init

00-provider.tf

@@ -0,0 +1,21 @@
+# Define required providers
+terraform {
+  required_version = ">= 0.14.0"
+  required_providers {
+    openstack = {
+      source  = "terraform-provider-openstack/openstack"
+      version = "1.52.1"
+    }
+  }
+}
+
+# Configure the OpenStack Provider
+provider "openstack" {
+  user_name         = var.USERNAME
+  tenant_id         = var.TENANTID
+  user_domain_name  = "portal_mvp"
+  project_domain_id = "portal_mvp"
+  password          = var.PASSWORD
+  auth_url          = "https://keystone.api.iaas.eu01.stackit.cloud/v3/"
+  region            = "RegionOne"
+}

01-config.tf

@@ -0,0 +1,48 @@
+#
+# Custom User Settings
+#
+
+# OpenStack Availability Zone
+variable "zone" {
+  type        = string
+  description = ""
+  default     = "eu01-m"
+}
+
+# OpenStack VM Flavor
+variable "flavor" {
+  type        = string
+  description = ""
+  default     = "c1.2"
+}
+
+# Local VPC Subnet to create OpenStack Network
+variable "LOCAL_SUBNET" {
+  type        = string
+  description = ""
+  default     = "10.0.0.0/24"
+}
+
+############################################
+
+#
+# System Settings (do not edit)
+#
+
+# OpenStack UAT Username
+variable "USERNAME" {
+  type        = string
+  description = ""
+}
+
+# OpenStack Project ID
+variable "TENANTID" {
+  type        = string
+  description = ""
+}
+
+# OpenStack UAT Password
+variable "PASSWORD" {
+  type        = string
+  description = ""
+}

02-pfsense-image.tf

@@ -0,0 +1,9 @@
+# Upload VPN Appliance Image to OpenStack
+resource "openstack_images_image_v2" "pfsense_image" {
+  name             = "pfsense-2.7.0-amd64-image"
+  image_source_url = "https://pfsense.object.storage.eu01.onstackit.cloud/pfsense-ce-2.7.0-amd64-14-08-2023.qcow2"
+  web_download     = true
+  container_format = "bare"
+  disk_format      = "qcow2"
+  visibility       = "shared"
+}

03-pfsense-network.tf

@@ -0,0 +1,69 @@
+# Create vNET Networks
+resource "openstack_networking_network_v2" "vpc_network" {
+  name           = "VPC Network"
+  description    = "Local Peering VPC Network"
+  admin_state_up = "true"
+}
+
+resource "openstack_networking_network_v2" "wan_network" {
+  name           = "WAN Network"
+  description    = "Transfer Net for binding FloatingIPs"
+  admin_state_up = "true"
+}
+
+# Create Subnets
+resource "openstack_networking_subnet_v2" "vpc_subnet_1" {
+  name        = "vpc_subnet"
+  description = "Local VPC Network"
+  network_id  = openstack_networking_network_v2.vpc_network.id
+  cidr        = var.LOCAL_SUBNET
+  ip_version  = 4
+  dns_nameservers = [
+    "208.67.222.222",
+    "9.9.9.9",
+  ]
+}
+
+resource "openstack_networking_subnet_v2" "wan_subnet_1" {
+  name        = "wan_subnet"
+  description = "WAN Network"
+  network_id  = openstack_networking_network_v2.wan_network.id
+  cidr        = "100.96.96.0/25"
+  ip_version  = 4
+  dns_nameservers = [
+    "208.67.222.222",
+    "9.9.9.9",
+  ]
+}
+
+# Create OpenStack Router
+
+resource "openstack_networking_router_v2" "vpc_router" {
+  name        = "vpc_router"
+  description = "VPC Router"
+}
+
+resource "openstack_networking_router_interface_v2" "vpc_router_interface_1" {
+  router_id = openstack_networking_router_v2.vpc_router.id
+  subnet_id = openstack_networking_subnet_v2.vpc_subnet_1.id
+}
+
+resource "openstack_networking_router_v2" "wan_router" {
+  name                = "wan_router"
+  description         = "WAN Router"
+  external_network_id = "970ace5c-458f-484a-a660-0903bcfd91ad"
+}
+
+# Create Router interfaces
+resource "openstack_networking_router_interface_v2" "wan_router_interface_1" {
+  router_id = openstack_networking_router_v2.wan_router.id
+  subnet_id = openstack_networking_subnet_v2.wan_subnet_1.id
+}
+
+# Create static routing entry for VPC Traffic to hit the pfSense instead of the default gateway
+resource "openstack_networking_router_route_v2" "vpc_router_route_1" {
+  depends_on       = [openstack_networking_router_interface_v2.vpc_router_interface_1]
+  router_id        = openstack_networking_router_v2.vpc_router.id
+  destination_cidr = "0.0.0.0/0"
+  next_hop         = openstack_compute_instance_v2.instance_fw.network.1.fixed_ip_v4
+}

04-pfsense-appliance.tf

@@ -0,0 +1,66 @@
+# Create root Volume
+resource "openstack_blockstorage_volume_v3" "fw_root_volume" {
+  name              = "pfsense-2.7.0-root"
+  description       = "Root Volume"
+  size              = 32
+  image_id          = openstack_images_image_v2.pfsense_image.id
+  availability_zone = var.zone
+  volume_type       = "storage_premium_perf4"
+}
+
+# Create virtual Server
+resource "openstack_compute_instance_v2" "instance_fw" {
+  name              = "pfSense" # Server name
+  flavor_name       = var.flavor
+  availability_zone = var.zone
+
+  block_device {
+    uuid                  = openstack_blockstorage_volume_v3.fw_root_volume.id
+    source_type           = "volume"
+    destination_type      = "volume"
+    boot_index            = 0
+    delete_on_termination = true
+  }
+
+  network {
+    port = openstack_networking_port_v2.wan_port_1.id
+  }
+
+  network {
+    port = openstack_networking_port_v2.vpc_port_1.id
+  }
+
+}
+
+# Network Ports
+resource "openstack_networking_port_v2" "wan_port_1" {
+  name                  = "FW WAN Port"
+  network_id            = openstack_networking_network_v2.wan_network.id
+  admin_state_up        = "true"
+  port_security_enabled = "false"
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.wan_subnet_1.id
+  }
+}
+
+resource "openstack_networking_port_v2" "vpc_port_1" {
+  name                  = "FW VPC Port"
+  network_id            = openstack_networking_network_v2.vpc_network.id
+  admin_state_up        = "true"
+  port_security_enabled = "false"
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.vpc_subnet_1.id
+  }
+}
+
+
+# Add FloatingIP
+resource "openstack_networking_floatingip_v2" "fip" {
+  pool = "floating-net"
+}
+
+resource "openstack_compute_floatingip_associate_v2" "fip" {
+  floating_ip = openstack_networking_floatingip_v2.fip.address
+  instance_id = openstack_compute_instance_v2.instance_fw.id
+  fixed_ip    = openstack_compute_instance_v2.instance_fw.network.0.fixed_ip_v4
+}

README.md

@@ -0,0 +1,48 @@
+# STACKIT pfSense Deployment
+
+Terraform script to deploy an pfSense firewall into STACKIT Cloud.
+
+Deployment overview:
+![](deployment.svg)
+
+The Terraform deployment consists of:
++ WAN Network
++ WAN Router with external RouterIP
++ LAN Network
++ LAN Router with static default gateway router to the pfSense firewall
++ pfSense firewall VM + disk volume
++ FloatingIP for firewall VM
++ deactivating port security on firewall ports
+
+## Setup
+**Requirements:**
++ Terraform installed
++ Access to a STACKIT project
++ UAT (OpenStack) credentials
+
+### Installation
+1. Clone Repo
+1. Setup enviroment (.env) variables
+1. Run Terraform `terraform apply`
+
+## Configure Access to the WebUI
+In order to access the pfSense WebUI you need to configure the Appliance via the webVNC console first.
+
+### Interface Mapping
+The pfSense is asking for WAN and LAN interfaces.
+WAN must be mapped to `vtnet0` LAN to `vtnet1`
+
+### Enable WebUI Access
+In the menu overview enter the Shell and type in the following two commands.
+
+1. To disable the http referer check
+    ```bash
+    pfSsh.php playback disablereferercheck
+    ```
+1. Allow access from WAN to the WebUI
+    ```bash
+    pfSsh.php playback enableallowallwan
+    ```
+    > Keep in mind this rule creates an any to any (allow all) rule to the WAN interface. Please restrict the access again asap.
+
+Now you can enter the WebUI via the FloatingIP on port 443 the default login is `admin:pfsense`

deployment.d2

@@ -0,0 +1,33 @@
+Internet: {
+    shape: image
+    icon: https://styleguide.stackit.schwarz/assets/imagery/networks.svg
+}
+
+Internet -> Project.WAN Network
+
+Project: {
+    style: {
+      stroke: black
+      font-color: "#004E5A"
+      fill: "#F8EC17"
+      opacity: 0.8
+    }
+    WAN Network: {
+        shape: image
+        icon: https://styleguide.stackit.schwarz/assets/imagery/networks.svg
+    }
+    LAN Network: {
+        shape: image
+        icon: https://styleguide.stackit.schwarz/assets/imagery/networks.svg
+    }
+    Firewall: {
+        shape: image
+        icon: https://styleguide.stackit.schwarz/imagery/firewall.svg
+    }
+    WAN Network -> Firewall -> LAN Network
+    App: {
+        shape: image
+        icon: https://styleguide.stackit.schwarz/imagery/virtual-machine.svg
+    }
+    LAN Network -> App
+}

example.env

@@ -0,0 +1,6 @@
+# UAT Username
+export TF_VAR_USERNAME=
+# UAT Password
+export TF_VAR_PASSWORD=
+# OpenStack (not STACKIT) project id
+export TF_VAR_TENANTID=