wf setup cloudaccessconfig
Set up the IAM required for cloud access
Synopsis
Set up the IAM permissions required for cloud access, given either a specific cloud access configuration or a specified cloud provider and feature(s).
The command will either:
- Display cloud access IAM output in a structured format for a given cloud provider and cloud access config name (which does not have to exist). This output can then be distributed to all accounts/subscriptions/projects in your organization.
- Automate cloud access in a specific cloud account by creating the required IAM objects.
To see additional features, run 'wf setup cloudaccessconfig --list-features'. If you wish to enable different features, use the --feature flag.
wf setup cloudaccessconfig [flags]
Examples
# Administrative IAM Examples:
# ----------------------------
# Display default IAM required for an administrative cloud access configuration:
$ wf setup cloudaccessconfig aws-admin --cloud aws --admin --display
# Set up the IAM required for an administrative cloud access configuration:
$ wf setup cloudaccessconfig aws-admin --cloud aws --admin --apply -i 123456789012
# Set up the IAM required for an administrative cloud access configuration to enable cost estimates:
$ wf setup cloudaccessconfig aws-costs --apply --cloud aws --admin --feature CostsEstimates
# Workspace IAM examples:
# -----------------------
# Display (when cloud access configuration has NOT been created):
$ wf setup cloudaccessconfig --display -w proj --cloud aws --stage prod -i 123456789012
# Apply (to an existing cloud access configuration by specifying workspace, cloud provider and stage):
$ wf setup cloudaccessconfig --apply -w proj --cloud aws --stage prod
# Apply (to an existing cloud access configuration by name):
$ wf setup cloudaccessconfig aws-prod --apply -w proj
Options
--admin cloud access for Wayfinder-wide administrative purposes, such as global DNS zone management
--apply will apply the cloud IAM objects needed in the cloud to set up the roles for this cloud access
-c, --cloud string the cloud this access is for: gcp, aws, azure
--default-region string the default region for this account when a specific region is not provided for an operation
-d, --description string longer description of this access, which workspaces will see if they have multiple accesses allocated
--display will display the cloud IAM objects needed in the cloud to set up the roles for this cloud access
--feature strings ways in which this cloud access will be used - defaults to 'Provisioning' for normal accounts, 'DNSZoneManagement' and 'CostEstimates' for admin accounts. Can be specified multiple times to enable multiple features.
-h, --help help for cloudaccessconfig
-i, --identifier string the cloud provider's identifier for access, i.e. AWS Account ID, GCP Project, Azure Subscription ID
--list-features lists available features that can be enabled for a linked cloud access
--list-roles lists roles required for a given cloud provider and feature (or default features)
--name string name for the cloud access config in Wayfinder
--org-id string the cloud provider's identifier for the organization, e.g. Azure Tenant ID (required for certain features on Azure to function correctly)
--role-name strings provider role names to be used for cloud access in the format role-name=provider-role-name. Can be specified multiple times to enable multiple roles.
-s, --stage string stage this access can be used for - required unless this is an 'admin' cloud access config
Options inherited from parent commands
--debug Indicates we should use debug / trace logging (default: false)
--force Used to force an operation to happen (default: false)
--no-wait Indicates we should not wait for resources to provision
-o, --output string Output format of the resource (json,yaml,table,template) (default "table")
--profile string Use a profile other than your default for this command
--show-headers Indicates we should display headers on table output (default true)
--verbose Enables verbose logging for debugging purposes (default: false)
-w, --workspace string The workspace you are operating within
SEE ALSO
- wf setup - Initialises dependencies required to run wayfinder