GitOps workflow for Tailscale ACL changes across ephemeral dev environments?
We run a fleet of short-lived dev environments (created per PR, torn down after merge). Each environment gets its own Tailscale tailnet with custom ACL rules for service-to-service access.

Problem: our Tailscale ACL hujson is currently managed manually. When a dev spins up a new environment, someone has to add the node to the ACL and grant access to the right services. This is becoming a bottleneck.

I'd like to move to a GitOps model where:

- ACL rules are generated from Terraform/Pulumi based on the environment manifest
- Changes go through PR review before applying
- Rollback is as simple as reverting a commit

Has anyone built this pattern? Specifically:

1. Do you use the Tailscale API directly or wrap it in a custom provider?
2. How do you handle the auth keys for ephemeral nodes — baked into the environment spec or rotated?
3. Any gotchas with ACL policy evaluation latency after an update?

Currently on Tailscale 1.64+, ~40 ephemeral environments at peak.
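One way to do the "generated from the environment manifest" step, as an added example that is not the poster's setup or any Tailscale tooling: each service in a constructed manifest gets its own tag, only the listed edges become `accept` rules (everything else stays default-deny), and the policy carries `tests` so the Tailscale API rejects a PR whose rules no longer match the manifest. Output is plain JSON, which is valid HuJSON for the ACL endpoint or a Terraform/Pulumi ACL resource.

```python
import json

# Constructed sample manifest for one ephemeral environment (not from the original post).
MANIFEST = {
    "env": "pr-123",
    "owners": ["autogroup:admin"],
    "services": {"frontend": 3000, "api": 8080, "db": 5432},
    "edges": [("frontend", "api"), ("api", "db")],  # (src service, dst service)
}

def tag(env, svc):
    return f"tag:{env}-{svc}"

def build_policy(manifest):
    """Render a Tailscale ACL policy dict for one environment.
    Only manifest edges become accept rules; Tailscale denies anything not listed."""
    env, svcs = manifest["env"], manifest["services"]
    tag_owners = {tag(env, s): list(manifest["owners"]) for s in svcs}
    acls, tests = [], []
    for src, dst in manifest["edges"]:
        if src not in svcs or dst not in svcs:
            raise ValueError(f"edge {src}->{dst} references unknown service")
        dst_spec = f"{tag(env, dst)}:{svcs[dst]}"
        acls.append({"action": "accept", "src": [tag(env, src)], "dst": [dst_spec]})
        tests.append({"src": tag(env, src), "accept": [dst_spec]})
    # Negative tests: the reverse direction of every edge must stay denied.
    for src, dst in manifest["edges"]:
        tests.append({"src": tag(env, dst), "deny": [f"{tag(env, src)}:{svcs[src]}"]})
    return {"tagOwners": tag_owners, "acls": acls, "tests": tests}

def lint(policy):
    """Pre-merge check for the PR pipeline: no generated rule may use wildcard src/dst."""
    problems = []
    for i, rule in enumerate(policy["acls"]):
        if "*" in rule["src"] or any(d.startswith("*") for d in rule["dst"]):
            problems.append(f"acls[{i}] grants wildcard access")
    return problems

def render(manifest):
    """Return the policy as JSON text, refusing to emit anything the linter flags."""
    policy = build_policy(manifest)
    problems = lint(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(policy, indent=2)

if __name__ == "__main__":
    print(render(MANIFEST))
```

Tearing the environment down is then a revert of the commit that added its tags and rules, and the `tests` block makes a later hand edit that widens access fail at validation time.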