pulumi, aws-lambda-device-approval-handler: add example (#15)

Author: clstokes

pulumi/README.md

@@ -0,0 +1,13 @@
+# pulumi
+
+## Overview
+
+This directory contains [Pulumi](https://www.pulumi.com) examples for common Tailscale deployments across Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
+
+## Prerequisites
+
+The examples assume prior experience with Pulumi - its concepts, operations, and configuration.
+
+## To use
+
+Each example subdirectory contains a readme explaining its use.

pulumi/aws/aws-lambda-device-approval-handler/.gitignore

@@ -0,0 +1,3 @@
+/bin/
+/node_modules/
+**/Pulumi.*.yaml

pulumi/aws/aws-lambda-device-approval-handler/Pulumi.yaml

@@ -0,0 +1,7 @@
+name: aws-lambda-device-approval-handler
+runtime: nodejs
+description: Example of handling a Tailscale Device Approval Webhook in Lambda
+config:
+  pulumi:tags:
+    value:
+      pulumi:template: aws-typescript

pulumi/aws/aws-lambda-device-approval-handler/README.md

@@ -0,0 +1,29 @@
+# aws-lambda-device-approval-handler
+
+This example creates the following:
+
+- a API Gateway REST API
+- a Lambda function to receive [Tailscale webhooks](https://tailscale.com/kb/1213/webhooks) and approve devices based on device details and attributes
+
+## To use
+
+Follow the documentation to configure the Terraform providers:
+
+- [AWS](https://www.pulumi.com/registry/packages/aws/installation-configuration/)
+
+### Deploy
+
+Create a [Tailscale OAuth Client](https://tailscale.com/kb/1215/oauth-clients#setting-up-an-oauth-client) with scope `all` and provide the client ID and client secret with `pulumi config set ...` as shown below.
+
+```shell
+pulumi stack init
+pulumi config set tailscaleOauthClientId
+pulumi config set tailscaleOauthClientSecret --secret
+pulumi up
+```
+
+## To destroy
+
+```shell
+pulumi down
+```

pulumi/aws/aws-lambda-device-approval-handler/handler.ts

@@ -0,0 +1,213 @@
+import { APIGatewayProxyEvent, APIGatewayProxyResult } from "aws-lambda";
+
+export async function lambdaHandler(ev: APIGatewayProxyEvent): Promise<APIGatewayProxyResult> {
+    // TODO: https://tailscale.com/kb/1213/webhooks#verifying-an-event-signature
+    // console.log(`Received event: ${JSON.stringify(ev)}`); // TODO: add verbose logging flag?
+
+    let processedCount = 0;
+    let ignoredCount = 0;
+    let erroredCount = 0;
+    try {
+        let decodedBody = ev.body;
+        if (ev.isBase64Encoded) {
+            decodedBody = Buffer.from(ev.body!, 'base64').toString('utf8');
+        }
+        const tailnetEvents: TailnetEvent[] = JSON.parse(decodedBody!);
+        const results: ProcessingResult[] = [];
+        for (const event of tailnetEvents) {
+            try {
+                switch (event.type) { // https://tailscale.com/kb/1213/webhooks#events
+                    case "nodeNeedsApproval":
+                        results.push(await nodeNeedsApprovalHandler(event));
+                        break;
+                    default:
+                        results.push(await unhandledHandler(event));
+                        break;
+                }
+            }
+            catch (err: any) {
+                results.push({ event: event, result: "ERROR", error: err, } as ProcessingResult);
+            }
+        }
+        results.forEach(it => {
+            switch (it.result) {
+                case "SUCCESS":
+                    processedCount++;
+                    break;
+                case "IGNORED":
+                    ignoredCount++;
+                    break;
+                case "ERROR":
+                    console.log(`Error processing event [${JSON.stringify(it.event)}]: ${it.error}`);
+                    erroredCount++;
+                    break;
+            }
+        });
+
+        return generateResponseBody((erroredCount > 0 ? 500 : 200), ev, processedCount, erroredCount, ignoredCount);
+    } catch (err) {
+        console.log(err);
+        return generateResponseBody(500, ev, processedCount, erroredCount, ignoredCount);
+    }
+}
+
+function generateResponseBody(statusCode: number, ev: APIGatewayProxyEvent, processedCount: number, erroredCount: number, ignoredCount: number): APIGatewayProxyResult {
+    const result = {
+        statusCode: statusCode,
+        body: JSON.stringify({
+            message: (statusCode == 200 ? "ok" : "An error occurred."),
+            // requestId: ev.requestContext.requestId, // TODO: This requestId doesn't match what's in the lambda logs.
+            eventResults: {
+                processed: processedCount,
+                errored: erroredCount,
+                ignored: ignoredCount,
+            },
+        }),
+    };
+    console.log(`returning response: ${JSON.stringify(result)}`);
+    return result
+}
+
+async function unhandledHandler(event: TailnetEvent): Promise<ProcessingResult> {
+    console.log(`Ignoring event type [${event.type}]`);
+    return { event: event, result: "IGNORED", } as ProcessingResult;
+}
+
+async function nodeNeedsApprovalHandler(event: TailnetEvent): Promise<ProcessingResult> {
+    try {
+        console.log(`Handling event type [${event.type}]`);
+
+        const eventData = event.data as TailnetEventDeviceData;
+
+        // get device details and attributes
+        const deviceResponse = await getDevice(eventData);
+        if (!deviceResponse.ok) {
+            throw new Error(`Failed to get device [${eventData.nodeID}]`);
+        }
+
+        const attributesResponse = await getDeviceAttributes(eventData);
+        if (!attributesResponse.ok) {
+            throw new Error(`Failed to get device attributes [${eventData.nodeID}]`);
+        }
+
+        // inspect device details
+        const deviceResponseJson = await deviceResponse.json();
+        console.log(`Device response [${JSON.stringify(deviceResponseJson)}]`);
+        const attributesResponseJson = await attributesResponse.json();
+        console.log(`Device attributes response [${JSON.stringify(attributesResponseJson)}]`);
+
+        /**
+         * Customize approval logic here.
+         */
+        if (
+            ["windows", "macos", "linux"].includes(attributesResponseJson["attributes"]["node:os"])
+            && attributesResponseJson["attributes"]["node:tsReleaseTrack"] == "stable"
+        ) {
+            // approve device
+            await approveDevice(eventData);
+        }
+        else {
+            console.log(`NOT approving device [${eventData.nodeID}:${eventData.deviceName}] with attributes [${JSON.stringify(attributesResponseJson)}]`);
+        }
+
+        return { event: event, result: "SUCCESS", } as ProcessingResult;
+    } catch (err: any) {
+        return { event: event, result: "ERROR", error: err, } as ProcessingResult;
+    }
+}
+
+export const ENV_TAILSCALE_OAUTH_CLIENT_ID = "OAUTH_CLIENT_ID";
+export const ENV_TAILSCALE_OAUTH_CLIENT_SECRET = "OAUTH_CLIENT_SECRET";
+const TAILSCALE_CONTROL_URL = "https://login.tailscale.com";
+
+// https://github.com/tailscale/tailscale/blob/main/publicapi/device.md#get-device-posture-attributes
+async function getDeviceAttributes(event: TailnetEventDeviceData): Promise<Response> {
+    console.log(`Getting device attributes [${event.nodeID}]`);
+    const data = await makeAuthenticatedRequest("GET", `${TAILSCALE_CONTROL_URL}/api/v2/device/${event.nodeID}/attributes`);
+    if (!data.ok) {
+        throw new Error(`Failed to get device [${event.nodeID}]`);
+    }
+    return data;
+}
+
+// https://github.com/tailscale/tailscale/blob/main/publicapi/device.md#get-device
+async function getDevice(event: TailnetEventDeviceData): Promise<Response> {
+    console.log(`Getting device [${event.nodeID}]`);
+    const data = await makeAuthenticatedRequest("GET", `${TAILSCALE_CONTROL_URL}/api/v2/device/${event.nodeID}`);
+    if (!data.ok) {
+        throw new Error(`Failed to get device [${event.nodeID}]`);
+    }
+    return data;
+}
+
+// https://github.com/tailscale/tailscale/blob/main/publicapi/device.md#authorize-device
+async function approveDevice(device: TailnetEventDeviceData) {
+    console.log(`Approving device [${device.nodeID}:${device.deviceName}]`);
+    const data = await makeAuthenticatedRequest("POST", `${TAILSCALE_CONTROL_URL}/api/v2/device/${device.nodeID}/authorized`, JSON.stringify({ "authorized": true }));
+    if (!data.ok) {
+        throw new Error(`Failed to approve device [${device.nodeID}:${device.deviceName}]`);
+    }
+}
+
+// https://tailscale.com/kb/1215/oauth-clients
+export async function getAccessToken(): Promise<Response> {
+    const oauthClientId = process.env[ENV_TAILSCALE_OAUTH_CLIENT_ID];
+    const oauthClientSecret = process.env[ENV_TAILSCALE_OAUTH_CLIENT_SECRET];
+    if (!oauthClientId || !oauthClientSecret) {
+        throw new Error(`Missing required environment variables [${ENV_TAILSCALE_OAUTH_CLIENT_ID}] and [${ENV_TAILSCALE_OAUTH_CLIENT_SECRET}]. See https://tailscale.com/kb/1215/oauth-clients.`);
+    }
+
+    const options: RequestInit = {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: `client_id=${oauthClientId}&client_secret=${oauthClientSecret}`,
+    };
+
+    // console.log(`getting access token`);
+    const data = await httpsRequest(`${TAILSCALE_CONTROL_URL}/api/v2/oauth/token`, options);
+    if (!data.ok) {
+        throw new Error(`Failed to get an access token.`);
+    }
+    return data;
+}
+
+const makeAuthenticatedRequest = async function (method: "GET" | "POST", url: string, body?: string): Promise<Response> {
+    const accessTokenResponse = await getAccessToken();
+    const result = await accessTokenResponse.json();
+
+    const options: RequestInit = {
+        method: method,
+        headers: { "Authorization": `Bearer ${result.access_token}` },
+        body: body,
+    };
+
+    return await httpsRequest(url, options);
+}
+
+async function httpsRequest(url: string, options: any): Promise<Response> {
+    // console.log(`Making HTTP request to [${url}] with options [${JSON.stringify(options)}]`); // TODO: add verbose logging flag?
+    return await fetch(url, options);
+}
+
+interface TailnetEvent {
+    timestamp: string;
+    version: number;
+    type: string;
+    tailnet: string;
+    message: string;
+    data: any
+};
+
+interface TailnetEventDeviceData {
+    nodeID: string;
+    deviceName: string;
+    managedBy: string;
+    actor: string;
+    url: string;
+};
+
+interface ProcessingResult {
+    event: TailnetEvent;
+    result: "SUCCESS" | "ERROR" | "IGNORED";
+    error?: Error;
+};

pulumi/aws/aws-lambda-device-approval-handler/handlerPulumi.ts

@@ -0,0 +1,21 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as aws from "@pulumi/aws";
+
+import * as handler from "./handler";
+
+const pulumiConfig = new pulumi.Config();
+
+export const getPulumiHandler = (name: string) => {
+    return new aws.lambda.CallbackFunction(name, {
+        environment: {
+            variables: {
+                [handler.ENV_TAILSCALE_OAUTH_CLIENT_ID]: pulumiConfig.require("tailscaleOauthClientId"),
+                [handler.ENV_TAILSCALE_OAUTH_CLIENT_SECRET]: pulumiConfig.requireSecret("tailscaleOauthClientSecret"),
+            },
+        },
+        runtime: "nodejs20.x",
+        callback: async (ev: any, ctx) => {
+            return handler.lambdaHandler(ev);
+        },
+    });
+};

pulumi/aws/aws-lambda-device-approval-handler/index.ts

@@ -0,0 +1,19 @@
+import * as apigateway from "@pulumi/aws-apigateway";
+import * as path from 'path';
+import * as handler from "./handlerPulumi";
+
+const name = `example-${path.basename(process.cwd())}`;
+
+const api = new apigateway.RestAPI(name, {
+    stageName: "tailscale-device-approval",
+    binaryMediaTypes: ["application/json"],
+    routes: [
+        {
+            path: "/",
+            method: "POST",
+            eventHandler: handler.getPulumiHandler(`${name}-fn`),
+        },
+    ],
+});
+
+export const url = api.url;