Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(bastion): add support for app connectors, exit nodes, and configurable tags #120

Merged
merged 7 commits into from
Mar 15, 2024
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
86 changes: 58 additions & 28 deletions provider/pkg/provider/aws/bastion.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,29 +25,31 @@ var (

// The set of arguments for creating a Bastion component resource.
type BastionArgs struct {
VpcID pulumi.StringInput `pulumi:"vpcId"`
SubnetIds pulumi.StringArrayInput `pulumi:"subnetIds"`
TailscaleTags pulumi.StringArrayInput `pulumi:"tailscaleTags"`
Route pulumi.StringInput `pulumi:"route"`
Region pulumi.StringInput `pulumi:"region"`
InstanceType pulumi.StringInput `pulumi:"instanceType"`
HighAvailability bool `pulumi:"highAvailability"`
EnableSSH bool `pulumi:"enableSSH"`
Public bool `pulumi:"public"`
VpcID pulumi.StringInput `pulumi:"vpcId"`
SubnetIds pulumi.StringArrayInput `pulumi:"subnetIds"`
TailscaleTags pulumi.StringArrayInput `pulumi:"tailscaleTags"`
Route pulumi.StringInput `pulumi:"route"`
Region pulumi.StringInput `pulumi:"region"`
InstanceType pulumi.StringInput `pulumi:"instanceType"`
Hostname pulumi.StringInput `pulumi:"hostname"`
HighAvailability bool `pulumi:"highAvailability"`
EnableSSH bool `pulumi:"enableSSH"`
Public bool `pulumi:"public"`
EnableExitNode bool `pulumi:"enableExitNode"`
EnableAppConnector bool `pulumi:"enableAppConnector"`
}

type UserDataArgs struct {
ParameterName string
Route string
Region string
TailscaleTags []string
EnableSSH bool
ParameterName string
Route string
Region string
TailscaleTags string
EnableSSH bool
EnableExitNode bool
EnableAppConnector bool
Hostname string
}

// Join the tags into a CSV
func (uda *UserDataArgs) JoinedTags() string {
return strings.Join(uda.TailscaleTags, ",")
}

// The Bastion component resource.
type Bastion struct {
Expand All @@ -71,21 +73,31 @@ func NewBastion(ctx *pulumi.Context,
return nil, err
}

var hostname pulumi.StringInput

if args.Hostname == nil {
hostname = pulumi.String(name)
} else {
hostname = args.Hostname
}

// create a tailnet key to auth devices
tailnetKey, err := tailscale.NewTailnetKey(ctx, name, &tailscale.TailnetKeyArgs{
Ephemeral: pulumi.Bool(true),
Preauthorized: pulumi.Bool(true),
Reusable: pulumi.Bool(true),
Tags: args.TailscaleTags,
Description: pulumi.Sprintf("Auth key for %s", hostname),
}, pulumi.Parent(component))
if err != nil {
return nil, fmt.Errorf("error creating tailnet key: %v", err)
}

// store the key in an AWS SSM parameter
tailnetKeySsmParameter, err := ssm.NewParameter(ctx, name, &ssm.ParameterArgs{
Type: ssm.ParameterTypeSecureString,
Value: tailnetKey.Key,
Type: ssm.ParameterTypeSecureString,
Value: tailnetKey.Key,
Description: pulumi.Sprintf("Tailscale auth key for %s", hostname),
}, pulumi.Parent(component))
if err != nil {
return nil, fmt.Errorf("error creating SSM parameter: %v", err)
Expand Down Expand Up @@ -263,14 +275,20 @@ func NewBastion(ctx *pulumi.Context,
MostRecent: pulumi.BoolPtr(true),
}, pulumi.Parent(component))

data := pulumi.All(tailnetKeySsmParameter.Name, args.Route, args.Region, args.TailscaleTags, args.EnableSSH).ApplyT(
data := pulumi.All(tailnetKeySsmParameter.Name, args.Route, args.Region, args.TailscaleTags, args.EnableSSH, hostname, args.EnableExitNode, args.EnableAppConnector).ApplyT(
func(args []interface{}) (string, error) {

tagCSV := strings.Join(args[3].([]string), ",")

d := UserDataArgs{
ParameterName: args[0].(string),
Route: args[1].(string),
Region: args[2].(string),
TailscaleTags: args[3].([]string),
EnableSSH: args[4].(bool),
ParameterName: args[0].(string),
Route: args[1].(string),
Region: args[2].(string),
TailscaleTags: tagCSV,
EnableSSH: args[4].(bool),
Hostname: args[5].(string),
EnableExitNode: args[6].(bool),
EnableAppConnector: args[7].(bool),
}

var userDataBytes bytes.Buffer
Expand Down Expand Up @@ -309,8 +327,6 @@ func NewBastion(ctx *pulumi.Context,
PublicKey: key.PublicKeyOpenssh,
}, pulumi.Parent(component))



launchConfiguration, err := ec2.NewLaunchConfiguration(ctx, name, &ec2.LaunchConfigurationArgs{
InstanceType: instanceType,
AssociatePublicIpAddress: pulumi.Bool(args.Public),
Expand All @@ -334,13 +350,27 @@ func NewBastion(ctx *pulumi.Context,
size = 1
}

var instanceRefresh autoscaling.GroupInstanceRefreshPtrInput
if args.HighAvailability {
instanceRefresh = autoscaling.GroupInstanceRefreshArgs{
Strategy: pulumi.String("Rolling"),
Preferences: autoscaling.GroupInstanceRefreshPreferencesArgs{
MinHealthyPercentage: pulumi.Int(50),
},
}

} else {
instanceRefresh = nil
}

asg, err := autoscaling.NewGroup(ctx, name, &autoscaling.GroupArgs{
LaunchConfiguration: launchConfiguration.ID(),
MaxSize: pulumi.Int(size),
MinSize: pulumi.Int(size),
HealthCheckType: pulumi.String("EC2"),
HealthCheckGracePeriod: pulumi.Int(30),
VpcZoneIdentifiers: args.SubnetIds,
InstanceRefresh: instanceRefresh,
Tags: autoscaling.GroupTagArray{
autoscaling.GroupTagArgs{
Key: pulumi.String("Name"),
Expand Down
2 changes: 1 addition & 1 deletion provider/pkg/provider/aws/userdata.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -18,4 +18,4 @@ sudo yum-config-manager --add-repo https://pkgs.tailscale.com/stable/amazon-linu
sudo yum install tailscale -y
sudo systemctl enable --now tailscaled
sleep 10
sudo tailscale up --ssh="{{ .EnableSSH }}" --advertise-tags=tag:bastion --advertise-routes="{{ .Route }}" --authkey=$(aws ssm get-parameter --name {{.ParameterName}} --region {{.Region}} --with-decryption | jq .Parameter.Value -r) --host-routes
sudo tailscale up --advertise-connector="{{ .EnableAppConnector }}" --advertise-exit-node="{{ .EnableExitNode }}" --hostname="{{ .Hostname}}" --ssh="{{ .EnableSSH }}" --advertise-tags="{{ .TailscaleTags}}" --advertise-routes="{{ .Route }}" --authkey=$(aws ssm get-parameter --name {{.ParameterName}} --region {{.Region}} --with-decryption | jq .Parameter.Value -r) --host-routes
17 changes: 17 additions & 0 deletions schema.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,12 @@ description: "A Pulumi package for creating a tailscale bastion in AWS."
repository: "https://github.com/lbrlabs/pulumi-tailscale-bastion"
publisher: "lbrlabs"
displayname: "tailscale-bastion"
keywords:
- aws
- tailscale
- lbrlabs
- kind/component
- category/network
resources:
tailscale-bastion:azure:Bastion:
isComponent: true
Expand Down Expand Up @@ -58,6 +64,9 @@ resources:
tailscale-bastion:aws:Bastion:
isComponent: true
inputProperties:
hostname:
type: string
description: "The hostname of the bastion."
public:
type: boolean
description: "Whether the bastion is going in public subnets."
Expand All @@ -66,6 +75,14 @@ resources:
type: boolean
description: "Whether to enable SSH access to the bastion."
default: true
enableAppConnector:
type: boolean
description: "Whether the bastion advertises itself as an app connector."
default: false
enableExitNode:
type: boolean
description: "Whether the subnet router can advertise itself as an exit node."
default: false
highAvailability:
type: boolean
description: "Whether the bastion should be highly available."
Expand Down
20 changes: 20 additions & 0 deletions sdk/dotnet/TailscaleBastion/Aws/Bastion.cs
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,18 @@ private static ComponentResourceOptions MakeResourceOptions(ComponentResourceOpt

public sealed class BastionArgs : global::Pulumi.ResourceArgs
{
/// <summary>
/// Whether the bastion advertises itself as an app connector.
/// </summary>
[Input("enableAppConnector")]
public Input<bool>? EnableAppConnector { get; set; }

/// <summary>
/// Whether the subnet router can advertise itself as an exit node.
/// </summary>
[Input("enableExitNode")]
public Input<bool>? EnableExitNode { get; set; }

/// <summary>
/// Whether to enable SSH access to the bastion.
/// </summary>
Expand All @@ -66,6 +78,12 @@ public sealed class BastionArgs : global::Pulumi.ResourceArgs
[Input("highAvailability", required: true)]
public Input<bool> HighAvailability { get; set; } = null!;

/// <summary>
/// The hostname of the bastion.
/// </summary>
[Input("hostname")]
public Input<string>? Hostname { get; set; }

/// <summary>
/// The EC2 instance type to use for the bastion.
/// </summary>
Expand Down Expand Up @@ -122,6 +140,8 @@ public InputList<string> TailscaleTags

public BastionArgs()
{
EnableAppConnector = false;
EnableExitNode = false;
EnableSSH = true;
HighAvailability = false;
Public = false;
Expand Down
18 changes: 18 additions & 0 deletions sdk/go/bastion/aws/bastion.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

15 changes: 15 additions & 0 deletions sdk/nodejs/aws/bastion.ts
Original file line number Diff line number Diff line change
Expand Up @@ -57,8 +57,11 @@ export class Bastion extends pulumi.ComponentResource {
if ((!args || args.vpcId === undefined) && !opts.urn) {
throw new Error("Missing required property 'vpcId'");
}
resourceInputs["enableAppConnector"] = (args ? args.enableAppConnector : undefined) ?? false;
resourceInputs["enableExitNode"] = (args ? args.enableExitNode : undefined) ?? false;
resourceInputs["enableSSH"] = (args ? args.enableSSH : undefined) ?? true;
resourceInputs["highAvailability"] = (args ? args.highAvailability : undefined) ?? false;
resourceInputs["hostname"] = args ? args.hostname : undefined;
resourceInputs["instanceType"] = args ? args.instanceType : undefined;
resourceInputs["public"] = (args ? args.public : undefined) ?? false;
resourceInputs["region"] = args ? args.region : undefined;
Expand All @@ -81,6 +84,14 @@ export class Bastion extends pulumi.ComponentResource {
* The set of arguments for constructing a Bastion resource.
*/
export interface BastionArgs {
/**
* Whether the bastion advertises itself as an app connector.
*/
enableAppConnector?: pulumi.Input<boolean>;
/**
* Whether the subnet router can advertise itself as an exit node.
*/
enableExitNode?: pulumi.Input<boolean>;
/**
* Whether to enable SSH access to the bastion.
*/
Expand All @@ -89,6 +100,10 @@ export interface BastionArgs {
* Whether the bastion should be highly available.
*/
highAvailability: pulumi.Input<boolean>;
/**
* The hostname of the bastion.
*/
hostname?: pulumi.Input<string>;
/**
* The EC2 instance type to use for the bastion.
*/
Expand Down
Loading
Loading