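---
# Just-in-time access to a Tailscale posture attribute.
#
# A requester dispatches the workflow with a device FQDN, a posture
# attribute, a duration and a reason. The `request` job only logs those
# details; the `approve` job is gated by the `tailscale-prod` environment
# (required reviewers) and, once approved, sets the attribute on the device
# with an expiry computed from the requested duration.
#
# Workflow inputs are untrusted text. Every step passes them to the shell
# through `env:` and expands them as quoted variables ("$VAR") instead of
# interpolating `${{ }}` into the script body, so a quote or shell
# metacharacter in an input cannot change the commands that run.
name: 'Tailscale: Just-in-time Access'

# Nothing here uses GITHUB_TOKEN, so grant it no permissions.
permissions: {}

on: # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      source-device:
        description: FQDN of the source device (e.g. cameron.tail0123456.ts.net)
        required: true
        type: string
      posture:
        description: Which posture?
        required: true
        type: choice
        options:
          # "key=value"; split at the first '=' in the "Set device attribute" step.
          # NOTE(review): "prodAcccess" (three c's) is kept as written — confirm it
          # matches the attribute name used in the tailnet policy before relying on it.
          - custom:prodAcccess=true
      amount-of-time:
        description: For how long?
        required: true
        type: choice
        options:
          # Each option must be a phrase GNU `date -d` accepts relative to now.
          - '1 hour'
          - '12 hours'
          - '1 day'
      reason:
        description: Reason for access
        required: true
        type: string

jobs:
  # Writes the request details to the run log so reviewers can see what they
  # are approving. This job has no access to the environment secrets.
  request:
    runs-on: ubuntu-latest
    steps:
      - name: 'Tailscale: Details of Request'
        env:
          SOURCE_DEVICE: ${{ inputs.source-device }}
          POSTURE: ${{ inputs.posture }}
          AMOUNT_OF_TIME: ${{ inputs.amount-of-time }}
          REASON: ${{ inputs.reason }}
        run: |
          echo '####################################################################'
          echo "# Source device: $SOURCE_DEVICE"
          echo "# Posture: $POSTURE"
          echo "# Amount of time: $AMOUNT_OF_TIME"
          echo "# Reason: $REASON"
          echo '####################################################################'

  # Gated by the `tailscale-prod` environment: its required reviewers approve
  # the run before any step below executes. Keep the OAuth client id/secret as
  # environment secrets of `tailscale-prod` so they are only readable here,
  # after approval. Steps share state through $GITHUB_ENV.
  approve:
    runs-on: ubuntu-latest
    environment: tailscale-prod
    needs: [request]
    steps:
      - name: 'Tailscale: Get access token from OAuth Client'
        env:
          CLIENT_ID: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
          CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
        run: |
          # Secrets come from the environment; they are not spliced into the script text.
          # `// empty` turns a missing/null access_token into an empty string so the check below fires.
          TAILSCALE_ACCESS_TOKEN=$(curl --silent --fail --show-error \
            --data-urlencode "client_id=$CLIENT_ID" \
            --data-urlencode "client_secret=$CLIENT_SECRET" \
            https://api.tailscale.com/api/v2/oauth/token \
            | jq -r '.access_token // empty')
          if [[ -z "$TAILSCALE_ACCESS_TOKEN" ]]; then
            echo "::error::OAuth token response did not contain an access_token"
            exit 1
          fi
          # Mask before the token is echoed anywhere, including into GITHUB_ENV.
          echo "::add-mask::$TAILSCALE_ACCESS_TOKEN"
          echo "TAILSCALE_ACCESS_TOKEN=$TAILSCALE_ACCESS_TOKEN" >> "$GITHUB_ENV"

      - name: 'Tailscale: Find device ID from FQDN'
        env:
          SOURCE_DEVICE: ${{ inputs.source-device }}
        run: |
          # --arg hands the FQDN to jq as data; it is never spliced into the filter.
          TAILSCALE_NODE_ID=$(curl --silent --fail --show-error \
            --header "Authorization: Bearer $TAILSCALE_ACCESS_TOKEN" \
            https://api.tailscale.com/api/v2/tailnet/-/devices \
            | jq -r --arg name "$SOURCE_DEVICE" '.devices[] | select(.name == $name) | .nodeId')
          if [[ -z "$TAILSCALE_NODE_ID" ]]; then
            echo "No device id found for hostname [$SOURCE_DEVICE]"
            exit 1
          fi
          # More than one match would write a multi-line value into GITHUB_ENV; refuse instead.
          if [[ "$TAILSCALE_NODE_ID" == *$'\n'* ]]; then
            echo "::error::Hostname [$SOURCE_DEVICE] matched more than one device"
            exit 1
          fi
          echo "::notice::Found device id [${TAILSCALE_NODE_ID}] for hostname [$SOURCE_DEVICE]"
          echo "TAILSCALE_NODE_ID=${TAILSCALE_NODE_ID}" >> "$GITHUB_ENV"

      - name: 'Tailscale: Calculate expiry'
        env:
          AMOUNT_OF_TIME: ${{ inputs.amount-of-time }}
        run: |
          # Expiry is "now + duration" in UTC, formatted as RFC 3339 for the attributes API.
          TAILSCALE_DEVICE_ATTRIBUTE_EXPIRY=$(date -u -d "$AMOUNT_OF_TIME" +'%Y-%m-%dT%H:%M:%SZ')
          echo "::notice::Setting attribute expiry to [${TAILSCALE_DEVICE_ATTRIBUTE_EXPIRY}] - [$AMOUNT_OF_TIME] from now"
          echo "TAILSCALE_DEVICE_ATTRIBUTE_EXPIRY=${TAILSCALE_DEVICE_ATTRIBUTE_EXPIRY}" >> "$GITHUB_ENV"

      - name: 'Tailscale: Set device attribute'
        env:
          POSTURE: ${{ inputs.posture }}
        run: |
          # Split "key=value" at the first '=' only, so a value that itself contains '=' stays whole.
          if [[ "$POSTURE" != *=* ]]; then
            echo "Posture must be of the form key=value, got [$POSTURE]"
            exit 1
          fi
          TAILSCALE_DEVICE_ATTRIBUTE_KEY="${POSTURE%%=*}"
          TAILSCALE_DEVICE_ATTRIBUTE_VALUE="${POSTURE#*=}"
          # Build the body with jq so value and expiry are JSON-escaped, not pasted into a string.
          BODY=$(jq -n \
            --arg value "$TAILSCALE_DEVICE_ATTRIBUTE_VALUE" \
            --arg expiry "$TAILSCALE_DEVICE_ATTRIBUTE_EXPIRY" \
            '{value: $value, expiry: $expiry}')
          curl --silent --fail --show-error \
            --header "Authorization: Bearer $TAILSCALE_ACCESS_TOKEN" \
            --header 'Content-Type: application/json' \
            --data "$BODY" \
            "https://api.tailscale.com/api/v2/device/${TAILSCALE_NODE_ID}/attributes/${TAILSCALE_DEVICE_ATTRIBUTE_KEY}"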