Tailscale subnet router
This module allows to provision EC2 instances (part of an Autoscaling group) in order to access to private AWS resources using Tailscale
✔️ Prerequisites
In order for your instances to join automatically your Tailnet at startup, you need to:
- Generate an auth key or use the Tailscale provider (here is an example)
- Add an autoApprovers ACL so that the routes will be advertised.
Here is an example that allows an instance that uses an auth_key generated by the user
foo@example.comto automatically advertise the CIDR10.0.0.0/16
"autoApprovers": {
"routes": {
"10.0.0.0/16": [
"foo@example.com"
]
}
},:rocket: Deploy
Set the appropriate variables in variables.tfvars
module "tailscale_subnet_router" {
source = "Smana/tailscale-subnet-router/aws"
version = "1.0.6"
region = "eu-west-3"
env = "dev"
name = "foobar"
auth_key = <REDACTED> # Put your tailscale auth_key here
vpc_id = module.vpc.vpc_id
subnet_ids = module.vpc.private_subnets
advertise_routes = [module.vpc.vpc_cidr_block]
tags = {
app = "tailscale"
observability:node-exporter = "true"
}
}And run the following command
tofu plan --var-file variables.tfvarsAfter checking the plan, apply it:
tofu apply --var-file variables.tfvars🔍 CI
Run the following command in order to check the code before pushing a PR.
task pre-commitRequirements
| Name | Version |
|---|---|
| terraform | ~> 1.4 |
| aws | ~> 5.0 |
| cloudinit | ~> 2.3 |
| random | ~> 3.2 |
Providers
| Name | Version |
|---|---|
| aws | 5.65.0 |
| cloudinit | 2.3.4 |
| random | 3.6.2 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| aws_autoscaling_group.this | resource |
| aws_iam_instance_profile.tailscale_profile | resource |
| aws_iam_role.tailscale_role | resource |
| aws_iam_role_policy_attachment.ssm_worker_nodes | resource |
| aws_launch_template.this | resource |
| aws_security_group.this | resource |
| aws_security_group_rule.default_egress | resource |
| aws_security_group_rule.prometheus_node_exporter | resource |
| random_pet.prefix | resource |
| aws_ami.this | data source |
| aws_vpc.this | data source |
| cloudinit_config.tailscale_cloud_init | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| advertise_routes | List of CIDR blocks that are routed through Tailscale | list(string) |
n/a | yes |
| ami_filter | List of maps used to create the AMI filter for the action runner AMI. | map(list(string)) |
{ |
no |
| ami_owner | Owner ID of the AMI | string |
"099720109477" |
no |
| auth_key | Tailscale auth key used to join the tailnet | string |
"" |
no |
| autoscaling | Autoscaling configuration | object({ |
{ |
no |
| env | Environment of the Tailscale instances | string |
"" |
no |
| extra_args | Additionnal arguments to append to the tailscale commmand line | string |
"" |
no |
| instance_type | EC2 instance type | string |
"t3a.micro" |
no |
| name | Prefix for the autoscaling group | string |
null |
no |
| prometheus_node_exporter_enabled | If set to true install and start a prometheus node exporter | bool |
false |
no |
| region | Name of the AWS Region | string |
n/a | yes |
| resources_to_tag | list of resources we want to tag on aws_launch_template | list(string) |
[ |
no |
| ssm_enabled | If set to true install and start the AWS SSM agent | bool |
false |
no |
| subnet_ids | Private subnet IDs where the Tailscale instances will be created | list(string) |
n/a | yes |
| tags | Default tags for all the resources | map(string) |
{} |
no |
| tailscale_ssh_enabled | If true Tailscale will be started with SSH support | bool |
false |
no |
| vpc_id | ID of the VPC where the Tailscale instances will be created | string |
n/a | yes |
Outputs
| Name | Description |
|---|---|
| autoscaling_group_id | value |
| security_group_id | value |