pulumi-tailscale 1.0.0a1759993309__tar.gz → 1.0.0a1769802536__tar.gz

{pulumi_tailscale-1.0.0a1759993309 → pulumi_tailscale-1.0.0a1769802536}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulumi_tailscale
-Version: 1.0.0a1759993309
+Version: 1.0.0a1769802536
 Summary: A Pulumi package for creating and managing Tailscale cloud resources.
 License: Apache-2.0
 Project-URL: Homepage, https://pulumi.io

{pulumi_tailscale-1.0.0a1759993309 → pulumi_tailscale-1.0.0a1769802536}/pulumi_tailscale/__init__.py

@@ -18,6 +18,7 @@ from .dns_nameservers import *
 from .dns_preferences import *
 from .dns_search_paths import *
 from .dns_split_nameservers import *
+from .federated_identity import *
 from .get4_via6 import *
 from .get_acl import *
 from .get_device import *
@@ -140,6 +141,14 @@ _utilities.register(
    "tailscale:index/dnsSplitNameservers:DnsSplitNameservers": "DnsSplitNameservers"
   }
  },
+ {
+  "pkg": "tailscale",
+  "mod": "index/federatedIdentity",
+  "fqn": "pulumi_tailscale",
+  "classes": {
+   "tailscale:index/federatedIdentity:FederatedIdentity": "FederatedIdentity"
+  }
+ },
  {
   "pkg": "tailscale",
   "mod": "index/logstreamConfiguration",

{pulumi_tailscale-1.0.0a1759993309 → pulumi_tailscale-1.0.0a1769802536}/pulumi_tailscale/acl.py

@@ -25,8 +25,8 @@ class AclArgs:
         """
         The set of arguments for constructing a Acl resource.
         :param pulumi.Input[_builtins.str] acl: The policy that defines which devices and users are allowed to connect in your network. Can be either a JSON or a HuJSON string.
-        :param pulumi.Input[_builtins.bool] overwrite_existing_content: If true, will skip requirement to import acl before allowing changes. Be careful, can cause ACL to be overwritten
-        :param pulumi.Input[_builtins.bool] reset_acl_on_destroy: If true, will reset the ACL for the Tailnet to the default when this resource is destroyed
+        :param pulumi.Input[_builtins.bool] overwrite_existing_content: If true, will skip requirement to import acl before allowing changes. Be careful, can cause the policy file to be overwritten
+        :param pulumi.Input[_builtins.bool] reset_acl_on_destroy: If true, will reset the policy file for the Tailnet to the default when this resource is destroyed
         """
         pulumi.set(__self__, "acl", acl)
         if overwrite_existing_content is not None:
@@ -50,7 +50,7 @@ class AclArgs:
     @pulumi.getter(name="overwriteExistingContent")
     def overwrite_existing_content(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
-        If true, will skip requirement to import acl before allowing changes. Be careful, can cause ACL to be overwritten
+        If true, will skip requirement to import acl before allowing changes. Be careful, can cause the policy file to be overwritten
         """
         return pulumi.get(self, "overwrite_existing_content")
 
@@ -62,7 +62,7 @@ class AclArgs:
     @pulumi.getter(name="resetAclOnDestroy")
     def reset_acl_on_destroy(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
-        If true, will reset the ACL for the Tailnet to the default when this resource is destroyed
+        If true, will reset the policy file for the Tailnet to the default when this resource is destroyed
         """
         return pulumi.get(self, "reset_acl_on_destroy")
 
@@ -80,8 +80,8 @@ class _AclState:
         """
         Input properties used for looking up and filtering Acl resources.
         :param pulumi.Input[_builtins.str] acl: The policy that defines which devices and users are allowed to connect in your network. Can be either a JSON or a HuJSON string.
-        :param pulumi.Input[_builtins.bool] overwrite_existing_content: If true, will skip requirement to import acl before allowing changes. Be careful, can cause ACL to be overwritten
-        :param pulumi.Input[_builtins.bool] reset_acl_on_destroy: If true, will reset the ACL for the Tailnet to the default when this resource is destroyed
+        :param pulumi.Input[_builtins.bool] overwrite_existing_content: If true, will skip requirement to import acl before allowing changes. Be careful, can cause the policy file to be overwritten
+        :param pulumi.Input[_builtins.bool] reset_acl_on_destroy: If true, will reset the policy file for the Tailnet to the default when this resource is destroyed
         """
         if acl is not None:
             pulumi.set(__self__, "acl", acl)
@@ -106,7 +106,7 @@ class _AclState:
     @pulumi.getter(name="overwriteExistingContent")
     def overwrite_existing_content(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
-        If true, will skip requirement to import acl before allowing changes. Be careful, can cause ACL to be overwritten
+        If true, will skip requirement to import acl before allowing changes. Be careful, can cause the policy file to be overwritten
         """
         return pulumi.get(self, "overwrite_existing_content")
 
@@ -118,7 +118,7 @@ class _AclState:
     @pulumi.getter(name="resetAclOnDestroy")
     def reset_acl_on_destroy(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
-        If true, will reset the ACL for the Tailnet to the default when this resource is destroyed
+        If true, will reset the policy file for the Tailnet to the default when this resource is destroyed
         """
         return pulumi.get(self, "reset_acl_on_destroy")
 
@@ -138,9 +138,11 @@ class Acl(pulumi.CustomResource):
                  reset_acl_on_destroy: Optional[pulumi.Input[_builtins.bool]] = None,
                  __props__=None):
         """
-        The acl resource allows you to configure a Tailscale ACL. See https://tailscale.com/kb/1018/acls for more information. Note that this resource will completely overwrite existing ACL contents for a given tailnet.
+        The acl resource allows you to configure a Tailscale policy file. See https://tailscale.com/kb/1395/tailnet-policy-file for more information. Note that this resource will completely overwrite existing policy file contents for a given tailnet.
 
-        If tests are defined in the ACL (the top-level "tests" section), ACL validation will occur before creation and update operations are applied.
+        If tests are defined in the policy file (the top-level "tests" section), policy file validation will occur before creation and update operations are applied.
+
+        > **Note:** The naming of this resource predates Tailscale's usage of the term "policy file" to refer to the centralized configuration file for a tailnet. This resource controls a tailnet's entire policy file and not just the ACLs section within it.
 
         ## Example Usage
 
@@ -150,20 +152,20 @@ class Acl(pulumi.CustomResource):
         import pulumi_tailscale as tailscale
 
         as_json = tailscale.Acl("as_json", acl=json.dumps({
-            "acls": [{
-                "action": "accept",
-                "users": ["*"],
-                "ports": ["*:*"],
+            "grants": [{
+                "src": ["*"],
+                "dst": ["*"],
+                "ip": ["*"],
             }],
         }))
         as_hujson = tailscale.Acl("as_hujson", acl=\"\"\"  {
             // Comments in HuJSON policy are preserved when the policy is applied.
-            "acls": [
+            \\"grants\\": [
               {
                 // Allow all users access to all ports.
-                action = "accept",
-                users  = ["*"],
-                ports  = ["*:*"],
+                \\"src\\" = [\\"*\\"],
+                \\"dst\\" = [\\"*\\"],
+                \\"ip\\"  = [\\"*\\"],
               },
             ],
           }
@@ -172,8 +174,6 @@ class Acl(pulumi.CustomResource):
 
         ## Import
 
-        The `pulumi import` command can be used, for example:
-
         ID doesn't matter.
 
         ```sh
@@ -183,8 +183,8 @@ class Acl(pulumi.CustomResource):
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[_builtins.str] acl: The policy that defines which devices and users are allowed to connect in your network. Can be either a JSON or a HuJSON string.
-        :param pulumi.Input[_builtins.bool] overwrite_existing_content: If true, will skip requirement to import acl before allowing changes. Be careful, can cause ACL to be overwritten
-        :param pulumi.Input[_builtins.bool] reset_acl_on_destroy: If true, will reset the ACL for the Tailnet to the default when this resource is destroyed
+        :param pulumi.Input[_builtins.bool] overwrite_existing_content: If true, will skip requirement to import acl before allowing changes. Be careful, can cause the policy file to be overwritten
+        :param pulumi.Input[_builtins.bool] reset_acl_on_destroy: If true, will reset the policy file for the Tailnet to the default when this resource is destroyed
         """
         ...
     @overload
@@ -193,9 +193,11 @@ class Acl(pulumi.CustomResource):
                  args: AclArgs,
                  opts: Optional[pulumi.ResourceOptions] = None):
         """
-        The acl resource allows you to configure a Tailscale ACL. See https://tailscale.com/kb/1018/acls for more information. Note that this resource will completely overwrite existing ACL contents for a given tailnet.
+        The acl resource allows you to configure a Tailscale policy file. See https://tailscale.com/kb/1395/tailnet-policy-file for more information. Note that this resource will completely overwrite existing policy file contents for a given tailnet.
 
-        If tests are defined in the ACL (the top-level "tests" section), ACL validation will occur before creation and update operations are applied.
+        If tests are defined in the policy file (the top-level "tests" section), policy file validation will occur before creation and update operations are applied.
+
+        > **Note:** The naming of this resource predates Tailscale's usage of the term "policy file" to refer to the centralized configuration file for a tailnet. This resource controls a tailnet's entire policy file and not just the ACLs section within it.
 
         ## Example Usage
 
@@ -205,20 +207,20 @@ class Acl(pulumi.CustomResource):
         import pulumi_tailscale as tailscale
 
         as_json = tailscale.Acl("as_json", acl=json.dumps({
-            "acls": [{
-                "action": "accept",
-                "users": ["*"],
-                "ports": ["*:*"],
+            "grants": [{
+                "src": ["*"],
+                "dst": ["*"],
+                "ip": ["*"],
             }],
         }))
         as_hujson = tailscale.Acl("as_hujson", acl=\"\"\"  {
             // Comments in HuJSON policy are preserved when the policy is applied.
-            "acls": [
+            \\"grants\\": [
               {
                 // Allow all users access to all ports.
-                action = "accept",
-                users  = ["*"],
-                ports  = ["*:*"],
+                \\"src\\" = [\\"*\\"],
+                \\"dst\\" = [\\"*\\"],
+                \\"ip\\"  = [\\"*\\"],
               },
             ],
           }
@@ -227,8 +229,6 @@ class Acl(pulumi.CustomResource):
 
         ## Import
 
-        The `pulumi import` command can be used, for example:
-
         ID doesn't matter.
 
         ```sh
@@ -288,8 +288,8 @@ class Acl(pulumi.CustomResource):
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[_builtins.str] acl: The policy that defines which devices and users are allowed to connect in your network. Can be either a JSON or a HuJSON string.
-        :param pulumi.Input[_builtins.bool] overwrite_existing_content: If true, will skip requirement to import acl before allowing changes. Be careful, can cause ACL to be overwritten
-        :param pulumi.Input[_builtins.bool] reset_acl_on_destroy: If true, will reset the ACL for the Tailnet to the default when this resource is destroyed
+        :param pulumi.Input[_builtins.bool] overwrite_existing_content: If true, will skip requirement to import acl before allowing changes. Be careful, can cause the policy file to be overwritten
+        :param pulumi.Input[_builtins.bool] reset_acl_on_destroy: If true, will reset the policy file for the Tailnet to the default when this resource is destroyed
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
@@ -312,7 +312,7 @@ class Acl(pulumi.CustomResource):
     @pulumi.getter(name="overwriteExistingContent")
     def overwrite_existing_content(self) -> pulumi.Output[Optional[_builtins.bool]]:
         """
-        If true, will skip requirement to import acl before allowing changes. Be careful, can cause ACL to be overwritten
+        If true, will skip requirement to import acl before allowing changes. Be careful, can cause the policy file to be overwritten
         """
         return pulumi.get(self, "overwrite_existing_content")
 
@@ -320,7 +320,7 @@ class Acl(pulumi.CustomResource):
     @pulumi.getter(name="resetAclOnDestroy")
     def reset_acl_on_destroy(self) -> pulumi.Output[Optional[_builtins.bool]]:
         """
-        If true, will reset the ACL for the Tailnet to the default when this resource is destroyed
+        If true, will reset the policy file for the Tailnet to the default when this resource is destroyed
         """
         return pulumi.get(self, "reset_acl_on_destroy")
 

{pulumi_tailscale-1.0.0a1759993309 → pulumi_tailscale-1.0.0a1769802536}/pulumi_tailscale/config/__init__.pyi

@@ -24,24 +24,29 @@ baseUrl: Optional[str]
 The base URL of the Tailscale API. Defaults to https://api.tailscale.com. Can be set via the TAILSCALE_BASE_URL environment variable.
 """
 
+identityToken: Optional[str]
+"""
+The jwt identity token to exchange for a Tailscale API token when using a federated identity client. Can be set via the TAILSCALE_IDENTITY_TOKEN environment variable. Conflicts with 'api_key' and 'oauth_client_secret'.
+"""
+
 oauthClientId: Optional[str]
 """
-The OAuth application's ID when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_ID environment variable. Both 'oauth_client_id' and 'oauth_client_secret' must be set. Conflicts with 'api_key'.
+The OAuth application's ID when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_ID environment variable. Either 'oauth_client_secret' or 'identity_token' must be set alongside 'oauth_client_id'. Conflicts with 'api_key'.
 """
 
 oauthClientSecret: Optional[str]
 """
-The OAuth application's secret when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_SECRET environment variable. Both 'oauth_client_id' and 'oauth_client_secret' must be set. Conflicts with 'api_key'.
+The OAuth application's secret when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_SECRET environment variable. Conflicts with 'api_key' and 'identity_token'.
 """
 
 scopes: Optional[str]
 """
-The OAuth 2.0 scopes to request when for the access token generated using the supplied OAuth client credentials. See https://tailscale.com/kb/1215/oauth-clients/#scopes for available scopes. Only valid when both 'oauth_client_id' and 'oauth_client_secret' are set.
+The OAuth 2.0 scopes to request when generating the access token using the supplied OAuth client credentials. See https://tailscale.com/kb/1215/oauth-clients/#scopes for available scopes. Only valid when both 'oauth_client_id' and 'oauth_client_secret' are set.
 """
 
 tailnet: Optional[str]
 """
-The organization name of the Tailnet in which to perform actions. Can be set via the TAILSCALE_TAILNET environment variable. Default is the tailnet that owns API credentials passed to the provider.
+The tailnet ID. Tailnets created before Oct 2025 can still use the legacy ID, but the Tailnet ID is the preferred identifier. Can be set via the TAILSCALE_TAILNET environment variable. Default is the tailnet that owns API credentials passed to the provider.
 """
 
 userAgent: Optional[str]

{pulumi_tailscale-1.0.0a1759993309 → pulumi_tailscale-1.0.0a1769802536}/pulumi_tailscale/config/vars.py

@@ -34,31 +34,38 @@ class _ExportableConfig(types.ModuleType):
         """
         return __config__.get('baseUrl')
 
+    @_builtins.property
+    def identity_token(self) -> Optional[str]:
+        """
+        The jwt identity token to exchange for a Tailscale API token when using a federated identity client. Can be set via the TAILSCALE_IDENTITY_TOKEN environment variable. Conflicts with 'api_key' and 'oauth_client_secret'.
+        """
+        return __config__.get('identityToken')
+
     @_builtins.property
     def oauth_client_id(self) -> Optional[str]:
         """
-        The OAuth application's ID when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_ID environment variable. Both 'oauth_client_id' and 'oauth_client_secret' must be set. Conflicts with 'api_key'.
+        The OAuth application's ID when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_ID environment variable. Either 'oauth_client_secret' or 'identity_token' must be set alongside 'oauth_client_id'. Conflicts with 'api_key'.
         """
         return __config__.get('oauthClientId')
 
     @_builtins.property
     def oauth_client_secret(self) -> Optional[str]:
         """
-        The OAuth application's secret when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_SECRET environment variable. Both 'oauth_client_id' and 'oauth_client_secret' must be set. Conflicts with 'api_key'.
+        The OAuth application's secret when using OAuth client credentials. Can be set via the TAILSCALE_OAUTH_CLIENT_SECRET environment variable. Conflicts with 'api_key' and 'identity_token'.
         """
         return __config__.get('oauthClientSecret')
 
     @_builtins.property
     def scopes(self) -> Optional[str]:
         """
-        The OAuth 2.0 scopes to request when for the access token generated using the supplied OAuth client credentials. See https://tailscale.com/kb/1215/oauth-clients/#scopes for available scopes. Only valid when both 'oauth_client_id' and 'oauth_client_secret' are set.
+        The OAuth 2.0 scopes to request when generating the access token using the supplied OAuth client credentials. See https://tailscale.com/kb/1215/oauth-clients/#scopes for available scopes. Only valid when both 'oauth_client_id' and 'oauth_client_secret' are set.
         """
         return __config__.get('scopes')
 
     @_builtins.property
     def tailnet(self) -> Optional[str]:
         """
-        The organization name of the Tailnet in which to perform actions. Can be set via the TAILSCALE_TAILNET environment variable. Default is the tailnet that owns API credentials passed to the provider.
+        The tailnet ID. Tailnets created before Oct 2025 can still use the legacy ID, but the Tailnet ID is the preferred identifier. Can be set via the TAILSCALE_TAILNET environment variable. Default is the tailnet that owns API credentials passed to the provider.
         """
         return __config__.get('tailnet')