From 248f554aedc207a35f2135e4e3ef300e200fe91d Mon Sep 17 00:00:00 2001
From: Michael Sodan
Date: Mon, 12 May 2025 12:09:04 +0200
Subject: [PATCH] changes
---
 01-network.tf | 4 ++--
 99-variables.tf | 2 +-
 README.md | 18 +++++++-----------
 project/01-sna.tf | 2 +-
 project/99-variables.tf | 2 +-
 5 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/01-network.tf b/01-network.tf
index 5d1f4f9..079967a 100644
--- a/01-network.tf
+++ b/01-network.tf
@@ -63,7 +63,7 @@ resource "stackit_network_interface" "wan" {
 name = "MGMT"
 ipv4 = "10.220.131.10"
 allowed_addresses = ["10.220.131.30/32"]
- security_group_ids = ["92fc0cad-1a6f-495f-89da-2a12100bea68"]
+ security_group_ids = [stackit_security_group.paloalto.security_group_id]
 }
@@ -89,7 +89,7 @@ resource "stackit_network_interface" "wan2" {
 name = "WAN2"
 ipv4 = "10.220.131.20"
 allowed_addresses = ["10.220.131.30/32"]
- security_group_ids = ["92fc0cad-1a6f-495f-89da-2a12100bea68"]
+ security_group_ids = [stackit_security_group.paloalto.security_group_id]
 }
 resource "stackit_network_interface" "vip" {
diff --git a/99-variables.tf b/99-variables.tf
index 6ec05d6..45225a5 100644
--- a/99-variables.tf
+++ b/99-variables.tf
@@ -4,7 +4,7 @@ variable "organization_id" {
 }
 variable "service_account_key_path" {
- default = "~/.stackit/credentials.json"
+ default = "/Users/sodan/.stackit/credentials.json"
 }
 variable "default_region" {
diff --git a/README.md b/README.md
index 090aa07..35fa80b 100644
--- a/README.md
+++ b/README.md
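Review bot: The interface named `MGMT` (resource label `wan`, context line `name = "MGMT"`) and the `WAN2` interface in the next hunk now both attach the same `stackit_security_group.paloalto`, so the management interface is reachable under exactly the same ingress rules as the WAN-facing one; if the firewall's management plane is meant to be reachable only from an admin network, a separate security group for the management interface would be the safer split (the group's rules are not visible in this diff, so this may be intentional). Replacing the hard-coded UUID with a reference is an improvement, but a label of `wan` on an interface named `MGMT` sitting next to `wan2` is misleading; either rename the label or add a comment such as `# MGMT interface of firewall 1; deliberately shares the WAN security group` if the sharing is on purpose. Both `stackit_network_interface` blocks begin in the `@@` context line above their hunk, and the second hunk ends at the opening of the `vip` interface.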
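Review bot: The new default `/Users/sodan/.stackit/credentials.json` commits one developer's home directory as the module default, so every other user (and any Linux or CI runner) gets a non-existent credentials path unless they override the variable; the `project/99-variables.tf` hunk makes the identical change and has the same problem. If `~/` was dropped because the provider does not expand the tilde, the portable fix is to keep a home-relative default and expand it at the use site, e.g. `default = "~/.stackit/credentials.json"` together with `pathexpand(var.service_account_key_path)` where the key is read (that site is not in this diff), or to remove the default entirely and supply the path through `TF_VAR_service_account_key_path`. A `description` on the variable saying it names a service-account key file, not the key material itself, would also make its sensitivity clear to readers.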
@@ -1,12 +1,8 @@
-1. terraform files for deploying the hengeler project
-2. terraform files for add a palo alto fw
-3. currently splitted because of 2 internal bugs in stackit cli and terraform but should be fixed now .... so code can be changed.
-
-Todo:
-
-- activate the project module that you only need one terraform run and one set of terraform state files
-- the state files must be secured and backuped to an S3 Object Store.
--
-
-
+1. terraform files for deploying two paloAlto Firewalls in a HA Setup
+ - important thing is to enable port_security on the interfaces which will hold the vip
+ - the interface with the VIP must not be attached to a server!
+ - also the internal VIP IP has to be added as allowed_address, otherwise the move of the floating IP will not work.
+ It is not possible to a CIDR here. The IP must be set with /32.
+ - if you enable port_security also a security rule must be added with the relevant rules.
+ - the interfaces are added to the same network on firewall 1 and 2 for HA.
diff --git a/project/01-sna.tf b/project/01-sna.tf
index 86e96c8..b6af233 100644
--- a/project/01-sna.tf
+++ b/project/01-sna.tf
@@ -1,5 +1,5 @@
 resource "time_sleep" "wait_before_destroy" {
- destroy_duration = "10s"
+ destroy_duration = "60s"
 }
 resource "stackit_network_area" "sna" {
diff --git a/project/99-variables.tf b/project/99-variables.tf
index d76b1e5..b0e3412 100644
--- a/project/99-variables.tf
+++ b/project/99-variables.tf
@@ -4,7 +4,7 @@ variable "organization_id" {
 }
 variable "service_account_key_path" {
- default = "~/.stackit/credentials.json"
+ default = "/Users/sodan/.stackit/credentials.json"
 }
 variable "default_region" {
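Review bot: The `destroy_duration` of `time_sleep.wait_before_destroy` is raised from `"10s"` to `"60s"` with nothing recording what the delay guards or why 60 seconds is now considered enough, so the next person who hits a destroy failure has to rediscover it by trial. A comment on the changed line such as `# allow the platform to release dependants before the network area is destroyed; 10s proved too short` would capture that, adjusted to the resource the sleep actually protects, which is presumably `stackit_network_area.sna` from the following context line but is not confirmed by this hunk. A fixed sleep stays timing-dependent, so if the provider offers a state to wait on or an explicit `depends_on` ordering that yields the same effect, that would be more robust than a longer timer.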