├── _docker ├── tailscale.Dockerfile.dockerignore ├── tailscale.Dockerfile └── tailscale-entrypoint.sh ├── modules └── subnet_router │ ├── aws.tf │ ├── secrets.tf │ ├── logs.tf │ ├── outputs.tf │ ├── versions.tf │ ├── ecr.tf │ ├── networking.tf │ ├── efs.tf │ ├── container_definitions │ └── tailscale.json │ ├── variables.tf │ ├── ecs.tf │ └── iam.tf ├── versions.tf ├── outputs.tf ├── main.tf ├── variables.tf ├── README.md └── LICENSE /_docker/tailscale.Dockerfile.dockerignore: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Ignore everything 16 | ** 17 | 18 | # Build Files 19 | !/_docker/tailscale-entrypoint.sh 20 | -------------------------------------------------------------------------------- /modules/subnet_router/aws.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2023 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | locals { 16 | aws_region_name = data.aws_region.current.name 17 | } 18 | 19 | data "aws_region" "current" {} 20 | -------------------------------------------------------------------------------- /modules/subnet_router/secrets.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | data "aws_secretsmanager_secret" "tailscale_auth_key" { 16 | name = var.tailscale_auth_key_secret 17 | } 18 | -------------------------------------------------------------------------------- /modules/subnet_router/logs.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | resource "aws_cloudwatch_log_group" "tailscale" { 16 | name = "/ecs/${local.name}" 17 | 18 | retention_in_days = 7 19 | } 20 | -------------------------------------------------------------------------------- /versions.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | terraform { 16 | required_version = ">= 1.0.0" 17 | 18 | required_providers { 19 | aws = { 20 | source = "hashicorp/aws" 21 | version = ">= 4.58.0" 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /outputs.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | output "tailscale_ecs_task_role_name" { 16 | value = module.subnet_router.tailscale_ecs_task_role_name 17 | description = "The name of the IAM role created for the ECS task that runs Tailscale" 18 | } 19 | -------------------------------------------------------------------------------- /modules/subnet_router/outputs.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | output "tailscale_ecs_task_role_name" { 16 | value = aws_iam_role.ecs_task_tailscale.name 17 | description = "The name of the IAM role created for the ECS task that runs Tailscale" 18 | } 19 | -------------------------------------------------------------------------------- /modules/subnet_router/versions.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | terraform { 16 | required_version = ">= 1.0.0" 17 | 18 | required_providers { 19 | aws = { 20 | source = "hashicorp/aws" 21 | version = ">= 4.58.0" 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /_docker/tailscale.Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ARG TAILSCALE_TAG=v1.38.4 16 | FROM docker.io/tailscale/tailscale:${TAILSCALE_TAG} 17 | 18 | COPY _docker/tailscale-entrypoint.sh /usr/local/bin/tailscale-entrypoint.sh 19 | ENTRYPOINT ["/usr/local/bin/tailscale-entrypoint.sh"] 20 | -------------------------------------------------------------------------------- /modules/subnet_router/ecr.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | data "aws_ecr_repository" "tailscale" { 16 | name = var.tailscale_docker_repository 17 | } 18 | 19 | data "aws_ecr_image" "tailscale" { 20 | repository_name = data.aws_ecr_repository.tailscale.name 21 | image_tag = var.tailscale_docker_tag 22 | } 23 | -------------------------------------------------------------------------------- /modules/subnet_router/networking.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | data "aws_vpc" "ecs" { 16 | tags = { 17 | Name = var.vpc 18 | } 19 | } 20 | 21 | data "aws_subnets" "primary" { 22 | filter { 23 | name = "vpc-id" 24 | values = [data.aws_vpc.ecs.id] 25 | } 26 | tags = { 27 | group = var.subnet_group 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /modules/subnet_router/efs.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | resource "aws_efs_file_system" "tailscale" { 16 | creation_token = local.name 17 | lifecycle_policy { 18 | transition_to_ia = "AFTER_30_DAYS" 19 | } 20 | lifecycle_policy { 21 | transition_to_primary_storage_class = "AFTER_1_ACCESS" 22 | } 23 | 24 | tags = { 25 | Name = local.name 26 | } 27 | } 28 | 29 | resource "aws_efs_access_point" "tailscale" { 30 | file_system_id = aws_efs_file_system.tailscale.id 31 | root_directory { 32 | path = "/var/lib/tailscale" 33 | } 34 | 35 | tags = { 36 | Name = "var-lib-tailscale" 37 | } 38 | } 39 | 40 | resource "aws_efs_mount_target" "primary" { 41 | for_each = toset(data.aws_subnets.primary.ids) 42 | 43 | file_system_id = aws_efs_file_system.tailscale.id 44 | subnet_id = each.key 45 | security_groups = var.security_group_ids 46 | } 47 | -------------------------------------------------------------------------------- /main.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | module "subnet_router" { 16 | source = "./modules/subnet_router" 17 | 18 | name = var.name 19 | vpc = var.vpc 20 | subnet_group = var.subnet_group 21 | assign_public_ip = var.assign_public_ip 22 | security_group_ids = var.security_group_ids 23 | target_ecs_cluster = var.target_ecs_cluster 24 | tailscale_auth_key_secret = var.tailscale_auth_key_secret 25 | tailscale_docker_repository = var.tailscale_docker_repository 26 | tailscale_docker_tag = var.tailscale_docker_tag 27 | enable_execute_command = var.enable_execute_command 28 | additional_routes = var.additional_routes 29 | cpu_architecture = var.cpu_architecture 30 | additional_flags = var.additional_flags 31 | cpu = var.cpu 32 | memory = var.memory 33 | } 34 | -------------------------------------------------------------------------------- /modules/subnet_router/container_definitions/tailscale.json: -------------------------------------------------------------------------------- 1 | { 2 | "environment": [ 3 | { 4 | "name": "TAILSCALE_HOSTNAME", 5 | "value": "${hostname}" 6 | }, 7 | { 8 | "name": "TAILSCALE_ADVERTISE_ROUTES", 9 | "value": "${advertise_routes}" 10 | }, 11 | { 12 | "name": "TAILSCALE_ADDITIONAL_FLAGS", 13 | "value": "${additional_flags}" 14 | } 15 | ], 16 | "secrets": [ 17 | { 18 | "name": "TAILSCALE_AUTH_KEY", 19 | "valueFrom": "${auth_key_secret_id}" 20 | } 21 | ], 22 | "essential": true, 23 | "image": "${image_id}", 24 | "cpu": ${cpu}, 25 | "memory": ${memory}, 26 | "memoryReservation": ${memory}, 27 | "name": "tailscale", 28 | "portMappings": [], 29 | "mountPoints": [ 30 | { 31 | "containerPath": "/var/lib/tailscale", 32 | "sourceVolume": "${volume_name}", 33 | "readOnly": false 34 | } 35 | ], 36 | "healthcheck": { 37 | "command": [ 38 | "tailscale", 39 | "status" 40 | ], 41 | "interval": 30, 42 | "timeout": 5, 43 | "retries": 3, 44 | "startPeriod": 0 45 | }, 46 | "logConfiguration": { 47 | "logDriver": "awslogs", 48 | "options": { 49 | "awslogs-group": "${logs_group}", 50 | "awslogs-region": "${logs_region}", 51 | "awslogs-stream-prefix": "ecs" 52 | } 53 | }, 54 | "linuxParameters": { 55 | "initProcessEnabled": true 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /_docker/tailscale-entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Copyright 2022 Hardfin, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # https://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # Usage: 17 | # ./tailscale-entrypoint.sh 18 | # Runs Tailscale daemon and Tailscale up command. This is assumed to be running 19 | # in a container. 20 | 21 | set -e 22 | 23 | ## Validate and read inputs 24 | 25 | if [ "${#}" -ne 0 ] 26 | then 27 | echo "Usage: ./tailscale-entrypoint.sh" >&2 28 | exit 1 29 | fi 30 | 31 | if [ -z "${TAILSCALE_HOSTNAME}" ]; then 32 | echo "TAILSCALE_HOSTNAME environment variable should be set by the caller." >&2 33 | exit 1 34 | fi 35 | 36 | if [ -z "${TAILSCALE_AUTH_KEY}" ]; then 37 | echo "TAILSCALE_AUTH_KEY environment variable should be set by the caller." >&2 38 | exit 1 39 | fi 40 | 41 | if [ -z "${TAILSCALE_ADVERTISE_ROUTES}" ]; then 42 | echo "TAILSCALE_ADVERTISE_ROUTES environment variable should be set by the caller." >&2 43 | exit 1 44 | fi 45 | 46 | ## Start `tailscaled` and background it 47 | 48 | echo "Starting tailscaled" 49 | tailscaled \ 50 | --tun userspace-networking & 51 | TAILSCALED_PID="${!}" 52 | 53 | ## Run `tailscale up` 54 | 55 | tailscale up \ 56 | --hostname "${TAILSCALE_HOSTNAME}" \ 57 | --authkey "${TAILSCALE_AUTH_KEY}" \ 58 | --advertise-routes "${TAILSCALE_ADVERTISE_ROUTES}" \ 59 | ${TAILSCALE_ADDITIONAL_FLAGS} 60 | 61 | ## Wait on `tailscaled` 62 | 63 | wait "${TAILSCALED_PID}" 64 | -------------------------------------------------------------------------------- /modules/subnet_router/variables.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | variable "name" { 16 | type = string 17 | default = null 18 | description = "The name of the subnet router deployment. If unspecified the VPC name will be used." 19 | } 20 | 21 | variable "vpc" { 22 | type = string 23 | description = "The name of the VPC where the subnet router ECS service will be launched" 24 | } 25 | 26 | variable "subnet_group" { 27 | type = string 28 | description = "The group (tag) of the VPC subnets where the subnet router ECS service will be launched" 29 | } 30 | 31 | variable "assign_public_ip" { 32 | type = bool 33 | description = "The 'assign_public_ip' flag for the ECS task network configuration" 34 | } 35 | 36 | variable "security_group_ids" { 37 | type = list(string) 38 | description = "The security group IDs to associate with the subnet router ECS service and EFS mount targets" 39 | } 40 | 41 | variable "target_ecs_cluster" { 42 | type = string 43 | description = "The name of the target ECS cluster" 44 | } 45 | 46 | variable "tailscale_auth_key_secret" { 47 | type = string 48 | description = "The name of secret where the Tailscale auth key is stored" 49 | } 50 | 51 | variable "tailscale_docker_repository" { 52 | type = string 53 | description = "The name of ECR repository where the Docker image stored" 54 | } 55 | 56 | variable "tailscale_docker_tag" { 57 | type = string 58 | description = "The name of tag for the Docker image stored in ECR" 59 | } 60 | 61 | variable "enable_execute_command" { 62 | type = bool 63 | description = "Allows AWS ECS exec into the task containers" 64 | } 65 | 66 | variable "additional_routes" { 67 | type = list(string) 68 | default = [] 69 | description = "A list of additional CIDR blocks to pass to Tailscale as routes to advertise" 70 | } 71 | 72 | variable "cpu_architecture" { 73 | type = string 74 | default = "X86_64" 75 | description = "The CPU architecture to use for the container. Either X86_64 or ARM64." 76 | } 77 | 78 | variable "additional_flags" { 79 | type = string 80 | default = "" 81 | description = "Additional flags to pass to the tailscale up command" 82 | } 83 | 84 | variable "cpu" { 85 | type = number 86 | default = 256 87 | description = "The CPU value to assign to the container (vCPU)" 88 | } 89 | 90 | variable "memory" { 91 | type = number 92 | default = 512 93 | description = "The memory value to assign to the container (MiB)" 94 | } 95 | -------------------------------------------------------------------------------- /modules/subnet_router/ecs.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | locals { 16 | tailscale_volume_name = "var-lib-tailscale" 17 | tailscale_definition_path = abspath("${path.module}/container_definitions/tailscale.json") 18 | tailscale_container_json = templatefile(local.tailscale_definition_path, { 19 | hostname = local.name 20 | advertise_routes = join(",", concat([data.aws_vpc.ecs.cidr_block], var.additional_routes)) 21 | additional_flags = var.additional_flags 22 | auth_key_secret_id = data.aws_secretsmanager_secret.tailscale_auth_key.id 23 | image_id = "${data.aws_ecr_repository.tailscale.repository_url}@${data.aws_ecr_image.tailscale.id}" 24 | volume_name = local.tailscale_volume_name 25 | logs_group = aws_cloudwatch_log_group.tailscale.name 26 | logs_region = local.aws_region_name 27 | cpu = var.cpu 28 | memory = var.memory 29 | }) 30 | name = var.name != null ? var.name : "${var.vpc}-tailscale" 31 | service_name = var.name != null ? var.name : "tailscale" 32 | } 33 | 34 | resource "aws_ecs_task_definition" "tailscale" { 35 | family = local.name 36 | requires_compatibilities = ["FARGATE"] 37 | network_mode = "awsvpc" 38 | cpu = var.cpu 39 | memory = var.memory 40 | execution_role_arn = aws_iam_role.ecs_task_execution_tailscale.arn 41 | task_role_arn = aws_iam_role.ecs_task_tailscale.arn 42 | 43 | container_definitions = jsonencode([ 44 | jsondecode(local.tailscale_container_json), 45 | ]) 46 | 47 | volume { 48 | name = local.tailscale_volume_name 49 | 50 | efs_volume_configuration { 51 | file_system_id = aws_efs_file_system.tailscale.id 52 | transit_encryption = "ENABLED" 53 | } 54 | } 55 | 56 | runtime_platform { 57 | operating_system_family = "LINUX" 58 | cpu_architecture = var.cpu_architecture 59 | } 60 | } 61 | 62 | data "aws_ecs_cluster" "target" { 63 | cluster_name = var.target_ecs_cluster 64 | } 65 | 66 | resource "aws_ecs_service" "tailscale" { 67 | name = local.service_name 68 | cluster = data.aws_ecs_cluster.target.id 69 | task_definition = aws_ecs_task_definition.tailscale.arn 70 | desired_count = 1 71 | wait_for_steady_state = true 72 | launch_type = "FARGATE" 73 | enable_execute_command = var.enable_execute_command 74 | 75 | deployment_circuit_breaker { 76 | enable = false 77 | rollback = false 78 | } 79 | 80 | deployment_controller { 81 | type = "ECS" 82 | } 83 | 84 | network_configuration { 85 | assign_public_ip = var.assign_public_ip 86 | security_groups = var.security_group_ids 87 | subnets = data.aws_subnets.primary.ids 88 | } 89 | 90 | depends_on = [aws_efs_mount_target.primary] 91 | } 92 | -------------------------------------------------------------------------------- /variables.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | variable "name" { 16 | type = string 17 | default = null 18 | description = "The name of the subnet router deployment. If unspecified the VPC name will be used." 19 | } 20 | 21 | variable "vpc" { 22 | type = string 23 | description = "The name of the VPC where the subnet router ECS service will be launched" 24 | } 25 | 26 | variable "subnet_group" { 27 | type = string 28 | description = "The group (tag) of the VPC subnets where the subnet router ECS service will be launched" 29 | } 30 | 31 | variable "assign_public_ip" { 32 | type = bool 33 | default = false 34 | 35 | description = <<-EOT 36 | The 'assign_public_ip' flag for the ECS task network configuration. 37 | 38 | The `assign_public_ip` is necessary to be able to pull from ECR when the 39 | containers come up. Alternatively, AWS PrivateLink can be used or the ECS task 40 | can be placed in a private subnet that routes traffic through a NAT gateway. 41 | EOT 42 | } 43 | 44 | variable "security_group_ids" { 45 | type = list(string) 46 | description = "The security group IDs to associate with the subnet router ECS service and EFS mount targets" 47 | } 48 | 49 | variable "target_ecs_cluster" { 50 | type = string 51 | description = "The name of the target ECS cluster" 52 | } 53 | 54 | variable "tailscale_auth_key_secret" { 55 | type = string 56 | description = "The name of secret where the Tailscale auth key is stored" 57 | } 58 | 59 | variable "tailscale_docker_repository" { 60 | type = string 61 | description = "The name of ECR repository where the Docker image stored" 62 | } 63 | 64 | variable "tailscale_docker_tag" { 65 | type = string 66 | description = "The name of tag for the Docker image stored in ECR" 67 | } 68 | 69 | variable "enable_execute_command" { 70 | type = bool 71 | default = false 72 | 73 | description = <<-EOT 74 | Allows AWS ECS exec into the task containers. 75 | 76 | The `enable_execute_command` field allows AWS ECS exec into the task 77 | containers. See: 78 | - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html 79 | - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html 80 | EOT 81 | } 82 | 83 | variable "additional_routes" { 84 | type = list(string) 85 | default = [] 86 | description = "A list of additional CIDR blocks to pass to Tailscale as routes to advertise" 87 | } 88 | 89 | variable "cpu_architecture" { 90 | type = string 91 | default = "X86_64" 92 | description = "The CPU architecture to use for the container. Either X86_64 or ARM64." 93 | } 94 | 95 | variable "additional_flags" { 96 | type = string 97 | default = "" 98 | description = "Additional flags to pass to the tailscale up command" 99 | } 100 | 101 | variable "cpu" { 102 | type = number 103 | default = 256 104 | description = "The CPU value to assign to the container (vCPU)" 105 | } 106 | 107 | variable "memory" { 108 | type = number 109 | default = 512 110 | description = "The memory value to assign to the container (MiB)" 111 | } 112 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Terraform module for Tailscale subnet router in ECS Fargate 2 | 3 | This module deploys a Tailscale [subnet router][1] as an [AWS Fargate][2] 4 | ECS task. The subnet router runs within an AWS VPC and advertises (to the 5 | Tailnet) the entire CIDR block for that VPC. 6 | 7 | ## Docker Container 8 | 9 | The `_docker/tailscale.Dockerfile` file extends the `tailscale/tailscale` 10 | [image][3] with an entrypoint script that starts the Tailscale daemon and runs 11 | `tailscale up` using an [auth key][4] and the relevant advertised CIDR block. 12 | 13 | This Docker container must be built and [pushed][5] to an ECR repository. 14 | 15 | ```bash 16 | docker build \ 17 | --tag tailscale-subnet-router:v1.20230311.1 \ 18 | --file ./_docker/tailscale.Dockerfile \ 19 | . 20 | 21 | # Optionally override the tag for the base `tailscale/tailscale` image 22 | docker build \ 23 | --build-arg TAILSCALE_TAG=v1.38.4 \ 24 | --tag tailscale-subnet-router:v1.20230311.1 \ 25 | --file ./_docker/tailscale.Dockerfile \ 26 | . 27 | ``` 28 | 29 | ## Operator's Notes 30 | 31 | - The Tailscale state (`/var/lib/tailscale`) is stored in an EFS disk so that 32 | the subnet router only needs to be [authorized][6] once. 33 | - When deploying a new version, ECS will do a rolling update so two ECS tasks 34 | will be simultaneously claiming to be the same host. This conflict will 35 | eventually resolve itself some time after the older task exits, but may be 36 | confusing during the rollout. 37 | 38 | ## Room for Improvement 39 | 40 | ### Throughput 41 | 42 | Right now this explicitly maps exactly one subnet router per VPC. As an 43 | organization grows, this can cause the subnet router to get saturated and cause 44 | a bottleneck. One of the perks of a mesh VPN is that bottlenecks via a 45 | centralized controller aren't possible, so reintroducing a bottleneck is 46 | unfortunate. 47 | 48 | The best way to avoid this bottleneck is to not use a subnet router at all, but 49 | many engineering organizations can't (or don't want to) run Tailscale as a 50 | sidecar for all workloads. Assuming a subnet router will be used, there are a 51 | few ways bottlenecks can be mitigated: 52 | 53 | - Use smaller VPCs and utilize VPC peering as needed. 54 | - Use multiple subnet routers to cover one VPC. To enable this we could allow 55 | the CIDR range covered by the subnet router (via `--advertise-routes`) to be 56 | configurable. 57 | - Use [subnet router failover][7] for business users. 58 | - Use the subnet router **only** as a way to access jump / bastion hosts (with 59 | access limited via Tailscale [network ACLs][8]) and then rely on scaling 60 | jump hosts to increase throughput. 61 | 62 | ### State 63 | 64 | In the current form, this module uses AWS EFS to persist the Tailscale state in 65 | `/var/lib/tailscale` across deploys. 66 | 67 | ```bash 68 | tailscaled --state arn:aws:ssm:zz-minotaur-7:123456789012:parameter/sandbox-tailscale 69 | ``` 70 | 71 | ### VPC 72 | 73 | This module assumes a VPC `Name` is used, equivalent to: 74 | 75 | ```hcl 76 | data "aws_vpc" "sandbox" { 77 | tags = { 78 | Name = "sandbox" 79 | } 80 | } 81 | ``` 82 | 83 | We'd be open to accepting a `vpc_id` directly. 84 | 85 | ### Subnet group 86 | 87 | The `subnet_group` variable is of note; it is used to filter subnets tagged 88 | with `group={subnet_group}`. This is a convention we use at Hardfin to group 89 | together subnets that are part of the same VPC (usually one subnet per AZ). 90 | In Terraform, this is determined via: 91 | 92 | ```hcl 93 | data "aws_subnets" "primary" { 94 | filter { 95 | name = "vpc-id" 96 | values = ["vpc-51edfd86d3223cdff"] 97 | } 98 | tags = { 99 | group = "sandbox-igw-zz-minotaur-7" 100 | } 101 | } 102 | ``` 103 | 104 | We'd be open to accepting an `aws_subnet_ids` list directly. 105 | 106 | [1]: https://tailscale.com/kb/1019/subnets/ 107 | [2]: https://docs.aws.amazon.com/AmazonECS/latest/userguide/what-is-fargate.html 108 | [3]: https://hub.docker.com/r/tailscale/tailscale 109 | [4]: https://tailscale.com/kb/1085/auth-keys/ 110 | [5]: https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-push-ecr-image.html 111 | [6]: https://tailscale.com/kb/1099/device-authorization/ 112 | [7]: https://tailscale.com/kb/1115/subnet-failover/ 113 | [8]: https://tailscale.com/kb/1018/acls/ 114 | -------------------------------------------------------------------------------- /modules/subnet_router/iam.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Hardfin, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | data "aws_iam_policy_document" "ecs_tasks_assume" { 16 | statement { 17 | actions = ["sts:AssumeRole"] 18 | effect = "Allow" 19 | principals { 20 | type = "Service" 21 | identifiers = ["ecs-tasks.amazonaws.com"] 22 | } 23 | } 24 | } 25 | 26 | ################################################## 27 | ############### ECS Task Execution ############### 28 | ################################################## 29 | 30 | # This role will be the one used by the AWS Fargate agent(s) to make AWS 31 | # API calls, e.g. to authenticate with ECR when pulling container images 32 | # or to pull secrets from AWS Secrets Manager to inject into the task 33 | # environment variables. See: 34 | # - https://docs.aws.amazon.com/AmazonECS/latest/userguide/task_execution_IAM_role.html 35 | resource "aws_iam_role" "ecs_task_execution_tailscale" { 36 | name = "ecs-task-execution-${local.name}" 37 | assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json 38 | } 39 | 40 | resource "aws_iam_role_policy_attachment" "ecs_task_execution_tailscale" { 41 | role = aws_iam_role.ecs_task_execution_tailscale.name 42 | policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 43 | } 44 | 45 | # See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-tutorial.html 46 | data "aws_iam_policy_document" "ecs_task_secrets_tailscale" { 47 | statement { 48 | effect = "Allow" 49 | actions = [ 50 | "secretsmanager:GetSecretValue", 51 | ] 52 | resources = [ 53 | data.aws_secretsmanager_secret.tailscale_auth_key.arn, 54 | ] 55 | } 56 | } 57 | 58 | resource "aws_iam_policy" "ecs_task_secrets_tailscale" { 59 | name = "ecs-task-secrets-${local.name}" 60 | description = "Permissions for ECS task execution to read secrets for Tailscale in VPC ${var.vpc}" 61 | policy = data.aws_iam_policy_document.ecs_task_secrets_tailscale.json 62 | } 63 | 64 | resource "aws_iam_role_policy_attachment" "ecs_task_secrets_tailscale" { 65 | role = aws_iam_role.ecs_task_execution_tailscale.name 66 | policy_arn = aws_iam_policy.ecs_task_secrets_tailscale.arn 67 | } 68 | 69 | ################################################## 70 | #################### ECS Task #################### 71 | ################################################## 72 | 73 | # This role will be the one actually used by the running ECS task; i.e. 74 | # when the task authenticates with the AWS credential endpoint, this is 75 | # the role it will authenticate with. See: 76 | # - https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-iam-roles.html 77 | resource "aws_iam_role" "ecs_task_tailscale" { 78 | name = "ecs-task-${local.name}" 79 | assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json 80 | } 81 | 82 | # See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html 83 | data "aws_iam_policy_document" "ecs_task_logs_tailscale" { 84 | statement { 85 | effect = "Allow" 86 | actions = ["logs:DescribeLogGroups"] 87 | resources = ["*"] 88 | } 89 | statement { 90 | effect = "Allow" 91 | actions = [ 92 | "logs:CreateLogStream", 93 | "logs:DescribeLogStreams", 94 | "logs:PutLogEvents", 95 | ] 96 | resources = [ 97 | aws_cloudwatch_log_group.tailscale.arn, 98 | ] 99 | } 100 | } 101 | 102 | resource "aws_iam_policy" "ecs_task_logs_tailscale" { 103 | name = "ecs-task-logs-${local.name}" 104 | description = "Permissions for ECS task to write logs for Tailscale in VPC ${var.vpc}" 105 | policy = data.aws_iam_policy_document.ecs_task_logs_tailscale.json 106 | } 107 | 108 | resource "aws_iam_role_policy_attachment" "ecs_task_logs_tailscale" { 109 | role = aws_iam_role.ecs_task_tailscale.name 110 | policy_arn = aws_iam_policy.ecs_task_logs_tailscale.arn 111 | } 112 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | --------------------------------------------------------------------------------