
Tailscale + Indent Webhook

This guide explains how to deploy an Indent webhook to the cloud for managing access to Tailscale Groups for a single Tailnet. This webhook can be run as an AWS Lambda.

Take a look at our example template on GitHub:

This page assumes that you or someone on your team has already completed the Quickstart. If you haven't already, we would recommend you check it out - it should take 5 minutes. By the end you should have a working Space you can integrate with this webhook.

Prerequisites

Overview

We're going to pull Tailscale Groups into Indent (optionally, you can import groups manually) then set up automated change management. This webhook can only be deployed as an AWS Lambda.

Step 0: Configure your cloud provider

Let's get all the AWS-specific items ready before getting started:

Step 1: Configure the GitHub Repo

Before you deploy these webhooks for the first time, create an S3 bucket to use to store the Terraform state. Add your credentials to the repo as GitHub Secrets.

1. Connecting the S3 bucket

  • Go to AWS S3 and select an existing bucket or create a new one.
  • Select the settings given your environment:
    • Name: easily identifiable name for the bucket (example = indent-deploy-state-123)
    • Region: where you plan to deploy the Lambda (default = us-west-2)
    • Bucket versioning: if you want to have revisions of past deployments (default = disabled)
    • Default encryption: server-side encryption for deployment files (default = Enable)

2. Connecting the AWS credentials

  • Go to AWS IAM → New User and create a new user for deploys, e.g. indent-terraform-deployer
  • Configure the service account access:
    • Credential type: select Access key - Programmatic access
    • Permissions: select Attach existing policies directly and select AdministratorAccess

3. Adding the GitHub Actions secrets. What are GitHub Action Secrets?

| Name | Value |
| --- | --- |
| TAILSCALE_WEBHOOK_SECRET | Get this from your Indent App or an Indent Webhook in the Dashboard. |
| TAILSCALE_PULL_WEBHOOK_SECRET | Get this from the Indent Webhook you created while setting up your space. |
| TAILSCALE_KEY | Your Tailscale API Key. Get this from your Tailscale Administrator Panel. |
| TAILSCALE_TAILNET | The name of your Tailscale network. The network you want to manage with Indent. |
| AWS_REGION | The AWS Region where you want to deploy the webhooks. |
| AWS_ACCESS_KEY_ID | Your Programmatic AWS Access Key ID |
| AWS_SECRET_ACCESS_KEY | Your Programmatic AWS Secret Access Key |
| AWS_SESSION_TOKEN | Optional: Your AWS Session Token. Note: If you use an AWS Session ID you will need to update it for each deployment once the session expires. |

Last, update the file main.tf with the name of your S3 bucket. It should look like this:

terraform {
  backend "s3" {
    encrypt = true
    bucket  = "my-indent-bucket"
    region  = "us-west-2"
    key     = "indent/terraform.tfstate"
  }
}
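
The bucket settings listed under "Connecting the S3 bucket", written as Terraform (an added example, not part of the Indent template). It assumes AWS provider v4 or later and a separate bootstrap directory that keeps its own state locally, because the bucket must exist before the backend "s3" block above can initialise. The bucket name and region are the page's example values, the backend's bucket value must match the name used here, and the public access block goes beyond the listed settings.

```hcl
# Added example: one-time bootstrap for the Terraform state bucket.
# Bucket name and region are example values; replace them with your own.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "us-west-2" # Region: where you plan to deploy the Lambda
}

resource "aws_s3_bucket" "state" {
  bucket = "indent-deploy-state-123" # Name: must match `bucket` in the backend block
}

# Bucket versioning: optional in the settings list. Enabled here so that a
# bad or truncated state write can be rolled back to an earlier revision.
resource "aws_s3_bucket_versioning" "state" {
  bucket = aws_s3_bucket.state.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Default encryption: server-side encryption for every object written.
resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256" # S3-managed keys (SSE-S3)
    }
  }
}

# Not in the settings list: Terraform state stores resource attributes in
# plaintext, so block every form of public access to the bucket.
resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```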

Step 2: Add the webhooks to Indent

  1. Sign into your Indent Space.
  2. Navigate to your Catalog in the sidebar.
  3. Select Tailscale from the catalog. You'll be taken to a new page where you'll create the webhooks.
  4. Write down the signing secrets for use with your new GitHub repository and store them securely.
  5. Click Create webhooks. We'll add the URLs for each webhook in the next step.

Step 3: Deploy the webhooks

  1. In your repository, click Actions in the top menu. You should see at least one workflow run in the list.
  2. Click on the workflow run, then click Re-run all jobs in the top right.
  3. The workflow automatically deploys the webhooks to AWS. If you commit any changes to the main branch of this repository the workflows will redeploy automatically.
  4. After you finish deploying your webhooks, enter the HTTP endpoint from AWS Lambda as the Webhook URL field in your new Webhook.
  5. Save the Webhook.
  6. Go to your Resources and click the dropdown arrow next to New.
  7. Select Pull Update and a modal window appears with a list of resource kinds you can pull.
  8. Choose the slider for Tailscale Groups then press Start Pulling Updates.

The webhook updates your Resources with all the Tailscale Groups for your Tailnet. Now when you search "tailscale" on the Resources page search bar, you will see all your Tailscale Groups as available Resources. Next, you'll automate group membership changes when access is granted or revoked.

Step 4: Configure your Indent policies

  1. Click Apps in the Indent Dashboard and click on your communication app.

  2. Open Access Request Rules and add tailscale.v1.Group to the "Kinds of Resources" your app can manage.

    • Alternatively, you can add individual Groups based on Resource ID in this section.
  3. Configure the approvers for granting access to your Tailscale Groups.

Step 5: Make a test request

  1. Go to Request Access.
  2. Select your Tailscale Group from the dropdown and enter a reason for access.
  3. Once the access is approved, check the group's page to confirm membership.

Congrats! You've just configured requesting and managing Tailscale Group access with Indent.


Import groups manually

  1. Sign into your Indent Space.
  2. Go to your Resources.
  3. Click +New to create a new Resource:
    • Under Resource Kind, type in "tailscale.v1.Group"
    • Enter the name of your Tailscale Group
    • Under Resource ID enter the group name as "group:name"