From 32a5e5bdd05c16b6ed78624cad31180e39cb1bf9 Mon Sep 17 00:00:00 2001
From: Cameron Stokes
Date: Fri, 12 Apr 2024 17:25:05 -0700
Subject: [PATCH 1/4] terraform, aws: open 41641 ingress port
---
 terraform/aws/internal-modules/aws-vpc/main.tf | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/terraform/aws/internal-modules/aws-vpc/main.tf b/terraform/aws/internal-modules/aws-vpc/main.tf
index d501937..9105fcc 100644
--- a/terraform/aws/internal-modules/aws-vpc/main.tf
+++ b/terraform/aws/internal-modules/aws-vpc/main.tf
@@ -62,3 +62,13 @@ resource "aws_security_group_rule" "internal_vpc_ingress_ipv6" {
 protocol = "-1"
 ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block]
 }
+
+resource "aws_security_group_rule" "tailscale_ingress" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "ingress"
+ from_port = 41641
+ to_port = 41641
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+}
From a98e4e47de9a1988602fde975c30a0fb4cdd2871 Mon Sep 17 00:00:00 2001
From: Cameron Stokes
Date: Sun, 14 Apr 2024 15:53:01 -0700
Subject: [PATCH 2/4] terraform, azure: open 41641 ingress port
---
 .../internal-modules/azure-linux-vm/main.tf | 25 ++++++++++++++++---
 .../azure-linux-vm/variables.tf | 5 ----
 2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/terraform/azure/internal-modules/azure-linux-vm/main.tf b/terraform/azure/internal-modules/azure-linux-vm/main.tf
index 77d3143..56217da 100644
--- a/terraform/azure/internal-modules/azure-linux-vm/main.tf
+++ b/terraform/azure/internal-modules/azure-linux-vm/main.tf
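Review bot: The new `tailscale_ingress` rule carries no `description`, so anyone reviewing the security group later sees UDP 41641 open to `0.0.0.0/0` and `::/0` with no record of why; add `description = "Tailscale direct-connection UDP port; Internet-reachable by design for NAT traversal"`. The port is a literal here and again in the Azure and Google hunks of this series, so a module input (for example a new `tailscale_port` variable defaulting to 41641) would keep the three clouds in step and let a non-default port be expressed in one place. Because this rule is intentionally world-reachable, its justification belongs on the resource rather than only in the commit subject.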
@@ -34,11 +34,28 @@ resource "azurerm_network_interface" "primary" {
 enable_ip_forwarding = module.tailscale_install_scripts.ip_forwarding_required
 }
-resource "azurerm_network_interface_security_group_association" "primary" {
- count = length(var.network_security_group_ids)
-
+resource "azurerm_network_interface_security_group_association" "tailscale" {
 network_interface_id = azurerm_network_interface.primary.id
- network_security_group_id = var.network_security_group_ids[count.index]
+ network_security_group_id = azurerm_network_security_group.tailscale_ingress.id
+}
+
+resource "azurerm_network_security_group" "tailscale_ingress" {
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ name = "nsg-tailscale-ingress"
+
+ security_rule {
+ name = "AllowTailscaleInbound"
+ access = "Allow"
+ direction = "Inbound"
+ priority = 100
+ protocol = "Udp"
+ source_address_prefix = "Internet"
+ source_port_range = "*"
+ destination_address_prefix = "*"
+ destination_port_range = "41641"
+ }
 }
 resource "azurerm_linux_virtual_machine" "tailscale_instance" {
diff --git a/terraform/azure/internal-modules/azure-linux-vm/variables.tf b/terraform/azure/internal-modules/azure-linux-vm/variables.tf
index 9caeecf..336ec8c 100644
--- a/terraform/azure/internal-modules/azure-linux-vm/variables.tf
+++ b/terraform/azure/internal-modules/azure-linux-vm/variables.tf
@@ -25,11 +25,6 @@ variable "primary_subnet_id" {
 description = "The primary subnet (typically PUBLIC) to assign to the virtual machine"
 type = string
 }
-variable "network_security_group_ids" {
- description = "The network security groups to assign to the virtual machine"
- type = list(string)
- default = []
-}
 variable "machine_size" {
 description = "The machine size to assign the virtual machine"
 type = string
From d08f84709c748542cf4d31209f3f35ab81ae5754 Mon Sep 17 00:00:00 2001
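Review bot: `name = "nsg-tailscale-ingress"` is a literal, and NSG names must be unique within a resource group, so a second instance of this module in the same resource group fails on create; derive it from the VM's name, e.g. `name = "nsg-tailscale-ingress-${VM_NAME_VAR}"` (placeholder for whichever module variable names the VM). Dropping `network_security_group_ids` (the variables.tf hunk of this patch) is a breaking change for existing callers and, because a NIC takes a single NSG association, it also removes their ability to attach a baseline NSG of their own: the VM now carries only this NSG, whose sole explicit rule is Internet-wide UDP 41641 on top of Azure's default rules. If that is intended, the module documentation should state it; otherwise keep the input or expose `azurerm_network_security_group.tailscale_ingress.id` as an output so callers can compose. The `security_rule` would also benefit from a `description`, e.g. `description = "Tailscale direct-connection UDP port; Internet-reachable by design"`. The `azurerm_linux_virtual_machine` resource in the trailing context continues outside the hunk.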
From: Cameron Stokes
Date: Sun, 14 Apr 2024 16:27:29 -0700
Subject: [PATCH 3/4] terraform, google: open 41641 ingress port, add public IP
---
 .../internal-modules/azure-linux-vm/main.tf | 2 +-
 .../google-compute-instance/main.tf | 46 ++++++++++++++++++-
 2 files changed, 46 insertions(+), 2 deletions(-)
diff --git a/terraform/azure/internal-modules/azure-linux-vm/main.tf b/terraform/azure/internal-modules/azure-linux-vm/main.tf
index 56217da..e3b95fa 100644
--- a/terraform/azure/internal-modules/azure-linux-vm/main.tf
+++ b/terraform/azure/internal-modules/azure-linux-vm/main.tf
@@ -43,7 +43,7 @@ resource "azurerm_network_security_group" "tailscale_ingress" {
 location = var.location
 resource_group_name = var.resource_group_name
- name = "nsg-tailscale-ingress"
+ name = "nsg-tailscale-ingress"
 security_rule {
 name = "AllowTailscaleInbound"
diff --git a/terraform/google/internal-modules/google-compute-instance/main.tf b/terraform/google/internal-modules/google-compute-instance/main.tf
index 5cbb65e..d67ac04 100644
--- a/terraform/google/internal-modules/google-compute-instance/main.tf
+++ b/terraform/google/internal-modules/google-compute-instance/main.tf
@@ -17,6 +17,48 @@ module "tailscale_install_scripts" {
 additional_after_scripts = var.additional_after_scripts
 }
+data "google_compute_subnetwork" "selected" {
+ self_link = "https://www.googleapis.com/compute/v1/${var.subnet}" # requires full URL - https://github.com/hashicorp/terraform-provider-google/issues/9919
+}
+
+resource "google_compute_firewall" "tailscale_ingress_ipv4" {
+ name = "tailscale-ingress-ipv4"
+ network = data.google_compute_subnetwork.selected.network
+
+ allow {
+ protocol = "udp"
+ ports = ["41641"]
+ }
+
+ source_ranges = [
+ "0.0.0.0/0",
+ ]
+ target_tags = var.instance_tags
+
+ log_config { #TODO: remove
+ metadata = "INCLUDE_ALL_METADATA"
+ }
+}
+
+resource "google_compute_firewall" "tailscale_ingress_ipv6" {
+ name = "tailscale-ingress-ipv6"
+ network = data.google_compute_subnetwork.selected.network
+
+ allow {
+ protocol = "udp"
+ ports = ["41641"]
+ }
+
+ source_ranges = [
+ "::/0",
+ ]
+ target_tags = var.instance_tags
+
+ log_config { #TODO: remove
+ metadata = "INCLUDE_ALL_METADATA"
+ }
+}
+
 data "google_compute_image" "ubuntu" {
 project = "ubuntu-os-cloud"
 family = "ubuntu-2204-lts"
@@ -27,7 +69,6 @@ resource "google_compute_instance" "tailscale_instance" {
 name = var.machine_name
 machine_type = var.machine_type
-
 boot_disk {
 initialize_params {
 image = data.google_compute_image.ubuntu.self_link
@@ -36,6 +77,9 @@ resource "google_compute_instance" "tailscale_instance" {
 network_interface {
 subnetwork = var.subnet
+ access_config {
+ // Ephemeral public IP
+ }
 }
 metadata = var.instance_metadata
From 6679b8bb16124b2784c0b94cb9a83a78adf61eb7 Mon Sep 17 00:00:00 2001
From: Cameron Stokes
Date: Sun, 14 Apr 2024 16:29:51 -0700
Subject: [PATCH 4/4] remove TODOs
---
 .../internal-modules/google-compute-instance/main.tf | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/terraform/google/internal-modules/google-compute-instance/main.tf b/terraform/google/internal-modules/google-compute-instance/main.tf
index d67ac04..240010c 100644
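Review bot: `target_tags = var.instance_tags` scopes these Internet-wide UDP 41641 rules only while the list is non-empty; a GCP firewall rule with no targets applies to every instance in the network, and an empty list from the caller is presumably sent as no targets (worth confirming against the provider), so a `validation` block on `instance_tags` requiring at least one tag, or a `lifecycle { precondition }` on both firewall resources, would stop the rule widening silently. The names `"tailscale-ingress-ipv4"` and `"tailscale-ingress-ipv6"` are literals and firewall names are unique per project, so a second module instance in the same project collides on create; suffix them with `var.machine_name`, which the instance resource further down already uses, e.g. `name = "tailscale-ingress-ipv4-${var.machine_name}"`. A `description` on each rule recording that the world-wide source range is intended for Tailscale's direct connections would help whoever audits the project's firewall rules later. The same naming and description points apply to the ipv6 resource in this hunk.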
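Review bot: The empty `access_config {}` block gives every instance created by this module an ephemeral public IP unconditionally, which changes the exposure of existing callers on their next apply; the plan output for an existing instance should be checked before this lands. Consider gating it behind a new boolean variable with `dynamic "access_config" { for_each = var.assign_public_ip ? [1] : [] content {} }`, defaulting to true if the public address is required for the Tailscale direct path, so callers who front the instance differently can opt out. The `google_compute_instance` resource continues outside the hunk on both sides.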
--- a/terraform/google/internal-modules/google-compute-instance/main.tf
+++ b/terraform/google/internal-modules/google-compute-instance/main.tf
@@ -34,10 +34,6 @@ resource "google_compute_firewall" "tailscale_ingress_ipv4" {
 "0.0.0.0/0",
 ]
 target_tags = var.instance_tags
-
- log_config { #TODO: remove
- metadata = "INCLUDE_ALL_METADATA"
- }
 }
 resource "google_compute_firewall" "tailscale_ingress_ipv6" {
@@ -53,10 +49,6 @@ resource "google_compute_firewall" "tailscale_ingress_ipv6" {
 "::/0",
 ]
 target_tags = var.instance_tags
-
- log_config { #TODO: remove
- metadata = "INCLUDE_ALL_METADATA"
- }
 }
 data "google_compute_image" "ubuntu" {