diff --git a/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf b/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf index c62a2af..410685e 100644 --- a/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf +++ b/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf @@ -90,7 +90,7 @@ module "tailscale_aws_ec2_autoscaling" { tailscale_set_preferences = local.tailscale_set_preferences depends_on = [ - module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available + module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available ] } diff --git a/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf b/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf index 4cb7dc8..80f1277 100644 --- a/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf +++ b/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf @@ -190,7 +190,7 @@ module "tailscale_aws_ec2_autoscaling" { ] depends_on = [ - module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available + module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available ] } diff --git a/terraform/aws/aws-ec2-autoscaling/main.tf b/terraform/aws/aws-ec2-autoscaling/main.tf index 45f84cb..df1c205 100644 --- a/terraform/aws/aws-ec2-autoscaling/main.tf +++ b/terraform/aws/aws-ec2-autoscaling/main.tf @@ -78,7 +78,7 @@ module "tailscale_aws_ec2_autoscaling" { tailscale_set_preferences = local.tailscale_set_preferences depends_on = [ - module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available + module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available ] } diff --git a/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf b/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf index 0be5620..d9bccaa 100644 
--- a/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf +++ b/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf @@ -68,7 +68,7 @@ module "tailscale_aws_ec2" { tailscale_set_preferences = local.tailscale_set_preferences depends_on = [ - module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available + module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available ] } diff --git a/terraform/aws/aws-ec2-instance/main.tf b/terraform/aws/aws-ec2-instance/main.tf index 93e6771..f243b0c 100644 --- a/terraform/aws/aws-ec2-instance/main.tf +++ b/terraform/aws/aws-ec2-instance/main.tf @@ -65,7 +65,7 @@ module "tailscale_aws_ec2" { tailscale_set_preferences = local.tailscale_set_preferences depends_on = [ - module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available + module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available ] } diff --git a/terraform/aws/internal-modules/aws-vpc/outputs.tf b/terraform/aws/internal-modules/aws-vpc/outputs.tf index c523e3a..8930437 100644 --- a/terraform/aws/internal-modules/aws-vpc/outputs.tf +++ b/terraform/aws/internal-modules/aws-vpc/outputs.tf @@ -25,9 +25,9 @@ output "nat_public_ips" { value = module.vpc.nat_public_ips } -output "natgw_ids" { +output "nat_ids" { description = "Useful for using within `depends_on` for other resources" - value = module.vpc.natgw_ids + value = module.vpc.nat_ids } output "public_route_table_ids" { diff --git a/terraform/azure/azure-linux-vm/main.tf b/terraform/azure/azure-linux-vm/main.tf index d6b4d33..f2e958c 100644 --- a/terraform/azure/azure-linux-vm/main.tf +++ b/terraform/azure/azure-linux-vm/main.tf 
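Review bot: The renamed output in aws-vpc/outputs.tf also changes what it reads, from `module.vpc.natgw_ids` to `module.vpc.nat_ids`, and if the wrapped module is terraform-aws-modules/vpc those are two different outputs (`natgw_ids` is the list of NAT gateway IDs, `nat_ids` the list of EIP allocation IDs). Every example's `depends_on` would then wait for the Elastic IPs rather than for the NAT gateways the inline comment promises, which is exactly the ordering the output description exists for. Keeping `value = module.vpc.natgw_ids` under the new `nat_ids` output name preserves the dependency while still giving the AWS and Azure wrappers a common output name; the Azure counterpart in azure-network/outputs.tf only renames and keeps its value (`azurerm_nat_gateway.nat.*.id`). If the internal module wraps something else, please confirm which upstream output carries the gateway IDs before merging.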
@@ -1,9 +1,36 @@ locals { name = "example-${basename(path.cwd)}" - tags = { + azure_tags = { Name = local.name } + + tailscale_acl_tags = [ + "tag:example-infra", + "tag:example-exitnode", + "tag:example-subnetrouter", + "tag:example-appconnector", + ] + tailscale_set_preferences = [ + "--auto-update", + "--ssh", + "--advertise-connector", + "--advertise-exit-node", + "--advertise-routes=${join(",", coalescelist( + local.vpc_cidr_block, + ))}", + ] + + // Modify these to use your own VPC + resource_group_name = azurerm_resource_group.main.name + location = azurerm_resource_group.main.location + + vpc_cidr_block = module.vpc.vnet_address_space + vpc_id = module.vpc.vnet_id + subnet_id = module.vpc.public_subnet_id + network_security_group_id = azurerm_network_security_group.tailscale_ingress.id + instance_type = "Standard_DS1_v2" + admin_public_key_path = var.admin_public_key_path } resource "azurerm_resource_group" "main" { @@ -11,14 +38,14 @@ resource "azurerm_resource_group" "main" { name = local.name } -module "network" { +module "vpc" { source = "../internal-modules/azure-network" name = local.name - tags = local.tags + tags = local.azure_tags - location = azurerm_resource_group.main.location - resource_group_name = azurerm_resource_group.main.name + location = local.location + resource_group_name = local.resource_group_name cidrs = ["10.0.0.0/22"] subnet_cidrs = [ 
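Review bot: The new `vpc_id = module.vpc.vnet_id` local in azure-linux-vm/main.tf is not referenced by anything in the visible hunks of this file; if nothing outside the diff uses it, it is dead, and if it is meant as the "own VPC" hook it should be what the consumers reference (the GCP example in google-compute-instance/main.tf has the opposite problem and is noted there). The `// Modify these to use your own VPC` comment also uses the `//` form while the rest of this file and the GCP example use `#` (`# public subnet`, `# Variables for Tailscale resources`); `# Modify these to use your own VNet` keeps the style consistent and uses the Azure term. The same `//` comment is added in the google-compute-instance/main.tf locals hunk.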
@@ -39,40 +66,49 @@ resource "tailscale_tailnet_key" "main" { preauthorized = true reusable = true recreate_if_invalid = "always" - tags = [ - "tag:example-infra", - "tag:example-exitnode", - "tag:example-subnetrouter", - "tag:example-appconnector", - ] + tags = local.tailscale_acl_tags } module "tailscale_azure_linux_virtual_machine" { source = "../internal-modules/azure-linux-vm" - location = azurerm_resource_group.main.location - resource_group_name = azurerm_resource_group.main.name + location = local.location + resource_group_name = local.resource_group_name # public subnet - primary_subnet_id = module.network.public_subnet_id + primary_subnet_id = local.subnet_id + network_security_group_id = local.network_security_group_id machine_name = local.name - machine_size = "Standard_DS1_v2" - admin_public_key_path = var.admin_public_key_path - resource_tags = local.tags + machine_size = local.instance_type + admin_public_key_path = local.admin_public_key_path + resource_tags = local.azure_tags # Variables for Tailscale resources - tailscale_hostname = local.name - tailscale_auth_key = tailscale_tailnet_key.main.key - tailscale_set_preferences = [ - "--auto-update", - "--ssh", - "--advertise-connector", - "--advertise-exit-node", - "--advertise-routes=${join(",", module.network.vnet_address_space)}", - ] + tailscale_hostname = local.name + tailscale_auth_key = tailscale_tailnet_key.main.key + tailscale_set_preferences = local.tailscale_set_preferences depends_on = [ - module.network.natgw_ids, # for private subnets - ensure NAT gateway is available before instance provisioning + module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available ] } + +resource "azurerm_network_security_group" "tailscale_ingress" { + location = local.location + resource_group_name = local.resource_group_name + + name = "nsg-tailscale-ingress" + + security_rule { + name = "AllowTailscaleInbound" + access = "Allow" + direction = "Inbound" + priority 
= 100 + protocol = "Udp" + source_address_prefix = "Internet" + source_port_range = "*" + destination_address_prefix = "*" + destination_port_range = "41641" + } +} diff --git a/terraform/azure/azure-linux-vm/outputs.tf b/terraform/azure/azure-linux-vm/outputs.tf index 7d0ffb2..f228bc9 100644 --- a/terraform/azure/azure-linux-vm/outputs.tf +++ b/terraform/azure/azure-linux-vm/outputs.tf @@ -1,20 +1,20 @@ output "vpc_id" { - value = module.network.vnet_id + value = module.vpc.vnet_id } output "nat_public_ips" { - value = module.network.nat_public_ips + value = module.vpc.nat_public_ips } output "public_subnet_id" { - value = module.network.public_subnet_id + value = module.vpc.public_subnet_id } output "private_subnet_id" { - value = module.network.private_subnet_id + value = module.vpc.private_subnet_id } output "private_dns_resolver_inbound_endpoint_ip" { - value = module.network.private_dns_resolver_inbound_endpoint_ip + value = module.vpc.private_dns_resolver_inbound_endpoint_ip } output "internal_domain_name_suffix" { value = module.tailscale_azure_linux_virtual_machine.internal_domain_name_suffix diff --git a/terraform/azure/internal-modules/azure-linux-vm/main.tf b/terraform/azure/internal-modules/azure-linux-vm/main.tf index 34f4445..bb0577d 100644 --- a/terraform/azure/internal-modules/azure-linux-vm/main.tf +++ b/terraform/azure/internal-modules/azure-linux-vm/main.tf 
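Review bot: The `azurerm_network_security_group.tailscale_ingress` resource moved into the example carries no explanation of why an Internet-wide inbound rule on UDP 41641 is deliberate, which is the first thing a reader hardening an example will question; a comment above the `security_rule` block such as `# UDP 41641 is the port tailscaled uses for direct peer connections; peers arrive from arbitrary Internet addresses, so narrow source_address_prefix only if inbound direct connections are not required` would document the intent (the same applies to the two `google_compute_firewall` rules with `0.0.0.0/0` and `::/0` in google-compute-instance/main.tf). The NSG name is also still the hard-coded `nsg-tailscale-ingress`, whereas the moved GCP rules were given a `${local.name}-` prefix; `name = "${local.name}-nsg-tailscale-ingress"` would keep the examples parallel. Nothing in this hunk changes the rule itself, so the exposure is unchanged from the internal module it was lifted from.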
@@ -28,26 +28,7 @@ resource "azurerm_network_interface" "primary" { resource "azurerm_network_interface_security_group_association" "tailscale" { network_interface_id = azurerm_network_interface.primary.id - network_security_group_id = azurerm_network_security_group.tailscale_ingress.id -} - -resource "azurerm_network_security_group" "tailscale_ingress" { - location = var.location - resource_group_name = var.resource_group_name - - name = "nsg-tailscale-ingress" - - security_rule { - name = "AllowTailscaleInbound" - access = "Allow" - direction = "Inbound" - priority = 100 - protocol = "Udp" - source_address_prefix = "Internet" - source_port_range = "*" - destination_address_prefix = "*" - destination_port_range = "41641" - } + network_security_group_id = var.network_security_group_id } resource "azurerm_linux_virtual_machine" "tailscale_instance" { diff --git a/terraform/azure/internal-modules/azure-linux-vm/variables.tf b/terraform/azure/internal-modules/azure-linux-vm/variables.tf index 336ec8c..82652bb 100644 --- a/terraform/azure/internal-modules/azure-linux-vm/variables.tf +++ b/terraform/azure/internal-modules/azure-linux-vm/variables.tf @@ -25,6 +25,10 @@ variable "primary_subnet_id" { description = "The primary subnet (typically PUBLIC) to assign to the virtual machine" type = string } +variable "network_security_group_id" { + description = "The network security group to assign to the virtual machine" + type = string +} variable "machine_size" { description = "The machine size to assign the virtual machine" type = string diff --git a/terraform/azure/internal-modules/azure-network/main.tf b/terraform/azure/internal-modules/azure-network/main.tf index 8a7097d..a6952af 100644 --- a/terraform/azure/internal-modules/azure-network/main.tf +++ b/terraform/azure/internal-modules/azure-network/main.tf 
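Review bot: The new `network_security_group_id` variable in internal-modules/azure-linux-vm/variables.tf has a description that does not say what the module does with it or that the caller is now responsible for the inbound rule the module used to create. Since main.tf in the same commit deletes the module-owned NSG and associates the supplied one with `azurerm_network_interface.primary`, a description like `"ID of the network security group to associate with the primary network interface; the module no longer creates one, so the caller must supply the inbound rules the Tailscale node needs (e.g. UDP 41641)"` records that contract for consumers other than the updated example. As a required `string` with no default, a caller that still relies on the old built-in NSG will fail at plan time rather than silently lose the rule, which is the right failure mode.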
@@ -1,4 +1,4 @@ -module "network" { +module "vpc" { # https://registry.terraform.io/modules/Azure/network/azurerm/latest source = "Azure/network/azurerm" version = ">= 5.0, < 6.0" @@ -37,28 +37,28 @@ module "network" { data "azurerm_subnet" "public" { resource_group_name = var.resource_group_name - virtual_network_name = module.network.vnet_name + virtual_network_name = module.vpc.vnet_name name = var.subnet_name_public - depends_on = [module.network.vnet_subnets] + depends_on = [module.vpc.vnet_subnets] } data "azurerm_subnet" "private" { resource_group_name = var.resource_group_name - virtual_network_name = module.network.vnet_name + virtual_network_name = module.vpc.vnet_name name = var.subnet_name_private - depends_on = [module.network.vnet_subnets] + depends_on = [module.vpc.vnet_subnets] } data "azurerm_subnet" "dns-inbound" { resource_group_name = var.resource_group_name - virtual_network_name = module.network.vnet_name + virtual_network_name = module.vpc.vnet_name name = var.subnet_name_private_dns_resolver - depends_on = [module.network.vnet_subnets] + depends_on = [module.vpc.vnet_subnets] } # # Private DNS resolver resources @@ -70,7 +70,7 @@ resource "azurerm_private_dns_resolver" "main" { name = var.name tags = var.tags - virtual_network_id = module.network.vnet_id + virtual_network_id = module.vpc.vnet_id } resource "azurerm_private_dns_resolver_inbound_endpoint" "main" { diff --git a/terraform/azure/internal-modules/azure-network/outputs.tf b/terraform/azure/internal-modules/azure-network/outputs.tf index 60791fe..68bb83e 100644 --- a/terraform/azure/internal-modules/azure-network/outputs.tf +++ b/terraform/azure/internal-modules/azure-network/outputs.tf 
@@ -1,14 +1,14 @@ output "vnet_id" { - value = module.network.vnet_id + value = module.vpc.vnet_id } output "vnet_name" { - value = module.network.vnet_name + value = module.vpc.vnet_name } output "vnet_address_space" { - value = module.network.vnet_address_space + value = module.vpc.vnet_address_space } output "vnet_subnets" { - value = module.network.vnet_subnets + value = module.vpc.vnet_subnets } output "public_subnet_id" { @@ -40,7 +40,7 @@ output "nat_public_ips" { value = azurerm_public_ip.nat.*.ip_address } -output "natgw_ids" { +output "nat_ids" { description = "Useful for using within `depends_on` for other resources" value = azurerm_nat_gateway.nat.*.id } diff --git a/terraform/google/google-compute-instance/main.tf b/terraform/google/google-compute-instance/main.tf index 5a4278a..31b8930 100644 --- a/terraform/google/google-compute-instance/main.tf +++ b/terraform/google/google-compute-instance/main.tf 
@@ -1,31 +1,54 @@ locals { - name = "example-${basename(path.cwd)}" - metadata = { + google_metadata = { Name = local.name } - tags = [] + + tailscale_acl_tags = [ + "tag:example-infra", + "tag:example-exitnode", + "tag:example-subnetrouter", + "tag:example-appconnector", + ] + tailscale_set_preferences = [ + "--auto-update", + "--ssh", + "--advertise-connector", + "--advertise-exit-node", + "--advertise-routes=${join(",", coalescelist( + local.vpc_cidr_block, + ))}", + ] + + // Modify these to use your own VPC + project_id = var.project_id + region = var.region + zone = var.zone + vpc_cidr_block = module.vpc.subnets_ips + subnet_id = module.vpc.subnets_ids[0] + instance_type = "e2-medium" + instance_tags = ["tailscale-instance"] } module "vpc" { source = "../internal-modules/google-vpc" - project_id = var.project_id - region = var.region + project_id = local.project_id + region = local.region name = local.name subnets = [ { - subnet_name = "subnet-${var.region}-10-0-121" + subnet_name = "subnet-${local.region}-10-0-121" subnet_ip = "10.0.121.0/24" - subnet_region = var.region + subnet_region = local.region }, { - subnet_name = "subnet-${var.region}-10-0-122" + subnet_name = "subnet-${local.region}-10-0-122" subnet_ip = "10.0.122.0/24" - subnet_region = var.region + subnet_region = local.region } ] } 
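Review bot: The line `name = "example-${basename(path.cwd)}"` in the google-compute-instance/main.tf locals hunk appears with a `-` marker and nothing on the new side redefines `name`, yet `local.name` is still referenced immediately below (`Name = local.name`) and throughout the module call and the new firewall rule names. If that marker is accurate and `name` is not defined in another `locals` block elsewhere in the file, every `local.name` reference fails at plan time; the Azure example in the same commit keeps its `name` line as unchanged context, which is what I would expect here too. Please confirm the intended new side is `name = "example-${basename(path.cwd)}"` retained as context rather than removed (the collapsed diff layout makes the marker hard to read with certainty).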
@@ -35,37 +58,56 @@ resource "tailscale_tailnet_key" "main" { preauthorized = true reusable = true recreate_if_invalid = "always" - tags = [ - "tag:example-infra", - "tag:example-exitnode", - "tag:example-subnetrouter", - "tag:example-appconnector", - ] + tags = local.tailscale_acl_tags } module "tailscale_instance" { source = "../internal-modules/google-compute-instance" - zone = var.zone + zone = local.zone machine_name = local.name - machine_type = "e2-medium" - subnet = module.vpc.subnets_ids[0] + machine_type = local.instance_type + subnet = local.subnet_id - instance_metadata = local.metadata - instance_tags = local.tags + instance_metadata = local.google_metadata + instance_tags = local.instance_tags # Variables for Tailscale resources - tailscale_hostname = local.name - tailscale_auth_key = tailscale_tailnet_key.main.key - tailscale_set_preferences = [ - "--auto-update", - "--ssh", - "--advertise-connector", - "--advertise-exit-node", - "--advertise-routes=${join(",", module.vpc.subnets_ips)}", - ] + tailscale_hostname = local.name + tailscale_auth_key = tailscale_tailnet_key.main.key + tailscale_set_preferences = local.tailscale_set_preferences depends_on = [ - module.vpc.nat_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets + module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available + ] +} + +resource "google_compute_firewall" "tailscale_ingress_ipv4" { + name = "${local.name}-tailscale-ingress-ipv4" + network = module.vpc.vpc_id + + allow { + protocol = "udp" + ports = ["41641"] + } + + source_ranges = [ + "0.0.0.0/0", + ] + target_tags = local.instance_tags +} + +resource "google_compute_firewall" "tailscale_ingress_ipv6" { + name = "${local.name}-tailscale-ingress-ipv6" + network = module.vpc.vpc_id + + allow { + protocol = "udp" + ports = ["41641"] + } + + source_ranges = [ + "::/0", ] + target_tags = local.instance_tags } 
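Review bot: Both moved `google_compute_firewall` resources set `network = module.vpc.vpc_id` directly, while every other VPC-derived value the example consumes (`vpc_cidr_block`, `subnet_id`) goes through the `// Modify these to use your own VPC` locals, so someone who swaps in their own network following that comment would still get the ingress rules attached to the example VPC. Adding `vpc_id = module.vpc.vpc_id` to that locals block (it sits in the previous hunk of this file) and using `network = local.vpc_id` in both rules closes the gap; the Azure example already defines `vpc_id` in its locals. The `instance_tags`/`target_tags` pairing is consistent and correctly scopes the rules to the tagged instance rather than the whole network.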
diff --git a/terraform/google/internal-modules/google-compute-instance/main.tf b/terraform/google/internal-modules/google-compute-instance/main.tf index 9c5f572..0619ddc 100644 --- a/terraform/google/internal-modules/google-compute-instance/main.tf +++ b/terraform/google/internal-modules/google-compute-instance/main.tf @@ -13,36 +13,6 @@ data "google_compute_subnetwork" "selected" { self_link = "https://www.googleapis.com/compute/v1/${var.subnet}" # requires full URL - https://github.com/hashicorp/terraform-provider-google/issues/9919 } -resource "google_compute_firewall" "tailscale_ingress_ipv4" { - name = "tailscale-ingress-ipv4" - network = data.google_compute_subnetwork.selected.network - - allow { - protocol = "udp" - ports = ["41641"] - } - - source_ranges = [ - "0.0.0.0/0", - ] - target_tags = var.instance_tags -} - -resource "google_compute_firewall" "tailscale_ingress_ipv6" { - name = "tailscale-ingress-ipv6" - network = data.google_compute_subnetwork.selected.network - - allow { - protocol = "udp" - ports = ["41641"] - } - - source_ranges = [ - "::/0", - ] - target_tags = var.instance_tags -} - data "google_compute_image" "ubuntu" { project = "ubuntu-os-cloud" family = "ubuntu-2404-lts-amd64"