Skip to content

tailscale-dev/tailscale-acl-combiner

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

42 Commits

.github/workflows

.github/workflows

 
 

testdata

testdata

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

main_test.go

main_test.go

 
 

Repository files navigation

tailscale-acl-combiner

status: experimental

A CLI tool to facilitate delegation of managing Tailscale ACLs across multiple people and teams within an organization. Provide a parent ACL file and a directory for "child" ACL files and all are merged into a single ACL file.

Installation

go install github.com/tailscale-dev/tailscale-acl-combiner@latest

Usage

tailscale-acl-combiner -f <parent-file> -d <directory-of-child-files> -allow <acl-sections-to-allow>
...

Note: the arguments for parent file, directory of child files, and acl sections to allow are all required. This is to prevent accidental omission resulting in an unexpected final file.

Example

Using the testdata directory in this repo:

$ tailscale-acl-combiner \
  -f testdata/input-parent.hujson \
  -d testdata/departments \
  -allow acls,extraDNSRecords,grants,groups,ssh,tests

{
  "acls": [
    // acls from `testdata/input-parent.hujson` and any files found under `testdata/departments`
  ],
  "groups": [
    // groups from `testdata/input-parent.hujson` and any files found under `testdata/departments`
  ],
  // ...
}

Usage in a GitOps workflow

We recommend the following steps when using tailscale-acl-combiner in a GitOps workflow:

  1. Create a new branch in the repo containing your policy files.
  2. Make your change locally.
  3. Use tailscale-acl-combiner to generate an updated file and commit the combined file to your branch.
  4. Open a pull or merge request with your updates and ask a peer to review your changes.
  5. In your GitOps workflow, run tailscale-acl-combiner to generate a new, temporary file and compare to the committed file - e.g. diff -c policy.hujson $RUNNER_TEMP/generated-by-pull-request.hujson.
    1. If differences are found, cancel the workflow and require updates.
    2. If differences are not found, allow the workflow to proceed.
  6. Once the pull request is merged, have the GitOps workflow repeat the generate and compare steps then test and apply the ACL to your Tailnet.

By committing the file you have a versioned artifact to review in the future and revert to if necessary.

See .github/workflows/combine-and-push-acls.yaml.example for an example.

Limitations

  • Top-level objects and arrays are appended, not merged.
    • For example, if one child file has "groups": { "group1": ["user1"] }) and another child has "groups": { "group1": ["user2"] }), the resulting file will have two group1 groups with different members.
    • See the next limitation about Duplicate names.
  • Duplicate names (e.g. "groups": { "group1": [], "group1": [] })) will not result in an error from tailscale-acl-combiner.
  • autoApprovers, derpMap, disableIPv4, OneCGNATRoute, randomizeClientPort, and other network-wide policy settings are only allowed in the provided parent file.

About

A CLI tool to combine multiple Tailscale ACL files into one

Resources

Readme

License

BSD-3-Clause license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

2 stars

Watchers

1 watching

Forks

1 fork
Report repository

Languages