Infrastructure for a Tailscale exit node.
- VM running Debian that will join the tailnet at launch and advertise as an exit node.
- If Device Approval is switched on, and/or the user generating the auth key is not set up as an autoApprover in tailnet policy, then the exit node will need to be manually approved on the Machines tab of the Tailscale admin console.
- Dedicated VPC network and subnet, and a firewall rule to allow SSHing into the exit node VM via Identity-Aware Proxy.
- Enablement of the necessary Google Cloud APIs/services.
Both the Google Cloud and Tailscale providers will require authentication:
- For Tailscale, it is recommended to set the TAILSCALE_API_KEY environment variable with a valid API access token generated from the admin console. The shell script executed by null_resource.remove_previous_exit_node will also make use of this TAILSCALE_API_KEY environment variable.
- Google Cloud provider authentication is documented here.
The module has an input variable for the Google Cloud project into which it will provision the resources detailed below. This project must already exist; the module will not provision the project itself, only the resources inside of it, and the necessary APIs/services for these resources.
If the exit node VM needs to be rotated, into a different region for example, it is recommended to have Terraform force-replace the tailscale_tailnet_key resource, like so:
    terraform apply --replace=module.this.tailscale_tailnet_key.one_time_use
The following requirements are needed by this module:
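As an added illustration (not the module's own source), the following shows how the single-use auth key and its Secret Manager storage described above can be wired together, using the resource names from the module's resource list; the attribute values, and the variable names var.project_id and var.region, are assumptions. The preauthorized flag only skips Device Approval when the key's creator is an autoApprover, which is why manual approval may still be needed.

```hcl
# Added example, not the module's own code. Resource names follow the
# module's resource list; attribute values and var.* names are assumed.

# Non-reusable key: once the VM has joined, the key is spent, so a copy
# read later from Secret Manager cannot enrol a second machine.
resource "tailscale_tailnet_key" "one_time_use" {
  reusable      = false
  ephemeral     = false # the exit node should survive reboots
  preauthorized = true  # honoured only if the key creator is an autoApprover
  expiry        = 3600  # seconds; long enough for first boot, no longer
  description   = "gce-exit-node ${var.region}"
}

# Keep the key in Secret Manager rather than in instance metadata, where
# anyone with compute.instances.get on the project could read it.
resource "google_secret_manager_secret" "tailscale_auth_key" {
  project   = var.project_id
  secret_id = "tailscale-auth-key"
  replication {
    auto {}
  }
}

resource "google_secret_manager_secret_version" "tailscale_auth_key" {
  secret      = google_secret_manager_secret.tailscale_auth_key.id
  secret_data = tailscale_tailnet_key.one_time_use.key
}

# Least privilege: only the VM's own service account may read this one
# secret, and only with the accessor role, not project-wide.
resource "google_secret_manager_secret_iam_member" "compute_gsa_secretaccessor_tailscale" {
  project   = var.project_id
  secret_id = google_secret_manager_secret.tailscale_auth_key.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.compute.email}"
}
```

Because the key resource is what gets force-replaced, replacing it also rolls the secret version, and the VM's startup script can read the current value with `gcloud secrets versions access latest --secret=tailscale-auth-key` before calling `tailscale up --advertise-exit-node`.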
The following providers are used by this module:
No modules.
The following resources are used by this module:
- google_compute_address.main (resource)
- google_compute_firewall.main (resource)
- google_compute_instance.main (resource)
- google_compute_network.main (resource)
- google_compute_project_default_network_tier.main (resource)
- google_compute_project_metadata_item.vm_metadata_guest_attributes (resource)
- google_compute_subnetwork.main (resource)
- google_project_iam_member.compute_gsa_logwriter (resource)
- google_project_service.main (resource)
- google_secret_manager_secret.healthchecks_io_uuid (resource)
- google_secret_manager_secret.tailscale_auth_key (resource)
- google_secret_manager_secret_iam_member.compute_gsa_secretaccessor_healthchecks (resource)
- google_secret_manager_secret_iam_member.compute_gsa_secretaccessor_tailscale (resource)
- google_secret_manager_secret_version.healthchecks_io_uuid (resource)
- google_secret_manager_secret_version.tailscale_auth_key (resource)
- google_service_account.compute (resource)
- null_resource.remove_previous_exit_node (resource)
- random_integer.region_selector (resource)
- tailscale_tailnet_key.one_time_use (resource)
- google_compute_image.debian (data source)
- google_compute_zones.region (data source)
- google_project.this (data source)
The following input variables are required:
- Description: The ID of the Google Cloud project in which resources will be created. Type: string
- Description: Google Cloud region to deploy resources in. Type: string
The following input variables are optional (have default values):
- Description: Activate required API services for the Google Cloud project. Type: bool. Default: true
- Description: Enable Tailscale SSH on the exit node. Type: bool. Default: false
- Description: Whether or not to use Google Cloud's Premium Tier network. Type: bool. Default: false
- Description: A map of labels to apply to contained resources. Type: map(string). Default: {}
- Description: UUID of a check at Healthchecks.io that the exit node VM will poll every 15 minutes with curl from a cron job. If left unset then the check will not be set up. Type: string. Default: ""
- Description: Specify the desired machine type for the exit node VM. Note that it must be available in the chosen region. Type: string. Default: "f1-micro"
The following outputs are exported:
- Description: The ID of the Google service account attached to the exit node VM.
- Description: The service APIs that have been enabled by this module.
- Description: The ID of the exit node VM.
- Description: The URL to access Google Cloud logging for the exit node VM.
- Description: The public IP address of the exit node VM.
- Description: The command line to run for SSH access into the exit node VM.
- Description: The ID of the regional subnet.
- Description: The ID of the Tailscale auth key that the exit node VM joined the tailnet with.
- Description: The ID of the main VPC.