tailscale / terraform-provider-tailscale

Terraform provider for Tailscale
https://registry.terraform.io/providers/tailscale/tailscale
MIT License

"requested tags are invalid or not permitted" with scoped OAuth Clients and 2 or more tags approved for this client #437

Open artmakh opened 1 month ago

artmakh commented 1 month ago

Describe the bug

When you try to create a tailscale_tailnet_key resource using a scoped OAuth client that has more than one allowed tag, but create the tailscale_tailnet_key for only one of those tags, you receive the error "requested tags are invalid or not permitted". When you use API access tokens, or an OAuth client with only one allowed tag (tag:test_tag), you get no errors.

To Reproduce

Steps to reproduce the behaviour:

  1. Create an OAuth Client with Devices read/write permissions and two allowed tags: tag:test_tag, tag:test_tag_2
  2. Export TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET to the environment
  3. Use this Terraform code to create the tailscale_tailnet_key resource:

provider "tailscale" {
  tailnet = "yours-tailnet"
  scopes  = ["devices"]
}

resource "tailscale_tailnet_key" "this" {
  reusable      = true
  ephemeral     = true
  preauthorized = true

  recreate_if_invalid = "always"

  tags = [
    "tag:test_tag"
  ]
}

  4. Try to apply this code
  5. Get the error "requested tags [tag:test_tag] are invalid or not permitted"

Expected behaviour: tailscale_tailnet_key is created.


mpminardi commented 1 month ago

Hey @artmakh!

Clarification on this behaviour from our knowledge base:

When you create an OAuth client with the scope devices, you must select one or more tags, which can be any tag or set of tags in your tailnet. Auth keys created with this client must have those exact tags, or tags owned by the client's tags. Additionally, these tags need to be specified in the API call.

This means that if you have something like the following in the policy file:

"tagOwners": {
  "tag:test-tag": ["autogroup:admin", "autogroup:owner"],
  "tag:test-tag-2": ["autogroup:admin", "autogroup:owner"],
}

and both test-tag and test-tag-2 were added to the OAuth client when it was created, then the tags section on tailscale_tailnet_key must include both test-tag and test-tag-2.

What you might want to do here instead, if you want to be able to specify either test-tag or test-tag-2 in the tags for tailscale_tailnet_key, is have something like the following in the policy file:

"tagOwners": {
  "tag:main":  ["autogroup:admin", "autogroup:owner"],
  "tag:test-tag": ["autogroup:admin", "autogroup:owner", "tag:main"],
  "tag:test-tag-2": ["autogroup:admin", "autogroup:owner", "tag:main"],
}

and then add tag:main to the OAuth client you are using. This scenario is allowed as both test-tag and test-tag-2 are owned by tag:main.

With all that being said: the error message here is definitely confusing. Will take a look into this on our end.
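The ownership rule described in the comment above, as an added Go example that is not part of this thread or of the provider's code: it models the check against the two tagOwners policies shown and reproduces why the single-tag request is rejected under the first policy but accepted under the second. The function name, the nil-vs-offending-tags return shape and the exact-match/owned-by reading of the rule are assumptions taken from the comment, not Tailscale's implementation.

```go
package main

import "fmt"

// tagOwners models the "tagOwners" section of a Tailscale policy file: tag -> principals allowed to apply it.
type tagOwners map[string][]string

// tagPermitted models the rule quoted above: an auth key minted by an OAuth client must carry
// exactly the client's tags, or only tags whose tagOwners entry names one of the client's tags.
// It returns the offending tags (nil when permitted). Assumption: a model of the stated rule only.
func tagPermitted(owners tagOwners, clientTags, requested []string) []string {
	client := map[string]bool{}
	for _, t := range clientTags {
		client[t] = true
	}
	// Exact-match case: requested set equals the client's tag set (order and duplicates ignored).
	exact := len(requested) > 0
	seen := map[string]bool{}
	for _, t := range requested {
		seen[t] = true
		if !client[t] {
			exact = false
		}
	}
	if exact && len(seen) == len(client) {
		return nil
	}
	// Ownership case: every requested tag must list a client tag among its owners.
	var bad []string
	for _, t := range requested {
		owned := false
		for _, o := range owners[t] {
			owned = owned || client[o]
		}
		if !owned {
			bad = append(bad, t)
		}
	}
	return bad
}

func main() {
	// Constructed inputs mirroring the two policies in the thread (owners trimmed to the relevant entries).
	flat := tagOwners{"tag:test-tag": {"autogroup:admin"}, "tag:test-tag-2": {"autogroup:admin"}}
	nested := tagOwners{"tag:main": {"autogroup:admin"}, "tag:test-tag": {"autogroup:admin", "tag:main"}, "tag:test-tag-2": {"autogroup:admin", "tag:main"}}
	fmt.Println(tagPermitted(flat, []string{"tag:test-tag", "tag:test-tag-2"}, []string{"tag:test-tag"})) // [tag:test-tag]
	fmt.Println(tagPermitted(nested, []string{"tag:main"}, []string{"tag:test-tag"}))                      // []
}
```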