Tags Param in Userdata tailscaleup fails #52

Open
jkodroff opened this issue Jan 6, 2023 · 3 comments
Comments

@jkodroff
Contributor

jkodroff commented Jan 6, 2023

When creating a new AWS bastion host, the userdata script will fail because of the --advertise-tags param:

backend error: requested tags [tag:bastion] are invalid or not permitted

Relevant line: https://github.com/jaxxstorm/pulumi-tailscale-bastion/blob/main/provider/pkg/provider/aws/userdata.tmpl#L21

Per the Tailscale docs it looks like tags have to be defined in an ACL before they're applied to devices. Looks like either defining the bastion tag is missing from the instructions/code or Tailscale used to create this tag by default on the back end and no longer does.

@jaxxstorm
Owner

You'll need to define this ACL manually in your ACL settings:

    "autoApprovers": {
        "routes": {
            "172.20.0.0/22": ["tag:bastion"],
            "10.100.0.0/16": ["tag:bastion"],
            "172.16.0.0/24": ["tag:bastion"],
        },
    },

We should document this

@jkodroff
Contributor Author

jkodroff commented Jan 9, 2023

@jaxxstorm I think there may be 2 things that have to be added:

1. Grant the ability to apply the bastion tag to all users:

    "tagOwners": {
        "tag:bastion": ["autogroup:members"],
    },

2. Grant the ability to advertise the routes as you noted above. Just for clarity, the routes you listed above are "the CIDR blocks of any VPCs you want on your VPN, which must not collide", correct?

Also, I do not see a way to define the ACL programmatically: While there is a tailscale.Acl resource, I don't see any obvious way to work with the existing ACL they provide for you. Can you confirm this matches your understanding and that the user will need to manually edit these?
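The two stanzas above (tagOwners for the tag, autoApprovers for the routes) can be checked before the bastion runs `tailscale up --advertise-tags=tag:bastion --advertise-routes=...`. This is an added example, not code from the pulumi-tailscale-bastion project; the policy text is constructed, and it assumes a listed autoApprovers prefix also covers more-specific advertised prefixes and that the policy contains no `//` comments.

```python
"""Pre-flight check of a Tailscale ACL policy against the bastion's `tailscale up` flags."""
import ipaddress
import json
import re

# Constructed sample policy in the HuJSON form the admin console accepts
# (trailing commas allowed); it combines both stanzas from the thread.
SAMPLE_POLICY = """
{
  "tagOwners": {
    "tag:bastion": ["autogroup:members"],
  },
  "autoApprovers": {
    "routes": {
      "172.20.0.0/22": ["tag:bastion"],
      "10.100.0.0/16": ["tag:bastion"],
    },
  },
}
"""


def load_hujson(text: str) -> dict:
    """Parse a policy file; only trailing commas are tolerated (assumption: no // comments)."""
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))


def check_tailscale_up(policy: dict, tags: list[str], routes: list[str]) -> list[str]:
    """Return the problems that would make `tailscale up` fail or leave routes unapproved."""
    problems = []
    owners = policy.get("tagOwners", {})
    for tag in tags:
        # A tag absent from tagOwners is what produces
        # "requested tags [...] are invalid or not permitted".
        if tag not in owners:
            problems.append(f"{tag}: not declared in tagOwners (backend rejects the tag)")
    approvers = policy.get("autoApprovers", {}).get("routes", {})
    # Prefixes whose approver list shares at least one tag with the device's tags.
    approved = [ipaddress.ip_network(prefix) for prefix, who in approvers.items()
                if set(who) & set(tags)]
    for route in routes:
        net = ipaddress.ip_network(route, strict=True)
        # Assumption: an advertised prefix inside a listed prefix is auto-approved too.
        if not any(net.version == a.version and net.subnet_of(a) for a in approved):
            problems.append(f"{route}: no autoApprovers entry for {tags}; needs manual approval")
    return problems
```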

@jaxxstorm
Owner

yep that's right, the resource isn't in the provider yet
