Tailscale Release Notes

v0.29.1 of the Tailscale Terraform Provider has been released with the following changes:

Fixed: The tailscale_tailnet_key resource no longer clears the key attribute when Terraform state is refreshed. tailscale_tailnet_key values that are already cleared should be recreated to generate a new key in state. This issue only affects tailscale_tailnet_key resources that were refreshed on v0.29.0 of the Tailscale Terraform provider.

Fixed: The tailscale_tailnet_key resource no longer causes a panic when a key has been removed outside of Terraform.

v0.29.0 of the Tailscale Terraform Provider has been released with the following changes

• New: Use the tailscale_service resource and tailscale_service data source to manage Tailscale Services.
• New: Set identity_token_environment_variable_name in the provider to specify the environment variable to read an identity token from. This is useful for platforms like HCP Cloud that have well-known environment variable names for the identity token.
• New: Obtain an OIDC identity token from the runtime environment by setting audience in the provider. This is useful for runtimes like GitHub Actions, AWS via EC2 IMDSv2 or ECS, or GCP via Metadata Server.
• New: Read credential related provider argument values from disk by supplying paths prefixed with file:.
• Changed: The provider has migrated from Terraform Plugin SDKv2 to the Terraform plugin framework.
• Changed: The tailscale_federated_identity resource no longer accepts an empty string ("") for the audience argument, to match the server-side validation for it. Omit the audience argument or set it to null to let Tailscale generate the audience (recommended), or set it to a non-empty string to specify it yourself.

Note: 1.98.0 was a release candidate intended for testing only.

All Platforms

Fixed: Expired preferred peer addresses are cleared, reducing the time to elect an alternative.

Linux

Note: 1.98.1 introduced a regression in the interaction between Tailscale and MagicDNS on Linux. The Linux release has been withdrawn pending a fix.

Changed: IP forwarding for subnet routers and exit nodes is reported as a health check, surfacing warnings when misconfigured.

Fixed: src_valid_mark sysctl is set in addition to connmark firewall rules to improve reverse path filtering and prevent dropped packets.

macOS

New: Devices and exit nodes can be searched from the application's main menu on macOS Tahoe 26 or later.

New: The AppIntroShown system policy disables the Welcome to the Tailscale app modal window introduction that appears when you log in to Tailscale on a device for the first time.

Changed: The Hide Dock Icon checkbox in Settings is available when Tailscale is disconnected.

Fixed: The tailscale drive CLI command directs users to configure Taildrive through the client GUI instead of returning an error.

Fixed: Device list is more responsive, especially for larger tailnets.

iOS

New: iOS devices can be used as exit nodes.

Fixed: Device list is more responsive, especially for larger tailnets.

A new release of the Tailscale Kubernetes Operator is available. For guidance on installing and updating, refer to our installation instructions.

New

The DNSConfig custom resource in the Kubernetes operator supports specifying node affinity rules for nameserver pods.

The DNSConfig custom resource for the Kubernetes operator supports specifying node selectors for nameserver pods.

Helm chart installations can specify a priority class name for Kubernetes operator pods during install or upgrade.

Fixed

API server proxy ProxyGroup pods can request a new auth key when required.

Use Aperture (beta) to secure and manage your LLM agents with a single control plane across all your providers and models.

New: Create custom guardrails with pre-LLM-call hooks to strip or block PII and restrict specific agent tools before requests reach the LLM.

New: Configure log retention time down to zero for request/response capture logs, with S3-compatible export supported.

New: Audit logs for configuration changes and when admins view logs owned by other users are available using a new API endpoint and UI.

Changed: Set customizable quotas across providers, models, users, agents, or individual agent runs.

Changed

Changed: New tailnet plan signups are billed based on occupied user seats instead of monthly active users. Existing tailnets on a legacy plan will continue to be billed based on monthly active users.

Changed: All plans can have an unlimited number of user devices in a tailnet.

Changed: The Personal plan provides up to six free users instead of the previous three users.

Changed: Ephemeral node usage is free up to a monthly limit, by pricing plan. After four hours in the tailnet, nodes are treated as standard tagged devices and stop consuming ephemeral minutes.

Changed: As part of the Personal plan change, Aperture by Tailscale also provides for up to six free users during the alpha testing phase.

Changed: The Starter plan is no longer available as a plan option for new signups. The new Standard plan is the closest equivalent option.

Changed: Promo codes can be applied to existing plans. Previously, promo codes could only be applied when upgrading to a new plan.

For more information about our pricing plans and the features available for each plan, refer to Pricing and Pricing FAQs.