On-demand Access to Tailscale Resources with Sym

On-demand Access to Tailscale Resources with Sym

Sym provides intelligent approvals as code to keep your engineering velocity up while putting guardrails around risky actions. We’re excited to announce a new integration with Tailscale that extends our approvals capability to new flavors of VPN and SSH access. Tailscale is a mesh VPN that allows you to connect from one device to any other, including your production servers, directly — with an encrypted connection, even behind firewalls.

Tailscale’s powerful ACL system, which is all managed in code, lets you define what nodes your users and groups can access. With Sym’s new Tailscale integration, you can quickly toggle group membership via Slack approval workflows, giving your team seamless temporary-access to sensitive resources.

Chat-based requests to Tailscale resources

Using Sym, end users can request to join a Tailscale group via Slack — for access to a server, or to SSH into a server over Tailscale. You can enable Tailscale access requests from sources other than Slack by integrating the Sym API into your applications.

The request gets routed to the appropriate Slack channel for approval (or approval is fast-tracked using the Sym SDK):

Once approved, the requesting user will have access to the nodes or to SSH to the instances that their escalated Tailscale ACL group gives them access to.

Set up a Tailscale Sym Flow with Terraform

Sym’s platform lets you declare Flow resources using Terraform and provision these using standard infrastructure-as-code pipelines. To make Tailscale really easy to set up, we’ve introduced a few new resource types to the Sym platform: the tailscale Integration, the tailscale Strategy, the tailscale_group Access Target.

Using these three resource types, you can now declare a Flow that will add or remove users from Tailscale groups:

resource "sym_integration" "tailscale" {
  type        = "tailscale"
  external_id = "example.com"  # Your Tailscale network

  settings = {
    api_token_secret = sym_secret.tailscale_api_key.id
  }
}

resource "sym_strategy" "tailscale" {
  type           = "tailscale"
  name           = "main-tailscale-strategy"
  integration_id = sym_integration.tailscale.id
  targets = [sym_target.tailscale_prod_group.id]
}

resource "sym_target" "tailscale_prod_group" {
  type  = "tailscale_group"
  name  = "main-prod-access"
  label = "Prod SSH Access"

  settings = {
    group_name = "prod"
  }
}

User management

Sym will automatically map users from Slack that have the same email address identifying them in Tailscale. If your users aren’t mapped this way, you can use the symflow CLI to manage the user mappings.

Sym, Tailscale, and Okta

Note that for Tailscale customers that use Tailscale’s user & group provisioning for Okta, you also have the option to manage your Sym-based access groups in Okta. With this approach, first use Sym’s Okta integration to set up an access flow for the Okta groups that you’ll push to Tailscale. Then set up your Okta group sync to push the required groups over to Tailscale and configure your ACLs!

Related Posts