From d2ec024e6ac475a0bbd54d395609d39bd243cddc Mon Sep 17 00:00:00 2001
From: Rasmus Wejlgaard
Date: Sun, 21 Jun 2026 18:20:02 +0100
Subject: [PATCH] Give Terraform CI tailnet access for the Proxmox provider

The bpg/proxmox provider has to reach london-a's API and node, which only live on the tailnet, during plan and apply. Add a setup-tailnet composite action (Tailscale via the CI OAuth client + the deploy SSH key in an agent) and use it in the terraform plan/apply and validate workflows. Pin the provider's node SSH address to london-a's Tailscale IP so it isn't reached via the API-reported LAN address.
---
 .github/actions/setup-tailnet/action.yml | 35 ++++++++++++++++++++++++
 .github/workflows/terraform.yml | 16 +++++++++++
 .github/workflows/validate-terraform.yml | 9 ++++++
 terraform/providers.tf | 6 ++++
 4 files changed, 66 insertions(+)
 create mode 100644 .github/actions/setup-tailnet/action.yml

diff --git a/.github/actions/setup-tailnet/action.yml b/.github/actions/setup-tailnet/action.yml
new file mode 100644
index 0000000..740df2d
--- /dev/null
+++ b/.github/actions/setup-tailnet/action.yml
@@ -0,0 +1,35 @@
+name: Set up tailnet + SSH
+description: >-
+  Join Tailscale and load the deploy SSH key into an agent, so tofu's Proxmox
+  (bpg) provider can reach london-a's API and node over the tailnet.
+
+inputs:
+  tailscale-client-id:
+    required: true
+  tailscale-audience:
+    required: true
+  ssh-private-key:
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Tailscale
+      uses: tailscale/github-action@v4
+      with:
+        oauth-client-id: ${{ inputs.tailscale-client-id }}
+        audience: ${{ inputs.tailscale-audience }}
+        tags: tag:ci
+
+    - name: Load SSH key into agent
+      shell: bash
+      run: |
+        mkdir -p ~/.ssh
+        echo "${{ inputs.ssh-private-key }}" > ~/.ssh/id_ed25519
+        chmod 600 ~/.ssh/id_ed25519
+        eval "$(ssh-agent -s)"
+        ssh-add ~/.ssh/id_ed25519
+        # Persist the agent for later steps (bpg uses SSH_AUTH_SOCK).
+        echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
+        echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV"
+        ssh-keyscan -H 100.122.180.98 >> ~/.ssh/known_hosts 2>/dev/null || true
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index af906c8..dfe417d 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -34,6 +34,14 @@ jobs:
       - name: Set backend credentials
         uses: ./.github/actions/tofu-backend-creds
 
+      # Proxmox (bpg) provider reaches london-a over the tailnet.
+      - name: Set up tailnet + SSH
+        uses: ./.github/actions/setup-tailnet
+        with:
+          tailscale-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
+          tailscale-audience: ${{ secrets.TAILSCALE_AUDIENCE }}
+          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+
       - name: tofu init
         working-directory: terraform/
         run: tofu init
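Review bot: The deploy key is expanded straight into the `run:` script body (`echo "${{ inputs.ssh-private-key }}" > ~/.ssh/id_ed25519`) and the file is created under the runner's default umask before the following `chmod 600` tightens it; pass the key through `env:` and create the file under a restrictive umask instead, which also removes the need for the separate chmod. The `ssh-keyscan … 2>/dev/null || true` line then records whatever host key 100.122.180.98 presents at run time and swallows scan failures, so the known_hosts entry adds no host authentication; supplying london-a's host public key as a further input and writing that to known_hosts would pin it, and at minimum dropping `|| true` makes a failed scan fail this step rather than surface later as an opaque provider error. `tailscale/github-action@v4` is a mutable tag, so pinning it to a commit SHA would make the composite action reproducible. The three inputs also lack `description:` fields, which consumers of the action would benefit from.
```yaml
    - name: Load SSH key into agent
      shell: bash
      env:
        SSH_PRIVATE_KEY: ${{ inputs.ssh-private-key }}
      run: |
        mkdir -p -m 700 ~/.ssh
        (umask 077 && printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519)
        # … unchanged: ssh-agent start, ssh-add, SSH_AUTH_SOCK/SSH_AGENT_PID exports …
        ssh-keyscan -H 100.122.180.98 >> ~/.ssh/known_hosts
```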
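Review bot: The new `Set up tailnet + SSH` step hands `secrets.SSH_PRIVATE_KEY` to an action that leaves an ssh-agent running and exported through `GITHUB_ENV` for the rest of the job, and nothing in this hunk stops it or removes the key file; on hosted runners the VM is discarded, but if these jobs ever move to a self-hosted runner an `if: always()` teardown step running `ssh-agent -k` and deleting `~/.ssh/id_ed25519` would be worth adding. If the v4 Tailscale action authenticates with GitHub's OIDC token (the `audience` input suggests so), the job also needs `permissions: id-token: write`; the job header is outside this hunk, so that may already be in place. The same step is added identically at `@@ -69` of this file and at `@@ -61` of validate-terraform.yml, so whichever of these applies should be applied there too.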
@@ -69,6 +77,14 @@ jobs:
       - name: Set backend credentials
         uses: ./.github/actions/tofu-backend-creds
 
+      # Proxmox (bpg) provider reaches london-a over the tailnet.
+      - name: Set up tailnet + SSH
+        uses: ./.github/actions/setup-tailnet
+        with:
+          tailscale-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
+          tailscale-audience: ${{ secrets.TAILSCALE_AUDIENCE }}
+          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+
       - name: tofu init
         working-directory: terraform/
         run: tofu init
diff --git a/.github/workflows/validate-terraform.yml b/.github/workflows/validate-terraform.yml
index ac46c23..8db8999 100644
--- a/.github/workflows/validate-terraform.yml
+++ b/.github/workflows/validate-terraform.yml
@@ -61,6 +61,15 @@ jobs:
         if: github.actor != 'dependabot[bot]'
         uses: ./.github/actions/tofu-backend-creds
 
+      # Proxmox (bpg) provider reaches london-a over the tailnet during plan.
+      - name: Set up tailnet + SSH
+        if: github.actor != 'dependabot[bot]'
+        uses: ./.github/actions/setup-tailnet
+        with:
+          tailscale-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
+          tailscale-audience: ${{ secrets.TAILSCALE_AUDIENCE }}
+          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+
       - name: tofu init
         if: github.actor != 'dependabot[bot]'
         working-directory: terraform/
diff --git a/terraform/providers.tf b/terraform/providers.tf
index 4815924..99c841c 100644
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@@ -60,8 +60,14 @@ provider "proxmox" {
   insecure = true # self-signed PVE cert
 
   # Uploading the cloud-init snippet needs node-level access; SSH to root@london-a.
+  # Pin the node's SSH address to its Tailscale IP (the API-reported LAN IP isn't
+  # reachable from CI runners on the tailnet).
   ssh {
     agent    = true
     username = "root"
+    node {
+      name    = "london-a"
+      address = "100.122.180.98"
+    }
   }
 }
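Review bot: The Tailscale address `100.122.180.98` is now hard-coded in two files, here in `address = "100.122.180.98"` and in the `ssh-keyscan` line of the new setup-tailnet action, so a re-IP of london-a has to be chased down in both. Declaring it once (a `locals` entry or an input variable) and writing `address = local.london_a_tailscale_ip` here, with the same value handed to the composite action as an input, keeps the two in step; if the provider accepts a hostname in `node.address`, london-a's MagicDNS name would avoid the literal IP entirely. The `node` block itself is the right way to pin the SSH endpoint. The `provider "proxmox"` block starts before this hunk.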