In order for developers to self-serve cloud infrastructure in Wayfinder, you must provide access to one or more cloud providers that you want Wayfinder workspaces to use. This topic describes the types of cloud accounts you can configure in Wayfinder, and points you to more detailed information.
Types of cloud accounts
For each cloud provider, Wayfinder supports two methods of account integration:
Linked accounts let you add your existing AWS accounts, GCP projects, and Azure subscriptions to Wayfinder and allocate them to your workspaces as you see fit. Infrastructure for a workspace will be provisioned directly into these accounts when requested. You take responsibility for providing access for Wayfinder into the accounts and for ensuring workspaces have accounts allocated to them.
As a Wayfinder administrator, you can see linked accounts in Wayfinder settings > Cloud accounts > Accounts. The account type in the accounts list is Linked.
Pros: The linked accounts already exist in your cloud provider, so it's easy to link them to Wayfinder.
Cons: Different teams or projects (workspaces) may share the same account. This does not follow best practice of isolating each team's workspace and environment, and does not allow Wayfinder to manage least privilege access into these shared accounts.
Organization accounts are required for multi-account automation. Multi-account automation provides new isolated AWS accounts, GCP projects, and Azure subscriptions on demand for your developers. This ensures best practice separation between each team's workspace and environment, and allows Wayfinder to manage least privilege access into those accounts.
Let's say you configure an organization account for AWS (known as subscription in Azure, and project in GCP), and a workspace decides to use Wayfinder-managed accounts when creating clusters. Then:
Each workspace can have one managed account per development stage, per cloud. For example:
- When workspace members create a cluster on AWS for a particular development stage, the cluster uses an automatically created managed account on AWS for that stage.
- If another AWS cluster is created for that same stage, it uses the same managed account in that workspace.
- If another AWS cluster is created for a different stage, a new managed account is automatically created for the new stage.
As a Wayfinder administrator, you can see the managed accounts in Wayfinder settings > Cloud accounts > Accounts. The account type in the accounts list is Managed.
Pros: This method ensures best practice of isolating teams/workspaces and environments, and lets Wayfinder manage least privilege into the accounts.
Cons: Setting up organization accounts for automation can be difficult if you're unfamiliar with cloud accounts. You also need greater access to your company's cloud infrastructure, and must meet several prerequisites, to set this up.
View cloud accounts
As an administrator, you can see the managed or linked cloud accounts that have been allocated to workspaces. If you have added an organization account for a cloud provider, managed accounts are automatically created when members of a workspace create a cluster and choose to use a managed account in that cloud. Linked accounts are existing accounts that you connected to Wayfinder, and these can also be selected when creating a cluster.
To see your cloud accounts:
In the UI, click Wayfinder settings > Cloud accounts > Accounts, and then click the tab for your cloud provider.
In the accounts list there can be two types of accounts:
- Managed—Created through multi-account automation or directly by users (requires an organization account to be set up)
- Linked—Existing cloud accounts that you connected to Wayfinder
Wayfinder displays a list of either type of account, and the workspaces each account is allocated to in the Scope column.
If you've set up an organization account, a gray box is displayed at the top saying Multi-account automation is enabled, along with the account details.
Using organization accounts
Adding an organization cloud account to Wayfinder gives it the ability to create and manage multiple cloud accounts on demand for your development teams, subject to the rules and conventions you configure. You will typically add a single organization type account to Wayfinder for each provider you wish to use.
Configure cloud accounts for automation
Wayfinder needs specific information and set-up for each cloud provider to support multi-account automation. See the following for instructions:
- Amazon Web Services (AWS) Account Automation
- Microsoft Azure Subscription Automation
- Google Cloud Platform (GCP) Project Automation
Close cloud accounts provisioned by Wayfinder
Closing accounts provisioned by Wayfinder takes a particular set of steps with each cloud provider, after removing (or 'un-managing') the unused account from Wayfinder:
- Close Amazon Web Services (AWS) Accounts created by Wayfinder
- Close Microsoft Azure Subscriptions created by Wayfinder
- Close Google Cloud Platform (GCP) Projects created by Wayfinder
Using linked cloud accounts
Adding a linked cloud account to Wayfinder gives it the ability to use an existing cloud account directly to build development team infrastructure. You can control which workspaces have access to request infrastructure in each account.
See the following to add linked cloud accounts to Wayfinder for each of the providers:
- Google Cloud Platform (GCP) Linked Projects
- Microsoft Azure Linked Subscriptions
- Amazon Web Services (AWS) Linked Accounts
Allocating cloud accounts to workspaces
Workspaces can only use cloud accounts that are allocated to them. When managing organization or linked cloud accounts, you can choose to allocate them to:
- All workspaces—any workspace can use this account to build its infrastructure. This is the recommended setting for organization accounts (for multi-account automation) as it allows developers to self-serve.
- Specified workspaces—only the specified workspaces can use this cloud account. This lets you have different linked cloud accounts for different workspaces.
- None—No workspaces can see or use this account. This is only used for Wayfinder-wide functionality such as DNS zones, cost estimation and management, and network peering.
You can allocate accounts to workspaces when:
- Creating the account using the CLI—see wf get cloudaccounts.
- Creating or editing the account in the UI—see the relevant pages for your cloud provider.
Once you make a cloud account available to a workspace, the members of that workspace see the account listed in Wayfinder when they build a cluster or when they run wf get cloudaccounts -w WORKSPACE-ID.
Allowing user access to cloud accounts
If desired, you can allow workspace members to access their cloud account so they can use tools such as Terraform or the AWS CLI, and the cloud provider's native console. For instructions, see User Access to Wayfinder-managed Cloud Accounts.