bendwyer · bendwyer · Mar 9, 2025 · Mar 9, 2025 · Mar 9, 2025 · Mar 9, 2025
diff --git a/README.md b/README.md
@@ -3,7 +3,10 @@
 Terraform module for deploying a Tailscale exit node on AWS Lightsail.
 
 > [!WARNING]\
-> This module requires a tag defined in Tailscale access controls.
+> This module requires a tag defined in Tailscale Access Controls.
+
+> [!WARNING]\
+> This module requires an OAuth client with at least the following scopes: `devices:core=write`, `keys:auth-keys=write`.
 
 ## Usage
 
@@ -17,25 +20,17 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 5.0"
     }
-    tailscale = {
-      source  = "tailscale/tailscale"
-      version = "~> 0.0"
-    }
-    time = {
-      source  = "hashicorp/time"
-      version = "~> 0.0"
-    }
   }
 }
 
 provider "aws" {
-  region = "eu-central-1"
+  region = var.lightsail_region
 }
 
-provider "tailscale" {}
-
 module "exit_node" {
   source = "github.com/bendwyer/terraform-aws-lightsail-tailscale-exit-node"
+
+  lightsail_instance_name = "vpn-${var.lightsail_region}"
 }
 ```
 
@@ -49,19 +44,11 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 5.0"
     }
-    tailscale = {
-      source  = "tailscale/tailscale"
-      version = "~> 0.0"
-    }
-    time = {
-      source  = "hashicorp/time"
-      version = "~> 0.0"
-    }
   }
 }
 
 provider "aws" {
-  region = "eu-central-1"
+  region = var.lightsail_region
 }
 
 provider "aws" {
@@ -74,18 +61,22 @@ provider "aws" {
   region = "us-east-1"
 }
 
-provider "tailscale" {}
-
 module "de_exit_node" {
   source = "github.com/bendwyer/terraform-aws-lightsail-tailscale-exit-node"
+
+  lightsail_instance_name = "vpn-${var.lightsail_region}"
 }
 
 module "jp_exit_node" {
   source = "github.com/bendwyer/terraform-aws-lightsail-tailscale-exit-node"
+
   providers = {
     aws = aws.jp
   }
-  lightsail_region = "ap-northeast-1"
+
+  lightsail_instance_name        = "vpn-ap-northeast-1"
+  lightsail_region               = "ap-northeast-1"
+  lightsail_region_friendly_name = "tokyo"
 }
 
 module "us_exit_node" {
@@ -94,7 +85,10 @@ module "us_exit_node" {
   providers = {
     aws = aws.us
   }
-  lightsail_region = "us-east-1"
+
+  lightsail_instance_name        = "vpn-us-east-1"
+  lightsail_region               = "us-east-1"
+  lightsail_region_friendly_name = "ohio"
 }
 ```
 
@@ -112,15 +106,11 @@ terraform {
       source  = "tailscale/tailscale"
       version = "~> 0.0"
     }
-    time = {
-      source  = "hashicorp/time"
-      version = "~> 0.0"
-    }
   }
 }
 
 provider "aws" {
-  region = "eu-central-1"
+  region = var.lightsail_region
 }
 
 provider "aws" {
@@ -137,12 +127,15 @@ provider "tailscale" {}
 
 resource "tailscale_acl" "this" {
   acl = templatefile("${path.root}/acl.json.tftpl", {
-    tailscale_exit_node_tag_name = "exit"
+    tailscale_exit_node_tag = var.tailscale_exit_node_tag
   })
+  reset_acl_on_destroy = true
 }
 
 module "de_exit_node" {
   source = "github.com/bendwyer/terraform-aws-lightsail-tailscale-exit-node"
+
+  lightsail_instance_name = "vpn-${var.lightsail_region}"
 }
 
 module "jp_exit_node" {
@@ -151,7 +144,9 @@ module "jp_exit_node" {
   providers = {
     aws = aws.jp
   }
-  lightsail_region = "ap-northeast-1"
+  lightsail_instance_name        = "vpn-ap-northeast-1"
+  lightsail_region               = "ap-northeast-1"
+  lightsail_region_friendly_name = "tokyo"
 }
 
 module "us_exit_node" {
@@ -160,26 +155,25 @@ module "us_exit_node" {
   providers = {
     aws = aws.us
   }
-  lightsail_region = "us-east-1"
+
+  lightsail_instance_name        = "vpn-us-east-1"
+  lightsail_region               = "us-east-1"
+  lightsail_region_friendly_name = "ohio"
 }
 ```
 
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.10.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >=5.37.0 |
-| <a name="requirement_tailscale"></a> [tailscale](#requirement\_tailscale) | >=0.13.13 |
-| <a name="requirement_time"></a> [time](#requirement\_time) | >=0.10.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >=5.37.0 |
-| <a name="provider_tailscale"></a> [tailscale](#provider\_tailscale) | >=0.13.13 |
-| <a name="provider_time"></a> [time](#provider\_time) | >=0.10.0 |
 
 
 
@@ -189,16 +183,21 @@ module "us_exit_node" {
 |------|------|
 | [aws_lightsail_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lightsail_instance) | resource |
 | [aws_lightsail_instance_public_ports.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lightsail_instance_public_ports) | resource |
-| [tailscale_tailnet_key.this](https://registry.terraform.io/providers/tailscale/tailscale/latest/docs/resources/tailnet_key) | resource |
-| [time_static.this](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/static) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_lightsail_availability_zone"></a> [lightsail\_availability\_zone](#input\_lightsail\_availability\_zone) | AWS Lightsail availability zone for the AWS Lightsail region. | `string` | `"a"` | no |
+| <a name="input_lightsail_instance_name"></a> [lightsail\_instance\_name](#input\_lightsail\_instance\_name) | Display name for instance in Lightsail dashboard. | `string` | n/a | yes |
+| <a name="input_tailscale_hostname"></a> [tailscale\_hostname](#input\_tailscale\_hostname) | Display name for instance in Tailscale dashboard | `string` | n/a | yes |
+| <a name="input_tailscale_oauth_client_id"></a> [tailscale\_oauth\_client\_id](#input\_tailscale\_oauth\_client\_id) | Tailscale OAuth client ID. | `string` | n/a | yes |
+| <a name="input_tailscale_oauth_client_secret"></a> [tailscale\_oauth\_client\_secret](#input\_tailscale\_oauth\_client\_secret) | Tailscale OAuth client secret. | `string` | n/a | yes |
+| <a name="input_lightsail_availability_zone"></a> [lightsail\_availability\_zone](#input\_lightsail\_availability\_zone) | AWS Lightsail availability zone for AWS Lightsail region. | `string` | `"a"` | no |
+| <a name="input_lightsail_bundle_id"></a> [lightsail\_bundle\_id](#input\_lightsail\_bundle\_id) | AWS Lightsail bundle ID. Determines type of instance to deploy. | `string` | `"nano_3_0"` | no |
 | <a name="input_lightsail_region"></a> [lightsail\_region](#input\_lightsail\_region) | AWS Lightsail region to deploy to. | `string` | `"eu-central-1"` | no |
-| <a name="input_tailscale_exit_node_tag_names"></a> [tailscale\_exit\_node\_tag\_names](#input\_tailscale\_exit\_node\_tag\_names) | Tailscale exit node tag names to associate with ephemeral key. Tag names must be be prefixed with 'tag:' | `set(string)` | <pre>[<br/>  "tag:exit"<br/>]</pre> | no |
+| <a name="input_lightsail_region_friendly_name"></a> [lightsail\_region\_friendly\_name](#input\_lightsail\_region\_friendly\_name) | Friendly name for AWS Lightsail region to deploy to. | `string` | `"frankfurt"` | no |
+| <a name="input_lightsail_tags"></a> [lightsail\_tags](#input\_lightsail\_tags) | A map of key-value pairs used to create AWS Lightsail instance tags. By default no tags will be created. | `map(string)` | `null` | no |
+| <a name="input_tailscale_exit_node_tag"></a> [tailscale\_exit\_node\_tag](#input\_tailscale\_exit\_node\_tag) | Tailscale exit node tag to associate with machine(s). Tag must be be prefixed with 'tag:' | `string` | `"tag:exit"` | no |
 
 ## Outputs
 

diff --git a/examples/acl-with-multiple-exit-nodes/README.md b/examples/acl-with-multiple-exit-nodes/README.md
@@ -1,6 +1,5 @@
 # ACL with multiple exit nodes
 
-This example will deploy multiple Tailscale exit nodes on AWS Lightsail with the following default settings:
-  - `tag:exit` Tailscale tag
+This example will deploy multiple Tailscale exit nodes on AWS Lightsail. The `eu-central-1` deployment uses default settings. The `ap-northeast-1` and `us-east-2` deployments override the default `lightsail_region` and `lightsail_region_friendly_name` settings.
 
 It will also define basic Tailscale access controls and the `tag:exit` tag so they do not need to be manually defined beforehand.
diff --git a/examples/acl-with-multiple-exit-nodes/acl.json.tftpl b/examples/acl-with-multiple-exit-nodes/acl.json.tftpl
@@ -11,13 +11,13 @@
     }
   ],
   "tagOwners": {
-    "tag:${tailscale_exit_node_tag_name}": [
+    "${tailscale_exit_node_tag}": [
       "autogroup:admin"
     ]
   },
   "autoApprovers": {
     "exitNode": [
-      "tag:${tailscale_exit_node_tag_name}"
+      "${tailscale_exit_node_tag}"
     ]
   }
 }
diff --git a/examples/acl-with-multiple-exit-nodes/main.tf b/examples/acl-with-multiple-exit-nodes/main.tf
@@ -9,15 +9,11 @@ terraform {
       source  = "tailscale/tailscale"
       version = "~> 0.0"
     }
-    time = {
-      source  = "hashicorp/time"
-      version = "~> 0.0"
-    }
   }
 }
 
 provider "aws" {
-  region = "eu-central-1"
+  region = var.lightsail_region
 }
 
 provider "aws" {
@@ -34,12 +30,15 @@ provider "tailscale" {}
 
 resource "tailscale_acl" "this" {
   acl = templatefile("${path.root}/acl.json.tftpl", {
-    tailscale_exit_node_tag_name = "exit"
+    tailscale_exit_node_tag = var.tailscale_exit_node_tag
   })
+  reset_acl_on_destroy = true
 }
 
 module "de_exit_node" {
   source = "github.com/bendwyer/terraform-aws-lightsail-tailscale-exit-node"
+
+  lightsail_instance_name = "vpn-${var.lightsail_region}"
 }
 
 module "jp_exit_node" {
@@ -48,7 +47,9 @@ module "jp_exit_node" {
   providers = {
     aws = aws.jp
   }
-  lightsail_region = "ap-northeast-1"
+  lightsail_instance_name        = "vpn-ap-northeast-1"
+  lightsail_region               = "ap-northeast-1"
+  lightsail_region_friendly_name = "tokyo"
 }
 
 module "us_exit_node" {
@@ -57,5 +58,8 @@ module "us_exit_node" {
   providers = {
     aws = aws.us
   }
-  lightsail_region = "us-east-1"
+
+  lightsail_instance_name        = "vpn-us-east-1"
+  lightsail_region               = "us-east-1"
+  lightsail_region_friendly_name = "ohio"
 }
diff --git a/examples/acl-with-multiple-exit-nodes/variables.tf b/examples/acl-with-multiple-exit-nodes/variables.tf
@@ -0,0 +1,11 @@
+variable "lightsail_region" {
+  description = "AWS Lightsail region to deploy to."
+  default     = "eu-central-1"
+  type        = string
+}
+
+variable "tailscale_exit_node_tag" {
+  default     = "tag:exit"
+  description = "Tailscale exit node tag to associate with machine(s). Tag must be be prefixed with 'tag:'"
+  type        = string
+}
diff --git a/examples/multiple-exit-nodes/README.md b/examples/multiple-exit-nodes/README.md
@@ -1,7 +1,6 @@
 # Multiple exit nodes
 
-This example will deploy multiple Tailscale exit nodes on AWS Lightsail with the following default settings:
-  - `tag:exit` Tailscale tag
+This example will deploy multiple Tailscale exit nodes on AWS Lightsail. The `eu-central-1` deployment uses default settings. The `ap-northeast-1` and `us-east-2` deployments override the default `lightsail_region` and `lightsail_region_friendly_name` settings.
 
 > [!WARNING]\
 > This example assumes that `tag:exit` is already defined in the Tailscale access controls. See [Defining a tag](https://tailscale.com/kb/1068/acl-tags#defining-a-tag) for more information.
diff --git a/examples/multiple-exit-nodes/main.tf b/examples/multiple-exit-nodes/main.tf
@@ -5,19 +5,11 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 5.0"
     }
-    tailscale = {
-      source  = "tailscale/tailscale"
-      version = "~> 0.0"
-    }
-    time = {
-      source  = "hashicorp/time"
-      version = "~> 0.0"
-    }
   }
 }
 
 provider "aws" {
-  region = "eu-central-1"
+  region = var.lightsail_region
 }
 
 provider "aws" {
@@ -30,18 +22,22 @@ provider "aws" {
   region = "us-east-1"
 }
 
-provider "tailscale" {}
-
 module "de_exit_node" {
   source = "github.com/bendwyer/terraform-aws-lightsail-tailscale-exit-node"
+
+  lightsail_instance_name = "vpn-${var.lightsail_region}"
 }
 
 module "jp_exit_node" {
   source = "github.com/bendwyer/terraform-aws-lightsail-tailscale-exit-node"
+
   providers = {
     aws = aws.jp
   }
-  lightsail_region = "ap-northeast-1"
+
+  lightsail_instance_name        = "vpn-ap-northeast-1"
+  lightsail_region               = "ap-northeast-1"
+  lightsail_region_friendly_name = "tokyo"
 }
 
 module "us_exit_node" {
@@ -50,5 +46,8 @@ module "us_exit_node" {
   providers = {
     aws = aws.us
   }
-  lightsail_region = "us-east-1"
+
+  lightsail_instance_name        = "vpn-us-east-1"
+  lightsail_region               = "us-east-1"
+  lightsail_region_friendly_name = "ohio"
 }
diff --git a/examples/multiple-exit-nodes/variables.tf b/examples/multiple-exit-nodes/variables.tf
@@ -0,0 +1,5 @@
+variable "lightsail_region" {
+  description = "AWS Lightsail region to deploy to."
+  default     = "eu-central-1"
+  type        = string
+}
diff --git a/examples/single-exit-node/README.md b/examples/single-exit-node/README.md
@@ -1,9 +1,6 @@
 # Single exit node
 
-This example will deploy a single Tailscale exit node on AWS Lightsail with all default settings:
-  - `eu-central-1a` region and availability zone
-  - `tag:exit` Tailscale tag
+This example will deploy a single Tailscale exit node on AWS Lightsail with all default settings.
 
 > [!WARNING]\
-> This example assumes that `tag:exit` is already defined in the Tailscale access controls. See [Defining a tag](https://tailscale.com/kb/1068/acl-tags#defining-a-tag) for more information.
-
+> This example assumes that `tag:exit` is already defined in the Tailscale Access Controls. See [Defining a tag](https://tailscale.com/kb/1068/acl-tags#defining-a-tag) for more information.