Auto-generated
This page is generated by terraform-docs at build time from the infra/ repo. Do not edit manually.
# Monitoring Grafana

AWS Managed Grafana workspace with SAML (Azure AD) authentication. Intended as the unified observability surface for CookieHub: it queries ClickHouse, RDS, and CloudWatch across all groups (core, vault, atrax, edge).

Workspace ENIs are placed in the VPC private subnets via `vpc_configuration` so the workspace can reach data sources by security group rather than by CIDR. Callers add ingress rules on their data-source SGs using `module.<this>.security_group_id` as the source.

SAML configuration is applied via `local-exec` because the `aws_grafana_workspace_saml_configuration` resource does not support the `assertionAttributes` block (needed to map Azure AD claims to Grafana fields). On first apply leave `saml_idp_metadata_url` empty, finish the Azure AD Enterprise App setup using the workspace's ACS URL, then set the variable and re-apply.
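The following is an added example of how a caller group consumes this module; it is not part of the module's own code or the infra/ repo. The input and output names come from the reference tables below; the module label `monitoring_grafana`, the `source` path, the pre-existing `aws_security_group.clickhouse` / `aws_security_group.rds` resources, the role claim values and the data-source ports are assumptions. It covers both points above: the security-group-keyed ingress rules and the two-phase SAML apply.

```hcl
# Added example, not the module's own code. Module path, SG resource names,
# role claim values and ports are assumptions; input/output names are the
# module's documented ones.
module "monitoring_grafana" {
  source = "../../modules/monitoring-grafana" # assumed path within infra/

  name_prefix        = "prod-euc1-monitoring"
  vpc_id             = var.vpc_id
  private_subnet_ids = var.private_subnet_ids

  # Phase 1: leave this empty ("") so the workspace is created and its ACS
  # URL becomes known. Phase 2: after the Azure AD Enterprise App is set up
  # with that ACS URL, set the metadata URL and re-apply.
  saml_idp_metadata_url = var.saml_idp_metadata_url

  # Must match the Role attribute values Azure AD actually sends, verbatim.
  saml_admin_role_values  = ["grafana-admin"]          # assumed claim value
  saml_editor_role_values = ["grafana-editor", "sre"]  # assumed claim values

  base_tags = local.tags
}

# Ingress on each data-source SG references the workspace SG rather than a
# CIDR, so only the workspace ENIs (not the whole subnet) can reach the DBs.
resource "aws_vpc_security_group_ingress_rule" "clickhouse_from_grafana" {
  security_group_id            = aws_security_group.clickhouse.id # assumed existing SG
  referenced_security_group_id = module.monitoring_grafana.security_group_id
  ip_protocol                  = "tcp"
  from_port                    = 8123 # ClickHouse HTTP interface (assumed port)
  to_port                      = 8123
  description                  = "Grafana workspace -> ClickHouse HTTP"
}

resource "aws_vpc_security_group_ingress_rule" "rds_from_grafana" {
  security_group_id            = aws_security_group.rds.id # assumed existing SG
  referenced_security_group_id = module.monitoring_grafana.security_group_id
  ip_protocol                  = "tcp"
  from_port                    = 5432 # PostgreSQL (assumed port)
  to_port                      = 5432
  description                  = "Grafana workspace -> RDS PostgreSQL"
}

# The service-account token is used directly by the Grafana provider; it
# stays in state and is never re-exported from the caller.
provider "grafana" {
  url  = module.monitoring_grafana.grafana_url
  auth = module.monitoring_grafana.service_account_token
}
```

Because the token output has a 30-day lifetime and is rotated on apply, the `grafana` provider block above picks up the fresh value on every run without any manual re-keying; the ingress rules need no change between phase 1 and phase 2, since the workspace SG exists from the first apply.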
## Requirements
| Name | Version |
|---|---|
| terraform | >= 1.6.0 |
| aws | ~> 5.0 |
## Providers
| Name | Version |
|---|---|
| aws | ~> 5.0 |
| terraform | n/a |
## Modules
No modules.
## Resources
| Name | Type |
|---|---|
| aws_grafana_workspace.main | resource |
| aws_grafana_workspace_saml_configuration.main | resource |
| aws_grafana_workspace_service_account.tf | resource |
| aws_grafana_workspace_service_account_token.tf | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy.cloudwatch | resource |
| aws_security_group.this | resource |
| terraform_data.saml_config | resource |
| terraform_data.workspace_configuration | resource |
| aws_iam_policy_document.grafana_assume | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| base_tags | Base tags applied to all resources | `map(string)` | `{}` | no |
| data_sources | AWS data sources Grafana is set up to query (auto-managed IAM policies are attached for these) | `list(string)` | `[` | no |
| grafana_version | Grafana workspace version | `string` | `"10.4"` | no |
| name_prefix | Prefix for resource names (e.g. prod-euc1-monitoring) | `string` | n/a | yes |
| notification_destinations | Notification destinations Grafana can post to (auto-managed IAM policies are attached for these) | `list(string)` | `[` | no |
| plugin_admin_enabled | Allow Admin users to install plugins from the Grafana catalog inside the UI. Off by default in AMG; required for adding the ClickHouse / Postgres data-source plugins. | `bool` | `true` | no |
| private_subnet_ids | Private subnet IDs where the workspace will place ENIs to reach data sources | `list(string)` | n/a | yes |
| saml_admin_role_values | SAML Role claim values that map to Grafana Admin. Must match what Azure AD sends in the Role attribute. | `list(string)` | `[` | no |
| saml_editor_role_values | SAML Role claim values that map to Grafana Editor. Must match what Azure AD sends in the Role attribute. | `list(string)` | `[` | no |
| saml_idp_metadata_url | Azure AD SAML federation metadata URL. Leave empty on first apply; set after configuring the Azure AD Enterprise App with the workspace's ACS URL. | `string` | `""` | no |
| vpc_id | VPC ID for the workspace's data-source-facing ENIs | `string` | n/a | yes |
## Outputs
| Name | Description |
|---|---|
| endpoint | Grafana workspace endpoint hostname (without scheme) |
| grafana_url | Full URL of the Grafana workspace |
| role_arn | ARN of the IAM role assumed by the workspace |
| security_group_id | Security group attached to the workspace ENIs. Use as the source for ingress rules on data-source security groups (ClickHouse, RDS, etc.). |
| service_account_token | Service account API token for the Grafana Terraform provider (30-day lifetime, rotated on apply) |
| workspace_id | Grafana workspace ID |