tailscale-policy: scaffold terraform module + coily verb #136

Closed
opened 2026-05-26 17:53:55 +00:00 by coilysiren · 0 comments
Owner

Problem

Bootstrap the new `terraform/tailscale-policy/` module (scoped sub-task of coilysiren/infrastructure#134). Just the scaffolding - module files, runner script, coily verb. The actual `terraform import` + `apply` happens in a follow-up commit once Kai reviews the planned diff.

Change

  • `terraform/tailscale-policy/main.tf` - `tailscale_acl.policy` body (currently a verbatim transcription of the dumped state, so the post-import diff is additive only) + `tailscale_device_tags.physical` for_each over `devices.yaml`.
  • `terraform/tailscale-policy/devices.yaml` - four physical hosts, each with `tag:server` (preserved), `tag:physical`, per-host tag.
  • `terraform/tailscale-policy/README.md` - bootstrap sequence + tag model docs.
  • `scripts/k8s/terraform_tailscale_policy.py` - standard `terraform_run` wrapper plus an `import-acl` action that runs `terraform import tailscale_acl.policy -` to adopt current state on first run.
  • `Makefile` + `.coily/coily.yaml` - new `terraform-tailscale-policy` verb.

Reuses `tailscale_admin_oauth_env()` from `scripts/_lib.py`.

Next

  • coilysiren/infrastructure#134 itself stays open until `terraform apply` lands and the tag assignments are verified in the admin console.
  • Separate follow-up will extend `terraform/tailscale-devices/` to mint keys with per-service + host tags.

Filed by Claude.
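The `tailscale_device_tags.physical` for_each over `devices.yaml` described above, written out as an added example; this is not the module from the repository. It assumes a `devices.yaml` with a top-level `physical` map keyed by hostname (sample shown in the comment), a `var.tailnet_dns_suffix` for the `tailscale_device` data-source lookup, and an ACL body read from a `policy.hujson` file instead of an inline string. The precondition enforces the tag model from the issue: every physical host must keep `tag:server`, gain `tag:physical`, and carry its own per-host tag, so a typo in the YAML cannot silently strip the tag that existing ACL grants match on.

```hcl
# Constructed sample devices.yaml (hostnames are placeholders):
#
# physical:
#   host-a: { tags: ["tag:server", "tag:physical", "tag:host-a"] }
#   host-b: { tags: ["tag:server", "tag:physical", "tag:host-b"] }

variable "tailnet_dns_suffix" {
  description = "MagicDNS suffix used to resolve a hostname to a device (assumed variable)."
  type        = string
  default     = "example.ts.net" # placeholder
}

locals {
  devices = yamldecode(file("${path.module}/devices.yaml")).physical

  # Tags every physical host is required to carry: tag:server is preserved
  # so existing ACL rules keep matching, tag:physical groups the hardware,
  # and tag:<hostname> gives each box an individual handle.
  required_tags = {
    for name, _ in local.devices :
    name => toset(["tag:server", "tag:physical", "tag:${name}"])
  }
}

# ACL body kept as a file (assumption; the issue describes it inline in main.tf).
resource "tailscale_acl" "policy" {
  acl = file("${path.module}/policy.hujson")
}

# Resolve each hostname to its device id via the provider's data source.
data "tailscale_device" "physical" {
  for_each = local.devices
  name     = "${each.key}.${var.tailnet_dns_suffix}"
}

resource "tailscale_device_tags" "physical" {
  for_each  = local.devices
  device_id = data.tailscale_device.physical[each.key].id
  tags      = each.value.tags

  # tagOwners for the new tags must exist in the ACL before a device can be
  # tagged, so order the tag assignment after the policy resource.
  depends_on = [tailscale_acl.policy]

  lifecycle {
    precondition {
      condition = length(setsubtract(
        local.required_tags[each.key],
        toset(each.value.tags),
      )) == 0
      error_message = "Host ${each.key} must keep tag:server and carry tag:physical and tag:${each.key}."
    }
  }
}
```

After `terraform import tailscale_acl.policy -` the first `terraform plan` should show no changes to `tailscale_acl.policy` (the body is a verbatim transcription of current state) and only additive `tailscale_device_tags.physical[...]` resources; a plan that proposes removing tags from any host is the signal to stop and re-check `devices.yaml` before apply.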

Reference
coilyco-flight-deck/infrastructure#136