fix cidr validation & suport exit node setting

.gitignore

@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

files/acl.hujson.tftpl

@@ -11,7 +11,7 @@
     "autoApprovers": {
         "routes": {
             %{~ for route in routes ~}
-            "${route}": ["group:admin", "${tag}"],
+            "${route}": ["${tag}"],
             %{~ endfor ~}
         },
         "exitNode": ["${tag}"]

files/relay-init.sh.tftpl

@@ -3,4 +3,4 @@ echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
 echo 'net.ipv6.conf.all.forwarding = 1' >> /etc/sysctl.conf
 sysctl -p /etc/sysctl.conf
 curl -fsSL https://gist.githubusercontent.com/bdeshi/ba8fed1b5d357320d0314e8380c58454/raw/4978c0b60443e448607b59bc67c09f1dbbac9a56/tailscale-install.sh | sh
-tailscale up %{ if length(routes) > 0 } --advertise-routes "${join(",", routes)}" %{ endif } --authkey "${auth_key}" --accept-dns=false
+tailscale up %{ if length(routes) > 0 } --advertise-routes "${join(",", routes)}" %{ endif } %{ if exit_node } --advertise-exit-node %{ endif } --authkey "${auth_key}" --accept-dns=false

tailscale-server.tf

@@ -19,6 +19,7 @@ resource "aws_instance" "tailscale" {
   user_data = templatefile("${path.module}/files/relay-init.sh.tftpl", {
     routes   = local.tailscale_routes
     auth_key = tailscale_tailnet_key.relay_auth.key
+    exit_node = var.advertise_exit_node
   })
   tags = {
     Name = "tailscale"

variables.tf

@@ -66,9 +66,9 @@ variable "additional_routes" {
   default     = []
   description = "The routes in addition to selected VPC's routes, to add to the tailscale network."
   validation {
-    condition = length(var.additional_routes) == 0 ? true : alltrue([
+    condition = alltrue([
       for route in var.additional_routes :
-      regex("^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}/\\d{1,2}$", route)
+      can(regex("^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}/\\d{1,2}$", route))
     ])
     error_message = "routes must be in CIDR format."
   }
@@ -93,9 +93,15 @@ variable "advertise_routes" {
   description = "Whether to advertise the tailscale server's subnet routes to clients."
 }
 
-variable "enable_tailscale_ssh" {
+variable "advertise_exit_node" {
   type        = bool
   default     = true
+  description = "Whether to advertise the tailscale server as an exit node."
+}
+
+variable "enable_tailscale_ssh" {
+  type        = bool
+  default     = false
   description = "Whether to enable ssh-over-tailscale for tailscale network nodes."
 }