Skip to content

lipovsek-aws/terraform-aws-managed-service-grafana

Β 
Β 

Repository files navigation

AWS Managed Service for Grafana (AMG) Terraform module

Terraform module which creates AWS Managed Service for Grafana (AMG) resources.

SWUbanner

Usage

See examples directory for working examples to reference:

module "managed_grafana" {
  source = "terraform-aws-modules/managed-service-grafana/aws"

  # Workspace
  name                      = "example"
  description               = "AWS Managed Grafana service example workspace"
  account_access_type       = "CURRENT_ACCOUNT"
  authentication_providers  = ["AWS_SSO"]
  permission_type           = "SERVICE_MANAGED"
  data_sources              = ["CLOUDWATCH", "PROMETHEUS", "XRAY"]
  notification_destinations = ["SNS"]

  # Workspace API keys
  workspace_api_keys = {
    viewer = {
      key_name        = "viewer"
      key_role        = "VIEWER"
      seconds_to_live = 3600
    }
    editor = {
      key_name        = "editor"
      key_role        = "EDITOR"
      seconds_to_live = 3600
    }
    admin = {
      key_name        = "admin"
      key_role        = "ADMIN"
      seconds_to_live = 3600
    }
  }

  # Workspace SAML configuration
  saml_admin_role_values  = ["admin"]
  saml_editor_role_values = ["editor"]
  saml_email_assertion    = "mail"
  saml_groups_assertion   = "groups"
  saml_login_assertion    = "mail"
  saml_name_assertion     = "displayName"
  saml_org_assertion      = "org"
  saml_role_assertion     = "role"
  saml_idp_metadata_url   = "https://my_idp_metadata.url"

  # Role associations
  role_associations = {
    "ADMIN" = {
      "group_ids" = ["1111111111-abcdefgh-1234-5678-abcd-999999999999"]
    }
    "EDITOR" = {
      "user_ids" = ["2222222222-abcdefgh-1234-5678-abcd-999999999999"]
    }
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Examples

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Requirements

Name Version
terraform >= 0.13.1
aws >= 4.66.1

Providers

Name Version
aws >= 4.66.1

Modules

No modules.

Resources

Name Type
aws_grafana_license_association.this resource
aws_grafana_role_association.this resource
aws_grafana_workspace.this resource
aws_grafana_workspace_api_key.this resource
aws_grafana_workspace_saml_configuration.this resource
aws_iam_policy.this resource
aws_iam_role.this resource
aws_iam_role_policy_attachment.additional resource
aws_iam_role_policy_attachment.this resource
aws_security_group.this resource
aws_security_group_rule.this resource
aws_caller_identity.current data source
aws_iam_policy_document.assume data source
aws_iam_policy_document.this data source
aws_partition.current data source
aws_subnet.this data source

Inputs

Name Description Type Default Required
account_access_type The type of account access for the workspace. Valid values are CURRENT_ACCOUNT and ORGANIZATION string "CURRENT_ACCOUNT" no
associate_license Determines whether a license will be associated with the workspace bool true no
authentication_providers The authentication providers for the workspace. Valid values are AWS_SSO, SAML, or both list(string)
[
"AWS_SSO"
]
no
configuration The configuration string for the workspace string null no
create Determines whether a resources will be created bool true no
create_iam_role Determines whether a an IAM role is created or to use an existing IAM role bool true no
create_saml_configuration Determines whether the SAML configuration will be created bool true no
create_security_group Determines if a security group is created bool true no
create_workspace Determines whether a workspace will be created or to use an existing workspace bool true no
data_sources The data sources for the workspace. Valid values are AMAZON_OPENSEARCH_SERVICE, ATHENA, CLOUDWATCH, PROMETHEUS, REDSHIFT, SITEWISE, TIMESTREAM, XRAY list(string) [] no
description The workspace description string null no
grafana_version Specifies the version of Grafana to support in the new workspace. If not specified, the default version for the aws_grafana_workspace resource will be used. See aws_grafana_workspace documentation for available options. string null no
iam_role_arn Existing IAM role ARN for the workspace. Required if create_iam_role is set to false string null no
iam_role_description The description of the workspace IAM role string null no
iam_role_force_detach_policies Determines whether the workspace IAM role policies will be forced to detach bool true no
iam_role_max_session_duration Maximum session duration (in seconds) that you want to set for the IAM role number null no
iam_role_name Name to use on workspace IAM role created string null no
iam_role_path Workspace IAM role path string null no
iam_role_permissions_boundary ARN of the policy that is used to set the permissions boundary for the IAM role string null no
iam_role_policy_arns List of ARNs of IAM policies to attach to the workspace IAM role list(string) [] no
iam_role_tags A map of additional tags to add to the IAM role created map(string) {} no
license_type The type of license for the workspace license association. Valid values are ENTERPRISE and ENTERPRISE_FREE_TRIAL string "ENTERPRISE" no
name The Grafana workspace name string null no
notification_destinations The notification destinations. If a data source is specified here, Amazon Managed Grafana will create IAM roles and permissions needed to use these destinations. Must be set to SNS list(string) [] no
organization_role_name The role name that the workspace uses to access resources through Amazon Organizations string null no
organizational_units The Amazon Organizations organizational units that the workspace is authorized to use data sources from list(string) [] no
permission_type The permission type of the workspace. If SERVICE_MANAGED is specified, the IAM roles and IAM policy attachments are generated automatically. If CUSTOMER_MANAGED is specified, the IAM roles and IAM policy attachments will not be created string "SERVICE_MANAGED" no
role_associations Map of maps to assocaite user/group IDs to a role. Map key can be used as the role any {} no
saml_admin_role_values SAML authentication admin role values list(string) [] no
saml_allowed_organizations SAML authentication allowed organizations list(string) [] no
saml_editor_role_values SAML authentication editor role values list(string) [] no
saml_email_assertion SAML authentication email assertion string null no
saml_groups_assertion SAML authentication groups assertion string null no
saml_idp_metadata_url SAML authentication IDP Metadata URL. Note that either saml_idp_metadata_url or saml_idp_metadata_xml string null no
saml_idp_metadata_xml SAML authentication IDP Metadata XML. Note that either saml_idp_metadata_url or saml_idp_metadata_xml string null no
saml_login_assertion SAML authentication email assertion string null no
saml_login_validity_duration SAML authentication login validity duration number null no
saml_name_assertion SAML authentication name assertion string null no
saml_org_assertion SAML authentication org assertion string null no
saml_role_assertion SAML authentication role assertion string null no
security_group_description Description of the security group created string null no
security_group_name Name to use on security group created string null no
security_group_rules Security group rules to add to the security group created any {} no
security_group_tags A map of additional tags to add to the security group created map(string) {} no
security_group_use_name_prefix Determines whether the security group name (security_group_name) is used as a prefix bool true no
stack_set_name The AWS CloudFormation stack set name that provisions IAM roles to be used by the workspace string null no
tags A map of tags to add to all resources map(string) {} no
use_iam_role_name_prefix Determines whether the IAM role name (wokspace_iam_role_name) is used as a prefix bool true no
vpc_configuration The configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to any {} no
workspace_api_keys Map of workspace API key definitions to create any {} no
workspace_id The ID of an existing workspace to use when create_workspace is false string "" no

Outputs

Name Description
license_expiration If license_type is set to ENTERPRISE, this is the expiration date of the enterprise license
license_free_trial_expiration If license_type is set to ENTERPRISE_FREE_TRIAL, this is the expiration date of the free trial
saml_configuration_status Status of the SAML configuration
security_group_arn Amazon Resource Name (ARN) of the security group
security_group_id ID of the security group
workspace_api_keys The workspace API keys created including their attributes
workspace_arn The Amazon Resource Name (ARN) of the Grafana workspace
workspace_endpoint The endpoint of the Grafana workspace
workspace_grafana_version The version of Grafana running on the workspace
workspace_iam_role_arn IAM role ARN of the Grafana workspace
workspace_iam_role_name IAM role name of the Grafana workspace
workspace_iam_role_unique_id Stable and unique string identifying the IAM role
workspace_id The ID of the Grafana workspace

License

Apache-2.0 Licensed. See LICENSE.

About

Terraform module which creates AWS Managed Service for Grafana (AMG) resources πŸ‡ΊπŸ‡¦

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • HCL 100.0%