align network and readme (config changes)
This commit is contained in:
parent
4f966c4c9f
commit
ff77fbab55
5 changed files with 74 additions and 25 deletions
@ -44,15 +44,16 @@ resource "stackit_network" "p2_lan_network1" {
|
|||
resource "stackit_network_interface" "p2_lan1" {
|
||||
project_id = module.project.project_info["project2"].project_id
|
||||
network_id = stackit_network.p2_lan_network1.network_id
|
||||
security = true
|
||||
security = false
|
||||
name = "P2LAN1"
|
||||
security_group_ids = [ stackit_security_group.example.security_group_id ]
|
||||
//security_group_ids = [ stackit_security_group.example.security_group_id ]
|
||||
}
|
||||
|
||||
// this is for adding a second network interface to the core project (for WAN access).
|
||||
/* resource "stackit_network" "p2_wan_network1" {
|
||||
project_id = module.project.project_info["project2"].project_id
|
||||
name = "wan"
|
||||
ipv4_prefix = "10.220.6.0/24"
|
||||
ipv4_prefix = "10.220.50.0/24"
|
||||
routed = true
|
||||
}
|
||||
|
||||
|
|
@ -82,6 +83,8 @@ resource "stackit_network_interface" "p3_lan1" {
|
|||
//security_group_ids = [ stackit_security_group.example.security_group_id ]
|
||||
}
|
||||
|
||||
// project 4 for SKE, so no configuration necessary here
|
||||
|
||||
// ------- project 5 - vpn ------------
|
||||
// This file defines the network setup for the fifth project (vpn).
|
||||
resource "stackit_network" "wan_network_beta" {
|
||||
|
|
@ -128,9 +131,9 @@ resource "stackit_network" "p6_lan_network1" {
|
|||
resource "stackit_network_interface" "p6_lan1" {
|
||||
project_id = module.project.project_info["project6"].project_id
|
||||
network_id = stackit_network.p6_lan_network1.network_id
|
||||
security = true
|
||||
security = false
|
||||
name = "P6LAN1"
|
||||
security_group_ids = [ stackit_security_group.example_beta.security_group_id ]
|
||||
//security_group_ids = [ stackit_security_group.example_beta.security_group_id ]
|
||||
}
|
||||
|
||||
// ---------- public IPs ------------------
|
||||
|
|
@ -139,7 +142,7 @@ resource "stackit_public_ip" "wan_ip" {
|
|||
project_id = module.project.project_info["project1"].project_id
|
||||
network_interface_id = stackit_network_interface.wan.network_interface_id
|
||||
}
|
||||
resource "stackit_public_ip" "wan_ip_alpha" {
|
||||
resource "stackit_public_ip" "wan_ip_beta" {
|
||||
project_id = module.project.project_info["project5"].project_id
|
||||
network_interface_id = stackit_network_interface.wan_beta.network_interface_id
|
||||
}
|
||||
|
|
@ -154,9 +157,15 @@ resource "stackit_public_ip" "wan_ip_alpha" {
|
|||
// Output the public IPs for both projects
|
||||
output "public_ips" {
|
||||
value = {
|
||||
"wan_ip" = stackit_public_ip.wan_ip.ip
|
||||
"wan_ip_alpha" = stackit_public_ip.wan_ip_alpha.ip
|
||||
"pfsense-alpha" = stackit_public_ip.wan_ip.ip
|
||||
"pfsense-beta" = stackit_public_ip.wan_ip_beta.ip
|
||||
//"wan_server" = stackit_public_ip.wan_server.ip
|
||||
}
|
||||
}
|
||||
|
||||
output "private_ips" {
|
||||
value = {
|
||||
"linux-alpha" = stackit_network_interface.p2_lan1.ipv4
|
||||
"linux-beta" = stackit_network_interface.p6_lan1.ipv4
|
||||
}
|
||||
}
|
||||
|
|
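Review bot: The interfaces `p2_lan1` (hunk -44,15) and `p6_lan1` (hunk -128,9) now set `security = false` and comment out `security_group_ids` on the same port, so the core VMs' LAN ports appear to lose port security and security-group filtering together, and nothing in the commit records why; the README hunk meanwhile still describes the LAN interface as having an "optional configured security group". If the goal is only to let the pfSense-routed inter-SNA traffic (10.220.5.0/24 and 10.230.5.0/24) through, a rule in `stackit_security_group.example` / `example_beta` allowing the peer LAN prefix would keep filtering in place. If disabling is deliberate for the POC, a comment next to each `security = false` such as `// port security and SG filtering disabled for the POC so routed inter-SNA traffic is not dropped; re-enable before production use` would document it. The `public_ips` output (hunk -154,9) still carries the dead `//"wan_server"` line, which can be dropped.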
@ -26,8 +26,12 @@ resource "stackit_image" "pfsense_image" {
|
|||
disk_bus = "scsi"
|
||||
secure_boot = false
|
||||
}
|
||||
lifecycle {
|
||||
ignore_changes = [ local_file_path ]
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Upload VPN Appliance Image to STACKIT
|
||||
resource "stackit_image" "pfsense_image_beta" {
|
||||
project_id = module.project.project_info["project5"].project_id
|
||||
|
|
@ -43,5 +47,9 @@ resource "stackit_image" "pfsense_image_beta" {
|
|||
disk_bus = "scsi"
|
||||
secure_boot = false
|
||||
}
|
||||
lifecycle {
|
||||
ignore_changes = [ local_file_path ]
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
|
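Review bot: The new `lifecycle { ignore_changes = [ local_file_path ] }` in both `stackit_image` resources (hunks -26,8 and -43,5) presumably means a changed `local_file_path` no longer causes the pfSense image to be re-uploaded or replaced, so an updated appliance image on disk silently leaves the old image in STACKIT. If this is meant to avoid spurious replacements when the path differs between operators, a comment stating that and how to force a refresh, e.g. `// image file is not re-uploaded on path changes; use terraform apply -replace=stackit_image.<name> to refresh`, would make the intent clear; otherwise tracking the file content (a hash) rather than ignoring the path would be safer. Both resource bodies start outside the hunk.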
@ -39,7 +39,7 @@ resource "stackit_volume" "pfsense_vol_beta" {
|
|||
|
||||
resource "stackit_server" "pfsense_appliance_beta" {
|
||||
project_id = module.project.project_info["project5"].project_id
|
||||
name = "pfSense"
|
||||
name = "pfSense-beta"
|
||||
boot_volume = {
|
||||
source_type = "volume"
|
||||
source_id = stackit_volume.pfsense_vol_beta.volume_id
|
||||
|
|
46
README.md
46
README.md
@ -6,35 +6,56 @@ This repository contains Terraform code to deploy the following infrastructure p
|
|||
|
||||
## 📦 Projects Overview
|
||||
|
||||
### 1. **Landing Zone**
|
||||
|
||||
|
||||
### 1. **ALPHA SNA**
|
||||
|
||||
#### 1.1 **Landing Zone**
|
||||
- Deploys a single **pfSense VM** as the central firewall/router.
|
||||
- Acts as the entry point for the environment.
|
||||
- Configures **WAN and multiple LAN networks**:
|
||||
- Configures **WAN and one LAN network**:
|
||||
- `wan_network`: `10.220.0.0/24`
|
||||
- `lan_network1`: `10.220.1.0/24`
|
||||
- Interfaces:
|
||||
- WAN interface with static IP `10.220.0.254`
|
||||
- LAN1–3 interfaces, each connected to corresponding networks
|
||||
- LAN interfaces with dynamic IP
|
||||
|
||||
### 2. **Core**
|
||||
#### 1.2 **Core**
|
||||
- Deploys a single **Virtual Machine** (VM) for core services or testing purposes.
|
||||
- Network setup includes:
|
||||
- `p2_lan_network`: `10.220.5.0/24` (routed)
|
||||
- `p2_wan_network`: `10.220.6.0/24` (routed) - optional
|
||||
- `p2_wan_network`: `10.220.50.0/24` (routed) - optional and deactivated
|
||||
- Interfaces:
|
||||
- LAN interface with attached security group
|
||||
- WAN interface without additional security
|
||||
- LAN interface with optional configured security group
|
||||
- WAN interface without additional security set
|
||||
|
||||
### 3. **Backup**
|
||||
#### 1.3 **Backup**
|
||||
- Used for backup and disaster recovery scenarios.
|
||||
- Creates an **Object Storage Bucket**.
|
||||
- Relevant **access credentials** are provisioned for use with other services.
|
||||
|
||||
### 4. **SKE**
|
||||
#### 1.4 **SKE**
|
||||
- Deploys a managed **SKE (STACKIT Kubernetes Engine)** cluster.
|
||||
- `ske_network`: `10.220.10.0/24`
|
||||
|
||||
### 2. **BETA SNA**
|
||||
|
||||
#### 2.1 **VPN**
|
||||
- Deploys a single **pfSense VM** as the central firewall/router.
|
||||
- Acts as the entry point for the environment.
|
||||
- Configures **WAN and one LAN network**:
|
||||
- `wan_network`: `10.230.0.0/24`
|
||||
- `lan_network1`: `10.230.1.0/24`
|
||||
- Interfaces:
|
||||
- WAN interface with static IP `10.230.0.254`
|
||||
- LAN interfaces with dynamic IP
|
||||
|
||||
#### 2.2 **Infra**
|
||||
- Deploys a single **Virtual Machine** (VM) for infra services or testing purposes.
|
||||
- Network setup includes:
|
||||
- `p6_lan_network`: `10.230.5.0/24` (routed)
|
||||
- Interfaces:
|
||||
- LAN interface with optional configured security group and dynamic IP.
|
||||
---
|
||||
|
||||
## 🚀 Getting Started
|
||||
|
|
@ -48,7 +69,7 @@ This repository contains Terraform code to deploy the following infrastructure p
|
|||
|
||||
1. Clone this repository:
|
||||
```bash
|
||||
git clone https://professional-service.git.onstackit.cloud/professional-service-best-practices/landingzone.git
|
||||
git clone https://professional-service.git.onstackit.cloud/professional-service-best-practices/landingzone_ipsec.git
|
||||
cd <repo-name>
|
||||
```
|
||||
|
||||
|
|
@ -75,6 +96,7 @@ This repository contains Terraform code to deploy the following infrastructure p
|
|||
|
||||
The deployment will output:
|
||||
- VM IP addresses
|
||||
- pfSense Public IPs
|
||||
- Kubernetes cluster information (kubeconfig)
|
||||
- Object Storage credentials (access/secret key)
|
||||
|
||||
|
|
@ -84,7 +106,8 @@ The deployment will output:
|
|||
|
||||
## 📝 Notes
|
||||
|
||||
- This setup is optimized for a **test or POC environment**.
|
||||
- This setup is optimized for a **test or POC environment** and is intended to setup an IPSEC Site2Site VPN.
|
||||
- Check the SNA Routes for configuring the Remote Networks on pfSense side. **Be sure to set the Identifier in IKE Phase 1 to the Public IP, because we are behind NAT.**
|
||||
- pfSense must be manually configured after deployment. (User: admin, Passwort: STACKIT123!)
|
||||
- Kubernetes workloads are not included in this deployment but can be added later.
|
||||
- LVM striping (RAID0) can be used for temporary IOPS/performance improvement — but **requires attention to backups**.
|
||||
|
|
@ -95,7 +118,6 @@ The deployment will output:
|
|||
|
||||
- The infrastructure is not auto-scaled or HA-enabled by default.
|
||||
- No automated DNS or certificate management is configured.
|
||||
- `lan_network3` is non-routed and might require manual routing adjustments if used.
|
||||
|
||||
---
|
||||
|
||||
@ -27,13 +27,23 @@ resource "stackit_network_area" "sna_beta" {
|
|||
//depends_on = [time_sleep.wait_before_destroy]
|
||||
}
|
||||
|
||||
/* resource "stackit_network_area_route" "sna_route1" {
|
||||
resource "stackit_network_area_route" "sna_route_alpha" {
|
||||
organization_id = var.organization_id
|
||||
network_area_id = stackit_network_area.sna_alpha.network_area_id
|
||||
prefix = "10.220.99.0/24"
|
||||
next_hop = "10.220.0.0"
|
||||
prefix = "10.230.5.0/24"
|
||||
next_hop = "10.220.0.254"
|
||||
labels = {
|
||||
"key" = "value"
|
||||
}
|
||||
}
|
||||
*/
|
||||
|
||||
resource "stackit_network_area_route" "sna_route_beta" {
|
||||
organization_id = var.organization_id
|
||||
network_area_id = stackit_network_area.sna_beta.network_area_id
|
||||
prefix = "10.220.5.0/24"
|
||||
next_hop = "10.230.0.254"
|
||||
labels = {
|
||||
"key" = "value"
|
||||
}
|
||||
}
|
||||
|
||||
|
|
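Review bot: Both new `stackit_network_area_route` resources (`sna_route_alpha`, `sna_route_beta`) carry the placeholder `labels = { "key" = "value" }`, which conveys nothing and will be applied as real labels on the routes; either drop the block or use a meaningful label such as `"purpose" = "ipsec-site2site"`. The routes send the peer core LAN to each pfSense WAN address (`10.230.5.0/24` via `10.220.0.254`, `10.220.5.0/24` via `10.230.0.254`), which matches the README, but the beta LAN1 prefix the README lists (`10.230.1.0/24`) has no route from the alpha side, so a one-line comment stating which prefixes are intentionally reachable over the tunnel would help the next reader. The context line `//depends_on = [time_sleep.wait_before_destroy]` above the first hunk line is dead configuration and could be removed or explained.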