Control: Assign Admin roles
Description
Assign user roles for managing Tailscale as appropriate, based on job function and for separation of duties. Tailscale provides multiple user roles that restrict who can modify your tailnet's configurations.
Usage
Run the control in your terminal:
powerpipe control run tailscale_compliance.control.security_best_practices_acl_ssh_admin_roles_assigned
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run tailscale_compliance.control.security_best_practices_acl_ssh_admin_roles_assigned --share
Steampipe Tables
tailscale_acl_ssh
tailscale_tailnet
SQL
with tailnet_all_roles as (
  select
    tailnet_name,
    jsonb_array_elements(users) as all_roles
  from
    tailscale_acl_ssh
  group by
    tailnet_name,
    users
),
aggregate_roles as (
  select
    tailnet_name,
    jsonb_agg(all_roles) as role_agg
  from
    tailnet_all_roles
  group by
    tailnet_name
)
select
  t.tailnet_name as resource,
  case
    when role_agg ?| array [ 'group:admin' ]
      and role_agg ?| array [ 'group:itadmin' ]
      and role_agg ?| array [ 'group:networkadmin' ]
      and role_agg ?| array [ 'group:auditor' ] then 'ok'
    else 'alarm'
  end as status,
  case
    when role_agg ?| array [ 'group:admin' ]
      and role_agg ?| array [ 'group:itadmin' ]
      and role_agg ?| array [ 'group:networkadmin' ]
      and role_agg ?| array [ 'group:auditor' ] then t.tailnet_name || ' has Admin, Network Admin, IT Admin, and Auditor roles assigned.'
    else t.tailnet_name || ' does not have ' || concat_ws(
      ', ',
      case when not (role_agg ?| array [ 'group:admin' ]) :: boolean then 'Admin' end,
      case when not (role_agg ?| array [ 'group:itadmin' ]) :: boolean then 'IT Admin' end,
      case when not (role_agg ?| array [ 'group:networkadmin' ]) :: boolean then 'Network Admin' end,
      case when not (role_agg ?| array [ 'group:auditor' ]) :: boolean then 'Auditor' end
    ) || ' role(s) assigned.'
  end as reason,
  t.tailnet_name
from
  tailscale_tailnet as t
  left join aggregate_roles as r on t.tailnet_name = r.tailnet_name;
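The same role-coverage test, applied offline to a Tailscale ACL policy that has already been loaded as JSON, as an added example that is not part of the Powerpipe mod. It unions the `users` lists of all `ssh` rules (what the query's jsonb_array_elements/jsonb_agg steps do per tailnet) and produces the control's status and reason; the function names, `REQUIRED_ROLES` and the sample policy are assumptions constructed for this example.

```python
# Offline equivalent of the control's SQL check (added example, not mod code).
# Input is a Tailscale ACL policy parsed into a dict; only the `ssh` rules
# and their `users` lists matter here.

# The four groups the control expects across the SSH rules' users, in the
# order the query's concat_ws() lists them when reporting gaps.
REQUIRED_ROLES = {
    "group:admin": "Admin",
    "group:itadmin": "IT Admin",
    "group:networkadmin": "Network Admin",
    "group:auditor": "Auditor",
}


def collect_ssh_users(policy: dict) -> set:
    """Union of `users` across every ssh rule (jsonb_array_elements + jsonb_agg)."""
    users = set()
    for rule in policy.get("ssh", []):
        users.update(rule.get("users", []))
    return users


def evaluate(tailnet_name: str, policy: dict) -> dict:
    """Return the resource/status/reason triple the control emits.

    Note: for a tailnet with no ssh rules the query's left join leaves
    role_agg NULL and concat_ws() yields an empty role list in the reason;
    here all four roles are reported missing instead.
    """
    present = collect_ssh_users(policy)
    missing = [label for role, label in REQUIRED_ROLES.items() if role not in present]
    if not missing:
        reason = f"{tailnet_name} has Admin, Network Admin, IT Admin, and Auditor roles assigned."
        return {"resource": tailnet_name, "status": "ok", "reason": reason}
    reason = f"{tailnet_name} does not have {', '.join(missing)} role(s) assigned."
    return {"resource": tailnet_name, "status": "alarm", "reason": reason}


# Constructed sample policy: only two of the four groups appear in ssh rules.
SAMPLE_POLICY = {
    "ssh": [
        {"action": "accept", "src": ["group:admin"], "dst": ["autogroup:self"],
         "users": ["group:admin", "autogroup:nonroot"]},
        {"action": "check", "src": ["group:auditor"], "dst": ["tag:prod"],
         "users": ["group:auditor"]},
    ]
}

if __name__ == "__main__":
    print(evaluate("example.com", SAMPLE_POLICY))
```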