Yeah, that's a common workflow. It's easy to programatically allocate those keys using the OAuth workflow though – there's even a CLI utility to do it (https://tailscale.com/kb/1215/oauth-clients#get-authkey-util...)

This can all be automated using e.g. the Terraform Tailscale provider, which takes the OAuth id/secret and can then issue keys as needed for the infrastructure you are deploying.