This GitHub action lets you manage your Tailscale ACL rules using a GitOps workflow. With this GitHub action you can automatically manage your Tailscale ACLs using a git repository as your source of truth.
Required The name of your tailnet. You can find it by opening the admin panel and copying down the name next to the Tailscale logo in the upper left hand corner of the page.
Required An API key authorized for your tailnet. You can get one in the admin panel.
Please note that API keys will expire in 90 days. Set up a monthly event to rotate your Tailscale API key.
Optional The path to your policy file in the repository. If not set this
defaults to policy.hujson
in the root of your repository.
Required One of test
or apply
. If you set test
, the action will run
ACL tests and not update the ACLs in Tailscale. If you set apply
, the action
will run ACL tests and then update the ACLs in Tailscale. This enables you to
use pull requests to make changes with CI stopping you from pushing a bad change
out to production.
Set up a new GitHub repository that will contain your ACL files. Open the admin
panel ACL editor and copy your rules to
a file in that repo called policy.hujson
.
If you want to change this name to something else, you will need to add the
policy-file
argument to the with
blocks in your GitHub Actions config.
Copy this file to .github/workflows/tailscale.yml
.
name: Tailscale ACL syncing
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
jobs:
acls:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Fetch old version info
id: fetch-old-version
uses: actions/cache@v3
with:
path: .
key: version-cache.json
- name: Deploy ACL
if: github.event_name == 'push'
id: deploy-acl
uses: tailscale/gitops-acl-action@v0.1
with:
api-key: ${{ secrets.TS_API_KEY }}
tailnet: ${{ secrets.TS_TAILNET }}
action: apply
- name: Test ACL
if: github.event_name == 'pull_request'
id: test-acl
uses: tailscale/gitops-acl-action@v0.1
with:
api-key: ${{ secrets.TS_API_KEY }}
tailnet: ${{ secrets.TS_TAILNET }}
action: test
Generate a new API key here.
Set a monthly calendar reminder to renew this key because Tailscale does not currently support API key renewal (this will be updated to support that when that feature is implemented).
Then open the secrets settings for your repo and add two secrets:
TS_API_KEY
: Your Tailscale API key from the earlier stepTS_TAILNET
: Your tailnet's name (it's next to the logo on the upper left-hand corner of the admin panel)
Once you do that, commit the changes and push them to GitHub. You will have CI automatically test and push your ACL changes to Tailscale.