These Terraform configuration files will deploy two droplets (VMs) into DigitalOcean:
- One droplet to act as a Tailscale subnet router
- Another to act as a client reachable via said subnet router
I opted for DigitalOcean because it is a simple cloud provider and Terraform provides a stable and reproducible mechanism to create this environment.
Possible future improvements:

- Implement a more secure method of passing secrets to the Terraform configuration, for example by leveraging HashiCorp Vault or a different cloud provider with proper secrets storage.
- Make the configuration flexible enough to deploy multiple droplets, in varying regions.

Security notes:

- See the improved security measures above!
- Store your Terraform state file in a remote location, such as an S3 bucket. Saving Terraform state files locally is risky and an easy way to lose them.
You will need the following before beginning:
- A DigitalOcean access token with permission to create droplets
- A Tailscale auth key
- A device with Terraform installed that is connected to your tailnet

Deployment steps:

- Initialize Terraform.

  ```shell
  terraform init
  ```

- Plan your deployment and confirm Terraform intends to create two resources.

  ```shell
  terraform plan
  ```

- Apply the configuration, passing your DigitalOcean access token and Tailscale auth key as variables.

  ```shell
  terraform apply -var="do_token=<DO_TOKEN>" -var="ts_auth_key=<TS_AUTH_KEY>"
  ```

- Within Tailscale, adjust your ACL to grant access to the `default-tor1` VPC and ensure the subnet router is auto-approved to advertise the VPC.

  ```jsonc
  {
    "grants": [
      {
        "src": ["*"],
        "dst": ["10.118.0.0/20"],
        "ip": ["*"],
      },
    ],
    "autoApprovers": {
      "routes": {
        "10.118.0.0/20": ["autogroup:admin"],
      },
    },
  }
  ```

  (`"src": ["*"]` grants every device on the tailnet access to the whole VPC range; narrow it to a group or tag for anything beyond a lab.)

- Output the private IP address of the `client` VM.

  ```shell
  terraform output
  ```

- Traceroute to the private IP, and confirm it goes via the subnet router.

  ```shell
  traceroute <INSERT_IP>
  ```
Claude was used to generate some of the Terraform configuration in this repository. This was done for efficiency purposes.