A Terraform module to deploy a Tailscale subnet router into a VPC. It can also act as a NAT gateway for the VPC.
The AMI is built by easyto from the official Tailscale Docker image; easyto enables container-like management of instances directly on EC2.
See the example directory for a sample root module that uses this module.
The Tailscale auth key must be stored in an SSM parameter, optionally encrypted with a customer managed KMS key.
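The following is an added illustration of that prerequisite, not code from the module's own example directory: it creates a customer managed KMS key and stores the auth key as an encrypted SecureString SSM parameter. The resource names, the alias, the parameter path `/tailscale/authkey` and the variable name are assumptions chosen for this example.

```hcl
# Added example: customer managed KMS key plus an encrypted SSM parameter
# holding the Tailscale auth key. Names and the parameter path are assumptions.

# The auth key itself never lives in source control; supply it at apply time
# (for example via TF_VAR_tailscale_authkey).
variable "tailscale_authkey" {
  description = "Tailscale auth key used by the subnet router to join the tailnet."
  type        = string
  sensitive   = true
}

# Customer managed key so that access to the auth key can be scoped by the
# key policy and audited in CloudTrail separately from the AWS managed SSM key.
resource "aws_kms_key" "tailscale" {
  description             = "Encrypts the Tailscale auth key SSM parameter"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "tailscale" {
  name          = "alias/tailscale-authkey" # assumed alias name
  target_key_id = aws_kms_key.tailscale.key_id
}

# SecureString parameter encrypted with the key above. Its name is what the
# module's tailscale.authkey_ssm_path input expects.
resource "aws_ssm_parameter" "tailscale_authkey" {
  name   = "/tailscale/authkey" # assumed parameter path
  type   = "SecureString"
  key_id = aws_kms_key.tailscale.key_id
  value  = var.tailscale_authkey
}
```

The key's ID (`aws_kms_key.tailscale.key_id`) is the value to hand to the module's `kms_key_id` input so the instance role can decrypt the parameter. Note that Terraform records the parameter value in state, so the state backend needs the same protection as the key itself.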
Name | Description | Type | Default | Required |
---|---|---|---|---|
ami | Configuration of the AMI for instances. | object | {} | no |
autoscaling | Configuration of the autoscaling group. | object | N/A | yes |
enable_nat_gateway | Whether or not to configure the instance as a NAT gateway. | bool | false | no |
extra_security_group_ids | Extra security groups to assign to the instances. | list(string) | [] | no |
iam | Configuration for IAM. | object | {} | no |
lambda_configure_vpc | Whether or not to configure the VPC for the lambda function. | bool | false | no |
kms_key_id | ID of the KMS key used to encrypt the SSM parameter containing the Tailscale auth key, if used. | bool | null | no |
name | Name of the lambda and associated cloud resources. | string | N/A | yes |
ssh_key | Name of an ssh key to assign to EC2 instances. | string | null | no |
subnet_ids | IDs of the subnets in which instances are placed. | list(string) | N/A | yes |
tags | Tags to assign to cloud resources. | map(string) | null | no |
tailscale | Configuration for Tailscale. | object | N/A | yes |
volume | Configuration of the root EBS volume of the instances. | object | {} | no |
The ami object has the following structure.
Name | Description | Type | Default | Required |
---|---|---|---|---|
filters | Filters to search for an AMI. Required if name is not defined. | object | [] | conditional |
most_recent | Whether or not to return the most recent image found. | bool | true | no |
name | Name of the AMI. Required if filters is not defined. | string | tailscale-v1.70.0 | conditional |
owner | AWS account where the image is located. | string | 256008164056 | no |
The autoscaling object has the following structure.
Name | Description | Type | Default | Required |
---|---|---|---|---|
instance_refresh | Configuration of instance refresh. See the upstream asg module for the structure. | object | { strategy = "Rolling" } | no |
instance_type | Type of the EC2 instances. Required if mixed_instances_overrides is not defined. | string | null | conditional |
instances_desired | The initial number of instances desired. | number | 1 | no |
instances_max | The maximum number of instances desired. | number | 1 | no |
instances_min | The minimum number of instances desired. | number | 1 | no |
max_instance_lifetime | The maximum lifetime of instances in seconds. | number | null | no |
mixed_instances_distribution | The distribution of mixed instances. See the upstream asg module for the structure. | object | null | no |
mixed_instances_overrides | A list of override objects for mixed instances. See the upstream asg module for the structure of the object. Required if instance_type is not defined. | list(object) | null | conditional |
suspended_processes | A list of autoscaling processes to suspend. | list(string) | [] | no |
termination_policies | A list of policies to decide how instances should be terminated. | list(string) | [] | no |
The iam object has the following structure.
Name | Description | Type | Default | Required |
---|---|---|---|---|
extra_policy_arns | Additional policy ARNs to assign to the instance IAM role. | list(string) | [] | no |
permissions_boundary | An IAM policy ARN to use as a permissions boundary for the IAM role. | string | null | no |
The tailscale object has the following structure.
Name | Description | Type | Default | Required |
---|---|---|---|---|
authkey_ssm_path | Path of the SSM parameter where the Tailscale auth key is stored. | string | N/A | yes |
accept_dns | Whether or not to accept DNS. | bool | false | no |
extra_args | Additional arguments to pass to `tailscale set`. | list(string) | [] | no |
route_vpc_cidr | Whether or not to advertise the VPC CIDR. | bool | true | no |
routes | A list of specific subnets to advertise. | list(string) | [] | no |
state_dir | Directory where tailscaled state is stored. | string | /tmp | no |
tailscaled_extra_args | Additional arguments to pass to `tailscaled`. | list(string) | [] | no |
userspace | Whether or not to use userspace networking. | bool | false | no |
The volume object has the following structure.
Name | Description | Type | Default | Required |
---|---|---|---|---|
iops | Number of IOPS given to the volume. | number | null | no |
name | Name of the volume. | string | /dev/xvda | no |
size | Size of the volume in GB. | number | 1 | no |
type | Type of the EBS volume. | string | gp3 | no |
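The following is an added root-module example showing how the inputs and the ami, autoscaling, iam, tailscale and volume objects described above fit together; it is not the module's own example directory. The module source, subnet ID, KMS key ID, permissions boundary ARN, CIDRs and tag values are placeholders, the SSM parameter at `/tailscale/authkey` is assumed to already exist, and the example assumes that object attributes which have defaults in the tables may be omitted.

```hcl
# Added example root module. Every ID, ARN, CIDR and the module source below
# is a placeholder chosen for illustration.
module "tailscale_router" {
  source = "PLACEHOLDER_MODULE_SOURCE" # replace with the module's real source

  name       = "tailscale-router"
  subnet_ids = ["subnet-0123456789abcdef0"] # constructed private subnet ID

  # Act as the VPC's NAT gateway in addition to routing the tailnet into it.
  enable_nat_gateway = true

  # Customer managed key that encrypts the auth key parameter; passing it lets
  # the module grant the instance role decrypt access to the SecureString.
  kms_key_id = "PLACEHOLDER_KMS_KEY_ID"

  ami = {
    name = "tailscale-v1.70.0" # the default from the ami table, shown explicitly
  }

  autoscaling = {
    instance_type         = "t3.micro"
    instances_min         = 1
    instances_desired     = 1
    instances_max         = 1
    max_instance_lifetime = 604800 # seconds: recycle each instance after 7 days
    instance_refresh      = { strategy = "Rolling" }
  }

  iam = {
    # A boundary caps whatever extra_policy_arns can grant to the instance role.
    permissions_boundary = "arn:aws:iam::123456789012:policy/PLACEHOLDER_BOUNDARY"
    extra_policy_arns    = []
  }

  tailscale = {
    authkey_ssm_path = "/tailscale/authkey" # assumed to exist as a SecureString
    # Advertise only the subnets that need to be reachable from the tailnet
    # instead of the whole VPC CIDR.
    route_vpc_cidr = false
    routes         = ["10.0.1.0/24", "10.0.2.0/24"] # constructed subnet CIDRs
    accept_dns     = false
    extra_args     = ["--hostname=vpc-router"] # forwarded to `tailscale set`
  }

  volume = {
    size = 8 # GB
    type = "gp3"
  }

  tags = {
    Environment = "example"
  }
}

# Expose the module's asg output so the group can be inspected after apply.
output "tailscale_asg" {
  value = module.tailscale_router.asg
}
```

Keeping `route_vpc_cidr` false and listing `routes` explicitly limits what the tailnet can reach to the named subnets; set it to true only when the whole VPC CIDR is meant to be reachable.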
Name | Description |
---|---|
asg | An object containing autoscaling group related resources. |
lambda | An object containing lambda related resources. |