The "terraform-aws-wayfinder" Terraform Module can be used to provision and manage a licensed edition of Appvia Wayfinder on AWS.
To run this module, you will need the following:
- Product Licence Key & Instance ID: request a free licence key from the Appvia Portal.
- (Optional) IDP App configuration details: Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID) for setup. This does not need to be defined initially within Terraform and can also be set up within the product. Wayfinder can provision a `localadmin` user for initial access if no IDP details are provided.
- A public Route53 DNS Zone: this module will create DNS records for the Wayfinder API and UI endpoints, and performs a DNS01 challenge via the LetsEncrypt Issuer to obtain valid domain certificates (the zone must be publicly resolvable so the ACME server can look up the challenge TXT records).
- Existing VPC and Subnets: this module will deploy an EKS Cluster and so requires an existing VPC with outbound internet connectivity. Public ingress is not required; both EKS and Wayfinder ingress can be configured with an internal endpoint.
- Network Resource Tags:
  - Public Subnets should have the tag `"kubernetes.io/role/elb" = 1`
  - Private Subnets should have the tag `"kubernetes.io/role/internal-elb" = 1`
Please see the examples directory to see how to deploy this module. To get up and running quickly with minimal prerequisites, use the quickstart example.
Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID).
This configuration is optional within Terraform and can also be set up within the product. Please view the documentation for more information: https://docs.appvia.io/wayfinder/admin/auth
The Authorized Redirect URI for the IDP Application should be set to: `https://${wayfinder_domain_name_api}/oauth/callback` (register it exactly as shown, including scheme and path, since IDPs match redirect URIs exactly).
Note: If you are using Azure Active Directory, you must:
- Set `azureTenantId` to your Azure Tenant ID (`serverUrl` is not required)
- Set the IDP type to `aad`

Generic OIDC provider (e.g. Okta or Auth0):

```hcl
wayfinder_idp_details = {
  type         = "generic"
  clientId     = "IDP-APP-CLIENT-ID"
  clientSecret = "IDP-APP-CLIENT-SECRET"
  serverUrl    = "https://example.okta.com" # Or "https://example.auth0.com/"
}
```

Azure Active Directory:

```hcl
wayfinder_idp_details = {
  type          = "aad"
  clientId      = "IDP-APP-CLIENT-ID"
  clientSecret  = "IDP-APP-CLIENT-SECRET"
  azureTenantId = "12345678-1234-1234-1234-123456789012"
}
```
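The following is an added end-to-end example, not code from the module's README or its examples directory. It ties the prerequisites (DNS zone, VPC, tagged subnets) to the IDP configuration above and applies the security settings a practitioner would want: the licence key, instance ID and IDP client secret are passed through `sensitive` variables rather than literals, the EKS API server endpoint is restricted to an admin CIDR, control-plane audit logging is enabled, and the local admin password output is marked sensitive. The module `source` (inferred from the repository name), the region, VPC/subnet/hosted-zone identifiers, domain names, email and CIDRs are placeholders and assumptions, not values from this page.

```hcl
# Added example; not the module's own code. All identifiers below are placeholders.

variable "wayfinder_licence_key" {
  type      = string
  sensitive = true # keeps the value out of plan/apply output; supply via TF_VAR_* or a secrets store
}

variable "wayfinder_instance_id" {
  type      = string
  sensitive = true
}

variable "idp_client_secret" {
  type      = string
  sensitive = true
}

module "wayfinder" {
  source = "appvia/wayfinder/aws" # assumption: registry path inferred from the repo name

  # Required inputs (see the inputs table)
  clusterissuer_email       = "platform@example.com"                              # placeholder
  dns_zone_arn              = "arn:aws:route53:::hostedzone/Z0123456789ABCDEFGHIJ" # placeholder
  vpc_id                    = "vpc-0123456789abcdef0"                              # placeholder
  wayfinder_domain_name_api = "api.wayfinder.example.com"
  wayfinder_domain_name_ui  = "portal.wayfinder.example.com"
  wayfinder_instance_id     = var.wayfinder_instance_id
  wayfinder_licence_key     = var.wayfinder_licence_key

  # Subnets must already carry the kubernetes.io/role/elb and
  # kubernetes.io/role/internal-elb tags listed under the prerequisites.
  subnet_ids_by_az = {
    "eu-west-2a" = ["subnet-0aaaaaaaaaaaaaaaa"] # placeholder
    "eu-west-2b" = ["subnet-0bbbbbbbbbbbbbbbb"] # placeholder
  }

  # Restrict who can reach the EKS API server rather than relying on the default.
  cluster_endpoint_public_access_cidrs = ["203.0.113.0/24"] # placeholder admin CIDR

  # Control-plane audit trail (valid EKS control-plane log types).
  cluster_enabled_log_types = ["api", "audit", "authenticator"]

  # SSO via the generic OIDC path shown above. The IDP application must have
  # https://api.wayfinder.example.com/oauth/callback registered as its redirect URI.
  wayfinder_idp_details = {
    type         = "generic"
    clientId     = "IDP-APP-CLIENT-ID" # placeholder
    clientSecret = var.idp_client_secret
    serverUrl    = "https://example.okta.com" # placeholder
  }

  # Leave local login enabled for the first apply so the localadmin user can be
  # used to verify SSO; flip to true once an IDP login has been confirmed.
  disable_local_login = false

  tags = {
    environment = "production"
    owner       = "platform"
  }
}

output "wayfinder_ui_url" {
  value = module.wayfinder.wayfinder_ui_url
}

# Mark the local admin password sensitive so `terraform apply` / `terraform output`
# do not echo it to the terminal or CI logs.
output "wayfinder_admin_password" {
  value     = module.wayfinder.wayfinder_admin_password
  sensitive = true
}
```

Two caveats: `sensitive = true` only suppresses display; the licence key, client secret and local admin password are still written in plaintext to the Terraform state file, so the state backend needs the same access controls and encryption as the secrets themselves. And set `disable_local_login = true` only after confirming an SSO login works, since the input description notes that without a working IDP you will not be able to log in.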
The `terraform-docs` utility is used to generate this README. Follow the steps below to update it:
- Make changes to the `.terraform-docs.yml` file
- Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
- Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
| Name | Version |
|---|---|
| aws | >= 5.34 |
| helm | >= 2.9.0 |
| kubectl | >= 2.0 |
| random | >= 3.5 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| clusterissuer_email | The email address to use for the cert-manager cluster issuer. | string | n/a | yes |
| dns_zone_arn | The AWS Route53 DNS Zone ARN to use (e.g. arn:aws:route53:::hostedzone/ABCDEFG1234567). | string | n/a | yes |
| vpc_id | The VPC ID for the Wayfinder EKS Cluster to be built within. | string | n/a | yes |
| wayfinder_domain_name_api | The domain name to use for the Wayfinder API (e.g. api.wayfinder.example.com). | string | n/a | yes |
| wayfinder_domain_name_ui | The domain name to use for the Wayfinder UI (e.g. portal.wayfinder.example.com). | string | n/a | yes |
| wayfinder_instance_id | The instance ID to use for Wayfinder. | string | n/a | yes |
| wayfinder_licence_key | The licence key to use for Wayfinder. | string | n/a | yes |
| access_entries | Map of access entries to add to the cluster. This is required if you use a different IAM Role for Terraform Plan actions. | map(object({ | {} | no |
| aws_ebs_csi_driver_addon_version | The version to use for the AWS EBS CSI driver. | string | "v1.31.0-eksbuild.1" | no |
| aws_vpc_cni_addon_version | AWS VPC CNI Addon version to use. | string | "v1.18.5-eksbuild.1" | no |
| cluster_enabled_log_types | List of log types to enable for the EKS cluster. | list(string) | [ | no |
| cluster_endpoint_public_access_cidrs | List of CIDR blocks which can access the Amazon EKS API server endpoint. | list(string) | [ | no |
| cluster_security_group_additional_rules | List of additional security group rules to add to the cluster security group created. Set source_node_security_group = true inside rules to set the node_security_group as source. | any | {} | no |
| cluster_version | The Kubernetes version to use for the EKS cluster. | string | "1.30" | no |
| coredns_addon_version | CoreDNS Addon version to use. | string | "v1.11.3-eksbuild.1" | no |
| create_localadmin_user | Whether to create a localadmin user for access to the Wayfinder Portal and API. | bool | true | no |
| disable_internet_access | Whether to disable internet access for EKS and the Wayfinder ingress controller. | bool | false | no |
| disable_local_login | Whether to disable local login for Wayfinder. Note: An IDP must be configured within Wayfinder, otherwise you will not be able to log in. | bool | false | no |
| ebs_csi_kms_cmk_ids | List of KMS CMKs to allow EBS CSI to manage encrypted volumes. This is required if EBS encryption is set at the account level with a default KMS CMK. | list(string) | [] | no |
| eks_encrypted_sc_type | The storage class type to use for the EKS encrypted storage class. | string | "gp3" | no |
| eks_ng_capacity_type | The capacity type to use for the EKS managed node group. | string | "ON_DEMAND" | no |
| eks_ng_desired_size | The desired size to use for the EKS managed node group. | number | 1 | no |
| eks_ng_instance_types | The instance types to use for the EKS managed node group. | list(string) | [ | no |
| eks_ng_maximum_size | The maximum size to use for the EKS managed node group. | number | 10 | no |
| eks_ng_minimum_size | The minimum size to use for the EKS managed node group. | number | 1 | no |
| eks_ng_schedules | A map of autoscaling schedules to use for the EKS managed node group. | map(any) | {} | no |
| enable_k8s_resources | Whether to enable the creation of Kubernetes resources for Wayfinder (helm and kubectl manifest deployments). | bool | true | no |
| enable_wf_cloudaccess | Whether to configure CloudIdentity resource in Wayfinder for the configured AWS IRSA identity once installed (requires enable_k8s_resources). | bool | true | no |
| enable_wf_costestimates | Whether to configure admin CloudAccessConfig for cost estimates in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess). | bool | true | no |
| enable_wf_dnszonemanager | Whether to configure admin CloudAccessConfig for DNS zone management in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess). | bool | false | no |
| environment | The environment name we are provisioning. | string | "production" | no |
| kms_key_administrators | A list of IAM ARNs for EKS key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available. | list(string) | [] | no |
| kube_proxy_addon_version | Kube Proxy Addon version to use. | string | "v1.30.3-eksbuild.9" | no |
| node_security_group_additional_rules | List of additional security group rules to add to the node security group created. Set source_cluster_security_group = true inside rules to set the cluster_security_group as source. | any | {} | no |
| subnet_ids_by_az | A map of subnet IDs by availability zone. | map(list(string)) | {} | no |
| tags | A map of tags to add to all resources created. | map(string) | {} | no |
| wayfinder_custom_logo_collapsed_url | The URL of a transparent custom logo to use in the UI when side navigation is collapsed. Recommended dimensions of 44px width by 48px height. Defaults to 'wayfinder_custom_logo_url' if not specified. | string | "" | no |
| wayfinder_custom_logo_url | The URL of a transparent custom logo to use in the UI. Recommended dimensions of 172px width by 48px height. | string | "" | no |
| wayfinder_idp_details | The IDP details to use for Wayfinder to enable SSO. | object({ | { | no |
| wayfinder_no_defaults | Set to true to stop Wayfinder from applying compiled-in defaults (e.g. default roles, cluster plans, etc). | bool | true | no |
| wayfinder_release_channel | The release channel to use for Wayfinder. | string | "wayfinder-releases" | no |
| wayfinder_version | The version to use for Wayfinder. | string | "v2.9.7" | no |
| Name | Description |
|---|---|
| cluster_certificate_authority_data | The base64 encoded certificate data for the Wayfinder EKS cluster. |
| cluster_endpoint | The endpoint for the Wayfinder EKS Kubernetes API. |
| cluster_name | The name of the Wayfinder EKS cluster. |
| cluster_oidc_provider_arn | The ARN of the OIDC provider for the Wayfinder EKS cluster. |
| wayfinder_admin_password | The password for the Wayfinder local admin user. |
| wayfinder_admin_username | The username for the Wayfinder local admin user. |
| wayfinder_api_url | The URL for the Wayfinder API. |
| wayfinder_iam_role_arn | The ARN of the IAM role used by Wayfinder. |
| wayfinder_instance_id | The unique identifier for the Wayfinder instance. |
| wayfinder_ui_url | The URL for the Wayfinder UI. |