Use Azure static credentials

This article covers granting Wayfinder access to an Azure Subscription (target subscription) and you're using static credentials (Azure AD Client Secret) for authentication. Wayfinder is installed in either AWS, Azure or GCP (home installation).

Jump to the Quick Start section for steps on how to create a new Azure Cloud Access.

CLI Quick Reference

Instruction	CLI Command
Create a workspace (only if Access Type is Kubernetes Cluster Provisioning)	wf create workspace WORKSPACE-KEY -s SUMMARY
Create a stage (only if Access Type is Kubernetes Cluster Provisioning)	wf create stage STAGE-NAME -d DESCRIPTION
View Cloud Access Configurations	wf get cloudaccessconfig -c CLOUD -w WORKSPACE-KEY
Output the Cloud Access Configuration to console	wf get cloudaccessconfig CONFIG-NAME -o yaml
Output the Cloud Access Configuration to file	wf get cloudaccessconfig CONFIG-NAME > ./PATH/TO/FILE.yaml
Apply the Cloud Access Configuration from file	wf apply cloudaccessconfig -f ./PATH/TO/FILE.yaml
View Cloud Permissions	wf get cloudpermissions
View the Permissions of the specified Cloud Permission	wf describe cloudpermissions PERMISSION-NAME -c CLOUD -o JSON
View input values for Wayfinder's terraform module	wf describe cloudaccess --cloud-identity CLOUDIDENTITY-NAME --to-cloud TARGET-CLOUD --for-type ACCESS-TYPE --for-stage STAGE-NAME --for-workspace WORKSPACE-KEY -o tfvars
View cloud identities	wf get cloudidentities
Output the details of the cloud identity to console	wf get cloudidentities NAME-OF-IDENTITY -o yaml
Create a cloud identity for Wayfinder's workload identity (You only have to do this once)	wf create cloudidentity CLOUDIDENTITY-NAME --for-workload-identity
[ADVANCED USERS] Create a Cloud Access Configuration	wf create cloudaccessconfig [flags]

Considerations

For each subscription that you want to connect, you need to:

1. Decide what type of cloud access you need.
2. Decide the scope of the cloud subscription (workspace and stage).
   Note that some access types are designated as 'administrative' for configurations that are outside the scope of any particular workspace or stage and are intended for Wayfinder administrators.
3. Decide what type of authentication method you want to use. This article outlines using static credentials (Azure AD Client Secret).
4. Give Wayfinder cloud permissions to access cloud resources and perform relevant tasks.

Quick Start: Add a new Azure Cloud Access

CLI Steps

The easiest way to create a new Azure cloud access configuration is to edit an existing one.

1. Copy one of the cloud access configuration (yaml) examples or output the yaml of an existing Cloud Access Configuration to file.
2. Review the permissions that Wayfinder needs.
3. Use Wayfinder's terraform module to configure the target subscription (or do the configuration manually).
4. Apply the yaml of the Cloud Access Configuration that you've edited.

Wayfinder's Web Interface Steps

1. Select Admin, then navigate to Cloud > Access.
2. Select Microsoft Azure.
3. Click the Add Azure cloud access button
4. You are presented with the Add Azure cloud access page. There are four main sections to complete.

1. Details Section Steps

1. Enter the Details for the new cloud access.
2. Enter the Azure Subscription ID for the Azure subscription that you want to give Wayfinder access to.
3. Select the Access Type that this cloud access connection is for e.g., Kubernetes Cluster Provisioning

Example

2. Scope Section Steps

1. Select a workspace from the drop-down list or create a new workspace.
2. Select a stage from the drop-down list or create a new stage.

note

The Access Type determines if the Scope section is editable or skipped. If skipped then the Scope is designated as 'Platform'.

Example

3. Authentication Section Steps

1. Select Azure AD client secret as the Authentication Method.
2. Select an Identity from the drop-down list. You can create a new identity if the drop-down list is empty or if they do not suffice.

Example

Create a new identity

1. You need to manually create an Azure AD Client Secret in Azure. After you've created this user, return to Wayfinder's web interface and follow the steps below.
2. In Wayfinder's Web Interface:

• Select the +Identity button. A new modal opens.
• Fill in the details of the Azure AD Client Secret that you created in Azure. See the Authentication section for a description of each field.
• Click on the Validate button so that Wayfinder can verify that it can access the Azure cloud subscription using that identity.
• You will not be able to proceed until all the validation passed.

Example

If the details are valid, then you'll be able to proceed to the Permissions section.

4. Permission Section Steps

note

You need to either run Wayfinder's terraform module to set up the needed cloud configuration in the target subscription or manually do the configuration. The right-hand panel will provide the needed input values for Wayfinder's terraform module.

1. Select the ClusterManager's Validate Permissions button.
2. Click the Validate button. You need to resolve any error messages before you can continue.
3. Repeat the steps above for DNSZoneManager and NetworkManager (if applicable for your Access Type).

Example

Fix any errors by either running Wayfinder's terraform module or update the permissions manually.

You will be able to proceed once the permissions are validated successfully.

All permissions must be validated successfully before you can proceed to the Summary section.

5. Summary Section Steps

1. Verify that all the details are correct.

note

You will not be able to apply the configuration if any of the validations failed.

Example

6. YAML Section Steps

1. Press the Apply button to apply the configuration.
2. Alternatively, download the YAML and apply it using Wayfinder's CLI or your CI pipeline.

Azure Cloud Access Properties

The following sections outline the properties that you'll need to connect your subscription to Wayfinder. CLI users can refer to the information in this section to understand how the settings from Wayfinder's web interface correlate with the respective YAML files.

Refer to the previous section for the quick start steps on how to add a new Azure Cloud Access.

Details Section Properties

This section specifies the general properties and access type for the Azure Subscription you're adding.

Field	Description
Name	The name of this cloud connection
Description	A meaningful description for this cloud connection
Azure Subscription ID	Specify the Azure Subscription ID that you're connecting to.
Access Type	The type of automation Wayfinder should provide. Option(s): Kubernetes Cluster Provisioning: Used for creating, updating and managing Kubernetes, cluster networking and workspace scoped DNS records for applications. DNS Provisioning: Used for managing a top-level domain, so that Wayfinder can create sub domains within it that are delegated to workspace clusters. Peering: Used for peering automation. Wayfinder can accept peering requests enabling connectivity between Wayfinder provisioned Kubernetes clusters and any external VPC network. Cost Estimate: Used for cost data retrieval in order to provide infrastructure cost estimates.

note

Each cloud account you connect is for the purpose of one of the 'Cloud Access Type' and each will have a different scope.

Scope Section Properties

When you've selected the Access Type as 'Kubernetes Cluster Provisioning', you need to set the scope to control where you want to provide the access to. This section is not visible for other Access Types.

What is the difference between a workspace and a stage?

• A workspace is where teams provision and manage applications, environments, clusters, and cloud resources.
• A stage is used to isolate and test resources at the infrastructure level such as production or development.

What is 'platform' scope?

Access types that are designated as 'platform' are for configurations that are outside the scope of any particular workspace or stage and are intended for the use by Wayfinder administrators.

Access Type	Description	Scope
Kubernetes Cluster Provisioning	Used for creating, updating and managing Kubernetes, cluster networking and workspace scoped DNS records for applications.	Workspace and Stage
DNS Provisioning	Used for managing a top-level domain, so that Wayfinder can create sub domains within it that are delegated to workspace clusters.	Platform
Peering	Used for peering automation. Wayfinder can accept peering requests enabling connectivity between Wayfinder provisioned Kubernetes clusters and any external VPC network.	Platform
Cost Estimates	Used for cost data retrieval in order to provide infrastructure cost estimates.	Platform

Create a new workspace

You can create a new workspace if the existing ones don't meet your needs.

Field	Description
Select workspace	The workspace that can use this cloud account.
-- New workspace (button)	Creates a new workspace.
--- Name	The name for the new workspace.
--- Description	Meaningful description for this workspace.
--- Key	Unique 3-5 character identifier for the new workspace.

CLI Examples

Create a workspace

FORMAT: wf create workspace WORKSPACE-KEY -s SUMMARY

EXAMPLE:

wf create workspace sand -s "My sandbox workspace" 
◉ Waiting for resource "org.appvia.io/v2beta1/workspace/sand" to provision (background with ctrl-c)
✔ Successfully provisioned the resource: "sand"

Create a new stage

You can create a new stage if the existing ones don't meet your needs.

Field	Description
Select stage	The stage that can use this cloud account.
-- New stage (button)	Creates a new stage.
--- Name	The name for the new stage.
--- Description	Meaningful description for this stage.

CLI Examples

Create a stage

FORMAT: wf create stage STAGE-NAME -d DESCRIPTION

EXAMPLE:

~ wf create stage nonprod -d "non production stage"
✔ Successfully requested the resource "org.appvia.io/v2beta1/stage/nonprod"
✔ Successfully created the stage

Authentication Section Properties

This section specifies the properties to authenticate your Wayfinder instance with your cloud account.

Field	Description
Authentication method	The method in which Wayfinder will authenticate itself to the account. Option(s): - Using static credentials -- Azure AD Client Secret --- This method uses static credentials. You can choose an identity from the drop-down list or create a new identity. Authenticating without credentials -- For more information see 'Using Wayfinder's credentials'.
Identity	This option is only available when you use credential-based authentication Choose a role-based or user-based identity from the drop-down list
- New identity (button)	Creates a new role-based or user-based identity (when existing identities doesn't meet your needs)
-- Name	Name of the new identity
-- Cloud	The cloud in which the identity will be created (read-only value). Value(s): - Azure
--- Type	The type of identity to create. Option(s): - Azure AD client secret (Read-only value)
--- Tenant ID	Specify the value for the Tenant ID for the new identity
--- Client ID	Specify the value for the Client ID for the new identity
--- Client Secret	Specify the value for the Client Secret

CLI Examples

Use wf create cloudidentity CLOUDIDENTITY-NAME with the --azure-client-id CLIENT-ID --azure-tenant-id TENANT-ID --secret-file SECRET-FILE-NAME -c CLOUD flags to create the cloud identity.

wf create cloudidentity wf-azure-static --azure-client-id  90123456-efgh-7890-abcd-1234efgh5678 --azure-tenant-id 87654321-abcd-458d-aa01-0123abcd1234 --secret-file cred-wf-azure-static -c azure

Permissions Section Properties

This section specifies the properties that grants the necessary permissions to Wayfinder. These permissions allow Wayfinder to create, manage and update cloud resources in the cloud subscription you specified in the previous section.

Field	Description
Cluster manager	Permissions that create and manage Kubernetes clusters.
- Necessary Permissions	JSON outlining the needed permissions for Cluster Manager. Use Wayfinder's terraform module to assign permissions or create it manually.
- Validate (button)	Verification that the needed permissions were assigned correctly.
DNS management	Permissions that create and manage DNS records.
-- Permissions	JSON outlining the needed permissions to manage the DNS records on a sub domain of your global DNS entry. Use Wayfinder's terraform module to assign permissions or create it manually.
-- Validate (button)	Verification that the needed permissions were assigned correctly.
Network management	Permissions that create and manage AKS clusters.
-- Permissions	JSON outlining the needed permissions. Use Wayfinder's terraform module to assign permissions or create it manually.
-- Validate (button)	Verification that the needed permissions were assigned correctly.

Summary Section Properties

Wayfinder provides you with a summary of the configuration details you've entered.

Important

You will not be able to apply the configuration if any of the validations failed.

YAML Section Properties

You will be presented with the manifest (yaml) files for the configuration details you entered.

You have the option to apply the configuration immediately by clicking the Apply button, or to download the YAML so that you can apply it later using Wayfinder's CLI or your CI system.

The following YAML files are produced:

Workspace

Only shown when you create a new workspace.

apiVersion: org.appvia.io/v2beta1
kind: Workspace
metadata:
  name: sand
spec:
  description: sandbox
  key: sand
  summary: sandbox for dev
  resourceNamespace: ''

Stage

Only shown when you create a new stage.

apiVersion: org.appvia.io/v2beta1
kind: Stage
metadata:
  name: nonprod
spec:
  displayName: nonprod
  description: non production stage for dev

Cloud Identity

Only shown when you create a new Azure AD Client Secret. Wayfinder's web interface will redact the secret values. When you click the Apply button Wayfinder will create a Kubernetes secret. If you are applying this manually, then you need to create the Kubernetes secret yourself.

apiVersion: cloudaccess.appvia.io/v2beta2
kind: CloudIdentity                                    <-- Note the kind
metadata:
  name: wf-azure-static
  namespace: ws-admin
spec:
  cloud: azure
  type: AzureADClientSecret                            <-- Note the type
  azure:
    tenantID: 87654321-abcd-458d-aa01-0123abcd1234     <-- The Azure Tenant ID that you're connecting to
    clientID: 90123456-efgh-7890-abcd-1234efgh5678     <-- The Azure Client ID that you're connecting to
  credentialsInputData:
    client_secret: redacted

YAML with Kubernetes secret.

spec:
  cloud: azure
  type: AzureADClientSecret                            <-- Note the type
  azure:
    tenantID: 87654321-abcd-458d-aa01-0123abcd1234     <-- The Azure Tenant ID that you're connecting to
    clientID: 90123456-efgh-7890-abcd-1234efgh5678     <-- The Azure Client ID that you're connecting to
  credentialsUpdated: "2023-10-26T16:24:28Z"
  secretRef:
    name: cred-wf-azure-static
    namespace: ws-sand

Cloud Access Configuration

The type of manifest depends on the Access Type you've selected.

Provisioning

apiVersion: cloudaccess.appvia.io/v2beta2
kind: CloudAccessConfig                                  <-- Note the kind
metadata:
  name: azure-test1-static
  namespace: ws-sand
spec:
  cloudIdentityRef:
    cloud: azure                                          <-- Cloud Wayfinder is connecting from
    name: wf-azure-static                                 <-- Identity Wayfinder is connecting with
  azure:
    subscription: 12345678-abcd-458d-aa01-0123abcd1234    <-- The Azure Subscription ID that you're connecting to
    tenantID: 87654321-abcd-458d-aa01-0123abcd1234        <-- The Azure Tenant ID that you're connecting to
  type: Provisioning                                      <-- Note the type
  permissions:
  - permission: ClusterManager
  - permission: NetworkManager
  - permission: DNSZoneManager
  stage: nonprod

DNS Zone Management

apiVersion: cloudaccess.appvia.io/v2beta2
kind: CloudAccessConfig                                   <-- Note the kind
metadata:
  name: azure-devsand
spec:
  cloudIdentityRef:
    cloud: azure                                          <-- Cloud Wayfinder is connecting from
    name: wf-azure-static                                 <-- Identity Wayfinder is connecting with
  azure:
    subscription: 12345678-abcd-458d-aa01-0123abcd1234    <-- The Azure Subscription ID that you're connecting to
    tenantID: 87654321-abcd-458d-aa01-0123abcd1234        <-- The Azure Tenant ID that you're connecting to
  type: DNSZoneManagement                                 <-- Note the type
  permissions:
  - permission: DNSZoneManager
  stage: nonprod

Network Peering

apiVersion: cloudaccess.appvia.io/v2beta2
kind: CloudAccessConfig                                   <-- Note the kind
metadata:
  name: azure-devsand
spec:
  cloudIdentityRef:
    cloud: azure                                          <-- Cloud Wayfinder is connecting from
    name: wf-azure-static                                 <-- Identity Wayfinder is connecting with
  azure:
    subscription: 12345678-abcd-458d-aa01-0123abcd1234    <-- The Azure Subscription ID that you're connecting to
    tenantID: 87654321-abcd-458d-aa01-0123abcd1234        <-- The Azure Tenant ID that you're connecting to
  type: NetworkPeering                                    <-- Note the type
  permissions:
  - permission: NetworkManager
  stage: nonprod

Cost Estimates

apiVersion: cloudaccess.appvia.io/v2beta2
kind: CloudAccessConfig                                  <-- Note the kind
metadata:
  name: azure-devsand
spec:
  cloudIdentityRef:
    cloud: azure                                          <-- Cloud Wayfinder is connecting from
    name: wf-azure-static                                 <-- Identity Wayfinder is connecting with
  azure:
    subscription: 12345678-abcd-458d-aa01-0123abcd1234    <-- The Azure Subscription ID that you're connecting to
    tenantID: 87654321-abcd-458d-aa01-0123abcd1234        <-- The Azure Tenant ID that you're connecting to
  type: CostEstimates                                     <-- Note the type
  permissions:
  - permission: CostInfo
  stage: nonprod

View Cloud Access Configurations

Use the wf get cloudaccessconfig CLI command to view a list of cloud access configurations. Use the --cloud flag to limit the results to the specified cloud provider and the -w flag to specify the workspace.

wf get cloudaccessconfig --cloud azure -w sand
NAME                     PROVIDER    STATUS     IDENTIFIER    AGE
azure-test1-static       azure       Success    Unknown       9m47s
azure-nonprod            azure       Success    Unknown       19d
azure-prod               azure       Success    Unknown       19d

Use the -o yaml flag to output the cloud access configuration details to the console.

wf get cloudaccessconfig azure-dev1 -o yaml

Using Wayfinder's web interface:

• Select Admin, then navigate to Cloud > Access
• Select your cloud provider, for example Microsoft Azure
• The Cloud Access lists all the Cloud Access configurations for the selected cloud provider

Create a Cloud Access Configuration using CLI

[ADVANCED USERS]

Use the wf create cloudaccessconfig command to create a cloud access configuration using the CLI. Follow the CLI prompts or use the --help flag for a full list of options. You need to configure the target subscription manually or use Wayfinder's terraform module.

If you need more guidance then see the quick start section.

Edit & Apply Cloud Access Configurations

Output the cloud access configuration to file using the wf get cloudaccessconfigNAME-OF-CONFIG command with the > FILENAME.yaml postfix.

wf get cloudaccessconfig azure-dev1 > ./manifests/azuredev1.yaml

Update the file as needed and use wf apply command with the -f PATH-TO-FILE.yaml flag to apply the changes.

wf apply cloudaccessconfig -f ./manifests/clouddev1.yaml

Using Wayfinder's web interface:

• Select Admin, then navigate to Cloud > Access
• Select your cloud provider, for example Microsoft Azure
• The Cloud Access lists all the Cloud Access configurations for the selected cloud provider
• Click on the name of the Cloud Access to open the form in Edit mode.
• Update as needed.

note

You will not be able to change the values of the fields below. If they need changing then you need to create a new cloud access configuration.

• Name
• Subscription ID
• Access Type

note

All validations need to pass before you can re-apply the configuration.

View Permissions

These are the permissions that Wayfinder need in the target account to create and manage cloud resources.

Use the wf get cloudpermissions CLI command to view a list of available cloud permissions.

wf get cloudpermissions
NAME              WAYFINDER FUNCTIONALITY SET    DESCRIPTION
ClusterManager    Provisioning                   Used for managing cluster provisioning inside the child account
DNSZoneManager    Provisioning                   Used for managing application DNS records on a sub domain of the Global DNS entry
NetworkManager    Provisioning                   Used for managing network permissions inside the child account
DNSZoneManager    DNSZoneManagement              Used to create sub domains for workspace clusters inside of the imported top-level domain
NetworkManager    NetworkPeering                 Accepts peering requests in an external VPC network to provide end-to-end peering automation
CloudInfo         CostsEstimates                 Used to retrieve cost data for infrastructure cost estimation

Use the wf describe cloudpermissions CLI command to view the JSON of the specified permission.

Also see the Permisisons Section section.

wf describe cloudpermission DNSZoneManager -c azure -o json
Permission: DNSZoneManager
Description: Used for managing application DNS records on a sub domain of the Global DNS entry
Permissions:
actions:
- Microsoft.Authorization/roleAssignments/read
- Microsoft.Authorization/roleDefinitions/read
- Microsoft.Resources/subscriptions/providers/read
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/resourceGroups/write
- Microsoft.Resources/subscriptions/resourceGroups/delete
- Microsoft.Network/dnszones/read
- Microsoft.Network/dnszones/write
- Microsoft.Network/dnszones/delete
- Microsoft.Network/dnszones/recordsets/read
- Microsoft.Network/dnszones/NS/read
- Microsoft.Network/dnszones/NS/write
- Microsoft.Network/dnszones/NS/delete
- Microsoft.Network/dnszones/TXT/read
- Microsoft.Network/dnszones/TXT/write
- Microsoft.Network/dnszones/TXT/delete

Using Wayfinder's web interface:

• Select Admin, then navigate to Cloud > Access
• Select your cloud provider, for example Microsoft Azure
• The Cloud Access lists all the Cloud Access configurations for the selected cloud provider
• Click on the name of the Cloud Access to open the form in Edit mode.
• Navigate to the Permissions section.
• Click on the Configure button.
• The JSON outlining the permissions are displayed. Also see the Permisisons Section section.

View Cloud Identity

Use the wf get cloudidentities CLI Command to view the cloud identities that you've created.

wf get cloudidentities
NAME                         STATUS            VERIFIED    AGE
azure-test1-static           Success           true        3m

Use the -o yaml flag to view the manifest details.

wf get cloudidentities azure-test1-static -o yaml

Using Wayfinder's web interface:

• Select Admin, then navigate to Cloud > Access
• Select your cloud provider, for example Microsoft Azure
• The Cloud Access lists all the Cloud Access configurations for the selected cloud provider
• Click on the Cloud Identities tab to view a list of cloud identities that you've created.