Cloud Configuration Overview
Scope
In order for developers to self-serve cloud infrastructure in Wayfinder, you must provide access to one or more cloud providers that you want Wayfinder workspaces to use. This topic describes the types of cloud accounts you can configure in Wayfinder and points you to more detailed information.
CLI Quick Reference
| Instruction | CLI Command |
|---|---|
| View cloud accounts | wf get cloudaccessconfig |
| View cloud accounts for a particular workspace | wf get cloudaccessconfig -w WORKSPACE-ID |
Types of cloud accounts
For each cloud provider, Wayfinder supports two methods of account integration, namely cloud accounts and organisation accounts. Both are outlined below.
Cloud Accounts
Cloud accounts let you add your existing AWS accounts, GCP projects, and Azure subscriptions to Wayfinder and allocate them to your workspaces as you see fit. Infrastructure for a workspace will be provisioned directly into these accounts when requested. You take responsibility for providing access for Wayfinder into the accounts and for ensuring workspaces have accounts allocated to them.
As a Wayfinder administrator, you can see linked accounts in Wayfinder's web interface as follows:
Settings > Isolation & Boundaries > Cloud Access
The account type in the accounts list is Linked workspace account.
Pros: The linked accounts already exist in your cloud provider, so it's easy to link them to Wayfinder.
Cons: Different teams or projects (workspaces) may share the same account. This does not follow the best practice of isolating each team's workspace and environment, and does not allow Wayfinder to manage least-privilege access into these shared accounts.
Organisation accounts
[Advanced Users]
Organisation accounts are required for multi-account automation. Multi-account automation provides new, isolated AWS accounts, GCP projects, and Azure subscriptions on demand for your developers. This ensures best-practice separation between each team's workspace and environment, and allows Wayfinder to manage least-privilege access into those accounts.
Let's say you configure an organisation account for AWS (known as a subscription in Azure, and a project in GCP), and a workspace decides to use Wayfinder-managed accounts when creating clusters. Then each workspace can have one managed account per development stage, per cloud. For example:
- When workspace members create a cluster on AWS for a particular development stage, the cluster uses an automatically created managed account on AWS for that stage.
- If another AWS cluster is created for that same stage, it uses the same managed account in that workspace.
- If another AWS cluster is created for a different stage, a new managed account is automatically created for the new stage.
As a Wayfinder administrator, you can see managed accounts in Wayfinder's web interface as follows:
Settings > Isolation & Boundaries > Cloud Access
The account type in the accounts list is Managed.
Pros: This method follows the best practice of isolating teams/workspaces and environments, and lets Wayfinder manage least-privilege access into the accounts.
Cons: Setting up organisation accounts for automation can be difficult if you're unfamiliar with cloud accounts. You also need greater access to your company's cloud infrastructure, and must meet several prerequisites, to set this up.
View cloud accounts
As an administrator, you can see the managed or linked cloud accounts that have been allocated to workspaces. If you have added an organisation account for a cloud provider, managed accounts are automatically created when members of a workspace create a cluster and choose to use a managed account in that cloud. Cloud accounts are existing accounts that you connected to Wayfinder, and these can also be selected when creating a cluster.
CLI: run wf get cloudaccessconfig (add -w WORKSPACE-ID to list the accounts allocated to one workspace).
Wayfinder's web interface:
Click Settings > Isolation & Boundaries > Cloud Access, and then click the tab for your cloud provider.
In the accounts list there can be two types of accounts:
- Managed—Created through multi-account automation or directly by users (requires an organisation account to be set up)
- Linked—Existing cloud accounts that you connected to Wayfinder
Wayfinder displays a list of both types of account and, in the Stage column, the workspaces each account is allocated to.
You can use the Filter results tool to search by account type.
Using organisation accounts
Adding an organisation cloud account to Wayfinder gives it the ability to create and manage multiple cloud accounts on demand for your development teams, subject to the rules and conventions you configure. You will typically add a single organisation account to Wayfinder for each provider you wish to use.
Configure cloud accounts for automation
Wayfinder needs specific information and set-up for each cloud provider to support multi-account automation. See the following for instructions:
- Amazon Web Services (AWS) Account Automation
- Microsoft Azure Subscription Automation
- Google Cloud Platform (GCP) Project Automation
Using cloud accounts
Adding a cloud account to Wayfinder gives it the ability to use an existing cloud account directly to build development team infrastructure. You can control which workspaces have access to request infrastructure in each account.
See the following to add cloud accounts to Wayfinder for each of the providers:
Allocating cloud accounts to workspaces
Workspaces can only use cloud accounts that are allocated to them. When managing organisation or linked cloud accounts, you can choose to allocate to:
- All workspaces—any workspace can use this account to build its infrastructure. This is the recommended setting for organisation accounts (for multi-account automation), as it allows developers to self-serve.
- Specified workspaces—only the specified workspaces can use this cloud account. This lets you have different linked cloud accounts for different workspaces.
- None—No workspaces can see or use this account. This is only used for Wayfinder-wide functionality such as DNS zones, cost estimation and management, and network peering.
You can allocate accounts to workspaces when:
- Creating the account using the CLI—see wf get cloudaccessconfig.
- Creating or editing the account in the UI—see the relevant pages for your cloud provider:
  - Organisation accounts:
  - Cloud accounts:
Once you make a cloud account available to a workspace, the members of that workspace see the account listed in Wayfinder when they build a cluster or when they run wf get cloudaccessconfig -w WORKSPACE-ID.
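The two rules this page states, one managed account per workspace, per stage, per cloud (organisation accounts section) and the All / Specified / None allocation choices above, are modelled in the following added example. This is illustrative code written for this page, not Wayfinder's implementation; the class and field names are assumptions.

```python
# Added model of the account-selection rules described on this page (not Wayfinder code).
# Assumed names: CloudAccount, AccountRegistry, visible_to.
from dataclasses import dataclass
from typing import Optional

@dataclass
class CloudAccount:
    name: str
    cloud: str                        # e.g. "aws", "azure", "gcp"
    kind: str                         # "linked" (existing) or "managed" (created by automation)
    allocation: str = "all"           # "all", "specified" or "none"
    workspaces: frozenset = frozenset()   # only used when allocation == "specified"
    stage: Optional[str] = None       # a managed account belongs to one development stage
    workspace: Optional[str] = None   # ...and to one workspace

def visible_to(account: CloudAccount, workspace: str) -> bool:
    """Allocation rule: 'all' -> every workspace; 'specified' -> listed workspaces only;
    'none' -> Wayfinder-wide use (DNS zones, cost, peering), never visible to a workspace."""
    if account.allocation == "all":
        return True
    if account.allocation == "specified":
        return workspace in account.workspaces
    return False

class AccountRegistry:
    def __init__(self, org_clouds, linked_accounts):
        self.org_clouds = set(org_clouds)      # clouds that have an organisation account
        self.accounts = list(linked_accounts)
        self.created = 0                       # how many managed accounts were provisioned

    def managed_account_for(self, workspace: str, cloud: str, stage: str) -> CloudAccount:
        """Reuse the workspace's managed account for this cloud+stage, else create one."""
        for a in self.accounts:
            if (a.kind == "managed" and a.workspace == workspace
                    and a.cloud == cloud and a.stage == stage):
                return a                       # same stage -> same managed account
        if cloud not in self.org_clouds:       # automation needs an organisation account
            raise ValueError(f"no organisation account configured for {cloud}")
        a = CloudAccount(name=f"{workspace}-{cloud}-{stage}", cloud=cloud, kind="managed",
                         allocation="specified", workspaces=frozenset({workspace}),
                         stage=stage, workspace=workspace)
        self.accounts.append(a)
        self.created += 1
        return a

    def accounts_for(self, workspace: str, cloud: str) -> list:
        """What 'wf get cloudaccessconfig -w WORKSPACE' would list for one cloud."""
        return [a.name for a in self.accounts if a.cloud == cloud and visible_to(a, workspace)]
```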
Allowing user access to cloud accounts
If desirable, you can allow workspace members to access their cloud account so they can use tools such as Terraform or the AWS CLI, and the cloud provider's native console. For instructions, see User Access to Wayfinder-managed Cloud Accounts.