Merge pull request #2 from StackedDane/main

Changed provider form Openstack to STACKIT
Markus Brunsch 2025-04-10 09:18:23 +02:00 committed by GitHub
commit e16fe49b71
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 110 additions and 173 deletions

.gitignore vendored

@ -35,3 +35,4 @@ terraform.rc
.env
.terraform.lock.hcl
conf.img
pfsense.qcow2
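Review bot: Adding `pfsense.qcow2` to .gitignore does not untrack a file that the same change commits — this PR also adds a new `pfsense.qcow2` (the "Normal file" section at the end of the page, one addition), so the ignore entry has no effect on it until it is removed from the index with `git rm --cached pfsense.qcow2`. A one-line "qcow2" is almost certainly not a disk image but a download artifact (an HTTP error body, presumably), and it should not be in the repository either way. Consider adding a short comment next to the entry, `# downloaded by null_resource.pfsense_image_file at apply time`, so the next reader knows the file is generated.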


@ -1,6 +1,6 @@
/*
Copyright 2023 Schwarz IT KG <markus.brunsch@mail.schwarz>
Copyright 2024 STACKIT GmbH & Co. KG <markus.brunsch@stackit.cloud>
Copyright 2024-2025 STACKIT GmbH & Co. KG <markus.brunsch@stackit.cloud>
Use of this source code is governed by an MIT-style
license that can be found in the LICENSE file or at
@ -11,20 +11,15 @@ https://opensource.org/licenses/MIT.
terraform {
required_version = ">= 0.14.0"
required_providers {
openstack = {
source = "terraform-provider-openstack/openstack"
version = "3.0.0"
stackit = {
source = "stackitcloud/stackit"
version = "0.46.0"
}
}
}
# Configure the OpenStack Provider
provider "openstack" {
user_name = var.USERNAME
tenant_id = var.TENANTID
user_domain_name = "portal_mvp"
project_domain_id = "portal_mvp"
password = var.PASSWORD
auth_url = "https://keystone.api.iaas.eu01.stackit.cloud/v3/"
region = "RegionOne"
provider "stackit" {
default_region = "eu01"
service_account_token = var.STACKIT_SERVICE_ACCOUNT_TOKEN
enable_beta_resources = true
}
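Review bot: `enable_beta_resources = true` is set without saying which of the resources used in this PR requires it; beta resources carry no stability guarantee, so that dependency should be recorded at the line, e.g. `enable_beta_resources = true # TODO: note which resources used here are still beta and revisit when they reach GA`. The `service_account_token` argument takes `var.STACKIT_SERVICE_ACCOUNT_TOKEN`, which the variables file in this PR declares without `sensitive = true`, so the credential is not redacted in plan/apply output; the fix belongs in that file. The `# Configure the OpenStack Provider` comment above the block was kept while the provider changed; `# Configure the STACKIT provider` would match the new code.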


@ -1,6 +1,6 @@
/*
Copyright 2023 Schwarz IT KG <markus.brunsch@mail.schwarz>
Copyright 2024 STACKIT GmbH & Co. KG <markus.brunsch@stackit.cloud>
Copyright 2024-2025 STACKIT GmbH & Co. KG <markus.brunsch@stackit.cloud>
Use of this source code is governed by an MIT-style
license that can be found in the LICENSE file or at
@ -11,47 +11,40 @@ https://opensource.org/licenses/MIT.
# Custom User Settings
#
# OpenStack Availability Zone
# STACKIT Availability Zone
variable "zone" {
type = string
description = ""
default = "eu01-m"
}
# OpenStack VM Flavor
# STACKIT VM Flavor
variable "flavor" {
type = string
description = ""
default = "c1.2"
}
# Local VPC Subnet to create OpenStack Network
# Local VPC Subnet to create Network
variable "LOCAL_SUBNET" {
type = string
description = ""
default = "10.0.0.0/24"
default = "10.10.0.0/24"
}
variable "LOCAL_FIREWALL_IP" {
type = string
description = ""
default = "10.10.0.220"
}
############################################
#
# System Settings (do not edit)
#
# OpenStack UAT Username
variable "USERNAME" {
# STACKIT ProjectID
variable "STACKIT_PROJECT_ID" {
type = string
description = ""
}
# OpenStack Project ID
variable "TENANTID" {
type = string
description = ""
}
# OpenStack UAT Password
variable "PASSWORD" {
# STACKIT Service Account Token
variable "STACKIT_SERVICE_ACCOUNT_TOKEN" {
type = string
description = ""
}
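Review bot: `STACKIT_SERVICE_ACCOUNT_TOKEN` is declared as a plain string, so Terraform will print its value in plan/apply output and in any diagnostic that interpolates it; add `sensitive = true` to that variable block. Every variable in the hunk has `description = ""`, which leaves `terraform plan` prompts and generated docs empty — at minimum `description = "STACKIT service account token used to authenticate the provider"` and `description = "ID of the STACKIT project to deploy into"` for the two new variables. The new `LOCAL_FIREWALL_IP` default lies inside the new `LOCAL_SUBNET` default, but nothing enforces that when either is overridden; a `validation` block, or a comment `# must be an address inside LOCAL_SUBNET`, would make the coupling visible.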


@ -1,18 +1,36 @@
/*
Copyright 2023 Schwarz IT KG <markus.brunsch@mail.schwarz>
Copyright 2024 STACKIT GmbH & Co. KG <markus.brunsch@stackit.cloud>
Copyright 2024-2025 STACKIT GmbH & Co. KG <markus.brunsch@stackit.cloud>
Use of this source code is governed by an MIT-style
license that can be found in the LICENSE file or at
https://opensource.org/licenses/MIT.
*/
# Upload VPN Appliance Image to OpenStack
resource "openstack_images_image_v2" "pfsense_image" {
name = "pfsense-2.7.2-amd64-image"
image_source_url = "https://pfsense.object.storage.eu01.onstackit.cloud/pfsense-ce-2.7.2-amd64-10-12-2024.qcow2"
web_download = true
container_format = "bare"
disk_format = "qcow2"
visibility = "shared"
# Local copy of the Image
resource "null_resource" "pfsense_image_file" {
triggers = {
always_run = timestamp()
}
provisioner "local-exec" {
command = "curl -o pfsense.qcow2 https://pfsense.object.storage.eu01.onstackit.cloud/pfsense-ce-2.7.2-amd64-10-12-2024.qcow2"
}
lifecycle {
ignore_changes = all
}
}
# Upload VPN Appliance Image to STACKIT
resource "stackit_image" "pfsense_image" {
project_id = var.STACKIT_PROJECT_ID
name = "pfsense-2.7.2-amd64-image"
local_file_path = "./pfsense.qcow2"
disk_format = "qcow2"
depends_on = [null_resource.pfsense_image_file]
min_disk_size = 10
min_ram = 2
config = {
uefi = false
}
}
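Review bot: The `local-exec` download has no failure handling — `curl -o pfsense.qcow2 <url>` writes an HTTP error body to `pfsense.qcow2` and exits 0 on a 4xx/5xx, and `stackit_image` then uploads that file as the firewall's boot image; use `curl -fsSL -o pfsense.qcow2 <url>` so a failed download aborts the apply, and verify the file against the checksum the image publisher provides before it is uploaded (the page does not show one, so treat the expected digest as a value to be filled in). The one-line `pfsense.qcow2` committed elsewhere in this PR looks like exactly such an artifact, though that is inferred. `triggers = { always_run = timestamp() }` together with `lifecycle { ignore_changes = all }` reads as contradictory: `ignore_changes = all` presumably suppresses the trigger diff, so the download runs only on first create — keep whichever of the two matches the intent and add a comment stating it. The `depends_on` on `stackit_image` is necessary here because the file path is a literal, not a reference; a one-line comment saying so would stop a future cleanup from removing it.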


@ -1,78 +1,42 @@
/*
Copyright 2023 Schwarz IT KG <markus.brunsch@mail.schwarz>
Copyright 2024 STACKIT GmbH & Co. KG <markus.brunsch@stackit.cloud>
Copyright 2024-2025 STACKIT GmbH & Co. KG <markus.brunsch@stackit.cloud>
Use of this source code is governed by an MIT-style
license that can be found in the LICENSE file or at
https://opensource.org/licenses/MIT.
*/
# Create vNET Networks
resource "openstack_networking_network_v2" "vpc_network" {
name = "VPC Network"
description = "Local Peering VPC Network"
admin_state_up = "true"
# Get vNET Networks
resource "stackit_network" "wan_network" {
project_id = var.STACKIT_PROJECT_ID
name = "wan_network"
ipv4_nameservers = ["208.67.222.222", "9.9.9.9"]
}
resource "openstack_networking_network_v2" "wan_network" {
name = "WAN Network"
description = "Transfer Net for binding FloatingIPs"
admin_state_up = "true"
resource "stackit_network" "lan_network" {
project_id = var.STACKIT_PROJECT_ID
name = "lan_network"
ipv4_nameservers = ["208.67.222.222", "9.9.9.9"]
ipv4_prefix = var.LOCAL_SUBNET
ipv4_gateway = var.LOCAL_FIREWALL_IP
routed = false
}
# Create Subnets
resource "openstack_networking_subnet_v2" "vpc_subnet_1" {
name = "vpc_subnet"
description = "Local VPC Network"
network_id = openstack_networking_network_v2.vpc_network.id
cidr = var.LOCAL_SUBNET
ip_version = 4
dns_nameservers = [
"208.67.222.222",
"9.9.9.9",
]
resource "stackit_network_interface" "nic_wan" {
project_id = var.STACKIT_PROJECT_ID
network_id = stackit_network.wan_network.network_id
security = false
}
resource "openstack_networking_subnet_v2" "wan_subnet_1" {
name = "wan_subnet"
description = "WAN Network"
network_id = openstack_networking_network_v2.wan_network.id
cidr = "100.96.96.0/25"
ip_version = 4
dns_nameservers = [
"208.67.222.222",
"9.9.9.9",
]
resource "stackit_network_interface" "nic_lan" {
project_id = var.STACKIT_PROJECT_ID
network_id = stackit_network.lan_network.network_id
ipv4 = var.LOCAL_FIREWALL_IP
security = false
}
# Create OpenStack Router
resource "openstack_networking_router_v2" "vpc_router" {
name = "vpc_router"
description = "VPC Router"
}
resource "openstack_networking_router_interface_v2" "vpc_router_interface_1" {
router_id = openstack_networking_router_v2.vpc_router.id
subnet_id = openstack_networking_subnet_v2.vpc_subnet_1.id
}
resource "openstack_networking_router_v2" "wan_router" {
name = "wan_router"
description = "WAN Router"
external_network_id = "970ace5c-458f-484a-a660-0903bcfd91ad"
}
# Create Router interfaces
resource "openstack_networking_router_interface_v2" "wan_router_interface_1" {
router_id = openstack_networking_router_v2.wan_router.id
subnet_id = openstack_networking_subnet_v2.wan_subnet_1.id
}
# Create static routing entry for VPC Traffic to hit the pfSense instead of the default gateway
resource "openstack_networking_router_route_v2" "vpc_router_route_1" {
depends_on = [openstack_networking_router_interface_v2.vpc_router_interface_1]
router_id = openstack_networking_router_v2.vpc_router.id
destination_cidr = "0.0.0.0/0"
next_hop = openstack_compute_instance_v2.instance_fw.network.1.fixed_ip_v4
resource "stackit_public_ip" "wan-ip" {
project_id = var.STACKIT_PROJECT_ID
network_interface_id = stackit_network_interface.nic_wan.network_interface_id
}
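Review bot: `security = false` on `stackit_network_interface.nic_wan` disables security-group filtering on the interface that `stackit_public_ip.wan-ip` exposes to the internet, so pfSense's own ruleset is the only filter in front of the appliance. That mirrors the removed `port_security_enabled = "false"` and is presumably required for the firewall to forward traffic, but it should be stated at the resource, e.g. `# security groups intentionally disabled: pfSense routes for the LAN and applies its own filtering`, and the same on `nic_lan`. The comment `# Get vNET Networks` describes a data source, but these blocks create networks; `# Create WAN and LAN networks` matches the code. The nameserver list is repeated in both networks — a `locals` entry would keep the two in sync.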


@ -1,74 +1,43 @@
/*
Copyright 2023 Schwarz IT KG <markus.brunsch@mail.schwarz>
Copyright 2024 STACKIT GmbH & Co. KG <markus.brunsch@stackit.cloud>
Copyright 2024-2025 STACKIT GmbH & Co. KG <markus.brunsch@stackit.cloud>
Use of this source code is governed by an MIT-style
license that can be found in the LICENSE file or at
https://opensource.org/licenses/MIT.
*/
# Create root Volume
resource "openstack_blockstorage_volume_v3" "fw_root_volume" {
resource "stackit_volume" "pfsense_vol" {
project_id = var.STACKIT_PROJECT_ID
name = "pfsense-2.7.2-root"
description = "Root Volume"
availability_zone = var.zone
size = 16
image_id = openstack_images_image_v2.pfsense_image.id
performance_class = "storage_premium_perf4"
source = {
id = stackit_image.pfsense_image.image_id
type = "image"
}
}
resource "stackit_server" "pfsense_Server" {
project_id = var.STACKIT_PROJECT_ID
name = "pfSense"
boot_volume = {
source_type = "volume"
source_id = stackit_volume.pfsense_vol.volume_id
}
availability_zone = var.zone
volume_type = "storage_premium_perf4"
machine_type = var.flavor
}
# Create virtual Server
resource "openstack_compute_instance_v2" "instance_fw" {
name = "pfSense" # Server name
flavor_name = var.flavor
availability_zone = var.zone
block_device {
uuid = openstack_blockstorage_volume_v3.fw_root_volume.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
delete_on_termination = true
}
network {
port = openstack_networking_port_v2.wan_port_1.id
}
network {
port = openstack_networking_port_v2.vpc_port_1.id
}
resource "stackit_server_network_interface_attach" "nic-attachment-lan" {
project_id = var.STACKIT_PROJECT_ID
server_id = stackit_server.pfsense_Server.server_id
network_interface_id = stackit_network_interface.nic_lan.network_interface_id
depends_on = [stackit_server_network_interface_attach.nic-attachment-wan]
}
# Network Ports
resource "openstack_networking_port_v2" "wan_port_1" {
name = "FW WAN Port"
network_id = openstack_networking_network_v2.wan_network.id
admin_state_up = "true"
port_security_enabled = "false"
fixed_ip {
subnet_id = openstack_networking_subnet_v2.wan_subnet_1.id
}
resource "stackit_server_network_interface_attach" "nic-attachment-wan" {
project_id = var.STACKIT_PROJECT_ID
server_id = stackit_server.pfsense_Server.server_id
network_interface_id = stackit_network_interface.nic_wan.network_interface_id
}
resource "openstack_networking_port_v2" "vpc_port_1" {
name = "FW VPC Port"
network_id = openstack_networking_network_v2.vpc_network.id
admin_state_up = "true"
port_security_enabled = "false"
fixed_ip {
subnet_id = openstack_networking_subnet_v2.vpc_subnet_1.id
}
}
# Add FloatingIP
resource "openstack_networking_floatingip_v2" "fip" {
pool = "floating-net"
}
resource "openstack_networking_floatingip_associate_v2" "fip" {
floating_ip = openstack_networking_floatingip_v2.fip.address
port_id = openstack_networking_port_v2.wan_port_1.id
}
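Review bot: The `depends_on` on `nic-attachment-lan` orders the attachments so the WAN interface is attached before the LAN one, but nothing records why or whether the guest's interface order is guaranteed by it; add `# attach WAN first so pfSense enumerates it as the first interface — TODO confirm the API preserves attachment order`. The removed block_device carried `delete_on_termination = true`; the new `stackit_volume` / `boot_volume` pair has no equivalent on the page, so whether the root volume is removed with the server now depends on the provider's default and deserves a comment. Naming is mixed in the hunk: `pfsense_Server` is the only capitalised resource name and `nic-attachment-lan` / `nic-attachment-wan` use hyphens where the rest of the PR uses snake_case (`pfsense_vol`, `nic_wan`).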


@ -7,9 +7,7 @@ Deployment overview:
The Terraform deployment consists of:
+ WAN Network
+ WAN Router with external RouterIP
+ LAN Network
+ LAN Router with static default gateway router to the pfSense firewall
+ pfSense firewall VM + disk volume
+ FloatingIP for firewall VM
+ deactivating port security on firewall ports
@ -18,7 +16,7 @@ The Terraform deployment consists of:
**Requirements:**
+ Terraform installed
+ Access to a STACKIT project
+ UAT (OpenStack) credentials
+ STACKIT Service-Account-Token
### Installation
1. Clone Repo
@ -47,4 +45,4 @@ Set default password for admin to STACKIT123!
Disabled Referer-Check
Enable allow all wan adresses to connect to the WebUI
Now you can enter the WebUI via the FloatingIP on port 443 the default login is admin:STACKIT123!
Now you can enter the WebUI via the FloatingIP on port 443 the default login is admin:STACKIT123!


@ -1,6 +1,4 @@
# UAT Username
export TF_VAR_USERNAME=
# UAT Password
export TF_VAR_PASSWORD=
# OpenStack (not STACKIT) project id
export TF_VAR_TENANTID=
# STACKIT ProjectID
export TF_VAR_STACKIT_PROJECT_ID=
# STACKIT Service Account Token
export TF_VAR_STACKIT_SERVICE_ACCOUNT_TOKEN=

pfsense.qcow2 Normal file

@ -0,0 +1 @@