Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jlucktay/terraform-google-tailscale-exit-node

Tailscale Exit Node on Google Cloud
https://github.com/jlucktay/terraform-google-tailscale-exit-node

exit-node google-cloud tailscale terraform terraform-module

Last synced: 7 days ago
JSON representation

Tailscale Exit Node on Google Cloud

Host: GitHub
URL: https://github.com/jlucktay/terraform-google-tailscale-exit-node
Owner: jlucktay
License: mit
Created: 2023-04-16T12:19:33.000Z (almost 2 years ago)
Default Branch: main
Last Pushed: 2024-08-28T05:20:15.000Z (6 months ago)
Last Synced: 2025-02-08T12:09:13.008Z (12 days ago)
Topics: exit-node, google-cloud, tailscale, terraform, terraform-module
Language: HCL
Homepage: https://registry.terraform.io/modules/jlucktay/tailscale-exit-node/google
Size: 53.7 KB
Stars: 7
Watchers: 3
Forks: 2
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS

Awesome Lists containing this project

README

        # Tailscale Exit Node on Google Cloud

Infrastructure for a Tailscale exit node.

- VM running Debian that will join the tailnet at launch and advertise as an exit node.

  - If [Device Approval](https://login.tailscale.com/admin/settings/device-management) is switched on, and/or the user

    generating the auth key is not set up as an `autoApprover` in tailnet policy, then the exit node will need to be

    manually approved on [the Machines tab of the Tailscale admin console](https://login.tailscale.com/admin/machines).

- Dedicated VPC network and subnet, and a firewall rule to allow SSHing into the exit node VM via Identity-Aware Proxy.

- Enablement of the necessary Google Cloud APIs/services.

## Usage

Both the Google Cloud and Tailscale providers will require authentication:

- For Tailscale, it is recommended to

  [set the `TAILSCALE_API_KEY` environment variable](https://registry.terraform.io/providers/tailscale/tailscale/latest/docs#api_key)

  with a [valid API access token](https://login.tailscale.com/admin/settings/keys) generated from the admin console.

  - The shell script executed by `null_resource.remove_previous_exit_node` will also make use of this

    `TAILSCALE_API_KEY` environment variable.

- Google Cloud provider authentication is

  [documented here](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication).

If the exit node VM needs to be rotated, into a different region for example, it is recommended to have Terraform

force-replace the `tailscale_tailnet_key` resource, like so:

```shell

terraform apply --replace=module.this.tailscale_tailnet_key.one_time_use

```

## Requirements

The following requirements are needed by this module:

-  [terraform](#requirement\_terraform) (~> 1.0)

-  [google](#requirement\_google) (~> 4.0)

-  [tailscale](#requirement\_tailscale) (~> 0.0)

## Providers

The following providers are used by this module:

-  [google](#provider\_google) (~> 4.0)

-  [null](#provider\_null)

-  [random](#provider\_random)

-  [tailscale](#provider\_tailscale) (~> 0.0)

## Modules

No modules.

## Resources

The following resources are used by this module:

- [google_compute_address.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_address) (resource)

- [google_compute_firewall.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) (resource)

- [google_compute_instance.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) (resource)

- [google_compute_network.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network) (resource)

- [google_compute_project_default_network_tier.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_project_default_network_tier) (resource)

- [google_compute_project_metadata_item.vm_manager_os_config](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_project_metadata_item) (resource)

- [google_compute_project_metadata_item.vm_metadata_guest_attributes](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_project_metadata_item) (resource)

- [google_compute_subnetwork.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork) (resource)

- [google_project_iam_member.vm_manager_logwriter](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) (resource)

- [google_project_service.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) (resource)

- [google_service_account.vm_manager](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) (resource)

- [null_resource.remove_previous_exit_node](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) (resource)

- [random_integer.region_selector](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) (resource)

- [tailscale_tailnet_key.one_time_use](https://registry.terraform.io/providers/tailscale/tailscale/latest/docs/resources/tailnet_key) (resource)

- [google_compute_image.debian](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_image) (data source)

- [google_compute_zones.region](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_zones) (data source)

- [google_project.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) (data source)

## Required Inputs

The following input variables are required:

###  [region](#input\_region)

Description: Google Cloud region to deploy resources in.

Type: `string`

## Optional Inputs

The following input variables are optional (have default values):

###  [enable\_apis](#input\_enable\_apis)

Description: Activate required API services for the Google Cloud project.

Type: `bool`

Default: `true`

###  [enable\_vm\_manager](#input\_enable\_vm\_manager)

Description: Activate [Google Cloud VM Manager](https://cloud.google.com/compute/docs/vm-manager).

Type: `bool`

Default: `false`

###  [use\_premium\_network\_tier](#input\_use\_premium\_network\_tier)

Description: Whether or not to use [Google Cloud's Premium Tier network](https://cloud.google.com/network-tiers/docs/overview).

Type: `bool`

Default: `false`

###  [labels](#input\_labels)

Description: A map of labels to apply to contained resources.

Type: `map(string)`

Default: `{}`

###  [healthchecks\_io\_uuid](#input\_healthchecks\_io\_uuid)

Description: UUID of a check at Healthchecks.io that the exit node VM will poll every 15 minutes with curl from a cron job. If left unset then the check will not be set up.

Type: `string`

Default: `""`

## Outputs

The following outputs are exported:

###  [enabled\_apis](#output\_enabled\_apis)

Description: The service APIs that have been enabled by this module.

###  [instance\_id](#output\_instance\_id)

Description: The ID of the exit node VM.

###  [instance\_public\_ip](#output\_instance\_public\_ip)

Description: The public IP address of the exit node VM.

###  [instance\_ssh\_command](#output\_instance\_ssh\_command)

Description: The command line to run for SSH access into the exit node VM.

###  [subnet\_id](#output\_subnet\_id)

Description: The ID of the regional subnet.

###  [tailscale\_key\_id](#output\_tailscale\_key\_id)

Description: The ID of the Tailscale auth key that the exit node VM joined the tailnet with.

###  [vm\_manager\_service\_account\_id](#output\_vm\_manager\_service\_account\_id)

Description: The ID of the service account attached to the VM. If the `enable_vm_manager` input variable is set to `true` then this SA will also enable VM Manager.

###  [vpc\_id](#output\_vpc\_id)

Description: The ID of the main VPC.