cdk-tailscale-bastion
Version:
Deploys a AWS Bastion Host preconfigured for Tailscale access
108 lines (107 loc) • 3.98 kB
TypeScript
import { AmazonLinuxCpuType, BastionHostLinux, IMachineImage, InitElement, InstanceType, ISecurityGroup, IVpc, SubnetSelection } from 'aws-cdk-lib/aws-ec2';
import { ISecret } from 'aws-cdk-lib/aws-secretsmanager';
import { Construct } from 'constructs';
export interface SecretsManagerAuthKey {
/**
* Secret manager location where the tailscale auth key is stored. Must be in the standard key/value JSON format.
*/
readonly secret: ISecret;
/**
* The key of the auth key value located within the provided secret.
*/
readonly key: string;
}
export interface TailscaleCredentials {
/**
* Fetches the Auth Key from secrets manager. This value will be fetched during bastion startup.
*/
readonly secretsManager?: SecretsManagerAuthKey;
/**
* Provides an auth key as a plaintext string.
* This option will expose the auth key in your CDK template and should only be used with non-reusable keys.
* Potentially useful for DevOps runbooks and temporary instances.
*
* The `cachedInContext` configuration option might be relevant to you if you use this parameter.
*/
readonly unsafeString?: string;
}
export interface TailscaleBastionProps {
/**
* VPC to launch the instance in.
*/
readonly vpc: IVpc;
/**
* Credential settings for the tailscale auth key. One type must be used.
* Ephemeral keys are recommended.
*/
readonly tailscaleCredentials: TailscaleCredentials;
/**
* In which AZ to place the instance within the VPC.
*
* @default - Random zone.
*/
readonly availabilityZone?: string;
/**
* The name of the instance.
*
* @default 'BastionHostTailscale'
*/
readonly instanceName?: string;
/**
* Select the subnets to run the bastion host in.
* PUBLIC subnets are used by default to allow for a direct Tailscale connection. DERP nodes will be used in a private subnet.
*
* @default - PUBLIC subnets of the supplied VPC
*/
readonly subnetSelection?: SubnetSelection;
/**
* Security Group to assign to this instance.
*
* @default - create new security group with no inbound and all outbound traffic allowed
*/
readonly securityGroup?: ISecurityGroup;
/**
* Type of instance to launch.
*
* @default 't3.nano'
*/
readonly instanceType?: InstanceType;
/**
* CPU Type of the instance.
*
* @default AmazonLinuxCpuType.X86_64
*/
readonly cpuType?: AmazonLinuxCpuType;
/**
* Additional cloudformation init actions to perform during startup.
*/
readonly additionalInit?: InitElement[];
/**
* List of incoming routes from Tailscale network. VPC route table will get these targets added.
*
* @default none
*/
readonly incomingRoutes?: string[];
/**
* Advertise a custom route instead of using the VPC CIDR, used for Tailscale 4via6 support.
*/
readonly advertiseRoute?: string;
/**
* Setting this to true will result in the Amazon Linux AMI being cached in `cdk.context.json` and prevent the instance being replaced when the image is updated.
* Enable this if you'd like to use non-reusable Tailscale keys, or you'd prefer the instance to remain stable.
* Keep in mind that the AMI will grow old over time and is it your responsibility to evict it from the context.
*
* @default false
*/
readonly cachedInContext?: boolean;
/**
* If you want to completely opt out of getting the latest Amazon Linux AMI and instead need to specify one yourself, pass it in here.
* We'll use the one you specify instead of the default.
*/
readonly ami?: IMachineImage;
}
export declare class TailscaleBastion extends Construct {
readonly bastion: BastionHostLinux;
constructor(scope: Construct, id: string, props: TailscaleBastionProps);
private computeTsKeyCli;
}