@pulumi/tailscale 0.23.0 → 0.25.0

package/acl.d.ts

@@ -1,8 +1,10 @@
 import * as pulumi from "@pulumi/pulumi";
 /**
- * The acl resource allows you to configure a Tailscale ACL. See https://tailscale.com/kb/1018/acls for more information. Note that this resource will completely overwrite existing ACL contents for a given tailnet.
+ * The acl resource allows you to configure a Tailscale policy file. See https://tailscale.com/kb/1395/tailnet-policy-file for more information. Note that this resource will completely overwrite existing policy file contents for a given tailnet.
  *
- * If tests are defined in the ACL (the top-level "tests" section), ACL validation will occur before creation and update operations are applied.
+ * If tests are defined in the policy file (the top-level "tests" section), policy file validation will occur before creation and update operations are applied.
+ *
+ * > **Note:** The naming of this resource predates Tailscale's usage of the term "policy file" to refer to the centralized configuration file for a tailnet. This resource controls a tailnet's entire policy file and not just the ACLs section within it.
  *
  * ## Example Usage
  *
@@ -11,20 +13,20 @@ import * as pulumi from "@pulumi/pulumi";
  * import * as tailscale from "@pulumi/tailscale";
  *
  * const asJson = new tailscale.Acl("as_json", {acl: JSON.stringify({
- *     acls: [{
- *         action: "accept",
- *         users: ["*"],
- *         ports: ["*:*"],
+ *     grants: [{
+ *         src: ["*"],
+ *         dst: ["*"],
+ *         ip: ["*"],
  *     }],
  * })});
  * const asHujson = new tailscale.Acl("as_hujson", {acl: `  {
  *     // Comments in HuJSON policy are preserved when the policy is applied.
- *     \\"acls\\": [
+ *     \\"grants\\": [
  *       {
  *         // Allow all users access to all ports.
- *         action = \\"accept\\",
- *         users  = [\\"*\\"],
- *         ports  = [\\"*:*\\"],
+ *         \\"src\\": [\\"*\\"],
+ *         \\"dst\\": [\\"*\\"],
+ *         \\"ip\\": [\\"*\\"],
  *       },
  *     ],
  *   }
@@ -33,8 +35,6 @@ import * as pulumi from "@pulumi/pulumi";
  *
  * ## Import
  *
- * The `pulumi import` command can be used, for example:
- *
  * ID doesn't matter.
  *
  * ```sh
@@ -62,11 +62,11 @@ export declare class Acl extends pulumi.CustomResource {
      */
     readonly acl: pulumi.Output<string>;
     /**
-     * If true, will skip requirement to import acl before allowing changes. Be careful, can cause ACL to be overwritten
+     * If true, will skip requirement to import acl before allowing changes. Be careful, can cause the policy file to be overwritten
      */
     readonly overwriteExistingContent: pulumi.Output<boolean | undefined>;
     /**
-     * If true, will reset the ACL for the Tailnet to the default when this resource is destroyed
+     * If true, will reset the policy file for the Tailnet to the default when this resource is destroyed
      */
     readonly resetAclOnDestroy: pulumi.Output<boolean | undefined>;
     /**
@@ -87,11 +87,11 @@ export interface AclState {
      */
     acl?: pulumi.Input<string>;
     /**
-     * If true, will skip requirement to import acl before allowing changes. Be careful, can cause ACL to be overwritten
+     * If true, will skip requirement to import acl before allowing changes. Be careful, can cause the policy file to be overwritten
      */
     overwriteExistingContent?: pulumi.Input<boolean>;
     /**
-     * If true, will reset the ACL for the Tailnet to the default when this resource is destroyed
+     * If true, will reset the policy file for the Tailnet to the default when this resource is destroyed
      */
     resetAclOnDestroy?: pulumi.Input<boolean>;
 }
@@ -104,11 +104,11 @@ export interface AclArgs {
      */
     acl: pulumi.Input<string>;
     /**
-     * If true, will skip requirement to import acl before allowing changes. Be careful, can cause ACL to be overwritten
+     * If true, will skip requirement to import acl before allowing changes. Be careful, can cause the policy file to be overwritten
      */
     overwriteExistingContent?: pulumi.Input<boolean>;
     /**
-     * If true, will reset the ACL for the Tailnet to the default when this resource is destroyed
+     * If true, will reset the policy file for the Tailnet to the default when this resource is destroyed
      */
     resetAclOnDestroy?: pulumi.Input<boolean>;
 }

package/acl.js

@@ -6,9 +6,11 @@ exports.Acl = void 0;
 const pulumi = require("@pulumi/pulumi");
 const utilities = require("./utilities");
 /**
- * The acl resource allows you to configure a Tailscale ACL. See https://tailscale.com/kb/1018/acls for more information. Note that this resource will completely overwrite existing ACL contents for a given tailnet.
+ * The acl resource allows you to configure a Tailscale policy file. See https://tailscale.com/kb/1395/tailnet-policy-file for more information. Note that this resource will completely overwrite existing policy file contents for a given tailnet.
  *
- * If tests are defined in the ACL (the top-level "tests" section), ACL validation will occur before creation and update operations are applied.
+ * If tests are defined in the policy file (the top-level "tests" section), policy file validation will occur before creation and update operations are applied.
+ *
+ * > **Note:** The naming of this resource predates Tailscale's usage of the term "policy file" to refer to the centralized configuration file for a tailnet. This resource controls a tailnet's entire policy file and not just the ACLs section within it.
  *
  * ## Example Usage
  *
@@ -17,20 +19,20 @@ const utilities = require("./utilities");
  * import * as tailscale from "@pulumi/tailscale";
  *
  * const asJson = new tailscale.Acl("as_json", {acl: JSON.stringify({
- *     acls: [{
- *         action: "accept",
- *         users: ["*"],
- *         ports: ["*:*"],
+ *     grants: [{
+ *         src: ["*"],
+ *         dst: ["*"],
+ *         ip: ["*"],
  *     }],
  * })});
  * const asHujson = new tailscale.Acl("as_hujson", {acl: `  {
  *     // Comments in HuJSON policy are preserved when the policy is applied.
- *     \\"acls\\": [
+ *     \\"grants\\": [
  *       {
  *         // Allow all users access to all ports.
- *         action = \\"accept\\",
- *         users  = [\\"*\\"],
- *         ports  = [\\"*:*\\"],
+ *         \\"src\\": [\\"*\\"],
+ *         \\"dst\\": [\\"*\\"],
+ *         \\"ip\\": [\\"*\\"],
  *       },
  *     ],
  *   }
@@ -39,8 +41,6 @@ const utilities = require("./utilities");
  *
  * ## Import
  *
- * The `pulumi import` command can be used, for example:
- *
  * ID doesn't matter.
  *
  * ```sh

package/awsExternalId.d.ts

@@ -1,6 +1,57 @@
 import * as pulumi from "@pulumi/pulumi";
 /**
  * The awsExternalId resource allows you to mint an AWS External ID that Tailscale can use to assume an AWS IAM role that you create for the purposes of allowing Tailscale to stream logs to your S3 bucket. See the logstreamConfiguration resource for more details.
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ * import * as tailscale from "@pulumi/tailscale";
+ *
+ * const prod = new tailscale.AwsExternalId("prod", {});
+ * const tailscaleAssumeRole = aws.index.IamPolicyDocument({
+ *     statement: [{
+ *         actions: ["sts:AssumeRole"],
+ *         principals: [{
+ *             type: "AWS",
+ *             identifiers: [prod.tailscaleAwsAccountId],
+ *         }],
+ *         condition: [{
+ *             test: "StringEquals",
+ *             variable: "sts:ExternalId",
+ *             values: [prod.externalId],
+ *         }],
+ *     }],
+ * });
+ * const logsWriterIamRole = new aws.index.IamRole("logs_writer", {
+ *     name: "logs-writer",
+ *     assumeRolePolicy: tailscaleAssumeRole.json,
+ * });
+ * const configurationLogs = new tailscale.LogstreamConfiguration("configuration_logs", {
+ *     logType: "configuration",
+ *     destinationType: "s3",
+ *     s3Bucket: tailscaleLogs.id,
+ *     s3Region: "us-west-2",
+ *     s3AuthenticationType: "rolearn",
+ *     s3RoleArn: logsWriterIamRole.arn,
+ *     s3ExternalId: prod.externalId,
+ * });
+ * const logsWriter = aws.index.IamPolicyDocument({
+ *     statement: [{
+ *         effect: "Allow",
+ *         actions: ["s3:*"],
+ *         resources: [
+ *             "arn:aws:s3:::example-bucket",
+ *             "arn:aws:s3:::example-bucket/*",
+ *         ],
+ *     }],
+ * });
+ * const logsWriterIamRolePolicy = new aws.index.IamRolePolicy("logs_writer", {
+ *     role: logsWriterIamRole.id,
+ *     policy: logsWriter.json,
+ * });
+ * ```
  */
 export declare class AwsExternalId extends pulumi.CustomResource {
     /**

package/awsExternalId.js

@@ -7,6 +7,57 @@ const pulumi = require("@pulumi/pulumi");
 const utilities = require("./utilities");
 /**
  * The awsExternalId resource allows you to mint an AWS External ID that Tailscale can use to assume an AWS IAM role that you create for the purposes of allowing Tailscale to stream logs to your S3 bucket. See the logstreamConfiguration resource for more details.
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ * import * as tailscale from "@pulumi/tailscale";
+ *
+ * const prod = new tailscale.AwsExternalId("prod", {});
+ * const tailscaleAssumeRole = aws.index.IamPolicyDocument({
+ *     statement: [{
+ *         actions: ["sts:AssumeRole"],
+ *         principals: [{
+ *             type: "AWS",
+ *             identifiers: [prod.tailscaleAwsAccountId],
+ *         }],
+ *         condition: [{
+ *             test: "StringEquals",
+ *             variable: "sts:ExternalId",
+ *             values: [prod.externalId],
+ *         }],
+ *     }],
+ * });
+ * const logsWriterIamRole = new aws.index.IamRole("logs_writer", {
+ *     name: "logs-writer",
+ *     assumeRolePolicy: tailscaleAssumeRole.json,
+ * });
+ * const configurationLogs = new tailscale.LogstreamConfiguration("configuration_logs", {
+ *     logType: "configuration",
+ *     destinationType: "s3",
+ *     s3Bucket: tailscaleLogs.id,
+ *     s3Region: "us-west-2",
+ *     s3AuthenticationType: "rolearn",
+ *     s3RoleArn: logsWriterIamRole.arn,
+ *     s3ExternalId: prod.externalId,
+ * });
+ * const logsWriter = aws.index.IamPolicyDocument({
+ *     statement: [{
+ *         effect: "Allow",
+ *         actions: ["s3:*"],
+ *         resources: [
+ *             "arn:aws:s3:::example-bucket",
+ *             "arn:aws:s3:::example-bucket/*",
+ *         ],
+ *     }],
+ * });
+ * const logsWriterIamRolePolicy = new aws.index.IamRolePolicy("logs_writer", {
+ *     role: logsWriterIamRole.id,
+ *     policy: logsWriter.json,
+ * });
+ * ```
  */
 class AwsExternalId extends pulumi.CustomResource {
     /**

package/awsExternalId.js.map

@@ -1 +1 @@
-{"version":3,"file":"awsExternalId.js","sourceRoot":"","sources":["../awsExternalId.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,yCAAyC;AAEzC;;GAEG;AACH,MAAa,aAAc,SAAQ,MAAM,CAAC,cAAc;IACpD;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAA0B,EAAE,IAAmC;QACxH,OAAO,IAAI,aAAa,CAAC,IAAI,EAAO,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACpE,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,aAAa,CAAC,YAAY,CAAC;IAC9D,CAAC;IAmBD,YAAY,IAAY,EAAE,WAAoD,EAAE,IAAmC;QAC/G,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAA6C,CAAC;YAC5D,cAAc,CAAC,YAAY,CAAC,GAAG,KAAK,EAAE,UAAU,CAAC;YACjD,cAAc,CAAC,uBAAuB,CAAC,GAAG,KAAK,EAAE,qBAAqB,CAAC;SAC1E;aAAM;YACH,MAAM,IAAI,GAAG,WAA4C,CAAC;YAC1D,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,uBAAuB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC/D;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IAClE,CAAC;;AA3DL,sCA4DC;AA9CG,gBAAgB;AACO,0BAAY,GAAG,6CAA6C,CAAC"}
+{"version":3,"file":"awsExternalId.js","sourceRoot":"","sources":["../awsExternalId.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,yCAAyC;AAEzC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AACH,MAAa,aAAc,SAAQ,MAAM,CAAC,cAAc;IACpD;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAA0B,EAAE,IAAmC;QACxH,OAAO,IAAI,aAAa,CAAC,IAAI,EAAO,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACpE,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,aAAa,CAAC,YAAY,CAAC;IAC9D,CAAC;IAmBD,YAAY,IAAY,EAAE,WAAoD,EAAE,IAAmC;QAC/G,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAA6C,CAAC;YAC5D,cAAc,CAAC,YAAY,CAAC,GAAG,KAAK,EAAE,UAAU,CAAC;YACjD,cAAc,CAAC,uBAAuB,CAAC,GAAG,KAAK,EAAE,qBAAqB,CAAC;SAC1E;aAAM;YACH,MAAM,IAAI,GAAG,WAA4C,CAAC;YAC1D,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,uBAAuB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC/D;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IAClE,CAAC;;AA3DL,sCA4DC;AA9CG,gBAAgB;AACO,0BAAY,GAAG,6CAA6C,CAAC"}

package/federatedIdentity.d.ts

@@ -0,0 +1,182 @@
+import * as pulumi from "@pulumi/pulumi";
+/**
+ * The federatedIdentity resource allows you to create federated identities to programmatically interact with the Tailscale API using workload identity federation.
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as tailscale from "@pulumi/tailscale";
+ *
+ * const exampleFederatedIdentity = new tailscale.FederatedIdentity("example_federated_identity", {
+ *     description: "Example federated identity",
+ *     scopes: [
+ *         "auth_keys",
+ *         "devices:core",
+ *     ],
+ *     tags: ["tag:test"],
+ *     issuer: "https://example.com",
+ *     subject: "example-sub-*",
+ *     customClaimRules: {
+ *         repo_name: "example-repo-name",
+ *     },
+ * });
+ * ```
+ *
+ * ## Import
+ *
+ * The `pulumi import` command can be used, for example:
+ *
+ * ```sh
+ * $ pulumi import tailscale:index/federatedIdentity:FederatedIdentity example k1234511CNTRL-kZDRvszg8621CNTRL
+ * ```
+ */
+export declare class FederatedIdentity extends pulumi.CustomResource {
+    /**
+     * Get an existing FederatedIdentity resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: FederatedIdentityState, opts?: pulumi.CustomResourceOptions): FederatedIdentity;
+    /**
+     * Returns true if the given object is an instance of FederatedIdentity.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is FederatedIdentity;
+    /**
+     * The value used when matching against the `aud` claim from an OIDC identity token. Specifying the audience is optional as Tailscale will generate a secure audience at creation time by default.   It is recommended to let Tailscale generate the audience unless the identity provider you are integrating with requires a specific audience format.
+     */
+    readonly audience: pulumi.Output<string>;
+    /**
+     * The creation timestamp of the key in RFC3339 format
+     */
+    readonly createdAt: pulumi.Output<string>;
+    /**
+     * A map of claim names to pattern strings used to match against arbitrary claims in the OIDC identity token. Patterns can include `*` characters to match against any character.
+     */
+    readonly customClaimRules: pulumi.Output<{
+        [key: string]: string;
+    } | undefined>;
+    /**
+     * A description of the federated identity consisting of alphanumeric characters. Defaults to `""`.
+     */
+    readonly description: pulumi.Output<string | undefined>;
+    /**
+     * The issuer of the OIDC identity token used in the token exchange. Must be a valid and publicly reachable https:// URL.
+     */
+    readonly issuer: pulumi.Output<string>;
+    /**
+     * Scopes to grant to the federated identity. See https://tailscale.com/kb/1623/ for a list of available scopes.
+     */
+    readonly scopes: pulumi.Output<string[]>;
+    /**
+     * The pattern used when matching against the `sub` claim from an OIDC identity token. Patterns can include `*` characters to match against any character.
+     */
+    readonly subject: pulumi.Output<string>;
+    /**
+     * A list of tags that access tokens generated for the federated identity will be able to assign to devices. Mandatory if the scopes include "devices:core" or "authKeys".
+     */
+    readonly tags: pulumi.Output<string[] | undefined>;
+    /**
+     * The updated timestamp of the key in RFC3339 format
+     */
+    readonly updatedAt: pulumi.Output<string>;
+    /**
+     * ID of the user who created this federated identity, empty for federated identities created by other trust credentials.
+     */
+    readonly userId: pulumi.Output<string>;
+    /**
+     * Create a FederatedIdentity resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: FederatedIdentityArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * Input properties used for looking up and filtering FederatedIdentity resources.
+ */
+export interface FederatedIdentityState {
+    /**
+     * The value used when matching against the `aud` claim from an OIDC identity token. Specifying the audience is optional as Tailscale will generate a secure audience at creation time by default.   It is recommended to let Tailscale generate the audience unless the identity provider you are integrating with requires a specific audience format.
+     */
+    audience?: pulumi.Input<string>;
+    /**
+     * The creation timestamp of the key in RFC3339 format
+     */
+    createdAt?: pulumi.Input<string>;
+    /**
+     * A map of claim names to pattern strings used to match against arbitrary claims in the OIDC identity token. Patterns can include `*` characters to match against any character.
+     */
+    customClaimRules?: pulumi.Input<{
+        [key: string]: pulumi.Input<string>;
+    }>;
+    /**
+     * A description of the federated identity consisting of alphanumeric characters. Defaults to `""`.
+     */
+    description?: pulumi.Input<string>;
+    /**
+     * The issuer of the OIDC identity token used in the token exchange. Must be a valid and publicly reachable https:// URL.
+     */
+    issuer?: pulumi.Input<string>;
+    /**
+     * Scopes to grant to the federated identity. See https://tailscale.com/kb/1623/ for a list of available scopes.
+     */
+    scopes?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The pattern used when matching against the `sub` claim from an OIDC identity token. Patterns can include `*` characters to match against any character.
+     */
+    subject?: pulumi.Input<string>;
+    /**
+     * A list of tags that access tokens generated for the federated identity will be able to assign to devices. Mandatory if the scopes include "devices:core" or "authKeys".
+     */
+    tags?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The updated timestamp of the key in RFC3339 format
+     */
+    updatedAt?: pulumi.Input<string>;
+    /**
+     * ID of the user who created this federated identity, empty for federated identities created by other trust credentials.
+     */
+    userId?: pulumi.Input<string>;
+}
+/**
+ * The set of arguments for constructing a FederatedIdentity resource.
+ */
+export interface FederatedIdentityArgs {
+    /**
+     * The value used when matching against the `aud` claim from an OIDC identity token. Specifying the audience is optional as Tailscale will generate a secure audience at creation time by default.   It is recommended to let Tailscale generate the audience unless the identity provider you are integrating with requires a specific audience format.
+     */
+    audience?: pulumi.Input<string>;
+    /**
+     * A map of claim names to pattern strings used to match against arbitrary claims in the OIDC identity token. Patterns can include `*` characters to match against any character.
+     */
+    customClaimRules?: pulumi.Input<{
+        [key: string]: pulumi.Input<string>;
+    }>;
+    /**
+     * A description of the federated identity consisting of alphanumeric characters. Defaults to `""`.
+     */
+    description?: pulumi.Input<string>;
+    /**
+     * The issuer of the OIDC identity token used in the token exchange. Must be a valid and publicly reachable https:// URL.
+     */
+    issuer: pulumi.Input<string>;
+    /**
+     * Scopes to grant to the federated identity. See https://tailscale.com/kb/1623/ for a list of available scopes.
+     */
+    scopes: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The pattern used when matching against the `sub` claim from an OIDC identity token. Patterns can include `*` characters to match against any character.
+     */
+    subject: pulumi.Input<string>;
+    /**
+     * A list of tags that access tokens generated for the federated identity will be able to assign to devices. Mandatory if the scopes include "devices:core" or "authKeys".
+     */
+    tags?: pulumi.Input<pulumi.Input<string>[]>;
+}

package/federatedIdentity.js

@@ -0,0 +1,108 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FederatedIdentity = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("./utilities");
+/**
+ * The federatedIdentity resource allows you to create federated identities to programmatically interact with the Tailscale API using workload identity federation.
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as tailscale from "@pulumi/tailscale";
+ *
+ * const exampleFederatedIdentity = new tailscale.FederatedIdentity("example_federated_identity", {
+ *     description: "Example federated identity",
+ *     scopes: [
+ *         "auth_keys",
+ *         "devices:core",
+ *     ],
+ *     tags: ["tag:test"],
+ *     issuer: "https://example.com",
+ *     subject: "example-sub-*",
+ *     customClaimRules: {
+ *         repo_name: "example-repo-name",
+ *     },
+ * });
+ * ```
+ *
+ * ## Import
+ *
+ * The `pulumi import` command can be used, for example:
+ *
+ * ```sh
+ * $ pulumi import tailscale:index/federatedIdentity:FederatedIdentity example k1234511CNTRL-kZDRvszg8621CNTRL
+ * ```
+ */
+class FederatedIdentity extends pulumi.CustomResource {
+    /**
+     * Get an existing FederatedIdentity resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, state, opts) {
+        return new FederatedIdentity(name, state, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of FederatedIdentity.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === FederatedIdentity.__pulumiType;
+    }
+    constructor(name, argsOrState, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (opts.id) {
+            const state = argsOrState;
+            resourceInputs["audience"] = state?.audience;
+            resourceInputs["createdAt"] = state?.createdAt;
+            resourceInputs["customClaimRules"] = state?.customClaimRules;
+            resourceInputs["description"] = state?.description;
+            resourceInputs["issuer"] = state?.issuer;
+            resourceInputs["scopes"] = state?.scopes;
+            resourceInputs["subject"] = state?.subject;
+            resourceInputs["tags"] = state?.tags;
+            resourceInputs["updatedAt"] = state?.updatedAt;
+            resourceInputs["userId"] = state?.userId;
+        }
+        else {
+            const args = argsOrState;
+            if (args?.issuer === undefined && !opts.urn) {
+                throw new Error("Missing required property 'issuer'");
+            }
+            if (args?.scopes === undefined && !opts.urn) {
+                throw new Error("Missing required property 'scopes'");
+            }
+            if (args?.subject === undefined && !opts.urn) {
+                throw new Error("Missing required property 'subject'");
+            }
+            resourceInputs["audience"] = args?.audience;
+            resourceInputs["customClaimRules"] = args?.customClaimRules;
+            resourceInputs["description"] = args?.description;
+            resourceInputs["issuer"] = args?.issuer;
+            resourceInputs["scopes"] = args?.scopes;
+            resourceInputs["subject"] = args?.subject;
+            resourceInputs["tags"] = args?.tags;
+            resourceInputs["createdAt"] = undefined /*out*/;
+            resourceInputs["updatedAt"] = undefined /*out*/;
+            resourceInputs["userId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(FederatedIdentity.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.FederatedIdentity = FederatedIdentity;
+/** @internal */
+FederatedIdentity.__pulumiType = 'tailscale:index/federatedIdentity:FederatedIdentity';
+//# sourceMappingURL=federatedIdentity.js.map

package/federatedIdentity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"federatedIdentity.js","sourceRoot":"","sources":["../federatedIdentity.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,yCAAyC;AAEzC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,MAAa,iBAAkB,SAAQ,MAAM,CAAC,cAAc;IACxD;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAA8B,EAAE,IAAmC;QAC5H,OAAO,IAAI,iBAAiB,CAAC,IAAI,EAAO,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACxE,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,iBAAiB,CAAC,YAAY,CAAC;IAClE,CAAC;IAmDD,YAAY,IAAY,EAAE,WAA4D,EAAE,IAAmC;QACvH,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAAiD,CAAC;YAChE,cAAc,CAAC,UAAU,CAAC,GAAG,KAAK,EAAE,QAAQ,CAAC;YAC7C,cAAc,CAAC,WAAW,CAAC,GAAG,KAAK,EAAE,SAAS,CAAC;YAC/C,cAAc,CAAC,kBAAkB,CAAC,GAAG,KAAK,EAAE,gBAAgB,CAAC;YAC7D,cAAc,CAAC,aAAa,CAAC,GAAG,KAAK,EAAE,WAAW,CAAC;YACnD,cAAc,CAAC,QAAQ,CAAC,GAAG,KAAK,EAAE,MAAM,CAAC;YACzC,cAAc,CAAC,QAAQ,CAAC,GAAG,KAAK,EAAE,MAAM,CAAC;YACzC,cAAc,CAAC,SAAS,CAAC,GAAG,KAAK,EAAE,OAAO,CAAC;YAC3C,cAAc,CAAC,MAAM,CAAC,GAAG,KAAK,EAAE,IAAI,CAAC;YACrC,cAAc,CAAC,WAAW,CAAC,GAAG,KAAK,EAAE,SAAS,CAAC;YAC/C,cAAc,CAAC,QAAQ,CAAC,GAAG,KAAK,EAAE,MAAM,CAAC;SAC5C;aAAM;YACH,MAAM,IAAI,GAAG,WAAgD,CAAC;YAC9D,IAAI,IAAI,EAAE,MAAM,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACzC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;aACzD;YACD,IAAI,IAAI,EAAE,MAAM,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACzC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;aACzD;YACD,IAAI,IAAI,EAAE,OAAO,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC1C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;aAC1D;YACD,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC5C,cAAc,CAAC,kBAAkB,CAAC,GAAG,IAAI,EAAE,gBAAgB,CAAC;YAC5D,cAAc,CAAC,aAAa,CAAC,GAAG,IAAI,EAAE,WAAW,CAAC;YAClD,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,IAAI,CAAC;YACpC,cAAc,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAChD,cAAc,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAChD,cAAc,CAAC,QAAQ,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAChD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,iBAAiB,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IACtE,CAAC;;AApHL,8CAqHC;AAvGG,gBAAgB;AACO,8BAAY,GAAG,qDAAqD,CAAC"}

package/getAcl.d.ts

@@ -1,6 +1,8 @@
 import * as pulumi from "@pulumi/pulumi";
 /**
- * The acl data source gets the Tailscale ACL for a tailnet
+ * The acl data source gets the Tailscale policy file for a tailnet
+ *
+ * > **Note:** The naming of this data source predates Tailscale's usage of the term "policy file" to refer to the centralized configuration file for a tailnet. This data source fetches a tailnet's entire policy file and not just the ACLs section within it.
  */
 export declare function getAcl(opts?: pulumi.InvokeOptions): Promise<GetAclResult>;
 /**
@@ -21,6 +23,8 @@ export interface GetAclResult {
     readonly json: string;
 }
 /**
- * The acl data source gets the Tailscale ACL for a tailnet
+ * The acl data source gets the Tailscale policy file for a tailnet
+ *
+ * > **Note:** The naming of this data source predates Tailscale's usage of the term "policy file" to refer to the centralized configuration file for a tailnet. This data source fetches a tailnet's entire policy file and not just the ACLs section within it.
  */
 export declare function getAclOutput(opts?: pulumi.InvokeOutputOptions): pulumi.Output<GetAclResult>;

package/getAcl.js

@@ -6,7 +6,9 @@ exports.getAclOutput = exports.getAcl = void 0;
 const pulumi = require("@pulumi/pulumi");
 const utilities = require("./utilities");
 /**
- * The acl data source gets the Tailscale ACL for a tailnet
+ * The acl data source gets the Tailscale policy file for a tailnet
+ *
+ * > **Note:** The naming of this data source predates Tailscale's usage of the term "policy file" to refer to the centralized configuration file for a tailnet. This data source fetches a tailnet's entire policy file and not just the ACLs section within it.
  */
 function getAcl(opts) {
     opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {});
@@ -14,7 +16,9 @@ function getAcl(opts) {
 }
 exports.getAcl = getAcl;
 /**
- * The acl data source gets the Tailscale ACL for a tailnet
+ * The acl data source gets the Tailscale policy file for a tailnet
+ *
+ * > **Note:** The naming of this data source predates Tailscale's usage of the term "policy file" to refer to the centralized configuration file for a tailnet. This data source fetches a tailnet's entire policy file and not just the ACLs section within it.
  */
 function getAclOutput(opts) {
     opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {});

package/getAcl.js.map

@@ -1 +1 @@
-{"version":3,"file":"getAcl.js","sourceRoot":"","sources":["../getAcl.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,yCAAyC;AAEzC;;GAEG;AACH,SAAgB,MAAM,CAAC,IAA2B;IAC9C,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,+BAA+B,EAAE,EAC7D,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AAJD,wBAIC;AAmBD;;GAEG;AACH,SAAgB,YAAY,CAAC,IAAiC;IAC1D,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,+BAA+B,EAAE,EACnE,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AAJD,oCAIC"}
+{"version":3,"file":"getAcl.js","sourceRoot":"","sources":["../getAcl.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,yCAAyC;AAEzC;;;;GAIG;AACH,SAAgB,MAAM,CAAC,IAA2B;IAC9C,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,+BAA+B,EAAE,EAC7D,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AAJD,wBAIC;AAmBD;;;;GAIG;AACH,SAAgB,YAAY,CAAC,IAAiC;IAC1D,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,+BAA+B,EAAE,EACnE,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AAJD,oCAIC"}