Announcing the CloudQuery Tailscale Source Plugin

March 21, 2023

Name: Yevgeny Pats
Twitter: @yevgenypats

Introduction

The Tailscale (opens in a new tab) source plugin for CloudQuery is now officially maintained by Tailscale — big thanks to the Tailscale team!

With the new Tailscale plugin you can now easily query Tailscale config and bring config data to your infrastructure/operational lake. This way you can have all your infrastructure data in one place and correlate between different services.

As part of its initial release, the Tailscale plugin supports pulling data for the following APIs:

tailscale_acls (opens in a new tab) table
tailscale_devices (opens in a new tab) table
tailscale_device_routes (opens in a new tab) table
tailscale_dns_nameservers (opens in a new tab) table
tailscale_dns_searchpaths (opens in a new tab) table
tailscale_keys (opens in a new tab) table

Let's look at a few useful queries.

Configuration

First, let's quickly look at the source configuration so the plugin. The example below syncs the tailscale_devices table to PostgreSQL, making use of the new OAuth client to authenticate.

kind: source
# Common source-plugin configuration
spec:
  name: tailscale
  path: cloudquery/tailscale
  version: "v3.0.0"
  tables: ["tailscale_devices"]
  destinations: ["postgresql"]
  # Tailscale specific configuration
  spec:
    client_id: "YOUR_CLIENT_ID"
    client_secret: "${TAILSCALE_CLIENT_SECRET}"
    tailnet: "cloudquery.io"

Example Queries

Let's look at a few useful queries we can do just with the Tailscale tables.

Unseen devices

Find all devices that weren't seen for more than 30 days:

select name, id, last_seen from tailscale_devices where last_seen < NOW() - INTERVAL '30 DAY';

    tailnet    |             name              |        id         |      last_seen      
---------------+-------------------------------+-------------------+---------------------
 cloudquery.io | example-name.tail341.ts.net   | 12345678082367896 | 2023-01-07 12:43:18

Key expiry disabled

Find all devices with key expiry disabled

select name, id, last_seen from tailscale_devices where key_expiry_disabled;

    tailnet    |             name              |        id         |      last_seen      
---------------+-------------------------------+-------------------+---------------------
 cloudquery.io | example-name.tail341.ts.net   | 12345678082367896 | 2023-01-07 12:43:18

Distribution of devices

Learn about how Tailscale client are distributed in your org across devices

select count(*), os from tailscale_devices group by os;

 count |  os   
-------+-------
   102 | macOS
   103 | linux
   70  | window

Find all devices of disabled Okta users

Other cool things once you have Tailscale configuration in your database/datalake is that you can join and query it with data from other CloudQuery source plugins.

For example, the following will show all devices of users that were deactivated on Okta:

select td.tailnet, td.name, td.id, td.user, td.last_seen
from tailscale_devices td
    left join okta_users ou 
        on td.user = ou.profile->>'email'
where ou.stats != 'ACTIVE'

Summary

Using data from the new Tailscale source plugin you can slice and dice your Tailscale data in many ways, but the examples in this post should give you a good starting point.

Building an Infrastructure Data Lake with MongoDB Exploring API Data with DuckDB