diff --git a/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf b/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf
index a7826c5..20a31c3 100644
--- a/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf
+++ b/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf
@@ -71,10 +71,8 @@ module "tailscale_aws_ec2_autoscaling" {
 ]
 tailscale_advertise_connector = true
- # tailscale_advertise_github_service_names = [
- # "api",
- # "packages",
- # "website",
+ # tailscale_advertise_aws_service_names = [
+ # "GLOBALACCELERATOR",
+ # ]
 depends_on = [
diff --git a/terraform/aws/aws-ec2-autoscaling/main.tf b/terraform/aws/aws-ec2-autoscaling/main.tf
index 7635a7c..b80c636 100644
--- a/terraform/aws/aws-ec2-autoscaling/main.tf
+++ b/terraform/aws/aws-ec2-autoscaling/main.tf
@@ -55,24 +55,15 @@ module "tailscale_aws_ec2_autoscaling" {
 tailscale_set_preferences = var.tailscale_set_preferences
 tailscale_ssh = true
 tailscale_advertise_exit_node = true
- tailscale_advertise_connector = true
 tailscale_advertise_routes = [
 module.vpc.vpc_cidr_block,
 ]
- tailscale_advertise_aws_service_names = [
- "GLOBALACCELERATOR",
- ]
- tailscale_advertise_github_service_names = [
- "api",
- "packages",
- "website",
- ]
- tailscale_advertise_okta_cell_names = [
- "us_cell_1",
- "emea_cell_2",
- ]
+ tailscale_advertise_connector = true
+ # tailscale_advertise_aws_service_names = [
+ # "GLOBALACCELERATOR",
+ # ]
 depends_on = [
 module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
diff --git a/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf b/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf
index 0ae5d9b..eacc7b2 100644
--- a/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf
+++ b/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf
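Review bot: The aws-ec2-autoscaling example now enables `tailscale_ssh = true`, `tailscale_advertise_exit_node = true`, a VPC-wide `tailscale_advertise_routes`, and `tailscale_advertise_connector = true` on the same autoscaling group, with no comment on what that combination grants. Each of these is a distinct trust boundary (shell access, default route for the tailnet, reachability into the VPC, and app-connector egress), and anyone copying the example is likely to carry all four into production. I would add a comment above `tailscale_ssh = true` along the lines of `# Demo posture: SSH, exit node, subnet router and connector on one ASG - split these by role and gate each via ACL tags/autoApprovers before reuse`. Advertised routes and exit nodes should stay inert until approved in the tailnet, as far as I recall, but the example should not rely on readers knowing that. The module block continues outside the hunk.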
@@ -53,11 +53,6 @@ module "tailscale_aws_ec2" {
 )
 tailscale_advertise_connector = true
- # tailscale_advertise_github_service_names = [
- # "api",
- # "packages",
- # "website",
- # ]
 depends_on = [
 module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
diff --git a/terraform/aws/aws-ec2-instance/main.tf b/terraform/aws/aws-ec2-instance/main.tf
index 6a2acca..46a7299 100644
--- a/terraform/aws/aws-ec2-instance/main.tf
+++ b/terraform/aws/aws-ec2-instance/main.tf
@@ -50,7 +50,7 @@ module "tailscale_aws_ec2" {
 ]
 tailscale_advertise_connector = true
- # tailscale_advertise_github_service_names = [
+ # tailscale_advertise_aws_service_names = [
 # "GLOBALACCELERATOR",
 # ]
diff --git a/terraform/aws/internal-modules/aws-ec2-autoscaling/main.tf b/terraform/aws/internal-modules/aws-ec2-autoscaling/main.tf
index a9f9376..27915da 100644
--- a/terraform/aws/internal-modules/aws-ec2-autoscaling/main.tf
+++ b/terraform/aws/internal-modules/aws-ec2-autoscaling/main.tf
@@ -8,10 +8,8 @@ module "tailscale_install_scripts" {
 tailscale_set_preferences = var.tailscale_set_preferences
 tailscale_ssh = var.tailscale_ssh
- tailscale_advertise_routes = var.tailscale_advertise_routes
- tailscale_advertise_aws_service_names = var.tailscale_advertise_aws_service_names
- tailscale_advertise_github_service_names = var.tailscale_advertise_github_service_names
- tailscale_advertise_okta_cell_names = var.tailscale_advertise_okta_cell_names
+ tailscale_advertise_routes = var.tailscale_advertise_routes
+ tailscale_advertise_aws_service_names = var.tailscale_advertise_aws_service_names
 additional_before_scripts = var.additional_before_scripts
 additional_after_scripts = var.additional_after_scripts
diff --git a/terraform/aws/internal-modules/aws-ec2-autoscaling/variables-tailscale-install-scripts.tf b/terraform/aws/internal-modules/aws-ec2-autoscaling/variables-tailscale-install-scripts.tf
index 2192a45..c7206f9 100644
--- a/terraform/aws/internal-modules/aws-ec2-autoscaling/variables-tailscale-install-scripts.tf
+++ b/terraform/aws/internal-modules/aws-ec2-autoscaling/variables-tailscale-install-scripts.tf
@@ -57,13 +57,3 @@ variable "tailscale_advertise_aws_service_names" {
 type = set(string)
 default = []
 }
-variable "tailscale_advertise_github_service_names" {
- description = "List of GitHub Services to retrieve IP prefixes for - e.g. ['web','api']"
- type = set(string)
- default = []
-}
-variable "tailscale_advertise_okta_cell_names" {
- description = "List of Okta cells to retrieve IP prefixes for - e.g. ['us_cell_1','emea_cell_2']"
- type = set(string)
- default = []
-}
diff --git a/terraform/aws/internal-modules/aws-ec2-instance/main.tf b/terraform/aws/internal-modules/aws-ec2-instance/main.tf
index d20bec9..c89206c 100644
--- a/terraform/aws/internal-modules/aws-ec2-instance/main.tf
+++ b/terraform/aws/internal-modules/aws-ec2-instance/main.tf
@@ -8,10 +8,8 @@ module "tailscale_install_scripts" {
 tailscale_set_preferences = var.tailscale_set_preferences
 tailscale_ssh = var.tailscale_ssh
- tailscale_advertise_routes = var.tailscale_advertise_routes
- tailscale_advertise_aws_service_names = var.tailscale_advertise_aws_service_names
- tailscale_advertise_github_service_names = var.tailscale_advertise_github_service_names
- tailscale_advertise_okta_cell_names = var.tailscale_advertise_okta_cell_names
+ tailscale_advertise_routes = var.tailscale_advertise_routes
+ tailscale_advertise_aws_service_names = var.tailscale_advertise_aws_service_names
 additional_before_scripts = var.additional_before_scripts
 additional_after_scripts = var.additional_after_scripts
diff --git a/terraform/aws/internal-modules/aws-ec2-instance/variables-tailscale-install-scripts.tf b/terraform/aws/internal-modules/aws-ec2-instance/variables-tailscale-install-scripts.tf
index 2192a45..c7206f9 100644
--- a/terraform/aws/internal-modules/aws-ec2-instance/variables-tailscale-install-scripts.tf
+++ b/terraform/aws/internal-modules/aws-ec2-instance/variables-tailscale-install-scripts.tf
@@ -57,13 +57,3 @@ variable "tailscale_advertise_aws_service_names" {
 type = set(string)
 default = []
 }
-variable "tailscale_advertise_github_service_names" {
- description = "List of GitHub Services to retrieve IP prefixes for - e.g. ['web','api']"
- type = set(string)
- default = []
-}
-variable "tailscale_advertise_okta_cell_names" {
- description = "List of Okta cells to retrieve IP prefixes for - e.g. ['us_cell_1','emea_cell_2']"
- type = set(string)
- default = []
-}
diff --git a/terraform/azure/azure-linux-vm/main.tf b/terraform/azure/azure-linux-vm/main.tf
index e3d0adb..c1d150e 100644
--- a/terraform/azure/azure-linux-vm/main.tf
+++ b/terraform/azure/azure-linux-vm/main.tf
@@ -66,11 +66,6 @@ module "tailscale_azure_linux_virtual_machine" {
 tailscale_advertise_routes = module.network.vnet_address_space
 tailscale_advertise_connector = true
- # tailscale_advertise_github_service_names = [
- # "api",
- # "packages",
- # "website",
- # ]
 depends_on = [
 module.network.natgw_ids, # for private subnets - ensure NAT gateway is available before instance provisioning
diff --git a/terraform/azure/internal-modules/azure-linux-vm/main.tf b/terraform/azure/internal-modules/azure-linux-vm/main.tf
index e3b95fa..7c4988d 100644
--- a/terraform/azure/internal-modules/azure-linux-vm/main.tf
+++ b/terraform/azure/internal-modules/azure-linux-vm/main.tf
@@ -8,10 +8,8 @@ module "tailscale_install_scripts" {
 tailscale_set_preferences = var.tailscale_set_preferences
 tailscale_ssh = var.tailscale_ssh
- tailscale_advertise_routes = var.tailscale_advertise_routes
- tailscale_advertise_aws_service_names = var.tailscale_advertise_aws_service_names
- tailscale_advertise_github_service_names = var.tailscale_advertise_github_service_names
- tailscale_advertise_okta_cell_names = var.tailscale_advertise_okta_cell_names
+ tailscale_advertise_routes = var.tailscale_advertise_routes
+ tailscale_advertise_aws_service_names = var.tailscale_advertise_aws_service_names
 additional_before_scripts = var.additional_before_scripts
 additional_after_scripts = var.additional_after_scripts
diff --git a/terraform/azure/internal-modules/azure-linux-vm/variables-tailscale-install-scripts.tf b/terraform/azure/internal-modules/azure-linux-vm/variables-tailscale-install-scripts.tf
index 2192a45..c7206f9 100644
--- a/terraform/azure/internal-modules/azure-linux-vm/variables-tailscale-install-scripts.tf
+++ b/terraform/azure/internal-modules/azure-linux-vm/variables-tailscale-install-scripts.tf
@@ -57,13 +57,3 @@ variable "tailscale_advertise_aws_service_names" {
 type = set(string)
 default = []
 }
-variable "tailscale_advertise_github_service_names" {
- description = "List of GitHub Services to retrieve IP prefixes for - e.g. ['web','api']"
- type = set(string)
- default = []
-}
-variable "tailscale_advertise_okta_cell_names" {
- description = "List of Okta cells to retrieve IP prefixes for - e.g. ['us_cell_1','emea_cell_2']"
- type = set(string)
- default = []
-}
diff --git a/terraform/google/google-compute-instance/main.tf b/terraform/google/google-compute-instance/main.tf
index ba4c9be..57c3cb1 100644
--- a/terraform/google/google-compute-instance/main.tf
+++ b/terraform/google/google-compute-instance/main.tf
@@ -59,11 +59,6 @@ module "tailscale_instance" {
 tailscale_advertise_routes = module.vpc.subnets_ips
 tailscale_advertise_connector = true
- # tailscale_advertise_github_service_names = [
- # "api",
- # "packages",
- # "website",
- # ]
 depends_on = [
 module.vpc.nat_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
diff --git a/terraform/google/internal-modules/google-compute-instance/main.tf b/terraform/google/internal-modules/google-compute-instance/main.tf
index 240010c..e4c7f97 100644
--- a/terraform/google/internal-modules/google-compute-instance/main.tf
+++ b/terraform/google/internal-modules/google-compute-instance/main.tf
@@ -8,10 +8,8 @@ module "tailscale_install_scripts" {
 tailscale_set_preferences = var.tailscale_set_preferences
 tailscale_ssh = var.tailscale_ssh
- tailscale_advertise_routes = var.tailscale_advertise_routes
- tailscale_advertise_aws_service_names = var.tailscale_advertise_aws_service_names
- tailscale_advertise_github_service_names = var.tailscale_advertise_github_service_names
- tailscale_advertise_okta_cell_names = var.tailscale_advertise_okta_cell_names
+ tailscale_advertise_routes = var.tailscale_advertise_routes
+ tailscale_advertise_aws_service_names = var.tailscale_advertise_aws_service_names
 additional_before_scripts = var.additional_before_scripts
 additional_after_scripts = var.additional_after_scripts
diff --git a/terraform/google/internal-modules/google-compute-instance/variables-tailscale-install-scripts.tf b/terraform/google/internal-modules/google-compute-instance/variables-tailscale-install-scripts.tf
index 2192a45..c7206f9 100644
--- a/terraform/google/internal-modules/google-compute-instance/variables-tailscale-install-scripts.tf
+++ b/terraform/google/internal-modules/google-compute-instance/variables-tailscale-install-scripts.tf
@@ -57,13 +57,3 @@ variable "tailscale_advertise_aws_service_names" {
 type = set(string)
 default = []
 }
-variable "tailscale_advertise_github_service_names" {
- description = "List of GitHub Services to retrieve IP prefixes for - e.g. ['web','api']"
- type = set(string)
- default = []
-}
-variable "tailscale_advertise_okta_cell_names" {
- description = "List of Okta cells to retrieve IP prefixes for - e.g. ['us_cell_1','emea_cell_2']"
- type = set(string)
- default = []
-}
diff --git a/terraform/internal-modules/tailscale-advertise-routes/github.tf b/terraform/internal-modules/tailscale-advertise-routes/github.tf
deleted file mode 100644
index 4ec64dd..0000000
--- a/terraform/internal-modules/tailscale-advertise-routes/github.tf
+++ /dev/null
@@ -1,52 +0,0 @@
-variable "tailscale_advertise_github_service_names" {
- description = "List of GitHub Services to retrieve IP prefixes for - e.g. ['web','api']"
- type = set(string)
- default = []
-}
-variable "github_domain_services" { # TODO: move to tailscale-install-scripts or separate module?
- description = "List of GitHub Services to retrieve Domains for for - e.g. ['website','packages']"
- type = set(string)
- default = []
-}
-
-/**
- * For routes
- */
-locals {
- github_routes_script = length(var.tailscale_advertise_github_service_names) == 0 ? null : templatefile(
- "${path.module}/scripts/get-routes-github.tftpl",
- {
- tailscale_advertise_github_service_names = var.tailscale_advertise_github_service_names,
- routes_file_to_append = var.tailscale_advertise_routes_from_file_on_host,
- }
- )
-}
-
-/**
- * For domains
- */
-data "http" "github_ip_ranges_json" {
- count = length(var.github_domain_services) == 0 ? 0 : 1
- // https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses
- url = "https://api.github.com/meta"
-}
-
-locals {
- github_ip_data = length(var.github_domain_services) == 0 ? null : jsondecode(data.http.github_ip_ranges_json[0].response_body)
-
- github_domains = length(var.github_domain_services) == 0 ? [] : flatten([for s in var.github_domain_services :
- local.github_ip_data.domains[s]
- ])
- github_top_level_domains = length(var.github_domain_services) == 0 ? [] : [for s in local.github_domains :
- replace(s, "/^\\*\\./", "") # strip wildcard off of domains - e.g. '*.github.com' -> 'github.com'
- ]
-}
-output "github_domains" {
- description = "Distinct and sorted list of domains for the provider; including wildcard and TLDs - e.g. ['*.example.com','example.com']."
- value = sort(distinct(
- concat(
- local.github_domains,
- local.github_top_level_domains,
- )
- ))
-}
diff --git a/terraform/internal-modules/tailscale-advertise-routes/main.tf b/terraform/internal-modules/tailscale-advertise-routes/main.tf
index ece72e9..1c68b65 100644
--- a/terraform/internal-modules/tailscale-advertise-routes/main.tf
+++ b/terraform/internal-modules/tailscale-advertise-routes/main.tf
@@ -3,15 +3,11 @@ locals {
 # boolean - do we have any routes to advertise?
 length(var.tailscale_advertise_routes)
 + length(var.tailscale_advertise_aws_service_names)
- + length(var.tailscale_advertise_github_service_names)
- + length(var.tailscale_advertise_okta_cell_names)
 ) == 0
 saas_routes_to_advertise = (
 # boolean - do we have any **SaaS** routes to advertise?
 length(var.tailscale_advertise_aws_service_names)
- + length(var.tailscale_advertise_github_service_names)
- + length(var.tailscale_advertise_okta_cell_names)
 ) == 0
 advertise_routes_script = local.routes_to_advertise ? "" : templatefile(
diff --git a/terraform/internal-modules/tailscale-advertise-routes/okta.tf b/terraform/internal-modules/tailscale-advertise-routes/okta.tf
deleted file mode 100644
index a2e24c3..0000000
--- a/terraform/internal-modules/tailscale-advertise-routes/okta.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-variable "tailscale_advertise_okta_cell_names" {
- description = "List of Okta cells to retrieve IP prefixes for - e.g. ['us_cell_1','emea_cell_2']"
- type = set(string)
- default = []
-}
-
-locals {
- okta_routes_script = length(var.tailscale_advertise_okta_cell_names) == 0 ? null : templatefile(
- "${path.module}/scripts/get-routes-okta.tftpl",
- {
- tailscale_advertise_okta_cell_names = var.tailscale_advertise_okta_cell_names,
- routes_file_to_append = var.tailscale_advertise_routes_from_file_on_host,
- }
- )
-}
diff --git a/terraform/internal-modules/tailscale-advertise-routes/outputs.tf b/terraform/internal-modules/tailscale-advertise-routes/outputs.tf
index 32f5932..f3c2979 100644
--- a/terraform/internal-modules/tailscale-advertise-routes/outputs.tf
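Review bot: `routes_to_advertise` and `saas_routes_to_advertise` are true when the summed lengths are `== 0`, i.e. when there is nothing to advertise, which is the opposite of what their comments (`do we have any routes to advertise?`) say; the ternary on the hunk's last line only works because it treats true as the empty-script case. With the GitHub and Okta terms removed, the second expression is now a single term wrapped in parentheses, so this is a good moment to make the intent readable. The minimal fix is to correct the two comments, `# boolean - true when there are NO routes to advertise` and `# boolean - true when there are NO SaaS routes to advertise`; renaming the locals (e.g. `no_routes_to_advertise`) would be cleaner but touches consumers outside this hunk. The `locals` block starts and ends outside the hunk.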
+++ b/terraform/internal-modules/tailscale-advertise-routes/outputs.tf
@@ -1,13 +1,11 @@
 /**
- * See other files for vendor-specific variables/outputs - `aws.tf`, `github.tf`, etc.
+ * See other files for vendor-specific variables/outputs - `aws.tf`, etc.
 */
 output "routes_script" {
 description = "Sript to fetch, parse, and save routes to `var.routes_file_to_append`"
 value = join("\n", compact([
 local.aws_routes_script,
- local.github_routes_script,
- local.okta_routes_script,
 local.advertise_routes_script,
 ]))
 }
diff --git a/terraform/internal-modules/tailscale-advertise-routes/scripts/get-routes-github.tftpl b/terraform/internal-modules/tailscale-advertise-routes/scripts/get-routes-github.tftpl
deleted file mode 100644
index e6f4382..0000000
--- a/terraform/internal-modules/tailscale-advertise-routes/scripts/get-routes-github.tftpl
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-#
-# Download and parse a json file from the vendor to create a list of routes to advertise
-# by Tailscale. The list is saved appended to a file that may have other routes already added.
-#
-# https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses
-#
-
-echo -e '\n#\n# Beginning GitHub routes fetching, parsing, and saving to [${routes_file_to_append}]...\n#\n'
-
-which jq > /dev/null # TODO: move to shared script?
-if [ $? -ne 0 ]; then
- apt-get -qq update
- apt-get -yqq install jq
- echo -e '\n#\n# jq installation complete.\n#\n'
-fi
-
-OUTPUT_FILE_TMP=/tmp/routes-output-github.txt
-OUTPUT_FILE=${routes_file_to_append}
-
-JSON_FILE=routes-input-github.json
-curl -s 'https://api.github.com/meta' > $JSON_FILE
-
-%{ for s in tailscale_advertise_github_service_names ~}
-jq -r '.${s}[]' $JSON_FILE >> $OUTPUT_FILE_TMP
-%{ endfor ~}
-
-cat $OUTPUT_FILE_TMP | sort | uniq >> $OUTPUT_FILE # append to file to not overwrite routes from other sources
-
-echo -e '\n#\n# Complete.\n#\n'
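Review bot: The kept `description` on `routes_script` has a typo (`Sript`) and points readers at `var.routes_file_to_append`, which is not a variable of this module: the path comes in as `var.tailscale_advertise_routes_from_file_on_host` (declared in this module's variables.tf and set by tailscale-install-scripts), and `routes_file_to_append` was only the template-argument name used inside the per-vendor script locals. Since the commit already rewrites the vendor-file comment two lines above, it could fix this line as well: `description = "Script to fetch, parse, and save routes to var.tailscale_advertise_routes_from_file_on_host"`.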
diff --git a/terraform/internal-modules/tailscale-advertise-routes/scripts/get-routes-okta.tftpl b/terraform/internal-modules/tailscale-advertise-routes/scripts/get-routes-okta.tftpl
deleted file mode 100644
index a042009..0000000
--- a/terraform/internal-modules/tailscale-advertise-routes/scripts/get-routes-okta.tftpl
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-#
-# Download and parse a json file from the vendor to create a list of routes to advertise
-# by Tailscale. The list is saved appended to a file that may have other routes already added.
-#
-# https://help.okta.com/en-us/content/topics/security/ip-address-allow-listing.htm
-#
-
-echo -e '\n#\n# Beginning Okta routes fetching, parsing, and saving to [${routes_file_to_append}]...\n#\n'
-
-which jq > /dev/null # TODO: move to shared script?
-if [ $? -ne 0 ]; then
- apt-get -qq update
- apt-get -yqq install jq
- echo -e '\n#\n# jq installation complete.\n#\n'
-fi
-
-OUTPUT_FILE_TMP=/tmp/routes-output-okta.txt
-OUTPUT_FILE=${routes_file_to_append}
-
-JSON_FILE=routes-input-okta.json
-curl -s 'https://s3.amazonaws.com/okta-ip-ranges/ip_ranges.json' > $JSON_FILE
-
-%{ for s in tailscale_advertise_okta_cell_names ~}
-jq -r '.${s}.ip_ranges[]' $JSON_FILE >> $OUTPUT_FILE_TMP
-%{ endfor ~}
-
-cat $OUTPUT_FILE_TMP | sort | uniq >> $OUTPUT_FILE # append to file to not overwrite routes from other sources
-
-echo -e '\n#\n# Complete.\n#\n'
diff --git a/terraform/internal-modules/tailscale-advertise-routes/variables.tf b/terraform/internal-modules/tailscale-advertise-routes/variables.tf
index fb88081..aeab852 100644
--- a/terraform/internal-modules/tailscale-advertise-routes/variables.tf
+++ b/terraform/internal-modules/tailscale-advertise-routes/variables.tf
@@ -1,5 +1,5 @@
 /**
- * See other files for vendor-specific variables/outputs - `aws.tf`, `github.tf`, etc.
+ * See other files for vendor-specific variables/outputs - `aws.tf`, etc.
 */
 variable "tailscale_advertise_routes_from_file_on_host" {
diff --git a/terraform/internal-modules/tailscale-install-scripts/main.tf b/terraform/internal-modules/tailscale-install-scripts/main.tf
index 2cf59eb..2b43663 100644
--- a/terraform/internal-modules/tailscale-install-scripts/main.tf
+++ b/terraform/internal-modules/tailscale-install-scripts/main.tf
@@ -54,6 +54,4 @@ module "tailscale-advertise-routes" {
 tailscale_advertise_routes_from_file_on_host = "/root/tailscale-routes-to-advertise.txt"
 tailscale_advertise_aws_service_names = var.tailscale_advertise_aws_service_names
- tailscale_advertise_github_service_names = var.tailscale_advertise_github_service_names
- tailscale_advertise_okta_cell_names = var.tailscale_advertise_okta_cell_names
 }
diff --git a/terraform/internal-modules/tailscale-install-scripts/variables.tf b/terraform/internal-modules/tailscale-install-scripts/variables.tf
index 2192a45..c7206f9 100644
--- a/terraform/internal-modules/tailscale-install-scripts/variables.tf
+++ b/terraform/internal-modules/tailscale-install-scripts/variables.tf
@@ -57,13 +57,3 @@ variable "tailscale_advertise_aws_service_names" {
 type = set(string)
 default = []
 }
-variable "tailscale_advertise_github_service_names" {
- description = "List of GitHub Services to retrieve IP prefixes for - e.g. ['web','api']"
- type = set(string)
- default = []
-}
-variable "tailscale_advertise_okta_cell_names" {
- description = "List of Okta cells to retrieve IP prefixes for - e.g. ['us_cell_1','emea_cell_2']"
- type = set(string)
- default = []
-}
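Review bot: After this change `tailscale_advertise_aws_service_names` is the only remaining SaaS source feeding `/root/tailscale-routes-to-advertise.txt`, so its fetch script deserves the scrutiny the deleted GitHub/Okta templates never got; if get-routes-aws.tftpl follows the same pattern (it is not in this diff), it downloads the vendor JSON with `curl -s` and no `--fail`, runs `jq` over the body unchecked, and appends through a fixed `/tmp/routes-output-*.txt` path while running as root. In that pattern a failed or truncated download silently yields an empty or partial prefix list, and a file pre-created at the predictable /tmp path by any local user would be appended into the routes the node advertises. Worth hardening to `curl -fsS --retry 3 '<url>' > "$JSON_FILE" || exit 1`, `OUTPUT_FILE_TMP=$(mktemp)`, and a per-line CIDR check before the final append; please confirm against aws.tf, which I have not seen.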