align network and readme (config changes)

This commit is contained in:
Michael_Sodan 2025-08-21 09:14:22 +00:00
parent 4f966c4c9f
commit ff77fbab55
5 changed files with 74 additions and 25 deletions


@ -44,15 +44,16 @@ resource "stackit_network" "p2_lan_network1" {
resource "stackit_network_interface" "p2_lan1" { resource "stackit_network_interface" "p2_lan1" {
project_id = module.project.project_info["project2"].project_id project_id = module.project.project_info["project2"].project_id
network_id = stackit_network.p2_lan_network1.network_id network_id = stackit_network.p2_lan_network1.network_id
security = true security = false
name = "P2LAN1" name = "P2LAN1"
security_group_ids = [ stackit_security_group.example.security_group_id ] //security_group_ids = [ stackit_security_group.example.security_group_id ]
} }
// this is for adding a second network interface to the core project (for WAN access). // this is for adding a second network interface to the core project (for WAN access).
/* resource "stackit_network" "p2_wan_network1" { /* resource "stackit_network" "p2_wan_network1" {
project_id = module.project.project_info["project2"].project_id project_id = module.project.project_info["project2"].project_id
name = "wan" name = "wan"
ipv4_prefix = "10.220.6.0/24" ipv4_prefix = "10.220.50.0/24"
routed = true routed = true
} }
@ -82,6 +83,8 @@ resource "stackit_network_interface" "p3_lan1" {
//security_group_ids = [ stackit_security_group.example.security_group_id ] //security_group_ids = [ stackit_security_group.example.security_group_id ]
} }
// project 4 for SKE, so no configuration necessary here
// ------- project 5 - vpn ------------ // ------- project 5 - vpn ------------
// This file defines the network setup for the fifth project (vpn). // This file defines the network setup for the fifth project (vpn).
resource "stackit_network" "wan_network_beta" { resource "stackit_network" "wan_network_beta" {
@ -128,9 +131,9 @@ resource "stackit_network" "p6_lan_network1" {
resource "stackit_network_interface" "p6_lan1" { resource "stackit_network_interface" "p6_lan1" {
project_id = module.project.project_info["project6"].project_id project_id = module.project.project_info["project6"].project_id
network_id = stackit_network.p6_lan_network1.network_id network_id = stackit_network.p6_lan_network1.network_id
security = true security = false
name = "P6LAN1" name = "P6LAN1"
security_group_ids = [ stackit_security_group.example_beta.security_group_id ] //security_group_ids = [ stackit_security_group.example_beta.security_group_id ]
} }
// ---------- public IPs ------------------ // ---------- public IPs ------------------
@ -139,7 +142,7 @@ resource "stackit_public_ip" "wan_ip" {
project_id = module.project.project_info["project1"].project_id project_id = module.project.project_info["project1"].project_id
network_interface_id = stackit_network_interface.wan.network_interface_id network_interface_id = stackit_network_interface.wan.network_interface_id
} }
resource "stackit_public_ip" "wan_ip_alpha" { resource "stackit_public_ip" "wan_ip_beta" {
project_id = module.project.project_info["project5"].project_id project_id = module.project.project_info["project5"].project_id
network_interface_id = stackit_network_interface.wan_beta.network_interface_id network_interface_id = stackit_network_interface.wan_beta.network_interface_id
} }
@ -154,9 +157,15 @@ resource "stackit_public_ip" "wan_ip_alpha" {
// Output the public IPs for both projects // Output the public IPs for both projects
output "public_ips" { output "public_ips" {
value = { value = {
"wan_ip" = stackit_public_ip.wan_ip.ip "pfsense-alpha" = stackit_public_ip.wan_ip.ip
"wan_ip_alpha" = stackit_public_ip.wan_ip_alpha.ip "pfsense-beta" = stackit_public_ip.wan_ip_beta.ip
//"wan_server" = stackit_public_ip.wan_server.ip //"wan_server" = stackit_public_ip.wan_server.ip
} }
} }
output "private_ips" {
value = {
"linux-alpha" = stackit_network_interface.p2_lan1.ipv4
"linux-beta" = stackit_network_interface.p6_lan1.ipv4
}
}
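Review bot: Setting `security = false` on `p2_lan1` (and `p6_lan1` further down) while commenting out `security_group_ids` leaves these LAN ports without any security-group filtering at the STACKIT layer, and nothing in the hunk records why that is acceptable; as I read the provider, `security = false` disables security-group enforcement on the interface, so simply un-commenting the group later would have no effect unless the flag is flipped back as well. If the intent is that pfSense is the only filter in this POC, say so on the interface, e.g. `// security = false: no security group is enforced on this port; filtering relies on pfSense (POC only). Set security = true and attach security_group_ids to re-enable.`, and repeat it on `p6_lan1`. The new `private_ips` output exposes the `ipv4` of both LAN interfaces; that is harmless but worth a one-line comment stating it is for operator convenience, matching the comment above `public_ips`.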


@ -26,8 +26,12 @@ resource "stackit_image" "pfsense_image" {
disk_bus = "scsi" disk_bus = "scsi"
secure_boot = false secure_boot = false
} }
lifecycle {
ignore_changes = [ local_file_path ]
}
} }
// Upload VPN Appliance Image to STACKIT // Upload VPN Appliance Image to STACKIT
resource "stackit_image" "pfsense_image_beta" { resource "stackit_image" "pfsense_image_beta" {
project_id = module.project.project_info["project5"].project_id project_id = module.project.project_info["project5"].project_id
@ -43,5 +47,9 @@ resource "stackit_image" "pfsense_image_beta" {
disk_bus = "scsi" disk_bus = "scsi"
secure_boot = false secure_boot = false
} }
lifecycle {
ignore_changes = [ local_file_path ]
}
} }
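Review bot: The added `lifecycle { ignore_changes = [ local_file_path ] }` on `pfsense_image` and `pfsense_image_beta` means a replaced or patched pfSense image file on disk will no longer trigger a re-upload, and nothing in the hunk documents that. Add a why-comment next to it, e.g. `// uploaded once: changing the local file does not replace the image; taint/replace this resource to roll a new pfSense build`. With `secure_boot = false` also set on both images, the deployed appliance's integrity appears to rest entirely on whatever file was present at first apply, which is worth stating in the same comment so operators know to replace the resource deliberately. Both `stackit_image` resource blocks begin outside the hunk.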


@ -39,7 +39,7 @@ resource "stackit_volume" "pfsense_vol_beta" {
resource "stackit_server" "pfsense_appliance_beta" { resource "stackit_server" "pfsense_appliance_beta" {
project_id = module.project.project_info["project5"].project_id project_id = module.project.project_info["project5"].project_id
name = "pfSense" name = "pfSense-beta"
boot_volume = { boot_volume = {
source_type = "volume" source_type = "volume"
source_id = stackit_volume.pfsense_vol_beta.volume_id source_id = stackit_volume.pfsense_vol_beta.volume_id


@ -6,35 +6,56 @@ This repository contains Terraform code to deploy the following infrastructure p
## 📦 Projects Overview ## 📦 Projects Overview
### 1. **Landing Zone**
### 1. **ALPHA SNA**
#### 1.1 **Landing Zone**
- Deploys a single **pfSense VM** as the central firewall/router. - Deploys a single **pfSense VM** as the central firewall/router.
- Acts as the entry point for the environment. - Acts as the entry point for the environment.
- Configures **WAN and multiple LAN networks**: - Configures **WAN and one LAN network**:
- `wan_network`: `10.220.0.0/24` - `wan_network`: `10.220.0.0/24`
- `lan_network1`: `10.220.1.0/24` - `lan_network1`: `10.220.1.0/24`
- Interfaces: - Interfaces:
- WAN interface with static IP `10.220.0.254` - WAN interface with static IP `10.220.0.254`
- LAN13 interfaces, each connected to corresponding networks - LAN interfaces with dynamic IP
### 2. **Core** #### 1.2 **Core**
- Deploys a single **Virtual Machine** (VM) for core services or testing purposes. - Deploys a single **Virtual Machine** (VM) for core services or testing purposes.
- Network setup includes: - Network setup includes:
- `p2_lan_network`: `10.220.5.0/24` (routed) - `p2_lan_network`: `10.220.5.0/24` (routed)
- `p2_wan_network`: `10.220.6.0/24` (routed) - optional - `p2_wan_network`: `10.220.50.0/24` (routed) - optional and deactivated
- Interfaces: - Interfaces:
- LAN interface with attached security group - LAN interface with optional configured security group
- WAN interface without additional security - WAN interface without additional security set
### 3. **Backup** #### 1.3 **Backup**
- Used for backup and disaster recovery scenarios. - Used for backup and disaster recovery scenarios.
- Creates an **Object Storage Bucket**. - Creates an **Object Storage Bucket**.
- Relevant **access credentials** are provisioned for use with other services. - Relevant **access credentials** are provisioned for use with other services.
### 4. **SKE** #### 1.4 **SKE**
- Deploys a managed **SKE (STACKIT Kubernetes Engine)** cluster. - Deploys a managed **SKE (STACKIT Kubernetes Engine)** cluster.
- `ske_network`: `10.220.10.0/24` - `ske_network`: `10.220.10.0/24`
### 2. **BETA SNA**
#### 2.1 **VPN**
- Deploys a single **pfSense VM** as the central firewall/router.
- Acts as the entry point for the environment.
- Configures **WAN and one LAN network**:
- `wan_network`: `10.230.0.0/24`
- `lan_network1`: `10.230.1.0/24`
- Interfaces:
- WAN interface with static IP `10.230.0.254`
- LAN interfaces with dynamic IP
#### 2.2 **Infra**
- Deploys a single **Virtual Machine** (VM) for infra services or testing purposes.
- Network setup includes:
- `p6_lan_network`: `10.230.5.0/24` (routed)
- Interfaces:
- LAN interface with optional configured security group and dynamic IP.
--- ---
## 🚀 Getting Started ## 🚀 Getting Started
@ -48,7 +69,7 @@ This repository contains Terraform code to deploy the following infrastructure p
1. Clone this repository: 1. Clone this repository:
```bash ```bash
git clone https://professional-service.git.onstackit.cloud/professional-service-best-practices/landingzone.git git clone https://professional-service.git.onstackit.cloud/professional-service-best-practices/landingzone_ipsec.git
cd <repo-name> cd <repo-name>
``` ```
@ -75,6 +96,7 @@ This repository contains Terraform code to deploy the following infrastructure p
The deployment will output: The deployment will output:
- VM IP addresses - VM IP addresses
- pfSense Public IPs
- Kubernetes cluster information (kubeconfig) - Kubernetes cluster information (kubeconfig)
- Object Storage credentials (access/secret key) - Object Storage credentials (access/secret key)
@ -84,7 +106,8 @@ The deployment will output:
## 📝 Notes ## 📝 Notes
- This setup is optimized for a **test or POC environment**. - This setup is optimized for a **test or POC environment** and is intended to setup an IPSEC Site2Site VPN.
- Check the SNA Routes for configuring the Remote Networks on pfSense side. **Be sure to set the Identifier in IKE Phase 1 to the Public IP, because we are behind NAT.**
- pfSense must be manually configured after deployment. (User: admin, Passwort: STACKIT123!) - pfSense must be manually configured after deployment. (User: admin, Passwort: STACKIT123!)
- Kubernetes workloads are not included in this deployment but can be added later. - Kubernetes workloads are not included in this deployment but can be added later.
- LVM striping (RAID0) can be used for temporary IOPS/performance improvement — but **requires attention to backups**. - LVM striping (RAID0) can be used for temporary IOPS/performance improvement — but **requires attention to backups**.
@ -95,7 +118,6 @@ The deployment will output:
- The infrastructure is not auto-scaled or HA-enabled by default. - The infrastructure is not auto-scaled or HA-enabled by default.
- No automated DNS or certificate management is configured. - No automated DNS or certificate management is configured.
- `lan_network3` is non-routed and might require manual routing adjustments if used.
--- ---


@ -27,13 +27,23 @@ resource "stackit_network_area" "sna_beta" {
//depends_on = [time_sleep.wait_before_destroy] //depends_on = [time_sleep.wait_before_destroy]
} }
/* resource "stackit_network_area_route" "sna_route1" { resource "stackit_network_area_route" "sna_route_alpha" {
organization_id = var.organization_id organization_id = var.organization_id
network_area_id = stackit_network_area.sna_alpha.network_area_id network_area_id = stackit_network_area.sna_alpha.network_area_id
prefix = "10.220.99.0/24" prefix = "10.230.5.0/24"
next_hop = "10.220.0.0" next_hop = "10.220.0.254"
labels = { labels = {
"key" = "value" "key" = "value"
} }
} }
*/
resource "stackit_network_area_route" "sna_route_beta" {
organization_id = var.organization_id
network_area_id = stackit_network_area.sna_beta.network_area_id
prefix = "10.220.5.0/24"
next_hop = "10.230.0.254"
labels = {
"key" = "value"
}
}
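Review bot: Both new `stackit_network_area_route` resources still carry the placeholder labels `"key" = "value"`, which will be applied to the platform as real labels; either drop the `labels` block or use something descriptive such as `"purpose" = "ipsec-s2s"`. The prefixes `10.230.5.0/24` and `10.220.5.0/24` duplicate the `ipv4_prefix` values of `p6_lan_network1` and `p2_lan_network1` in the network file above; if these resources live in the same root module, `prefix = stackit_network.p6_lan_network1.ipv4_prefix` (and the p2 equivalent) would keep the routes from drifting from the networks. Only the two `/24` LAN networks are routed across the SNAs, while the pfSense-side LAN networks listed in the README (`10.220.1.0/24`, `10.230.1.0/24`) are not; that is presumably intended, and a one-line comment naming which subnets are meant to traverse the tunnel would make it explicit.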