Awesome

terraform-aws-tailscale

This is a Terraform Module to create a simple, autoscaled Tailscale Subnet Router on EC2 instance along with generated auth key, and its corresponding IAM resources. The instance should cycle itself on a schedule.

It's 100% Open Source and licensed under the APACHE2.

Usage

Here's how to invoke this example module in your projects

module "vpc" {
  source  = "cloudposse/vpc/aws"
  version = "2.1.1"

  namespace = "eg"
  stage     = "test"
  name      = "tailscale"

  ipv4_primary_cidr_block = "172.16.0.0/16"
}

module "subnets" {
  source  = "cloudposse/dynamic-subnets/aws"
  version = "2.4.1"

  namespace = "eg"
  stage     = "test"
  name      = "tailscale"

  availability_zones = ["us-east-1a", "us-east-1b"]

  vpc_id          = module.vpc.vpc_id
  igw_id          = [module.vpc.igw_id]
  ipv4_cidr_block = [module.vpc.vpc_cidr_block]
}

module "tailscale" {
  source  = "masterpointio/tailscale/aws"
  version = "X.X.X"

  namespace = "eg"
  stage     = "test"
  name      = "tailscale"

  vpc_id           = module.vpc.vpc_id
  subnet_ids       = module.subnets.private_subnet_ids
  advertise_routes = [module.vpc.vpc_cidr_block]

  ephemeral = true
}

Examples

Here is an example of using this module:

examples/complete - complete example of using this module

Requirements

Name	Version
<a name="requirement_terraform"></a> terraform	>= 1.0
<a name="requirement_aws"></a> aws	>= 4.0
<a name="requirement_tailscale"></a> tailscale	>= 0.13.7

Providers

Name	Version
<a name="provider_aws"></a> aws	5.76.0
<a name="provider_tailscale"></a> tailscale	0.17.2

Modules

Name	Source	Version
<a name="module_ssm_policy"></a> ssm_policy	cloudposse/iam-policy/aws	2.0.1
<a name="module_ssm_state"></a> ssm_state	cloudposse/ssm-parameter-store/aws	0.13.0
<a name="module_tailscale_subnet_router"></a> tailscale_subnet_router	masterpointio/ssm-agent/aws	1.2.0
<a name="module_this"></a> this	cloudposse/label/null	0.25.0

Resources

Name	Type
aws_iam_role_policy_attachment.default	resource
tailscale_tailnet_key.default	resource

Inputs

Name	Description	Type	Default	Required
<a name="input_additional_security_group_ids"></a> additional_security_group_ids	Additional Security Group IDs to associate with the Tailscale Subnet Router EC2 instance.	`list(string)`	`[]`	no
<a name="input_additional_tag_map"></a> additional_tag_map	Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration.	`map(string)`	`{}`	no
<a name="input_additional_tags"></a> additional_tags	Additional Tailscale tags to apply to the Tailscale Subnet Router machine in addition to `primary_tag`. These should not include the `tag:` prefix.	`list(string)`	`[]`	no
<a name="input_advertise_routes"></a> advertise_routes	The routes (expressed as CIDRs) to advertise as part of the Tailscale Subnet Router.<br> Example: ["10.0.2.0/24", "0.0.1.0/24"]	`list(string)`	`[]`	no
<a name="input_ami"></a> ami	The AMI to use for the Tailscale Subnet Router EC2 instance.<br> If not provided, the latest Amazon Linux 2 AMI will be used.<br> Note: This will update periodically as AWS releases updates to their AL2 AMI.<br> Pin to a specific AMI if you would like to avoid these updates.	`string`	`""`	no
<a name="input_associate_public_ip_address"></a> associate_public_ip_address	Associate public IP address with subnet router	`bool`	`null`	no
<a name="input_attributes"></a> attributes	ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element.	`list(string)`	`[]`	no
<a name="input_context"></a> context	Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional_tag_map, which are merged.	`any`	<pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre>	no
<a name="input_create_run_shell_document"></a> create_run_shell_document	Whether or not to create the SSM-SessionManagerRunShell SSM Document.	`bool`	`true`	no
<a name="input_delimiter"></a> delimiter	Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.	`string`	`null`	no
<a name="input_descriptor_formats"></a> descriptor_formats	Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty).	`any`	`{}`	no
<a name="input_desired_capacity"></a> desired_capacity	Desired number of instances in the Auto Scaling Group	`number`	`1`	no
<a name="input_enabled"></a> enabled	Set to false to prevent the module from creating any resources	`bool`	`null`	no
<a name="input_environment"></a> environment	ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'	`string`	`null`	no
<a name="input_ephemeral"></a> ephemeral	Indicates if the key is ephemeral.	`bool`	`false`	no
<a name="input_exit_node_enabled"></a> exit_node_enabled	Advertise Tailscale Subnet Router EC2 instance as exit node. Defaults to false.	`bool`	`false`	no
<a name="input_expiry"></a> expiry	The expiry of the auth key in seconds.	`number`	`7776000`	no
<a name="input_id_length_limit"></a> id_length_limit	Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`.	`number`	`null`	no
<a name="input_instance_type"></a> instance_type	The instance type to use for the Tailscale Subnet Router EC2 instance.	`string`	`"t3.nano"`	no
<a name="input_key_pair_name"></a> key_pair_name	The name of the key-pair to associate with the Tailscale Subnet Router EC2 instance.	`string`	`null`	no
<a name="input_label_key_case"></a> label_key_case	Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`.	`string`	`null`	no
<a name="input_label_order"></a> label_order	The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.	`list(string)`	`null`	no
<a name="input_label_value_case"></a> label_value_case	Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`.	`string`	`null`	no
<a name="input_labels_as_tags"></a> labels_as_tags	Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>Notes:<br> The value of the `name` tag, if included, will be the `id`, not the `name`.<br> Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br> changed in later chained modules. Attempts to change it will be silently ignored.	`set(string)`	<pre>[<br> "default"<br>]</pre>	no
<a name="input_max_size"></a> max_size	Maximum number of instances in the Auto Scaling Group. Must be >= desired_capacity.	`number`	`2`	no
<a name="input_min_size"></a> min_size	Minimum number of instances in the Auto Scaling Group	`number`	`1`	no
<a name="input_monitoring_enabled"></a> monitoring_enabled	Enable detailed monitoring of instances	`bool`	`true`	no
<a name="input_name"></a> name	ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.	`string`	`null`	no
<a name="input_namespace"></a> namespace	ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique	`string`	`null`	no
<a name="input_preauthorized"></a> preauthorized	Determines whether or not the machines authenticated by the key will be authorized for the tailnet by default.	`bool`	`true`	no
<a name="input_primary_tag"></a> primary_tag	The primary tag to apply to the Tailscale Subnet Router machine. Do not include the `tag:` prefix. This must match the OAuth client's tag. If not provided, the module will use the module's ID as the primary tag, which is configured in context.tf	`string`	`null`	no
<a name="input_regex_replace_chars"></a> regex_replace_chars	Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.	`string`	`null`	no
<a name="input_reusable"></a> reusable	Indicates if the key is reusable or single-use.	`bool`	`true`	no
<a name="input_session_logging_enabled"></a> session_logging_enabled	To enable CloudWatch and S3 session logging or not.<br> Note this does not apply to SSH sessions as AWS cannot log those sessions.	`bool`	`true`	no
<a name="input_session_logging_kms_key_alias"></a> session_logging_kms_key_alias	Alias name for `session_logging` KMS Key.<br> This is only applied if 2 conditions are met: (1) `session_logging_kms_key_arn` is unset,<br> (2) `session_logging_encryption_enabled` = true.	`string`	`"alias/session_logging"`	no
<a name="input_session_logging_ssm_document_name"></a> session_logging_ssm_document_name	Name for `session_logging` SSM document.<br> This is only applied if 2 conditions are met: (1) `session_logging_enabled` = true,<br> (2) `create_run_shell_document` = true.	`string`	`"SSM-SessionManagerRunShell-Tailscale"`	no
<a name="input_ssh_enabled"></a> ssh_enabled	Enable SSH access to the Tailscale Subnet Router EC2 instance. Defaults to true.	`bool`	`true`	no
<a name="input_ssm_state_enabled"></a> ssm_state_enabled	Control is tailscaled state (including preferences and keys) is stored in AWS SSM.<br>See more in the docs.	`bool`	`false`	no
<a name="input_stage"></a> stage	ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'	`string`	`null`	no
<a name="input_subnet_ids"></a> subnet_ids	The Subnet IDs which the Tailscale Subnet Router EC2 instance will run in. These should be private subnets.	`list(string)`	n/a	yes
<a name="input_tags"></a> tags	Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module.	`map(string)`	`{}`	no
<a name="input_tailscale_up_extra_flags"></a> tailscale_up_extra_flags	Extra flags to pass to `tailscale up` for advanced configuration.<br>See more in the docs.	`list(string)`	`[]`	no
<a name="input_tailscaled_extra_flags"></a> tailscaled_extra_flags	Extra flags to pass to Tailscale daemon for advanced configuration. Example: ["--state=mem:"]<br>See more in the docs.	`list(string)`	`[]`	no
<a name="input_tenant"></a> tenant	ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for	`string`	`null`	no
<a name="input_user_data"></a> user_data	The user_data to use for the Tailscale Subnet Router EC2 instance.<br> You can use this to automate installation of all the required command line tools.	`string`	`""`	no
<a name="input_vpc_id"></a> vpc_id	The ID of the VPC which the Tailscale Subnet Router EC2 instance will run in.	`string`	n/a	yes

Outputs

Name	Description
<a name="output_autoscaling_group_id"></a> autoscaling_group_id	The ID of the Tailscale Subnet Router EC2 instance Autoscaling Group.
<a name="output_instance_name"></a> instance_name	The name tag value of the Tailscale Subnet Router EC2 instance.
<a name="output_launch_template_id"></a> launch_template_id	The ID of the Tailscale Subnet Router EC2 instance Launch Template.
<a name="output_security_group_id"></a> security_group_id	The ID of the Tailscale Subnet Router EC2 instance Security Group.