Terraform module which creates AWS Managed Service for Grafana (AMG) resources.
See examples
directory for working examples to reference:
module "managed_grafana" {
source = "terraform-aws-modules/managed-service-grafana/aws"
# Workspace
name = "example"
description = "AWS Managed Grafana service example workspace"
account_access_type = "CURRENT_ACCOUNT"
authentication_providers = ["AWS_SSO"]
permission_type = "SERVICE_MANAGED"
data_sources = ["CLOUDWATCH", "PROMETHEUS", "XRAY"]
notification_destinations = ["SNS"]
# Workspace API keys
workspace_api_keys = {
viewer = {
key_name = "viewer"
key_role = "VIEWER"
seconds_to_live = 3600
}
editor = {
key_name = "editor"
key_role = "EDITOR"
seconds_to_live = 3600
}
admin = {
key_name = "admin"
key_role = "ADMIN"
seconds_to_live = 3600
}
}
# Workspace SAML configuration
saml_admin_role_values = ["admin"]
saml_editor_role_values = ["editor"]
saml_email_assertion = "mail"
saml_groups_assertion = "groups"
saml_login_assertion = "mail"
saml_name_assertion = "displayName"
saml_org_assertion = "org"
saml_role_assertion = "role"
saml_idp_metadata_url = "https://my_idp_metadata.url"
# Role associations
role_associations = {
"ADMIN" = {
"group_ids" = ["1111111111-abcdefgh-1234-5678-abcd-999999999999"]
}
"EDITOR" = {
"user_ids" = ["2222222222-abcdefgh-1234-5678-abcd-999999999999"]
}
}
tags = {
Terraform = "true"
Environment = "dev"
}
}
Examples codified under the examples
are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
Name | Version |
---|---|
terraform | >= 0.13.1 |
aws | >= 4.66.1 |
Name | Version |
---|---|
aws | >= 4.66.1 |
No modules.
Name | Type |
---|---|
aws_grafana_license_association.this | resource |
aws_grafana_role_association.this | resource |
aws_grafana_workspace.this | resource |
aws_grafana_workspace_api_key.this | resource |
aws_grafana_workspace_saml_configuration.this | resource |
aws_iam_policy.this | resource |
aws_iam_role.this | resource |
aws_iam_role_policy_attachment.additional | resource |
aws_iam_role_policy_attachment.this | resource |
aws_security_group.this | resource |
aws_security_group_rule.this | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.assume | data source |
aws_iam_policy_document.this | data source |
aws_partition.current | data source |
aws_subnet.this | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
account_access_type | The type of account access for the workspace. Valid values are CURRENT_ACCOUNT and ORGANIZATION |
string |
"CURRENT_ACCOUNT" |
no |
associate_license | Determines whether a license will be associated with the workspace | bool |
true |
no |
authentication_providers | The authentication providers for the workspace. Valid values are AWS_SSO , SAML , or both |
list(string) |
[ |
no |
configuration | The configuration string for the workspace | string |
null |
no |
create | Determines whether a resources will be created | bool |
true |
no |
create_iam_role | Determines whether a an IAM role is created or to use an existing IAM role | bool |
true |
no |
create_saml_configuration | Determines whether the SAML configuration will be created | bool |
true |
no |
create_security_group | Determines if a security group is created | bool |
true |
no |
create_workspace | Determines whether a workspace will be created or to use an existing workspace | bool |
true |
no |
data_sources | The data sources for the workspace. Valid values are AMAZON_OPENSEARCH_SERVICE , ATHENA , CLOUDWATCH , PROMETHEUS , REDSHIFT , SITEWISE , TIMESTREAM , XRAY |
list(string) |
[] |
no |
description | The workspace description | string |
null |
no |
grafana_version | Specifies the version of Grafana to support in the new workspace. If not specified, the default version for the aws_grafana_workspace resource will be used. See aws_grafana_workspace documentation for available options. |
string |
null |
no |
iam_role_arn | Existing IAM role ARN for the workspace. Required if create_iam_role is set to false |
string |
null |
no |
iam_role_description | The description of the workspace IAM role | string |
null |
no |
iam_role_force_detach_policies | Determines whether the workspace IAM role policies will be forced to detach | bool |
true |
no |
iam_role_max_session_duration | Maximum session duration (in seconds) that you want to set for the IAM role | number |
null |
no |
iam_role_name | Name to use on workspace IAM role created | string |
null |
no |
iam_role_path | Workspace IAM role path | string |
null |
no |
iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | string |
null |
no |
iam_role_policy_arns | List of ARNs of IAM policies to attach to the workspace IAM role | list(string) |
[] |
no |
iam_role_tags | A map of additional tags to add to the IAM role created | map(string) |
{} |
no |
license_type | The type of license for the workspace license association. Valid values are ENTERPRISE and ENTERPRISE_FREE_TRIAL |
string |
"ENTERPRISE" |
no |
name | The Grafana workspace name | string |
null |
no |
notification_destinations | The notification destinations. If a data source is specified here, Amazon Managed Grafana will create IAM roles and permissions needed to use these destinations. Must be set to SNS |
list(string) |
[] |
no |
organization_role_name | The role name that the workspace uses to access resources through Amazon Organizations | string |
null |
no |
organizational_units | The Amazon Organizations organizational units that the workspace is authorized to use data sources from | list(string) |
[] |
no |
permission_type | The permission type of the workspace. If SERVICE_MANAGED is specified, the IAM roles and IAM policy attachments are generated automatically. If CUSTOMER_MANAGED is specified, the IAM roles and IAM policy attachments will not be created |
string |
"SERVICE_MANAGED" |
no |
role_associations | Map of maps to assocaite user/group IDs to a role. Map key can be used as the role |
any |
{} |
no |
saml_admin_role_values | SAML authentication admin role values | list(string) |
[] |
no |
saml_allowed_organizations | SAML authentication allowed organizations | list(string) |
[] |
no |
saml_editor_role_values | SAML authentication editor role values | list(string) |
[] |
no |
saml_email_assertion | SAML authentication email assertion | string |
null |
no |
saml_groups_assertion | SAML authentication groups assertion | string |
null |
no |
saml_idp_metadata_url | SAML authentication IDP Metadata URL. Note that either saml_idp_metadata_url or saml_idp_metadata_xml |
string |
null |
no |
saml_idp_metadata_xml | SAML authentication IDP Metadata XML. Note that either saml_idp_metadata_url or saml_idp_metadata_xml |
string |
null |
no |
saml_login_assertion | SAML authentication email assertion | string |
null |
no |
saml_login_validity_duration | SAML authentication login validity duration | number |
null |
no |
saml_name_assertion | SAML authentication name assertion | string |
null |
no |
saml_org_assertion | SAML authentication org assertion | string |
null |
no |
saml_role_assertion | SAML authentication role assertion | string |
null |
no |
security_group_description | Description of the security group created | string |
null |
no |
security_group_name | Name to use on security group created | string |
null |
no |
security_group_rules | Security group rules to add to the security group created | any |
{} |
no |
security_group_tags | A map of additional tags to add to the security group created | map(string) |
{} |
no |
security_group_use_name_prefix | Determines whether the security group name (security_group_name ) is used as a prefix |
bool |
true |
no |
stack_set_name | The AWS CloudFormation stack set name that provisions IAM roles to be used by the workspace | string |
null |
no |
tags | A map of tags to add to all resources | map(string) |
{} |
no |
use_iam_role_name_prefix | Determines whether the IAM role name (wokspace_iam_role_name ) is used as a prefix |
bool |
true |
no |
vpc_configuration | The configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to | any |
{} |
no |
workspace_api_keys | Map of workspace API key definitions to create | any |
{} |
no |
workspace_id | The ID of an existing workspace to use when create_workspace is false |
string |
"" |
no |
Name | Description |
---|---|
license_expiration | If license_type is set to ENTERPRISE , this is the expiration date of the enterprise license |
license_free_trial_expiration | If license_type is set to ENTERPRISE_FREE_TRIAL , this is the expiration date of the free trial |
saml_configuration_status | Status of the SAML configuration |
security_group_arn | Amazon Resource Name (ARN) of the security group |
security_group_id | ID of the security group |
workspace_api_keys | The workspace API keys created including their attributes |
workspace_arn | The Amazon Resource Name (ARN) of the Grafana workspace |
workspace_endpoint | The endpoint of the Grafana workspace |
workspace_grafana_version | The version of Grafana running on the workspace |
workspace_iam_role_arn | IAM role ARN of the Grafana workspace |
workspace_iam_role_name | IAM role name of the Grafana workspace |
workspace_iam_role_unique_id | Stable and unique string identifying the IAM role |
workspace_id | The ID of the Grafana workspace |
Apache-2.0 Licensed. See LICENSE.