appvia/terraform-azurerm-wayfinder

Description

The "terraform-azurerm-wayfinder" Terraform module provisions and manages a licensed edition of Appvia Wayfinder on Azure.

Requirements

To run this module, you will need the following:

  1. Product Licence Key & Instance ID. Request a free licence key from the Appvia Portal.
  2. (Optional) IDP App configuration details: Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID) for setup. This does not need to be defined initially within Terraform and can also be set up within the product. Wayfinder can provision a localadmin user for initial access if no IDP details are provided.
  3. A public Azure DNS Zone: This module will create DNS records for the Wayfinder API and UI endpoints, and performs a DNS01 challenge via the LetsEncrypt Issuer for valid domain certificates.
  4. Existing Virtual Network and Subnet: This module will deploy an AKS Cluster and so requires an existing vnet with outbound internet connectivity.

Deployment

See the examples directory for how to deploy this module. To get up and running quickly with minimal prerequisites, use the quickstart example.

(Optional) Connecting to an Identity Provider

Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID).

This configuration is optional within Terraform and can also be set up within the product. See the documentation for more information: https://docs.appvia.io/wayfinder/admin/auth

The Authorized Redirect URI for the IDP Application should be set to: https://${wayfinder_domain_name_api}/oauth/callback

Note: If you are using Azure Active Directory, you must:

  1. Set azureTenantId to your Azure Tenant ID (serverUrl is not required)
  2. Set the IDP type to aad

Example: Generic IDP Configuration

wayfinder_idp_details = {
    type         = "generic"
    clientId     = "IDP-APP-CLIENT-ID"
    clientSecret = "IDP-APP-CLIENT-SECRET"
    serverUrl    = "https://example.okta.com" # Or "https://example.auth0.com/"
}

Example: Azure AD IDP Configuration

wayfinder_idp_details = {
    type          = "aad"
    clientId      = "IDP-APP-CLIENT-ID"
    clientSecret  = "IDP-APP-CLIENT-SECRET"
    azureTenantId = "12345678-1234-1234-1234-123456789012"
}
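A complete module invocation that combines the inputs described on this page, added here as an example rather than taken from the module's own examples directory; the registry source address, the module version, every value in angle brackets and the IP range are assumptions or constructed placeholders.

```hcl
# Added example (not from the module's README): a hardened invocation that uses
# only inputs documented on this page. Values in <...> are placeholders.
variable "wayfinder_licence_key" {
  type      = string
  sensitive = true # supply via TF_VAR_wayfinder_licence_key rather than committing it
}

variable "idp_client_secret" {
  type      = string
  sensitive = true
}

module "wayfinder" {
  source  = "appvia/wayfinder/azurerm" # assumed registry address for this module
  version = "<module-version>"

  # Required inputs (see the Inputs table); location is shown for clarity
  resource_group_name       = "rg-wayfinder"
  location                  = "uksouth"
  aks_vnet_subnet_id        = "<existing-subnet-resource-id>"
  user_assigned_identity    = "<user-assigned-managed-identity-id>"
  dns_zone_id               = "<public-dns-zone-resource-id>"
  dns_zone_name             = "example.com"
  clusterissuer_email       = "platform-team@example.com"
  wayfinder_domain_name_api = "api.wayfinder.example.com" # IDP redirect URI: https://api.wayfinder.example.com/oauth/callback
  wayfinder_domain_name_ui  = "portal.wayfinder.example.com"
  wayfinder_instance_id     = "<instance-id-from-appvia-portal>"
  wayfinder_licence_key     = var.wayfinder_licence_key

  # Replace the default "0.0.0.0/0" API server allow-list with your egress range
  # (203.0.113.0/24 is a constructed RFC 5737 example) and encrypt node host disks.
  aks_api_server_authorized_ip_ranges = ["203.0.113.0/24"]
  aks_enable_host_encryption          = true
  aks_rbac_aad_admin_group_object_ids = ["<aad-admin-group-object-id>"]

  # Azure AD SSO: type must be "aad" and azureTenantId replaces serverUrl.
  wayfinder_idp_details = {
    type          = "aad"
    clientId      = "<idp-app-client-id>"
    clientSecret  = var.idp_client_secret
    azureTenantId = "<azure-tenant-id>"
  }

  # With SSO in place, remove the local admin account and disable local login.
  create_localadmin_user = false
  disable_local_login    = true

  tags = { environment = "production", owner = "platform" }
}
```

Apply once with local login still enabled, confirm that SSO sign-in works, and only then set disable_local_login to true, since the Inputs table notes that without a configured IDP you will not be able to log in.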

Updating Docs

The terraform-docs utility is used to generate this README. Follow the steps below to update it:

  1. Make changes to the .terraform-docs.yml file
  2. Fetch the terraform-docs binary (https://terraform-docs.io/user-guide/installation/)
  3. Run terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .

Providers

Name Version
azuread >= 2.53.0
azurerm >=3.51.0, < 4.0
helm >= 2.9.0
kubectl >= 2.0
random >= 3.5
time >= 0.9.0

Inputs

Name Description Type Default Required
aks_vnet_subnet_id The ID of the subnet in which to deploy the Kubernetes Cluster. string n/a yes
clusterissuer_email The email address to use for the cert-manager cluster issuer. string n/a yes
dns_zone_id The ID of the Azure DNS Zone to use. string n/a yes
dns_zone_name The name of the Azure DNS zone to use. string n/a yes
resource_group_name The name of the resource group in which to create the AKS cluster. string n/a yes
user_assigned_identity The ID of the user-assigned managed identity (MSI) that AKS runs as. string n/a yes
wayfinder_domain_name_api The domain name to use for the Wayfinder API (e.g. api.wayfinder.example.com) string n/a yes
wayfinder_domain_name_ui The domain name to use for the Wayfinder UI (e.g. portal.wayfinder.example.com) string n/a yes
wayfinder_instance_id The instance ID to use for Wayfinder. string n/a yes
wayfinder_licence_key The licence key to use for Wayfinder string n/a yes
adcs ADCS variables required when using ADCS Issuer with Cert Manager object({ url = string, username = string, ca_bundle = string, certificate_template_name = string }) null no
adcs_password ADCS password required when using ADCS Issuer with Cert Manager string "" no
aks_agents_size The default size of the agents pool. string "Standard_D2s_v3" no
aks_api_server_authorized_ip_ranges The list of authorized IP ranges to contact the API server. list(string) ["0.0.0.0/0"] no
aks_enable_host_encryption Whether to enable host encryption. bool false no
aks_maintenance_window Maintenance configuration of the managed cluster. object({ allowed = list(object({ day = string, hours = set(number) })), not_allowed = list(object({ end = string, start = string })) }) { "allowed": [{ "day": "Sunday", "hours": [22, 23] }], "not_allowed": [] } no
aks_rbac_aad_admin_group_object_ids List of object IDs of the Azure AD groups that will be set as cluster admin. list(string) [] no
aks_sku_tier The SKU tier for this Kubernetes Cluster. string "Standard" no
cert_manager_keyvault_cert_name Keyvault certificate name to use for cert-manager. Required if cluster issuer is keyvault string null no
cert_manager_keyvault_name Keyvault name to use for cert-manager. Required if cluster issuer is keyvault string null no
cluster_nodepool_version The Kubernetes version to use for the AKS cluster Nodepools. string "1.30" no
cluster_version The Kubernetes version to use for the AKS cluster. string "1.30" no
clusterissuer Cluster Issuer name to use for certs string "letsencrypt-prod" no
create_duration_delay Used to tune terraform apply when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after creation of the specified resource type. object({ azurerm_role_definition = optional(string, "180s"), kubectl_manifest_cloud_identity = optional(string, "30s") }) {} no
create_localadmin_user Whether to create a localadmin user for access to the Wayfinder Portal and API bool true no
destroy_duration_delay Used to tune terraform destroy when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after destruction of the specified resource type. object({ azurerm_role_definition = optional(string, "0s"), kubectl_manifest_cloud_identity = optional(string, "60s") }) {} no
disable_internet_access Whether to disable internet access for AKS and the Wayfinder ingress controller bool false no
disable_local_login Whether to disable local login for Wayfinder. Note: An IDP must be configured within Wayfinder, otherwise you will not be able to log in. bool false no
dns_provider DNS provider for External DNS string "azure" no
dns_resource_group_id The ID of the resource group where the DNS Zone exists, if different to Wayfinder's resource group. string "" no
enable_cross_tenant_access Whether to enable cross-tenant access for Wayfinder. Will create a suitable Enterprise Application with federated credential for Wayfinder to use. bool false no
enable_k8s_resources Whether to enable the creation of Kubernetes resources for Wayfinder (helm and kubectl manifest deployments) bool true no
enable_wf_cloudaccess Whether to configure CloudIdentity and admin CloudAccessConfig resources in Wayfinder once installed (requires enable_k8s_resources) bool true no
enable_wf_costestimates Whether to configure admin CloudAccessConfig for cost estimates in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess) bool true no
enable_wf_dnszonemanager Whether to configure admin CloudAccessConfig for DNS zone management in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess) bool false no
enable_wf_privatelinks Whether to configure admin CloudAccessConfig for Private Link Management in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess) bool false no
environment The environment in which the resources are deployed. string "production" no
location The Azure region to use. string "uksouth" no
private_dns_zone_id Private DNS zone to use for private clusters string null no
private_link_resourcegroup The name of the resource group in which to create central private link resources for each AKS cluster. string "" no
tags A mapping of tags to assign to resources. map(string) {} no
venafi_apikey Venafi API key - required if using Venafi cluster issuer string "" no
venafi_zone Venafi zone - required if using Venafi cluster issuer string "" no
wayfinder_idp_details The IDP details to use for Wayfinder to enable SSO object({ type = string, clientId = optional(string), clientSecret = optional(string), serverUrl = optional(string), azureTenantId = optional(string) }) { "azureTenantId": "", "clientId": null, "clientSecret": null, "serverUrl": "", "type": "none" } no
wayfinder_no_defaults Set to true to stop Wayfinder from applying compiled-in defaults (e.g. default roles, cluster plans, etc). bool true no
wayfinder_release_channel The release channel to use for Wayfinder string "wayfinder-releases" no
wayfinder_version The version to use for Wayfinder string "v2.9.8" no

Outputs

Name Description
aks_admin_host The API URL of the Azure Kubernetes Managed Cluster.
aks_client_certificate The client_certificate in the azurerm_kubernetes_cluster's kube_admin_config block. Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
aks_client_key The client_key in the azurerm_kubernetes_cluster's kube_admin_config block. Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.
aks_cluster_ca_certificate The cluster_ca_certificate in the azurerm_kubernetes_cluster's kube_admin_config block. Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
aks_kubeconfig_host The Kubernetes cluster server host. This is a Private Link address if 'disable_internet_access' is configured.
aks_oidc_issuer_url The issuer URL for the Azure Kubernetes Managed Cluster.
cluster_name The name of the Wayfinder AKS cluster.
wayfinder_admin_password The password for the Wayfinder local admin user.
wayfinder_admin_username The username for the Wayfinder local admin user.
wayfinder_api_url The URL for the Wayfinder API.
wayfinder_cross_tenant_identity_client_id The client ID for the cross-tenant identity.
wayfinder_instance_id The unique identifier for the Wayfinder instance.
wayfinder_ui_url The URL for the Wayfinder UI.