Cloud Accounts Overview

In order for developers to self-serve cloud infrastructure in Wayfinder, you must provide access to one or more cloud providers that you want Wayfinder workspaces to use. This topic contains the types of cloud accounts you can configure in Wayfinder, and points you to more detailed information.

Types of cloud accounts

For each cloud provider, Wayfinder supports two methods of account integration:

Organization accounts

Organization accounts are required for account automation. Automation provides new, isolated AWS accounts, GCP projects, and Azure subscriptions on demand for your developers. This ensures best-practice separation between each team's workspace and environment, and allows Wayfinder to manage least-privilege access into those accounts.

Suppose you configure an organization account for AWS (the equivalent unit is a subscription in Azure and a project in GCP), and a workspace chooses to use Wayfinder-managed accounts when creating clusters. Then:

  • When workspace members create a cluster on AWS for a particular development stage, the cluster uses an automatically created managed account on AWS, for that stage.

  • If another AWS cluster is created for that same stage, it uses the same managed account in that workspace.

  • If another AWS cluster is created for a different stage, a new managed account is automatically created for the new stage.

  • As a Wayfinder administrator, you can see the managed accounts in Wayfinder settings > Cloud accounts > Managed accounts.

Each workspace can have one managed account per development stage, per organization account. Organization accounts appear in the workspace view of the UI on the Cloud environments page. Workspace members can also add managed accounts without creating a cluster.

Shared accounts

Shared accounts let you add your existing AWS accounts, GCP projects, and Azure subscriptions to Wayfinder and allocate them to your team workspaces as you see fit. Team infrastructure is provisioned directly into these accounts when a workspace requests it. You take responsibility for providing Wayfinder with access to the accounts and for ensuring that workspaces have accounts allocated to them.

We recommend using organization account automation where possible; however, you can mix and match these approaches as needed.

Allocating cloud accounts to workspaces

Workspaces can only use cloud accounts that are allocated to them. When managing organization or shared cloud accounts, you can choose to allocate them to:

  • All workspaces—any workspace can use this to build their infrastructure. This is the recommended setting for organization account automation as it allows developers to self-serve.
  • Specified workspaces—only the specified workspaces can use this cloud account. This lets you have different shared cloud accounts for different workspaces.
  • None—only usable for Wayfinder-wide functionality such as DNS zones, cost estimation and management, and network peering. No workspaces can see or use this account.

You can allocate accounts to workspaces:

  • When creating the account using the CLI—see wf get cloudaccounts.
  • When creating or editing the account in the UI—see the relevant pages for your cloud provider.

Once you make a cloud account available to a workspace, the members of that workspace see the account listed in Wayfinder when they build a cluster or when they use wf get cloudaccounts -w WORKSPACEID.
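The allocation rules above (all workspaces, specified workspaces, or none) and the one-managed-account-per-stage behaviour described under organization accounts, as a small Python model added here for illustration. It is not Wayfinder's own code or API: the account names, workspace ids and generated cloud ids are constructed placeholders, and the lazy creation keyed on (workspace, stage, organization account) is an assumption about the semantics the page describes, not a description of how Wayfinder implements it.

```python
"""Illustrative model of Wayfinder cloud-account allocation (not Wayfinder's code).

Assumed rules, taken from the page's description:
  - an account's allocation is ALL workspaces, a set of workspace ids, or NONE
  - a workspace may only use accounts allocated to it
  - an organization account yields one managed account per
    (workspace, stage, organization account), created on first use
  - a shared account is used directly, if allocated
"""
from dataclasses import dataclass

ALL = "all"    # allocated to every workspace (recommended for automation)
NONE = "none"  # Wayfinder-wide functionality only (DNS zones, cost, peering)


@dataclass
class CloudAccount:
    name: str
    provider: str    # "aws" | "gcp" | "azure"
    kind: str        # "organization" | "shared"
    allocation: object = NONE  # ALL, NONE, or a frozenset of workspace ids

    def allocated_to(self, workspace: str) -> bool:
        if self.allocation == ALL:
            return True
        if self.allocation == NONE:
            return False
        return workspace in self.allocation


@dataclass
class ManagedAccount:
    org_account: str
    workspace: str
    stage: str
    provider: str
    cloud_id: str  # constructed placeholder, e.g. "aws-acct-0001"


class Registry:
    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        self.managed = {}   # (workspace, stage, org account) -> ManagedAccount
        self._seq = 0

    def visible_accounts(self, workspace):
        """What a workspace member would see listed for their workspace."""
        return sorted(a.name for a in self.accounts.values()
                      if a.allocated_to(workspace))

    def can_use(self, workspace, account_name):
        """Least-privilege check: a workspace only uses accounts allocated to it."""
        acct = self.accounts.get(account_name)
        return acct is not None and acct.allocated_to(workspace)

    def managed_account_for(self, workspace, stage, org_account_name):
        """Managed account for (workspace, stage, org account); created on first use."""
        org = self.accounts[org_account_name]
        if org.kind != "organization":
            raise ValueError(f"{org_account_name} is not an organization account")
        if not org.allocated_to(workspace):
            raise PermissionError(f"{org_account_name} not allocated to {workspace}")
        key = (workspace, stage, org_account_name)
        if key not in self.managed:
            self._seq += 1
            self.managed[key] = ManagedAccount(
                org_account_name, workspace, stage, org.provider,
                cloud_id=f"{org.provider}-acct-{self._seq:04d}")
        return self.managed[key]

    def cluster_account(self, workspace, stage, account_name):
        """Cloud account a new cluster lands in: managed for organization
        accounts, the account itself for shared accounts."""
        acct = self.accounts[account_name]
        if acct.kind == "organization":
            return self.managed_account_for(workspace, stage, account_name).cloud_id
        if not acct.allocated_to(workspace):
            raise PermissionError(f"{account_name} not allocated to {workspace}")
        return acct.name


def build_sample_registry():
    """Constructed sample: an AWS organization account open to all workspaces,
    a GCP shared account for team-a only, and an AWS account kept for DNS only."""
    return Registry([
        CloudAccount("aws-org", "aws", "organization", ALL),
        CloudAccount("gcp-shared-team-a", "gcp", "shared", frozenset({"team-a"})),
        CloudAccount("aws-dns-only", "aws", "shared", NONE),
    ])


if __name__ == "__main__":
    reg = build_sample_registry()
    print(reg.visible_accounts("team-a"), reg.visible_accounts("team-b"))
    # Two dev clusters share one managed account; prod gets its own.
    print(reg.cluster_account("team-a", "dev", "aws-org"),
          reg.cluster_account("team-a", "dev", "aws-org"),
          reg.cluster_account("team-a", "prod", "aws-org"))
```

Running the sample shows team-b seeing only the organization account, the DNS-only account visible to nobody, and repeated dev clusters for one workspace reusing a single managed account while a new stage or a different workspace gets a fresh one.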

Allowing user access to cloud accounts

If you wish, you can allow workspace members to access their cloud account directly, so they can use tools such as Terraform or the AWS CLI, and the cloud provider's native console. For instructions, see User Access to Wayfinder-managed Cloud Accounts.

Adding an organization cloud account to Wayfinder gives it the ability to create and manage cloud accounts on demand for your development teams, subject to the rules and conventions you configure. You will typically add a single organization type account to Wayfinder for each provider you wish to use.

View cloud accounts in the UI

As an administrator, you can see the managed or shared cloud accounts that have been allocated to workspaces. If you have added an organization account for a cloud provider, managed accounts are automatically created when members of a workspace create a cluster and select to use a managed account in that cloud. Shared accounts are manually created and can also be selected when creating a cluster.

To see your cloud accounts in the UI:

  1. Click Wayfinder settings.

    The Organizations page is displayed, showing any organization accounts you configured for each cloud provider.

  2. Select your cloud provider at the top, and then click either:

    • Managed accounts
    • Shared accounts

    Wayfinder displays a list of either type of account, including the workspaces each account is allocated to. For example, from the CLI:

    wf get cloudaccounts --all-managed

Configure cloud accounts for automation

Wayfinder needs specific information and set-up for each cloud provider to support account automation. See the following for instructions:

Close cloud accounts provisioned by Wayfinder

Closing accounts provisioned by Wayfinder takes a particular set of steps with each cloud provider, after removing (or 'un-managing') the unused account from Wayfinder:

Using shared cloud accounts

Adding a shared cloud account to Wayfinder gives it the ability to use an existing cloud account directly to build development team infrastructure. You can control which workspaces have access to request infrastructure in each account.