terraform-aws-tailscale-router

Puts a Tailscale subnet router, running on AWS in an ECS container, into your VPC with minimal configuration.

You can read more about this module in "Get VPN access into your AWS VPC with Tailscale" at Atomic Spin.

Quick start

If you just want to deploy into the default VPC and default security group, data sources can get you everything you need save the auth key:

data "aws_vpc" "default" {
  default = true
}

data "aws_security_group" "default_vpc_default" {
  vpc_id = data.aws_vpc.default.id
  name   = "default"
}

data "aws_subnets" "default_vpc" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
}

Pick a name (this will be used for many things, including the ECS cluster that will be launched to contain your router), and you can add the router to your Terraform configuration:

module "router" {
  source  = "atomicobject/tailscale-router/aws"
  version = ">= 1.1.4, < 2.0.0"

  name               = "tailscale-subnet-router"
  tailscale_auth_key = var.tailscale_auth_key
  vpc_id             = data.aws_vpc.default.id
  subnet_ids         = data.aws_subnets.default_vpc.ids
  security_group_ids = [data.aws_security_group.default_vpc_default.id]
}

Other configurations are also possible.

Getting an auth key

An auth key is required to authenticate your router to your tailnet. Go to keys in Tailscale admin, and generate a new auth key here.

Once your router is authenticated, the auth key is no longer needed, as the node key will be used.

For more information, see the documentation.

Other configurations

Deploying into other VPCs is also relatively straightforward; you just need the VPC id and the subnet ids you want to launch into.

Depending on your setup, you may also need to launch your router into different security groups. The default security group AWS created allows traffic only from itself, so using it for the router will allow access to anything else in that security group.

If you want to use different security groups, you'll have to make sure there are appropriate ingress rules to support the router.

NEW in v1.1.0: You can ask Tailscale to advertise additional routes beyond the VPC (for example, if you want to route specific Internet hosts through the subnet router). Just use the "additional_routes" variable:

additional_routes = ["8.8.8.8/32", "8.8.4.4/32"]
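Putting the above together, as an added example that is not part of this module's README: the router is launched into a non-default VPC with its own egress-only security group, and the resources it should reach admit traffic from that group rather than the router joining theirs. The "app-vpc" and "Tier" tags and the existing aws_security_group.database are assumptions.

```hcl
# Added example (not from the module's README): run the router in a custom
# VPC with its own egress-only security group, and admit it only where needed.
data "aws_vpc" "app" {
  tags = { Name = "app-vpc" } # assumed: tag on an existing VPC
}

data "aws_subnets" "app_private" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.app.id]
  }
  tags = { Tier = "private" } # assumed: private subnets with a NAT route out
}

# Dedicated group for the router: no inbound rules; it only needs outbound
# connectivity (to Tailscale and to the subnets it advertises). A managed
# aws_security_group drops AWS's implicit allow-all egress, so add it back.
resource "aws_security_group" "tailscale_router" {
  name        = "tailscale-subnet-router"
  description = "Tailscale subnet router (egress only)"
  vpc_id      = data.aws_vpc.app.id
}

resource "aws_vpc_security_group_egress_rule" "router_all" {
  security_group_id = aws_security_group.tailscale_router.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

# Resources the tailnet should reach admit traffic from the router's group,
# instead of the router joining the resources' own group.
resource "aws_vpc_security_group_ingress_rule" "db_from_router" {
  security_group_id            = aws_security_group.database.id # assumed existing
  referenced_security_group_id = aws_security_group.tailscale_router.id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
}

module "router" {
  source  = "atomicobject/tailscale-router/aws"
  version = ">= 1.1.4, < 2.0.0"

  name               = "tailscale-subnet-router"
  tailscale_auth_key = var.tailscale_auth_key
  vpc_id             = data.aws_vpc.app.id
  subnet_ids         = data.aws_subnets.app_private.ids
  security_group_ids = [aws_security_group.tailscale_router.id]
}
```

Scoping ingress to the router's security group, instead of reusing the default group, means a tailnet user reaches only the ports you have explicitly opened from that group.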

Q&A

Why are subnet ids required? Can't the module determine the subnet ids automatically?

Yes, but if you are deploying your own VPC as part of the same configuration, passing the subnet ids explicitly creates a dependency on them, which is the cleanest way to make sure the subnets are provisioned before the router.

Thanks

Thanks to David Norton for writing Run a Tailscale VPN relay on ECS/Fargate, which inspired this module. Today, we're able to create containers based on the unmodified official Tailscale image instead of having to create our own images, which simplifies this process quite a bit.