diff --git a/.github/workflows/cdktf-diff.yml b/.github/workflows/cdktf-diff.yml
index 594dbf09a..9a5b06c8b 100644
--- a/.github/workflows/cdktf-diff.yml
+++ b/.github/workflows/cdktf-diff.yml
@@ -74,7 +74,7 @@ jobs:
 mode: plan-only
 terraformCloudToken: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }}
 githubToken: ${{ secrets.GITHUB_TOKEN }}
- commentOnPR: true
+ commentOnPr: true
 - name: Store generated CDKTF
 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
 if: always()
diff --git a/.github/workflows/cdktf-refresh-tailscale.yml b/.github/workflows/cdktf-refresh-tailscale.yml
new file mode 100644
index 000000000..2037a716a
--- /dev/null
+++ b/.github/workflows/cdktf-refresh-tailscale.yml
@@ -0,0 +1,70 @@
+---
+name: CDKTF Refresh Tailscale
+
+on:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+env:
+ CDKTF_VERSION: 0.14.3
+ TERRAFORM_VERSION: 1.3.5
+ NODE_VERSION: latest
+
+jobs:
+ terraform:
+ name: "Terraform CDK Refresh Tailscale"
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+ with:
+ persist-credentials: false
+ # Configure 1Password Service Account
+ - name: Configure 1Password Service Account
+ uses: 1Password/load-secrets-action/configure@d1a4e73495bde3551cf63f6c048588b8f734e21d # v1
+ with:
+ service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+ # Fetch TERRAFORM_CLOUD_TOKEN from 1Password using load-secrets-action
+ - name: Fetch TERRAFORM_CLOUD_TOKEN from 1Password
+ uses: 1Password/load-secrets-action@d1a4e73495bde3551cf63f6c048588b8f734e21d # v1
+ id: fetch-terraform-cloud-token
+ with:
+ export-env: false
+ env:
+ TERRAFORM_CLOUD_TOKEN: op://Infrastructure/terraform/cloud/token
+ - name: Install Terraform
+ uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2
+ with:
+ terraform_version: ${{ env.TERRAFORM_VERSION }}
+ terraform_wrapper: false
+ cli_config_credentials_token: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }}
+ - name: Setup yarn
+ uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
+ with:
+ node-version: ${{ env.NODE_VERSION }}
+ cache: yarn
+ cache-dependency-path: ./cdktf/yarn.lock
+ - name: Install dependencies
+ working-directory: ./cdktf
+ run: |
+ # Install node-gyp globally first
+ npm install -g node-gyp
+
+ yarn install --frozen-lockfile --immutable
+ - name: Generate module and provider bindings
+ working-directory: ./cdktf
+ env:
+ TERRAFORM_CLOUD_TOKEN: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }}
+ run: yarn get
+ - name: Synth Terraform CDK
+ working-directory: ./cdktf
+ env:
+ TERRAFORM_CLOUD_TOKEN: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }}
+ run: yarn synth
+ - name: Remove tailscale from state
+ working-directory: ./cdktf
+ env:
+ TERRAFORM_CLOUD_TOKEN: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }}
+ run: yarn remove-tailscale
diff --git a/ansible/host_vars/localhost/tailscale.yml b/ansible/group_vars/all/tailscale.yml
similarity index 100%
rename from ansible/host_vars/localhost/tailscale.yml
rename to ansible/group_vars/all/tailscale.yml
diff --git a/ansible/host_vars/localhost/vault_tailscale.yml b/ansible/group_vars/all/vault_tailscale.yml
similarity index 100%
rename from ansible/host_vars/localhost/vault_tailscale.yml
rename to ansible/group_vars/all/vault_tailscale.yml
diff --git a/cdktf/main.ts b/cdktf/main.ts
index 31c6c22b3..8ed3e41c8 100644
--- a/cdktf/main.ts
+++ b/cdktf/main.ts
@@ -137,7 +137,7 @@ class InfrastructureStack extends TerraformStack {
 new tailscale.provider.TailscaleProvider(this, "tailscale", {
 oauthClientId: tailscale_oauth_client_id.value,
 oauthClientSecret: tailscale_oauth_client_secret.value,
- scopes: ["devices"],
+ scopes: ["all"],
 tailnet: tailscale_tailnet.value,
 })
@@ -149,6 +149,7 @@ class InfrastructureStack extends TerraformStack {
 reusable: true,
 ephemeral: false,
 preauthorized: true,
+ description: "Generated by CDKTF in jon77p infrastructure",
 tags: ["tag:cdktf", "tag:ssh", "tag:oci"],
 }
 )
diff --git a/cdktf/package.json b/cdktf/package.json
index 468f483fd..f338e97aa 100644
--- a/cdktf/package.json
+++ b/cdktf/package.json
@@ -16,7 +16,9 @@
 "watch": "tsc -w",
 "test": "jest",
 "test:watch": "jest --watch",
- "upgrade": "yarn upgrade"
+ "upgrade": "yarn upgrade",
+ "clean": "rm -rf .gen cdktf.out node_modules *.log",
+ "remove-tailscale": "cd cdktf.out/stacks/cdktf && terraform state rm $(terraform state list | grep tailscale)"
 },
 "engines": {
 "node": ">=14.0"
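Review bot: The last step, `run: yarn remove-tailscale`, performs destructive state surgery on the shared Terraform Cloud workspace (`terraform state rm` over every address matching `grep tailscale`, per the package.json hunk in this diff), yet the job can be started by anyone allowed to trigger `workflow_dispatch` and nothing serialises it against the other CDKTF workflows that use the same token and state. Consider binding the job to a protected environment with required reviewers, e.g. `environment: <protected-environment-name>` under `terraform:`, and adding a `concurrency:` group shared with the cdktf-diff workflow so a refresh cannot race a plan or apply. Separately, `NODE_VERSION: latest` is the one unpinned version in a file that otherwise SHA-pins every action and pins Terraform to 1.3.5, and `CDKTF_VERSION: 0.14.3` is declared but not read by any step in this hunk — either use it or drop it so the pinning stays honest.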
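Review bot: `scopes: ["all"]` grants the Tailscale OAuth client every scope the tailnet offers, where the previous `["devices"]` was already a narrow grant; the only new consumer visible in this diff is the tailnet key resource in the next hunk, which presumably needs an auth-key scope rather than everything. Prefer listing just the scopes that resource requires (confirm the provider's auth-key scope name against its docs, and keep `devices` only if something still uses it) so the blast radius of a leaked `tailscale_oauth_client_secret` stays at key management instead of the whole tailnet. Add a comment stating why each listed scope is needed, e.g. `// scopes: the tailnet key resource below needs the auth-key scope; nothing here needs ACL/DNS rights`. The `InfrastructureStack` constructor enclosing this call starts and ends outside the hunk.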
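Review bot: `remove-tailscale` uses `grep tailscale` as a bare substring match, so any state address that merely contains the word (a non-Tailscale resource or module named after it) would also be dropped by `terraform state rm`, and an empty match leaves `state rm` with no arguments and a confusing failure. Anchor the pattern to the provider's resource prefix instead, e.g. `"remove-tailscale": "cd cdktf.out/stacks/cdktf && terraform state rm $(terraform state list | grep -E '(^|\\.)tailscale_')"` (the doubled backslash is JSON escaping), so only `tailscale_*` addresses qualify. Since JSON cannot carry a comment, the calling workflow step should note that `state rm` only makes Terraform forget the objects — if the intent is also to retire the existing keys on the tailnet, this script alone will not do that.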