Deploying a Highly Available, Distributed SAP S/4HANA System on Google Cloud with Ansible Automation


This guide provides comprehensive, step-by-step instructions for deploying a highly available and distributed SAP S/4HANA System on SUSE Linux Enterprise Server for SAP applications 16 in the Google Cloud Platform (GCP).
The playbooks will be executed from a control node running SUSE Linux Enterprise Server for SAP applications 16.0, and the target systems will also be deployed on SUSE Linux Enterprise Server for SAP applications 16.0.
By leveraging Ansible for automation, you can achieve a resilient, scalable, and enterprise-grade environment with minimal manual intervention.
This guide uses a Pay-As-You-Go (PAYG) model for the SUSE operating system, where the subscription cost is included in the instance pricing.

This document is intended for system administrators, DevOps engineers, and SAP Basis consultants who have a working knowledge of GCP, Ansible, and SAP principles.

By following this guide, you will:

  • Prepare a control node and the cloud environment for automation.
  • Configure Ansible variables for a custom deployment.
  • Execute a single playbook to provision and configure the entire SAP S/4HANA landscape.
  • Achieve a fully functional, highly available system ready for post-installation activities.

The resulting SAP S/4HANA system will consist of the following components:

  • Two SAP HANA scale-up servers in a high-availability cluster.
  • Two ASCS/ERS servers in a high-availability cluster.
  • One Primary Application Server (PAS).
  • One Additional Application Server (AAS).

Prepare Cloud Environment

Before running the Ansible playbooks, you must have a properly configured cloud environment (often called a ‘landing zone’). This includes the foundational networking, security, and access components that the automation will build upon. You will also need an IAM service user with sufficient permissions to create and manage the required resources.

  1. Create the environment for automation. More details can be found in the infrastructure prerequisites section.
    • VPC Network with subnets
    • Compute Firewall
    • Compute Router – Cloud NAT (SNAT)
    • DNS Managed Zone (Private DNS)
    • Filestore (NFS) or NFS server
    • Bastion host (GCP CE VM)

✅ TIP:
A bastion host is normally required when provisioning into a private VPC from an external network. However, if your control node already has direct network access to the cloud VPC, you can bypass the bastion. To do this, set the sap_vm_provision_bastion_execution variable to false.

  2. Create a new IAM role or policy with one of the following access levels:
    • Recommended: A policy with restricted access, as documented in the authorization prerequisites section. This follows the principle of least privilege and is the most secure option.

Prepare Control Node

✅ TIP:
The sles_sap_automation pattern is available only on SUSE Linux Enterprise Server for SAP applications 16.

The sles_sap_automation pattern provides the core tools for SAP automation on SUSE, including Ansible and a collection of SAP-specific roles and playbooks. Installing this pattern is the first step in preparing your control node.

sudo zypper install --type pattern sles_sap_automation

Validate that the pattern is installed with all its components.

sudo zypper info --type pattern sles_sap_automation

Refreshing service 'SUSE_Linux_Enterprise_Server_for_SAP_Applications_x86_64'.
Retrieving repository 'SLE-Product-SLES_SAP-16.0' metadata .........................................................................[done]
Building repository 'SLE-Product-SLES_SAP-16.0' cache ..............................................................................[done]
Loading repository data...
Reading installed packages...


Information for pattern sles_sap_automation:
--------------------------------------------
Repository      : SLE-Product-SLES_SAP-16.0
Name            : sles_sap_automation
Version         : 16.0-160000.2.2
Arch            : x86_64
Vendor          : SUSE LLC 
Installed       : Yes
Visible to User : Yes
Summary         : automation deployment
Description     :
    ansible playbooks and roles
Contents        :
    S  | Name                         | Type    | Dependency
    ---+------------------------------+---------+-----------
    i  | ansible                      | package | Required
    i  | ansible-linux-system-roles   | package | Required
    i  | ansible-sap-infrastructure   | package | Required
    i  | ansible-sap-install          | package | Required
    i  | ansible-sap-operations       | package | Required
    i  | ansible-sap-playbooks        | package | Required
    i+ | patterns-sap-automation      | package | Required
    i+ | patterns-sap-base_sap_server | package | Required

Install the requirements for GCP as defined in the prerequisites documentation.

sudo ansible-galaxy collection install google.cloud
sudo zypper install python313-google-auth

Generate SSH Keys

Ansible requires SSH keys to securely communicate with the newly provisioned cloud instances. If you do not already have an SSH key pair for this purpose, generate one on your control node now:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/gcp_sap_rsa -N ""

You will use the absolute paths to these keys (e.g., /root/.ssh/gcp_sap_rsa and /root/.ssh/gcp_sap_rsa.pub) in the variable configuration steps below.

Prepare playbooks and variables

Ansible Playbooks are installed in /usr/share/ansible/playbooks. To prevent changes from being overwritten by future package updates, we will not modify these files directly.

This guide will:

  1. Use the scenario directory /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_distributed_ha
  2. For simplicity, this guide stores all customizations in the /playbooks directory. Specifically, we will use /playbooks/S01 as the dedicated directory for our system.
  3. Define the minimally required variables and leave the predefined ones in place for simplified configuration.

Considerations for using Ansible Vault

For security, it is crucial to encrypt sensitive information like passwords and cloud credentials. Ansible Vault is the standard tool for this. You have a few options for organizing your encrypted variables:

  1. Encrypt all variables for the scenario.
  2. Split variables for reusability and encrypt only what is needed. Example:
    1. Cloud credentials and information encrypted in Vault
    2. Scenario passwords encrypted in Vault
    3. Scenario non-sensitive variables without using Vault.

In this guide, we will use a simplified variant for encrypting whole files.

Copy the default variable files for editing

Since we are provisioning new servers in GCP, we will need only 2 variable files:

  • ansible_extravars.yml – Contains scenario-specific variables.
  • ansible_extravars_gcp_ce_vm.yml – Contains platform-specific variables.

cp /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_distributed_ha/ansible_extravars.yml /playbooks/S01/
cp /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_distributed_ha/ansible_extravars_gcp_ce_vm.yml /playbooks/S01/

Updating the variable file ansible_extravars.yml

The following variables define the provisioning method and platform.

sap_vm_provision_iac_type: "ansible"

The following variable selects the desired topology from the sap_vm_provision_gcp_ce_vm_host_specifications_dictionary:

  • This dictionary contains predefined plans with recommended instance types for hosting the SAP system.
  • The actual GCP instance types (e.g., n2-standard-16, n2-highmem-32) for each component are defined by the virtual_machine_profile key within each plan.
  • You can customize your deployment by editing an existing plan or creating a new one within this dictionary.

sap_vm_provision_host_specification_plan: "xsmall_256gb"

The value of the variable sap_software_product is a key predefined in the dictionary sap_software_install_dictionary. This dictionary follows the same rules as the one above, and it can be edited or created anew.

sap_software_product: "sap_s4hana_2023_distributed"
sap_install_media_detect_source_directory: "/software"

✅ NOTE ON SAP MEDIA:

You have two options for providing the SAP installation media to the playbook:

1. Manual Download (Default):
By default, the playbook expects you to manually download all the required SAP installation files and place them in the directory defined by the sap_install_media_detect_source_directory variable.

2. Automated Download:
For a more automated setup, you can install the optional ansible-sap-launchpad package from the SUSE Package Hub. If this package is present, the playbook can automatically download the software from the SAP Launchpad. To enable this, you must provide your S-User credentials in the sap_id_user and sap_id_user_password variables.

For this guide, we use a master password for simplicity. In a production environment, you might choose to set individual passwords. You must provide values for the following password fields:

✅ TIP:
This guide does not include any plain-text passwords. You must define them when updating the variable files.

# Use a master password for SAP HANA installation (y/n) (String).
sap_hana_install_use_master_password: "y"

# The master password for SAP HANA (String).
sap_hana_install_master_password: ''

# Master password for the SAP system (String).
sap_swpm_master_password: ''

# Password for the DDIC user in client 000 (String).
sap_swpm_ddic_000_password: ''

# Password for the ABAP schema user (String).
sap_swpm_db_schema_abap_password: ''

# Password for the adm user in the database (String).
sap_swpm_db_sidadm_password: ''

# Password for the SYSTEM user in the SAP HANA database (String).
sap_swpm_db_system_password: ''

# Password for the SYSTEM user in the SAP HANA system database (String).
sap_swpm_db_systemdb_password: ''

✅ NOTE ON PLACEHOLDERS:
Throughout the variable files, you will find the placeholder ENTER_STRING_VALUE_HERE. You must replace all instances of this placeholder with the actual values from your environment.

The variables for Virtual Overlay IP addresses need to follow a specific convention for the given platform.

## Infrastructure Platform - High Availability Virtual IPs (VIPs)
# GCP:                  the VIP must be within the VPC Subnetwork range attached to GCP Backend Service
#                       for the Internal passthrough Network Load Balancer (e.g. 10.10.10.10/32)
sap_vm_provision_ha_vip_hana_primary: "ENTER_STRING_VALUE_HERE"
sap_vm_provision_ha_vip_nwas_abap_ascs: "ENTER_STRING_VALUE_HERE"
sap_vm_provision_ha_vip_nwas_abap_ers: "ENTER_STRING_VALUE_HERE"
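As an added pre-flight check (not part of the SUSE playbooks or of this guide's original content), the following POSIX shell script catches the two mistakes described above before the variable files are encrypted and handed to ansible-playbook: it reports any leftover ENTER_STRING_VALUE_HERE placeholder and any empty *_password value, and it tests every sap_vm_provision_ha_vip_* address against the VPC subnet range used by the Internal passthrough Network Load Balancer backend. The subnet CIDR 10.10.10.0/24 and the variable excerpt it writes to a temporary file are constructed inputs, not values from the page.

```shell
#!/bin/sh
# Added pre-flight check, not part of the SUSE playbooks: run it against the variable
# files before encrypting them and before launching ansible-playbook.
# 1) every ENTER_STRING_VALUE_HERE placeholder and every empty *_password value is reported;
# 2) every sap_vm_provision_ha_vip_* address is tested against the VPC subnet CIDR
#    (the subnet CIDR is an assumed input; the guide only states the VIP must lie inside it).

# Dotted-quad IPv4 -> integer (pure POSIX arithmetic, no external tools).
ip_to_int() {
  a=${1%%.*}; rest=${1#*.}; b=${rest%%.*}; rest=${rest#*.}; c=${rest%%.*}; d=${rest#*.}
  echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# Network mask of a prefix length as an integer, built without shift operators.
prefix_to_mask() {
  mask=0; i=0
  while [ "$i" -lt "$1" ]; do mask=$(( mask * 2 + 1 )); i=$(( i + 1 )); done
  while [ "$i" -lt 32 ]; do mask=$(( mask * 2 )); i=$(( i + 1 )); done
  echo "$mask"
}

# Exit 0 when IPv4 $1 lies inside CIDR $2 (e.g. 10.10.10.10 10.10.10.0/24).
ip_in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(prefix_to_mask "$bits")
  ip=$(ip_to_int "$1"); netint=$(ip_to_int "$net")
  [ $(( ip & mask )) -eq $(( netint & mask )) ]
}

# Exit 0 when no placeholder and no empty password value remains in the given files.
check_placeholders() {
  rc=0
  for f in "$@"; do
    if grep -n 'ENTER_STRING_VALUE_HERE' "$f"; then
      echo "$f: placeholder values still present" >&2; rc=1
    fi
    # keys ending in _password whose value is '' or ""
    if grep -nE "^[[:space:]]*[A-Za-z0-9_]*_password:[[:space:]]*(''|\"\")[[:space:]]*$" "$f"; then
      echo "$f: empty password values still present" >&2; rc=1
    fi
  done
  return "$rc"
}

# Exit 0 when every sap_vm_provision_ha_vip_* value in file $1 lies inside subnet CIDR $2.
check_vips() {
  rc=0
  for entry in $(grep -E '^sap_vm_provision_ha_vip_[a-z_]+:' "$1" | tr -d "[:blank:]\"'"); do
    key=${entry%%:*}; vip=${entry#*:}; vip=${vip%/*}   # accept 10.10.10.10 or 10.10.10.10/32
    case $vip in
      ''|*[!0-9.]*) echo "$key: '$vip' is not an IPv4 address" >&2; rc=1; continue ;;
    esac
    if ip_in_cidr "$vip" "$2"; then
      echo "$key=$vip is inside $2"
    else
      echo "$key=$vip is OUTSIDE $2" >&2; rc=1
    fi
  done
  return "$rc"
}

# Constructed excerpt of ansible_extravars.yml with deliberate mistakes (not real values).
SAMPLE_VARS=$(mktemp)
cat > "$SAMPLE_VARS" <<'EOF'
sap_hana_install_use_master_password: "y"
sap_hana_install_master_password: ''
sap_vm_provision_ha_vip_hana_primary: "10.10.10.10"
sap_vm_provision_ha_vip_nwas_abap_ascs: "10.10.10.11/32"
sap_vm_provision_ha_vip_nwas_abap_ers: "10.10.20.12"
EOF
SAMPLE_SUBNET="10.10.10.0/24"   # assumed VPC subnet range behind the internal load balancer

check_placeholders "$SAMPLE_VARS" || echo "fix the variable file before encrypting it" >&2
check_vips "$SAMPLE_VARS" "$SAMPLE_SUBNET" || echo "one or more VIPs violate the GCP convention" >&2
```

Run it from /playbooks/S01 against the real files (for example `check_placeholders ansible_extravars.yml ansible_extravars_gcp_ce_vm.yml` and `check_vips ansible_extravars.yml <your-subnet-cidr>`) before the encryption step, because once the files are vaulted a plain grep no longer sees their contents.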

Updating the variable file ansible_extravars_gcp_ce_vm.yml

The variables for connecting through a Bastion host.

✅ TIP:
If you bypassed the bastion host earlier by setting sap_vm_provision_bastion_execution: false, you can ignore the bastion-related variables below.

# Bastion user name (String).
sap_vm_provision_bastion_user: "ENTER_STRING_VALUE_HERE"

# Bastion host SSH port number (String).
sap_vm_provision_bastion_ssh_port: "ENTER_STRING_VALUE_HERE"

# Public IP of the bastion server (String).
sap_vm_provision_bastion_public_ip: "ENTER_STRING_VALUE_HERE"

# Path to bastion server's SSH private key on the execution node (String).
sap_vm_provision_ssh_bastion_private_key_file_path: "ENTER_STRING_VALUE_HERE"

# Path to target host's SSH private key on the execution node (String).
sap_vm_provision_ssh_host_private_key_file_path: "ENTER_STRING_VALUE_HERE"

# Path to target host's SSH public key on execution node (String).
sap_vm_provision_ssh_host_public_key_file_path: "ENTER_STRING_VALUE_HERE"

The variables for connection to the cloud environment.

# Path to JSON credentials file (String).
sap_vm_provision_gcp_credentials_json: "ENTER_STRING_VALUE_HERE"

# Project name (String).
sap_vm_provision_gcp_project: "ENTER_STRING_VALUE_HERE"

# Region (String).
sap_vm_provision_gcp_region: "ENTER_STRING_VALUE_HERE"

# Region zone (String).
sap_vm_provision_gcp_region_zone: "ENTER_STRING_VALUE_HERE"

# VPC name (String).
sap_vm_provision_gcp_vpc_name: "ENTER_STRING_VALUE_HERE"

# VPC Subnet name (String).
sap_vm_provision_gcp_vpc_subnet_name: "ENTER_STRING_VALUE_HERE"

# Root domain for DNS entries (e.g., example.com) (String).
sap_vm_provision_dns_root_domain: "ENTER_STRING_VALUE_HERE"

The variables for selecting which OS image to use for provisioned instances.
They are defined in the dictionary sap_vm_provision_gcp_ce_vm_host_os_image_dictionary, which defines the search pattern for images.
This guide uses a Pay-As-You-Go (PAYG) image.

sap_vm_provision_gcp_ce_vm_host_os_image: "sles-16-0-sap-ha"

The scenario-specific variables for the platform are required because we are configuring High Availability.

# NFS mount e.g. 10.x.x.x:/gcp_filestore_share_name
sap_vm_provision_nfs_mount_point: "ENTER_STRING_VALUE_HERE"

# NFS mount e.g. 10.x.x.x:/gcp_filestore_share_name
sap_vm_provision_nfs_mount_point_separate_sap_transport_dir: "ENTER_STRING_VALUE_HERE"

# NFS version (String).
sap_vm_provision_nfs_mount_point_type: nfs

# NFS Mount options (String).
sap_vm_provision_nfs_mount_point_opts:
  vers=3,mountvers=3,rw,relatime,hard,proto=tcp,timeo=600,retrans=2,mountport=2050,mountproto=tcp

Encrypt files with Ansible Vault

Files can be encrypted either by using a prompt or a password file, which is easier for reusability in larger environments.

Encryption with Prompt

sudo ansible-vault encrypt ansible_extravars.yml ansible_extravars_gcp_ce_vm.yml

Encryption with a Password File is easier for reusability, but it requires appropriate permissions and protection for security compliance.

# Create the file with owner-only permissions from the start (umask 077), then encrypt.
# Note: a literal password on the command line is recorded in your shell history.
(umask 077; echo "YourSecureVaultPassword" > password.key)
chmod 600 password.key
sudo ansible-vault encrypt --vault-password-file password.key ansible_extravars.yml ansible_extravars_gcp_ce_vm.yml
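Added example (not from this guide or the SUSE packages): a small shell pre-check that confirms each variable file really carries the Ansible Vault header and that the password file is readable only by its owner. A file that was skipped during encryption would otherwise pass plaintext credentials to ansible-playbook unnoticed. The demonstration files it writes to a temporary directory are constructed; the header it looks for is the standard `$ANSIBLE_VAULT;<version>;AES256` first line that ansible-vault writes.

```shell
#!/bin/sh
# Added check, not part of the SUSE playbooks: verify vault state and key-file permissions
# before running ansible-playbook with --vault-password-file.

# Exit 0 when file $1 starts with the Ansible Vault header ($ANSIBLE_VAULT;1.1;AES256 or 1.2 with a label).
is_vault_encrypted() {
  case $(head -n 1 "$1" 2>/dev/null) in
    '$ANSIBLE_VAULT;'*';AES256'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 0 when $1 is a regular file readable/writable by its owner only (mode 600 or 400).
key_file_is_private() {
  [ -f "$1" ] || return 1
  case $(ls -ld "$1") in
    -rw-------*|-r--------*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: vault_precheck <password-file> <vault-file>...  Exit non-zero on any finding.
vault_precheck() {
  key=$1; shift; rc=0
  key_file_is_private "$key" || { echo "$key: must exist and be mode 600" >&2; rc=1; }
  for f in "$@"; do
    if is_vault_encrypted "$f"; then
      echo "$f: encrypted"
    else
      echo "$f: NOT encrypted (plaintext secrets would be passed to ansible-playbook)" >&2; rc=1
    fi
  done
  return "$rc"
}

# Constructed demonstration files (not real secrets): one with a vault header, one left in plaintext.
DEMO=$(mktemp -d)
printf '$ANSIBLE_VAULT;1.1;AES256\n3031323334353637\n' > "$DEMO/ansible_extravars.yml"
printf 'sap_swpm_master_password: "plaintext"\n' > "$DEMO/ansible_extravars_gcp_ce_vm.yml"
printf 'demo-vault-password\n' > "$DEMO/password.key"
chmod 600 "$DEMO/password.key"

vault_precheck "$DEMO/password.key" "$DEMO/ansible_extravars.yml" "$DEMO/ansible_extravars_gcp_ce_vm.yml" \
  || echo "do not run ansible-playbook until every variable file is encrypted" >&2
```

In /playbooks/S01 the call becomes `vault_precheck password.key ansible_extravars.yml ansible_extravars_gcp_ce_vm.yml`; a zero exit is the condition for proceeding to the playbook run.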

Executing Playbook

Now that your environment is prepared and your variables are defined, you can execute the main playbook. This command should be executed from your working directory for this system (e.g., /playbooks/S01). It will start the automated process of provisioning the infrastructure and installing the SAP software. The `--vault-password-file` option tells Ansible how to decrypt your sensitive variables.

sudo ansible-playbook /usr/share/ansible/playbooks/ansible.playbooks_for_sap/deploy_scenarios/sap_s4hana_distributed_ha/ansible_playbook.yml \
	--extra-vars "@./ansible_extravars.yml" \
	--extra-vars "@./ansible_extravars_gcp_ce_vm.yml" \
	--vault-password-file password.key

✅ TIP: Understanding Variable Precedence

The order in which you load extra variable files (--extra-vars) is important. Ansible processes them in the order they appear on the command line. If the same variable is defined in multiple files, the value from the last file loaded takes precedence.

In this command, we load the platform-specific file ansible_extravars_gcp_ce_vm.yml last. This is a deliberate choice that allows you to override any general scenario settings from ansible_extravars.yml with platform-specific values for your GCP deployment.

Final Outcome and Next Steps

Upon successful completion of the steps outlined in this guide, you will have a fully operational, highly available, and distributed SAP S/4HANA landscape on GCP. The entire deployment, from infrastructure provisioning to SAP software installation, will be automated through Ansible, ensuring consistency and repeatability.

Your new environment includes:

  • A Clustered SAP HANA Database: With automated failover to ensure continuous availability.
  • A Clustered ASCS/ERS Instance: Protecting the central services, which are critical for system operation.
  • Multiple Application Servers: To distribute the workload and provide scalability.
  • Shared Storage: For binaries and transport files, accessible across the landscape.

Next Steps

With the technical installation complete, you can now proceed with post-installation tasks, such as:

  • System Validation: Performing health checks and verifying the high-availability functionality.
  • SAP Configuration: Applying initial SAP basis configurations, such as STMS (SAP Transport Management System) and profile parameter tuning.
  • Backup and Recovery: Implementing a robust backup and recovery strategy for the SAP HANA database and application servers.
  • Monitoring: Integrating the new landscape with your existing monitoring solutions.

This automated approach not only accelerates the initial deployment but also provides a solid foundation for managing the lifecycle of your SAP systems.

Marcel Mamula Solution Architect for SAP Automation in SAP Solutions team.