Control: Use groups in ACLs
Using groups allows identities to be controlled based on job function. If someone leaves an organization or changes roles, you can adjust the group membership rather than update all of their ACLs.
Run the control in your terminal:
steampipe check tailscale_compliance.control.security_best_practices_tailnet_acl_groups_used
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share tailscale_compliance.control.security_best_practices_tailnet_acl_groups_used
Plugins & Tables
with group_names as (
  select
    string_agg(split_part(json_keys, ':', 2), ', ') as gn,
    tailnet_name
  from (
    select
      jsonb_object_keys(acl_groups) as json_keys,
      tailnet_name
    from
      tailscale_tailnet
  ) as a
  group by
    a.tailnet_name
)
select
  t.tailnet_name as resource,
  case
    when acl_groups is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when acl_groups is not null then t.tailnet_name || ' uses ACL groups: ' || gn || '.'
    else t.tailnet_name || ' does not use ACL groups.'
  end as reason,
  t.tailnet_name
from
  tailscale_tailnet as t
  left outer join group_names as g on g.tailnet_name = t.tailnet_name;
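The query above reads the tailnet's policy through the tailscale_tailnet table. The following Python is an added example, not part of the Steampipe mod, that applies the same check directly to a policy file: it strips the "group:" prefix the way split_part(key, ':', 2) does, reports ok/alarm with the same reason text, and additionally lists ACL rules whose src names an individual user, which is exactly the kind of rule the control's rationale warns you would otherwise have to edit by hand when someone leaves or changes roles. The policy, tailnet name, users and tags are constructed sample values.

```python
import json

# Constructed sample policy in the layout of a Tailscale policy file
# ("groups" and "acls" sections). Users, tags and ports are invented.
SAMPLE_POLICY = json.dumps({
    "groups": {
        "group:engineering": ["alice@example.com", "bob@example.com"],
        "group:oncall": ["bob@example.com"],
    },
    "acls": [
        {"action": "accept", "src": ["group:engineering"], "dst": ["tag:prod:22"]},
        {"action": "accept", "src": ["carol@example.com"], "dst": ["tag:prod:443"]},
        {"action": "accept", "src": ["group:oncall"], "dst": ["*:*"]},
    ],
})


def load_policy(text: str) -> dict:
    """Parse a policy document (plain JSON here; a real file may be HuJSON)."""
    return json.loads(text)


def acl_group_names(policy: dict) -> list:
    """Group names with the 'group:' prefix removed, mirroring split_part(key, ':', 2)."""
    groups = policy.get("groups") or {}
    return sorted(key.split(":", 1)[1] if ":" in key else key for key in groups)


def evaluate_tailnet(tailnet_name: str, policy: dict) -> dict:
    """Produce the control's resource/status/reason row for one tailnet.

    Slightly stricter than the SQL: an empty "groups" object also alarms,
    whereas the query only tests acl_groups is not null.
    """
    names = acl_group_names(policy)
    if names:
        reason = f"{tailnet_name} uses ACL groups: {', '.join(names)}."
        return {"resource": tailnet_name, "status": "ok", "reason": reason}
    return {"resource": tailnet_name, "status": "alarm",
            "reason": f"{tailnet_name} does not use ACL groups."}


def user_bound_rules(policy: dict) -> list:
    """Indexes of ACL rules whose src is an individual user login rather than a
    group, tag, autogroup or wildcard. These rules tie access to a person and
    must be rewritten when that person leaves or changes roles."""
    flagged = []
    for index, rule in enumerate(policy.get("acls") or []):
        for src in rule.get("src", []):
            if src == "*" or src.startswith(("group:", "tag:", "autogroup:")):
                continue
            if "@" in src:  # a bare login such as carol@example.com
                flagged.append(index)
                break
    return flagged


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    print(evaluate_tailnet("example.com", policy))
    for index in user_bound_rules(policy):
        print(f"rule {index} grants access to a user directly: {policy['acls'][index]}")
```

Run it against an exported policy by replacing SAMPLE_POLICY with the file contents; the rules it flags are the ones to move behind a group before relying on group membership as the only place you manage access.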