blumeops/pulumi/__main__.py

"""Pulumi program to manage tail8d86e.ts.net tailnet configuration."""

import pulumi
import pulumi_tailscale as tailscale
from pathlib import Path

# Read the HuJSON policy file
policy_path = Path(__file__).parent / "policy.hujson"
policy_content = policy_path.read_text()

# Manage the ACL - this completely overwrites the tailnet's ACL policy
acl = tailscale.Acl(
    "tailnet-acl",
    acl=policy_content,
)

# Export useful info
pulumi.export("acl_id", acl.id)
Add Pulumi for tailnet IaC management (#15) ## Summary - Manage tail8d86e.ts.net ACLs, tags, and DNS via Pulumi + Python - State stored in Pulumi Cloud (free tier) to avoid circular dependency - OAuth authentication via 1Password for secure credential management - New mise tasks: `tailnet-preview`, `tailnet-up` ## Architecture Two-layer approach: - Layer 1 (Pulumi): Tailnet-wide config (ACLs, tags, DNS) - Layer 2 (Ansible): Node-local `tailscale serve` config (unchanged) ## Test plan - [x] Exported current ACL from Tailscale API - [x] Imported existing ACL into Pulumi state - [x] Verified `mise run tailnet-preview` shows no changes - [x] Verified `mise run tailnet-up` applies successfully 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/15 2026-01-15 20:55:25 -08:00			`"""Pulumi program to manage tail8d86e.ts.net tailnet configuration."""`

			`import pulumi`
			`import pulumi_tailscale as tailscale`
			`from pathlib import Path`

			`# Read the HuJSON policy file`
			`policy_path = Path(__file__).parent / "policy.hujson"`
			`policy_content = policy_path.read_text()`

			`# Manage the ACL - this completely overwrites the tailnet's ACL policy`
			`acl = tailscale.Acl(`
			`"tailnet-acl",`
			`acl=policy_content,`
			`)`

			`# Export useful info`
			`pulumi.export("acl_id", acl.id)`