changes

2025-05-13 10:03:37 +02:00 · 2025-05-13 10:03:37 +02:00 · 7f4784c237
commit 7f4784c237
parent 248f554aed
3 changed files with 97 additions and 7 deletions
--- a/04-attachment.tf
+++ b/04-attachment.tf
@ -0,0 +1,25 @@
+resource "stackit_server_network_interface_attach" "nic-attachment-lan1" {
+  project_id           = module.project.project_info.project_id
+  server_id            = stackit_server.paloalto_server.server_id
+  network_interface_id = stackit_network_interface.lan1.network_interface_id
+  depends_on = [ stackit_server_network_interface_attach.nic-attachment-lan1 ]
+}
+resource "stackit_server_network_interface_attach" "nic-attachment-lan2" {
+  project_id           = module.project.project_info.project_id
+  server_id            = stackit_server.paloalto_server.server_id
+  network_interface_id = stackit_network_interface.lan2.network_interface_id
+  depends_on = [ stackit_server_network_interface_attach.nic-attachment-lan1 ]
+}
+
+resource "stackit_server_network_interface_attach" "nic-attachment-lan1_2" {
+  project_id           = module.project.project_info.project_id
+  server_id            = stackit_server.paloalto_server_2.server_id
+  network_interface_id = stackit_network_interface.lan1_2.network_interface_id
+  depends_on = [ stackit_server_network_interface_attach.nic-attachment-lan2 ]
+}
+resource "stackit_server_network_interface_attach" "nic-attachment-lan2_2" {
+  project_id           = module.project.project_info.project_id
+  server_id            = stackit_server.paloalto_server_2.server_id
+  network_interface_id = stackit_network_interface.lan2_2.network_interface_id
+  depends_on = [ stackit_server_network_interface_attach.nic-attachment-lan1_2 ]
+}
--- a/05-security-group.tf
+++ b/05-security-group.tf
@ -0,0 +1,33 @@
+resource "stackit_security_group" "paloalto" {
+  project_id = module.project.project_info["project_id"]
+  name       = "test"
+  labels = {
+    "key" = "example"
+  }
+}
+
+resource "stackit_security_group_rule" "icmp_ingress" {
+  project_id = module.project.project_info["project_id"]
+  security_group_id = stackit_security_group.paloalto.security_group_id
+  direction         = "ingress"
+  icmp_parameters = {
+    code = 0
+    type = 8
+  }
+  protocol = {
+    name = "icmp"
+  }
+}
+resource "stackit_security_group_rule" "icmp_egress" {
+  project_id = module.project.project_info["project_id"]
+  security_group_id = stackit_security_group.paloalto.security_group_id
+  direction         = "egress"
+  icmp_parameters = {
+    code = 0
+    type = 8
+  }
+  protocol = {
+    name = "icmp"
+  }
+}
+
--- a/README.md
+++ b/README.md
@ -1,8 +1,40 @@
-1. terraform files for deploying two paloAlto Firewalls in a HA Setup
- - important thing is to enable port_security on the interfaces which will hold the vip
- - the interface with the VIP must not be attached to a server!
- - also the internal VIP IP has to be added as allowed_address, otherwise the move of the floating IP will not work.
-   It is not possible to a CIDR here. The IP must be set with /32.
- - if you enable port_security also a security rule must be added with the relevant rules.
- - the interfaces are added to the same network on firewall 1 and 2 for HA.
+# Palo Alto HA Setup with Terraform (Stackit Cloud)
+
+This Terraform configuration sets up two **Palo Alto Firewalls** in a **High Availability (HA)** setup on the **Stackit Cloud IaaS** layer. It includes proper configuration for floating IPs (VIPs), port security, and network interface rules.
+
+---
+
+## 🛠️ Key Concepts
+
+### 🔁 High Availability (HA)
+Two firewalls are deployed with identical network interfaces. A virtual IP (VIP) is configured for failover between the two units.
+
+### 🧷 Port Security & VIPs
+- `port_security` **must be enabled** on interfaces where the **VIP** is active.
+- **Do not attach** the VIP IP to any server or instance!
+- VIP must be added as an `allowed_address_pair` on **both firewalls'** relevant interfaces.
+
+---
+
+## ✅ Requirements
+
+- Terraform ≥ 1.3.x
+- Stackit Terraform Provider
+- Palo Alto VM-Series Images (pre-imported into the Stackit project)
+
+---
+
+## 🔐 VIP Configuration Rules
+
+| Requirement                        | Value / Note                                       |
+|------------------------------------|----------------------------------------------------|
+| Port Security Enabled              | ✅ `true` on VIP interfaces                        |
+| VIP Attachment                     | ❌ Do **not** attach VIP to any instance           |
+| Allowed Address Pair               | ✅ Add VIP with `/32` notation                     |
+| Allowed Address Format             | `10.220.131.30/32`                                 |
+| Security Group for VIP Interface   | ✅ Required if `port_security = true`              |
+
+---
+
+