Status: Open
Labels: analysis (Regarding ways to better understand and present data in the graph), module:Tailscale (Related to Tailscale module)
Description
Summary
The Tailscale module currently fetches data from the API, but does not parse or model Grants. This prevents Cartography from answering access questions such as "who can access what" for Tailscale-managed resources.
This feature aims to parse and model Tailscale Grants to surface effective access relationships, similar to what is already implemented for AWS IAM.
Motivation
Understanding identity-to-resource access relationships is a key capability for security teams using Cartography. By modeling Tailscale Grants, users will be able to:
- Query effective access paths across overlay networks.
- Detect overly permissive or misconfigured Grants.
- Build least-privilege analysis, compliance checks, or dynamic policy audits.
Proposed Solution
Note: Tailscale ACLs are now deprecated in favor of Tailscale Grants.
- Parse Tailscale Grants and resolve them into effective identity-to-resource relationships.
- Model relationships using MatchLinks to connect TailscaleUser nodes to the corresponding TailscaleNode or TailscaleService.
- Use directionality and tenant scoping consistent with AWS.
- Follow Cartography’s standard sync pattern (get → transform → load → cleanup), and document the schema.
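As an added illustration of the transform step described above (this is example code, not Cartography's own module, and it does not use MatchLinks or the real Tailscale API shapes), the block below resolves a constructed Tailscale policy's `groups` and `grants` against a constructed node inventory into effective user-to-node edges, and flags grants that reach every node on every port as a simple overly-permissive heuristic:

```python
# Constructed sample policy and device inventory, not real tailnet data.
POLICY = {
    "groups": {"group:eng": ["alice@example.com", "bob@example.com"]},
    "grants": [
        {"src": ["group:eng"], "dst": ["tag:prod"], "ip": ["443"]},
        {"src": ["carol@example.com"], "dst": ["*"], "ip": ["*"]},
    ],
}
NODES = [
    {"id": "n-1", "tags": ["tag:prod"], "user": None},
    {"id": "n-2", "tags": ["tag:dev"], "user": None},
    {"id": "n-3", "tags": [], "user": "alice@example.com"},
]
USERS = ["alice@example.com", "bob@example.com", "carol@example.com"]

def expand_src(sel, groups, users):
    """Expand a grant 'src' selector into the set of user logins it covers."""
    if sel == "*":
        return set(users)
    if sel.startswith("group:"):
        return set(groups.get(sel, []))
    if "@" in sel:
        return {sel}
    return set()  # tag:/autogroup: sources are node-level; not modelled here

def node_matches(sel, node):
    """True if a grant 'dst' selector covers this node (by tag or owning user)."""
    if sel == "*":
        return True
    if sel.startswith("tag:"):
        return sel in node["tags"]
    return "@" in sel and node.get("user") == sel

def transform_grants(policy, nodes, users):
    """Transform step: resolve grants into (user, node_id, grant_index) edges."""
    edges = set()
    for idx, grant in enumerate(policy.get("grants", [])):
        for src in grant.get("src", []):
            for user in expand_src(src, policy.get("groups", {}), users):
                for node in nodes:
                    if any(node_matches(d, node) for d in grant.get("dst", [])):
                        edges.add((user, node["id"], idx))
    return sorted(edges)

def wildcard_grants(policy):
    """Heuristic (assumed definition): grants reaching every node on every port."""
    return [i for i, g in enumerate(policy.get("grants", []))
            if "*" in g.get("dst", []) and "*" in g.get("ip", [])]
```

The returned edges are the kind of tuples a load step would write as user-to-node relationships, with `grant_index` kept so each edge can be traced back to the grant that produced it.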
Additional Context
- The Tailscale module and endpoint integration already exist, but Grants are not yet parsed.
- Related modeling patterns exist in: cartography/intel/aws/iam/
- Background: "IAM: Whatever You Say I Am"
- Reference: Tailscale Grants documentation