sap_profile_update: Complete redesign and rework

roles/sap_profile_update/README.md

@@ -1,80 +1,173 @@
+<!-- BEGIN Title -->
 # sap_profile_update Ansible Role
-
-Ansible role for updating SAP profiles
-
-- **DEFAULT** profile
-- **Instance** profile
-
-## Overview
-
-### Variables
-
-| **Variable**                                  | **Info**                                             | **Default** | **Required** |
-| :---                                          | :---                                                 | :---        | :---         |
-| sap_update_profile_sid                        | SAP system SID                                       | <none>      | yes          |
-| sap_update_profile_instance_nr                | SAP system instance number                           | <none>      | yes          |
-| sap_update_profile_default_profile_params     | List of parameters to update in the default profile  | <none>      | no           |
-| sap_update_profile_instance_profile_params    | List of parameters to update in the instance profile | <none>      | no           |
-
-### Input and Execution
-
-- Sample execution:
-
-    ```bash
-    ansible-playbook --connection=local --limit localhost -i "localhost," sap-profile-update.yml -e "@input_file.yml"
-    ```
-
-- Sample direct input
-
-    ```yaml
-    sap_update_profile_sid: "S20"
-    sap_update_profile_instance_nr: "00"
-    sap_update_profile_default_profile_params:
-      - sapgui/user_scripting = TRUE
-      - ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
-      - ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
-    sap_update_profile_instance_profile_params:
-      - PHYS_MEMSIZE = 32768
-      - icm/server_port_0 = PROT=HTTP,PORT=80$$,PROCTIMEOUT=600,TIMEOUT=3600
-      - icm/server_port_1 = PROT=HTTPS,PORT=443$$,PROCTIMEOUT=600,TIMEOUT=3600
-      - icm/server_port_2 = PROT=SMTP,PORT=25$$,PROCTIMEOUT=120,TIMEOUT=120
-    ```
-
-- Sample playbook using `sap_facts` module to get all SAP systems in the host
-
-    ```yaml
-    ---
-    - hosts: all
-      become: true
-
+<!-- END Title -->
+
+## Description
+<!-- BEGIN Description -->
+The Ansible role `sap_profile_update` manages parameters in SAP profile files.
+<!-- END Description -->
+
+<!-- BEGIN Dependencies -->
+<!-- END Dependencies -->
+
+<!-- BEGIN Prerequisites -->
+<!-- END Prerequisites -->
+
+## Execution
+<!-- BEGIN Execution -->
+<!-- BEGIN Execution -->
+
+### Execution Flow
+<!-- BEGIN Execution Flow -->
+1. Assert all variables.
+2. Validate all variables against target host and its profiles.
+3. Manage parameters in profiles.
+4. Add audit comment in profile file if change occurred.
+
+#### Examples of audit comments
+```bassh
+# 2025-12-09 09:58:34 'rdisp/wp_no_btc' added with value '6' by Ansible Role community.sap_operations.sap_profile_update.
+# 2025-12-09 10:00:25 'rdisp/wp_no_btc' changed from '6' to '7' by Ansible Role community.sap_operations.sap_profile_update.
+# 2025-12-09 10:01:04 'rdisp/wp_no_btc' commented out by Ansible Role community.sap_operations.sap_profile_update.
+```
+
+<!-- END Execution Flow -->
+
+### Example
+<!-- BEGIN Execution Example -->
+Example of changing the parameter `rdisp/wp_no_btc` for one System `B01`.
+```yaml
+- name: Ansible Play for SAP Profile update
+  hosts: host
+  become: true
+  tasks:
+    - name: Execute Ansible Role sap_profile_update
+      ansible.builtin.include_role:
+        name: community.sap_operations.sap_profile_update
       vars:
-
-        sap_update_profile_default_profile_params:
-            - sapgui/user_scripting = TRUE
-            - ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
-            - ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
-        sap_update_profile_instance_profile_params:
-            - PHYS_MEMSIZE = 32768
-            - icm/server_port_0 = PROT=HTTP,PORT=80$$,PROCTIMEOUT=600,TIMEOUT=3600
-            - icm/server_port_1 = PROT=HTTPS,PORT=443$$,PROCTIMEOUT=600,TIMEOUT=3600
-            - icm/server_port_2 = PROT=SMTP,PORT=25$$,PROCTIMEOUT=120,TIMEOUT=120
-
-      tasks:
-
-        # Gather SAP facts of the host
-        - name: Run sap_facts module to gather SAP facts
-          community.sap_operations.sap_facts:
-            param: "all"
-          register: sap_facts_register
-
-        # Update all the profiles of the SAP systems in the host
-        - name: Update all the profiles of the SAP systems in the host
-          vars:
-            sap_update_profile_sid: "{{ item.SID }}"
-            sap_update_profile_instance_nr: "{{ item.InstanceNumber }}"
-          ansible.builtin.include_role:
-            name: community.sap_operations.sap_profile_update
-          loop: "{{ sap_facts_register.sap_facts }}"
-          when:
-            - item.Type == 'nw'
-    ```
+        sap_profile_update_definitions:
+          - sid: 'B01'
+            profiles:
+              - type: 'instance'
+                instance_number: '01'
+                parameters:
+                  - name: 'rdisp/wp_no_btc'
+                    value: '10'
+```
+
+Example of resizing instances for multiple Systems on one host with custom path to profiles.
+```yaml
+- name: Ansible Play for SAP Profile update
+  hosts: host
+  become: true
+  tasks:
+    - name: Execute Ansible Role sap_profile_update
+      ansible.builtin.include_role:
+        name: community.sap_operations.sap_profile_update
+      vars:
+        sap_profile_update_definitions:
+          - sid: 'B01'
+            profiles:
+              - type: 'instance'
+                instance_number: '10'
+                path: '/usr/sap/B01/SYS/profile/B01_D10_b01hana_custom'
+                parameters:
+                  - name: 'PHYS_MEMSIZE'
+                    value: '12880'
+          - sid: 'B02'
+            profiles:
+              - type: 'instance'
+                instance_number: '20'
+                path: '/sapmnt/B02/profile/B02_D20_b02hana_custom'
+                parameters:
+                  - name: 'PHYS_MEMSIZE'
+                    value: '12880'
+```
+
+Example of removing obsolete parameter for one System `B01`.
+```yaml
+- name: Ansible Play for SAP Profile update
+  hosts: host
+  become: true
+  tasks:
+    - name: Execute Ansible Role sap_profile_update
+      ansible.builtin.include_role:
+        name: community.sap_operations.sap_profile_update
+      vars:
+        sap_profile_update_definitions:
+          - sid: 'B01'
+            profiles:
+              - type: 'default'
+                parameters:
+                  - name: 'icf/user_recheck'
+                    state: 'absent'
+```
+<!-- END Execution Example -->
+
+## License
+<!-- BEGIN License -->
+Apache 2.0
+<!-- END License -->
+
+## Maintainers
+<!-- BEGIN Maintainers -->
+- [Marcel Mamula](https://github.com/marcelmamula)
+<!-- END Maintainers -->
+
+## Role Variables
+<!-- BEGIN Role Variables -->
+### sap_profile_update_definitions
+- _Type:_ `list` of type `list` of type `dict`
+
+This variable defines all SAP systems, profiles, and parameters to be managed or updated on the current host.</br>
+It is structured as a list of dictionaries, where each top-level dictionary defines a specific SAP System ID (SID). </br>
+
+Key fields:
+* `sid`: The 3-letter SAP System ID (e.g., 'PRD', 'QAS').
+* `profiles`: A list of profile files to manage for this SID.
+  * `type`: `default` or `instance`. Used for dynamic path calculation.
+  * `instance_number`: Required if type is `instance` (e.g., '00', '10').
+  * `path`: (Optional) Explicit file path to the profile. If omitted, the path
+          will be constructed based on 'sid', 'type', and discovered facts.
+  * `parameters`: The list of parameters to apply to this profile file.
+    * `name`: Parameter name to update (e.g., `ssl/ciphersuites`).
+    * `value`: New value for the parameter. Not required if state is `absent`.
+    * `state`: (Optional) `present` (default) or `absent`.
+
+Example:
+```yaml
+sap_profile_update_definitions:
+  - sid: 'B01'
+    profiles:
+      - type: 'default'
+        parameters:
+          - name: 'ssl/ciphersuites'
+            value: '135:PFS:HIGH::EC_P256:EC_HIGH'
+          - name: 'rdisp/TRACE_LOGGING'
+            state: 'absent'
+      - type: 'instance'
+        instance_number: '10'
+        path: '/usr/sap/B01/SYS/profile/B01_D10_b01hana_custom'
+        parameters:
+          - name: 'rdisp/wp_no_btc'
+            value: '6'
+          - name: 'rdisp/wp_no_vb2'
+            value: '2'
+  - sid: 'B02'
+    profiles:
+      - type: 'default'
+        path: '/sapmnt/B02/profile/DEFAULT.PFL'
+        parameters:
+          - name: 'ssl/ciphersuites'
+            value: '135:PFS:HIGH::EC_P256:EC_HIGH'
+```
+
+### sap_profile_update_restart_sapstartsrv
+- _Type:_ `bool`<br>
+- _Default:_ `false`<br>
+
+Enable this variable to restart sapstartsrv service after updating parameters.</br>
+This is applicable only for 'instance' type profiles as DEFAULT.PFL does not have sapstartsrv.</br>
+This role does not manage restart of complete SAP System,
+and this parameter is limited to `sapcontrol -nr XX -function RestartService` only.</br>
+<!-- END Role Variables -->

roles/sap_profile_update/defaults/main.yml

@@ -1,20 +1,32 @@
-# SAP system details
-sap_update_profile_sid:
-sap_update_profile_instance_nr:
+# SPDX-License-Identifier: Apache-2.0
+---
 
-# List of profile parameters to be updated in the DEFAULT profile
-sap_update_profile_default_profile_params: []
-# Sample list
-# sap_update_profile_default_profile_params:
-#     - sapgui/user_scripting = TRUE
-#     - ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
-#     - ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
+# This variable defines all SAP systems, profiles, and parameters to be managed
+# or updated on the current host. It is structured as a list of dictionaries,
+# where each top-level dictionary defines a specific SAP System ID (SID).
+#
+# Structure:
+# - List of Systems (sid)
+#   - List of Profiles (type: default/instance)
+#     - List of Parameters (name, value, state)
+#
+# Key fields:
+# * sid: The 3-letter SAP System ID (e.g., 'PRD', 'QAS').
+# * profiles: A list of profile files to manage for this SID.
+#   * type: 'default' or 'instance'. Used for dynamic path calculation.
+#   * instance_number: Required if type is 'instance' (e.g., '00', '10').
+#   * path: (Optional) Explicit file path to the profile. If omitted, the path
+#           will be constructed based on 'sid', 'type', and discovered facts.
+#   * parameters: The list of parameters to apply to this profile file.
+#     * name: Parameter name to update (e.g., 'ssl/ciphersuites').
+#     * value: New value for the parameter. Not required if state is 'absent'.
+#     * state: (Optional) 'present' (default) or 'absent'.
+#
+sap_profile_update_definitions: []
 
-# List of profile parameters to be updated in the instance profile
-sap_update_profile_instance_profile_params: []
-# Sample list
-# sap_update_profile_instance_profile_params:
-#     - PHYS_MEMSIZE = 32768
-#     - icm/server_port_0 = PROT=HTTP,PORT=80$$,PROCTIMEOUT=600,TIMEOUT=3600
-#     - icm/server_port_1 = PROT=HTTPS,PORT=443$$,PROCTIMEOUT=600,TIMEOUT=3600
-#     - icm/server_port_2 = PROT=SMTP,PORT=25$$,PROCTIMEOUT=120,TIMEOUT=120
+
+# Enable this variable to restart sapstartsrv service after updating parameters.
+# This is applicable only for 'instance' type profiles as DEFAULT.PFL does not have sapstartsrv.
+# This role does not manage restart of complete SAP System,
+# and this parameter is limited to 'sapcontrol -function RestartService' only.
+sap_profile_update_restart_sapstartsrv: false

roles/sap_profile_update/tasks/main.yml

@@ -1,38 +1,24 @@
+# SPDX-License-Identifier: Apache-2.0
 ---
-# Get instance profile path using sapcontrol
-- name: SAP Profile Update - Get Instance Profile
-  ansible.builtin.shell: |
-    set -o pipefail
-    source ~/.profile ; sapcontrol -nr {{ sap_update_profile_instance_nr }} -function ParameterValue SAPPROFILE | grep profile
-  args:
-    executable: /bin/bash
-  become: true
-  become_user: "{{ sap_update_profile_sid | lower }}adm"
-  register: get_instance_profile
 
-- name: SAP Profile Update - Setup facts
-  ansible.builtin.set_fact:
-    sap_update_profile_default_profile_file_path: "/sapmnt/{{ sap_update_profile_sid }}/profile/DEFAULT.PFL"
-    sap_update_profile_instance_profile_file_path: "{{ get_instance_profile.stdout }}"
+# Main variable 'sap_profile_update_definitions' is complex and requires special handling.
+# This is achieved by dedicated task files for each level inside of list.
+# 1. Systems - Keys: sid, profiles
+# 2. Profiles - Keys: type, instance_number, path, parameters
+# 3. Parameters - Keys: name, value, state
 
-# Update default profile
-- name: SAP Profile Update - Updating DEFAULT.PFL
-  ansible.builtin.include_tasks: update_parameter.yml
-  vars:
-    passed_parameter_path: "{{ sap_update_profile_default_profile_file_path }}"
-  loop: "{{ sap_update_profile_default_profile_params }}"
-  loop_control:
-    loop_var: passed_parameter
-  when:
-    - sap_update_profile_default_profile_params is defined
+# 1. Validate through 'sap_profile_update_definitions'
+# and check against host to ensure we catch failure before doing changes.
+- name: SAP Profile Update - Validate variables
+  ansible.builtin.include_tasks:
+    file: validation/validate_variables.yml
 
-# Update instance profile
-- name: SAP Profile Update - Updating instance profile
-  ansible.builtin.include_tasks: update_parameter.yml
-  vars:
-    passed_parameter_path: "{{ sap_update_profile_instance_profile_file_path }}"
-  loop: "{{ sap_update_profile_instance_profile_params }}"
+# 2. Loop through all top level System items to update profiles
+# We need one less task file as loop is done in main, instead of validate_variables.yml.
+- name: SAP Profile Update - Update parameters
+  ansible.builtin.include_tasks:
+    file: update/update_system.yml
+  loop: "{{ sap_profile_update_definitions }}"
   loop_control:
-    loop_var: passed_parameter
-  when:
-    - sap_update_profile_instance_profile_params is defined
+    loop_var: __sap_profile_update_system
+    label: "SID: {{ __sap_profile_update_system.sid }}"