Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/hawxy/cdk-tailscale-bastion
Deploys an AWS EC2 (Bastion Host) preconfigured for Tailscale access.
aws bastion cdk ec2 tailscale
Last synced: 1 day ago
- Host: GitHub
- URL: https://github.com/hawxy/cdk-tailscale-bastion
- Owner: Hawxy
- License: apache-2.0
- Created: 2022-07-03T08:47:45.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-11-01T00:39:06.000Z (14 days ago)
- Last Synced: 2024-11-01T01:24:07.220Z (14 days ago)
- Topics: aws, bastion, cdk, ec2, tailscale
- Language: TypeScript
- Homepage:
- Size: 447 KB
- Stars: 25
- Watchers: 3
- Forks: 6
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# cdk-tailscale-bastion
![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/Hawxy/cdk-tailscale-bastion/build.yml?label=Build%20%26%20Release&style=flat-square)
[![npm](https://img.shields.io/npm/v/cdk-tailscale-bastion?style=flat-square)](https://www.npmjs.com/package/cdk-tailscale-bastion)
[![Nuget](https://img.shields.io/nuget/v/CDK.Tailscale.Bastion?style=flat-square)](https://www.nuget.org/packages/CDK.Tailscale.Bastion/)

This package creates an AWS EC2 (Bastion) configured for Tailscale. This covers the [Tailscale AWS VPC guide](https://tailscale.com/kb/1021/install-aws/) as well as most of the [Tailscale RDS guide](https://tailscale.com/kb/1141/aws-rds/).
Using Tailscale to access your VPC permits high performance connectivity whilst avoiding SSH or the overhead & limitations of Session Manager.
## Installation
JS/TS: `npm i cdk-tailscale-bastion -D`
C#: `dotnet add package CDK.Tailscale.Bastion`
## Instructions
The Tailscale Auth key should be passed in via secrets manager and NOT hardcoded in your application.
```typescript
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
import { TailscaleBastion } from 'cdk-tailscale-bastion';

// `stack` and `vpc` are your existing Stack and IVpc.
// Secrets Manager: the auth key is stored under the 'AUTH_KEY' key of the 'tailscale' secret.
const secret = Secret.fromSecretNameV2(stack, 'ApiSecrets', 'tailscale');

const bastion = new TailscaleBastion(stack, 'Sample-Bastion', {
  vpc,
  tailscaleCredentials: {
    secretsManager: {
      secret: secret,
      key: 'AUTH_KEY',
    },
  },
});
```
Whatever resource you intend to reach should permit connections from the bastion on the relevant port, naturally.
## Tailscale Auth Key
I recommend generating an Ephemeral key that includes the bastion as a tag for ease of teardown and tracking:
## Tailscale Configuration
Once deployed, unless you have [auto approval](https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes) enabled, you'll need to manually [enable the subnet routes](https://tailscale.com/kb/1019/subnets/#step-3-enable-subnet-routes-from-the-admin-console) in the Tailscale admin console.
You'll also need to set up the nameserver. The bastion construct conveniently outputs the settings you require for Tailscale's DNS configuration:
Given your configuration is correct, a direct connection to your internal resources should now be possible.
## 4via6 Support
If you wish to use [4via6 subnet routers](https://tailscale.com/kb/1201/4via6-subnets/), you can pass the IPv6 address via the `advertiseRoute` property:
```ts
new TailscaleBastion(stack, 'Cdk-Sample-Lib', {
  vpc,
  tailscaleCredentials: ...,
  advertiseRoute: 'fd7a:115c:a1e0:b1a:0:7:a01:100/120',
});
```

## Incoming routes
If you have other subnet routers configured in Tailscale, you can use the `incomingRoutes` property to configure VPC route table entries for all private subnets.
```ts
new TailscaleBastion(stack, 'Sample-Bastion', {
  vpc,
  tailscaleCredentials: ...,
  incomingRoutes: [
    '192.168.1.0/24',
  ],
});
```
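As an added example (not code from the cdk-tailscale-bastion project), the TypeScript below derives the 4via6 route string used by `advertiseRoute` in the 4via6 section above from a Tailscale site ID and an IPv4 CIDR, following the layout in Tailscale's 4via6 documentation, and validates the IPv4 CIDRs passed to `incomingRoutes`. The helper names `via6Route`, `parseIpv4Cidr` and `formatIpv6` are chosen here, and the 16-bit site ID range is an assumption.

```typescript
// Added example, not part of cdk-tailscale-bastion. Layout per Tailscale's 4via6 docs:
//   fd7a:115c:a1e0:b1a:0:<siteId>:<ipv4 as two hex groups>/<96 + ipv4 prefix length>
// Assumed: site IDs are 16-bit (0..65535); text form follows RFC 5952 (as Go's net.IP.String()).

function parseIpv4Cidr(cidr: string): { addr: number; bits: number } {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) throw new Error(`not an IPv4 CIDR: ${cidr}`);
  const octets = m.slice(1, 5).map(Number);
  const bits = Number(m[5]);
  if (octets.some((o) => o > 255) || bits > 32) throw new Error(`out of range: ${cidr}`);
  const addr = octets.reduce((acc, o) => ((acc << 8) | o) >>> 0, 0); // unsigned 32-bit
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  // A route must be a network address; host bits set usually means a typo in the CIDR.
  if (((addr & mask) >>> 0) !== addr) throw new Error(`host bits set in ${cidr}`);
  return { addr, bits };
}

// RFC 5952 text form: hex groups without leading zeros, longest run of >= 2 zero groups collapsed.
function formatIpv6(groups: number[]): string {
  let best = { start: -1, len: 0 };
  for (let i = 0; i < groups.length; ) {
    let j = i;
    while (j < groups.length && groups[j] === 0) j++;
    if (j - i >= 2 && j - i > best.len) best = { start: i, len: j - i };
    i = j > i ? j : i + 1;
  }
  const hex = groups.map((g) => g.toString(16));
  if (best.len === 0) return hex.join(':');
  return `${hex.slice(0, best.start).join(':')}::${hex.slice(best.start + best.len).join(':')}`;
}

function via6Route(siteId: number, ipv4Cidr: string): string {
  if (!Number.isInteger(siteId) || siteId < 0 || siteId > 0xffff) {
    throw new Error(`site ID must be an integer in 0..65535, got ${siteId}`);
  }
  const { addr, bits } = parseIpv4Cidr(ipv4Cidr);
  // Fixed ULA prefix, a zero group, the site ID, then the IPv4 address split into two groups.
  const groups = [0xfd7a, 0x115c, 0xa1e0, 0x0b1a, 0, siteId, addr >>> 16, addr & 0xffff];
  return `${formatIpv6(groups)}/${96 + bits}`;
}

// Site 7 advertising 10.1.1.0/24 reproduces the README's example route.
console.log(via6Route(7, '10.1.1.0/24')); // fd7a:115c:a1e0:b1a:0:7:a01:100/120
```

Feeding the returned string to `advertiseRoute`, and the validated IPv4 CIDRs to `incomingRoutes`, catches malformed routes at synth time rather than after deployment.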