Skip to content

appvia/terraform-aws-wayfinder

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Appvia Banner

Terraform Registry Latest Release Slack Community Contributors

Description

The "terraform-aws-wayfinder" Terraform Module can be used to provision and manage a licensed edition of Appvia Wayfinder on AWS.

Requirements

To run this module, you will need the following:

  1. Product Licence Key & Instance ID. Request a free licence key from the Appvia Portal.
  2. (Optional) IDP App configuration details: Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID) for setup. This does not need to be defined initially within Terraform, and can also be setup within the product. Wayfinder can provision a localadmin user for initial access if no IDP details are provided.
  3. A public Route53 DNS Zone: This module will create DNS records for the Wayfinder API and UI endpoints, and performs a DNS01 challenge via the LetsEncrypt Issuer for valid domain certificates.
  4. Existing VPC and Subnets: This module will deploy an EKS Cluster and so requires an existing VPC with outbound internet connectivity. Public ingress is not required, both EKS and Wayfinder ingress can be configured with an internal endpoint.
  5. Network Resource Tags:
    1. Public Subnets should have the tag "kubernetes.io/role/elb" = 1
    2. Private Subnets should have the tag "kubernetes.io/role/internal-elb" = 1

Deployment

Please see the examples directory to see how to deploy this module. To get up and running quickly with minimal pre-requisites, use the quickstart example.

(Optional) Connecting to an Identity Provider

Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID).

This configuration is optional within Terraform, and can also be setup within the product. Please view the documentation for more information: https://docs.appvia.io/wayfinder/admin/auth

The Authorized Redirect URI for the IDP Application should be set to: https://${wayfinder_domain_name_api}/oauth/callback

Note: If you are using Azure Active Directory, you must:

  1. Set azureTenantId to your Azure Tenant ID (serverUrl is not required)
  2. Set the IDP type to aad

Example: Generic IDP Configuration

wayfinder_idp_details = {
    type         = "generic"
    clientId     = "IDP-APP-CLIENT-ID"
    clientSecret = "IDP-APP-CLIENT-SECRET"
    serverUrl    = "https://example.okta.com" # Or "https://example.auth0.com/"
}

Example: Azure AD IDP Configuration

wayfinder_idp_details = {
    type          = "aad"
    clientId      = "IDP-APP-CLIENT-ID"
    clientSecret  = "IDP-APP-CLIENT-SECRET"
    azureTenantId = "12345678-1234-1234-1234-123456789012"
}

Updating Docs

The terraform-docs utility is used to generate this README. Follow the below steps to update:

  1. Make changes to the .terraform-docs.yml file
  2. Fetch the terraform-docs binary (https://terraform-docs.io/user-guide/installation/)
  3. Run terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .

Providers

Name Version
aws >= 5.34
helm >= 2.9.0
kubectl >= 2.0
random >= 3.5

Inputs

Name Description Type Default Required
clusterissuer_email The email address to use for the cert-manager cluster issuer. string n/a yes
dns_zone_arn The AWS Route53 DNS Zone ARN to use (e.g. arn:aws:route53:::hostedzone/ABCDEFG1234567). string n/a yes
vpc_id The VPC ID for the Wayfinder EKS Cluster to be built within. string n/a yes
wayfinder_domain_name_api The domain name to use for the Wayfinder API (e.g. api.wayfinder.example.com). string n/a yes
wayfinder_domain_name_ui The domain name to use for the Wayfinder UI (e.g. portal.wayfinder.example.com). string n/a yes
wayfinder_instance_id The instance ID to use for Wayfinder. string n/a yes
wayfinder_licence_key The licence key to use for Wayfinder. string n/a yes
access_entries Map of access entries to add to the cluster. This is required if you use a different IAM Role for Terraform Plan actions.
map(object({
kubernetes_groups = optional(list(string))
principal_arn = string
policy_associations = optional(map(object({
policy_arn = string
access_scope = object({
namespaces = optional(list(string))
type = string
})
})))
}))
{} no
aws_ebs_csi_driver_addon_version The version to use for the AWS EBS CSI driver. string "v1.31.0-eksbuild.1" no
aws_vpc_cni_addon_version AWS VPC CNI Addon version to use. string "v1.18.5-eksbuild.1" no
cluster_enabled_log_types List of log types to enable for the EKS cluster. list(string)
[
"api",
"audit",
"authenticator",
"controllerManager",
"scheduler"
]
no
cluster_endpoint_public_access_cidrs List of CIDR blocks which can access the Amazon EKS API server endpoint. list(string)
[
"0.0.0.0/0"
]
no
cluster_security_group_additional_rules List of additional security group rules to add to the cluster security group created. Set source_node_security_group = true inside rules to set the node_security_group as source. any {} no
cluster_version The Kubernetes version to use for the EKS cluster. string "1.30" no
coredns_addon_version CoreDNS Addon version to use. string "v1.11.3-eksbuild.1" no
create_localadmin_user Whether to create a localadmin user for access to the Wayfinder Portal and API. bool true no
disable_internet_access Whether to disable internet access for EKS and the Wayfinder ingress controller. bool false no
disable_local_login Whether to disable local login for Wayfinder. Note: An IDP must be configured within Wayfinder, otherwise you will not be able to log in. bool false no
ebs_csi_kms_cmk_ids List of KMS CMKs to allow EBS CSI to manage encrypted volumes. This is required if EBS encryption is set at the account level with a default KMS CMK. list(string) [] no
eks_encrypted_sc_type The storage class type to use for the EKS encrypted storage class. string "gp3" no
eks_ng_capacity_type The capacity type to use for the EKS managed node group. string "ON_DEMAND" no
eks_ng_desired_size The desired size to use for the EKS managed node group. number 1 no
eks_ng_instance_types The instance types to use for the EKS managed node group. list(string)
[
"t3.xlarge"
]
no
eks_ng_maximum_size The maximum size to use for the EKS managed node group. number 10 no
eks_ng_minimum_size The minimum size to use for the EKS managed node group. number 1 no
eks_ng_schedules A map of autoscaling schedules to use for the EKS managed node group. map(any) {} no
enable_k8s_resources Whether to enable the creation of Kubernetes resources for Wayfinder (helm and kubectl manifest deployments). bool true no
enable_wf_cloudaccess Whether to configure CloudIdentity resource in Wayfinder for the configured AWS IRSA identity once installed (requires enable_k8s_resources) bool true no
enable_wf_costestimates Whether to configure admin CloudAccessConfig for cost estimates in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess) bool true no
enable_wf_dnszonemanager Whether to configure admin CloudAccessConfig for DNS zone management in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess) bool false no
environment The environment name we are provisioning. string "production" no
kms_key_administrators A list of IAM ARNs for EKS key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available. list(string) [] no
kube_proxy_addon_version Kube Proxy Addon version to use. string "v1.30.3-eksbuild.9" no
node_security_group_additional_rules List of additional security group rules to add to the node security group created. Set source_cluster_security_group = true inside rules to set the cluster_security_group as source. any {} no
subnet_ids_by_az A map of subnet IDs by availability zone. map(list(string)) {} no
tags A map of tags to add to all resources created. map(string) {} no
wayfinder_custom_logo_collapsed_url The URL of a transparent custom logo to use in the UI when side navigation is collapsed. Recommended dimensions of 44px width by 48px height. Defaults to 'wayfinder_custom_logo_url' if not specified. string "" no
wayfinder_custom_logo_url The URL of a transparent custom logo to use in the UI. Recommended dimensions of 172px width by 48px height. string "" no
wayfinder_idp_details The IDP details to use for Wayfinder to enable SSO.
object({
type = string
clientId = optional(string)
clientSecret = optional(string)
serverUrl = optional(string)
azureTenantId = optional(string)
})
{
"azureTenantId": "",
"clientId": null,
"clientSecret": null,
"serverUrl": "",
"type": "none"
}
no
wayfinder_no_defaults Set to true to stop Wayfinder from applying compiled-in defaults (e.g. default roles, cluster plans, etc). bool true no
wayfinder_release_channel The release channel to use for Wayfinder. string "wayfinder-releases" no
wayfinder_version The version to use for Wayfinder. string "v2.9.7" no

Outputs

Name Description
cluster_certificate_authority_data The base64 encoded certificate data for the Wayfinder EKS cluster.
cluster_endpoint The endpoint for the Wayfinder EKS Kubernetes API.
cluster_name The name of the Wayfinder EKS cluster.
cluster_oidc_provider_arn The ARN of the OIDC provider for the Wayfinder EKS cluster.
wayfinder_admin_password The password for the Wayfinder local admin user.
wayfinder_admin_username The username for the Wayfinder local admin user.
wayfinder_api_url The URL for the Wayfinder API.
wayfinder_iam_role_arn The ARN of the IAM role used by Wayfinder.
wayfinder_instance_id The unique identifier for the Wayfinder instance.
wayfinder_ui_url The URL for the Wayfinder UI.