browningluke / terraform-provider-opnsense
43.0 3.0 9.0 283 KB

OPNsense Terraform Provider

Home Page: https://registry.terraform.io/providers/browningluke/opnsense/latest

License: MIT License

Go 100.00%
opnsense terraform

terraform-provider-opnsense's Introduction

OPNsense Terraform Provider

This provider seeks to support the entire OPNsense API. However, it does not, and will not, support resources that the OPNsense API itself does not expose. If you need those, see whether dalet-oss/opnsense covers your needs.

⚠️ Please note that this provider is under active development and makes no guarantee of stability. For that reason, it is not currently recommended for use in any production environment. If a feature is missing but is documented in the OPNsense API, please raise an issue to indicate interest.

terraform-provider-opnsense's People

Contributors

browningluke


terraform-provider-opnsense's Issues

opnsense_firewall_filter not accepting destination port range as alias

When using the opnsense_firewall_filter resource, I got an error using an alias to group several ports:

Error: Invalid Attribute Value Match
│ 
│   with opnsense_firewall_filter.wifi_allow_whatsapp_tcp,
│   on wifi_firewall_rules.tf line 162, in resource "opnsense_firewall_filter" "wifi_allow_whatsapp_tcp":
│  162: resource "opnsense_firewall_filter" "wifi_allow_whatsapp_tcp" {
│ 
│ Attribute destination.port must be number (80), range (80-443) or well known name (http), got:
│ port_whatsapp_tcp

resource "opnsense_firewall_alias" "port_whatsapp_tcp" {
  enabled     = true
  name        = "port_whatsapp_tcp"
  description = "WhatsApp Videocalls TCP ports"

  type = "port"
  content = ["5222","5223","5228"]

  stats = true
}

resource "opnsense_firewall_filter" "allow_whatsapp_tcp" {
  enabled     = true
  description = "Allow access to WhatsApp Videocalls on the WIFI interface"
  action      = "pass"
  quick       = true
  log         = true
  interface   = ["int2"]

  direction   = "in"
  ip_protocol = "inet"
  protocol    = "TCP"

  source = {
    net    = "int2"
    invert = false
  }

  destination = {
    net  = "any"
    port = "port_whatsapp_tcp"
  }
}

Support for interfaces

I'm interested in being able to get information from my interfaces, such as assigned IP addresses.

It looks like this is only available read-only in the OPNSense API: https://docs.opnsense.org/development/api/core/diagnostics.html (InterfaceController.php)

I think this means that it should only be available by a data source, eg:

data "opnsense_interface" "igc0" {
  name = "igc0"
}

I'm imagining that I could then be able to get access to the data returned by getInterfaceConfig.

Would adding this fit in to your goal with this project? I'd be happy to put in the legwork to implement it if so. I'm kinda new to Terraform, and not super proficient in Go, so might need a little hand holding along the way. I'm also definitely happy to do something different to the API proposed above.

Support for resource imports

Hi again!

Background
My conundrum is I already have an OPNsense instance up and running and I'd like to move a majority of its configuration to be managed by this terraform provider.

I started off by creating aliases in Terraform but quickly realized that aliases, though unique by name, are not identified by the provider by name but by the id attribute. As a result, new aliases with the same name are treated as non-existent, which results in a create action; that fails the terraform apply because an alias with the same name already exists.

Request

  • Would you consider adding support for importing existing resources so that existing setups can be migrated to this provider?
  • If not, do you have any recommendations on the most painless method you know, of achieving the same goal?

Problems with os-firewall

Hello there :)

I have found several errors when dealing with firewall resources (os-firewall installed)

Let me lay them out here:

1. Firewall NAT rules seem to be created but are not shown anywhere:

example of resource:

resource "opnsense_firewall_nat" "test_http_forwarding_rule" {
  interface = "wan"
  protocol  = "TCP"

  source = {
    net = "any"
    invert = false
  }

  destination = {
    net  = "wanip"
    port = 8080
  }

  target = {
    ip = "heimdal"
    port = 80
  }

  description = "[TEST] Forward HTTP traffic to Nginx Gateway"
}

Error 1: The description field should accept up to 255 chars, but it fails with a description this long. It does not fail with "Forward HTTP traffic".

Error 2:

[Screenshot from 2023-09-06 11-56-03]

2. Firewall aliases are created correctly but crash afterwards:

example resource:

resource "opnsense_firewall_alias" "kubernetes_lb_wireguard" {
  name = "test_kubernetes_lb_wireguard"

  type    = "host"
  content = [
    "192.168.2.63"
  ]

  stats       = true
  description = "[TEST] Custom name for Kubernetes' LoadBalancer exposing Wireguard"
}

First apply is fine, and the resource is created fine, but in the second apply:

[Screenshot from 2023-09-06 11-47-42]

Support for the HAProxy plugin

Hi @browningluke,

While adding more automation and infrastructure to my homelab, I came across this very interesting project.

As we all have different use cases/requirements, there is unfortunately no support for the HAProxy plugin yet.

I would like to try adding the code to set up the basic components (servers, backend, frontend).
I will create a fork for now and open a PR when I succeed.

API Reference: https://docs.opnsense.org/development/api/plugins/haproxy.html

Thank you for the great work on this project and also for the opnsense-go API!

Best regards
Robin

opnsense_firewall_filter not accepting destination port range

Problem Statement: When using the opnsense_firewall_filter resource, the documentation advises that a port range can be given using a hyphen, such as 1024-65535; however, it returns an error.

Attempts: I've tried using an alias defining the ports but it also doesn't work, I've tried wrapping "" and [] around it too.

Code:
[image]

Error:
[image]
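The error message in the first of these two issues spells out the three forms destination.port accepts (a number, a range, or a well-known service name); an alias name is not one of them. The following is an added example, not code from the provider, that reimplements that check in Go so the rejection is easy to reproduce locally, and then shows the extension both issues ask for: accepting the name of a port alias declared elsewhere in the configuration. The well-known-name table and the alias set are constructed for the example; the provider's real validation code and service list are not reproduced here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// wellKnown is a small constructed table of service names. It stands in for
// whatever list the provider consults; it is not the provider's own data.
var wellKnown = map[string]int{"http": 80, "https": 443, "ssh": 22, "dns": 53}

// parsePort accepts a single decimal port in 1..65535.
func parsePort(s string) (int, error) {
	n, err := strconv.Atoi(strings.TrimSpace(s))
	if err != nil || n < 1 || n > 65535 {
		return 0, fmt.Errorf("invalid port %q", s)
	}
	return n, nil
}

// ValidatePortSpec mirrors the three forms named in the error message:
// a number ("80"), a range ("80-443") or a well-known name ("http").
// Anything else, including an alias name, is rejected.
func ValidatePortSpec(spec string) error {
	spec = strings.TrimSpace(spec)
	if spec == "" {
		return fmt.Errorf("empty port specification")
	}
	if _, ok := wellKnown[strings.ToLower(spec)]; ok {
		return nil
	}
	if lo, hi, found := strings.Cut(spec, "-"); found {
		a, err := parsePort(lo)
		if err != nil {
			return err
		}
		b, err := parsePort(hi)
		if err != nil {
			return err
		}
		if a > b {
			return fmt.Errorf("range %q is inverted", spec)
		}
		return nil
	}
	_, err := parsePort(spec)
	return err
}

// ValidatePortSpecOrAlias is the assumed extension the issues request: a name
// present in the set of declared port aliases is accepted, everything else
// falls through to the strict check above. This is not current provider behaviour.
func ValidatePortSpecOrAlias(spec string, aliases map[string]bool) error {
	if aliases[strings.TrimSpace(spec)] {
		return nil
	}
	return ValidatePortSpec(spec)
}

func main() {
	// Constructed alias set, named after the alias from the first issue.
	aliases := map[string]bool{"port_whatsapp_tcp": true}
	for _, s := range []string{"80", "80-443", "http", "port_whatsapp_tcp", "1024-65535", "443-80", "70000"} {
		fmt.Printf("%-20s strict=%v  with-alias=%v\n", s, ValidatePortSpec(s), ValidatePortSpecOrAlias(s, aliases))
	}
}
```

Note that 1024-65535 passes the strict check here because it matches the documented range form; if the real provider still rejects it, the fault is in its own parser rather than in the input, which is the second issue's point.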

Wireguard reconfigure call always fails with no status

Background

I've been struggling with the following error lately when attempting to create wireguard servers and clients.

Unable to create wg server, got error: reconfigure failed. status:

Observations

  • The interesting part is that the wg server is actually created, but the module is unable to determine the success of the add operation.
  • Import of the newly created resource works as expected

Debugging

Tracing the code: https://github.com/browningluke/opnsense-go/blob/main/pkg/api/client.go#L139

        // Validate service restarted correctly
        status := cases.Lower(language.English).String(
            strings.TrimSpace(respJson.Status),
        )

It appears that we are expecting a status field.

Looking at trace logs in terraform, I get the following:

2024-01-31T03:12:21.225+0800 [DEBUG] provider.terraform-provider-opnsense_v0.10.0: HTTP/1.1 200 OK
2024-01-31T03:12:21.225+0800 [DEBUG] provider.terraform-provider-opnsense_v0.10.0: Content-Length: 15
2024-01-31T03:12:21.225+0800 [DEBUG] provider.terraform-provider-opnsense_v0.10.0: Content-Type: application/json; charset=UTF-8
2024-01-31T03:12:21.225+0800 [DEBUG] provider.terraform-provider-opnsense_v0.10.0: Date: Tue, 30 Jan 2024 19:12:20 GMT
2024-01-31T03:12:21.226+0800 [DEBUG] provider.terraform-provider-opnsense_v0.10.0: Server: OPNsense
2024-01-31T03:12:21.226+0800 [DEBUG] provider.terraform-provider-opnsense_v0.10.0: 
2024-01-31T03:12:21.226+0800 [DEBUG] provider.terraform-provider-opnsense_v0.10.0: {"result":"ok"}

It appears that OPNsense is returning a result field.

Root cause

OPNsense is returning result instead of status which is what is expected by the module, and as a result, the terraform module falsely returns a failure, but the resource is actually created.

I have yet to determine which OPNsense version contained this change, but for more clarity, I'm on 23.7.12_5.
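The root cause above is a field-name mismatch: the client reads status, the firewall answers with result. The following is an added example (not code from opnsense-go or the provider) of a response check that tolerates both shapes, fails closed on anything else, and can be exercised offline against the constructed bodies in main; the second body is the exact 15-byte payload from the trace log. It uses strings.ToLower instead of the golang.org/x/text cases package the real client uses, so it needs nothing outside the standard library.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// reconfigureResponse carries both field names seen in the issue: "status",
// which the client expects, and "result", which OPNsense 23.7.12_5 sends.
type reconfigureResponse struct {
	Status string `json:"status"`
	Result string `json:"result"`
}

// CheckReconfigure returns nil only when the reconfigure call reported "ok"
// in either field. An empty body, an unknown value, or unparseable JSON is
// an error, so a future API change is surfaced instead of being read as success.
func CheckReconfigure(body []byte) error {
	var r reconfigureResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return fmt.Errorf("reconfigure: unparseable response %q: %w", body, err)
	}
	raw := r.Status
	if raw == "" {
		raw = r.Result
	}
	if strings.ToLower(strings.TrimSpace(raw)) == "ok" {
		return nil
	}
	return fmt.Errorf("reconfigure failed. status: %q", raw)
}

func main() {
	// Constructed sample bodies; {"result":"ok"} is the 15-byte body from the trace log.
	samples := []string{
		`{"status":"ok"}`,
		`{"result":"ok"}`,
		`{"result":"failed"}`,
		`{}`,
		`not json`,
	}
	for _, body := range samples {
		fmt.Printf("%-22s -> %v\n", body, CheckReconfigure([]byte(body)))
	}
}
```

With the original check, the fourth case (an empty body) and the second case (result only) look identical: both yield an empty status string and the misleading "reconfigure failed. status:" message with nothing after the colon, which is exactly what the issue reports.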

VLAN import status code non-200; status code 400

Hello, I found #40 and I thought that importing resources works on the latest (v0.10.1) version of the provider.
I'm trying to import a VLAN (because I created the initial setup manually) using

import {
    to = opnsense_interfaces_vlan.dmz
    id = "9f54422a-f308-4260-9434-bddff9375eed"
}

resource "opnsense_interfaces_vlan" "dmz" {
  description = "DMZ"
  tag = 10
  priority = 0
  parent = "igc2"
  device = "vlan01"
}

and when I run terraform plan, I see the following error:

terraform plan
opnsense_interfaces_vlan.dmz: Preparing import... [id=9f54422a-f308-4260-9434-bddff9375eed]
opnsense_interfaces_vlan.dmz: Refreshing state... [id=9f54422a-f308-4260-9434-bddff9375eed]

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Client Error
│
│ Unable to read vlan, got error: status code non-200; status code 400

I tried to use data

data "opnsense_interfaces_vlan" "dmz" {
    id = "9f54422a-f308-4260-9434-bddff9375eed"
}

and see a similar problem

terraform plan
data.opnsense_interfaces_vlan.dmz: Reading...

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Client Error
│
│   with data.opnsense_interfaces_vlan.dmz,
│   on vlans.tf line 15, in data "opnsense_interfaces_vlan" "dmz":
│   15: data "opnsense_interfaces_vlan" "dmz" {
│
│ Unable to read vlan, got error: status code non-200; status code 400

Support for configuring provider via environment variables

Hi there, first of all, I'd like to say, this is really cool stuff. I have always been looking forward to define my home infrastructure declaratively. Since I'm used to the world of GitOps and IaC, the mutable state of OPNsense really keeps me up at night at times. With this provider, I may finally sleep peacefully without fear of waking up to an SSD failure on my firewall and no way to understand the context of certain configurations made, a million changes later.

I was just starting to use this provider in my CI pipeline which performs the terraform actions, and I was looking to provide credentials via environment variables.

I saw that it was documented that the env vars can be used:

  • api_key (String) The API key for a user. Alternatively, can be configured using the OPNSENSE_API_KEY environment variable.
  • api_secret (String) The API secret for a user. Alternatively, can be configured using the OPNSENSE_API_SECRET environment variable.
  • uri (String) The URI to an OPNsense host. Alternatively, can be configured using the OPNSENSE_URI environment variable.

However:

  1. The provider running in the CI container was not able to detect the environment variables even though they were confirmed to be present.
  2. I tested on local with the environment variables set and the provider did not pick them up.
  3. I checked the code and found no mentions of logic reading the respective environment variables.

Questions:

  1. Is configuring the provider via environment variables truly supported as documented? Did I miss that somewhere?
  2. If it isn't, can I request for the support to be implemented?
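The documented behaviour above is the usual one for Terraform providers: an attribute set in the provider block wins, an empty attribute falls back to its environment variable, and a value that is still empty is an error rather than a blank credential sent to the API. The following is an added example, not the provider's code, of that resolution in plain Go. The getenv lookup is injected so it can be driven from a constructed map, the URI is checked to be an absolute http(s) URL, and Redacted shows the one form of the config that is safe to write to CI logs. The environment variable names are the three the docs list; the struct and function names are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// ProviderConfig mirrors the three documented provider attributes.
type ProviderConfig struct {
	URI       string
	APIKey    string
	APISecret string
}

// envNames maps each attribute to the environment variable named in the docs.
var envNames = map[string]string{
	"uri":        "OPNSENSE_URI",
	"api_key":    "OPNSENSE_API_KEY",
	"api_secret": "OPNSENSE_API_SECRET",
}

// ResolveConfig applies the precedence explicit attribute > environment
// variable, then refuses to proceed if anything is still missing. getenv is
// injected (os.Getenv in real use) so the test can supply a constructed map.
func ResolveConfig(explicit ProviderConfig, getenv func(string) string) (ProviderConfig, error) {
	pick := func(attr, val string) string {
		if strings.TrimSpace(val) != "" {
			return val
		}
		return strings.TrimSpace(getenv(envNames[attr]))
	}
	cfg := ProviderConfig{
		URI:       pick("uri", explicit.URI),
		APIKey:    pick("api_key", explicit.APIKey),
		APISecret: pick("api_secret", explicit.APISecret),
	}

	// Collect every missing attribute so the user fixes them in one pass.
	var missing []string
	for attr, val := range map[string]string{"uri": cfg.URI, "api_key": cfg.APIKey, "api_secret": cfg.APISecret} {
		if val == "" {
			missing = append(missing, fmt.Sprintf("%s (or %s)", attr, envNames[attr]))
		}
	}
	if len(missing) > 0 {
		sort.Strings(missing) // map order is random; keep the message stable
		return ProviderConfig{}, errors.New("provider not configured: missing " + strings.Join(missing, ", "))
	}

	// A bare hostname would be sent to a relative path by most HTTP clients;
	// insist on an absolute http(s) URL.
	u, err := url.Parse(cfg.URI)
	if err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" {
		return ProviderConfig{}, fmt.Errorf("uri %q must be an absolute http(s) URL", cfg.URI)
	}
	return cfg, nil
}

// Redacted is the only form of the config that should reach logs.
func (c ProviderConfig) Redacted() string {
	return fmt.Sprintf("uri=%s api_key=[%d chars] api_secret=[redacted]", c.URI, len(c.APIKey))
}

func main() {
	// Constructed environment, as a CI runner might export it.
	env := map[string]string{
		"OPNSENSE_URI":        "https://192.168.1.1",
		"OPNSENSE_API_KEY":    "example-key",
		"OPNSENSE_API_SECRET": "example-secret",
	}
	getenv := func(k string) string { return env[k] }

	if cfg, err := ResolveConfig(ProviderConfig{}, getenv); err == nil {
		fmt.Println("from env:    ", cfg.Redacted())
	}
	if cfg, err := ResolveConfig(ProviderConfig{URI: "https://fw.example"}, getenv); err == nil {
		fmt.Println("explicit uri:", cfg.Redacted())
	}
	if _, err := ResolveConfig(ProviderConfig{}, func(string) string { return "" }); err != nil {
		fmt.Println("nothing set: ", err)
	}
}
```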

Interested on Wireguard API

Hello there :)

As you probably know, most users of this provider are homelabbers that have an infra too-pro-to-be-at-home. Honestly, one of the best features in this regard is having a VPN right in the firewall, but right now everything is manually configured.

I would love to have some support for this API

WDYT?

Unable to read host override, got error: unable to find resource. it may have been deleted upstream

One of my host overrides was deleted manually. I get the following error when I attempt to run terraform apply:

╷
│ Error: Client Error
│ 
│   with opnsense_unbound_host_override.AAAA_record,
│   on main.tf line 2, in resource "opnsense_unbound_host_override" "AAAA_record":
│    2: resource "opnsense_unbound_host_override" "AAAA_record" {
│ 
│ Unable to read host override, got error: unable to find resource. it may have been deleted upstream
╵

I would expect the record to be recreated as defined in the state.

snippet from my main.tf:

resource "opnsense_unbound_host_override" "AAAA_record" {
  enabled = true
  type = "AAAA"
  hostname = "k8s-master"
  domain = "REDACTED"
  server = "REDACTED"
}

snippet from my provider.tf:

provider "opnsense" {
  uri = "https://192.168.1.1"
  allow_insecure = true
  api_key = "REDACTED"
  api_secret = "REDACTED"
}

In order to resolve the issue I had to target the specific resource for removal with the terraform state rm command and then run terraform apply again.

Implement DHCP settings and static mappings

Hello there :)

These days I'm reconfiguring my kubernetes cluster, migrating to Talos, and honestly, one of the most difficult things is always networking. Everything is easier using DHCP and assigning the IPs based on MAC addresses. This is something I would love to automate, and this is why I am kindly requesting support in the provider for these actions.
