The `terraform-google-wayfinder` Terraform module can be used to provision and manage a licensed edition of Appvia Wayfinder on GCP.

To run this module, you will need the following:

- Product Licence Key & Instance ID: request a free licence key from the Appvia Portal.
- (Optional) IDP App configuration details: Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID) for setup. This does not need to be defined initially within Terraform and can also be set up within the product. Wayfinder can provision a `localadmin` user for initial access if no IDP details are provided.
- A public Google DNS Zone: this module will create DNS records for the Wayfinder API and UI endpoints, and performs a DNS01 challenge via the LetsEncrypt Issuer for valid domain certificates.
- Existing Virtual Network and Subnet: this module will deploy a GKE cluster and so requires an existing VPC network with outbound internet connectivity.

Please see the examples directory to see how to deploy this module. To get up and running quickly with minimal pre-requisites, use the quickstart example.
Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID).

This configuration is optional within Terraform and can also be set up within the product. Please view the documentation for more information: https://docs.appvia.io/wayfinder/admin/auth

The Authorized Redirect URI for the IDP Application should be set to: `https://${wayfinder_domain_name_api}/oauth/callback`

Note: If you are using Azure Active Directory, you must:

- Set `azureTenantId` to your Azure Tenant ID (`serverUrl` is not required)
- Set the IDP type to `aad`
```hcl
# Generic OIDC provider (e.g. Okta, Auth0)
wayfinder_idp_details = {
  type         = "generic"
  clientId     = "IDP-APP-CLIENT-ID"
  clientSecret = "IDP-APP-CLIENT-SECRET"
  serverUrl    = "https://example.okta.com" # Or "https://example.auth0.com/"
}
```

```hcl
# Azure Active Directory
wayfinder_idp_details = {
  type          = "aad"
  clientId      = "IDP-APP-CLIENT-ID"
  clientSecret  = "IDP-APP-CLIENT-SECRET"
  azureTenantId = "12345678-1234-1234-1234-123456789012"
}
```
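The two shapes above are easy to get wrong (an `aad` entry without `azureTenantId`, a generic entry without `serverUrl`, or a plain `http://` server URL), and a mistake only surfaces after the cluster is built. The following root-module variable definition is an added example, not part of the module or its documentation: it mirrors the attribute names shown above, marks the value sensitive so the client secret is redacted from plan output, and rejects those mismatches at `terraform validate` time. The object type is an assumption (the module's own type is truncated in the inputs table below); `optional()` and `startswith()` require Terraform 1.3 or later.

```hcl
# Added example: root-module variable that is passed through to the module's
# wayfinder_idp_details input. The attribute names come from the README; the
# object type itself is assumed.
variable "wayfinder_idp_details" {
  description = "IDP details passed through to the terraform-google-wayfinder module."
  type = object({
    type          = string
    clientId      = string
    clientSecret  = string
    serverUrl     = optional(string)
    azureTenantId = optional(string)
  })
  # Redacts clientSecret from `terraform plan`/`apply` output and CLI logs.
  sensitive = true

  validation {
    condition     = contains(["generic", "aad"], var.wayfinder_idp_details.type)
    error_message = "wayfinder_idp_details.type must be \"generic\" or \"aad\"."
  }

  # Enforce the note above: aad needs azureTenantId, anything else needs serverUrl.
  validation {
    condition = (
      var.wayfinder_idp_details.type == "aad"
      ? var.wayfinder_idp_details.azureTenantId != null
      : var.wayfinder_idp_details.serverUrl != null
    )
    error_message = "Set azureTenantId when type is \"aad\", or serverUrl when type is \"generic\"."
  }

  # The callback carries an authorization code, so the issuer must be reached over TLS.
  # The conditional is lazy, so startswith() is never called with a null serverUrl.
  validation {
    condition = (
      var.wayfinder_idp_details.serverUrl == null
      ? true
      : startswith(var.wayfinder_idp_details.serverUrl, "https://")
    )
    error_message = "serverUrl must begin with https://."
  }
}
```

Supply the value from a `TF_VAR_wayfinder_idp_details` environment variable or a `.tfvars` file that is excluded from version control, then pass `var.wayfinder_idp_details` straight into the module block.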
The `terraform-docs` utility is used to generate this README. Follow the steps below to update it:

- Make changes to the `.terraform-docs.yml` file
- Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
- Run:

```shell
terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .
```
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudaccess_resource_suffix | The resource suffix to use for CloudAccess resources. | `string` | `""` | no |
| cluster_endpoint_public_access_cidrs | List of CIDR blocks which can access the GKE API master endpoint. | `list(string)` | `[` | no |
| clusterissuer_email | The email address to use for the cert-manager cluster issuer. | `string` | n/a | yes |
| create_localadmin_user | Whether to create a localadmin user for access to the Wayfinder Portal and API. | `bool` | `true` | no |
| disable_internet_access | Whether to disable internet access for GKE and the Wayfinder ingress controller. | `bool` | `false` | no |
| disable_local_login | Whether to disable local login for Wayfinder. Note: An IDP must be configured within Wayfinder, otherwise you will not be able to log in. | `bool` | `false` | no |
| enable_k8s_resources | Whether to enable the creation of Kubernetes resources for Wayfinder (helm and kubectl manifest deployments). | `bool` | `true` | no |
| enable_wf_cloudaccess | Whether to configure CloudIdentity and admin CloudAccessConfig resources in Wayfinder once installed (requires enable_k8s_resources). | `bool` | `true` | no |
| enable_wf_costestimates | Whether to configure admin CloudAccessConfig for cost estimates in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess). | `bool` | `true` | no |
| enable_wf_dnszonemanager | Whether to configure admin CloudAccessConfig for DNS zone management in the account Wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess). | `bool` | `false` | no |
| environment | The environment name we are provisioning. | `string` | `"production"` | no |
| gcp_network_name | Google Compute Engine network to which the cluster is connected. | `string` | n/a | yes |
| gcp_project | Google Cloud Platform Project ID. | `string` | n/a | yes |
| gcp_region | Google Cloud region. | `string` | n/a | yes |
| gcp_subnetwork_name | The name or self_link of the Google Compute Engine subnetwork in which the cluster's instances are launched. | `string` | n/a | yes |
| gke_nodes_machine_type | The instance type to use for the GKE managed node pool. | `string` | `"e2-medium"` | no |
| gke_nodes_minimum_size | The minimum size to use for the GKE managed node pool. | `number` | `2` | no |
| gke_release_channel | The release channel to use for GKE. | `string` | `"UNSPECIFIED"` | no |
| gke_version | The version to use for GKE. | `string` | `"1.30"` | no |
| labels | A map of labels to add to all resources created. | `map(string)` | `{}` | no |
| pods_subnetwork_range_name | The name of the existing secondary range in the cluster's subnetwork to use for pod IP addresses. | `string` | n/a | yes |
| services_subnetwork_range_name | The name of the existing secondary range in the cluster's subnetwork to use for services IP addresses. | `string` | n/a | yes |
| wayfinder_domain_name_api | The domain name to use for the Wayfinder API (e.g. api.wayfinder.example.com). | `string` | n/a | yes |
| wayfinder_domain_name_ui | The domain name to use for the Wayfinder UI (e.g. portal.wayfinder.example.com). | `string` | n/a | yes |
| wayfinder_idp_details | The IDP details to use for Wayfinder to enable SSO. | `object({` | `{` | no |
| wayfinder_instance_id | The instance ID to use for Wayfinder. | `string` | n/a | yes |
| wayfinder_licence_key | The licence key to use for Wayfinder. | `string` | n/a | yes |
| wayfinder_release_channel | The release channel to use for Wayfinder. | `string` | `"wayfinder-releases"` | no |
| wayfinder_version | The version to use for Wayfinder. | `string` | `"v2.8.6"` | no |
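Several of the inputs above decide how exposed the installation is: `cluster_endpoint_public_access_cidrs` controls who can reach the GKE control plane, `gke_release_channel` decides whether Google manages patch upgrades, and `create_localadmin_user` / `disable_local_login` decide whether a password-based fallback account exists next to SSO. The root-module call below is an added example, not code from the module or its `examples` directory: it sets every required input from the table and changes those defaults explicitly. The module source path, project, region, network, subnetwork and secondary-range names are placeholders; the admin CIDR uses a documentation range.

```hcl
# Added example: a hardened call of terraform-google-wayfinder. All quoted
# infrastructure names are placeholders to be replaced for a real deployment.
module "wayfinder" {
  source = "../.." # placeholder: local path or registry source of the module

  # Required inputs (placeholders)
  gcp_project                    = "my-gcp-project"
  gcp_region                     = "europe-west2"
  gcp_network_name               = "wayfinder-vpc"    # must have outbound internet access
  gcp_subnetwork_name            = "wayfinder-subnet"
  pods_subnetwork_range_name     = "pods"             # existing secondary ranges
  services_subnetwork_range_name = "services"

  clusterissuer_email       = "platform-team@example.com" # LetsEncrypt expiry notices
  wayfinder_domain_name_api = "api.wayfinder.example.com"
  wayfinder_domain_name_ui  = "portal.wayfinder.example.com"

  # Licence values come from the Appvia Portal; keep them in variables or a
  # secrets manager, never in a committed .tf file.
  wayfinder_instance_id = var.wayfinder_instance_id
  wayfinder_licence_key = var.wayfinder_licence_key

  # Restrict the public GKE API endpoint to the CI runner or bastion that runs
  # Terraform, instead of relying on the module default.
  cluster_endpoint_public_access_cidrs = ["203.0.113.10/32"] # placeholder (TEST-NET-3)

  # Let Google roll patch releases rather than leaving the channel UNSPECIFIED.
  gke_release_channel = "REGULAR"

  # SSO via the IDP; the local password account is dropped once SSO is verified.
  wayfinder_idp_details  = var.wayfinder_idp_details
  create_localadmin_user = false
  disable_local_login    = true

  labels = {
    environment = "production"
    owner       = "platform-team"
  }
}
```

Apply this in two steps: first with `create_localadmin_user = true` and `disable_local_login = false`, log in through the IDP to confirm the redirect URI and client credentials work, then flip both settings and apply again. Disabling local login before the IDP is proven locks everyone out, exactly as the `disable_local_login` description warns.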
| Name | Description |
|---|---|
| cluster_ca_certificate | GKE cluster master endpoint CA certificate, base64 encoded. |
| cluster_endpoint | The endpoint for the Wayfinder GKE Kubernetes API. |
| wayfinder_admin_password | The password for the Wayfinder local admin user. |
| wayfinder_admin_username | The username for the Wayfinder local admin user. |
| wayfinder_api_url | The URL for the Wayfinder API. |
| wayfinder_instance_id | The unique identifier for the Wayfinder instance. |
| wayfinder_service_account | The GCP service account for Wayfinder admin. |
| wayfinder_ui_url | The URL for the Wayfinder UI. |