The "terraform-azurerm-wayfinder" Terraform Module can be used to provision and manage a licensed edition of Appvia Wayfinder on Azure.
To run this module, you will need the following:
- Product Licence Key & Instance ID. Request a free licence key from the Appvia Portal.
- (Optional) IDP App configuration details: Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID) for setup. This does not need to be defined initially within Terraform, and can also be set up within the product. Wayfinder can provision a `localadmin` user for initial access if no IDP details are provided.
- A public Azure DNS Zone: This module will create DNS records for the Wayfinder API and UI endpoints, and performs a DNS01 challenge via the LetsEncrypt Issuer for valid domain certificates.
- Existing Virtual Network and Subnet: This module will deploy an AKS Cluster and so requires an existing vnet with outbound internet connectivity.
Please see the examples directory to see how to deploy this module. To get up and running quickly with minimal pre-requisites, use the quickstart example.
Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID).
This configuration is optional within Terraform, and can also be set up within the product. Please view the documentation for more information: https://docs.appvia.io/wayfinder/admin/auth
The Authorized Redirect URI for the IDP Application should be set to: `https://${wayfinder_domain_name_api}/oauth/callback`
Note: If you are using Azure Active Directory, you must:
- Set `azureTenantId` to your Azure Tenant ID (`serverUrl` is not required)
- Set the IDP type to `aad`
Example for a generic IDP (e.g. Okta or Auth0):

```hcl
wayfinder_idp_details = {
  type         = "generic"
  clientId     = "IDP-APP-CLIENT-ID"
  clientSecret = "IDP-APP-CLIENT-SECRET"
  serverUrl    = "https://example.okta.com" # Or "https://example.auth0.com/"
}
```
Example for Azure Active Directory:

```hcl
wayfinder_idp_details = {
  type          = "aad"
  clientId      = "IDP-APP-CLIENT-ID"
  clientSecret  = "IDP-APP-CLIENT-SECRET"
  azureTenantId = "12345678-1234-1234-1234-123456789012"
}
```
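As an added example (not taken from the module's examples directory), the following root module wires the required inputs to the module together with an Azure AD IDP, then disables local login once SSO is in place and restricts API server access and cluster-admin membership. The module `source`, every resource ID, name, CIDR and placeholder value are assumptions to be replaced; the input names are the module's own, as listed in the inputs table.

```hcl
# Added example, not the module's own code. The module source and every
# resource ID, name and CIDR below are placeholders to replace.
variable "wayfinder_licence_key" {
  type      = string
  sensitive = true # keep the licence key out of plan output
}
variable "idp_client_secret" {
  type      = string
  sensitive = true # IDP client secret, supplied out of band
}

locals {
  api_domain = "api.wayfinder.example.com"
}

module "wayfinder" {
  source = "github.com/appvia/terraform-azurerm-wayfinder" # assumed source

  resource_group_name       = "rg-wayfinder"
  location                  = "uksouth"
  aks_vnet_subnet_id        = "/subscriptions/<SUB_ID>/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-aks"
  user_assigned_identity    = "/subscriptions/<SUB_ID>/resourceGroups/rg-wayfinder/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-wayfinder"
  dns_zone_id               = "/subscriptions/<SUB_ID>/resourceGroups/rg-dns/providers/Microsoft.Network/dnszones/wayfinder.example.com"
  dns_zone_name             = "wayfinder.example.com"
  clusterissuer_email       = "platform@example.com"
  wayfinder_domain_name_api = local.api_domain
  wayfinder_domain_name_ui  = "portal.wayfinder.example.com"
  wayfinder_instance_id     = "<INSTANCE_ID>"
  wayfinder_licence_key     = var.wayfinder_licence_key

  # Azure AD: type "aad" and azureTenantId in place of serverUrl.
  wayfinder_idp_details = {
    type          = "aad"
    clientId      = "<IDP-APP-CLIENT-ID>"
    clientSecret  = var.idp_client_secret
    azureTenantId = "<AZURE-TENANT-ID>"
  }

  # Only disable local login once the IDP above is working; otherwise
  # nobody can log in (see the disable_local_login input).
  disable_local_login = true

  # Limit who can reach the AKS API server and who is cluster admin.
  aks_api_server_authorized_ip_ranges = ["203.0.113.0/24"]
  aks_rbac_aad_admin_group_object_ids = ["<PLATFORM-ADMINS-GROUP-OBJECT-ID>"]
}

# Register this value as the Authorized Redirect URI on the IDP application.
output "idp_redirect_uri" {
  value = "https://${local.api_domain}/oauth/callback"
}
```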
The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
- Make changes to the `.terraform-docs.yml` file
- Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
- Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
| Name | Version |
|---|---|
| azuread | >= 2.53.0 |
| azurerm | >= 3.51.0, < 4.0 |
| helm | >= 2.9.0 |
| kubectl | >= 2.0 |
| random | >= 3.5 |
| time | >= 0.9.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aks_vnet_subnet_id | The ID of the subnet in which to deploy the Kubernetes Cluster. | `string` | n/a | yes |
| clusterissuer_email | The email address to use for the cert-manager cluster issuer. | `string` | n/a | yes |
| dns_zone_id | The ID of the Azure DNS Zone to use. | `string` | n/a | yes |
| dns_zone_name | The name of the Azure DNS zone to use. | `string` | n/a | yes |
| resource_group_name | The name of the resource group in which to create the AKS cluster. | `string` | n/a | yes |
| user_assigned_identity | MSI ID for AKS to run as. | `string` | n/a | yes |
| wayfinder_domain_name_api | The domain name to use for the Wayfinder API (e.g. api.wayfinder.example.com). | `string` | n/a | yes |
| wayfinder_domain_name_ui | The domain name to use for the Wayfinder UI (e.g. portal.wayfinder.example.com). | `string` | n/a | yes |
| wayfinder_instance_id | The instance ID to use for Wayfinder. | `string` | n/a | yes |
| wayfinder_licence_key | The licence key to use for Wayfinder. | `string` | n/a | yes |
| adcs | ADCS variables required when using the ADCS Issuer with cert-manager. | `object({` | `null` | no |
| adcs_password | ADCS password required when using the ADCS Issuer with cert-manager. | `string` | `""` | no |
| aks_agents_size | The default size of the agents pool. | `string` | `"Standard_D2s_v3"` | no |
| aks_api_server_authorized_ip_ranges | The list of authorized IP ranges to contact the API server. | `list(string)` | `[` | no |
| aks_enable_host_encryption | Whether to enable host encryption. | `bool` | `false` | no |
| aks_maintenance_window | Maintenance configuration of the managed cluster. | `object({` | `{` | no |
| aks_rbac_aad_admin_group_object_ids | List of object IDs of the Azure AD groups that will be set as cluster admin. | `list(string)` | `[]` | no |
| aks_sku_tier | The SKU tier for this Kubernetes Cluster. | `string` | `"Standard"` | no |
| cert_manager_keyvault_cert_name | Key Vault certificate name to use for cert-manager. Required if the cluster issuer is keyvault. | `string` | `null` | no |
| cert_manager_keyvault_name | Key Vault name to use for cert-manager. Required if the cluster issuer is keyvault. | `string` | `null` | no |
| cluster_nodepool_version | The Kubernetes version to use for the AKS cluster node pools. | `string` | `"1.30"` | no |
| cluster_version | The Kubernetes version to use for the AKS cluster. | `string` | `"1.30"` | no |
| clusterissuer | Cluster Issuer name to use for certs. | `string` | `"letsencrypt-prod"` | no |
| create_duration_delay | Used to tune terraform apply when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after creation of the specified resource type. | `object({` | `{}` | no |
| create_localadmin_user | Whether to create a localadmin user for access to the Wayfinder Portal and API. | `bool` | `true` | no |
| destroy_duration_delay | Used to tune terraform destroy when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after destruction of the specified resource type. | `object({` | `{}` | no |
| disable_internet_access | Whether to disable internet access for AKS and the Wayfinder ingress controller. | `bool` | `false` | no |
| disable_local_login | Whether to disable local login for Wayfinder. Note: An IDP must be configured within Wayfinder, otherwise you will not be able to log in. | `bool` | `false` | no |
| dns_provider | DNS provider for External DNS. | `string` | `"azure"` | no |
| dns_resource_group_id | The ID of the resource group where the DNS Zone exists, if different to Wayfinder's resource group. | `string` | `""` | no |
| enable_cross_tenant_access | Whether to enable cross-tenant access for Wayfinder. Will create a suitable Enterprise Application with a federated credential for Wayfinder to use. | `bool` | `false` | no |
| enable_k8s_resources | Whether to enable the creation of Kubernetes resources for Wayfinder (helm and kubectl manifest deployments). | `bool` | `true` | no |
| enable_wf_cloudaccess | Whether to configure CloudIdentity and admin CloudAccessConfig resources in Wayfinder once installed (requires enable_k8s_resources). | `bool` | `true` | no |
| enable_wf_costestimates | Whether to configure an admin CloudAccessConfig for cost estimates in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess). | `bool` | `true` | no |
| enable_wf_dnszonemanager | Whether to configure an admin CloudAccessConfig for DNS zone management in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess). | `bool` | `false` | no |
| enable_wf_privatelinks | Whether to configure an admin CloudAccessConfig for Private Link management in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess). | `bool` | `false` | no |
| environment | The environment in which the resources are deployed. | `string` | `"production"` | no |
| location | The Azure region to use. | `string` | `"uksouth"` | no |
| private_dns_zone_id | Private DNS zone to use for private clusters. | `string` | `null` | no |
| private_link_resourcegroup | The name of the resource group in which to create central private link resources for each AKS cluster. | `string` | `""` | no |
| tags | A mapping of tags to assign to resources. | `map(string)` | `{}` | no |
| venafi_apikey | Venafi API key. Required if using the Venafi cluster issuer. | `string` | `""` | no |
| venafi_zone | Venafi zone. Required if using the Venafi cluster issuer. | `string` | `""` | no |
| wayfinder_idp_details | The IDP details to use for Wayfinder to enable SSO. | `object({` | `{` | no |
| wayfinder_no_defaults | Set to true to stop Wayfinder from applying compiled-in defaults (e.g. default roles, cluster plans, etc). | `bool` | `true` | no |
| wayfinder_release_channel | The release channel to use for Wayfinder. | `string` | `"wayfinder-releases"` | no |
| wayfinder_version | The version to use for Wayfinder. | `string` | `"v2.9.7"` | no |
| Name | Description |
|---|---|
| aks_admin_host | The API URL of the Azure Kubernetes Managed Cluster. |
| aks_client_certificate | The `client_certificate` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster. |
| aks_client_key | The `client_key` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. Base64 encoded private key used by clients to authenticate to the Kubernetes cluster. |
| aks_cluster_ca_certificate | The `cluster_ca_certificate` in the `azurerm_kubernetes_cluster`'s `kube_admin_config` block. Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster. |
| aks_kubeconfig_host | The Kubernetes cluster server host. This is a Private Link address if `disable_internet_access` is configured. |
| aks_oidc_issuer_url | The issuer URL for the Azure Kubernetes Managed Cluster. |
| cluster_name | The name of the Wayfinder AKS cluster. |
| wayfinder_admin_password | The password for the Wayfinder local admin user. |
| wayfinder_admin_username | The username for the Wayfinder local admin user. |
| wayfinder_api_url | The URL for the Wayfinder API. |
| wayfinder_cross_tenant_identity_client_id | The client ID for the cross-tenant identity. |
| wayfinder_instance_id | The unique identifier for the Wayfinder instance. |
| wayfinder_ui_url | The URL for the Wayfinder UI. |