UNPKG

cdk-tailscale-bastion

Version:

Deploys a AWS Bastion Host preconfigured for Tailscale access

108 lines (107 loc) 3.98 kB
import { AmazonLinuxCpuType, BastionHostLinux, IMachineImage, InitElement, InstanceType, ISecurityGroup, IVpc, SubnetSelection } from 'aws-cdk-lib/aws-ec2'; import { ISecret } from 'aws-cdk-lib/aws-secretsmanager'; import { Construct } from 'constructs'; export interface SecretsManagerAuthKey { /** * Secret manager location where the tailscale auth key is stored. Must be in the standard key/value JSON format. */ readonly secret: ISecret; /** * The key of the auth key value located within the provided secret. */ readonly key: string; } export interface TailscaleCredentials { /** * Fetches the Auth Key from secrets manager. This value will be fetched during bastion startup. */ readonly secretsManager?: SecretsManagerAuthKey; /** * Provides an auth key as a plaintext string. * This option will expose the auth key in your CDK template and should only be used with non-reusable keys. * Potentially useful for DevOps runbooks and temporary instances. * * The `cachedInContext` configuration option might be relevant to you if you use this parameter. */ readonly unsafeString?: string; } export interface TailscaleBastionProps { /** * VPC to launch the instance in. */ readonly vpc: IVpc; /** * Credential settings for the tailscale auth key. One type must be used. * Ephemeral keys are recommended. */ readonly tailscaleCredentials: TailscaleCredentials; /** * In which AZ to place the instance within the VPC. * * @default - Random zone. */ readonly availabilityZone?: string; /** * The name of the instance. * * @default 'BastionHostTailscale' */ readonly instanceName?: string; /** * Select the subnets to run the bastion host in. * PUBLIC subnets are used by default to allow for a direct Tailscale connection. DERP nodes will be used in a private subnet. * * @default - PUBLIC subnets of the supplied VPC */ readonly subnetSelection?: SubnetSelection; /** * Security Group to assign to this instance. * * @default - create new security group with no inbound and all outbound traffic allowed */ readonly securityGroup?: ISecurityGroup; /** * Type of instance to launch. * * @default 't3.nano' */ readonly instanceType?: InstanceType; /** * CPU Type of the instance. * * @default AmazonLinuxCpuType.X86_64 */ readonly cpuType?: AmazonLinuxCpuType; /** * Additional cloudformation init actions to perform during startup. */ readonly additionalInit?: InitElement[]; /** * List of incoming routes from Tailscale network. VPC route table will get these targets added. * * @default none */ readonly incomingRoutes?: string[]; /** * Advertise a custom route instead of using the VPC CIDR, used for Tailscale 4via6 support. */ readonly advertiseRoute?: string; /** * Setting this to true will result in the Amazon Linux AMI being cached in `cdk.context.json` and prevent the instance being replaced when the image is updated. * Enable this if you'd like to use non-reusable Tailscale keys, or you'd prefer the instance to remain stable. * Keep in mind that the AMI will grow old over time and is it your responsibility to evict it from the context. * * @default false */ readonly cachedInContext?: boolean; /** * If you want to completely opt out of getting the latest Amazon Linux AMI and instead need to specify one yourself, pass it in here. * We'll use the one you specify instead of the default. */ readonly ami?: IMachineImage; } export declare class TailscaleBastion extends Construct { readonly bastion: BastionHostLinux; constructor(scope: Construct, id: string, props: TailscaleBastionProps); private computeTsKeyCli; }