This repository contains the source code for the Tailscale Terraform provider. This Terraform provider lets you interact with the Tailscale API.
See the documentation in the Terraform registry for the most up-to-date information and latest release.
This provider is maintained by Tailscale. Thanks to everyone who contributed to the development of the Tailscale Terraform provider, and special thanks to davidsbond.
To install this provider, copy and paste this code into your Terraform configuration. Then, run `terraform init`.
```hcl
terraform {
  required_providers {
    tailscale = {
      source  = "tailscale/tailscale"
      version = "~> 0.16" // Latest 0.16.x
    }
  }
}

provider "tailscale" {
  api_key = "tskey-api-..."
}
```
In the `provider` block, set your API key in the `api_key` field. Alternatively, use the `TAILSCALE_API_KEY` environment variable.
Instead of using a personal API key, you can configure the provider to use an OAuth client, e.g.:
```hcl
provider "tailscale" {
  oauth_client_id     = "..."
  oauth_client_secret = "tskey-client-..."
}
```
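A pre-commit style check for the two credential options above, added here as an example and not part of the provider's own code: it flags literal `api_key` or `oauth_client_secret` values inside `provider "tailscale"` blocks, so that credentials come from variables or the `TAILSCALE_API_KEY` environment variable instead of the committed configuration. The function names and the sample configuration are constructed for illustration.

```python
import re

# Provider attributes that carry credentials (names taken from this README).
SECRET_ATTRS = ("api_key", "oauth_client_secret")
PROVIDER_RE = re.compile(r'provider\s+"tailscale"\s*\{')
# name = "quoted string"; unquoted references such as var.x never match.
ATTR_RE = re.compile(
    r'^\s*(%s)\s*=\s*"((?:[^"\\]|\\.)*)"' % "|".join(SECRET_ATTRS), re.M)
# A quoted value that is a single ${...} template is a reference, not a literal.
ONLY_INTERP_RE = re.compile(r'^\$\{[^}]*\}$')

def provider_bodies(hcl):
    """Yield (line_of_block, body_text) for each provider "tailscale" block."""
    for m in PROVIDER_RE.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        end = i - 1 if depth == 0 else i  # tolerate an unterminated block
        yield hcl.count("\n", 0, m.start()) + 1, hcl[m.end():end]

def find_hardcoded_secrets(hcl):
    """Return [(line, attribute)] for literal credentials; values are never echoed."""
    findings = []
    for start, body in provider_bodies(hcl):
        for a in ATTR_RE.finditer(body):
            name, value = a.group(1), a.group(2)
            if value and not ONLY_INTERP_RE.match(value):
                findings.append((start + body.count("\n", 0, a.start(1)), name))
    return findings

# Constructed sample configuration; the key below is a placeholder, not a real key.
SAMPLE = '''
provider "tailscale" {
  api_key = "tskey-api-EXAMPLE-NOT-A-REAL-KEY"
}
provider "tailscale" {
  alias               = "oauth"
  oauth_client_id     = var.ts_client_id
  oauth_client_secret = var.ts_client_secret
}
provider "tailscale" {
  alias   = "templated"
  api_key = "${var.ts_api_key}"
}
'''

if __name__ == "__main__":
    for line, attr in find_hardcoded_secrets(SAMPLE):
        print(f"line {line}: literal value assigned to {attr}")
```

Only the first block in the sample is reported; the variable reference and the single-template value pass.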
The default API endpoint is . If your coordination/control server API is at another endpoint, you can pass in `base_url` in the provider block.
```hcl
provider "tailscale" {
  api_key  = "tskey-api-..."
  base_url = ""
}
```
To update an existing Terraform deployment currently using the original `davidsbond/tailscale` provider, use:
```shell
terraform state replace-provider
```
Please review the contributing guidelines and code of conduct before contributing to this codebase. Please create a new issue for bugs and feature requests and fill in as much detail as you can.
The Terraform plugin documentation on debugging provides helpful strategies for debugging while developing plugins.
Namely, adding a development override for the `tailscale/tailscale` provider allows for using your local copy of the provider instead of a published version.
Your `terraformrc` should look something like the following:
```hcl
provider_installation {
  # This disables the version and checksum verifications for this
  # provider and forces Terraform to look for the tailscale/tailscale
  # provider plugin in the given directory.
  dev_overrides {
    "tailscale/tailscale" = "/path/to/this/repo/on/disk"
  }

  # For all other providers, install them directly from their origin provider
  # registries as normal. If you omit this, Terraform will _only_ use
  # the dev_overrides block, and so no other providers will be available.
  direct {}
}
```
Remember to run `make build` to build the provider and pick up your local changes.
Tests in this repo that are prefixed with `TestAcc` are acceptance tests which run against a real instance of the Tailscale control plane.
These tests are skipped unless the `TF_ACC` environment variable is set.
Running `make testacc` sets the `TF_ACC` variable and runs the tests.
The `TF_ACC` environment variable is handled by Terraform core code and is not directly referenced in provider code.
The following Tailscale-specific environment variables must also be set:
- URL of the control plane
- Tests will be performed against the tailnet which the key belongs to
- The FQDN of a device owned by the owner of the API key in use
If you run a local control server with the `terraform-acceptance-testing` test scenario, then you can use the make rule `testacc_local`, which will correctly populate the necessary environment variables for you.
```shell
./tool/go run ./cmd/tailcontrol --dev --generate-test-devices=terraform-acceptance-testing &
make testacc_local
```
Pushing a tag of the format `vX.Y.Z` will trigger the release workflow, which uses goreleaser to build and sign artifacts and generate a GitHub release.
GitHub releases are pulled in and served by the HashiCorp Terraform and OpenTofu registries for usage of the provider via Terraform or OpenTofu.