  ibmcloud_api_key         = var.ibmcloud_api_key == null ? "" : nonsensitive(var.ibmcloud_api_key)
 
 }
 
@@ -202,7 +203,7 @@ resource "terraform_data" "execute_playbooks_with_vault" {
   provisioner "remote-exec" {
     inline = [
       "chmod +x ${local.dst_script_file_path}",
-      local.dst_script_file_path,
+      "export IBMCLOUD_API_KEY=${local.ibmcloud_api_key} && ${local.dst_script_file_path}",
     ]
   }
 

modules/ansible/templates-ansible/configure-monitoring-sap/ansible_configure_monitoring.sh.tftpl

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+### Using input variables from terraform
+ansible_playbook=${ansible_playbook_file}
+ansible_log_path=${ansible_log_path}
+ansible_inventory=${ansible_inventory}
+ansible_private_key_file=${ansible_private_key_file}
+
+# shell to get the ibmcloud api token
+ibmcloud_auth_response=$(curl -X POST 'https://iam.cloud.ibm.com/identity/token' -H 'Content-Type: application/x-www-form-urlencoded' -d "apikey=$IBMCLOUD_API_KEY&grant_type=urn:ibm:params:oauth:grant-type:apikey")
+ibmcloud_iam_token=$(echo "$ibmcloud_auth_response" | jq -r '.access_token')
+
+# Create ansible.cfg file
+ansible_playbook_name=$(basename $${ansible_playbook})
+echo -e "[defaults]\nhost_key_checking=False" >ansible.cfg
+export ANSIBLE_LOG_PATH=$${ansible_log_path}/$${ansible_playbook_name}.$(date "+%Y.%m.%d-%H.%M.%S").log
+export ANSIBLE_PRIVATE_KEY_FILE=$${ansible_private_key_file}
+
+#Execute ansible playbook
+unbuffer ansible-playbook -i $${ansible_inventory} $${ansible_playbook} --extra-vars ibmcloud_iam_token=$${ibmcloud_iam_token} --vault-password-file password_file
+if [ $? -ne 0 ]; then
+    rm -rf $${ansible_private_key_file}
+    exit 1
+fi
+echo \"Playbook command successful\"
+rm -rf $${ansible_private_key_file}

modules/ansible/templates-ansible/configure-monitoring-sap/playbook-configure-monitoring-sap.yml.tftpl

@@ -0,0 +1,57 @@
+# ------------------------------------------------------------------------
+# This playbook uses the ibm.power_linux_sap collection. This collection is
+# available on ansible galaxy
+# https://galaxy.ansible.com/ui/repo/published/ibm/power_linux_sap/ and can
+# be installed using 'ansible-galaxy collection install ibm.power_linux_sap'
+# ------------------------------------------------------------------------
+
+---
+- name: SAP monitoring configuration
+  hosts: all
+  become: true
+  vars:
+
+    ## variable group: monitoring meta parameters
+    sap_monitoring_action: '${sap_monitoring_action}'
+    config_override: '${config_override}'
+    sap_monitoring_nr: '${sap_monitoring_nr}'
+    sap_monitoring_solution_name: '${sap_monitoring_solution_name}'
+    sap_tools_directory: '${sap_tools_directory}'
+
+    ## variable group: hana parameters
+    sap_hana_ip: '${sap_hana_ip}'
+    sap_hana_http_port: '${sap_hana_http_port}'
+    sap_hana_sql_systemdb_port: '${sap_hana_sql_systemdb_port}'
+    sap_hana_sql_systemdb_user: '${sap_hana_sql_systemdb_user}'
+    sap_hana_sql_systemdb_password: '${sap_hana_sql_systemdb_password}'
+
+    ## variable group: application server parameters
+    sap_ascs_ip: '${sap_ascs_ip}'
+    sap_ascs_http_port: '${sap_ascs_http_port}'
+    sap_app_server: ${sap_app_server}
+
+    ## variable group: IBM cloud parameters
+    ibmcloud_monitoring_instance_url: '${ibmcloud_monitoring_instance_url}'
+    ibmcloud_monitoring_request_credential_url: '${ibmcloud_monitoring_request_credential_url}'
+    ibmcloud_monitoring_instance_guid: '${ibmcloud_monitoring_instance_guid}'
+
+  tasks:
+  # use token to get the monitoring auth cred
+  - name: Obtain IBM Cloud IAM token
+    ansible.builtin.uri:
+      url: "{{ ibmcloud_monitoring_request_credential_url }}"
+      method: GET
+      headers:
+        Content-Type: application/json
+        IBMInstanceID: "{{ ibmcloud_monitoring_instance_guid  }}"
+        Authorization: "Bearer {{ ibmcloud_iam_token }}"
+      return_content: yes
+    register: response
+
+  - name: Set fact for IBM Cloud Monitoring authorization credentials
+    ansible.builtin.set_fact:
+      ibmcloud_monitoring_authorization_credentials: "{{ response.json.token.key }}"
+
+  - name: Execute monitoring role for SAP
+    ansible.builtin.include_role:
+      name: ibm.power_linux_sap.monitoring_sap

modules/ansible/templates-ansible/monitoring-inventory.tftpl

@@ -0,0 +1 @@
+${monitoring_host_ip}

modules/ansible/templates-ansible/s4hanab4hana-solution/playbook-sap-swpm-install.yml.tftpl

@@ -78,3 +78,20 @@
 
     - name: SAP SWPM Post Install - Enforce Connection Info in hdbuserstore
       ansible.builtin.shell: "runuser -l {{sap_swpm_sid|lower}}adm -c 'hdbuserstore SET DEFAULT {{ sap_swpm_db_host }}:3{{ sap_swpm_db_instance_nr }}15 {{ sap_swpm_db_schema_abap }} '{{ sap_swpm_db_system_password }}"
+
+    - name: Update the service/protectedwebmethods line in the file DEFAULT.PFL profile
+      ansible.builtin.lineinfile:
+        path: /usr/sap/{{ sap_swpm_sid }}/SYS/profile/DEFAULT.PFL
+        regexp: '^service/protectedwebmethods ='
+        line: 'service/protectedwebmethods = ${sap_swpm_service_protectedwebmethods}'
+        backup: yes
+
+    - name: Restart ASCS instance for service/protectedwebmethods to take effect
+      ansible.builtin.shell: "runuser -l {{sap_swpm_sid|lower}}adm -c 'sapcontrol -nr {{ sap_swpm_ascs_instance_nr }} -function RestartService'"
+
+    - name: Pause for 30 seconds
+      ansible.builtin.pause:
+        seconds: 30
+
+    - name: Restart PAS instance for service/protectedwebmethods to take effect
+      ansible.builtin.shell: "runuser -l {{sap_swpm_sid|lower}}adm -c 'sapcontrol -nr {{ sap_swpm_pas_instance_nr }} -function RestartService'"

modules/ansible/variables.tf

@@ -65,3 +65,10 @@ variable "ansible_vault_password" {
   sensitive   = true
   default     = null
 }
+
+variable "ibmcloud_api_key" {
+  description = "IBM Cloud platform API key needed to deploy IAM enabled resources."
+  type        = string
+  sensitive   = true
+  default     = null
+}

reference-architectures/sap-ready-to-go/deploy-arch-ibm-pvs-sap-ready-to-go.md

@@ -2,7 +2,7 @@
 
 copyright:
   years: 2024
-lastupdated: "2024-12-13"
+lastupdated: "2025-01-14"
 keywords:
 subcollection: deployable-reference-architectures
 authors:
@@ -16,7 +16,7 @@ use-case: ITServiceManagement
 industry: Technology
 compliance: SAPCertified
 content-type: reference-architecture
-version: v3.3.0
+version: v3.4.0
 related_links:
   - title: 'SAP in IBM Cloud documentation'
     url: 'https://cloud.ibm.com/docs/sap'
@@ -38,7 +38,7 @@ related_links:
 {: toc-industry="Technology"}
 {: toc-use-case="ITServiceManagement"}
 {: toc-compliance="SAPCertified"}
-{: toc-version="3.3.0"}
+{: toc-version="3.4.0"}
 
 The SAP-ready PowerVS variation of the Power Virtual Server for SAP HANA creates a basic and expandable SAP system landscape. The variation builds on the foundation of the VPC landing zone and Power Virtual Server with VPC landing zone. PowerVS instances for SAP HANA, SAP NetWeaver, and optionally for shared SAP files are deployed and preconfigured for SAP installation.
 

reference-architectures/sap-s4hana-bw4hana/deploy-arch-ibm-pvs-sap-s4hana-bw4hana.md

@@ -2,7 +2,7 @@
 
 copyright:
   years: 2024
-lastupdated: "2024-12-13"
+lastupdated: "2025-01-14"
 keywords:
 subcollection: deployable-reference-architectures
 authors:
@@ -16,7 +16,7 @@ use-case: ITServiceManagement
 industry: Technology
 compliance: SAPCertified
 content-type: reference-architecture
-version: v3.3.0
+version: v3.4.0
 related_links:
   - title: 'SAP in IBM Cloud documentation'
     url: 'https://cloud.ibm.com/docs/sap'
@@ -38,7 +38,7 @@ related_links:
 {: toc-industry="Technology"}
 {: toc-use-case="ITServiceManagement"}
 {: toc-compliance="SAPCertified"}
-{: toc-version="3.3.0"}
+{: toc-version="3.4.0"}
 
 'SAP S/4HANA or BW/4HANA' variation of 'Power Virtual Server for SAP HANA' creates a basic and expandable SAP system landscape built on the foundation of 'Power Virtual Server with VPC landing zone'. PowerVS instances for SAP HANA, SAP NetWeaver, and optionally for shared SAP files are deployed and preconfigured for SAP installation. The S/4HANA or BW/4HANA solution is installed based on the selected version.