feat: support extra arguments (#28)

## what
* Allows extra arguments to be passed to the Tailscale daemon and/or the
`tailscale up` command.
* Prints additional info in user data
* Adds some `trivy` ignore rules.

## why
* These extra args were added as a part of my work for ephemeral node
support. Eventually, we don't need this for our case, but it would be
nice to have in terms of long term maintainability.

## references
* N/A

Author: gberenice

.trunk/configs/.prettierignore

@@ -0,0 +1,4 @@
+# `release-please` doesn't generate prettier compliant output, see relevant issues:
+# https://github.com/googleapis/release-please/issues/1902
+# https://github.com/googleapis/release-please/issues/1802
+CHANGELOG.md

.trunk/configs/.trivyignore

@@ -0,0 +1,8 @@
+# Log group is not encrypted
+AVD-AWS-0017
+
+# Bucket does not have versioning enabled
+AVD-AWS-0090
+
+# Bucket does not encrypt data with a customer managed key
+AVD-AWS-0132

README.md

@@ -3,18 +3,30 @@ locals {
   primary_tag              = coalesce(var.primary_tag, module.this.id)
   prefixed_primary_tag     = "tag:${local.primary_tag}"
   prefixed_additional_tags = [for tag in var.additional_tags : "tag:${tag}"]
-  tailscale_tags           = concat([local.prefixed_primary_tag], local.prefixed_additional_tags)
+
+  tailscale_tags = concat([local.prefixed_primary_tag], local.prefixed_additional_tags)
+
+  tailscaled_extra_flags_enabled   = length(var.tailscaled_extra_flags) > 0
+  tailscale_up_extra_flags_enabled = length(var.tailscale_up_extra_flags) > 0
 
   userdata = templatefile("${path.module}/userdata.sh.tmpl", {
-    routes            = join(",", var.advertise_routes)
     authkey           = tailscale_tailnet_key.default.key
+    exit_node_enabled = var.exit_node_enabled
     hostname          = module.this.id
-    tags              = join(",", local.tailscale_tags)
+    routes            = join(",", var.advertise_routes)
     ssh_enabled       = var.ssh_enabled
-    exit_node_enabled = var.exit_node_enabled
+    tags              = join(",", local.tailscale_tags)
+
+    tailscaled_extra_flags_enabled   = local.tailscaled_extra_flags_enabled
+    tailscaled_extra_flags           = join(" ", var.tailscaled_extra_flags)
+    tailscale_up_extra_flags_enabled = local.tailscale_up_extra_flags_enabled
+    tailscale_up_extra_flags         = join(" ", var.tailscale_up_extra_flags)
   })
 }
 
+# Note: `trunk` ignores that this rule is already listed in `.trivyignore` file.
+# Bucket does not have versioning enabled
+# trivy:ignore:AVD-AWS-0090
 module "tailscale_subnet_router" {
   source  = "masterpointio/ssm-agent/aws"
   version = "1.2.0"

main.tf

@@ -1,27 +1,40 @@
 #!/bin/bash -ex
 exec > >(tee /var/log/user-data.log | logger -t user-data -s 2>/dev/console) 2>&1
 
-# Enable ip_forward to allow advertising routes
+echo "Starting user-data script..."
+
+echo "Enabling IP forwarding..."
 echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
 echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
 sudo sysctl -p /etc/sysctl.conf
 
-# Install tailscale
+echo "Installing Tailscale..."
 sudo yum install -y yum-utils
 sudo yum-config-manager --add-repo https://pkgs.tailscale.com/stable/amazon-linux/2/tailscale.repo
 sudo yum install -y tailscale
 
+%{ if tailscaled_extra_flags_enabled == true }
+echo "Exporting FLAGS to environment variable..."
+export FLAGS=${tailscaled_extra_flags}%
+%{ endif }
+
 # Setup tailscale
+echo "Enabling and starting tailscaled service..."
 sudo systemctl enable --now tailscaled
 
-# Wait a few for tailscaled to come up
+echo "Waiting for tailscaled to initialize..."
 sleep 5
 
 # Start tailscale
 # We pass --advertise-tags below even though the authkey being created with those tags should result
 # in the same effect. This is to be more explicit because tailscale tags are a complicated topic.
 sudo tailscale up \
+  %{ if ssh_enabled == true }--ssh%{ endif } \
+  %{ if exit_node_enabled == true }--advertise-exit-node%{ endif } \
+  %{ if tailscale_up_extra_flags_enabled == true }${tailscale_up_extra_flags}%{ endif } \
   --advertise-routes=${routes} \
   --advertise-tags=${tags} \
-  --authkey=${authkey} \
-  --hostname=${hostname}%{ if ssh_enabled == true } --ssh%{ endif }%{ if exit_node_enabled == true } --advertise-exit-node%{ endif }
+  --hostname=${hostname} \
+  --authkey=${authkey}
+
+echo "Tailscale setup completed."

userdata.sh.tmpl

@@ -160,5 +160,23 @@ variable "ephemeral" {
 variable "reusable" {
   default     = true
   type        = bool
-  description = " Indicates if the key is reusable or single-use."
+  description = "Indicates if the key is reusable or single-use."
+}
+
+variable "tailscaled_extra_flags" {
+  default     = []
+  type        = list(string)
+  description = <<-EOT
+  Extra flags to pass to Tailscale daemon for advanced configuration. Example: ["--state=mem:"]
+  See more in the [docs](https://tailscale.com/kb/1278/tailscaled#flags-to-tailscaled).
+  EOT
+}
+
+variable "tailscale_up_extra_flags" {
+  default     = []
+  type        = list(string)
+  description = <<-EOT
+  Extra flags to pass to `tailscale up` for advanced configuration.
+  See more in the [docs](https://tailscale.com/kb/1241/tailscale-up).
+  EOT
 }