Overview
Grant Wayfinder cloud access (to an AWS account, Azure subscription or GCP project) so that it can manage specific cloud resources and provide cloud automation.
Wayfinder supports:
- An implicit connection: Wayfinder's installation instance is in the same cloud as the cloud access that you're adding, e.g., Wayfinder is installed in Azure and you're adding an Azure subscription.
- A cross-cloud connection: Wayfinder's installation instance is in a different cloud account, subscription or project than the one you're adding, e.g., Wayfinder is installed in Azure and you're adding an AWS account or Google project.
Quick links
You can jump to the relevant documentation according to what you're trying to add and where Wayfinder is installed.
- You're adding an AWS account and Wayfinder is installed in either: AWS, Azure, or GCP.
- You're adding an Azure subscription and Wayfinder is installed in either: AWS, Azure, or GCP.
- You're adding a GCP project and Wayfinder is installed in either: AWS, Azure, or GCP.
- Wayfinder is installed off-cloud and you want to use static credentials for: AWS, Azure, or GCP.
Overview of steps
For each cloud access that you want to connect, you need to:
- Specify the type of cloud access you need.
- Limit the scope of the cloud access to a specific workspace and stage.
- Specify an authentication method to allow Wayfinder to securely connect to the cloud access that you're adding. You can configure authentication without credentials, which uses Wayfinder's identity to connect. You can also configure static credentials for authentication, but that is less secure and we recommend that you only use it when Wayfinder is installed off-cloud in non-production environments.
- Give Wayfinder cloud permissions to access cloud resources and perform relevant tasks. At this point you can run Wayfinder's terraform module to create the needed configuration and permissions in the target account, subscription or project (or you can do the configuration manually).
Access Type
When you select 'Kubernetes Cluster Provisioning' as the Access Type, you need to set the scope to control where the access is provided. This section is not visible for other Access Types.
What is the difference between a workspace and a stage?
- A workspace is where teams provision and manage applications, environments, clusters, and cloud resources.
- A stage is used to isolate and test resources at the infrastructure level, such as production or development.
What is 'platform' scope?
Access types that are designated as 'platform' are for configurations that are outside the scope of any particular workspace or stage and are intended for use by Wayfinder administrators.
Access Type | Description | Scope |
---|---|---|
Kubernetes Cluster Provisioning | Used for creating, updating and managing Kubernetes, cluster networking and workspace scoped DNS records for applications. | Workspace and Stage |
DNS Provisioning | Used for managing a top-level domain, so that Wayfinder can create sub domains within it that are delegated to workspace clusters. | Platform |
Peering | Used for peering automation. Wayfinder can accept peering requests enabling connectivity between Wayfinder provisioned Kubernetes clusters and any external VPC network. | Platform |
Cost Estimates | Used for cost data retrieval in order to provide infrastructure cost estimates. | Platform |
Private Links (Azure only) | Used when Wayfinder is installed in Azure, and you need to grant it access to a private cluster within a private virtual network (VNet). | Platform |
Wayfinder's Terraform Module
Use Wayfinder's terraform module to create the needed configuration and permissions in the target AWS account, Azure subscription or GCP project.
Wayfinder's web interface provides you with the needed input values for Wayfinder's terraform module. Use the output values from Wayfinder's terraform module to test the cloud access configuration in Wayfinder's web interface. Upon success, Wayfinder's web interface outputs the yaml for the cloud access configuration that you can apply immediately or save for later.
CLI Quick Reference
Instruction | CLI Command |
---|---|
Create a workspace (only if Access Type is Kubernetes Cluster Provisioning) | wf create workspace WORKSPACE-KEY -s SUMMARY |
Create a stage (only if Access Type is Kubernetes Cluster Provisioning) | wf create stage STAGE-NAME -d DESCRIPTION |
View Cloud Access Configurations | wf get cloudaccessconfig -c CLOUD -w WORKSPACE-KEY |
Output the Cloud Access Configuration to console | wf get cloudaccessconfig CONFIG-NAME -o yaml |
Output the Cloud Access Configuration to file | wf get cloudaccessconfig CONFIG-NAME -o yaml > ./PATH/TO/FILE.yaml |
Apply the Cloud Access Configuration from file | wf apply cloudaccessconfig -f ./PATH/TO/FILE.yaml |
View Cloud Permissions | wf get cloudpermissions |
View the Permissions of the specified Cloud Permission | wf describe cloudpermissions PERMISSION-NAME -c CLOUD -o JSON |
View input values for Wayfinder's terraform module | wf describe cloudaccess --cloud-identity CLOUDIDENTITY-NAME --to-cloud TARGET-CLOUD --for-type ACCESS-TYPE --for-stage STAGE-NAME --for-workspace WORKSPACE-KEY -o tfvars |
View cloud identities | wf get cloudidentities |
Output the details of the cloud identity to console | wf get cloudidentities NAME-OF-IDENTITY -o yaml |
Create a cloud identity for Wayfinder's workload identity (You only have to do this once) | wf create cloudidentity CLOUDIDENTITY-NAME --for-workload-identity |
[ADVANCED USERS] Create a Cloud Access Configuration | wf create cloudaccessconfig [flags] |