# Bastion LXC container, dual-homed on the external and development bridges.
# Both interfaces have the Proxmox guest firewall enabled; the policy and the
# rule set live in the two firewall resources further down.
resource "proxmox_virtual_environment_container" "bastion" {
  node_name    = "pve"
  vm_id        = 6000
  tags         = ["dev", "prod", "common", "bastion"]
  unprivileged = true
  started      = true

  cpu {
    cores = 1
  }

  memory {
    dedicated = 512
  }

  disk {
    datastore_id = var.datastore_id
    size         = 4
  }

  # External-facing interface (firewalled).
  network_interface {
    name     = "eth-ext"
    bridge   = var.external_network_bridge_name
    firewall = true
    enabled  = true
  }

  # Development-network interface (firewalled).
  network_interface {
    name     = "eth-dev"
    bridge   = var.development_network_bridge_name
    firewall = true
    enabled  = true
  }

  initialization {
    hostname = "bastion"

    # Presumably pairs with the first network_interface (eth-ext): DHCP.
    ip_config {
      ipv4 {
        address = "dhcp"
      }
    }

    # Presumably pairs with the second network_interface (eth-dev): static.
    # No gateway is configured here, so the default route is expected to come
    # from the DHCP lease above.
    ip_config {
      ipv4 {
        address = "192.168.0.254/24"
        # gateway = "192.168.0.1"
      }
    }

    # Only an SSH public key is provisioned; no password is set on the account.
    user_account {
      keys = [var.ssh_public_key]
    }
  }

  operating_system {
    # TODO: make into a variable
    template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
    type             = "debian"
  }

  startup {
    order      = 100
    up_delay   = 0
    down_delay = 0
  }

  features {
    nesting = true
  }
}

# Guest firewall policy for the bastion: default-deny inbound, allow outbound.
resource "proxmox_virtual_environment_firewall_options" "bastion" {
  depends_on = [proxmox_virtual_environment_container.bastion]

  node_name = proxmox_virtual_environment_container.bastion.node_name
  vm_id     = proxmox_virtual_environment_container.bastion.vm_id

  enabled = true
  # DHCP traffic is permitted; the eth-ext interface obtains its lease this way.
  dhcp          = true
  input_policy  = "DROP"
  output_policy = "ACCEPT"
}

# Explicit inbound exceptions to the DROP policy above. Rule order is kept
# as-is because Proxmox evaluates rules positionally.
resource "proxmox_virtual_environment_firewall_rules" "bastion" {
  depends_on = [proxmox_virtual_environment_container.bastion]

  node_name = proxmox_virtual_environment_container.bastion.node_name
  vm_id     = proxmox_virtual_environment_container.bastion.vm_id

  # SSH. There is no iface or source restriction on this rule, so it applies
  # on both firewalled interfaces (eth-ext and eth-dev) from any source.
  # NOTE(review): confirm that accepting SSH on eth-dev is intended.
  rule {
    type   = "in"
    action = "ACCEPT"
    proto  = "tcp"
    dport  = "22"
  }

  # ICMP type 8 (echo request) so the bastion answers ping.
  rule {
    type   = "in"
    action = "ACCEPT"
    proto  = "icmp"
    dport  = "8"
  }

  # Cluster-level security group for node-exporter scraping.
  rule {
    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
    comment        = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
  }
}