SUSE Linux Enterprise Server for SAP applications 16.0

Introduction to Ansible Automation for SUSE Linux Enterprise Server for SAP applications 16

Publication Date: 12 Nov 2025
WHAT?

Learn about a powerful set of Ansible collections and playbooks that are designed for SAP. This automation codifies best practices, allowing you to build and maintain your SAP landscapes with speed, reliability and consistency.

WHY?

Ansible Automation is essential for SAP environments because it lets organizations codify and standardize the complex, time-consuming and high-risk administrative tasks associated with SAP infrastructure and operations.

EFFORT

It takes you up to an hour to read through this article.

GOAL

To transform the management of SAP environments from a complex, error-prone, and time-intensive manual process into a fast, consistent, and fully auditable Infrastructure as Code (IaC) workflow.

REQUIREMENTS

1 Introduction to Ansible Automation for SUSE Linux Enterprise Server for SAP applications 16

Ansible Automation is required for SAP landscapes because manually managing the complex, critical and often vast SAP environments is time-consuming, error-prone and struggles to meet modern demands for agility and high availability. Leveraging Ansible allows organizations to implement Infrastructure-as-Code (IaC) principles for SAP, ensuring speed, consistency, and repeatability in vital tasks like provisioning new systems, patching, configuration management and performing complex operational procedures.

This automation minimizes the risk of human error, enables High Availability, significantly accelerates change management and frees up skilled SAP Basis administrators to focus on strategic, high-value work rather than repetitive and manual operations. SUSE provides you with a powerful set of Ansible collections and playbooks designed specifically for SUSE Linux Enterprise Server for SAP applications 16.

2 About the sles_sap_automation pattern

Using the SUSE package pattern is recommended because it is the simplest and most reliable method for installing all the required SAP automation components.

By using the pattern, you ensure all required Ansible collections and the playbook packages are installed together, preventing dependency problems. For SUSE Linux Enterprise Server for SAP applications 16, install the sles_sap_automation package pattern:

> sudo zypper install --type pattern sles_sap_automation

This command installs the following packages:

  • ansible-sap-infrastructure

  • ansible-sap-install

  • ansible-sap-operations

  • ansible-sap-playbooks

Important

Each package contains an Ansible Collection with a curated list of supported Ansible roles. To call a role in a collection, you must use its fully qualified collection name (FQCN). This tells Ansible exactly where to find the role and prevents any naming conflicts with other collections. For example:

  ---
  - name: Ansible Play to install SAP Product
    hosts: all
    tasks:
      - name: Install SAP Product
        ansible.builtin.include_role:
          name: suse.sap_install.sap_swpm

3 Understanding the sles_sap_automation package pattern

The sles_sap_automation package pattern installs four packages: ansible-sap-install, ansible-sap-infrastructure, ansible-sap-operations and ansible-sap-playbooks. Each package contains an Ansible Collection with a curated list of supported Ansible roles.

3.1 The sap_install collection

The sap_install collection installs, configures and manages SAP software on Linux operating systems.

This collection covers the following tasks:

  • Ensure the operating system is configured, and all required SAP installation media are staged prior to system setup.

  • Install the SAP HANA database.

  • Install SAP products such as SAP S/4HANA, SAP NetWeaver, etc.

  • Enable SAP HANA system replication.

  • Configure a High Availability cluster for SAP HANA and ASCS/ERS.

The key roles in this collection include:

  • sap_general_preconfigure: installs required packages and performs basic OS configuration steps according to applicable SAP notes for installing and running SAP HANA or SAP ABAP Application Platform (formerly known as SAP NetWeaver).

  • sap_hana_preconfigure: installs additional required packages and performs additional OS configuration steps according to applicable SAP notes for installing and running SAP HANA after the role sap_general_preconfigure.

  • sap_netweaver_preconfigure: installs additional required packages and performs additional OS configuration steps according to applicable SAP notes for installing and running SAP ABAP Application Platform after the role sap_general_preconfigure.

  • sap_storage_setup: prepares a host with the storage requirements of a SAP system (prior to software installation).

  • sap_install_media_detect: detects and extracts SAP installation media.

  • sap_hana_install: installs SAP HANA using the SAP HANA database lifecycle manager (HDBLCM).

  • sap_ha_install_hana_hsr: configures and enables SAP HANA system replication between two nodes.

  • sap_swpm: installs various SAP systems installable by SAP Software Provisioning Manager (SWPM).

  • sap_ha_pacemaker_cluster: installs and configures Linux Pacemaker High Availability clusters for SAP HANA and SAP NetWeaver systems on various infrastructure platforms.

List of all roles:

> ls /usr/share/ansible/collections/ansible_collections/suse/sap_install/roles
  sap_anydb_install_oracle  sap_ha_install_anydb_ibmdb2  sap_ha_pacemaker_cluster  sap_hana_preconfigure     sap_maintain_etc_hosts      sap_storage_setup
  sap_general_preconfigure  sap_ha_install_hana_hsr      sap_hana_install          sap_install_media_detect  sap_netweaver_preconfigure  sap_swpm

For more details about the roles and role variables in the sap_install collection, refer to the README.md, for example:

> ls /usr/share/ansible/collections/ansible_collections/suse/sap_install/roles/sap_swpm
   README.md  defaults  meta  tasks  templates

3.2 The sap_infrastructure collection

The sap_infrastructure collection provides a set of Ansible roles to automate various infrastructure-related tasks for SAP systems. The core focus is on creating and configuring the resources across diverse platforms, including cloud hyperscalers and hypervisors.

This collection covers the following tasks:

  • Provision virtual machines on target infrastructure platforms using Ansible. This includes the provisioning of High Availability resources such as routing and load balancing, where applicable.

  • Assign temporary virtual IP addresses (VIPs) for application installation before the cluster takes over management.

The key roles in this collection are:

  • sap_vm_provision: provisions virtual machines to host SAP software.

  • sap_vm_temp_vip: assigns a temporary virtual IP (VIP) to the OS network interface. It is replaced by the Cluster VIP resource once the cluster is configured.

The following infrastructure platforms are supported:

  • AWS EC2 virtual server instance

  • Google Cloud Compute Engine virtual machine

  • IBM Cloud, Intel virtual server

  • IBM Cloud, Power virtual server

  • Microsoft Azure virtual machine

  • IBM PowerVM virtual machine

List of all roles:

> ls /usr/share/ansible/collections/ansible_collections/suse/sap_infrastructure/roles
  sap_vm_provision  sap_vm_temp_vip

For more details about the roles and role variables in the sap_infrastructure collection, refer to the README.md, for example:

> ls /usr/share/ansible/collections/ansible_collections/suse/sap_infrastructure/roles/sap_vm_provision
  PLATFORM_GUIDANCE.md  README.md  defaults  meta  tasks
Important

Since this collection leverages native cloud automation tools, ensure you meet your target platform's specific prerequisites as detailed in the Infrastructure platform guidance. These requirements are not part of the pattern and are not supported.

3.3 The sap_operations collection

The sap_operations collection executes various day-to-day operation tasks for SAP systems.

This collection covers the following tasks:

  • Start, stop and restart of the SAP HANA database server.

  • Start, stop and restart of the SAP NetWeaver application server.

  • Operate the SAP system using sapcontrol and various functions.

  • Updating SAP profiles.

List of all roles:

> ls /usr/share/ansible/collections/ansible_collections/suse/sap_operations/roles
  sap_control  sap_profile_update

For more details about the roles and role variables in the sap_operations collection, refer to the README.md, for example:

> ls /usr/share/ansible/collections/ansible_collections/suse/sap_operations/roles/sap_control
   README.md  defaults  tasks

3.4 About ansible.playbooks_for_sap

The ansible.playbooks_for_sap contains Ansible playbooks for deployment of various SAP software solution scenarios onto different cloud service providers.

To make the playbook easy to use and scalable, the following key principles are used in the design:

  • Modular configuration: The playbooks use modular configuration, which is a variable system that lets you focus only on the specific values for your environment, eliminating the need to sift through hundreds of unused settings.

  • Brownfield and Greenfield Support: Flexible by design, the playbooks support both greenfield deployments (creating a landscape from scratch) and brownfield operations (running against existing servers).

  • Interactive mode: For quick setups or for users who prefer not to manage variable files, an interactive mode is available. This mode will prompt you for all the necessary information, guiding you step-by-step.

  • (Optional) Automated Media Downloads: If the community.sap_launchpad Ansible Collection is installed, the playbooks can automatically download the required SAP installation media for you, saving significant manual effort. This feature requires a valid SAP S-User with the necessary download privileges.

The benefits of Ansible playbooks for SAP are:

  • The playbooks are designed for simplicity, making them accessible to users across all levels of Ansible experience.

  • Easily reconfigurable and extendable, they let you precisely tailor deployments to your needs. For instance, you can customize them for specific SAP versions, integrate monitoring tools, or adapt them to different network topologies.

  • Each playbook contains a complete deployment scenario, which ensures consistency and simplifies the process.

  • Deploy the same SAP solution across diverse infrastructure including different cloud service providers.

For more details about the ansible.playbooks_for_sap collection, refer to the README.md:

> ls /usr/share/ansible/playbooks/ansible.playbooks_for_sap
  LICENSE  README.md  deploy_scenarios  docs  special_actions

and

> ls /usr/share/ansible/playbooks/ansible.playbooks_for_sap/docs
  CONTRIBUTING.md  CONTRIBUTORS.md  DEV_EXECUTION_FLOW.md  FAQ.md  GET_STARTED_AZURE_DEVOPS.md  GET_STARTED_MACOS.md  GET_STARTED_WINDOWS.md  README.md  images  sample

4 Ansible support coverage

The support matrix for Ansible and Python compatibility:

  • Control node:

    • Python 3.11 - 3.13

    • ansible-core 2.18

    • Ansible 11

  • Managed node:

    • Python 3.11 - 3.13

Important
  • Python and Ansible versions in the control and managed nodes must be compatible.

  • Third-party software is not supported.

  • Only versions provided in packages that install into System Python are supported.

  • Python Virtual Environment or alternatives like pyenv are not supported.

5 Deploying a High Availability distributed SAP S/4HANA system on AWS

This is a detailed step-by-step procedure to deploy a High Availability and distributed SAP S/4HANA system on Amazon Web Services (AWS). The ansible-sap-playbooks package is used to automate infrastructure provisioning and SAP software installation, creating a resilient, scalable and enterprise-grade environment. This procedure uses the pay-as-you-go (PAYG) model for the SUSE operating system, where the subscription cost is included in the AWS instance pricing.

This procedure is intended for system administrators, DevOps engineers and SAP Basis consultants who have a working knowledge of AWS, Ansible and SAP principles.

With this procedure, you can:

  • Prepare the control node and the AWS cloud environment for automation.

  • Configure Ansible variables for a custom deployment.

  • Execute a single playbook to provision and configure the entire SAP S/4HANA system.

  • Achieve a fully functional and highly available system ready for post-installation activities.

The resulting High Availability distributed SAP S/4HANA system comprises the following components:

  • Two SAP S/4HANA scale-up servers in a High Availability cluster

  • Two ASCS/ERS servers in a High Availability cluster

  • One primary application server (PAS)

  • One additional application server (AAS)

Procedure 1: Deployment in the AWS cloud environment

Provisioning with Ansible requires a pre-existing environment and a service user with the necessary permissions.

  1. Prepare your AWS cloud environment with the following:

    • VPC:

      • VPC access control list (ACL)

      • VPC Subnets

      • VPC Security Groups

    • Route 53 (private DNS)

    • Internet Gateway (SNAT)

    • Elastic File System (EFS) Network File System (NFS)

    • Bastion host (AWS EC2 VS)

    • Key Pair for hosts

    For more details on infrastructure prerequisites, refer to the infrastructure prerequisites.

  2. Create a new IAM role or policy with appropriate access, using one of the following options:

    • Restricted access, refer to the authorization prerequisites.

    • Full access (not recommended):

      • arn:aws:iam::aws:policy/AmazonVPCFullAccess

      • arn:aws:iam::aws:policy/AmazonEC2FullAccess

      • arn:aws:iam::aws:policy/AmazonRoute53FullAccess

    Note

    A bastion host is required when provisioning to a private cloud from outside, but it can be ignored if your control node has direct access to your cloud account and VPC. This is accomplished by setting the variable sap_vm_provision_bastion_execution to false.

  3. Prepare the control node.

    1. Install the sles_sap_automation pattern, which contains all recommended packages for automation.

      > sudo  zypper install --type pattern sles_sap_automation
    2. Verify that the pattern and all the packages are installed.

      > sudo  zypper info --type pattern sles_sap_automation
      
          Refreshing service 'SUSE_Linux_Enterprise_Server_for_SAP_Applications_x86_64'.
          Retrieving repository 'SLE-Product-SLES_SAP-16.0' metadata .........................................................................[done]
          Building repository 'SLE-Product-SLES_SAP-16.0' cache ..............................................................................[done]
          Loading repository data...
          Reading installed packages...
      
      
          Information for pattern sles_sap_automation:
          --------------------------------------------
          Repository      : SLE-Product-SLES_SAP-16.0
          Name            : sles_sap_automation
          Version         : 16.0-160000.2.2
          Arch            : x86_64
          Vendor          : SUSE LLC <https://www.suse.com/>
          Installed       : Yes
          Visible to User : Yes
          Summary         : automation deployment
          Description     :
              ansible playbooks and roles
          Contents        :
              S  | Name                         | Type    | Dependency
              ---+------------------------------+---------+-----------
              i  | ansible                      | package | Required
              i  | ansible-linux-system-roles   | package | Required
              i  | ansible-sap-infrastructure   | package | Required
              i  | ansible-sap-install          | package | Required
              i  | ansible-sap-operations       | package | Required
              i  | ansible-sap-playbooks        | package | Required
              i+ | patterns-sap-automation      | package | Required
              i+ | patterns-sap-base_sap_server | package | Required
    3. Install the AWS requirements. For details, refer to the prerequisites.

      > sudo   ansible-galaxy collection install amazon.aws
      > sudo   zypper install python313-boto3
  4. Ansible playbooks are installed in /usr/share/ansible/playbooks. To prevent changes from being overwritten by future package updates, these files should not be modified directly. For this procedure:

    1. Use the scenario directory /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_distributed_ha.

    2. For simplicity, this procedure stores all customizations in the /playbooks directory. Specifically, we will use /playbooks/S01 as the dedicated directory for our system.

    3. Define the minimal required variables and leave the predefined values in place for a simplified configuration.

  5. You can encrypt variables for playbooks in different ways to ensure security compliance.

    1. Encrypt all variables in the scenario.

    2. Split variables for reusability and encrypt only what is needed. For example:

      • Cloud credentials and information encrypted in Ansible vault.

      • Scenario passwords encrypted in Ansible vault.

      • Scenario non-sensitive variables without using Ansible vault.

      In this procedure, we use a simplified variant for encrypting whole files.

  6. Copy the variable files from the source. Since we are provisioning new servers in AWS, only two variable files are required:

    • ansible_extravars.yml contains scenario-specific variables.

    • ansible_extravars_aws_ec2_vs.yml contains platform-specific variables.

    cp /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_distributed_ha/ansible_extravars.yml /playbooks/S01/
    cp /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_distributed_ha/ansible_extravars_aws_ec2_vs.yml /playbooks/S01/
  7. Update the variable file ansible_extravars.yml.

    1. The following variable defines the provisioning method and platform.

      sap_vm_provision_iac_type: "ansible"
    2. The following variable selects the desired topology from the sap_vm_provision_aws_ec2_vs_host_specifications_dictionary dictionary.

      • Predefined with minimum recommended instances for hosting an SAP system.

      • Customizable as you can edit an existing entry or define a new plan.

      sap_vm_provision_host_specification_plan: "xsmall_256gb"
    3. The value of the variable sap_software_product is the key predefined in the sap_software_install_dictionary dictionary. This dictionary follows the same rules as the one above. You can edit an existing entry or create a new one.

      sap_software_product: "sap_s4hana_2023_distributed"
      sap_install_media_detect_source_directory: "/software"
      Important

      The default execution ignores the list of SAP media files in the sap_software_install_dictionary dictionary because the optional package ansible-sap-launchpad is not present. This package is available in Package Hub and it allows you to download SAP Media Software when provided with valid S-User credentials with appropriate download authorization.

      If this package is not installed, the playbook expects you to have all required files present in the path defined in the sap_install_media_detect_source_directory variable. The variables used by the sap_launchpad role are sap_id_user and sap_id_user_password.

      The password variables are simplified and use the master password. This procedure does not include plain text passwords, so you must define them when updating the variable files.

      sap_hana_install_use_master_password: "y"  # Use a master password for SAP HANA installation (y/n) (String).
      sap_hana_install_master_password: ''  # The master password for SAP HANA (String).
      sap_swpm_master_password: ''  # Master password for the SAP system (String).
      sap_swpm_ddic_000_password: '' # Password for the DDIC user in client 000 (String).
      sap_swpm_db_schema_abap_password: ''  # Password for the ABAP schema user (String).
      sap_swpm_db_sidadm_password: ''  # Password for the sid adm user in the database (String).
      sap_swpm_db_system_password: ''  # Password for the SYSTEM user in the SAP HANA database (String).
      sap_swpm_db_systemdb_password: ''  # Password for the SYSTEM user in the SAP HANA system database (String).
    4. The variables for virtual overlay IP addresses need to follow a specific convention for a given platform.

      # AWS: the VIP must be outside of any VPC Subnet ranges (e.g. 192.168.100.102/32)
      sap_vm_provision_ha_vip_hana_primary: "ENTER_STRING_VALUE_HERE"
      sap_vm_provision_ha_vip_nwas_abap_ascs: "ENTER_STRING_VALUE_HERE"
      sap_vm_provision_ha_vip_nwas_abap_ers: "ENTER_STRING_VALUE_HERE"
  8. Update the variable file ansible_extravars_aws_ec2_vs.yml.

    1. The variables for connecting through a bastion host.

      sap_vm_provision_bastion_user: "ENTER_STRING_VALUE_HERE"  # Bastion user name (String).
      sap_vm_provision_bastion_ssh_port: "ENTER_STRING_VALUE_HERE"  # Bastion SSH port (String).
      sap_vm_provision_bastion_public_ip: "ENTER_STRING_VALUE_HERE"  # Public IP of the bastion server (String).
      sap_vm_provision_ssh_bastion_private_key_file_path: "ENTER_STRING_VALUE_HERE"  # Path to bastion server's SSH private key on the execution node (String).
      sap_vm_provision_ssh_host_private_key_file_path: "ENTER_STRING_VALUE_HERE"  # Path to target host's SSH private key on the execution node (String).
    2. The variables for connecting to a cloud environment.

      sap_vm_provision_aws_access_key: "ENTER_STRING_VALUE_HERE"  # Access key ID (String).
      sap_vm_provision_aws_secret_access_key: "ENTER_STRING_VALUE_HERE"  # Secret access key (String).
      sap_vm_provision_aws_vpc_availability_zone: "ENTER_STRING_VALUE_HERE"  # Availability zone (String).
      sap_vm_provision_aws_vpc_subnet_id: "ENTER_STRING_VALUE_HERE"
      sap_vm_provision_dns_root_domain: "ENTER_STRING_VALUE_HERE"  # Root domain for DNS entries (e.g., example.com) (String).
      sap_vm_provision_aws_key_pair_name_ssh_host_public_key: "ENTER_STRING_VALUE_HERE"  # SSH Key name in AWS Console (String).
      sap_vm_provision_aws_vpc_sg_names: "ENTER_STRING_VALUE_HERE"  # Comma separated list of AWS VPC Security Group names (String).
    3. The variables for selecting which OS image to use for provisioned instances are defined in the sap_vm_provision_aws_ec2_vs_host_os_image_dictionary dictionary, which defines the search pattern for images. In this procedure, a PAYG image is used. SUSE Linux Enterprise Server 16 images will be updated in the dictionary when cloud images are available.

      sap_vm_provision_aws_ec2_vs_host_os_image: "sles-15-6-sap-ha"
    4. The scenario-specific platform variables required for configuring High Availability.

      sap_vm_provision_nfs_mount_point: "ENTER_STRING_VALUE_HERE" # e.g. fs-0000.efs.eu-west-2.amazonaws.com:/
      sap_vm_provision_nfs_mount_point_separate_sap_transport_dir: "ENTER_STRING_VALUE_HERE" # e.g. fs-0000.efs.eu-west-2.amazonaws.com:/
      sap_vm_provision_nfs_mount_point_type: nfs4  # NFS version (String).
      sap_vm_provision_nfs_mount_point_opts:
        nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport,acl  # NFS Mount options (String).
      sap_ha_pacemaker_cluster_aws_vip_update_rt: "ENTER_STRING_VALUE_HERE"  # AWS Routing Table ID (String).
  9. Encrypt files with Ansible vault. Files can be encrypted either using a prompt or with a password file. The password file is easier to reuse in larger environments.

    Encryption with a prompt:

    > sudo ansible-vault encrypt ansible_extravars.yml ansible_extravars_aws_ec2_vs.yml

    Encryption with a password file, which requires appropriate permissions and protection for security compliance:

    > sudo ansible-vault encrypt --vault-password-file password.key ansible_extravars.yml ansible_extravars_aws_ec2_vs.yml
  10. Use the playbook directly from /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_distributed_ha without editing it. If you need to adjust the playbook, we recommend copying it outside of the package directory. Execute the Ansible playbook with the Ansible vault key file.

    > sudo  ansible-playbook /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_distributed_ha/ansible_playbook.yml \
    	--extra-vars "@./ansible_extravars.yml" \
    	--extra-vars "@./ansible_extravars_aws_ec2_vs.yml" \
    	--vault-password-file password.key
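Pre-flight checks an operator could run between steps 9 and 10, added here as an example (not part of the SUSE documentation or the packaged playbooks). It confirms that both variable files carry the Ansible Vault header, that the vault password file has no group or other permission bits, and that each overlay VIP from step 7 lies outside the VPC subnet ranges. The function names and the subnet CIDRs in `demo` are assumptions; the VIPs and subnets are passed as arguments because the variable files are already encrypted at this point.

```shell
#!/bin/sh
# Added example: pre-flight checks before running the playbook in step 10.
# Function names and the sample CIDRs in demo() are illustrative assumptions.

# Print a dotted-quad IPv4 address as an integer; return 1 on malformed input.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ""|????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# vip_outside_subnets VIP CIDR...
# Returns 0 if VIP is outside every CIDR, 1 if it falls inside one, 2 on bad input.
vip_outside_subnets() {
    vip=${1%/*}   # accept the "/32" suffix used in the variable file
    shift
    vip_int=$(ip_to_int "$vip") || return 2
    for cidr in "$@"; do
        prefix=${cidr#*/}
        case "$prefix" in ""|*[!0-9]*|???*|0?*) return 2 ;; esac
        [ "$prefix" -le 32 ] || return 2
        net_int=$(ip_to_int "${cidr%/*}") || return 2
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
        [ $(( vip_int & mask )) -ne $(( net_int & mask )) ] || return 1
    done
    return 0
}

# Returns 0 when the first line of FILE is an Ansible Vault header
# (format 1.1, or 1.2 with a vault ID label), 1 when it is not, 2 if FILE is missing.
is_vault_encrypted() {
    [ -f "$1" ] || return 2
    header=
    IFS= read -r header < "$1" || [ -n "$header" ] || return 1
    case "$header" in
        '$ANSIBLE_VAULT;1.'[12]';AES256'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when FILE is a regular file (not a symlink) whose group and other
# permission bits are all clear, for example mode 0600 or 0400.
password_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 2
    mode=$(ls -ld -- "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# preflight DIR KEYFILE "VIP VIP ..." "CIDR CIDR ..."
# Prints one line per finding and returns the number of findings.
preflight() {
    dir=$1 key=$2 vip_list=$3 subnets=$4 failures=0
    for f in ansible_extravars.yml ansible_extravars_aws_ec2_vs.yml; do
        is_vault_encrypted "$dir/$f" ||
            { echo "FAIL: $dir/$f is missing or not vault-encrypted"; failures=$((failures + 1)); }
    done
    password_file_is_private "$key" ||
        { echo "FAIL: $key is missing, a symlink, or accessible to group/others"; failures=$((failures + 1)); }
    for v in $vip_list; do
        vip_outside_subnets "$v" $subnets ||
            { echo "FAIL: VIP $v is invalid or inside a VPC subnet range"; failures=$((failures + 1)); }
    done
    return "$failures"
}

# Constructed sample: one encrypted file, one plaintext file, a 0644 password
# file, and one VIP that falls inside a subnet. Expect three findings.
demo() {
    d=$(mktemp -d) || return 99
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' 'constructed-ciphertext-placeholder' \
        > "$d/ansible_extravars.yml"
    printf 'sap_vm_provision_aws_access_key: "ENTER_STRING_VALUE_HERE"\n' \
        > "$d/ansible_extravars_aws_ec2_vs.yml"
    : > "$d/password.key"; chmod 644 "$d/password.key"
    preflight "$d" "$d/password.key" "192.168.100.102/32 10.0.1.50" "10.0.0.0/24 10.0.1.0/24"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# Four arguments: check a real deployment directory. No arguments: run the demo.
case "$#" in
    4) preflight "$@" ;;
    0) demo || echo "demo: $? finding(s) on constructed input" ;;
esac
```

For the directory used in this procedure, the call would take `/playbooks/S01`, the path to `password.key`, the three VIP values, and your VPC subnet CIDRs as its four arguments.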

Outcome

You now have a fully operational, High Availability and distributed SAP S/4HANA landscape on AWS.

Your new environment includes:

  • A clustered SAP HANA database: With automated failover to ensure continuous availability.

  • A clustered ASCS/ERS Instance: Protecting the central services, which are critical for system operation.

  • Multiple application servers: To distribute the workload and provide scalability.

  • Shared storage: For binaries and transport files, accessible across the landscape.

Next steps

You can now proceed with post-installation tasks, such as:

  • System Validation: Performing health checks and verifying the High Availability functionality.

  • SAP Configuration: Applying initial SAP basis configurations, such as SAP Transport Management System (STMS) and profile parameter tuning.

  • Backup and Recovery: Implementing a robust backup and recovery strategy for the SAP HANA database and application servers.

  • Monitoring: Integrating the new landscape with your existing monitoring solutions.

6 Deploying a sandbox SAP BW/4HANA system on GCP

This is a detailed step-by-step procedure to deploy a non-production sandbox SAP BW/4HANA system on Google Cloud Platform (GCP). The ansible-sap-playbooks package is used to automate infrastructure provisioning and SAP software installation, resulting in a compact, single-node environment suitable for development, testing or training. This procedure uses the bring-your-own-subscription (BYOS) model for the SUSE operating system.

This procedure is intended for system administrators, DevOps engineers and SAP Basis consultants who have a working knowledge of AWS, Ansible and SAP principles.

With this procedure, you can:

  • Prepare the control node and the GCP cloud environment for automation.

  • Configure Ansible variables for the sandbox deployment.

  • Execute a single playbook to provision and configure the entire SAP system.

  • Achieve a functional sandbox system ready for post-installation activities.

The resulting SAP S/4HANA system consists of a single server with the following components:

  • One SAP HANA database

  • One ABAP SAP Central Services (ASCS)

  • One primary application server (PAS)

Procedure 2: Deployment on GCP cloud environment

Provisioning with Ansible requires a pre-existing environment and a service user with the necessary permissions.

  1. Prepare your GCP cloud environment with the following:

    • VPC:

      • VPC Subnetwork

    • Compute Firewall

    • Compute Router

      • Cloud NAT (SNAT)

    • DNS Managed Zone (Private DNS)

    • Filestore (NFS) or NFS server

    • Bastion host (GCP CE VM)

    For more details on infrastructure prerequisites, refer to the infrastructure prerequisites.

  2. Create a new IAM role or policy with appropriate restricted access. For details, refer to the authorization prerequisites.

    Note

    A bastion host is required when provisioning to a private cloud from outside, but it can be ignored if your control node has direct access to your cloud account and VPC. This is accomplished by setting the variable sap_vm_provision_bastion_execution to false.

  3. Prepare the control node.

    1. Install the sles_sap_automation pattern, which contains all recommended packages for automation.

      > sudo  zypper install --type pattern sles_sap_automation
    2. Verify that the pattern and all the packages are installed.

      > sudo  zypper info --type pattern sles_sap_automation
      
          Refreshing service 'SUSE_Linux_Enterprise_Server_for_SAP_Applications_x86_64'.
          Retrieving repository 'SLE-Product-SLES_SAP-16.0' metadata .........................................................................[done]
          Building repository 'SLE-Product-SLES_SAP-16.0' cache ..............................................................................[done]
          Loading repository data...
          Reading installed packages...
      
      
          Information for pattern sles_sap_automation:
          --------------------------------------------
          Repository      : SLE-Product-SLES_SAP-16.0
          Name            : sles_sap_automation
          Version         : 16.0-160000.2.2
          Arch            : x86_64
          Vendor          : SUSE LLC <https://www.suse.com/>
          Installed       : Yes
          Visible to User : Yes
          Summary         : automation deployment
          Description     :
              ansible playbooks and roles
          Contents        :
              S  | Name                         | Type    | Dependency
              ---+------------------------------+---------+-----------
              i  | ansible                      | package | Required
              i  | ansible-linux-system-roles   | package | Required
              i  | ansible-sap-infrastructure   | package | Required
              i  | ansible-sap-install          | package | Required
              i  | ansible-sap-operations       | package | Required
              i  | ansible-sap-playbooks        | package | Required
              i+ | patterns-sap-automation      | package | Required
              i+ | patterns-sap-base_sap_server | package | Required
    3. Install the GCP requirements. For details, refer to the prerequisites.

      > sudo   ansible-galaxy collection install google.cloud
      > sudo   zypper install python313-google-auth
  4. Ansible playbooks are installed in /usr/share/ansible/playbooks. To prevent changes from being overwritten by future package updates, these files should not be modified directly. For this procedure:

    1. Use the scenario directory /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_bw4hana_sandbox.

    2. For simplicity, this procedure stores all customizations in the /playbooks directory. Specifically, we will use /playbooks/B01 as the dedicated directory for our system.

    3. Define the minimal required variables and leave the predefined values in place for a simplified configuration.

  5. You can encrypt variables for playbooks in different ways to ensure security compliance.

    1. Encrypt all variables in the scenario.

    2. Split variables for reusability and encrypt only what is needed. For example:

      • Cloud credentials and information encrypted in Ansible vault.

      • Scenario passwords encrypted in Ansible vault.

      • Scenario non-sensitive variables without using Ansible vault.

      In this procedure, we use a simplified variant for encrypting whole files.

  6. Copy the variable files from the source. Since we are provisioning new servers in GCP, only two variable files are required:

    • ansible_extravars.yml contains scenario-specific variables.

    • ansible_extravars_gcp_ce_vm.yml contains platform-specific variables.

    cp /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_bw4hana_sandbox/ansible_extravars.yml /playbooks/B01/
    cp /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_bw4hana_sandbox/ansible_extravars_gcp_ce_vm.yml /playbooks/B01/
  7. Update the variable file ansible_extravars.yml.

    1. The following variable defines the provisioning method.

      sap_vm_provision_iac_type: "ansible"
    2. The following variable selects the desired topology from the sap_vm_provision_gcp_ce_vm_host_specifications_dictionary dictionary.

      • Predefined with minimum recommended instances for hosting an SAP system.

      • Customizable as you can edit an existing entry or define a new plan.

      sap_vm_provision_host_specification_plan: "xsmall_256gb"
    3. The value of the variable sap_software_product is the key predefined in the sap_software_install_dictionary dictionary. This dictionary follows the same rules as the one above. You can edit an existing entry or create a new one.

      sap_software_product: "sap_bw4hana_2023_sandbox"
      sap_install_media_detect_source_directory: "/software"
      Important

      The default execution ignores the list of SAP media files in the sap_software_install_dictionary dictionary because the optional package ansible-sap-launchpad is not present. This package is available in Package Hub and it allows you to download SAP Media Software when provided with valid S-User credentials with appropriate download authorization.

      If this package is not installed, the playbook expects you to have all required files present in the path defined in the sap_install_media_detect_source_directory directory. The variables used by sap_launchpad role are sap_id_user and sap_id_user_password.

  8. The password variables are simplified and use the master password. This procedure does not include plain text passwords, so you must define them when updating the variable files.

    sap_hana_install_use_master_password: "y"  # Use a master password for SAP HANA installation (y/n) (String).
    sap_hana_install_master_password: ''  # The master password for SAP HANA (String).
    sap_swpm_master_password: ''  # Master password for the SAP system (String).
    sap_swpm_ddic_000_password: '' # Password for the DDIC user in client 000 (String).
    sap_swpm_db_schema_abap_password: ''  # Password for the ABAP schema user (String).
    sap_swpm_db_sidadm_password: ''  # Password for the "sid" adm user in the database (String).
    sap_swpm_db_system_password: ''  # Password for the SYSTEM user in the SAP HANA database (String).
    sap_swpm_db_systemdb_password: ''  # Password for the SYSTEM user in the SAP HANA system database (String).
  9. Update the variable file ansible_extravars_gcp_ce_vm.yml.

    1. The variables for connecting through a bastion host.

      sap_vm_provision_bastion_user: "ENTER_STRING_VALUE_HERE"  # Bastion user name (String).
      sap_vm_provision_bastion_ssh_port: "ENTER_STRING_VALUE_HERE"  # Bastion SSH port (String).
      sap_vm_provision_bastion_public_ip: "ENTER_STRING_VALUE_HERE"  # Public IP of the bastion server (String).
      sap_vm_provision_ssh_bastion_private_key_file_path: "ENTER_STRING_VALUE_HERE"  # Path to bastion server's SSH private key on the execution node (String).
      sap_vm_provision_ssh_host_private_key_file_path: "ENTER_STRING_VALUE_HERE"  # Path to target host's SSH private key on the execution node (String).
      sap_vm_provision_ssh_host_public_key_file_path: "ENTER_STRING_VALUE_HERE"  # Path to bastion public host key on execution node (String).
    2. The variables for connecting to a cloud environment.

      sap_vm_provision_gcp_credentials_json: "ENTER_STRING_VALUE_HERE"  # Path to JSON credentials file (String).
      sap_vm_provision_gcp_project: "ENTER_STRING_VALUE_HERE"  # Project name (String).
      sap_vm_provision_gcp_region_zone: "ENTER_STRING_VALUE_HERE"  # Region zone (String).
      sap_vm_provision_gcp_vpc_name: "ENTER_STRING_VALUE_HERE"  # VPC name (String).
      sap_vm_provision_gcp_vpc_subnet_name: "ENTER_STRING_VALUE_HERE"  # VPC Subnet name (String).
      sap_vm_provision_dns_root_domain: "ENTER_STRING_VALUE_HERE"  # Root domain for DNS entries (e.g., example.com) (String).
  10. The variables for selecting which OS image to use for provisioned instances are defined in the sap_vm_provision_gcp_ce_vm_host_os_image_dictionary dictionary, which defines the search pattern for images. In this procedure, a BYOS image is used. SUSE Linux Enterprise Server 16 images will be updated in the dictionary when cloud images are available.

    sap_vm_provision_gcp_ce_vm_host_os_image: "sles-15-6-sap-byos"
    sap_vm_provision_os_online_registration_user: "ENTER_STRING_VALUE_HERE"  # User/Email for SUSEConnect registration (String).
    sap_vm_provision_os_online_registration_passcode: "ENTER_STRING_VALUE_HERE"  # Registration code for SUSEConnect registration (String).
  11. Encrypt files with Ansible vault. Files can be encrypted either using a prompt or with a password file. The password file variant is easier to reuse in larger environments.

    Encryption with a prompt:

    > sudo ansible-vault encrypt ansible_extravars.yml ansible_extravars_gcp_ce_vm.yml

    Encryption with a password file, which requires appropriate permissions and protection for security compliance:

    > sudo ansible-vault encrypt --vault-password-file password.key ansible_extravars.yml ansible_extravars_gcp_ce_vm.yml
  12. Use the playbook directly from /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_bw4hana_sandbox without editing it. If you need to adjust the playbook, we recommend copying it outside of the package directory. Execute the Ansible playbook with the Ansible vault key file.

    > sudo ansible-playbook /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_bw4hana_sandbox/ansible_playbook.yml \
    	--extra-vars "@./ansible_extravars.yml" \
    	--extra-vars "@./ansible_extravars_gcp_ce_vm.yml" \
    	--vault-password-file password.key 
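
Step 5 mentions splitting the variables so that only the sensitive ones are vault-encrypted. The following shell script is an added example, not part of the SUSE packages or of this procedure: it splits a flat extra-vars file by top-level key name, and the key pattern, function names and sample values are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not SUSE code): split a flat extra-vars file into a secrets
# file, to be vault-encrypted, and a plain file that stays readable.

# Top-level key names treated as sensitive. Assumption derived from the variable
# names used in this procedure; over-matching is harmless, for example
# sap_hana_install_use_master_password also lands in the secrets file.
SECRET_KEY_RE='(_password|_passcode|_credentials_json)$'

# split_vars <input.yml> <secrets_out.yml> <plain_out.yml>
split_vars() {
    ( umask 077; : > "$2" )     # create the secrets file owner-only
    chmod 600 "$2"              # and tighten it if it already existed
    : > "$3"
    awk -v re="$SECRET_KEY_RE" -v s="$2" -v p="$3" '
        BEGIN { dest = p }      # header and leading comments go to the plain file
        # A top-level key starts in column 0. Indented lines, comments and
        # blank lines follow the key before them.
        /^[A-Za-z_][A-Za-z0-9_]*:/ {
            key = $0
            sub(/:.*/, "", key)
            dest = (key ~ re) ? s : p
        }
        { print $0 >> dest }
    ' "$1"
}

# Constructed sample input; every value is a placeholder.
make_sample() {
    cat > "$1" <<'EOF'
---
sap_vm_provision_iac_type: "ansible"
sap_software_product: "sap_bw4hana_2023_sandbox"
sap_hana_install_use_master_password: "y"
sap_hana_install_master_password: 'CONSTRUCTED-pw'
sap_swpm_master_password: 'CONSTRUCTED-pw'
sap_vm_provision_gcp_project: "constructed-project"
sap_vm_provision_gcp_credentials_json: "/playbooks/B01/constructed-sa.json"
example_plan_dictionary:
  xsmall_256gb:
    note: "nested lines stay with their top-level key"
sap_vm_provision_os_online_registration_passcode: "CONSTRUCTED-code"
EOF
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/all.yml"
split_vars "$demo_dir/all.yml" "$demo_dir/secrets.yml" "$demo_dir/plain.yml"
echo "== secrets.yml (next: ansible-vault encrypt secrets.yml) =="
cat "$demo_dir/secrets.yml"
echo "== plain.yml (passed unencrypted with --extra-vars \"@./plain.yml\") =="
cat "$demo_dir/plain.yml"
rm -rf "$demo_dir"
```

Keys nested inside a dictionary are not inspected, so a password stored in a dictionary entry stays in the plain file and must be moved by hand.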

Outcome

You now have a fully operational, non-production sandbox SAP BW/4HANA system running on a single virtual machine in GCP.

Your new environment includes:

  • A Single GCP Compute Engine VM: Hosting all SAP instances.

  • SAP HANA Database: The underlying database for your BW/4HANA system.

  • SAP ASCS and PAS Instances: The central services and primary application server are installed on the same host.

Next steps

You can now proceed with post-installation tasks, such as:

  • System Validation: Perform basic health checks to ensure the SAP system is running correctly.

  • Development and Prototyping: Begin developing and testing new data models and reports in a safe, isolated environment.

  • SAP Configuration: Apply any necessary post-installation configurations or client copies.

  • Learning and Exploration: Use the system to explore the features of SAP BW/4HANA.

7 Deploying a sandbox SAP ECC on SAP HANA system on existing hosts

This is a detailed step-by-step procedure to deploy a non-production sandbox SAP ECC on an SAP HANA system on existing hosts. The ansible-sap-playbooks package is used to automate infrastructure provisioning and SAP software installation, resulting in a compact, single-node environment suitable for development, testing or training.

This procedure is intended for system administrators, DevOps engineers and SAP Basis consultants who have a working knowledge of AWS, Ansible and SAP principles.

With this procedure, you can:

  • Prepare the control node and existing hosts.

  • Configure Ansible variables for the sandbox deployment.

  • Execute a single playbook to provision and configure the entire SAP system.

  • Achieve a fully functional system ready for post-installation activities.

The resulting SAP ECC system consists of a single server with the following components:

  • One SAP HANA database

  • One ABAP SAP Central Services (ASCS)

  • One primary application server (PAS)

Procedure 3: Deployment on existing hosts

This procedure assumes you have an existing server or a virtual machine on which you will install the SAP ECC sandbox system. You must provide this host and ensure it is ready for Ansible automation. You must also establish a secure and passwordless SSH connection from your Ansible control node to the target host.

  1. Create an Ansible inventory file.

    1. Ansible needs to know which host(s) to target. Copy the predefined inventory /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_ecc_hana_sandbox/optional/ansible_inventory_noninteractive.yml to your working directory /playbooks/E01/.

    2. Update the file with the connection details of your hosts. For example:

        ---
      
        hana_primary:
          hosts:
            sap-s4hana:
              ansible_host: 192.168.1.100
              ansible_port: 22
              ansible_user: root
              ansible_ssh_private_key_file: "/playbooks/E01/hosts_rsa"
      Note

      This group name is used in the example playbook and renaming it would require customizing the playbook to change all hosts: entries.

  2. Configure passwordless SSH authentication.

    For automation, the Ansible control node must be able to connect to the target host as root without a password prompt. This is achieved using SSH keys.

    Note

    For simplicity, this procedure uses root login, which is acceptable for a temporary sandbox environment. For production systems, using a dedicated, non-root user is the recommended security practice.

    1. Generate an SSH key if you do not have one. Press Enter to accept the default location and leave the passphrase empty for passwordless access.

      #  ssh-keygen -t rsa
    2. Copy the SSH public key to the target host. The easiest way to copy your public key to the target host's authorized_keys file is using the ssh-copy-id utility. This command prompts you for the root password of the target host one last time.

      #  ssh-copy-id root@192.168.1.100
  3. Verify that Ansible can successfully connect to and gather facts from your target host.

    > sudo  ansible -i ansible_inventory_noninteractive.yml all -m ping

    A successful connection test shows a ping-pong response.

    192.168.1.100 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python3.13"
        },
        "changed": false,
        "ping": "pong"
    }
  4. Prepare the control node.

    1. Install the sles_sap_automation pattern, which contains all recommended packages for automation.

      > sudo  zypper install --type pattern sles_sap_automation
    2. Verify that the pattern and all the packages are installed.

      > sudo  zypper info --type pattern sles_sap_automation
      
              Refreshing service 'SUSE_Linux_Enterprise_Server_for_SAP_Applications_x86_64'.
              Retrieving repository 'SLE-Product-SLES_SAP-16.0' metadata .........................................................................[done]
              Building repository 'SLE-Product-SLES_SAP-16.0' cache ..............................................................................[done]
              Loading repository data...
              Reading installed packages...
      
      
              Information for pattern sles_sap_automation:
              --------------------------------------------
              Repository      : SLE-Product-SLES_SAP-16.0
              Name            : sles_sap_automation
              Version         : 16.0-160000.2.2
              Arch            : x86_64
              Vendor          : SUSE LLC <https://www.suse.com/>
              Installed       : Yes
              Visible to User : Yes
              Summary         : automation deployment
              Description     :
                  ansible playbooks and roles
              Contents        :
                  S  | Name                         | Type    | Dependency
                  ---+------------------------------+---------+-----------
                  i  | ansible                      | package | Required
                  i  | ansible-linux-system-roles   | package | Required
                  i  | ansible-sap-infrastructure   | package | Required
                  i  | ansible-sap-install          | package | Required
                  i  | ansible-sap-operations       | package | Required
                  i  | ansible-sap-playbooks        | package | Required
                  i+ | patterns-sap-automation      | package | Required
                  i+ | patterns-sap-base_sap_server | package | Required
  5. Ansible playbooks are installed in /usr/share/ansible/playbooks. To prevent changes from being overwritten by future package updates, these files should not be modified directly. For this procedure:

    1. Use the scenario directory /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_ecc_hana_sandbox.

    2. For simplicity, this procedure stores all customizations in the /playbooks directory. Specifically, we will use /playbooks/E01 as the dedicated directory for our system.

    3. Define the minimal required variables and leave the predefined ones in place for a simplified configuration.

      Important

      Ansible playbooks for SAP are designed to skip provisioning when existing hosts are used, but the remaining tasks are all retained. This means that there will be some variables that are part of provisioning, but they can be used even for existing hosts. For example, the sap_vm_provision_existing_hosts_host_specifications_dictionary dictionary will not provision new infrastructure, but it will be used to configure storage if defined.

  6. You can encrypt variables for playbooks in different ways to ensure security compliance.

    1. Encrypt all variables in the scenario.

    2. Split variables for reusability and encrypt only what is needed. For example:

      • Cloud credentials and information encrypted in Ansible vault.

      • Scenario passwords encrypted in Ansible vault.

      • Scenario non-sensitive variables without using Ansible vault.

      In this procedure, we use a simplified variant for encrypting whole files.

  7. Copy the variable files from the source. Since we are using existing hosts, only two variable files are required:

    • ansible_extravars.yml contains scenario-specific variables.

    • optional/ansible_extravars_existing_hosts.yml contains platform-specific variables.

    cp /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_ecc_hana_sandbox/ansible_extravars.yml /playbooks/E01/
    cp /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_ecc_hana_sandbox/optional/ansible_extravars_existing_hosts.yml /playbooks/E01/
  8. Update the variable file ansible_extravars.yml.

    1. The following variable defines the provisioning method.

      sap_vm_provision_iac_type: "ansible"
    2. The following variable selects the desired topology from the sap_vm_provision_existing_hosts_host_specifications_dictionary dictionary.

      • Predefined with minimum recommended instances for hosting an SAP system.

      • Customizable as you can edit an existing entry or define a new plan.

      sap_vm_provision_host_specification_plan: "xsmall_256gb"
    3. The value of the variable sap_software_product is the key predefined in the sap_software_install_dictionary dictionary. This dictionary follows the same rules as the one above. You can edit an existing entry or create a new one.

      sap_software_product: "sap_ecc6_ehp8_hana_sandbox"
      sap_install_media_detect_source_directory: "/software"
      Important

      The default execution ignores the list of SAP media files in the sap_software_install_dictionary dictionary because the optional package ansible-sap-launchpad is not present. This package is available in Package Hub and it allows you to download SAP Media Software when provided with valid S-User credentials with appropriate download authorization.

      If this package is not installed, the playbook expects you to have all required files present in the path defined in the sap_install_media_detect_source_directory directory. The variables used by sap_launchpad role are sap_id_user and sap_id_user_password.

  9. The password variables are simplified and use the master password. This procedure does not include plain text passwords, so you must define them when updating the variable files.

    sap_hana_install_use_master_password: "y"  # Use a master password for SAP HANA installation (y/n) (String).
    sap_hana_install_master_password: ''  # The master password for SAP HANA (String).
    sap_swpm_master_password: ''  # Master password for the SAP system (String).
    sap_swpm_ddic_000_password: '' # Password for the DDIC user in client 000 (String).
    sap_swpm_db_schema_abap_password: ''  # Password for the ABAP schema user (String).
    sap_swpm_db_sidadm_password: ''  # Password for the "sid" adm user in the database (String).
    sap_swpm_db_system_password: ''  # Password for the SYSTEM user in the SAP HANA database (String).
    sap_swpm_db_systemdb_password: ''  # Password for the SYSTEM user in the SAP HANA system database (String).
  10. Update the variable file ansible_extravars_existing_hosts.yml.

    1. The variables for connecting to existing hosts.

      # Path to target host's SSH private key on the execution node (String).
      # This SSH key has to be added to authorized_keys on managed node.
      sap_vm_provision_ssh_host_private_key_file_path: "ENTER_STRING_VALUE_HERE"
      Important

      Ansible playbooks for SAP use the Ansible fact ansible_domain, which requires a valid /etc/hosts configuration on your existing hosts with FQDN to obtain the domain name.

  11. Encrypt files with Ansible vault. Files can be encrypted either using a prompt or with a password file. The password file variant is easier to reuse in larger environments.

    Encryption with a prompt:

    > sudo ansible-vault encrypt ansible_extravars.yml ansible_extravars_existing_hosts.yml

    Encryption with a password file, which requires appropriate permissions and protection for security compliance:

    > sudo ansible-vault encrypt --vault-password-file password.key ansible_extravars.yml ansible_extravars_existing_hosts.yml
  12. Use the playbook directly from /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_ecc_hana_sandbox without editing it. If you need to adjust the playbook, we recommend copying it outside of the package directory. Execute the Ansible playbook with the Ansible vault key file.

    > sudo  ansible-playbook /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_ecc_hana_sandbox/ansible_playbook.yml \
            --extra-vars "@./ansible_extravars.yml" \
            --extra-vars "@./ansible_extravars_existing_hosts.yml" \
            --vault-password-file password.key \
            --inventory ansible_inventory_noninteractive.yml 
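
Steps 11 and 12, here and in the GCP procedure, rely on the variable files being vault-encrypted and on password.key being protected. The following pre-flight check is an added example, not part of the SUSE packages: the function names are hypothetical and the files it creates are constructed samples.

```sh
#!/bin/sh
# Added example (not SUSE code): pre-flight check to run before ansible-playbook.

# is_vaulted <file>: succeeds if the file starts with an Ansible Vault header,
# for example "$ANSIBLE_VAULT;1.1;AES256".
is_vaulted() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_private <file>: succeeds if group and others have no permission bits.
# Characters 5-10 of the "ls -l" mode string are the group and other bits.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# preflight <vault-password-file> <vars-file>...
# Prints one line per finding and returns the number of findings.
preflight() {
    pwfile=$1; shift
    findings=0
    if [ ! -f "$pwfile" ]; then
        echo "MISSING $pwfile"
        findings=$((findings + 1))
    elif ! is_private "$pwfile"; then
        echo "PERMS   $pwfile is accessible by group or others"
        findings=$((findings + 1))
    fi
    for f in "$@"; do
        if ! is_vaulted "$f"; then
            echo "PLAIN   $f is missing or not vault-encrypted"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Demo with constructed files: one encrypted vars file, one left in plain
# text, and a password file that is world-readable.
demo_preflight() {
    d=$(mktemp -d)
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' 'constructed-ciphertext' \
        > "$d/ansible_extravars.yml"
    printf '%s\n' 'sap_vm_provision_ssh_host_private_key_file_path: "constructed"' \
        > "$d/ansible_extravars_existing_hosts.yml"
    printf '%s\n' 'constructed-vault-password' > "$d/password.key"
    chmod 644 "$d/password.key"
    preflight "$d/password.key" "$d/ansible_extravars.yml" \
        "$d/ansible_extravars_existing_hosts.yml"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_preflight
echo "findings: $?"
```

For the GCP procedure, pass ansible_extravars_gcp_ce_vm.yml as the second variable file. is_private can also be pointed at the SSH private key referenced in the inventory.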

Outcome

You now have a fully operational, non-production SAP ECC on an SAP HANA sandbox system installed on your existing host.

Your new sandbox environment includes:

  • SAP ECC 6.0 EHP8: The core application is installed and ready for use.

  • SAP HANA database: The system is running on an SAP HANA database.

  • Single-node architecture: The HANA database, ASCS and PAS instances are all running on the provided single host.

Next steps

You can now proceed with post-installation tasks, such as:

  • System Validation: Log in to the SAP GUI, run basic transaction codes like SM50 (Process Overview) or ST22 (ABAP Runtime Errors) to ensure the system is operational.

  • Initial Configuration: Perform any required basis configurations, such as setting up the SAP Transport Management System (STMS) or applying custom profile parameters via RZ10.

  • Development and Customization: Begin ABAP development, or use transaction code SPRO to start system customization.

  • Learning and Exploration: Use the system to explore standard SAP ECC modules and functionality in a safe, isolated environment.

8 For more information

Refer to the following resources: