Infrastructure for a Tailscale exit node.
- VM running Debian that will join the tailnet at launch and advertise as an exit node.
- If Device Approval is switched on, and/or the user generating the auth key is not set up as an autoApprover in tailnet policy, then the exit node will need to be manually approved on the Machines tab of the Tailscale admin console.
- Dedicated VPC network and subnet, and a firewall rule to allow SSHing into the exit node VM via Identity-Aware Proxy.
- Enablement of the necessary Google Cloud APIs/services.
Both the Google Cloud and Tailscale providers will require authentication:
- For Tailscale, it is recommended to set the TAILSCALE_API_KEY environment variable with a valid API access token generated from the admin console.
- The shell script executed by null_resource.remove_previous_exit_node will also make use of this TAILSCALE_API_KEY environment variable.
- Google Cloud provider authentication is documented here.
If the exit node VM needs to be rotated, for example into a different region, it is recommended to have Terraform force-replace the tailscale_tailnet_key resource, like so:
terraform apply --replace=module.this.tailscale_tailnet_key.one_time_use
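The cleanup that null_resource.remove_previous_exit_node performs is not shown on this page; the following is an added example (not the module's own script) of how such a step can be done safely against the Tailscale v2 API using TAILSCALE_API_KEY. It assumes the exit node VMs share a hostname prefix, and it refuses to delete anything until the newly launched node is visible in the device list, so a failed rotation never removes the only working exit node.

```python
import json
import os
import urllib.request

TAILSCALE_API = "https://api.tailscale.com/api/v2"

# Constructed sample of the "devices" array returned by the Tailscale API.
SAMPLE_DEVICES = [
    {"id": "100", "hostname": "exit-node-a", "lastSeen": "2024-01-01T00:00:00Z"},
    {"id": "200", "hostname": "exit-node-b", "lastSeen": "2024-01-02T00:00:00Z"},
    {"id": "300", "hostname": "laptop", "lastSeen": "2024-01-02T00:00:00Z"},
]


def previous_exit_nodes(devices, current_hostname, hostname_prefix):
    """Devices that share the exit node's hostname prefix but are not the node
    that just joined. Returns [] when the new node is not listed yet, so the
    old node is only removed once its replacement is confirmed present."""
    if current_hostname not in {d["hostname"] for d in devices}:
        return []
    return [d for d in devices
            if d["hostname"].startswith(hostname_prefix)
            and d["hostname"] != current_hostname]


def list_devices(tailnet, api_key):
    """Live call: GET /tailnet/{tailnet}/devices with a Bearer API key."""
    req = urllib.request.Request(f"{TAILSCALE_API}/tailnet/{tailnet}/devices")
    req.add_header("Authorization", f"Bearer {api_key}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["devices"]


def delete_device(device_id, api_key, dry_run=True):
    """DELETE /device/{id}. In dry_run mode only the request is described."""
    url = f"{TAILSCALE_API}/device/{device_id}"
    if dry_run:
        return f"DELETE {url}"
    req = urllib.request.Request(url, method="DELETE")
    req.add_header("Authorization", f"Bearer {api_key}")
    with urllib.request.urlopen(req) as resp:
        return f"{resp.status} {url}"


if __name__ == "__main__":
    # Offline dry run over the constructed sample: exit-node-b just joined,
    # so exit-node-a is the previous node and the only one selected.
    key = os.environ.get("TAILSCALE_API_KEY", "")
    for dev in previous_exit_nodes(SAMPLE_DEVICES, "exit-node-b", "exit-node"):
        print(delete_device(dev["id"], key, dry_run=True))
```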
The following requirements are needed by this module:
The following providers are used by this module:
No modules.
The following resources are used by this module:
- google_compute_address.main (resource)
- google_compute_firewall.main (resource)
- google_compute_instance.main (resource)
- google_compute_network.main (resource)
- google_compute_project_default_network_tier.main (resource)
- google_compute_project_metadata_item.vm_manager_os_config (resource)
- google_compute_project_metadata_item.vm_metadata_guest_attributes (resource)
- google_compute_subnetwork.main (resource)
- google_project_iam_member.vm_manager_logwriter (resource)
- google_project_service.main (resource)
- google_service_account.vm_manager (resource)
- null_resource.remove_previous_exit_node (resource)
- random_integer.region_selector (resource)
- tailscale_tailnet_key.one_time_use (resource)
- google_compute_image.debian (data source)
- google_compute_zones.region (data source)
- google_project.this (data source)
The following input variables are required:
Description: Google Cloud region to deploy resources in.
Type: string
The following input variables are optional (have default values):
Description: Activate required API services for the Google Cloud project.
Type: bool
Default: true
Description: Activate Google Cloud VM Manager.
Type: bool
Default: false
Description: Whether or not to use Google Cloud's Premium Tier network.
Type: bool
Default: false
Description: A map of labels to apply to contained resources.
Type: map(string)
Default: {}
Description: UUID of a check at Healthchecks.io that the exit node VM will poll every 15 minutes with curl from a cron job. If left unset then the check will not be set up.
Type: string
Default: ""
The following outputs are exported:
Description: The service APIs that have been enabled by this module.
Description: The ID of the exit node VM.
Description: The public IP address of the exit node VM.
Description: The command line to run for SSH access into the exit node VM.
Description: The ID of the regional subnet.
Description: The ID of the Tailscale auth key that the exit node VM joined the tailnet with.
Description: The ID of the service account attached to the VM. If the enable_vm_manager input variable is set to true then this SA will also enable VM Manager.
Description: The ID of the main VPC.