Tailscale tailnet policy + heatwave-db VIP service (Terraform)

Gives people who connect to Postgres directly as read_only a stable SQL endpoint to the prod pgbouncer over the tailnet, one that survives the CHI↔DAL ping-pong: heatwave-db.tail5475a.ts.net:6432 (plus a TailVIP). Two independent layers gate access: the Tailscale ACL (who may reach svc:heatwave-db:6432 on the network at all) and the Postgres read_only role (SELECT-only; pgbouncer authenticates it against Postgres via auth_query, so no password file lives on the pgbouncer host).

  • tailscale_acl.policy — the whole tailnet policy: the existing wide-open grant + SSH rule preserved verbatim, plus tagOwners["tag:heatwave-db"] and an explicit members → svc:heatwave-db:tcp:6432 grant.
  • tailscale_service.heatwave_db — the VIP service definition (svc:heatwave-db, tcp:6432, advertiser tag tag:heatwave-db).

What it does NOT manage (operational — moves on every flip)

Which host is tagged and advertising the service right now. That follows prod, so it lives in the deploy/cutover runbook (next to pgbouncer’s backend repoint), NOT here:

```sh
# On the ACTIVE prod host (Dallas now, 100.123.47.52):
# 1. Tag the node so it may advertise the service. One-time per host, via the
#    admin API; the caller must be a tagOwner of tag:heatwave-db. Tagging is
#    effectively one-way: the node's ACL identity becomes tag:heatwave-db.
#    ($TS_API_KEY is an illustrative variable name for an API key/OAuth token.)
curl -sS -u "$TS_API_KEY:" -X POST \
  "https://api.tailscale.com/api/v2/device/<node_id>/tags" \
  -H 'Content-Type: application/json' \
  -d '{"tags":["tag:heatwave-db"]}'
# 2. Advertise pgbouncer:6432 as the service:
tailscale serve --bg --service=svc:heatwave-db --tcp 6432 tcp://100.123.47.52:6432

# At W3 (flip to Chicago, 100.68.157.49): drain Dallas first, then advertise on Chicago.
# On Dallas:
tailscale serve --service=svc:heatwave-db --tcp 6432 off
# On Chicago: tag the node as in step 1 (its own <node_id>), then:
tailscale serve --bg --service=svc:heatwave-db --tcp 6432 tcp://100.68.157.49:6432
```

The stable MagicDNS name + TailVIP persist across the move automatically. One caveat: unless the policy auto-approves service hosts for tag:heatwave-db, a newly advertising node still has to be approved as a host for svc:heatwave-db in the admin console before the VIP routes to it, so check that before declaring the flip done.

```sh
# Apply locally; the Tailscale OAuth client pair comes from 1Password:
export TF_VAR_oauth_client_id="$(op read 'op://IT/Tailscale-API-OAUTH/username')"
export TF_VAR_oauth_client_secret="$(op read 'op://IT/Tailscale-API-OAUTH/credential')"
tofu init && tofu plan   # review: ACL update (additive) + service create
# NB: tailscale_acl owns the whole policy file. Anything edited in the admin
# console since the last apply shows up in the plan as drift and is overwritten,
# so the ACL diff should contain only the tagOwners + svc grant additions.
tofu apply
```

(Or wire into a TFC workspace warmlyyours/heatwave-tailscale, VCS-driven, with the OAuth pair as sensitive workspace vars — same pattern as heatwave-latitude-production.)

postgres://read_only@heatwave-db.tail5475a.ts.net:6432/heatwave # stable across flips

(Requires tailnet membership + the read_only password; read_only is SELECT-only.)
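The Postgres half of the second gate, as an added example (not part of this module or the cutover runbook): how read_only ends up SELECT-only, the pgbouncer auth_query lookup function (pattern from the pgbouncer docs), and the checks to run after apply. It assumes database heatwave, schema public, and that pgbouncer connects to Postgres as a role named pgbouncer; the role name, schema name and placeholder password are assumptions.

```sql
-- Added example, not the module's or the runbook's own SQL. Assumes database
-- "heatwave", schema "public", and a pgbouncer login role named "pgbouncer"
-- (all three are assumptions; the password below is a placeholder).

-- 1. A login role that can only read. Defaults made explicit so a later
--    ALTER ROLE shows up clearly in a diff.
CREATE ROLE read_only LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE
  PASSWORD 'change-me';   -- placeholder; set the real one out of band
GRANT CONNECT ON DATABASE heatwave TO read_only;
GRANT USAGE ON SCHEMA public TO read_only;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO read_only;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO read_only;
-- Tables created later get SELECT too. ALTER DEFAULT PRIVILEGES only covers
-- objects created by the role that runs it (or the FOR ROLE target), so run
-- it as, or FOR ROLE, the role that owns the application tables.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO read_only;
-- Guard rail, not the boundary: this is a per-session default the user can
-- SET off. The GRANTs above are what actually enforce SELECT-only.
ALTER ROLE read_only SET default_transaction_read_only = on;

-- 2. auth_query lookup: pgbouncer verifies passwords against Postgres
--    instead of a userlist file. SECURITY DEFINER so the function, not the
--    pgbouncer role, reads pg_shadow; create it as a superuser.
CREATE ROLE pgbouncer LOGIN PASSWORD 'change-me-too';   -- assumed role
CREATE SCHEMA IF NOT EXISTS pgbouncer;
CREATE OR REPLACE FUNCTION pgbouncer.user_lookup(IN i_username text,
                                                 OUT uname text, OUT phash text)
RETURNS record AS $$
BEGIN
  SELECT usename, passwd FROM pg_catalog.pg_shadow
   WHERE usename = i_username INTO uname, phash;
  RETURN;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
REVOKE ALL ON FUNCTION pgbouncer.user_lookup(text) FROM PUBLIC, pgbouncer;
GRANT EXECUTE ON FUNCTION pgbouncer.user_lookup(text) TO pgbouncer;
-- pgbouncer.ini then carries:
--   auth_type  = scram-sha-256
--   auth_user  = pgbouncer
--   auth_query = SELECT uname, phash FROM pgbouncer.user_lookup($1)

-- 3. Post-apply checks. Both queries should return zero rows.
-- (a) read_only holds no write privilege on any table:
SELECT table_schema, table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee = 'read_only'
   AND privilege_type <> 'SELECT';
-- (b) every relation in public is readable (nothing was missed):
SELECT c.relname
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE n.nspname = 'public'
   AND c.relkind IN ('r', 'p', 'v', 'm')
   AND NOT has_table_privilege('read_only', c.oid, 'SELECT');
```

Run section 3 from the pgbouncer endpoint itself (psql to heatwave-db.tail5475a.ts.net:6432 as a privileged user) after each cutover: it exercises the Tailscale ACL, auth_query and the role grants in one pass.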