diff --git a/.gitignore b/.gitignore index 18c75fb..ae85be5 100644 --- a/.gitignore +++ b/.gitignore @@ -35,3 +35,4 @@ terraform.rc .env .terraform.lock.hcl conf.img +pfsense.qcow2 diff --git a/00-provider.tf b/00-provider.tf index 0c41e12..15829c9 100644 --- a/00-provider.tf +++ b/00-provider.tf @@ -1,6 +1,6 @@ /* Copyright 2023 Schwarz IT KG -Copyright 2024 STACKIT GmbH & Co. KG +Copyright 2024-2025 STACKIT GmbH & Co. KG Use of this source code is governed by an MIT-style license that can be found in the LICENSE file or at @@ -11,20 +11,15 @@ https://opensource.org/licenses/MIT. terraform { required_version = ">= 0.14.0" required_providers { - openstack = { - source = "terraform-provider-openstack/openstack" - version = "3.0.0" + stackit = { + source = "stackitcloud/stackit" + version = "0.46.0" } } } -# Configure the OpenStack Provider -provider "openstack" { - user_name = var.USERNAME - tenant_id = var.TENANTID - user_domain_name = "portal_mvp" - project_domain_id = "portal_mvp" - password = var.PASSWORD - auth_url = "https://keystone.api.iaas.eu01.stackit.cloud/v3/" - region = "RegionOne" +provider "stackit" { + default_region = "eu01" + service_account_token = var.STACKIT_SERVICE_ACCOUNT_TOKEN + enable_beta_resources = true } diff --git a/01-config.tf b/01-config.tf index 30c0c1e..8ccc46b 100644 --- a/01-config.tf +++ b/01-config.tf @@ -1,6 +1,6 @@ /* Copyright 2023 Schwarz IT KG -Copyright 2024 STACKIT GmbH & Co. KG +Copyright 2024-2025 STACKIT GmbH & Co. KG Use of this source code is governed by an MIT-style license that can be found in the LICENSE file or at 
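Review bot: `enable_beta_resources = true` in the new `provider "stackit"` block is a global opt-in with no comment saying which resource needs it, so nobody will know when it can be dropped again. Presumably one or more of the resources introduced in the other files (`stackit_image`, `stackit_network_interface`, `stackit_server_network_interface_attach`) is still beta in provider 0.46.0 — confirm against that version's docs rather than my guess. Add a comment above the line, e.g. `# Required while <resource names> are beta in provider 0.46.0; remove once they reach GA`, and keep `version` pinned exactly as it is here, since beta schemas are precisely the ones that change between provider releases.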
@@ -11,47 +11,40 @@ https://opensource.org/licenses/MIT. # Custom User Settings # -# OpenStack Availability Zone +# STACKIT Availability Zone variable "zone" { type = string description = "" default = "eu01-m" } -# OpenStack VM Flavor +# STACKIT VM Flavor variable "flavor" { type = string description = "" default = "c1.2" } -# Local VPC Subnet to create OpenStack Network +# Local VPC Subnet to create Network variable "LOCAL_SUBNET" { type = string description = "" - default = "10.0.0.0/24" + default = "10.10.0.0/24" +} +variable "LOCAL_FIREWALL_IP" { + type = string + description = "" + default = "10.10.0.220" } -############################################ - -# -# System Settings (do not edit) -# - -# OpenStack UAT Username -variable "USERNAME" { +# STACKIT ProjectID +variable "STACKIT_PROJECT_ID" { type = string description = "" } -# OpenStack Project ID -variable "TENANTID" { - type = string - description = "" -} - -# OpenStack UAT Password -variable "PASSWORD" { +# STACKIT Service Account Token +variable "STACKIT_SERVICE_ACCOUNT_TOKEN" { type = string description = "" } diff --git a/02-pfsense-image.tf b/02-pfsense-image.tf index 5374ad9..2ef827e 100644 --- a/02-pfsense-image.tf +++ b/02-pfsense-image.tf 
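Review bot: The new `variable "STACKIT_SERVICE_ACCOUNT_TOKEN"` is not marked sensitive, so the token is echoed in `terraform plan`/`apply` output and in any CI log that captures it, even though the only consumer is the provider block. Add `sensitive = true` to that variable; the unchanged `required_version = ">= 0.14.0"` already covers the release that introduced the attribute. The `description = ""` on every variable in this hunk is a missed opportunity as well — at minimum say that the token belongs to a STACKIT service account with rights on `STACKIT_PROJECT_ID`, and that `LOCAL_FIREWALL_IP` must lie inside `LOCAL_SUBNET`, because nothing in the configuration validates that relationship and the two defaults (`10.10.0.220`, `10.10.0.0/24`) are the only thing keeping them consistent.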
@@ -1,18 +1,36 @@ /* Copyright 2023 Schwarz IT KG -Copyright 2024 STACKIT GmbH & Co. KG +Copyright 2024-2025 STACKIT GmbH & Co. KG Use of this source code is governed by an MIT-style license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT. */ -# Upload VPN Appliance Image to OpenStack -resource "openstack_images_image_v2" "pfsense_image" { - name = "pfsense-2.7.2-amd64-image" - image_source_url = "https://pfsense.object.storage.eu01.onstackit.cloud/pfsense-ce-2.7.2-amd64-10-12-2024.qcow2" - web_download = true - container_format = "bare" - disk_format = "qcow2" - visibility = "shared" +# Local copy of the Image +resource "null_resource" "pfsense_image_file" { + triggers = { + always_run = timestamp() + } + + provisioner "local-exec" { + command = "curl -o pfsense.qcow2 https://pfsense.object.storage.eu01.onstackit.cloud/pfsense-ce-2.7.2-amd64-10-12-2024.qcow2" + } + lifecycle { + ignore_changes = all + } +} + +# Upload VPN Appliance Image to STACKIT +resource "stackit_image" "pfsense_image" { + project_id = var.STACKIT_PROJECT_ID + name = "pfsense-2.7.2-amd64-image" + local_file_path = "./pfsense.qcow2" + disk_format = "qcow2" + depends_on = [null_resource.pfsense_image_file] + min_disk_size = 10 + min_ram = 2 + config = { + uefi = false + } } diff --git a/03-pfsense-network.tf b/03-pfsense-network.tf index ee5f1f8..a37705b 100644 --- a/03-pfsense-network.tf +++ b/03-pfsense-network.tf 
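Review bot: The `local-exec` in `null_resource.pfsense_image_file` fetches the firewall's boot image with a bare `curl -o` — without `--fail` an HTTP error page is silently written to `pfsense.qcow2` and then uploaded by `stackit_image.pfsense_image`, and without a checksum a swapped object in that bucket becomes your firewall unnoticed. Pin the digest and fail on HTTP errors: `command = "curl -fsSL --retry 3 -o pfsense.qcow2 https://pfsense.object.storage.eu01.onstackit.cloud/pfsense-ce-2.7.2-amd64-10-12-2024.qcow2 && echo '<expected-sha256>  pfsense.qcow2' | sha256sum -c -"`, with the expected digest committed alongside (ideally cross-checked against the upstream pfSense CE 2.7.2 release hash if this object is an unmodified copy — I cannot tell from here whether it is). The `triggers = { always_run = timestamp() }` paired with `ignore_changes = all` also looks contradictory: as written the resource is created once and never re-provisioned, so a deleted or corrupted local file is not re-fetched on the next apply — either drop the trigger or add a comment stating that the download is deliberately one-shot.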
@@ -1,78 +1,42 @@ /* Copyright 2023 Schwarz IT KG -Copyright 2024 STACKIT GmbH & Co. KG +Copyright 2024-2025 STACKIT GmbH & Co. KG Use of this source code is governed by an MIT-style license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT. */ -# Create vNET Networks -resource "openstack_networking_network_v2" "vpc_network" { - name = "VPC Network" - description = "Local Peering VPC Network" - admin_state_up = "true" +# Get vNET Networks +resource "stackit_network" "wan_network" { + project_id = var.STACKIT_PROJECT_ID + name = "wan_network" + ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] } -resource "openstack_networking_network_v2" "wan_network" { - name = "WAN Network" - description = "Transfer Net for binding FloatingIPs" - admin_state_up = "true" +resource "stackit_network" "lan_network" { + project_id = var.STACKIT_PROJECT_ID + name = "lan_network" + ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] + ipv4_prefix = var.LOCAL_SUBNET + ipv4_gateway = var.LOCAL_FIREWALL_IP + routed = false } -# Create Subnets -resource "openstack_networking_subnet_v2" "vpc_subnet_1" { - name = "vpc_subnet" - description = "Local VPC Network" - network_id = openstack_networking_network_v2.vpc_network.id - cidr = var.LOCAL_SUBNET - ip_version = 4 - dns_nameservers = [ - "208.67.222.222", - "9.9.9.9", - ] +resource "stackit_network_interface" "nic_wan" { + project_id = var.STACKIT_PROJECT_ID + network_id = stackit_network.wan_network.network_id + security = false } -resource "openstack_networking_subnet_v2" "wan_subnet_1" { - name = "wan_subnet" - description = "WAN Network" - network_id = openstack_networking_network_v2.wan_network.id - cidr = "100.96.96.0/25" - ip_version = 4 - dns_nameservers = [ - "208.67.222.222", - "9.9.9.9", - ] +resource "stackit_network_interface" "nic_lan" { + project_id = var.STACKIT_PROJECT_ID + network_id = stackit_network.lan_network.network_id + ipv4 = var.LOCAL_FIREWALL_IP + security = false } -# Create OpenStack 
Router - -resource "openstack_networking_router_v2" "vpc_router" { - name = "vpc_router" - description = "VPC Router" -} - -resource "openstack_networking_router_interface_v2" "vpc_router_interface_1" { - router_id = openstack_networking_router_v2.vpc_router.id - subnet_id = openstack_networking_subnet_v2.vpc_subnet_1.id -} - -resource "openstack_networking_router_v2" "wan_router" { - name = "wan_router" - description = "WAN Router" - external_network_id = "970ace5c-458f-484a-a660-0903bcfd91ad" -} - -# Create Router interfaces -resource "openstack_networking_router_interface_v2" "wan_router_interface_1" { - router_id = openstack_networking_router_v2.wan_router.id - subnet_id = openstack_networking_subnet_v2.wan_subnet_1.id -} - -# Create static routing entry for VPC Traffic to hit the pfSense instead of the default gateway -resource "openstack_networking_router_route_v2" "vpc_router_route_1" { - depends_on = [openstack_networking_router_interface_v2.vpc_router_interface_1] - router_id = openstack_networking_router_v2.vpc_router.id - destination_cidr = "0.0.0.0/0" - next_hop = openstack_compute_instance_v2.instance_fw.network.1.fixed_ip_v4 +resource "stackit_public_ip" "wan-ip" { + project_id = var.STACKIT_PROJECT_ID + network_interface_id = stackit_network_interface.nic_wan.network_interface_id } diff --git a/04-pfsense-appliance.tf b/04-pfsense-appliance.tf index 2b296cc..81751c4 100644 --- a/04-pfsense-appliance.tf +++ b/04-pfsense-appliance.tf 
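Review bot: `security = false` on `stackit_network_interface.nic_wan` switches off cloud-side filtering on the one interface that `stackit_public_ip.wan-ip` exposes to the internet, so the only thing between the pfSense management plane and the world is pfSense's own rule set — and the README context visible in this same commit tells operators to allow the WebUI from all WAN addresses with a fixed default password. Disabling it on `nic_lan` is expected for a router that forwards and NATs traffic, but on the WAN side consider keeping `security = true` with a security group that admits only the VPN ports plus management from a known admin CIDR, provided the provider's network-interface resource accepts security group ids in 0.46.0 (confirm). At minimum put a why-comment on each `security = false`, e.g. `# Port security off: pfSense forwards LAN traffic that anti-spoofing filters would drop` on the LAN NIC and `# WARNING: no cloud-side filtering in front of the firewall's WebUI/VPN ports` on the WAN NIC, so the exposure is a documented decision rather than an accident.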
@@ -1,74 +1,43 @@ /* Copyright 2023 Schwarz IT KG -Copyright 2024 STACKIT GmbH & Co. KG +Copyright 2024-2025 STACKIT GmbH & Co. KG Use of this source code is governed by an MIT-style license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT. */ -# Create root Volume -resource "openstack_blockstorage_volume_v3" "fw_root_volume" { +resource "stackit_volume" "pfsense_vol" { + project_id = var.STACKIT_PROJECT_ID name = "pfsense-2.7.2-root" - description = "Root Volume" + availability_zone = var.zone size = 16 - image_id = openstack_images_image_v2.pfsense_image.id + performance_class = "storage_premium_perf4" + source = { + id = stackit_image.pfsense_image.image_id + type = "image" + } +} + +resource "stackit_server" "pfsense_Server" { + project_id = var.STACKIT_PROJECT_ID + name = "pfSense" + boot_volume = { + source_type = "volume" + source_id = stackit_volume.pfsense_vol.volume_id + } availability_zone = var.zone - volume_type = "storage_premium_perf4" + machine_type = var.flavor } -# Create virtual Server -resource "openstack_compute_instance_v2" "instance_fw" { - name = "pfSense" # Server name - flavor_name = var.flavor - availability_zone = var.zone - - block_device { - uuid = openstack_blockstorage_volume_v3.fw_root_volume.id - source_type = "volume" - destination_type = "volume" - boot_index = 0 - delete_on_termination = true - } - - network { - port = openstack_networking_port_v2.wan_port_1.id - } - - network { - port = openstack_networking_port_v2.vpc_port_1.id - } - +resource "stackit_server_network_interface_attach" "nic-attachment-lan" { + project_id = var.STACKIT_PROJECT_ID + server_id = stackit_server.pfsense_Server.server_id + network_interface_id = stackit_network_interface.nic_lan.network_interface_id + depends_on = [stackit_server_network_interface_attach.nic-attachment-wan] } - -# Network Ports -resource "openstack_networking_port_v2" "wan_port_1" { - name = "FW WAN Port" - network_id = 
openstack_networking_network_v2.wan_network.id - admin_state_up = "true" - port_security_enabled = "false" - fixed_ip { - subnet_id = openstack_networking_subnet_v2.wan_subnet_1.id - } +resource "stackit_server_network_interface_attach" "nic-attachment-wan" { + project_id = var.STACKIT_PROJECT_ID + server_id = stackit_server.pfsense_Server.server_id + network_interface_id = stackit_network_interface.nic_wan.network_interface_id } - -resource "openstack_networking_port_v2" "vpc_port_1" { - name = "FW VPC Port" - network_id = openstack_networking_network_v2.vpc_network.id - admin_state_up = "true" - port_security_enabled = "false" - fixed_ip { - subnet_id = openstack_networking_subnet_v2.vpc_subnet_1.id - } -} - - -# Add FloatingIP -resource "openstack_networking_floatingip_v2" "fip" { - pool = "floating-net" -} - -resource "openstack_networking_floatingip_associate_v2" "fip" { - floating_ip = openstack_networking_floatingip_v2.fip.address - port_id = openstack_networking_port_v2.wan_port_1.id -} \ No newline at end of file diff --git a/README.md b/README.md index 9bfdb2f..2d247da 100644 --- a/README.md +++ b/README.md @@ -7,9 +7,7 @@ Deployment overview: The Terraform deployment consists of: + WAN Network -+ WAN Router with external RouterIP + LAN Network -+ LAN Router with static default gateway router to the pfSense firewall + pfSense firewall VM + disk volume + FloatingIP for firewall VM + deactivating port security on firewall ports @@ -18,7 +16,7 @@ The Terraform deployment consists of: **Requirements:** + Terraform installed + Access to a STACKIT project -+ UAT (OpenStack) credentials ++ STACKIT Service-Account-Token ### Installation 1. Clone Repo 
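Review bot: The `depends_on` on `stackit_server_network_interface_attach.nic-attachment-lan` is doing real work — it forces the WAN NIC to be attached before the LAN NIC, which is presumably what keeps pfSense's WAN/LAN assignment correct, replacing the `network` block order the old `openstack_compute_instance_v2` relied on — but nothing says so, and a future reader will remove it as redundant. Add a comment such as `# Attach WAN first so it is the first guest NIC; pfSense assigns WAN/LAN by that order (confirm attach order is honoured by the platform)`. `stackit_server.pfsense_Server` is also the only capitalised label in the repository; rename it to `pfsense_server` to match `pfsense_vol` and the NIC labels. Finally, the old root volume had `delete_on_termination = true`, whereas `stackit_volume.pfsense_vol` is now an independent resource: `terraform destroy` removes it, but a manual server deletion leaves the volume and whatever pfSense state is on it behind — worth one line in the README.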
@@ -47,4 +45,4 @@ Set default password for admin to STACKIT123! Disabled Referer-Check Enable allow all wan adresses to connect to the WebUI -Now you can enter the WebUI via the FloatingIP on port 443 the default login is admin:STACKIT123! \ No newline at end of file +Now you can enter the WebUI via the FloatingIP on port 443 the default login is admin:STACKIT123! diff --git a/example.env b/example.env index 685f16a..2cabc6e 100644 --- a/example.env +++ b/example.env @@ -1,6 +1,4 @@ -# UAT Username -export TF_VAR_USERNAME= -# UAT Password -export TF_VAR_PASSWORD= -# OpenStack (not STACKIT) project id -export TF_VAR_TENANTID= \ No newline at end of file +# STACKIT ProjectID +export TF_VAR_STACKIT_PROJECT_ID= +# STACKIT Service Account Token +export TF_VAR_STACKIT_SERVICE_ACCOUNT_TOKEN= \ No newline at end of file diff --git a/pfsense.qcow2 b/pfsense.qcow2 new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/pfsense.qcow2 @@ -0,0 +1 @@ +
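Review bot: The new tracked file `pfsense.qcow2` (blob `8b13789`, a single newline) defeats the `.gitignore` entry this same commit adds — ignore rules never apply to files already in the index, so once `null_resource.pfsense_image_file` overwrites it with the real image, `git status` shows a large binary modification and a routine `git add -A` commits it. Drop the placeholder from the index with `git rm --cached pfsense.qcow2` and let the ignore rule do its job; the `curl -o` in `02-pfsense-image.tf` creates the file on first apply anyway, so nothing should need it to pre-exist. If a placeholder is genuinely wanted, use a differently named `.gitkeep`-style file rather than the binary's own path.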