From 6a0fa6c61eea88db58149fccf6ec9f9f6fee4706 Mon Sep 17 00:00:00 2001 From: StackedDane Date: Thu, 27 Mar 2025 09:36:50 +0100 Subject: [PATCH 01/15] Updated to STACKIT provider --- .gitignore | 1 + 00-provider.tf | 19 ++++------ 01-config.tf | 28 ++++---------- 02-pfsense-image.tf | 34 +++++++++++++---- 03-pfsense-network.tf | 84 +++++++++++++---------------------------- 04-pfsense-appliance.tf | 84 +++++++++++++---------------------------- 6 files changed, 95 insertions(+), 155 deletions(-) diff --git a/.gitignore b/.gitignore index 18c75fb..ae85be5 100644 --- a/.gitignore +++ b/.gitignore @@ -35,3 +35,4 @@ terraform.rc .env .terraform.lock.hcl conf.img +pfsense.qcow2 diff --git a/00-provider.tf b/00-provider.tf index 0c41e12..614d5fd 100644 --- a/00-provider.tf +++ b/00-provider.tf @@ -11,20 +11,15 @@ https://opensource.org/licenses/MIT. terraform { required_version = ">= 0.14.0" required_providers { - openstack = { - source = "terraform-provider-openstack/openstack" - version = "3.0.0" + stackit = { + source = "stackitcloud/stackit" + version = "0.44.0" } } } -# Configure the OpenStack Provider -provider "openstack" { - user_name = var.USERNAME - tenant_id = var.TENANTID - user_domain_name = "portal_mvp" - project_domain_id = "portal_mvp" - password = var.PASSWORD - auth_url = "https://keystone.api.iaas.eu01.stackit.cloud/v3/" - region = "RegionOne" +provider "stackit" { + default_region = "eu01" + service_account_token = var.STACKIT_SERVICE_ACCOUNT_TOKEN + enable_beta_resources = true } diff --git a/01-config.tf b/01-config.tf index 30c0c1e..a781d41 100644 --- a/01-config.tf +++ b/01-config.tf 
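Review bot: `enable_beta_resources = true` in the new `provider "stackit"` block opts the whole configuration into beta resources without saying which resource needs it, and from this series alone I cannot tell which one does. A one-line comment above it, `# beta: required by <RESOURCE_PLACEHOLDER>; drop once that resource is GA`, would let the flag be removed safely later. The exact pin `version = "0.44.0"` is fine, but the `null` provider that 02-pfsense-image.tf starts using in this same patch is not declared in `required_providers` at all, so it resolves to whatever hashicorp/null version happens to be current; adding `null = { source = "hashicorp/null", version = "<PIN_PLACEHOLDER>" }` keeps the lockfile reproducible.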
@@ -11,47 +11,35 @@ https://opensource.org/licenses/MIT. # Custom User Settings # -# OpenStack Availability Zone +# STACKIT Availability Zone variable "zone" { type = string description = "" default = "eu01-m" } -# OpenStack VM Flavor +# STACKIT VM Flavor variable "flavor" { type = string description = "" default = "c1.2" } -# Local VPC Subnet to create OpenStack Network +# Local VPC Subnet to create Network variable "LOCAL_SUBNET" { type = string description = "" default = "10.0.0.0/24" } -############################################ - -# -# System Settings (do not edit) -# - -# OpenStack UAT Username -variable "USERNAME" { +# STACKIT ProjectID +variable "STACKIT_PROJECT_ID" { type = string description = "" } -# OpenStack Project ID -variable "TENANTID" { +# STACKIT Service Account Token +variable "STACKIT_SERVICE_ACCOUNT_TOKEN" { type = string description = "" -} - -# OpenStack UAT Password -variable "PASSWORD" { - type = string - description = "" -} +} \ No newline at end of file diff --git a/02-pfsense-image.tf b/02-pfsense-image.tf index 5374ad9..6f275bf 100644 --- a/02-pfsense-image.tf +++ b/02-pfsense-image.tf 
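Review bot: `variable "STACKIT_SERVICE_ACCOUNT_TOKEN"` is declared without `sensitive = true`, so Terraform will print the token in plan/apply output and in error messages whenever a dependent attribute is shown; add `sensitive = true` under `type = string`. The state file holds the value regardless, so the state backend has to be treated as secret either way, which is worth a sentence in the README. Both new variables ship with `description = ""`; `description = "STACKIT project ID the resources are created in"` and `description = "Service account token used by the stackit provider"` cost nothing and replace the deleted "System Settings (do not edit)" banner, which was the only hint that these are credentials rather than tuning knobs.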
@@ -7,12 +7,30 @@ license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT. */ -# Upload VPN Appliance Image to OpenStack -resource "openstack_images_image_v2" "pfsense_image" { - name = "pfsense-2.7.2-amd64-image" - image_source_url = "https://pfsense.object.storage.eu01.onstackit.cloud/pfsense-ce-2.7.2-amd64-10-12-2024.qcow2" - web_download = true - container_format = "bare" - disk_format = "qcow2" - visibility = "shared" +# Local copy of the Image +resource "null_resource" "pfsense_image_file" { + triggers = { + always_run = timestamp() + } + + provisioner "local-exec" { + command = "curl -o pfsense.qcow2 https://pfsense.object.storage.eu01.onstackit.cloud/pfsense-ce-2.7.2-amd64-10-12-2024.qcow2" + } +} + +# Upload VPN Appliance Image to STACKIT +resource "stackit_image" "pfsense_image" { + project_id = var.STACKIT_PROJECT_ID + name = "pfsense-2.7.2-amd64-image" + local_file_path = "./pfsense.qcow2" + disk_format = "qcow2" + depends_on = [null_resource.pfsense_image_file] + min_disk_size = 10 + min_ram = 2 + config = { + uefi = false + cdrom_bus = "scsi" + disk_bus = "scsi" + secure_boot = false + } } diff --git a/03-pfsense-network.tf b/03-pfsense-network.tf index ee5f1f8..17857d6 100644 --- a/03-pfsense-network.tf +++ b/03-pfsense-network.tf 
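Review bot: The `local-exec` curl in `null_resource.pfsense_image_file` runs without `--fail`, so an HTTP error page would be written to pfsense.qcow2 and handed to `stackit_image` as the disk image, and nothing verifies the download's integrity before it is uploaded. I would pin the publisher's digest and fail the apply on mismatch, e.g. `command = "curl -fsSL -o pfsense.qcow2 <URL> && echo '<SHA256_PLACEHOLDER>  pfsense.qcow2' | sha256sum -c -"` (digest value to be taken from the image publisher; placeholder here). `triggers = { always_run = timestamp() }` also re-runs the download on every apply; a trigger on the URL string would refetch only when the image actually changes. Because `local-exec` runs on the operator's machine, curl and sha256sum become tool dependencies that belong in the README's requirements list.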
@@ -7,72 +7,42 @@ license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT. */ -# Create vNET Networks -resource "openstack_networking_network_v2" "vpc_network" { - name = "VPC Network" - description = "Local Peering VPC Network" - admin_state_up = "true" +# Get vNET Networks +resource "stackit_network" "lan_network" { + project_id = var.STACKIT_PROJECT_ID + name = "lan_network" + ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] + ipv4_prefix_length = 24 } -resource "openstack_networking_network_v2" "wan_network" { - name = "WAN Network" - description = "Transfer Net for binding FloatingIPs" - admin_state_up = "true" +resource "stackit_network" "wan_network" { + project_id = var.STACKIT_PROJECT_ID + name = "wan_network" + ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] + ipv4_prefix_length = 28 } -# Create Subnets -resource "openstack_networking_subnet_v2" "vpc_subnet_1" { - name = "vpc_subnet" - description = "Local VPC Network" - network_id = openstack_networking_network_v2.vpc_network.id - cidr = var.LOCAL_SUBNET - ip_version = 4 - dns_nameservers = [ - "208.67.222.222", - "9.9.9.9", - ] +resource "stackit_network_interface" "nic_lan" { + project_id = var.STACKIT_PROJECT_ID + network_id = stackit_network.lan_network.network_id } -resource "openstack_networking_subnet_v2" "wan_subnet_1" { - name = "wan_subnet" - description = "WAN Network" - network_id = openstack_networking_network_v2.wan_network.id - cidr = "100.96.96.0/25" - ip_version = 4 - dns_nameservers = [ - "208.67.222.222", - "9.9.9.9", - ] +resource "stackit_network_interface" "nic_wan" { + project_id = var.STACKIT_PROJECT_ID + network_id = stackit_network.wan_network.network_id } -# Create OpenStack Router - -resource "openstack_networking_router_v2" "vpc_router" { - name = "vpc_router" - description = "VPC Router" +resource "stackit_public_ip" "example" { + project_id = var.STACKIT_PROJECT_ID + network_interface_id = 
stackit_network_interface.nic_wan.network_interface_id } -resource "openstack_networking_router_interface_v2" "vpc_router_interface_1" { - router_id = openstack_networking_router_v2.vpc_router.id - subnet_id = openstack_networking_subnet_v2.vpc_subnet_1.id -} -resource "openstack_networking_router_v2" "wan_router" { - name = "wan_router" - description = "WAN Router" - external_network_id = "970ace5c-458f-484a-a660-0903bcfd91ad" -} +# Get Subents +#data "openstack_networking_subnet_v2" "vpc_subnet_1" { +# network_id = stackit_network.lan_network.network_id +#} -# Create Router interfaces -resource "openstack_networking_router_interface_v2" "wan_router_interface_1" { - router_id = openstack_networking_router_v2.wan_router.id - subnet_id = openstack_networking_subnet_v2.wan_subnet_1.id -} - -# Create static routing entry for VPC Traffic to hit the pfSense instead of the default gateway -resource "openstack_networking_router_route_v2" "vpc_router_route_1" { - depends_on = [openstack_networking_router_interface_v2.vpc_router_interface_1] - router_id = openstack_networking_router_v2.vpc_router.id - destination_cidr = "0.0.0.0/0" - next_hop = openstack_compute_instance_v2.instance_fw.network.1.fixed_ip_v4 -} +#data "openstack_networking_subnet_v2" "wan_subnet_1" { +# network_id = stackit_network.wan_network.network_id +#} \ No newline at end of file diff --git a/04-pfsense-appliance.tf b/04-pfsense-appliance.tf index 2b296cc..1905ba0 100644 --- a/04-pfsense-appliance.tf +++ b/04-pfsense-appliance.tf 
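Review bot: The new `stackit_network.lan_network` uses `ipv4_prefix_length = 24` instead of `var.LOCAL_SUBNET`, so the `LOCAL_SUBNET` variable kept in 01-config.tf by this same patch is now unreferenced and the user no longer controls the LAN range; `ipv4_prefix = var.LOCAL_SUBNET` would keep the variable meaningful (a later patch in the series does this). The removed `openstack_networking_router_route_v2` default route towards the pfSense is not replaced by anything in this hunk, so after this commit LAN hosts have no configured path through the firewall. `resource "stackit_public_ip" "example"` is a placeholder name that ends up in state and addresses; `"wan_ip"` or similar reads better. The nameserver list is now duplicated in both networks, and a single `locals` entry would keep it in one place.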
@@ -7,68 +7,36 @@ license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT. */ -# Create root Volume -resource "openstack_blockstorage_volume_v3" "fw_root_volume" { +resource "stackit_volume" "pfsense_vol" { + project_id = var.STACKIT_PROJECT_ID name = "pfsense-2.7.2-root" - description = "Root Volume" + availability_zone = var.zone size = 16 - image_id = openstack_images_image_v2.pfsense_image.id + performance_class = "storage_premium_perf4" + source = { + id = stackit_image.pfsense_image.image_id + type = "image" + } +} + +resource "stackit_server" "pfsense_Server" { + project_id = var.STACKIT_PROJECT_ID + name = "pfSense" + boot_volume = { + source_type = "volume" + source_id = stackit_volume.pfsense_vol.volume_id + } availability_zone = var.zone - volume_type = "storage_premium_perf4" + machine_type = var.flavor } -# Create virtual Server -resource "openstack_compute_instance_v2" "instance_fw" { - name = "pfSense" # Server name - flavor_name = var.flavor - availability_zone = var.zone - - block_device { - uuid = openstack_blockstorage_volume_v3.fw_root_volume.id - source_type = "volume" - destination_type = "volume" - boot_index = 0 - delete_on_termination = true - } - - network { - port = openstack_networking_port_v2.wan_port_1.id - } - - network { - port = openstack_networking_port_v2.vpc_port_1.id - } - +resource "stackit_server_network_interface_attach" "nic-attachment-lan" { + project_id = var.STACKIT_PROJECT_ID + server_id = stackit_server.pfsense_Server.server_id + network_interface_id = stackit_network_interface.nic_lan.network_interface_id } - -# Network Ports -resource "openstack_networking_port_v2" "wan_port_1" { - name = "FW WAN Port" - network_id = openstack_networking_network_v2.wan_network.id - admin_state_up = "true" - port_security_enabled = "false" - fixed_ip { - subnet_id = openstack_networking_subnet_v2.wan_subnet_1.id - } -} - -resource "openstack_networking_port_v2" "vpc_port_1" { - name = "FW VPC Port" - 
network_id = openstack_networking_network_v2.vpc_network.id - admin_state_up = "true" - port_security_enabled = "false" - fixed_ip { - subnet_id = openstack_networking_subnet_v2.vpc_subnet_1.id - } -} - - -# Add FloatingIP -resource "openstack_networking_floatingip_v2" "fip" { - pool = "floating-net" -} - -resource "openstack_networking_floatingip_associate_v2" "fip" { - floating_ip = openstack_networking_floatingip_v2.fip.address - port_id = openstack_networking_port_v2.wan_port_1.id +resource "stackit_server_network_interface_attach" "nic-attachment-wan" { + project_id = var.STACKIT_PROJECT_ID + server_id = stackit_server.pfsense_Server.server_id + network_interface_id = stackit_network_interface.nic_wan.network_interface_id } \ No newline at end of file From f83f7b9714dc3ef0114a2b41ac7be5d0e9232370 Mon Sep 17 00:00:00 2001 From: Daniel Przibilla Date: Thu, 27 Mar 2025 09:41:06 +0100 Subject: [PATCH 02/15] Create pfsense.qcow2 --- pfsense.qcow2 | 1 + 1 file changed, 1 insertion(+) create mode 100644 pfsense.qcow2 diff --git a/pfsense.qcow2 b/pfsense.qcow2 new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/pfsense.qcow2 @@ -0,0 +1 @@ + From cdb4ec90b1356e0d0a01ae5d6ee499d4f6210034 Mon Sep 17 00:00:00 2001 From: Daniel Przibilla Date: Thu, 27 Mar 2025 09:43:07 +0100 Subject: [PATCH 03/15] Delete example.env --- example.env | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 example.env diff --git a/example.env b/example.env deleted file mode 100644 index 685f16a..0000000 --- a/example.env +++ /dev/null @@ -1,6 +0,0 @@ -# UAT Username -export TF_VAR_USERNAME= -# UAT Password -export TF_VAR_PASSWORD= -# OpenStack (not STACKIT) project id -export TF_VAR_TENANTID= \ No newline at end of file From b2488f5f83b5bac8763cc1e76bb250bf3db00334 Mon Sep 17 00:00:00 2001 From: Daniel Przibilla Date: Thu, 27 Mar 2025 09:45:18 +0100 Subject: [PATCH 04/15] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/README.md b/README.md index 9bfdb2f..b4550a1 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ The Terraform deployment consists of: **Requirements:** + Terraform installed + Access to a STACKIT project -+ UAT (OpenStack) credentials ++ STACKIT Service-Account-Token ### Installation 1. Clone Repo @@ -47,4 +47,4 @@ Set default password for admin to STACKIT123! Disabled Referer-Check Enable allow all wan adresses to connect to the WebUI -Now you can enter the WebUI via the FloatingIP on port 443 the default login is admin:STACKIT123! \ No newline at end of file +Now you can enter the WebUI via the FloatingIP on port 443 the default login is admin:STACKIT123! From 8dd4c5fd038bfeef64e88b20a7417c45c3014b2f Mon Sep 17 00:00:00 2001 From: StackedDane Date: Thu, 27 Mar 2025 13:56:54 +0100 Subject: [PATCH 05/15] Changed Network --- 03-pfsense-network.tf | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/03-pfsense-network.tf b/03-pfsense-network.tf index 17857d6..512db34 100644 --- a/03-pfsense-network.tf +++ b/03-pfsense-network.tf @@ -8,23 +8,19 @@ https://opensource.org/licenses/MIT. */ # Get vNET Networks -resource "stackit_network" "lan_network" { - project_id = var.STACKIT_PROJECT_ID - name = "lan_network" - ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] - ipv4_prefix_length = 24 -} - resource "stackit_network" "wan_network" { project_id = var.STACKIT_PROJECT_ID name = "wan_network" ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] - ipv4_prefix_length = 28 + routed = true } -resource "stackit_network_interface" "nic_lan" { +resource "stackit_network" "lan_network" { project_id = var.STACKIT_PROJECT_ID - network_id = stackit_network.lan_network.network_id + name = "lan_network" + ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] + ipv4_prefix_length = 24 + routed = true } resource "stackit_network_interface" "nic_wan" { 
@@ -32,17 +28,13 @@ resource "stackit_network_interface" "nic_wan" { network_id = stackit_network.wan_network.network_id } +resource "stackit_network_interface" "nic_lan" { + project_id = var.STACKIT_PROJECT_ID + network_id = stackit_network.lan_network.network_id + depends_on = [stackit_network_interface.nic_wan] +} + resource "stackit_public_ip" "example" { project_id = var.STACKIT_PROJECT_ID network_interface_id = stackit_network_interface.nic_wan.network_interface_id } - - -# Get Subents -#data "openstack_networking_subnet_v2" "vpc_subnet_1" { -# network_id = stackit_network.lan_network.network_id -#} - -#data "openstack_networking_subnet_v2" "wan_subnet_1" { -# network_id = stackit_network.wan_network.network_id -#} \ No newline at end of file From b093c98da70b311e42d3d1dd33acd1c7611aaa15 Mon Sep 17 00:00:00 2001 From: StackedDane Date: Fri, 28 Mar 2025 11:15:01 +0100 Subject: [PATCH 06/15] adjusted network settings --- 03-pfsense-network.tf | 71 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 70 insertions(+), 1 deletion(-) diff --git a/03-pfsense-network.tf b/03-pfsense-network.tf index 512db34..f4c83a8 100644 --- a/03-pfsense-network.tf +++ b/03-pfsense-network.tf 
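Review bot: `depends_on = [stackit_network_interface.nic_wan]` on `nic_lan` carries no explanation, and nothing in the two resources visibly depends on creation order; presumably it is meant to make the WAN NIC the first interface the guest enumerates, which matters for pfSense's default WAN/LAN assignment, but that is an inference. A comment such as `# create the WAN NIC before the LAN NIC so the guest enumerates WAN first (TODO: confirm the platform honours creation order)` would record the intent; the same applies to the `depends_on` added to `stackit_server_network_interface_attach.nic-attachment-lan` in patch 10's 04-pfsense-appliance.tf hunk. If ordering matters at all, the attachment order on the server is more likely the relevant one than the NIC creation order.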
@@ -19,18 +19,87 @@ resource "stackit_network" "lan_network" { project_id = var.STACKIT_PROJECT_ID name = "lan_network" ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] - ipv4_prefix_length = 24 routed = true } +resource "stackit_security_group" "sec_group_wan" { + project_id = var.STACKIT_PROJECT_ID + name = "sec_group" + labels = { + "key" = "value" + } +} + +resource "stackit_security_group_rule" "sec_icmp" { + project_id = var.STACKIT_PROJECT_ID + security_group_id = stackit_security_group.sec_group_wan.security_group_id + direction = "ingress" + icmp_parameters = { + code = 0 + type = 8 + } + protocol = { + name = "icmp" + } +} + +resource "stackit_security_group_rule" "sec_tcp" { + project_id = var.STACKIT_PROJECT_ID + security_group_id = stackit_security_group.sec_group_wan.security_group_id + direction = "ingress" + port_range = { + max = 443 + min = 443 + } + protocol = { + name = "tcp" + } +} + +resource "stackit_security_group" "sec_group_lan" { + project_id = var.STACKIT_PROJECT_ID + name = "sec_group" + labels = { + "key" = "value" + } +} + +#resource "stackit_security_group_rule" "lan_sec_icmp" { +# project_id = var.STACKIT_PROJECT_ID +# security_group_id = stackit_security_group.sec_group_lan.security_group_id +# direction = "ingress" +# icmp_parameters = { +# code = 0 +# type = 8 +# } +# protocol = { +# name = "icmp" +# } +#} + +#resource "stackit_security_group_rule" "lan_sec_tcp" { +# project_id = var.STACKIT_PROJECT_ID +# security_group_id = stackit_security_group.sec_group_lan.security_group_id +# direction = "ingress" +# port_range = { +# max = 443 +# min = 443 +# } +# protocol = { +# name = "tcp" +# } +#} + resource "stackit_network_interface" "nic_wan" { project_id = var.STACKIT_PROJECT_ID network_id = stackit_network.wan_network.network_id + security_group_ids = [stackit_security_group.sec_group_wan.security_group_id] } resource "stackit_network_interface" "nic_lan" { project_id = var.STACKIT_PROJECT_ID network_id = 
stackit_network.lan_network.network_id + security_group_ids = [stackit_security_group.sec_group_lan.security_group_id] depends_on = [stackit_network_interface.nic_wan] } From 4034faeb4fd745568e99665b7dc48015d5ec9958 Mon Sep 17 00:00:00 2001 From: BackInBash <48181660+BackInBash@users.noreply.github.com> Date: Wed, 2 Apr 2025 14:14:30 +0200 Subject: [PATCH 07/15] updated provider version --- 00-provider.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/00-provider.tf b/00-provider.tf index 614d5fd..eb328f9 100644 --- a/00-provider.tf +++ b/00-provider.tf @@ -13,7 +13,7 @@ terraform { required_providers { stackit = { source = "stackitcloud/stackit" - version = "0.44.0" + version = "0.47.0" } } } From f7efbdfb0319ee573be4e1324153ae224d11a3fe Mon Sep 17 00:00:00 2001 From: BackInBash <48181660+BackInBash@users.noreply.github.com> Date: Wed, 2 Apr 2025 14:23:01 +0200 Subject: [PATCH 08/15] removed image options default options are fine --- 02-pfsense-image.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/02-pfsense-image.tf b/02-pfsense-image.tf index 6f275bf..fc38186 100644 --- a/02-pfsense-image.tf +++ b/02-pfsense-image.tf @@ -29,8 +29,5 @@ resource "stackit_image" "pfsense_image" { min_ram = 2 config = { uefi = false - cdrom_bus = "scsi" - disk_bus = "scsi" - secure_boot = false } } From 089597a9b568d4156463cfe01ba1f49a766974af Mon Sep 17 00:00:00 2001 From: BackInBash <48181660+BackInBash@users.noreply.github.com> Date: Wed, 2 Apr 2025 14:23:17 +0200 Subject: [PATCH 09/15] removed sec groups --- 03-pfsense-network.tf | 98 +++++++------------------------------------ 1 file changed, 14 insertions(+), 84 deletions(-) diff --git a/03-pfsense-network.tf b/03-pfsense-network.tf index f4c83a8..447c3fe 100644 --- a/03-pfsense-network.tf +++ b/03-pfsense-network.tf 
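Review bot: `stackit_security_group_rule.sec_tcp` allows ingress TCP 443 with no remote range restriction, so the pfSense web UI on the public IP is reachable from any source; pair the rule with `ip_range = var.ADMIN_CIDR` (a new variable holding the administrator's source range) or document why it is deliberately left open. Both `stackit_security_group` resources are named `"sec_group"` and carry the placeholder `labels = { "key" = "value" }`; distinct names such as `"pfsense-wan"` and `"pfsense-lan"` avoid confusion in the console, and the placeholder label should go. `sec_group_lan` has every rule commented out, so it is attached to `nic_lan` with no ingress rule at all; depending on how the platform treats an empty group this may block the LAN traffic the firewall is supposed to forward, which is worth confirming and stating in a comment.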
@@ -9,101 +9,31 @@ https://opensource.org/licenses/MIT. # Get vNET Networks resource "stackit_network" "wan_network" { - project_id = var.STACKIT_PROJECT_ID - name = "wan_network" - ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] - routed = true + project_id = var.STACKIT_PROJECT_ID + name = "wan_network" + ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] + routed = false } resource "stackit_network" "lan_network" { - project_id = var.STACKIT_PROJECT_ID - name = "lan_network" - ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] - routed = true + project_id = var.STACKIT_PROJECT_ID + name = "lan_network" + ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] } -resource "stackit_security_group" "sec_group_wan" { - project_id = var.STACKIT_PROJECT_ID - name = "sec_group" - labels = { - "key" = "value" - } -} - -resource "stackit_security_group_rule" "sec_icmp" { - project_id = var.STACKIT_PROJECT_ID - security_group_id = stackit_security_group.sec_group_wan.security_group_id - direction = "ingress" - icmp_parameters = { - code = 0 - type = 8 - } - protocol = { - name = "icmp" - } -} - -resource "stackit_security_group_rule" "sec_tcp" { - project_id = var.STACKIT_PROJECT_ID - security_group_id = stackit_security_group.sec_group_wan.security_group_id - direction = "ingress" - port_range = { - max = 443 - min = 443 - } - protocol = { - name = "tcp" - } -} - -resource "stackit_security_group" "sec_group_lan" { - project_id = var.STACKIT_PROJECT_ID - name = "sec_group" - labels = { - "key" = "value" - } -} - -#resource "stackit_security_group_rule" "lan_sec_icmp" { -# project_id = var.STACKIT_PROJECT_ID -# security_group_id = stackit_security_group.sec_group_lan.security_group_id -# direction = "ingress" -# icmp_parameters = { -# code = 0 -# type = 8 -# } -# protocol = { -# name = "icmp" -# } -#} - -#resource "stackit_security_group_rule" "lan_sec_tcp" { -# project_id = var.STACKIT_PROJECT_ID -# security_group_id = stackit_security_group.sec_group_lan.security_group_id -# 
direction = "ingress" -# port_range = { -# max = 443 -# min = 443 -# } -# protocol = { -# name = "tcp" -# } -#} - resource "stackit_network_interface" "nic_wan" { - project_id = var.STACKIT_PROJECT_ID - network_id = stackit_network.wan_network.network_id - security_group_ids = [stackit_security_group.sec_group_wan.security_group_id] + project_id = var.STACKIT_PROJECT_ID + network_id = stackit_network.wan_network.network_id + security = false } resource "stackit_network_interface" "nic_lan" { - project_id = var.STACKIT_PROJECT_ID - network_id = stackit_network.lan_network.network_id - security_group_ids = [stackit_security_group.sec_group_lan.security_group_id] - depends_on = [stackit_network_interface.nic_wan] + project_id = var.STACKIT_PROJECT_ID + network_id = stackit_network.lan_network.network_id + security = false } -resource "stackit_public_ip" "example" { +resource "stackit_public_ip" "wan-ip" { project_id = var.STACKIT_PROJECT_ID network_interface_id = stackit_network_interface.nic_wan.network_interface_id } From e446d33a51a9f8fc18f224a5a6bee8ebb8d1ef21 Mon Sep 17 00:00:00 2001 From: BackInBash <48181660+BackInBash@users.noreply.github.com> Date: Wed, 2 Apr 2025 14:24:34 +0200 Subject: [PATCH 10/15] nic depends on --- 04-pfsense-appliance.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/04-pfsense-appliance.tf b/04-pfsense-appliance.tf index 1905ba0..986329c 100644 --- a/04-pfsense-appliance.tf +++ b/04-pfsense-appliance.tf @@ -1,6 +1,6 @@ /* Copyright 2023 Schwarz IT KG -Copyright 2024 STACKIT GmbH & Co. KG +Copyright 2024-2025 STACKIT GmbH & Co. KG Use of this source code is governed by an MIT-style license that can be found in the LICENSE file or at 
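Review bot: `security = false` on `stackit_network_interface.nic_wan` switches off port security on the interface that carries the public IP (`stackit_public_ip.wan-ip`), so no platform-level filter stands in front of the pfSense WAN at all; together with the README's default `admin:STACKIT123!` and the "allow all wan adresses to connect to the WebUI" step, the management UI is exposed to the internet until the operator changes both. Port security off on `nic_lan` is plausibly required (forwarded traffic would otherwise fail anti-spoofing checks), but on the WAN side the previous patch's security group, with a remote range added to its 443 rule, was the safer shape; I would keep `security = true` there and keep a restricted WAN group. The commit message "removed sec groups" gives no reason; if the groups broke something, a comment above `security = false` naming it would stop the next reviewer from re-adding them.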
@@ -34,6 +34,7 @@ resource "stackit_server_network_interface_attach" "nic-attachment-lan" { project_id = var.STACKIT_PROJECT_ID server_id = stackit_server.pfsense_Server.server_id network_interface_id = stackit_network_interface.nic_lan.network_interface_id + depends_on = [ stackit_server_network_interface_attach.nic-attachment-wan ] } resource "stackit_server_network_interface_attach" "nic-attachment-wan" { project_id = var.STACKIT_PROJECT_ID From 39b3f988efe20f33710b8e427004c03f9c46f092 Mon Sep 17 00:00:00 2001 From: BackInBash <48181660+BackInBash@users.noreply.github.com> Date: Wed, 2 Apr 2025 14:25:53 +0200 Subject: [PATCH 11/15] refactoring --- 00-provider.tf | 6 +++--- 01-config.tf | 4 ++-- 02-pfsense-image.tf | 20 ++++++++++---------- 03-pfsense-network.tf | 2 +- 04-pfsense-appliance.tf | 8 ++++---- 5 files changed, 20 insertions(+), 20 deletions(-) diff --git a/00-provider.tf b/00-provider.tf index eb328f9..27e01ac 100644 --- a/00-provider.tf +++ b/00-provider.tf @@ -1,6 +1,6 @@ /* Copyright 2023 Schwarz IT KG -Copyright 2024 STACKIT GmbH & Co. KG +Copyright 2024-2025 STACKIT GmbH & Co. KG Use of this source code is governed by an MIT-style license that can be found in the LICENSE file or at @@ -12,14 +12,14 @@ terraform { required_version = ">= 0.14.0" required_providers { stackit = { - source = "stackitcloud/stackit" + source = "stackitcloud/stackit" version = "0.47.0" } } } provider "stackit" { - default_region = "eu01" + default_region = "eu01" service_account_token = var.STACKIT_SERVICE_ACCOUNT_TOKEN enable_beta_resources = true } diff --git a/01-config.tf b/01-config.tf index a781d41..d40505c 100644 --- a/01-config.tf +++ b/01-config.tf @@ -1,6 +1,6 @@ /* Copyright 2023 Schwarz IT KG -Copyright 2024 STACKIT GmbH & Co. KG +Copyright 2024-2025 STACKIT GmbH & Co. KG Use of this source code is governed by an MIT-style license that can be found in the LICENSE file or at 
@@ -42,4 +42,4 @@ variable "STACKIT_PROJECT_ID" { variable "STACKIT_SERVICE_ACCOUNT_TOKEN" { type = string description = "" -} \ No newline at end of file +} diff --git a/02-pfsense-image.tf b/02-pfsense-image.tf index fc38186..b0555b0 100644 --- a/02-pfsense-image.tf +++ b/02-pfsense-image.tf @@ -1,6 +1,6 @@ /* Copyright 2023 Schwarz IT KG -Copyright 2024 STACKIT GmbH & Co. KG +Copyright 2024-2025 STACKIT GmbH & Co. KG Use of this source code is governed by an MIT-style license that can be found in the LICENSE file or at @@ -9,7 +9,7 @@ https://opensource.org/licenses/MIT. # Local copy of the Image resource "null_resource" "pfsense_image_file" { - triggers = { + triggers = { always_run = timestamp() } @@ -20,14 +20,14 @@ resource "null_resource" "pfsense_image_file" { # Upload VPN Appliance Image to STACKIT resource "stackit_image" "pfsense_image" { - project_id = var.STACKIT_PROJECT_ID - name = "pfsense-2.7.2-amd64-image" - local_file_path = "./pfsense.qcow2" - disk_format = "qcow2" - depends_on = [null_resource.pfsense_image_file] - min_disk_size = 10 - min_ram = 2 + project_id = var.STACKIT_PROJECT_ID + name = "pfsense-2.7.2-amd64-image" + local_file_path = "./pfsense.qcow2" + disk_format = "qcow2" + depends_on = [null_resource.pfsense_image_file] + min_disk_size = 10 + min_ram = 2 config = { - uefi = false + uefi = false } } diff --git a/03-pfsense-network.tf b/03-pfsense-network.tf index 447c3fe..2e997a4 100644 --- a/03-pfsense-network.tf +++ b/03-pfsense-network.tf @@ -1,6 +1,6 @@ /* Copyright 2023 Schwarz IT KG -Copyright 2024 STACKIT GmbH & Co. KG +Copyright 2024-2025 STACKIT GmbH & Co. KG Use of this source code is governed by an MIT-style license that can be found in the LICENSE file or at diff --git a/04-pfsense-appliance.tf b/04-pfsense-appliance.tf index 986329c..81751c4 100644 --- a/04-pfsense-appliance.tf +++ b/04-pfsense-appliance.tf 
@@ -14,9 +14,9 @@ resource "stackit_volume" "pfsense_vol" { size = 16 performance_class = "storage_premium_perf4" source = { - id = stackit_image.pfsense_image.image_id + id = stackit_image.pfsense_image.image_id type = "image" - } + } } resource "stackit_server" "pfsense_Server" { @@ -34,10 +34,10 @@ resource "stackit_server_network_interface_attach" "nic-attachment-lan" { project_id = var.STACKIT_PROJECT_ID server_id = stackit_server.pfsense_Server.server_id network_interface_id = stackit_network_interface.nic_lan.network_interface_id - depends_on = [ stackit_server_network_interface_attach.nic-attachment-wan ] + depends_on = [stackit_server_network_interface_attach.nic-attachment-wan] } resource "stackit_server_network_interface_attach" "nic-attachment-wan" { project_id = var.STACKIT_PROJECT_ID server_id = stackit_server.pfsense_Server.server_id network_interface_id = stackit_network_interface.nic_wan.network_interface_id -} \ No newline at end of file +} From ae39b230c619ef92454bf5313425ecf25f4f0e2e Mon Sep 17 00:00:00 2001 From: BackInBash <48181660+BackInBash@users.noreply.github.com> Date: Wed, 2 Apr 2025 14:28:14 +0200 Subject: [PATCH 12/15] Create example.env --- example.env | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 example.env diff --git a/example.env b/example.env new file mode 100644 index 0000000..e69de29 From d8debf1239bb4f45545b1c262541c96bbf38a18b Mon Sep 17 00:00:00 2001 From: BackInBash <48181660+BackInBash@users.noreply.github.com> Date: Wed, 2 Apr 2025 16:18:04 +0200 Subject: [PATCH 13/15] project firewall setup --- 00-provider.tf | 2 +- 01-config.tf | 7 ++++++- 02-pfsense-image.tf | 5 ++++- 03-pfsense-network.tf | 5 ++++- example.env | 4 ++++ 5 files changed, 19 insertions(+), 4 deletions(-) diff --git a/00-provider.tf b/00-provider.tf index 27e01ac..15829c9 100644 --- a/00-provider.tf +++ b/00-provider.tf 
@@ -13,7 +13,7 @@ terraform { required_providers { stackit = { source = "stackitcloud/stackit" - version = "0.47.0" + version = "0.46.0" } } } diff --git a/01-config.tf b/01-config.tf index d40505c..8ccc46b 100644 --- a/01-config.tf +++ b/01-config.tf @@ -29,7 +29,12 @@ variable "flavor" { variable "LOCAL_SUBNET" { type = string description = "" - default = "10.0.0.0/24" + default = "10.10.0.0/24" +} +variable "LOCAL_FIREWALL_IP" { + type = string + description = "" + default = "10.10.0.220" } # STACKIT ProjectID diff --git a/02-pfsense-image.tf b/02-pfsense-image.tf index b0555b0..5d51461 100644 --- a/02-pfsense-image.tf +++ b/02-pfsense-image.tf @@ -14,7 +14,10 @@ resource "null_resource" "pfsense_image_file" { } provisioner "local-exec" { - command = "curl -o pfsense.qcow2 https://pfsense.object.storage.eu01.onstackit.cloud/pfsense-ce-2.7.2-amd64-10-12-2024.qcow2" + command = "curl -o pfsense.qcow2 https://pfsense.object.storage.eu01.onstackit.cloud/pfsense-ce-2.7.2-amd64-29-01-2024.qcow2" + } + lifecycle { + ignore_changes = all } } diff --git a/03-pfsense-network.tf b/03-pfsense-network.tf index 2e997a4..a37705b 100644 --- a/03-pfsense-network.tf +++ b/03-pfsense-network.tf @@ -12,13 +12,15 @@ resource "stackit_network" "wan_network" { project_id = var.STACKIT_PROJECT_ID name = "wan_network" ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] - routed = false } resource "stackit_network" "lan_network" { project_id = var.STACKIT_PROJECT_ID name = "lan_network" ipv4_nameservers = ["208.67.222.222", "9.9.9.9"] + ipv4_prefix = var.LOCAL_SUBNET + ipv4_gateway = var.LOCAL_FIREWALL_IP + routed = false } resource "stackit_network_interface" "nic_wan" { @@ -30,6 +32,7 @@ resource "stackit_network_interface" "nic_wan" { resource "stackit_network_interface" "nic_lan" { project_id = var.STACKIT_PROJECT_ID network_id = stackit_network.lan_network.network_id + ipv4 = var.LOCAL_FIREWALL_IP security = false } diff --git a/example.env b/example.env index e69de29..2cabc6e 100644 
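Review bot: `LOCAL_FIREWALL_IP` defaults to `10.10.0.220` and `LOCAL_SUBNET` to `10.10.0.0/24`, but nothing ties the two together: overriding one without the other yields an `ipv4_gateway` outside the prefix, which at best fails at apply time with an API error. A variable `validation` block cannot reference another variable in the Terraform versions this file allows, so the check belongs in a `precondition` on `stackit_network.lan_network`, and in the meantime the empty descriptions should at least state the coupling: `description = "LAN IP of the pfSense firewall; must lie inside LOCAL_SUBNET and becomes the subnet gateway"`. The `default = "10.0.0.0/24"` to `"10.10.0.0/24"` change is silent for existing users whose tfvars rely on the old default; a line in the README or commit message would help.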
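Review bot: `lifecycle { ignore_changes = all }` added to `null_resource.pfsense_image_file` cancels its own `triggers = { always_run = timestamp() }`: on an existing state the changed trigger is ignored, so the curl never runs again and the resource is effectively create-once, while the `always_run` name says the opposite. If create-once is the intent, drop the timestamp trigger and say so with `# downloaded once; taint this resource to refetch the image`; if the image should refresh when the URL changes, use the URL string as the trigger and remove `ignore_changes`. The URL in the same hunk moves to an older build (`...-29-01-2024.qcow2`) and patch 14 moves it back, so one of the two changes is noise, and with `ignore_changes = all` neither would re-run the download on an already-applied deployment anyway.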
--- a/example.env +++ b/example.env @@ -0,0 +1,4 @@ +# STACKIT ProjectID +export TF_VAR_STACKIT_PROJECT_ID= +# STACKIT Service Account Token +export TF_VAR_STACKIT_SERVICE_ACCOUNT_TOKEN= \ No newline at end of file From af78c522356b97815f542e2a1a8a5bc8dcaf122a Mon Sep 17 00:00:00 2001 From: BackInBash <48181660+BackInBash@users.noreply.github.com> Date: Wed, 2 Apr 2025 16:21:57 +0200 Subject: [PATCH 14/15] updated image version --- 02-pfsense-image.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/02-pfsense-image.tf b/02-pfsense-image.tf index 5d51461..2ef827e 100644 --- a/02-pfsense-image.tf +++ b/02-pfsense-image.tf @@ -14,7 +14,7 @@ resource "null_resource" "pfsense_image_file" { } provisioner "local-exec" { - command = "curl -o pfsense.qcow2 https://pfsense.object.storage.eu01.onstackit.cloud/pfsense-ce-2.7.2-amd64-29-01-2024.qcow2" + command = "curl -o pfsense.qcow2 https://pfsense.object.storage.eu01.onstackit.cloud/pfsense-ce-2.7.2-amd64-10-12-2024.qcow2" } lifecycle { ignore_changes = all From 6fa1642946953e4bd593ac4d5637c65cede1078e Mon Sep 17 00:00:00 2001 From: BackInBash <48181660+BackInBash@users.noreply.github.com> Date: Thu, 10 Apr 2025 09:17:24 +0200 Subject: [PATCH 15/15] Update README.md --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index b4550a1..2d247da 100644 --- a/README.md +++ b/README.md @@ -7,9 +7,7 @@ Deployment overview: The Terraform deployment consists of: + WAN Network -+ WAN Router with external RouterIP + LAN Network -+ LAN Router with static default gateway router to the pfSense firewall + pfSense firewall VM + disk volume + FloatingIP for firewall VM + deactivating port security on firewall ports