This is what I've been looking for. I love Tailscale, but as our tailnet has grown from "just me and a few servers" to "entire engineering team + prod/staging/dev environments," the ACL file has become terrifyingly long.

I always have this low-level anxiety that I accidentally left a tag too open or messed up a source/destination rule in the HuJSON. Anyone else? The fact that this can run in CI/CD is a huge win.

Tailscale policy tests are a bit hard to write but help us have confidence in our changes.

https://tailscale.com/kb/1337/policy-syntax#tests
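As an added illustration of the policy tests linked above (not from the original thread or from Tailscale's docs), a minimal HuJSON policy with a `tests` block; the users, groups, tags and ports are constructed placeholders:

```hujson
// Added example: a small Tailscale policy whose "tests" block pins down both
// what an ACL change must keep open and what it must never open.
// All users, groups, tags and ports here are constructed placeholders.
{
  "groups": {
    "group:sre": ["alice@example.com"],
    "group:eng": ["alice@example.com", "bob@example.com"],
  },
  "tagOwners": {
    "tag:prod":    ["group:sre"],
    "tag:staging": ["group:eng"],
  },
  "acls": [
    // Engineers reach staging SSH/HTTPS; only SREs reach prod.
    {"action": "accept", "src": ["group:eng"], "dst": ["tag:staging:22,443"]},
    {"action": "accept", "src": ["group:sre"], "dst": ["tag:prod:22,443"]},
  ],
  "tests": [
    // Positive checks: intended access survives a refactor.
    {"src": "bob@example.com",   "proto": "tcp", "accept": ["tag:staging:22"]},
    {"src": "alice@example.com", "proto": "tcp", "accept": ["tag:prod:22", "tag:staging:443"]},
    // Negative checks: the policy save (and a CI check that applies it) fails
    // if any rule is ever widened so that a plain engineer can reach prod.
    {"src": "bob@example.com",   "proto": "tcp", "deny": ["tag:prod:22", "tag:prod:443"]},
    // Catch an accidental "*" destination: nobody should reach prod on 3306.
    {"src": "alice@example.com", "proto": "tcp", "deny": ["tag:prod:3306"]},
  ],
}
```

The deny entries are the ones that address the "left a tag too open" worry: a test fails the policy as a whole, so an over-broad rule cannot be saved until the test is consciously changed.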

I've tried using policy tests, but as far as I remember you can't test access to specific hostnames, only tags. I know Tailscale ACLs operate on tags, but in tests I want to validate that users can access specific things; validating that they can access tags isn't very useful. I also don't really think the tests should be in the ACL file itself. I would much prefer if they were external, or if the Tailscale CLI had a command to run ad-hoc reachability testing.

We did a refactor of our big ACL file recently but it took a lot of work and people inevitably lost access to things. I don't feel that Tailscale's ACL tests are really sufficient for making changes fearlessly.