appvia/terraform-aws-wayfinder

Terraform Module: Wayfinder on AWS

The "terraform-aws-wayfinder" Terraform Module can be used to provision and manage a licensed edition of Appvia Wayfinder on AWS.

Requirements

To run this module, you will need the following:

  1. Product Licence Key & Instance ID: Contact sales@appvia.io for more information.
  2. (Optional) IDP App configuration details: Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID) for setup. This does not need to be defined initially within Terraform and can also be set up within the product. Wayfinder can provision a localadmin user for initial access if no IDP details are provided.
  3. A public Route53 DNS Zone: This module will create DNS records for the Wayfinder API and UI endpoints, and performs a DNS01 challenge via the Let's Encrypt Issuer to obtain valid domain certificates.
  4. Existing VPC and Subnets: This module will deploy an EKS Cluster and so requires an existing VPC with outbound internet connectivity. Public ingress is not required; both EKS and Wayfinder ingress can be configured with an internal endpoint.
  5. Network Resource Tags:
    1. Public Subnets should have the tag "kubernetes.io/role/elb" = 1
    2. Private Subnets should have the tag "kubernetes.io/role/internal-elb" = 1

Deployment

Please see the examples directory to see how to deploy this module. To get up and running quickly with minimal prerequisites, use the quickstart example.
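As an added example (not the repository's quickstart, which lives in the examples directory), the following root module wires the required inputs together, discovers the private subnets by the "kubernetes.io/role/internal-elb" tag listed under Requirements, builds the subnet_ids_by_az map from them, and narrows the EKS API endpoint exposure, which defaults to 0.0.0.0/0. The module source form, the variable names declared here and all e-mail, domain, zone and CIDR values are placeholders, not values from this repository.

```hcl
variable "vpc_id" { type = string }
variable "wayfinder_instance_id" { type = string }
variable "wayfinder_licence_key" {
  type      = string
  sensitive = true # keeps the licence key out of plan output and logs
}

# Discover private subnets by the tag this module requires on them.
data "aws_subnets" "private" {
  filter {
    name   = "vpc-id"
    values = [var.vpc_id]
  }
  filter {
    name   = "tag:kubernetes.io/role/internal-elb"
    values = ["1"]
  }
}

data "aws_subnet" "private" {
  for_each = toset(data.aws_subnets.private.ids)
  id       = each.value
}

locals {
  # Group subnet IDs by availability zone: the map(list(string)) shape
  # that the subnet_ids_by_az input expects.
  subnet_ids_by_az = {
    for az in distinct([for s in data.aws_subnet.private : s.availability_zone]) :
    az => [for s in data.aws_subnet.private : s.id if s.availability_zone == az]
  }
}

module "wayfinder" {
  # Assumed source form; pin a released tag with ?ref= in real use.
  source = "github.com/appvia/terraform-aws-wayfinder"
  vpc_id           = var.vpc_id
  subnet_ids_by_az = local.subnet_ids_by_az

  # Required inputs; the e-mail, zone ARN and domain values are placeholders.
  clusterissuer_email       = "platform-team@example.com"
  dns_zone_arn              = "arn:aws:route53:::hostedzone/ZONEIDPLACEHOLDER"
  wayfinder_domain_name_api = "api.wayfinder.example.com"
  wayfinder_domain_name_ui  = "portal.wayfinder.example.com"
  wayfinder_instance_id     = var.wayfinder_instance_id
  wayfinder_licence_key     = var.wayfinder_licence_key

  # The default is 0.0.0.0/0; limit the EKS API endpoint to your admin/CI egress range.
  cluster_endpoint_public_access_cidrs = ["203.0.113.0/24"]
}
```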

(Optional) Connecting to an Identity Provider

Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID).

This configuration is optional within Terraform and can also be set up within the product. Please view the documentation for more information: https://docs.appvia.io/wayfinder/admin/auth

The Authorized Redirect URI for the IDP Application should be set to: https://${wayfinder_domain_name_api}/oauth/callback

Note: If you are using Azure Active Directory, you must:

  1. Set azureTenantId to your Azure Tenant ID (serverUrl is not required)
  2. Set the IDP type to aad

Example: Generic IDP Configuration

wayfinder_idp_details = {
  type         = "generic"
  clientId     = "IDP-APP-CLIENT-ID"
  clientSecret = "IDP-APP-CLIENT-SECRET"
  serverUrl    = "https://example.okta.com" # Or "https://example.auth0.com/"
}

Example: Azure AD IDP Configuration

wayfinder_idp_details = {
  type          = "aad"
  clientId      = "IDP-APP-CLIENT-ID"
  clientSecret  = "IDP-APP-CLIENT-SECRET"
  azureTenantId = "12345678-1234-1234-1234-123456789012"
}

Updating Docs

The terraform-docs utility is used to generate this README. Follow the steps below to update it:

  1. Make changes to the .terraform-docs.yml file
  2. Fetch the terraform-docs binary (https://terraform-docs.io/user-guide/installation/)
  3. Run terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .

Inputs

Each input is listed with its description, type, default value and whether it is required.

  access_entries
    Map of access entries to add to the cluster. This is required if you use a different IAM Role for Terraform Plan actions.
    Type:
      map(object({
        kubernetes_groups   = optional(list(string))
        principal_arn       = string
        policy_associations = optional(map(object({
          policy_arn   = string
          access_scope = object({
            namespaces = optional(list(string))
            type       = string
          })
        })))
      }))
    Default: {}; Required: no
  aws_ebs_csi_driver_addon_version
    The version to use for the AWS EBS CSI driver.
    Type: string; Default: "v1.28.0-eksbuild.1"; Required: no
  aws_vpc_cni_addon_version
    AWS VPC CNI Addon version to use.
    Type: string; Default: "v1.16.4-eksbuild.2"; Required: no
  cluster_endpoint_public_access_cidrs
    List of CIDR blocks which can access the Amazon EKS API server endpoint.
    Type: list(string); Default: ["0.0.0.0/0"]; Required: no
  cluster_security_group_additional_rules
    List of additional security group rules to add to the cluster security group created. Set source_node_security_group = true inside rules to set the node_security_group as source.
    Type: any; Default: {}; Required: no
  cluster_version
    The Kubernetes version to use for the EKS cluster.
    Type: string; Default: "1.28"; Required: no
  clusterissuer_email
    The email address to use for the cert-manager cluster issuer.
    Type: string; Default: n/a; Required: yes
  coredns_addon_version
    CoreDNS Addon version to use.
    Type: string; Default: "v1.10.1-eksbuild.7"; Required: no
  create_localadmin_user
    Whether to create a localadmin user for access to the Wayfinder Portal and API.
    Type: bool; Default: true; Required: no
  disable_internet_access
    Whether to disable internet access for EKS and the Wayfinder ingress controller.
    Type: bool; Default: false; Required: no
  disable_local_login
    Whether to disable local login for Wayfinder. Note: An IDP must be configured within Wayfinder, otherwise you will not be able to log in.
    Type: bool; Default: false; Required: no
  dns_zone_arn
    The AWS Route53 DNS Zone ARN to use (e.g. arn:aws:route53:::hostedzone/ABCDEFG1234567).
    Type: string; Default: n/a; Required: yes
  ebs_csi_kms_cmk_ids
    List of KMS CMKs to allow EBS CSI to manage encrypted volumes. This is required if EBS encryption is set at the account level with a default KMS CMK.
    Type: list(string); Default: []; Required: no
  eks_ng_capacity_type
    The capacity type to use for the EKS managed node group.
    Type: string; Default: "ON_DEMAND"; Required: no
  eks_ng_desired_size
    The desired size to use for the EKS managed node group.
    Type: number; Default: 1; Required: no
  eks_ng_instance_types
    The instance types to use for the EKS managed node group.
    Type: list(string); Default: ["t3.xlarge"]; Required: no
  eks_ng_maximum_size
    The maximum size to use for the EKS managed node group.
    Type: number; Default: 10; Required: no
  eks_ng_minimum_size
    The minimum size to use for the EKS managed node group.
    Type: number; Default: 1; Required: no
  enable_k8s_resources
    Whether to enable the creation of Kubernetes resources for Wayfinder (helm and kubectl manifest deployments).
    Type: bool; Default: true; Required: no
  enable_wf_cloudaccess
    Whether to configure a CloudIdentity resource in Wayfinder for the configured AWS IRSA identity once installed (requires enable_k8s_resources).
    Type: bool; Default: true; Required: no
  enable_wf_costestimates
    Whether to configure an admin CloudAccessConfig for cost estimates in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess).
    Type: bool; Default: true; Required: no
  enable_wf_dnszonemanager
    Whether to configure an admin CloudAccessConfig for DNS zone management in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess).
    Type: bool; Default: false; Required: no
  environment
    The environment name we are provisioning.
    Type: string; Default: "production"; Required: no
  kms_key_administrators
    A list of IAM ARNs for EKS key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available.
    Type: list(string); Default: []; Required: no
  kube_proxy_addon_version
    Kube Proxy Addon version to use.
    Type: string; Default: "v1.28.6-eksbuild.2"; Required: no
  node_security_group_additional_rules
    List of additional security group rules to add to the node security group created. Set source_cluster_security_group = true inside rules to set the cluster_security_group as source.
    Type: any; Default: {}; Required: no
  subnet_ids_by_az
    A map of subnet IDs by availability zone.
    Type: map(list(string)); Default: {}; Required: no
  tags
    A map of tags to add to all resources created.
    Type: map(string); Default: {}; Required: no
  vpc_id
    The VPC ID for the Wayfinder EKS Cluster to be built within.
    Type: string; Default: n/a; Required: yes
  wayfinder_domain_name_api
    The domain name to use for the Wayfinder API (e.g. api.wayfinder.example.com).
    Type: string; Default: n/a; Required: yes
  wayfinder_domain_name_ui
    The domain name to use for the Wayfinder UI (e.g. portal.wayfinder.example.com).
    Type: string; Default: n/a; Required: yes
  wayfinder_idp_details
    The IDP details to use for Wayfinder to enable SSO.
    Type:
      object({
        type          = string
        clientId      = optional(string)
        clientSecret  = optional(string)
        serverUrl     = optional(string)
        azureTenantId = optional(string)
      })
    Default: { "azureTenantId": "", "clientId": null, "clientSecret": null, "serverUrl": "", "type": "none" }; Required: no
  wayfinder_instance_id
    The instance ID to use for Wayfinder.
    Type: string; Default: n/a; Required: yes
  wayfinder_licence_key
    The licence key to use for Wayfinder.
    Type: string; Default: n/a; Required: yes
  wayfinder_release_channel
    The release channel to use for Wayfinder.
    Type: string; Default: "wayfinder-releases"; Required: no
  wayfinder_version
    The version to use for Wayfinder.
    Type: string; Default: "v2.6.5"; Required: no

Outputs

Each output is listed with its description.

  cluster_certificate_authority_data
    The base64-encoded certificate data for the Wayfinder EKS cluster.
  cluster_endpoint
    The endpoint for the Wayfinder EKS Kubernetes API.
  cluster_name
    The name of the Wayfinder EKS cluster.
  cluster_oidc_provider_arn
    The ARN of the OIDC provider for the Wayfinder EKS cluster.
  wayfinder_admin_password
    The password for the Wayfinder local admin user.
  wayfinder_admin_username
    The username for the Wayfinder local admin user.
  wayfinder_api_url
    The URL for the Wayfinder API.
  wayfinder_iam_role_arn
    The ARN of the IAM role used by Wayfinder.
  wayfinder_instance_id
    The unique identifier for the Wayfinder instance.
  wayfinder_ui_url
    The URL for the Wayfinder UI.