This module allows to provision EC2 instances (part of an Autoscaling group) in order to access to private AWS resources using Tailscale
In order for your instances to join automatically your tailnet at startup, you need to:
- Generate an auth key or use the Tailscale provider (here is an example)
- Add an autoApprovers ACL so that the routes will be advertised.
Here is an example that allows an instance that uses an auth_key generated by the user
foo@example.comto automatically advertise the CIDR10.0.0.0/16
"autoApprovers": {
"routes": {
"10.0.0.0/16": [
"foo@example.com"
]
}
},Set the appropriate variables in variables.tfvars
module "tailscale_subnet_router" {
source = "Smana/tailscale-subnet-router/aws"
version = "1.0.5"
region = "eu-west-3"
env = "dev"
name = "foobar"
auth_key = <REDACTED> # Put your tailscale auth_key here
vpc_id = module.vpc.vpc_id
subnet_ids = module.vpc.private_subnets
advertise_routes = [module.vpc.vpc_cidr_block]
tags = {
App = "tailscale"
}
}And run the following command
tofu plan --var-file variables.tfvarsAfter checking the plan, apply it:
tofu apply --var-file variables.tfvarsRun the following command in order to check the code before pushing a PR.
task pre-commit| Name | Version |
|---|---|
| terraform | ~> 1.4 |
| aws | ~> 5.0 |
| cloudinit | ~> 2.3 |
| random | ~> 3.2 |
| Name | Version |
|---|---|
| aws | 5.47.0 |
| cloudinit | 2.3.4 |
| random | 3.6.1 |
No modules.
| Name | Type |
|---|---|
| aws_autoscaling_group.this | resource |
| aws_iam_instance_profile.tailscale_profile | resource |
| aws_iam_role.tailscale_role | resource |
| aws_iam_role_policy_attachment.ssm_worker_nodes | resource |
| aws_launch_template.this | resource |
| aws_security_group.this | resource |
| aws_security_group_rule.default_egress | resource |
| random_pet.prefix | resource |
| aws_ami.this | data source |
| cloudinit_config.tailscale_cloud_init | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| advertise_routes | List of CIDR blocks that are routed through Tailscale | list(string) |
n/a | yes |
| ami_filter | List of maps used to create the AMI filter for the action runner AMI. | map(list(string)) |
{ |
no |
| auth_key | Tailscale auth key used to join the tailnet | string |
"" |
no |
| autoscaling | Autoscaling configuration | object({ |
{ |
no |
| env | Environment of the Tailscale instances | string |
"" |
no |
| extra_args | Additionnal arguments to append to the tailscale commmand line | string |
"" |
no |
| instance_type | EC2 instance type | string |
"t3a.micro" |
no |
| name | Prefix for the autoscaling group | string |
null |
no |
| prometheus_node_exporter_enabled | If set to true install and start a prometheus node exporter | bool |
false |
no |
| region | Name of the AWS Region | string |
n/a | yes |
| resources_to_tag | list of resources we want to tag on aws_launch_template | list(string) |
[ |
no |
| ssm_enabled | If set to true install and start the AWS SSM agent | bool |
false |
no |
| subnet_ids | Private subnet IDs where the Tailscale instances will be created | list(string) |
n/a | yes |
| tags | Default tags for all the resources | map(string) |
{} |
no |
| tailscale_ssh_enabled | If true Tailscale will be started with SSH support | bool |
false |
no |
| vpc_id | ID of the VPC where the Tailscale instances will be created | string |
n/a | yes |
| Name | Description |
|---|---|
| autoscaling_group_id | value |
| security_group_id | value |