ndejong / terraform-aws-opnsense-image

Terraform module to create an AWS AMI snapshot-image that can subsequently be used to start an OPNsense instance within AWS.

Home Page: https://registry.terraform.io/modules/verbnetworks/opnsense-image/aws

License: Apache License 2.0

Languages: Shell 58.66%, HCL 41.34%
Topics: terraform, terraform-modules, aws, opnsense

terraform-aws-opnsense-image's Introduction

Image Create :: OPNsense on AWS

Terraform module to create an AWS AMI snapshot-image that can subsequently be used to start an OPNsense instance within AWS.

This module provides a boot-time syshook for OPNsense that collects input parameters from the AWS meta-data service at http://169.254.169.254 and applies them as required to the OPNsense config.xml file at boot. Config attributes managed this way include:

  • root user sshkey
  • Public and Private network interface cards
  • IPv4 address, subnet, gateway, dns
  • IPv6 address, subnet, gateway

This allows the resulting OPNsense AMI to be used in regular Terraform devops automation situations. Additionally, users of the resulting OPNsense instance can inject user-data scripts at initial instance boot; however, the system does not include cloud-init, so user-data scripts need to be self-contained /bin/sh scripts.
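To make the boot-time hook concrete, the following is an added example (not the module's own syshook) of how a /bin/sh hook can turn AWS metadata into the WAN values that config.xml needs. It assumes curl is present on the image, uses the real IMDS paths for the instance MAC, local IPv4 and subnet/VPC CIDR blocks, and derives the gateway and DNS resolver from the CIDRs as AWS reserves them; the config.xml element names in render_wan are an assumption for illustration, and the values at the bottom are constructed so the script runs offline.

```sh
#!/bin/sh
# Added example (not the module's own syshook): derive the WAN settings an
# OPNsense boot hook needs from AWS instance metadata. The fetch is isolated
# in imds_get() (assumes curl is present); the derivation is pure shell so
# it runs offline against the constructed values at the bottom.
set -u

IMDS=http://169.254.169.254

# Fetch one metadata path with an IMDSv2 session token. Using the token lets
# the operator require IMDSv2 on the instance without breaking the hook.
imds_get() {
    tok=$(curl -sS --connect-timeout 2 -X PUT \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60" \
        "$IMDS/latest/api/token") || return 1
    curl -sS --connect-timeout 2 -H "X-aws-ec2-metadata-token: $tok" \
        "$IMDS/latest/meta-data/$1"
}

# Dotted-quad <-> integer using POSIX arithmetic only.
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
# Network base of "a.b.c.d/n" as an integer.
cidr_base() {
    mask=$(( (4294967295 << (32 - ${1#*/})) & 4294967295 ))
    echo $(( $(ip4_to_int "${1%/*}") & mask ))
}
prefix_len() { echo "${1#*/}"; }

# AWS reserves the first usable address of every subnet for the VPC router
# and VPC base + 2 for the VPC-provided DNS resolver; IMDS only reports the
# CIDR blocks, so the hook has to derive gateway and dns from them.
vpc_gateway() { int_to_ip4 $(( $(cidr_base "$1") + 1 )); }
vpc_dns()     { int_to_ip4 $(( $(cidr_base "$1") + 2 )); }

# Illustrative WAN fragment; element names follow the general shape of
# config.xml but are an assumption here, not taken from the module.
render_wan() {
    # $1 interface  $2 address  $3 subnet CIDR  $4 VPC CIDR
    cat <<EOF
<wan>
  <if>$1</if>
  <ipaddr>$2</ipaddr>
  <subnet>$(prefix_len "$3")</subnet>
  <gateway>$(vpc_gateway "$3")</gateway>
  <dns>$(vpc_dns "$4")</dns>
</wan>
EOF
}

# On a real instance the hook would gather its inputs like this:
#   imds_get public-keys/0/openssh-key          # root user sshkey
#   mac=$(imds_get mac)
#   render_wan xn0 "$(imds_get local-ipv4)" \
#       "$(imds_get network/interfaces/macs/$mac/subnet-ipv4-cidr-block)" \
#       "$(imds_get network/interfaces/macs/$mac/vpc-ipv4-cidr-block)"
# Constructed values so the script runs offline:
render_wan xn0 10.1.0.20 10.1.0.0/24 10.1.0.0/16
```

Because the addressing is derived from metadata at every boot rather than baked into the image, an instance launched into a different subnet should come up with that subnet's gateway and resolver; a hook that hard-coded the build-time range would fail exactly the way a move between subnets does.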

Usage

This module is mildly unusual in that the final result is not a running EC2 instance. When the module behaves correctly it produces an AWS AMI, while the EC2 instance used in the process of creating the image powers off.

The example below shows a typical setup. Note that the root_passwd variable is optional and by default uses the same default password that OPNsense uses, "opnsense". Be smart and change this, because your OPNsense instance will be publicly accessible to begin with unless you take other measures to prevent inbound access to TCP22 (SSH) and TCP443 (HTTPS).

variable "aws_access_key_id" {}       # set via environment value `TF_VAR_aws_access_key_id`
variable "aws_secret_access_key" {}   # set via environment value `TF_VAR_aws_secret_access_key`

module "opnsense-image" {
  source  = "verbnetworks/opnsense-image/aws"

  opnsense_release = "18.7"
  root_passwd = "honeyPot..."

  aws_region = "ap-southeast-1"
  aws_access_key_id = "${var.aws_access_key_id}"
  aws_secret_access_key = "${var.aws_secret_access_key}"

  do_opnsense_install = 1
  do_cleanup_shutdown = 1
  do_image = 1
  do_self_destruct = 1
}

output "provider" { value = "${module.opnsense-image.provider}"}
output "region" { value = "${module.opnsense-image.region}"}
output "build_id" { value = "${module.opnsense-image.build_id}"}
output "image_name" { value = "${module.opnsense-image.image_name}"}
output "image_action_outfile" { value = "${module.opnsense-image.image_action_outfile}"}

After the build process completes you should observe the following among the final Terraform log lines, indicating that the build process is complete and the image is being created on the Digital Ocean backend.

action-status (local-exec): !!!!
action-status (local-exec): !!!! build_id: YDYAKA
action-status (local-exec): !!!! image_name: OPNsense 18.1 - 20180717Z102528
action-status (local-exec): !!!! image_action_outfile: /tmp/opnsense-YDYAKA-image-action.json
action-status (local-exec): !!!!
action-status (local-exec): !!!! Remember to terraform destroy resources once image action is complete
action-status (local-exec): !!!!

Once complete, run terraform destroy to remove the resources that have been allocated in the local tfstate. They can all safely be destroyed; the new AMI will not be removed by this destroy action, because the image is created by a local-exec call via awscli rather than as a Terraform resource.

Use your new AMI

You are now able to start a new AWS EC2 instance using the AMI that has been created for you. Your new AMI will be listed under the "My AMIs" section when you choose an Amazon Machine Image to start within the AWS console UI.

Warning!

The default rules used in this arrangement differ from the default OPNsense rules in that they allow access to the OPNsense control interfaces via TCP22 (SSH) and TCP443 (HTTPS) to facilitate your initial connection(s) to the system for setup etc.

Leaving the system in this arrangement is NOT recommended and you should take steps to restrict the source addresses that can connect to your OPNsense control interfaces.
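One AWS-side measure of the kind the warning asks for, as an added example that is not part of the module: confine the TCP22 and TCP443 exposure to a single administrative IPv4 range in the instance's security group. The script prints the awscli commands by default and only runs them when AWS_RUN=aws is set; the security group id and the admin address at the bottom are placeholders. This restricts reachability in front of the instance; the OPNsense rules the warning describes still exist inside the image and should be tightened there as well.

```sh
#!/bin/sh
# Added example, not part of the module: confine the TCP22/TCP443 exposure
# that the image ships with to one administrative IPv4 range at the AWS
# security group level. Commands are printed by default (AWS_RUN=echo);
# set AWS_RUN=aws to apply them with a configured awscli. The group id and
# admin address used at the bottom are placeholders.
set -u
AWS_RUN=${AWS_RUN:-echo}

# Accept only a specific IPv4 range: dotted quad, /24 or narrower, and never
# the any-address range that would recreate the open default.
admin_cidr_ok() {
    case $1 in
        0.0.0.0/*|*/[0-9]|*/1[0-9]|*/2[0-3]) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/2[4-9]) return 0 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/3[0-2]) return 0 ;;
    esac
    return 1
}

# Drop the world-open IPv4 rule for each control port, then allow the admin
# range only. Refuses to run at all when the admin CIDR is not specific.
lockdown_admin_access() {
    sg=$1; admin=$2; region=$3
    if ! admin_cidr_ok "$admin"; then
        echo "refusing admin cidr '$admin': must be a specific IPv4 range" >&2
        return 1
    fi
    for port in 22 443; do
        $AWS_RUN --region "$region" ec2 revoke-security-group-ingress \
            --group-id "$sg" --protocol tcp --port "$port" --cidr 0.0.0.0/0
        $AWS_RUN --region "$region" ec2 authorize-security-group-ingress \
            --group-id "$sg" --protocol tcp --port "$port" --cidr "$admin"
    done
}

# Placeholders; replace with your security group and your own address.
lockdown_admin_access sg-PLACEHOLDER 203.0.113.10/32 ap-southeast-1
```

When applied for real, the revoke step returns an error if the group has no 0.0.0.0/0 rule on that port; that is expected on a group you already tightened and the authorize step is the one that matters. Only IPv4 rules are handled here, so an IPv6 rule on the group needs the same treatment separately.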

Notes and Observations

  • The image "build" process leverages the OPNsense-provided opnsense-bootstrap.sh tool to "convert" a FreeBSD Droplet into an OPNsense one; check it out here - https://github.com/opnsense/update
  • It is recommended that the user does not choose an instance size that is too small, otherwise the build will take a very long time; generally a t2.medium is appropriate for the build and will take approximately 7 to 8 minutes.
  • You will see a lot of Terraform log output as the build process continues. Keep in mind that builds can fail for many surprising reasons (external packages may not download, and kernel panics have been observed), so it is worth keeping an eye on the Terraform logging output to make sure nothing obvious is going wrong.
  • Remember to issue the terraform destroy at the end, otherwise you may become confused about what state you are in the next time you come to roll another Droplet-based OPNsense image.

What about Packer?

Packer, also produced by HashiCorp, is an awesome tool, but it requires learning yet another tool-chain. Since the resulting Digital Ocean images are targeted at DevOps people who use Terraform, it just felt more natural to do the whole build process in Terraform.

Builds Confirmed

  • (v0.3.0) amazon-ami: FreeBSD 11.2-STABLE-amd64-2018-07-09 (ami-36a0dedc) > OPNsense 18.1.12 (@ 2018-07-17T09:09:00Z)
  • (v0.3.1) amazon-ami: FreeBSD 11.2-STABLE-amd64-2018-08-02 (ami-285012c2) > OPNsense 18.7.0 (@ 2018-08-05T15:12:13Z)

Compute Providers Supported


Input Variables - Required

opnsense_release

The OPNsense release to target for this image build

digitalocean_region

The DigitalOcean region-slug to start this digitalocean-droplet within (nyc1, sgp1, lon1, nyc3, ams3, fra1, tor1, sfo2, blr1)

digitalocean_token

Your DigitalOcean API token used to issue cURL API calls directly to DigitalOcean to create the required image

Input Variables - Optional

root_passwd

The initial root password for OPNsense once the image is built.

  • default = "opnsense"

hostname

The hostname applied to this digitalocean-droplet within the image build process only.

  • default = "opnsense-image"

digitalocean_image

The DigitalOcean image to use as the base for this digitalocean-droplet.

  • default = "freebsd-11-1-x64"

digitalocean_size

The size to use for this digitalocean-droplet.

  • default = "s-1vcpu-1gb"

digitalocean_ipv6

Enable/disable getting a public IPv6 on this digitalocean-droplet.

  • default = true

digitalocean_private_networking

Enable/disable private-networking functionality on this digitalocean-droplet.

  • default = true

do_opnsense_install

Cause OPNsense to be installed once the instance is reachable.

  • default = 1

do_cleanup_shutdown

Cause the system to perform cleanup operations and then shutdown.

  • default = 1

do_image

Cause a Digital Ocean Droplet image to be taken of the Droplet while powered off.

  • default = 1

do_self_destruct

Cause the Droplet that was used to create the snapshot image to delete itself once the image is done.

  • default = 1

Outputs

provider

The compute provider name.

region

The compute provider region identifier.

build_id

The build identifier used to generate this image.

image_name

The image name given to this volume.

image_action_outfile

The output file from the image action call to the compute provider.


Authors

Module managed by Verb Networks.

License

Apache 2 Licensed. See LICENSE file for full details.

terraform-aws-opnsense-image's People

Contributors

ndejong

terraform-aws-opnsense-image's Issues

module.opnsense-image.null_ jq tool not installed on this system

Guys, could you help me?
I'm getting the error below.

I am running local through my notebook (LINUX-MINT) with terraform and awscli installed.

Can you guide me to create the MAI?

Thank you, did not put the credentials here on github for security, okay?
My code
"
module "opnsense-image" {
source = "verbnetworks/opnsense-image/aws"
version = "0.3.2"

opnsense_release = "18.7"
root_passwd = "XXXXXXXXXXXXXXX"

aws_region = "XXXXXX"

do_opnsense_install = 1
do_cleanup_shutdown = 1
do_image = 1
do_self_destruct = 1
}

output "provider" { value = "${module.opnsense-image.provider}"}
output "region" { value = "${module.opnsense-image.region}"}
output "build_id" { value = "${module.opnsense-image.build_id}"}
output "image_name" { value = "${module.opnsense-image.image_name}"}
output "image_action_outfile" { value = "${module.opnsense-image.image_action_outfile}"}
"

Tagging AMI fails

Nice tool.

One small error at the end

Error: Error applying plan:

1 error(s) occurred:

* null_resource.instance-snapshot-tag: Error running command '      export AWS_ACCESS_KEY_ID=************
      export AWS_SECRET_ACCESS_KEY=***********************
      aws --region=eu-west-1 ec2 create-tags \
          --resources  \
          --tags Key=Name,Value="OPNsense 18.7 - 20180810Z182949"
    ': exit status 255. Output:
An error occurred (MissingParameter) when calling the CreateTags operation: The request must contain the parameter resourceIdSet

Seems the resources variable does not get set in my environment properly. Fixed by just commenting out. that section and rerunning. AMI works, thanks.
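The failure above, and the local-exec image action described in the README, both come down to reading the image id back from the awscli outfile before tagging. The following is an added example (not the module's code) of a guarded version of that step: it assumes the outfile holds the JSON that aws ec2 create-image prints, extracts the ImageId with sed alone so that a missing jq (another report against this module) cannot break it, and refuses to call create-tags with an empty --resources. The outfile at the bottom is constructed and the AMI id in it is a placeholder; commands are printed unless AWS_RUN=aws is set.

```sh
#!/bin/sh
# Added example, not the module's code: read the image id back from the
# create-image outfile and only tag when it is actually present, which is
# the MissingParameter failure reported above. Assumes the outfile holds
# the JSON that `aws ec2 create-image` prints.
set -u
AWS_RUN=${AWS_RUN:-echo}   # dry run by default; AWS_RUN=aws to apply

# Pull "ImageId" out of the JSON with sed only; jq is not always installed.
image_id_from_outfile() {
    sed -n 's/.*"ImageId"[[:space:]]*:[[:space:]]*"\(ami-[0-9a-f]*\)".*/\1/p' "$1" | head -n 1
}

# Tag the AMI, refusing to build an empty --resources argument.
tag_image() {
    outfile=$1; region=$2; name=$3
    image_id=$(image_id_from_outfile "$outfile")
    if [ -z "$image_id" ]; then
        echo "no ImageId in $outfile; the image action may have failed" >&2
        return 1
    fi
    $AWS_RUN --region "$region" ec2 create-tags \
        --resources "$image_id" \
        --tags "Key=Name,Value=$name"
}

# Constructed outfile for offline use; the id is a placeholder.
tmp=$(mktemp)
printf '{\n    "ImageId": "ami-0123456789abcdef0"\n}\n' > "$tmp"
tag_image "$tmp" ap-southeast-1 "OPNsense 18.7 - 20180717Z102528"
rm -f "$tmp"
```

Checking the outfile this way also gives a clean place to fail the build: if create-image itself errored, the outfile carries no ImageId, the tag step exits non-zero, and the later terraform destroy is not left believing an image exists.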

Can't access instance in AWS us-east-1 (virginia)

Hello,

I followed the documentation and I was able to create a new image and started a new instance in the us-east-1 (virginia) region. Yet, I can neither SSH nor access the web UI after the instance starts. I tried using both FreeBSD 11.1 and 11.2 and I get the same result.

I also tried using the two AMIs reported in the documentation in the Singapore region, and I'm getting similar results. The difference is that I can establish an ssh connection, but when I use the opnsense password, it fails. Also, the web UI is not available.

Any help would be appreciated.

Thanks

Cannot connect on starting new instance

The AMI was built on a private range 192.168.42.0/24.

When an instance is started using this range, the instance is connectable on port 22.

When the instance is moved to another subnet, CIDR 10.1.0.20 was attempted, the instance cannot be connected to.

Is the range hard-coded into the instance's ip config?

Appreciate your help on this.

Not complete instance

Guys, I was able to generate the AMI as per the documentation.
And right after I created an instance with this new image.

But I can not connect, I have already released all the firewall in the security group.

Any idea what it could be?

Not working for newer versions.

Hi,

First of all thank you for the effort.

I'm trying to update and support building the newest version of OPNsense; I will wait for the release of 21, based on FreeBSD 12.2, to finish this PR.

Right now I got it working to build an image with dhcp on the primary interface and with limited support for Enhanced Networking (ena) interfaces.

Will try to support all kind later.

Image Builder instance stuck in panic/reboot loop

I'm attempting to use this module (thanks for writing it!)…

I've created a main.tf containing:

variable "aws_access_key_id" {}       # set via environment value `TF_VAR_aws_access_key_id`
variable "aws_secret_access_key" {}   # set via environment value `TF_VAR_aws_secret_access_key`

module "opnsense-image" {
  source  = "verbnetworks/opnsense-image/aws"
  version = "0.3.2"

  opnsense_release = "18.7"
  root_passwd = "<REDACTED>"

  aws_region = "us-east-1"
  aws_access_key_id = "${var.aws_access_key_id}"
  aws_secret_access_key = "${var.aws_secret_access_key}"

  do_opnsense_install = 1
  do_cleanup_shutdown = 1
  do_image = 1
  do_self_destruct = 1
}

Followed by a terraform init, terraform plan, and terraform apply. Then, during the apply, it eventually timed out after waiting 5m30s for the created opnsense-cloud-image-builder instance to become ssh-able. Viewing the instance's "system log" in the AWS console showed this repeated:

cpu_reset: Restarting BSP
cpu_reset_proxy: Stopped CPU 1
Copyright (c) 1992-2018 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 11.2-STABLE #0 r340237: Wed Nov  7 23:01:31 UTC 2018
    [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
FreeBSD clang version 6.0.1 (tags/RELEASE_601/final 335540) (based on LLVM 6.0.1)
VT(vga): text 80x25
XEN: Hypervisor version 4.2 detected.
CPU: Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz (2300.04-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x406f1  Family=0x6  Model=0x4f  Stepping=1
  Features=0x1783fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0xfffa3203<SSE3,PCLMULQDQ,SSSE3,FMA,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND,HV>
  AMD Features=0x28100800<SYSCALL,NX,RDTSCP,LM>
  AMD Features2=0x21<LAHF,ABM>
  Structured Extended Features=0x7a9<FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID>
  XSAVE Features=0x1<XSAVEOPT>
Hypervisor: Origin = "XenVMMXenVMM"
real memory  = 4294967296 (4096 MB)
avail memory = 4108935168 (3918 MB)
Event timer "LAPIC" quality 100
ACPI APIC Table: <Xen HVM>
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
FreeBSD/SMP: 1 package(s) x 2 core(s)
ioapic0: Changing APIC ID to 1
MADT: Forcing active-low polarity and level trigger for SCI
ioapic0 <Version 1.1> irqs 0-47 on motherboard
MADT: Forcing active-low polarity and level trigger for SCI
SMP: AP CPU #1 Launched!
random: entropy device external interface
kbd1 at kbdmux0
netmap: loaded module
module_register_init: MOD_LOAD (vesa, 0xffffffff80ffb780, 0) error 19
random: registering fast source Intel Secure Key RNG
random: fast provider: "Intel Secure Key RNG"
nexus0
vtvga0: <VT VGA driver> on motherboard
cryptosoft0: <software crypto> on motherboard
acpi0: <Xen> on motherboard
acpi0: Power Button (fixed)
acpi0: Sleep Button (fixed)
cpu0: <ACPI CPU> on acpi0
cpu1: <ACPI CPU> on acpi0
hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 62500000 Hz quality 950
attimer0: <AT timer> port 0x40-0x43 irq 0 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
atrtc0: <AT realtime clock> port 0x70-0x71 irq 8 on acpi0
atrtc0: registered as a time-of-day clock, resolution 1.000000s
panic: unable to configure IRQ#8

cpuid = 1
KDB: stack backtrace:
#0 0xffffffff80b423d7 at kdb_backtrace+0x67
#1 0xffffffff80afb677 at vpanic+0x177
#2 0xffffffff80afb4f3 at panic+0x43
#3 0xffffffff810fe432 at xen_intr_pirq_config_intr+0x102
#4 0xffffffff803c4615 at acpi_alloc_resource+0x1e5
#5 0xffffffff80b3751e at bus_alloc_resource+0x9e
#6 0xffffffff810e482d at atrtc_attach+0x1fd
#7 0xffffffff80b34a48 at device_attach+0x3b8
#8 0xffffffff80b35ced at bus_generic_attach+0x3d
#9 0xffffffff803c3cf9 at acpi_attach+0xe39
#10 0xffffffff80b34a48 at device_attach+0x3b8
#11 0xffffffff80b35ced at bus_generic_attach+0x3d
#12 0xffffffff80b34a48 at device_attach+0x3b8
#13 0xffffffff80b36359 at bus_generic_new_pass+0xe9
#14 0xffffffff80b38017 at root_bus_configure+0x77
#15 0xffffffff810e8169 at configure+0x9
#16 0xffffffff80a96ac8 at mi_startup+0x118
#17 0xffffffff8031102c at btext+0x2c
Uptime: 1s
Rebooting...
cpu_reset: Restarting BSP
cpu_reset_proxy: Stopped CPU 1
