Control: Use groups in ACLs

Usage

Run the control in your terminal:

steampipe check tailscale_compliance.control.security_best_practices_tailnet_acl_groups_used

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share tailscale_compliance.control.security_best_practices_tailnet_acl_groups_used

tailscale_tailnet

SQL

with group_names as (
  select
    string_agg(split_part(json_keys, ':', 2), ', ') as gn,
    tailnet_name
  from
    (
      select
        jsonb_object_keys(acl_groups) as json_keys,
        tailnet_name
      from
        tailscale_tailnet
    ) as a
  group by
    a.tailnet_name
)
select
  t.tailnet_name as resource,
  case
    when acl_groups is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when acl_groups is not null then t.tailnet_name || ' uses ACL groups: ' || gn || '.'
    else t.tailnet_name || ' does not use ACL groups.'
  end as reason,
  t.tailnet_name
from
  tailscale_tailnet as t
  left outer join group_names as g on g.tailnet_name = t.tailnet_name;