
Groups Configuration

Groups create a single system account whose access token grants access across multiple control planes. They are declared under kontfix.groups.<region>.<name>.

Note

A Kontfix group is not the same as CLUSTER_TYPE_CONTROL_PLANE_GROUP. A CP group is a Kong gateway-level construct for routing data planes. A Kontfix group is for system account management: one token, multiple control planes.

View all groups options

Example

A platform team group that manages two control planes and stores its token in AWS Secrets Manager:

kontfix = {
  controlPlanes.au = {
    service-a = { };
    service-b = { };
  };

  groups.au.platform-team = {
    members = [ "service-a" "service-b" ];
    generate_token = true;
    storage_backend = [ "aws" ];
    aws = {
      enable = true;
      region = "ap-southeast-2";
      tags = {
        Team = "platform";
        ManagedBy = "kontfix";
      };
    };
  };
};

This creates:

  • A konnect_system_account for platform-team
  • A konnect_system_account_access_token scoped to both service-a and service-b
  • An AWS Secrets Manager secret containing the token and member metadata

Key Constraints

  • Group members must be individual control planes — groups cannot be members of other groups
  • Group members cannot have create_certificate = true or store_cluster_config = true
  • Groups do not support system_account.enable (the group itself acts as the system account)
  • AWS storage requires aws.enable = true and non-empty aws.tags
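A pre-flight lint that checks a groups declaration against the four constraints above before anything is applied. This is an added example written for this page, not kontfix's own code; it models the Nix attribute set as plain Python dicts and assumes that group members resolve to control planes declared in the same region.

```python
def lint_groups(kontfix: dict) -> list[str]:
    """Lint kontfix.groups against this page's Key Constraints (added example, not kontfix code)."""
    problems = []
    cps, groups = kontfix.get("controlPlanes", {}), kontfix.get("groups", {})
    for region, region_groups in groups.items():
        region_cps = cps.get(region, {})  # assumption: members resolve in the same region
        for name, group in region_groups.items():
            where = f"groups.{region}.{name}"
            # Members must be individual control planes, never other groups.
            for member in group.get("members", []):
                if member in region_groups:
                    problems.append(f"{where}: member '{member}' is a group; groups cannot nest")
                elif member not in region_cps:
                    problems.append(f"{where}: member '{member}' is not a control plane in {region}")
                else:
                    for flag in ("create_certificate", "store_cluster_config"):
                        if region_cps[member].get(flag) is True:
                            problems.append(f"{where}: member '{member}' sets {flag} = true")
            # The group itself acts as the system account, so this option is rejected.
            if group.get("system_account", {}).get("enable") is True:
                problems.append(f"{where}: system_account.enable is not supported on groups")
            # AWS storage needs aws.enable = true and non-empty aws.tags.
            if "aws" in group.get("storage_backend", []):
                aws = group.get("aws", {})
                if aws.get("enable") is not True:
                    problems.append(f"{where}: storage_backend has aws but aws.enable is not true")
                if not aws.get("tags"):
                    problems.append(f"{where}: aws.tags must be non-empty")
    return problems

# Constructed input mirroring the Nix example on this page (should pass).
VALID = {
    "controlPlanes": {"au": {"service-a": {}, "service-b": {}}},
    "groups": {"au": {"platform-team": {
        "members": ["service-a", "service-b"], "generate_token": True,
        "storage_backend": ["aws"],
        "aws": {"enable": True, "region": "ap-southeast-2",
                "tags": {"Team": "platform", "ManagedBy": "kontfix"}}}}},
}
# Constructed input that violates every constraint in the list above.
INVALID = {
    "controlPlanes": {"au": {"service-a": {"create_certificate": True}}},
    "groups": {"au": {
        "other-team": {"members": []},
        "platform-team": {"members": ["service-a", "other-team"],
                          "system_account": {"enable": True},
                          "storage_backend": ["aws"],
                          "aws": {"enable": False, "tags": {}}}}},
}
```

Running `lint_groups(VALID)` returns an empty list, while `lint_groups(INVALID)` reports five violations, one per broken rule.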