From 836a57cd76ab798a5cee1b2f76b84147326f0aa9 Mon Sep 17 00:00:00 2001
From: bob
Date: Fri, 10 Apr 2026 23:35:27 -0500
Subject: [PATCH] Implement bridges and fillout readme with current state
---
 environments/nonprod/providers.tf | 7 +++++++
 environments/nonprod/terraform.tf | 10 +++++++++
 modules/networking/README.md | 35 +++++++++++++++++++++++++++++++
 modules/networking/main.tf | 29 +++++++++++++++++++++++++
 modules/networking/terraform.tf | 7 +++++++
 modules/networking/variables.tf | 4 ++++
 6 files changed, 92 insertions(+)
 create mode 100644 environments/nonprod/providers.tf
 create mode 100644 environments/nonprod/terraform.tf
 create mode 100644 modules/networking/README.md
 create mode 100644 modules/networking/main.tf
 create mode 100644 modules/networking/terraform.tf
 create mode 100644 modules/networking/variables.tf
diff --git a/environments/nonprod/providers.tf b/environments/nonprod/providers.tf
new file mode 100644
index 0000000..a2f29ae
--- /dev/null
+++ b/environments/nonprod/providers.tf
@@ -0,0 +1,7 @@
+provider "proxmox" {
+ endpoint = var.proxmox_endpoint
+ api_token = var.proxmox_api_token
+
+ # Set to true if using a self-signed certificate (common on home labs)
+ insecure = var.proxmox_insecure
+}
diff --git a/environments/nonprod/terraform.tf b/environments/nonprod/terraform.tf
new file mode 100644
index 0000000..544af2b
--- /dev/null
+++ b/environments/nonprod/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ proxmox = {
+ source = "bpg/proxmox"
+ version = "~> 0.73"
+ }
+ }
+}
diff --git a/modules/networking/README.md b/modules/networking/README.md
new file mode 100644
index 0000000..ca166a4
--- /dev/null
+++ b/modules/networking/README.md
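Review bot: The provider block reads `var.proxmox_endpoint`, `var.proxmox_api_token` and `var.proxmox_insecure`, but this commit adds no `environments/nonprod/variables.tf`, so unless those variables are declared in a file outside this diff the environment will not validate. Wherever they are declared, the token variable should carry `sensitive = true` so it is redacted from plan and apply output, and `proxmox_insecure` should default to `false` so TLS verification of the API endpoint is only disabled by an explicit override. The comment above `insecure` would be more useful stated as a consequence than as a hint: `# Disables TLS verification of the Proxmox API endpoint; leave false unless this host cannot trust the lab CA`. Any `.tfvars` file carrying the token for this environment should be kept out of version control.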
@@ -0,0 +1,35 @@
+# Module: networking
+
+Creates the internal Linux bridge network segments on a Proxmox node. These bridges are purely virtual — no physical NIC is attached. All inter-segment traffic is routed through a firewall VM (OPNsense).
+
+## Segments
+
+| Bridge | CIDR | Purpose |
+|--------|------|---------|
+| management | 10.10.10.0/24 | Proxmox API access and admin tools. Proxmox host holds 10.10.10.1. |
+| services | 10.10.20.0/24 | General workload VMs and containers. |
+| dmz | 10.10.30.0/24 | Externally exposed workloads (e.g. web servers). |
+| isolated | 10.10.40.0/24 | Lab and test workloads. No outbound access by default. |
+
+The Proxmox host has no IP on services, dmz, or isolated — VMs on those segments have no direct path to the hypervisor.
+
+## Usage
+
+```hcl
+module "networking" {
+ source = "../../modules/networking"
+
+ proxmox_node_name = "pve"
+}
+```
+
+## Inputs
+
+| Name | Type | Description |
+|------|------|-------------|
+| proxmox_node_name | string | Name of the Proxmox node to create bridges on. |
+
+## Notes
+
+- After apply, Proxmox automatically reloads the network configuration — no manual intervention required.
+- `Sys.Modify` must be granted to the Terraform API token role to manage node network interfaces.
diff --git a/modules/networking/main.tf b/modules/networking/main.tf
new file mode 100644
index 0000000..8f5f8ff
--- /dev/null
+++ b/modules/networking/main.tf
@@ -0,0 +1,29 @@
+resource "proxmox_network_linux_bridge" "management" {
+ node_name = var.proxmox_node_name
+ name = "management"
+
+ address = "10.10.10.1/24"
+
+ comment = "Terraform managed Linux bridge for Proxmox API access and admin tools"
+}
+
+resource "proxmox_network_linux_bridge" "services" {
+ node_name = var.proxmox_node_name
+ name = "services"
+
+ comment = "Terraform managed Linux bridge for general workload VMs and containers"
+}
+
+resource "proxmox_network_linux_bridge" "dmz" {
+ node_name = var.proxmox_node_name
+ name = "dmz"
+
+ comment = "Terraform managed Linux bridge for externally exposed VMs and containers (e.g. web servers)"
+}
+
+resource "proxmox_network_linux_bridge" "isolated" {
+ node_name = var.proxmox_node_name
+ name = "isolated"
+
+ comment = "Terraform managed Linux bridge for Lab/test VMs and containers with no external connectivity"
+}
diff --git a/modules/networking/terraform.tf b/modules/networking/terraform.tf
new file mode 100644
index 0000000..e5901a2
--- /dev/null
+++ b/modules/networking/terraform.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ proxmox = {
+ source = "bpg/proxmox"
+ }
+ }
+}
diff --git a/modules/networking/variables.tf b/modules/networking/variables.tf
new file mode 100644
index 0000000..481f84e
--- /dev/null
+++ b/modules/networking/variables.tf
@@ -0,0 +1,4 @@
+variable "proxmox_node_name" {
+ description = "Name of the Proxmox node to manage resources on"
+ type = string
+}
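Review bot: The `comment` on the `isolated` bridge asserts "no external connectivity", but nothing in these four resources restricts traffic: a Linux bridge without an address is still a shared L2 segment, and per the README the only things separating the segments are the OPNsense firewall VM (created elsewhere) and the absence of a host address on three of them. A reader of main.tf alone would assume the isolation is enforced here, so the file should state the dependency near the top: `# Segment separation is enforced by the firewall VM (and any Proxmox host firewall rules), not by these bridges; a VM attached to more than one bridge joins both segments.` The `management` address `10.10.10.1/24` is also hard-coded while everything else is variable-driven, and the same value is repeated in the README table; consider exposing it as a module variable with this default so the two cannot drift.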
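Review bot: The module's `required_providers` entry names `bpg/proxmox` without a `version` constraint, so the only pin is the `~> 0.73` in the nonprod root; a second root that consumes this module could resolve any provider version, including one where `proxmox_network_linux_bridge` behaves differently. Declaring the minimum the module actually needs, e.g. `version = ">= 0.73"`, keeps that requirement with the code that depends on it rather than with each caller.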