Initial commit
All checks were successful
CI / TruffleHog Secrets Scan (push) Successful in 5s
CI / Terraform Format & Validate (push) Successful in 7s

This commit is contained in:
Mauritz_Uphoff 2025-07-02 11:11:22 +02:00
commit fb87dbaaca
6 changed files with 225 additions and 0 deletions


@ -0,0 +1,28 @@
name: CI
on: [push]
jobs:
secrets-scan:
name: TruffleHog Secrets Scan
runs-on: docker
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: trufflehog-actions-scan
uses: https://github.com/edplato/trufflehog-actions-scan@master
terraform:
name: Terraform Format & Validate
runs-on: docker
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: https://github.com/hashicorp/setup-terraform@v3
with:
terraform_version: "1.5.7"
- name: Format Terraform Code
run: terraform fmt -recursive -check
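Review bot: The secrets-scan job pulls `uses: https://github.com/edplato/trufflehog-actions-scan@master`, a mutable branch reference on a third-party action, so whatever that branch points to at run time executes against the repository checkout; pinning it to a full commit SHA and reviewing the diff when bumping is the usual control, and the same applies to `actions/checkout@v4` and `setup-terraform@v3` if a moving tag is not acceptable here. The second job is named "Terraform Format & Validate" but only runs `terraform fmt -recursive -check`; adding `run: terraform init -backend=false` followed by `run: terraform validate` would make the job do what its name claims and catch the kind of reference errors that fmt never sees.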

7
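--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,7 @@
+.idea
+keys/*
+.terraform
+*.tfstate
+backup/terraform.tfstate
+backup/terraform.tfstate.backup
+.DS_Store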

28
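--- a/00-provider.tf
+++ b/00-provider.tf
@@ -0,0 +1,28 @@
+/*
+Copyright 2023 Schwarz IT KG <markus.brunsch@mail.schwarz>
+Copyright 2024-2025 STACKIT GmbH & Co. KG <markus.brunsch@stackit.cloud>
+Use of this source code is governed by an MIT-style
+license that can be found in the LICENSE file or at
+https://opensource.org/licenses/MIT.
+*/
+# Define required providers
+terraform {
+required_version = ">= 0.14.0"
+required_providers {
+stackit = {
+source = "stackitcloud/stackit"
+version = "0.56.0"
+}
+random = {
+source = "hashicorp/random"
+version = "3.6.3"
+}
+}
+}
+provider "stackit" {
+default_region = var.stackit_region
+service_account_key_path = var.stackit_service_account_key_path
+}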
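Review bot: `required_version = ">= 0.14.0"` has no upper bound, so a developer on a future major Terraform release is accepted even though CI pins 1.5.7 and both providers are pinned to exact versions; `required_version = "~> 1.5"` would keep local runs and CI on the same release line. The `# Define required providers` comment only restates the block name; a more useful header would record that `stackit_service_account_key_path` is expected to point at a key file under the `keys/` directory that .gitignore excludes, so the service-account credential never ends up in the repository.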

26
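--- a/01-variables.tf
+++ b/01-variables.tf
@@ -0,0 +1,26 @@
+variable "stackit_project_id" {
+type = string
+/*default = "XXXXX-XXXX-XXXX-XXXX-XXXXXXX"*/
+default = "d75e6aab-b616-4b42-ae3b-aaf161ad626d"
+}
+variable "stackit_region" {
+type = string
+default = "eu01"
+}
+variable "stackit_service_account_key_path" {
+type = string
+default = "./keys/stackit-sa.json"
+}
+variable "debian_image_id" {
+type = string
+default = "b7aedfad-3be7-46e0-9ece-19fd50e2d83e"
+}
+variable "vpn_psk" {
+type = string
+description = "Pre-Shared Key for IPsec VPN"
+default = "yoursecurekey123456"
+}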
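Review bot: `vpn_psk` ships with a usable default, `default = "yoursecurekey123456"`, so a plain `terraform apply` brings up both tunnels authenticated with a value that is now in git history and, via the rendered user_data, in the state file as well; a secret variable should carry no `default` and be declared `sensitive = true`, with the value supplied through `TF_VAR_vpn_psk` or a `.tfvars` file that .gitignore also excludes. A low-entropy placeholder like this is unlikely to trip the TruffleHog job in CI, so the scanner is not a safety net for it. The commented-out placeholder above `stackit_project_id`'s default, with the real project id committed beneath it, suggests this file was meant as a template; dropping that default too would make each environment supply its own id instead of silently deploying into this one.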

102
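--- a/02-main.tf
+++ b/02-main.tf
@@ -0,0 +1,102 @@
+resource "random_pet" "pet01" {}
+resource "stackit_key_pair" "admin_keypair" {
+name = "${random_pet.pet01.id}-keypair"
+public_key = chomp(file("~/.ssh/id_rsa.pub"))
+}
+resource "stackit_network" "machine01" {
+project_id = var.stackit_project_id
+ipv4_prefix = "10.1.1.0/24"
+name = "network-machine01"
+ipv4_nameservers = ["9.9.9.9", "1.1.1.1"]
+}
+resource "stackit_network" "machine02" {
+project_id = var.stackit_project_id
+ipv4_prefix = "10.2.2.0/24"
+name = "network-machine02"
+ipv4_nameservers = ["9.9.9.9", "1.1.1.1"]
+}
+resource "stackit_network_interface" "machines" {
+for_each = {
+machine01 = {
+network_id = stackit_network.machine01.network_id
+ipv4 = "10.1.1.10"
+}
+machine02 = {
+network_id = stackit_network.machine02.network_id
+ipv4 = "10.2.2.10"
+}
+}
+project_id = var.stackit_project_id
+network_id = each.value.network_id
+ipv4 = each.value.ipv4
+security = false
+}
+resource "stackit_public_ip" "wan_ips" {
+for_each = stackit_network_interface.machines
+project_id = var.stackit_project_id
+network_interface_id = each.value.network_interface_id
+}
+locals {
+vpn_config = {
+machine01 = {
+local_ip = "10.1.1.10"
+remote_ip = stackit_public_ip.wan_ips["machine02"].ip
+local_subnet = "10.1.1.0/24"
+remote_subnet = "10.2.2.0/24"
+}
+machine02 = {
+local_ip = "10.2.2.10"
+remote_ip = stackit_public_ip.wan_ips["machine01"].ip
+local_subnet = "10.2.2.0/24"
+remote_subnet = "10.1.1.0/24"
+}
+}
+init_config = {
+machine01 = templatefile("${path.module}/cloud-init.yaml", merge(local.vpn_config["machine01"], {
+psk = var.vpn_psk
+}))
+machine02 = templatefile("${path.module}/cloud-init.yaml", merge(local.vpn_config["machine02"], {
+psk = var.vpn_psk
+}))
+}
+}
+resource "stackit_server" "machines" {
+for_each = toset(["machine01", "machine02"])
+project_id = var.stackit_project_id
+name = each.key
+availability_zone = "eu01-1"
+machine_type = "c1.4"
+keypair_name = stackit_key_pair.admin_keypair.name
+user_data = local.init_config[each.key]
+boot_volume = {
+size = 64
+source_type = "image"
+source_id = var.debian_image_id
+performance_class = "storage_premium_perf6"
+delete_on_termination = true
+}
+network_interfaces = [
+stackit_network_interface.machines[each.key].network_interface_id
+]
+}
+output "machine01_public_ip" {
+value = stackit_public_ip.wan_ips["machine01"].ip
+}
+output "machine02_public_ip" {
+value = stackit_public_ip.wan_ips["machine02"].ip
+}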
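Review bot: Every interface in `stackit_network_interface.machines` is created with `security = false` and then given a public address in `stackit_public_ip.wan_ips`, so if that flag disables interface-level security-group filtering as its name suggests, both servers are reachable from the internet on every port rather than only the traffic the tunnel needs (UDP 500, UDP 4500 and ESP). Keeping security enabled and attaching a security group limited to those ports, plus SSH from an admin range, would match the stated purpose of the deployment; a one-line comment on `security = false` explaining why it is off would help if it is deliberate. `public_key = chomp(file("~/.ssh/id_rsa.pub"))` ties the plan to whoever runs it, so a `variable "admin_public_key"` would make applies reproducible across operators and CI. `user_data` embeds the PSK through `local.init_config`, which means the secret also lives in the state file and in the server metadata; that is worth a comment at the `locals` block so readers know the state must be protected.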

34
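--- a/cloud-init.yaml
+++ b/cloud-init.yaml
@@ -0,0 +1,34 @@
+#cloud-config
+package_update: true
+packages:
+- strongswan
+- iptables
+write_files:
+- path: /etc/ipsec.conf
+content: |
+config setup
+charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
+conn net-net
+auto=start
+keyexchange=ikev2
+authby=psk
+left=%any
+leftid=${local_ip}
+leftsubnet=${local_subnet}
+right=${remote_ip}
+rightsubnet=${remote_subnet}
+ike=aes256-sha1-modp1024!
+esp=aes256-sha1!
+dpdaction=restart
+dpddelay=30s
+dpdtimeout=120s
+- path: /etc/ipsec.secrets
+content: |
+${local_ip} ${remote_ip} : PSK "${psk}"
+runcmd:
+- sysctl -w net.ipv4.ip_forward=1
+- systemctl enable --now strongswan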
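Review bot: The `/etc/ipsec.secrets` entry under `write_files` has no `permissions:` key, so cloud-init writes it with its default mode 0644 and the PSK is readable by every local account on the gateway; add `permissions: '0600'` (and `owner: root:root`) to that entry. The proposals `ike=aes256-sha1-modp1024!` and `esp=aes256-sha1!` rely on SHA-1 and a 1024-bit MODP group, both deprecated for IKEv2; `ike=aes256-sha256-modp2048!` and `esp=aes256-sha256!` use the same ipsec.conf syntax and leave the rest of the tunnel definition unchanged. `charondebug` at level 2 for every subsystem is a troubleshooting setting that will fill the journal on a long-running gateway, so either note in a comment that it is intentional or lower it once the tunnel is verified. The `${psk}` placeholder is interpolated by Terraform's templatefile, so any literal `$` added to this file later must be written as `$$`; a comment at the top of the file saying it is a Terraform template would prevent that surprise.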