This module is used to deploy a Tailscale router instance to set up access from VPC to the Tailscale Cloud.
Module logic is the following:
- Connect to TailScale API using the Terraform Provider and Tailscale api token.
- Generate TailScale Auth Key and place it into the instance.
- Create an Autoscale Group with a single instance using and connect it to the TailScale network.
Please refer to Tailscale Configuration first
module "tailscale" {
source = "registry.terraform.io/hazelops/tailscale/aws"
version = "~>0.2"
allowed_cidr_blocks = ["0.0.0.0/0"] # Please lock this down to your specific CIDR
ec2_key_pair_name = "default-key"
env = "prod"
subnets = ["subnet-0000000", "subnet-0000000"]
vpc_id = "vpc-0000000"
api_token = "00000000000000000000000000" # Please don't store secrets in plain text
}
More examples can be found in the examples directory.
- Create Tailscale API access token (More info on Access tokens can be found here
- Add tag to the ACL control list. ACL should look like this:
{
"acls": [
{
"action": "accept",
"ports": [
"*:*"
],
"users": [
"*"
]
}
],
"tagOwners": {
"tag:<your-environment>": []
}
}Make sure to approve the advertised route:
- Go to Machines page
- Find the machine and click on the
...button. - Select "Edit route settings", check the checkbox and then click "Save".
The tag must be added to the ACL to disable automatic key expiration!
Default parameter for tag is tag:<your-environment>.
More examples can be found in Tailscale Tag Docs.
- Create AWS SSM Parameter using the obtained Tailscale API access token. For example, use the following path
pattern:
<env-name>/global/tailscale_api_token. For more information please refer to AWS Docs. - Add data source to Terraform code like in the example configuration main.tf file.
- In the module call parameters, set
api_tokenvariable like in the example configuration main.tf file. - Alternatively Tailscale API token could be set as string, but this is very unsafe, therefore it is * highly not recommended* to do this.
The following error may occur during module removal:
Error: Provider configuration not present
To work with module.tailscale.tailscale_tailnet_key.this (orphan) its
original provider configuration at
module.tailscale.provider["registry.terraform.io/tailscale/tailscale"] is
required, but it has been removed. This occurs when a provider
configuration is removed while objects created by that provider still exist
in the state. Re-add the provider configuration to destroy
module.tailscale.tailscale_tailnet_key.this (orphan), after which you can
remove the provider configuration again.
To remove it, run the following code:
terraform state rm module.tailscale.tailscale_tailnet_key.this| Name | Version |
|---|---|
| terraform | >=1.2.0 |
| aws | >=4.30.0 |
| tailscale | 0.13.13 |
| Name | Version |
|---|---|
| aws | >=4.30.0 |
| tailscale | 0.13.13 |
No modules.
| Name | Type |
|---|---|
| aws_autoscaling_group.this | resource |
| aws_iam_instance_profile.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.this | resource |
| aws_launch_template.this | resource |
| aws_security_group.this | resource |
| tailscale_tailnet_key.this | resource |
| aws_ami.this | data source |
| aws_iam_policy_document.this | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allowed_cidr_blocks | List of network subnets that are allowed. According to PCI-DSS, CIS AWS and SOC2 providing a default wide-open CIDR is not secure. | list(string) |
n/a | yes |
| ami_id | Optional AMI ID for Tailscale instance. Otherwise latest Amazon Linux will be used. One might want to lock this down to avoid unexpected upgrades. | string |
"" |
no |
| api_token | Tailscale API access token | string |
n/a | yes |
| asg | Scaling settings of an Auto Scaling Group | map(any) |
{ |
no |
| ec2_key_pair_name | EC2 key pair name to use for Tailscale instance | string |
n/a | yes |
| env | Environment name (typically dev/prod) | string |
n/a | yes |
| ext_security_groups | External security groups to add to the Tailscale instance | list(any) |
[] |
no |
| instance_type | Type of Tailscale instance | string |
"t3.nano" |
no |
| key_ephemeral | Indicates whether the key is ephemeral | bool |
true |
no |
| key_expiry | Expiry of the key in seconds. Defaults to 7776000 (90 days) | number |
7776000 |
no |
| key_preauthorized | Determines whether or not the machines authenticated by the key will be authorized for the Tailnet by default | bool |
true |
no |
| key_reusable | Indicates whether the key is reusable | bool |
true |
no |
| monitoring_enabled | Whether to enable monitoring for the Auto Scaling Group | bool |
true |
no |
| name | Name for Tailscale instance | string |
"tailscale-router" |
no |
| public_ip_enabled | Wheter to enable a public IP for Tailscale instance | bool |
false |
no |
| ssm_role_arn | SSM role to attach to a Tailscale instance | string |
"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM" |
no |
| subnets | Subnets where the Taiscale instance will be placed. It is recommended to use a private subnet for better security. | list(string) |
n/a | yes |
| tags | AWS tags for the Tailscale instance | map(string) |
{} |
no |
| tailscale_tags | List of Tailscale tags for the Tailnet device. It would be automatically tagged when it is authenticated with this key | list(string) |
[] |
no |
| vpc_id | VPC ID where the Tailscale instance will be placed | string |
n/a | yes |
| Name | Description |
|---|---|
| autoscaling_group_id | n/a |
| name | n/a |
| security_group_id | n/a |
