turbot/tailscale_compliance

Control: Use groups in ACLs

Description

Using groups allows identities to be controlled based on job function. If someone leaves an organization or changes roles, you can adjust the group membership rather than update all of their ACLs.

Usage

Run the control in your terminal:

powerpipe control run tailscale_compliance.control.security_best_practices_tailnet_acl_groups_used

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run tailscale_compliance.control.security_best_practices_tailnet_acl_groups_used --share

Steampipe Tables

SQL

-- Collect the names of the ACL groups defined on each tailnet.
-- Group keys look like "group:engineering"; split_part(..., ':', 2) keeps "engineering".
with group_names as (
  select
    string_agg(split_part(json_keys, ':', 2), ', ') as gn,
    tailnet_name
  from
    (
      select
        jsonb_object_keys(acl_groups) as json_keys,
        tailnet_name
      from
        tailscale_tailnet
    ) as a
  group by
    a.tailnet_name
)
select
  t.tailnet_name as resource,
  -- g.gn is null both when acl_groups is null and when it is an empty object,
  -- so a tailnet whose policy has "groups": {} is reported as an alarm and the
  -- reason text never concatenates a null group list.
  case
    when g.gn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when g.gn is not null then t.tailnet_name || ' uses ACL groups: ' || g.gn || '.'
    else t.tailnet_name || ' does not use ACL groups.'
  end as reason,
  t.tailnet_name
from
  tailscale_tailnet as t
  left outer join group_names as g on g.tailnet_name = t.tailnet_name;
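As an added example, not part of the mod, the same check applied locally to a constructed Tailscale ACL policy in Python, extended to also flag ACL rules whose src still names a user login directly (those are the rules to migrate to groups). SAMPLE_POLICY, group_names and evaluate are names assumed here.

```python
import json
from typing import List

# Constructed sample policy (not from the page). The shape follows Tailscale's
# policy file: "groups" maps "group:<name>" to member logins, and each "acls"
# rule lists its "src" principals.
SAMPLE_POLICY = json.dumps({
    "groups": {
        "group:engineering": ["alice@example.com", "bob@example.com"],
        "group:sre": ["carol@example.com"],
    },
    "acls": [
        {"action": "accept", "src": ["group:engineering"], "dst": ["tag:dev:*"]},
        {"action": "accept", "src": ["group:sre", "autogroup:admin"], "dst": ["*:*"]},
        {"action": "accept", "src": ["dave@example.com"], "dst": ["tag:prod:22"]},
    ],
})


def group_names(policy: dict) -> List[str]:
    """Mirror the control's split_part(key, ':', 2): drop the 'group:' prefix."""
    return sorted(
        key.split(":", 1)[1]
        for key in policy.get("groups", {})
        if key.startswith("group:")
    )


def evaluate(policy_json: str) -> dict:
    """Return the control's status plus the rules that bypass groups."""
    policy = json.loads(policy_json)
    names = group_names(policy)
    # A missing "groups" key and an empty "groups": {} both mean no groups are
    # used, matching the SQL where the aggregated name list is null.
    status = "ok" if names else "alarm"
    # Beyond the control: rule indexes whose src is a user login rather than a
    # group, tag or autogroup. Logins contain '@'; the other principals do not.
    direct_user_rules = [
        i
        for i, rule in enumerate(policy.get("acls", []))
        if any("@" in src for src in rule.get("src", []))
    ]
    return {"status": status, "groups": names, "direct_user_rules": direct_user_rules}


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY))
```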