├── .editorconfig ├── .github └── workflows │ ├── lock.yml │ ├── pr-title.yml │ ├── pre-commit.yml │ ├── release.yml │ └── stale-actions.yaml ├── .gitignore ├── .pre-commit-config.yaml ├── .releaserc.json ├── CHANGELOG.md ├── LICENSE ├── README.md ├── examples ├── README.md └── complete │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── main.tf ├── outputs.tf ├── variables.tf └── versions.tf /.editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig is awesome: http://EditorConfig.org 2 | # Uses editorconfig to maintain consistent coding styles 3 | 4 | # top-most EditorConfig file 5 | root = true 6 | 7 | # Unix-style newlines with a newline ending every file 8 | [*] 9 | charset = utf-8 10 | end_of_line = lf 11 | indent_size = 2 12 | indent_style = space 13 | insert_final_newline = true 14 | max_line_length = 80 15 | trim_trailing_whitespace = true 16 | 17 | [*.{tf,tfvars}] 18 | indent_size = 2 19 | indent_style = space 20 | 21 | [*.md] 22 | max_line_length = 0 23 | trim_trailing_whitespace = false 24 | 25 | [Makefile] 26 | tab_width = 2 27 | indent_style = tab 28 | 29 | [COMMIT_EDITMSG] 30 | max_line_length = 0 31 | -------------------------------------------------------------------------------- /.github/workflows/lock.yml: -------------------------------------------------------------------------------- 1 | name: 'Lock Threads' 2 | 3 | on: 4 | schedule: 5 | - cron: '50 1 * * *' 6 | 7 | jobs: 8 | lock: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: dessant/lock-threads@v5 12 | with: 13 | github-token: ${{ secrets.GITHUB_TOKEN }} 14 | issue-comment: > 15 | I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues. 
16 | If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. 17 | issue-inactive-days: '30' 18 | pr-comment: > 19 | I'm going to lock this pull request because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues. 20 | If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. 21 | pr-inactive-days: '30' 22 | -------------------------------------------------------------------------------- /.github/workflows/pr-title.yml: -------------------------------------------------------------------------------- 1 | name: 'Validate PR title' 2 | 3 | on: 4 | pull_request_target: 5 | types: 6 | - opened 7 | - edited 8 | - synchronize 9 | 10 | jobs: 11 | main: 12 | name: Validate PR title 13 | runs-on: ubuntu-latest 14 | steps: 15 | # Please look up the latest version from 16 | # https://github.com/amannn/action-semantic-pull-request/releases 17 | - uses: amannn/action-semantic-pull-request@v5.5.3 18 | env: 19 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 20 | with: 21 | # Configure which types are allowed. 22 | # Default: https://github.com/commitizen/conventional-commit-types 23 | types: | 24 | fix 25 | feat 26 | docs 27 | ci 28 | chore 29 | # Configure that a scope must always be provided. 30 | requireScope: false 31 | # Configure additional validation for the subject based on a regex. 32 | # This example ensures the subject starts with an uppercase character. 33 | subjectPattern: ^[A-Z].+$ 34 | # If `subjectPattern` is configured, you can use this property to override 35 | # the default error message that is shown when the pattern doesn't match. 36 | # The variables `subject` and `title` can be used within the message. 
37 | subjectPatternError: | 38 | The subject "{subject}" found in the pull request title "{title}" 39 | didn't match the configured pattern. Please ensure that the subject 40 | starts with an uppercase character. 41 | # For work-in-progress PRs you can typically use draft pull requests 42 | # from Github. However, private repositories on the free plan don't have 43 | # this option and therefore this action allows you to opt-in to using the 44 | # special "[WIP]" prefix to indicate this state. This will avoid the 45 | # validation of the PR title and the pull request checks remain pending. 46 | # Note that a second check will be reported if this is enabled. 47 | wip: true 48 | # When using "Squash and merge" on a PR with only one commit, GitHub 49 | # will suggest using that commit message instead of the PR title for the 50 | # merge commit, and it's easy to commit this by mistake. Enable this option 51 | # to also validate the commit message for one commit PRs. 52 | validateSingleCommit: false 53 | -------------------------------------------------------------------------------- /.github/workflows/pre-commit.yml: -------------------------------------------------------------------------------- 1 | name: Pre-Commit 2 | 3 | on: 4 | pull_request: 5 | branches: 6 | - main 7 | - master 8 | 9 | env: 10 | TERRAFORM_DOCS_VERSION: v0.19.0 11 | TFLINT_VERSION: v0.53.0 12 | 13 | jobs: 14 | collectInputs: 15 | name: Collect workflow inputs 16 | runs-on: ubuntu-latest 17 | outputs: 18 | directories: ${{ steps.dirs.outputs.directories }} 19 | steps: 20 | - name: Checkout 21 | uses: actions/checkout@v4 22 | 23 | - name: Get root directories 24 | id: dirs 25 | uses: clowdhaus/terraform-composite-actions/directories@v1.9.0 26 | 27 | preCommitMinVersions: 28 | name: Min TF pre-commit 29 | needs: collectInputs 30 | runs-on: ubuntu-latest 31 | strategy: 32 | matrix: 33 | directory: ${{ fromJson(needs.collectInputs.outputs.directories) }} 34 | steps: 35 | # 
https://github.com/orgs/community/discussions/25678#discussioncomment-5242449 36 | - name: Delete huge unnecessary tools folder 37 | run: | 38 | rm -rf /opt/hostedtoolcache/CodeQL 39 | rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk 40 | rm -rf /opt/hostedtoolcache/Ruby 41 | rm -rf /opt/hostedtoolcache/go 42 | 43 | - name: Checkout 44 | uses: actions/checkout@v4 45 | 46 | - name: Terraform min/max versions 47 | id: minMax 48 | uses: clowdhaus/terraform-min-max@v1.3.1 49 | with: 50 | directory: ${{ matrix.directory }} 51 | 52 | - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} 53 | # Run only validate pre-commit check on min version supported 54 | if: ${{ matrix.directory != '.' }} 55 | uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1 56 | with: 57 | terraform-version: ${{ steps.minMax.outputs.minVersion }} 58 | tflint-version: ${{ env.TFLINT_VERSION }} 59 | args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*' 60 | 61 | - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} 62 | # Run only validate pre-commit check on min version supported 63 | if: ${{ matrix.directory == '.' 
}} 64 | uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1 65 | with: 66 | terraform-version: ${{ steps.minMax.outputs.minVersion }} 67 | tflint-version: ${{ env.TFLINT_VERSION }} 68 | args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)' 69 | 70 | preCommitMaxVersion: 71 | name: Max TF pre-commit 72 | runs-on: ubuntu-latest 73 | needs: collectInputs 74 | steps: 75 | # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449 76 | - name: Delete huge unnecessary tools folder 77 | run: | 78 | rm -rf /opt/hostedtoolcache/CodeQL 79 | rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk 80 | rm -rf /opt/hostedtoolcache/Ruby 81 | rm -rf /opt/hostedtoolcache/go 82 | 83 | - name: Checkout 84 | uses: actions/checkout@v4 85 | with: 86 | ref: ${{ github.event.pull_request.head.ref }} 87 | repository: ${{github.event.pull_request.head.repo.full_name}} 88 | 89 | - name: Terraform min/max versions 90 | id: minMax 91 | uses: clowdhaus/terraform-min-max@v1.3.1 92 | 93 | - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} 94 | uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1 95 | with: 96 | terraform-version: ${{ steps.minMax.outputs.maxVersion }} 97 | tflint-version: ${{ env.TFLINT_VERSION }} 98 | terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }} 99 | install-hcledit: true 100 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Release 2 | 3 | on: 4 | workflow_dispatch: 5 | push: 6 | branches: 7 | - main 8 | - master 9 | paths: 10 | - '**/*.tpl' 11 | - '**/*.py' 12 | - '**/*.tf' 13 | - '.github/workflows/release.yml' 14 | 15 | jobs: 16 | release: 17 | name: Release 18 | runs-on: ubuntu-latest 19 | # Skip running release workflow on forks 20 | if: github.repository_owner == 'terraform-aws-modules' 21 | steps: 22 | - name: Checkout 
23 | uses: actions/checkout@v4 24 | with: 25 | persist-credentials: false 26 | fetch-depth: 0 27 | 28 | - name: Release 29 | uses: cycjimmy/semantic-release-action@v4 30 | with: 31 | semantic_version: 23.0.2 32 | extra_plugins: | 33 | @semantic-release/changelog@6.0.3 34 | @semantic-release/git@10.0.1 35 | conventional-changelog-conventionalcommits@7.0.2 36 | env: 37 | GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }} 38 | -------------------------------------------------------------------------------- /.github/workflows/stale-actions.yaml: -------------------------------------------------------------------------------- 1 | name: 'Mark or close stale issues and PRs' 2 | on: 3 | schedule: 4 | - cron: '0 0 * * *' 5 | 6 | jobs: 7 | stale: 8 | runs-on: ubuntu-latest 9 | steps: 10 | - uses: actions/stale@v9 11 | with: 12 | repo-token: ${{ secrets.GITHUB_TOKEN }} 13 | # Marking issues and PRs as stale 14 | days-before-stale: 30 15 | stale-issue-label: stale 16 | stale-pr-label: stale 17 | stale-issue-message: | 18 | This issue has been automatically marked as stale because it has been open 30 days 19 | with no activity. Remove stale label or comment or this issue will be closed in 10 days 20 | stale-pr-message: | 21 | This PR has been automatically marked as stale because it has been open 30 days 22 | with no activity. Remove stale label or comment or this PR will be closed in 10 days 23 | # Not marked stale if it carries one of these labels or belongs to a milestone 24 | exempt-issue-labels: bug,wip,on-hold 25 | exempt-pr-labels: bug,wip,on-hold 26 | exempt-all-milestones: true 27 | # Closing stale issues and PRs 28 | # The stale label is removed automatically if the issue or PR is no longer closed or locked. 
29 | days-before-close: 10 30 | delete-branch: true 31 | close-issue-message: This issue was automatically closed because of stale in 10 days 32 | close-pr-message: This PR was automatically closed because of stale in 10 days 33 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform/* 3 | 4 | # .tfstate files 5 | *.tfstate 6 | *.tfstate.* 7 | 8 | # terraform lockfile 9 | .terraform.lock.hcl 10 | 11 | # Crash log files 12 | crash.log 13 | 14 | # Exclude all .tfvars files, which are likely to contain sensitive data, such as 15 | # passwords, private keys, and other secrets. These should not be part of version 16 | # control as they are data points which are potentially sensitive and subject 17 | # to change depending on the environment. 18 | # 19 | *.tfvars 20 | 21 | # Ignore override files as they are usually used to override resources locally and so 22 | # are not checked in 23 | override.tf 24 | override.tf.json 25 | *_override.tf 26 | *_override.tf.json 27 | 28 | # Include override files you do wish to add to version control using a negated pattern 29 | # 30 | # !example_override.tf 31 | 32 | # Add a tfplan pattern here to ignore the plan output of the command: terraform plan -out=tfplan 33 | # (plan files can carry the same sensitive values as state) example: *tfplan* 34 | 35 | # Ignore CLI configuration files 36 | .terraformrc 37 | terraform.rc 38 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/antonbabenko/pre-commit-terraform 3 | rev: v1.96.1 4 | hooks: 5 | - id: terraform_fmt 6 | - id: terraform_docs 7 | args: 8 | - '--args=--lockfile=false' 9 | - id: terraform_tflint 10 | args: 11 | - '--args=--only=terraform_deprecated_interpolation' 12 | - 
'--args=--only=terraform_deprecated_index' 13 | - '--args=--only=terraform_unused_declarations' 14 | - '--args=--only=terraform_comment_syntax' 15 | - '--args=--only=terraform_documented_outputs' 16 | - '--args=--only=terraform_documented_variables' 17 | - '--args=--only=terraform_typed_variables' 18 | - '--args=--only=terraform_module_pinned_source' 19 | - '--args=--only=terraform_naming_convention' 20 | - '--args=--only=terraform_required_version' 21 | - '--args=--only=terraform_required_providers' 22 | - '--args=--only=terraform_standard_module_structure' 23 | - '--args=--only=terraform_workspace_remote' 24 | - id: terraform_validate 25 | - repo: https://github.com/pre-commit/pre-commit-hooks 26 | rev: v5.0.0 27 | hooks: 28 | - id: check-merge-conflict 29 | - id: end-of-file-fixer 30 | - id: trailing-whitespace 31 | -------------------------------------------------------------------------------- /.releaserc.json: -------------------------------------------------------------------------------- 1 | { 2 | "branches": [ 3 | "main", 4 | "master" 5 | ], 6 | "ci": false, 7 | "plugins": [ 8 | [ 9 | "@semantic-release/commit-analyzer", 10 | { 11 | "preset": "conventionalcommits" 12 | } 13 | ], 14 | [ 15 | "@semantic-release/release-notes-generator", 16 | { 17 | "preset": "conventionalcommits" 18 | } 19 | ], 20 | [ 21 | "@semantic-release/github", 22 | { 23 | "successComment": "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:", 24 | "labels": false, 25 | "releasedLabels": false 26 | } 27 | ], 28 | [ 29 | "@semantic-release/changelog", 30 | { 31 | "changelogFile": "CHANGELOG.md", 32 | "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file." 
33 | } 34 | ], 35 | [ 36 | "@semantic-release/git", 37 | { 38 | "assets": [ 39 | "CHANGELOG.md" 40 | ], 41 | "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" 42 | } 43 | ] 44 | ] 45 | } 46 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | All notable changes to this project will be documented in this file. 4 | 5 | ## [2.3.0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v2.2.1...v2.3.0) (2024-11-01) 6 | 7 | 8 | ### Features 9 | 10 | * Support `aws_grafana_license_association.grafana_token` ([#43](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/43)) ([ce90f62](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/ce90f62734238ec10e1c7f86720220384f1b7d06)) 11 | 12 | ## [2.2.1](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v2.2.0...v2.2.1) (2024-10-26) 13 | 14 | 15 | ### Bug Fixes 16 | 17 | * Output for `workspace_service_accounts` ([#42](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/42)) ([911b74b](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/911b74b1157d0d68f68441a10a828b9ba618b536)) 18 | * Update CI workflow versions to latest ([#40](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/40)) ([fc86ff8](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/fc86ff814e6749b9dda5cf4a8c36b5fd1df5cb82)) 19 | 20 | ## [2.2.0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v2.1.2...v2.2.0) (2024-08-13) 21 | 22 | 23 | ### Features 24 | 25 | * Add support for service account and service account token resources 
([#36](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/36)) ([6d2a78f](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/6d2a78f62de815bb036e1b4aef22def3e5cde919)) 26 | 27 | ## [2.1.2](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v2.1.1...v2.1.2) (2024-03-06) 28 | 29 | 30 | ### Bug Fixes 31 | 32 | * Update CI workflow versions to remove deprecated runtime warnings ([#33](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/33)) ([9899b66](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/9899b665c4aa8c98b884cbed0bf9e89131494cb1)) 33 | 34 | ### [2.1.1](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v2.1.0...v2.1.1) (2024-02-01) 35 | 36 | 37 | ### Bug Fixes 38 | 39 | * IAM policy to correct permission for deleting alert manager silence ([#29](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/29)) ([8857168](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/88571687dba922c69d1a8e0ae81c48fdb4c066ed)) 40 | 41 | ## [2.1.0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v2.0.0...v2.1.0) (2023-10-06) 42 | 43 | 44 | ### Features 45 | 46 | * Add support for external integration with prometheus alertmanager for grafana ([#27](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/27)) ([a4bd8f4](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/a4bd8f4fa5bd3eef064c88c1ae0275663383a859)) 47 | 48 | ## [2.0.0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v1.10.0...v2.0.0) (2023-07-27) 49 | 50 | 51 | ### ⚠ BREAKING CHANGES 52 | 53 | * Add support for `network_access_control`, updated minimum supported version of Terraform to `1.0` and AWS 
provider to `5.0` (#25) 54 | 55 | ### Features 56 | 57 | * Add support for `network_access_control`, updated minimum supported version of Terraform to `1.0` and AWS provider to `5.0` ([#25](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/25)) ([9f025d9](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/9f025d98e691951b8e9db3992aa8293a1b49d3cf)) 58 | 59 | ## [1.10.0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v1.9.0...v1.10.0) (2023-05-09) 60 | 61 | 62 | ### Features 63 | 64 | * Add support for Grafana version specification ([#21](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/21)) ([421b2b6](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/421b2b698a965ea4c983da7ccc8e716f76abb009)) 65 | 66 | ## [1.9.0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v1.8.0...v1.9.0) (2023-03-25) 67 | 68 | 69 | ### Features 70 | 71 | * Control creation of SAML configuration via `create_saml_configuration` ([#20](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/20)) ([eb37802](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/eb3780220dc426166522197d7a35437ed4503990)) 72 | 73 | ## [1.8.0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v1.7.0...v1.8.0) (2023-02-02) 74 | 75 | 76 | ### Features 77 | 78 | * Add workpace `configuration` argument ([#17](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/17)) ([85ada19](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/85ada198438acd218ee1e10850f2ff820de73be3)) 79 | 80 | ## [1.7.0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v1.6.0...v1.7.0) (2023-02-02) 81 | 82 | 83 | ### Features 84 | 85 
| * Add support for `vpc_configuration` along with creating an associated security group ([#15](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/15)) ([6d50e63](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/6d50e6336b44045ab63c6d1cac31514b61feee98)) 86 | 87 | ## [1.6.0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v1.5.1...v1.6.0) (2022-12-04) 88 | 89 | 90 | ### Features 91 | 92 | * Add workspace ID as output attribute ([#11](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/11)) ([d2e19e9](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/d2e19e94eb72c6877372e75b1a8fd79fdc19a152)) 93 | 94 | ### [1.5.1](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v1.5.0...v1.5.1) (2022-11-07) 95 | 96 | 97 | ### Bug Fixes 98 | 99 | * Update CI configuration files to use latest version ([#12](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/12)) ([8027f54](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/8027f549a69ac565bd13a0ed10e22844945eb68e)) 100 | 101 | ## [1.5.0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v1.4.0...v1.5.0) (2022-08-26) 102 | 103 | 104 | ### Features 105 | 106 | * Add support for generating workspace API keys ([#9](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/9)) ([c45bf3b](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/c45bf3b9a3dcaf519f603292fd981c97f595e367)) 107 | 108 | ## [1.4.0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v1.3.1...v1.4.0) (2022-07-28) 109 | 110 | 111 | ### Features 112 | 113 | * Add support for using an existing/external workspace 
([#8](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/8)) ([eb31531](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/eb31531ab9af3393d601bdd6a7d243d8fa98b703)) 114 | 115 | ### [1.3.1](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v1.3.0...v1.3.1) (2022-06-27) 116 | 117 | 118 | ### Bug Fixes 119 | 120 | * Correct policy ARN paths for Redshift and Athena to use service-role ([#6](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/6)) ([1cd2098](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/1cd2098bd93eea9f35b78b98f7dd51fe0791dd33)) 121 | 122 | ## [1.3.0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v1.2.0...v1.3.0) (2022-06-16) 123 | 124 | 125 | ### Features 126 | 127 | * Add IAM permissions to support workspace role for `CURRENT_ACCOUNT` setting ([#3](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/3)) ([0cfb5e0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/0cfb5e07cd8f949075f5a0939f581b0fa6993672)) 128 | 129 | ## [1.2.0](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/compare/v1.1.0...v1.2.0) (2022-06-07) 130 | 131 | 132 | ### Features 133 | 134 | * Add support for Grafana workspace tags ([#2](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/issues/2)) ([35b32e9](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/commit/35b32e9d4e3adb306f8b5e7315ee5c900fb88b4b)) 135 | 136 | ## [1.1.0](https://github.com/clowdhaus/terraform-aws-managed-service-grafana/compare/v1.0.1...v1.1.0) (2022-04-20) 137 | 138 | 139 | ### Features 140 | 141 | * Repo has moved to [`terraform-aws-modules`](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana) organization 
([3890f37](https://github.com/clowdhaus/terraform-aws-managed-service-grafana/commit/3890f3772e74becc18b3c506548d36d98bea9251)) 142 | 143 | 144 | ### Bug Fixes 145 | 146 | * Add path that will pick up change to initiate release for repo change ([0f01872](https://github.com/clowdhaus/terraform-aws-managed-service-grafana/commit/0f01872c8ea8bbe913323396f22deecd5f617d04)) 147 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 
29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 
61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWS Managed Service for Grafana (AMG) Terraform module 2 | 3 | Terraform module which creates AWS Managed Service for Grafana (AMG) resources. 
4 | 5 | [![SWUbanner](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-direct.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md) 6 | 7 | ## Usage 8 | 9 | See [`examples`](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/tree/main/examples) directory for working examples to reference: 10 | 11 | ```hcl 12 | module "managed_grafana" { 13 | source = "terraform-aws-modules/managed-service-grafana/aws" 14 | 15 | # Workspace 16 | name = "example" 17 | description = "AWS Managed Grafana service example workspace" 18 | account_access_type = "CURRENT_ACCOUNT" 19 | authentication_providers = ["AWS_SSO"] 20 | permission_type = "SERVICE_MANAGED" 21 | data_sources = ["CLOUDWATCH", "PROMETHEUS", "XRAY"] 22 | notification_destinations = ["SNS"] 23 | 24 | # Workspace API keys 25 | workspace_api_keys = { 26 | viewer = { 27 | key_name = "viewer" 28 | key_role = "VIEWER" 29 | seconds_to_live = 3600 30 | } 31 | editor = { 32 | key_name = "editor" 33 | key_role = "EDITOR" 34 | seconds_to_live = 3600 35 | } 36 | admin = { 37 | key_name = "admin" 38 | key_role = "ADMIN" 39 | seconds_to_live = 3600 40 | } 41 | } 42 | 43 | # Workspace SAML configuration 44 | saml_admin_role_values = ["admin"] 45 | saml_editor_role_values = ["editor"] 46 | saml_email_assertion = "mail" 47 | saml_groups_assertion = "groups" 48 | saml_login_assertion = "mail" 49 | saml_name_assertion = "displayName" 50 | saml_org_assertion = "org" 51 | saml_role_assertion = "role" 52 | saml_idp_metadata_url = "https://my_idp_metadata.url" 53 | 54 | # Role associations 55 | role_associations = { 56 | "ADMIN" = { 57 | "group_ids" = ["1111111111-abcdefgh-1234-5678-abcd-999999999999"] 58 | } 59 | "EDITOR" = { 60 | "user_ids" = ["2222222222-abcdefgh-1234-5678-abcd-999999999999"] 61 | } 62 | } 63 | 64 | tags = { 65 | Terraform = "true" 66 | Environment = "dev" 67 | } 68 | } 69 | ``` 70 | 71 | ## Examples 72 | 73 | Examples codified under the 
[`examples`](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/tree/main/examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you! 74 | 75 | - [Complete](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/tree/main/examples/complete) 76 | 77 | 78 | ## Requirements 79 | 80 | | Name | Version | 81 | |------|---------| 82 | | [terraform](#requirement\_terraform) | >= 1.0 | 83 | | [aws](#requirement\_aws) | >= 5.63 | 84 | 85 | ## Providers 86 | 87 | | Name | Version | 88 | |------|---------| 89 | | [aws](#provider\_aws) | >= 5.63 | 90 | 91 | ## Modules 92 | 93 | No modules. 94 | 95 | ## Resources 96 | 97 | | Name | Type | 98 | |------|------| 99 | | [aws_grafana_license_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_license_association) | resource | 100 | | [aws_grafana_role_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_role_association) | resource | 101 | | [aws_grafana_workspace.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace) | resource | 102 | | [aws_grafana_workspace_api_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace_api_key) | resource | 103 | | [aws_grafana_workspace_saml_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace_saml_configuration) | resource | 104 | | [aws_grafana_workspace_service_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace_service_account) | resource | 105 | | 
[aws_grafana_workspace_service_account_token.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace_service_account_token) | resource | 106 | | [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | 107 | | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 108 | | [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 109 | | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 110 | | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | 111 | | [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | 112 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 113 | | [aws_iam_policy_document.assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 114 | | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 115 | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | 116 | | [aws_subnet.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | 117 | 118 | ## Inputs 119 | 120 | | Name | Description | Type | Default | Required | 121 | |------|-------------|------|---------|:--------:| 122 | | [account\_access\_type](#input\_account\_access\_type) | The 
type of account access for the workspace. Valid values are `CURRENT_ACCOUNT` and `ORGANIZATION` | `string` | `"CURRENT_ACCOUNT"` | no | 123 | | [associate\_license](#input\_associate\_license) | Determines whether a license will be associated with the workspace | `bool` | `true` | no | 124 | | [authentication\_providers](#input\_authentication\_providers) | The authentication providers for the workspace. Valid values are `AWS_SSO`, `SAML`, or both | `list(string)` |
[
"AWS_SSO"
]
| no | 125 | | [configuration](#input\_configuration) | The configuration string for the workspace | `string` | `null` | no | 126 | | [create](#input\_create) | Determines whether any resources will be created | `bool` | `true` | no | 127 | | [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created or an existing IAM role is used | `bool` | `true` | no | 128 | | [create\_saml\_configuration](#input\_create\_saml\_configuration) | Determines whether the SAML configuration will be created | `bool` | `true` | no | 129 | | [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `true` | no | 130 | | [create\_workspace](#input\_create\_workspace) | Determines whether a workspace will be created or an existing workspace is used | `bool` | `true` | no | 131 | | [data\_sources](#input\_data\_sources) | The data sources for the workspace. Valid values are `AMAZON_OPENSEARCH_SERVICE`, `ATHENA`, `CLOUDWATCH`, `PROMETHEUS`, `REDSHIFT`, `SITEWISE`, `TIMESTREAM`, `XRAY` | `list(string)` | `[]` | no | 132 | | [description](#input\_description) | The workspace description | `string` | `null` | no | 133 | | [enable\_alerts](#input\_enable\_alerts) | Determines whether IAM permissions for alerting are enabled for the workspace IAM role | `bool` | `false` | no | 134 | | [grafana\_token](#input\_grafana\_token) | A token from Grafana Labs that ties your AWS account with a Grafana Labs account | `string` | `null` | no | 135 | | [grafana\_version](#input\_grafana\_version) | Specifies the version of Grafana to support in the new workspace. If not specified, the default version for the `aws_grafana_workspace` resource will be used. See `aws_grafana_workspace` documentation for available options. | `string` | `null` | no | 136 | | [iam\_role\_arn](#input\_iam\_role\_arn) | Existing IAM role ARN for the workspace.
Required if `create_iam_role` is set to `false` | `string` | `null` | no | 137 | | [iam\_role\_description](#input\_iam\_role\_description) | The description of the workspace IAM role | `string` | `null` | no | 138 | | [iam\_role\_force\_detach\_policies](#input\_iam\_role\_force\_detach\_policies) | Determines whether the workspace IAM role policies will be forced to detach | `bool` | `true` | no | 139 | | [iam\_role\_max\_session\_duration](#input\_iam\_role\_max\_session\_duration) | Maximum session duration (in seconds) that you want to set for the IAM role | `number` | `null` | no | 140 | | [iam\_role\_name](#input\_iam\_role\_name) | Name to use on workspace IAM role created | `string` | `null` | no | 141 | | [iam\_role\_path](#input\_iam\_role\_path) | Workspace IAM role path | `string` | `null` | no | 142 | | [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no | 143 | | [iam\_role\_policy\_arns](#input\_iam\_role\_policy\_arns) | List of ARNs of IAM policies to attach to the workspace IAM role | `list(string)` | `[]` | no | 144 | | [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no | 145 | | [license\_type](#input\_license\_type) | The type of license for the workspace license association. Valid values are `ENTERPRISE` and `ENTERPRISE_FREE_TRIAL` | `string` | `"ENTERPRISE"` | no | 146 | | [name](#input\_name) | The Grafana workspace name | `string` | `null` | no | 147 | | [network\_access\_control](#input\_network\_access\_control) | Configuration for network access to your workspace | `any` | `{}` | no | 148 | | [notification\_destinations](#input\_notification\_destinations) | The notification destinations. If a destination is specified here, Amazon Managed Grafana will create IAM roles and permissions needed to use these destinations.
Must be set to `SNS` | `list(string)` | `[]` | no | 149 | | [organization\_role\_name](#input\_organization\_role\_name) | The role name that the workspace uses to access resources through Amazon Organizations | `string` | `null` | no | 150 | | [organizational\_units](#input\_organizational\_units) | The Amazon Organizations organizational units that the workspace is authorized to use data sources from | `list(string)` | `[]` | no | 151 | | [permission\_type](#input\_permission\_type) | The permission type of the workspace. If `SERVICE_MANAGED` is specified, the IAM roles and IAM policy attachments are generated automatically. If `CUSTOMER_MANAGED` is specified, the IAM roles and IAM policy attachments will not be created | `string` | `"SERVICE_MANAGED"` | no | 152 | | [role\_associations](#input\_role\_associations) | Map of maps to associate user/group IDs with a role. Map key can be used as the `role` | `any` | `{}` | no | 153 | | [saml\_admin\_role\_values](#input\_saml\_admin\_role\_values) | SAML authentication admin role values | `list(string)` | `[]` | no | 154 | | [saml\_allowed\_organizations](#input\_saml\_allowed\_organizations) | SAML authentication allowed organizations | `list(string)` | `[]` | no | 155 | | [saml\_editor\_role\_values](#input\_saml\_editor\_role\_values) | SAML authentication editor role values | `list(string)` | `[]` | no | 156 | | [saml\_email\_assertion](#input\_saml\_email\_assertion) | SAML authentication email assertion | `string` | `null` | no | 157 | | [saml\_groups\_assertion](#input\_saml\_groups\_assertion) | SAML authentication groups assertion | `string` | `null` | no | 158 | | [saml\_idp\_metadata\_url](#input\_saml\_idp\_metadata\_url) | SAML authentication IDP Metadata URL. Note that either `saml_idp_metadata_url` or `saml_idp_metadata_xml` must be provided | `string` | `null` | no | 159 | | [saml\_idp\_metadata\_xml](#input\_saml\_idp\_metadata\_xml) | SAML authentication IDP Metadata XML.
Note that either `saml_idp_metadata_url` or `saml_idp_metadata_xml` must be provided | `string` | `null` | no | 160 | | [saml\_login\_assertion](#input\_saml\_login\_assertion) | SAML authentication login assertion | `string` | `null` | no | 161 | | [saml\_login\_validity\_duration](#input\_saml\_login\_validity\_duration) | SAML authentication login validity duration | `number` | `null` | no | 162 | | [saml\_name\_assertion](#input\_saml\_name\_assertion) | SAML authentication name assertion | `string` | `null` | no | 163 | | [saml\_org\_assertion](#input\_saml\_org\_assertion) | SAML authentication org assertion | `string` | `null` | no | 164 | | [saml\_role\_assertion](#input\_saml\_role\_assertion) | SAML authentication role assertion | `string` | `null` | no | 165 | | [security\_group\_description](#input\_security\_group\_description) | Description of the security group created | `string` | `null` | no | 166 | | [security\_group\_name](#input\_security\_group\_name) | Name to use on security group created | `string` | `null` | no | 167 | | [security\_group\_rules](#input\_security\_group\_rules) | Security group rules to add to the security group created | `any` | `{}` | no | 168 | | [security\_group\_tags](#input\_security\_group\_tags) | A map of additional tags to add to the security group created | `map(string)` | `{}` | no | 169 | | [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Determines whether the security group name (`security_group_name`) is used as a prefix | `bool` | `true` | no | 170 | | [stack\_set\_name](#input\_stack\_set\_name) | The AWS CloudFormation stack set name that provisions IAM roles to be used by the workspace | `string` | `null` | no | 171 | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | 172 | | [use\_iam\_role\_name\_prefix](#input\_use\_iam\_role\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` |
no | 173 | | [vpc\_configuration](#input\_vpc\_configuration) | The configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to | `any` | `{}` | no | 174 | | [workspace\_api\_keys](#input\_workspace\_api\_keys) | Map of workspace API key definitions to create | `any` | `{}` | no | 175 | | [workspace\_id](#input\_workspace\_id) | The ID of an existing workspace to use when `create_workspace` is `false` | `string` | `""` | no | 176 | | [workspace\_service\_account\_tokens](#input\_workspace\_service\_account\_tokens) | Map of workspace service account tokens to create | `any` | `{}` | no | 177 | | [workspace\_service\_accounts](#input\_workspace\_service\_accounts) | Map of workspace service account definitions to create | `any` | `{}` | no | 178 | 179 | ## Outputs 180 | 181 | | Name | Description | 182 | |------|-------------| 183 | | [license\_expiration](#output\_license\_expiration) | If `license_type` is set to `ENTERPRISE`, this is the expiration date of the enterprise license | 184 | | [license\_free\_trial\_expiration](#output\_license\_free\_trial\_expiration) | If `license_type` is set to `ENTERPRISE_FREE_TRIAL`, this is the expiration date of the free trial | 185 | | [saml\_configuration\_status](#output\_saml\_configuration\_status) | Status of the SAML configuration | 186 | | [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group | 187 | | [security\_group\_id](#output\_security\_group\_id) | ID of the security group | 188 | | [workspace\_api\_keys](#output\_workspace\_api\_keys) | The workspace API keys created including their attributes | 189 | | [workspace\_arn](#output\_workspace\_arn) | The Amazon Resource Name (ARN) of the Grafana workspace | 190 | | [workspace\_endpoint](#output\_workspace\_endpoint) | The endpoint of the Grafana workspace | 191 | | [workspace\_grafana\_version](#output\_workspace\_grafana\_version) | The version of Grafana running 
on the workspace | 192 | | [workspace\_iam\_role\_arn](#output\_workspace\_iam\_role\_arn) | IAM role ARN of the Grafana workspace | 193 | | [workspace\_iam\_role\_name](#output\_workspace\_iam\_role\_name) | IAM role name of the Grafana workspace | 194 | | [workspace\_iam\_role\_policy\_arn](#output\_workspace\_iam\_role\_policy\_arn) | IAM Policy ARN of the Grafana workspace IAM role | 195 | | [workspace\_iam\_role\_policy\_id](#output\_workspace\_iam\_role\_policy\_id) | Stable and unique string identifying the IAM Policy | 196 | | [workspace\_iam\_role\_policy\_name](#output\_workspace\_iam\_role\_policy\_name) | IAM Policy name of the Grafana workspace IAM role | 197 | | [workspace\_iam\_role\_unique\_id](#output\_workspace\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role | 198 | | [workspace\_id](#output\_workspace\_id) | The ID of the Grafana workspace | 199 | | [workspace\_service\_account\_tokens](#output\_workspace\_service\_account\_tokens) | The workspace service account tokens created including their attributes | 200 | | [workspace\_service\_accounts](#output\_workspace\_service\_accounts) | The workspace service accounts created including their attributes | 201 | 202 | 203 | ## License 204 | 205 | Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/blob/main/LICENSE). 
206 | -------------------------------------------------------------------------------- /examples/README.md: -------------------------------------------------------------------------------- 1 | # Terraform AWS Managed Service for Grafana (AMG) Examples 2 | 3 | - [Complete](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/tree/main/examples/complete) 4 | -------------------------------------------------------------------------------- /examples/complete/README.md: -------------------------------------------------------------------------------- 1 | # Complete AWS Managed Service for Grafana (AMG) Example 2 | 3 | Configuration in this directory creates: 4 | 5 | - Disabled Grafana workspace 6 | - Default Grafana workspace (using defaults provided by the module) 7 | - Complete Grafana workspace showing example of possible configurations 8 | 9 | ## Usage 10 | 11 | To run this example you need to execute: 12 | 13 | ```bash 14 | $ terraform init 15 | $ terraform plan 16 | $ terraform apply 17 | ``` 18 | 19 | Note that this example may create resources which will incur monetary charges on your AWS bill. Run `terraform destroy` when you no longer need these resources. 20 | 21 | 22 | ## Requirements 23 | 24 | | Name | Version | 25 | |------|---------| 26 | | [terraform](#requirement\_terraform) | >= 1.0 | 27 | | [aws](#requirement\_aws) | >= 5.63 | 28 | 29 | ## Providers 30 | 31 | | Name | Version | 32 | |------|---------| 33 | | [aws](#provider\_aws) | >= 5.63 | 34 | 35 | ## Modules 36 | 37 | | Name | Source | Version | 38 | |------|--------|---------| 39 | | [managed\_grafana](#module\_managed\_grafana) | ../.. | n/a | 40 | | [managed\_grafana\_default](#module\_managed\_grafana\_default) | ../.. | n/a | 41 | | [managed\_grafana\_disabled](#module\_managed\_grafana\_disabled) | ../.. 
| n/a | 42 | | [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | 43 | 44 | ## Resources 45 | 46 | | Name | Type | 47 | |------|------| 48 | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 49 | 50 | ## Inputs 51 | 52 | No inputs. 53 | 54 | ## Outputs 55 | 56 | | Name | Description | 57 | |------|-------------| 58 | | [license\_expiration](#output\_license\_expiration) | If `license_type` is set to `ENTERPRISE`, this is the expiration date of the enterprise license | 59 | | [license\_free\_trial\_expiration](#output\_license\_free\_trial\_expiration) | If `license_type` is set to `ENTERPRISE_FREE_TRIAL`, this is the expiration date of the free trial | 60 | | [saml\_configuration\_status](#output\_saml\_configuration\_status) | Status of the SAML configuration | 61 | | [workspace\_api\_keys](#output\_workspace\_api\_keys) | The workspace API keys created including their attributes | 62 | | [workspace\_arn](#output\_workspace\_arn) | The Amazon Resource Name (ARN) of the Grafana workspace | 63 | | [workspace\_endpoint](#output\_workspace\_endpoint) | The endpoint of the Grafana workspace | 64 | | [workspace\_grafana\_version](#output\_workspace\_grafana\_version) | The version of Grafana running on the workspace | 65 | | [workspace\_iam\_role\_arn](#output\_workspace\_iam\_role\_arn) | IAM role ARN of the Grafana workspace | 66 | | [workspace\_iam\_role\_name](#output\_workspace\_iam\_role\_name) | IAM role name of the Grafana workspace | 67 | | [workspace\_iam\_role\_policy\_arn](#output\_workspace\_iam\_role\_policy\_arn) | IAM Policy ARN of the Grafana workspace IAM role | 68 | | [workspace\_iam\_role\_policy\_id](#output\_workspace\_iam\_role\_policy\_id) | Stable and unique string identifying the IAM Policy | 69 | | [workspace\_iam\_role\_policy\_name](#output\_workspace\_iam\_role\_policy\_name) | IAM Policy name of the Grafana workspace IAM role | 
70 | | [workspace\_iam\_role\_unique\_id](#output\_workspace\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role | 71 | | [workspace\_id](#output\_workspace\_id) | The ID of the Grafana workspace | 72 | | [workspace\_service\_account\_tokens](#output\_workspace\_service\_account\_tokens) | The workspace service account tokens created including their attributes | 73 | | [workspace\_service\_accounts](#output\_workspace\_service\_accounts) | The workspace service accounts created including their attributes | 74 | 75 | 76 | Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/blob/main/LICENSE). 77 | -------------------------------------------------------------------------------- /examples/complete/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = local.region 3 | } 4 | 5 | data "aws_availability_zones" "available" {} 6 | 7 | locals { 8 | region = "us-east-1" 9 | name = "amg-ex-${replace(basename(path.cwd), "_", "-")}" 10 | description = "AWS Managed Grafana service for ${local.name}" 11 | 12 | vpc_cidr = "10.0.0.0/16" 13 | azs = slice(data.aws_availability_zones.available.names, 0, 3) 14 | 15 | tags = { 16 | Example = local.name 17 | GithubRepo = "terraform-aws-manage-service-grafana" 18 | GithubOrg = "terraform-aws-modules" 19 | } 20 | } 21 | 22 | ################################################################################ 23 | # Managed Grafana Module 24 | ################################################################################ 25 | 26 | module "managed_grafana" { 27 | source = "../.." 
28 | 29 | # Workspace 30 | name = local.name 31 | associate_license = false 32 | description = local.description 33 | account_access_type = "CURRENT_ACCOUNT" 34 | authentication_providers = ["AWS_SSO"] 35 | permission_type = "SERVICE_MANAGED" 36 | data_sources = ["CLOUDWATCH", "PROMETHEUS", "XRAY"] 37 | notification_destinations = ["SNS"] 38 | stack_set_name = local.name 39 | grafana_version = "10.4" 40 | 41 | configuration = jsonencode({ 42 | unifiedAlerting = { 43 | enabled = true 44 | }, 45 | plugins = { 46 | pluginAdminEnabled = false 47 | } 48 | }) 49 | 50 | # vpc configuration 51 | vpc_configuration = { 52 | subnet_ids = module.vpc.private_subnets 53 | } 54 | security_group_rules = { 55 | egress_postgresql = { 56 | description = "Allow egress to PostgreSQL" 57 | from_port = 5432 58 | to_port = 5432 59 | protocol = "tcp" 60 | cidr_blocks = module.vpc.private_subnets_cidr_blocks 61 | } 62 | } 63 | 64 | # Workspace API keys 65 | workspace_api_keys = { 66 | viewer = { 67 | key_name = "viewer" 68 | key_role = "VIEWER" 69 | seconds_to_live = 3600 70 | } 71 | editor = { 72 | key_name = "editor" 73 | key_role = "EDITOR" 74 | seconds_to_live = 3600 75 | } 76 | admin = { 77 | key_name = "admin" 78 | key_role = "ADMIN" 79 | seconds_to_live = 3600 80 | } 81 | } 82 | 83 | # Workspace service accounts 84 | workspace_service_accounts = { 85 | viewer = { 86 | grafana_role = "VIEWER" 87 | } 88 | editor = { 89 | name = "editor-example" 90 | grafana_role = "EDITOR" 91 | } 92 | admin = { 93 | grafana_role = "ADMIN" 94 | } 95 | } 96 | 97 | workspace_service_account_tokens = { 98 | viewer = { 99 | service_account_key = "viewer" 100 | seconds_to_live = 3600 101 | } 102 | editor = { 103 | name = "editor-example" 104 | service_account_key = "editor" 105 | seconds_to_live = 3600 106 | } 107 | admin = { 108 | service_account_key = "admin" 109 | seconds_to_live = 3600 110 | } 111 | } 112 | 113 | # Workspace IAM role 114 | create_iam_role = true 115 | iam_role_name = local.name 116 | 
use_iam_role_name_prefix = true 117 | iam_role_description = local.description 118 | iam_role_path = "/grafana/" 119 | iam_role_force_detach_policies = true 120 | iam_role_max_session_duration = 7200 121 | iam_role_tags = { role = true } 122 | 123 | # # Workspace SAML configuration 124 | # saml_admin_role_values = ["admin"] 125 | # saml_editor_role_values = ["editor"] 126 | # saml_email_assertion = "mail" 127 | # saml_groups_assertion = "groups" 128 | # saml_login_assertion = "mail" 129 | # saml_name_assertion = "displayName" 130 | # saml_org_assertion = "org" 131 | # saml_role_assertion = "role" 132 | # saml_idp_metadata_url = "https://my_idp_metadata.url" 133 | 134 | # Role associations 135 | # Ref: https://github.com/aws/aws-sdk/issues/25 136 | # Ref: https://github.com/hashicorp/terraform-provider-aws/issues/18812 137 | # WARNING: https://github.com/hashicorp/terraform-provider-aws/issues/24166 138 | # role_associations = { 139 | # "ADMIN" = { 140 | # "group_ids" = ["1111111111-abcdefgh-1234-5678-abcd-999999999999"] 141 | # } 142 | # "EDITOR" = { 143 | # "user_ids" = ["2222222222-abcdefgh-1234-5678-abcd-999999999999"] 144 | # } 145 | # } 146 | 147 | tags = local.tags 148 | } 149 | 150 | module "managed_grafana_default" { 151 | source = "../.." 152 | 153 | name = "${local.name}-default" 154 | associate_license = false 155 | 156 | tags = local.tags 157 | } 158 | 159 | module "managed_grafana_disabled" { 160 | source = "../.." 
161 | 162 | name = local.name 163 | create = false 164 | } 165 | 166 | ################################################################################ 167 | # Supporting Resources 168 | ################################################################################ 169 | 170 | module "vpc" { 171 | source = "terraform-aws-modules/vpc/aws" 172 | version = "~> 5.0" 173 | 174 | name = local.name 175 | cidr = local.vpc_cidr 176 | 177 | azs = local.azs 178 | private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] 179 | public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)] 180 | 181 | enable_nat_gateway = false # disabling for example, re-evaluate for your environment 182 | single_nat_gateway = true 183 | 184 | tags = local.tags 185 | } 186 | -------------------------------------------------------------------------------- /examples/complete/outputs.tf: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # Workspace 3 | ################################################################################ 4 | 5 | output "workspace_arn" { 6 | description = "The Amazon Resource Name (ARN) of the Grafana workspace" 7 | value = module.managed_grafana.workspace_arn 8 | } 9 | 10 | output "workspace_id" { 11 | description = "The ID of the Grafana workspace" 12 | value = module.managed_grafana.workspace_id 13 | } 14 | 15 | output "workspace_endpoint" { 16 | description = "The endpoint of the Grafana workspace" 17 | value = module.managed_grafana.workspace_endpoint 18 | } 19 | 20 | output "workspace_grafana_version" { 21 | description = "The version of Grafana running on the workspace" 22 | value = module.managed_grafana.workspace_grafana_version 23 | } 24 | 25 | ################################################################################ 26 | # Workspace API Key 27 | 
################################################################################ 28 | 29 | output "workspace_api_keys" { 30 | description = "The workspace API keys created including their attributes" 31 | value = module.managed_grafana.workspace_api_keys 32 | sensitive = true 33 | } 34 | 35 | ################################################################################ 36 | # Workspace Service Account 37 | ################################################################################ 38 | 39 | output "workspace_service_accounts" { 40 | description = "The workspace service accounts created including their attributes" 41 | value = module.managed_grafana.workspace_service_accounts 42 | } 43 | 44 | output "workspace_service_account_tokens" { 45 | description = "The workspace service account tokens created including their attributes" 46 | value = module.managed_grafana.workspace_service_account_tokens 47 | sensitive = true 48 | } 49 | 50 | ################################################################################ 51 | # Workspace IAM Role 52 | ################################################################################ 53 | 54 | output "workspace_iam_role_name" { 55 | description = "IAM role name of the Grafana workspace" 56 | value = module.managed_grafana.workspace_iam_role_name 57 | } 58 | 59 | output "workspace_iam_role_arn" { 60 | description = "IAM role ARN of the Grafana workspace" 61 | value = module.managed_grafana.workspace_iam_role_arn 62 | } 63 | 64 | output "workspace_iam_role_unique_id" { 65 | description = "Stable and unique string identifying the IAM role" 66 | value = module.managed_grafana.workspace_iam_role_unique_id 67 | } 68 | 69 | ################################################################################ 70 | # Workspace IAM Policy 71 | ################################################################################ 72 | 73 | output "workspace_iam_role_policy_arn" { 74 | description = "IAM Policy ARN of the Grafana workspace 
IAM role" 75 | value = module.managed_grafana.workspace_iam_role_policy_arn 76 | } 77 | 78 | output "workspace_iam_role_policy_name" { 79 | description = "IAM Policy name of the Grafana workspace IAM role" 80 | value = module.managed_grafana.workspace_iam_role_policy_name 81 | } 82 | 83 | output "workspace_iam_role_policy_id" { 84 | description = "Stable and unique string identifying the IAM Policy" 85 | value = module.managed_grafana.workspace_iam_role_policy_id 86 | } 87 | 88 | ################################################################################ 89 | # Workspace SAML Configuration 90 | ################################################################################ 91 | 92 | output "saml_configuration_status" { 93 | description = "Status of the SAML configuration" 94 | value = module.managed_grafana.saml_configuration_status 95 | } 96 | 97 | ################################################################################ 98 | # License Association 99 | ################################################################################ 100 | 101 | output "license_free_trial_expiration" { 102 | description = "If `license_type` is set to `ENTERPRISE_FREE_TRIAL`, this is the expiration date of the free trial" 103 | value = module.managed_grafana.license_free_trial_expiration 104 | } 105 | 106 | output "license_expiration" { 107 | description = "If `license_type` is set to `ENTERPRISE`, this is the expiration date of the enterprise license" 108 | value = module.managed_grafana.license_expiration 109 | } 110 | -------------------------------------------------------------------------------- /examples/complete/variables.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/terraform-aws-modules/terraform-aws-managed-service-grafana/6d82b7f0ee28dd51b7309682409f6fae29683ce5/examples/complete/variables.tf -------------------------------------------------------------------------------- 
/examples/complete/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 5.63" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /main.tf: -------------------------------------------------------------------------------- 1 | data "aws_partition" "current" {} 2 | data "aws_caller_identity" "current" {} 3 | 4 | locals { 5 | workspace_id = var.create_workspace ? try(aws_grafana_workspace.this[0].id, null) : var.workspace_id 6 | } 7 | 8 | ################################################################################ 9 | # Workspace 10 | ################################################################################ 11 | 12 | resource "aws_grafana_workspace" "this" { 13 | count = var.create && var.create_workspace ? 1 : 0 14 | 15 | account_access_type = var.account_access_type 16 | authentication_providers = var.authentication_providers 17 | configuration = var.configuration 18 | data_sources = var.data_sources 19 | description = var.description 20 | grafana_version = var.grafana_version 21 | name = var.name 22 | 23 | dynamic "network_access_control" { 24 | for_each = length(var.network_access_control) > 0 ? [var.network_access_control] : [] 25 | 26 | content { 27 | prefix_list_ids = network_access_control.value.prefix_list_ids 28 | vpce_ids = network_access_control.value.vpce_ids 29 | } 30 | } 31 | 32 | notification_destinations = var.notification_destinations 33 | organization_role_name = var.organization_role_name 34 | organizational_units = var.organizational_units 35 | permission_type = var.permission_type 36 | role_arn = var.create_iam_role ? aws_iam_role.this[0].arn : var.iam_role_arn 37 | stack_set_name = coalesce(var.stack_set_name, var.name) 38 | 39 | dynamic "vpc_configuration" { 40 | for_each = length(var.vpc_configuration) > 0 ? 
[var.vpc_configuration] : []

    content {
      # When the module manages a security group, put it first and append any
      # caller-supplied IDs; otherwise pass the caller's list through unchanged
      security_group_ids = var.create_security_group ? flatten(concat([aws_security_group.this[0].id], try(vpc_configuration.value.security_group_ids, []))) : vpc_configuration.value.security_group_ids
      subnet_ids         = vpc_configuration.value.subnet_ids
    }
  }

  tags = var.tags
}

################################################################################
# Security Group
################################################################################

locals {
  # A module-managed security group is only created when the workspace is VPC-attached
  create_security_group = length(var.vpc_configuration) > 0 && var.create_security_group
  # Falls back to the workspace name; "" only if both are unset (coalesce would error otherwise)
  security_group_name = try(coalesce(var.security_group_name, var.name), "")
}

# The VPC for the security group is taken from the first subnet in `vpc_configuration`
# NOTE(review): assumes every subnet listed belongs to the same VPC - confirm in callers
data "aws_subnet" "this" {
  count = local.create_security_group ? 1 : 0

  id = element(var.vpc_configuration.subnet_ids, 0)
}

resource "aws_security_group" "this" {
  count = local.create_security_group ? 1 : 0

  # Exactly one of name / name_prefix is set, depending on `security_group_use_name_prefix`
  name        = var.security_group_use_name_prefix ? null : local.security_group_name
  name_prefix = var.security_group_use_name_prefix ?
"${local.security_group_name}-" : null
  description = var.security_group_description
  vpc_id      = data.aws_subnet.this[0].vpc_id

  tags = merge(var.tags, var.security_group_tags)

  lifecycle {
    # Build the replacement group before destroying the old one so the workspace
    # is never left without a security group during a forced replacement
    create_before_destroy = true
  }
}

resource "aws_security_group_rule" "this" {
  # Rules are only created alongside the module-managed security group
  for_each = { for k, v in var.security_group_rules : k => v if local.create_security_group }

  # Required
  security_group_id = aws_security_group.this[0].id
  protocol          = each.value.protocol
  from_port         = each.value.from_port
  to_port           = each.value.to_port
  # Rules without an explicit `type` are created as egress rules
  type = try(each.value.type, "egress")

  # Optional - every unset key is passed as null
  # NOTE(review): the provider expects one destination/source kind per rule
  # (CIDR, IPv6 CIDR, prefix list, self or peer security group) - confirm per rule
  description              = lookup(each.value, "description", null)
  cidr_blocks              = lookup(each.value, "cidr_blocks", null)
  ipv6_cidr_blocks         = lookup(each.value, "ipv6_cidr_blocks", null)
  prefix_list_ids          = lookup(each.value, "prefix_list_ids", null)
  self                     = lookup(each.value, "self", null)
  source_security_group_id = lookup(each.value, "source_security_group_id", null)
}

################################################################################
# Workspace API Key
################################################################################

resource "aws_grafana_workspace_api_key" "this" {
  for_each = { for k, v in var.workspace_api_keys : k => v if var.create }

  # The map key doubles as the key name when `key_name` is not given
  key_name        = try(each.value.key_name, each.key)
  key_role        = each.value.key_role
  # Required: keys expire after this many seconds
  seconds_to_live = each.value.seconds_to_live
  # Either the workspace created here or the caller-supplied `workspace_id`
  workspace_id = local.workspace_id
}

################################################################################
# Workspace Service Account
################################################################################

resource "aws_grafana_workspace_service_account" "this" {
  for_each = { for k, v in var.workspace_service_accounts : k => v if var.create }

  # The map key doubles as the service account name when `name` is not given
  name =
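try(each.value.name, each.key)
  grafana_role = each.value.grafana_role
  workspace_id = local.workspace_id
}

resource "aws_grafana_workspace_service_account_token" "this" {
  for_each = { for k, v in var.workspace_service_account_tokens : k => v if var.create }

  name = try(each.value.name, each.key)
  # Prefer a service account created by this module (looked up via `service_account_key`);
  # fall back to an explicitly supplied `service_account_id`
  service_account_id = try(aws_grafana_workspace_service_account.this[each.value.service_account_key].service_account_id, each.value.service_account_id)
  # Required: tokens expire after this many seconds
  seconds_to_live = each.value.seconds_to_live
  workspace_id    = local.workspace_id
}

################################################################################
# Workspace IAM Role
################################################################################

locals {
  create_role = var.create && var.create_iam_role
  # Falls back to the workspace name; errors if both are null (coalesce has no non-null argument)
  iam_role_name = coalesce(var.iam_role_name, var.name)

  # The generated policy only applies to single-account workspaces
  create_account_policy = local.create_role && var.account_access_type == "CURRENT_ACCOUNT"
  # `data.aws_iam_policy_document.this` emits statements for these data sources and for
  # the SNS notification destination. SNS is a `notification_destinations` value, not a
  # `data_sources` value, so it is checked against that variable here; otherwise a
  # workspace with `notification_destinations = ["SNS"]` and none of these data sources
  # would get no policy at all and therefore no `sns:Publish` permission.
  create_custom_policy = length(setintersection(var.data_sources, ["CLOUDWATCH", "AMAZON_OPENSEARCH_SERVICE", "PROMETHEUS"])) > 0 || contains(var.notification_destinations, "SNS")
}

# Trust policy: only the Grafana service principal of the current partition may assume the role
# NOTE(review): consider adding `aws:SourceAccount` / `aws:SourceArn` conditions to narrow
# the service principal to this account's workspaces - confirm Amazon Managed Grafana sets them
data "aws_iam_policy_document" "assume" {
  count = local.create_role ? 1 : 0

  statement {
    sid     = "GrafanaAssume"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["grafana.${data.aws_partition.current.dns_suffix}"]
    }
  }
}

resource "aws_iam_role" "this" {
  count = local.create_role ? 1 : 0

  # Exactly one of name / name_prefix is set, depending on `use_iam_role_name_prefix`
  name        = var.use_iam_role_name_prefix ? null : local.iam_role_name
  name_prefix = var.use_iam_role_name_prefix ?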
"${local.iam_role_name}-" : null
  description = var.iam_role_description
  path        = var.iam_role_path

  assume_role_policy    = data.aws_iam_policy_document.assume[0].json
  force_detach_policies = var.iam_role_force_detach_policies
  max_session_duration  = var.iam_role_max_session_duration
  # Optional cap on the permissions this role can ever be granted
  permissions_boundary = var.iam_role_permissions_boundary

  tags = merge(var.tags, var.iam_role_tags)
}

# Caller-supplied policies, attached in addition to the generated data source policy
resource "aws_iam_role_policy_attachment" "additional" {
  for_each = { for k, v in var.iam_role_policy_arns : k => v if local.create_role }

  role       = aws_iam_role.this[0].name
  policy_arn = each.value
}

# Per-data-source statements; each block is emitted only when its data source is enabled.
# Intended to follow the permissions AWS documents for workspace roles:
# https://docs.aws.amazon.com/grafana/latest/userguide/AMG-manage-permissions.html
data "aws_iam_policy_document" "this" {
  count = local.create_account_policy ? 1 : 0

  # CloudWatch - read-only metric discovery and retrieval
  # NOTE(review): most of these read APIs do not support resource-level scoping, hence "*" - confirm
  dynamic "statement" {
    for_each = contains(var.data_sources, "CLOUDWATCH") ? [1] : []

    content {
      sid = "AllowReadingMetricsFromCloudWatch"
      actions = [
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricData",
      ]
      resources = ["*"]
    }
  }

  # CloudWatch Logs - read-only; query start/stop/result retrieval for Logs Insights
  dynamic "statement" {
    for_each = contains(var.data_sources, "CLOUDWATCH") ? [1] : []

    content {
      sid = "AllowReadingLogsFromCloudWatch"
      actions = [
        "logs:DescribeLogGroups",
        "logs:GetLogGroupFields",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:GetQueryResults",
        "logs:GetLogEvents",
      ]
      resources = ["*"]
    }
  }

  # EC2 describe calls, also gated on the CloudWatch data source
  dynamic "statement" {
    for_each = contains(var.data_sources, "CLOUDWATCH") ?
[1] : []

    content {
      sid = "AllowReadingTagsInstancesRegionsFromEC2"
      # Read-only; presumably used to resolve instance names/tags and regions in CloudWatch queries
      actions = [
        "ec2:DescribeTags",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
      ]
      resources = ["*"]
    }
  }

  # Resource Groups Tagging API, read-only
  dynamic "statement" {
    for_each = contains(var.data_sources, "CLOUDWATCH") ? [1] : []

    content {
      sid = "AllowReadingResourcesForTags"
      actions = [
        "tag:GetResources",
      ]
      resources = ["*"]
    }
  }

  # OpenSearch - domain discovery and HTTP GET against any domain in the account
  dynamic "statement" {
    for_each = contains(var.data_sources, "AMAZON_OPENSEARCH_SERVICE") ? [1] : []

    content {
      actions = [
        "es:ESHttpGet",
        "es:DescribeElasticsearchDomains",
        "es:ListDomainNames",
      ]
      resources = ["*"]
    }
  }

  # OpenSearch - HTTP POST is restricted to the multi-search and PPL query paths,
  # not the whole domain, so the role cannot write documents
  dynamic "statement" {
    for_each = contains(var.data_sources, "AMAZON_OPENSEARCH_SERVICE") ? [1] : []

    content {
      actions = [
        "es:ESHttpPost",
      ]
      resources = [
        "arn:${data.aws_partition.current.partition}:es:*:*:domain/*/_msearch*",
        "arn:${data.aws_partition.current.partition}:es:*:*:domain/*/_opendistro/_ppl",
      ]
    }
  }

  # Prometheus - read-only query access to Amazon Managed Prometheus workspaces
  dynamic "statement" {
    for_each = contains(var.data_sources, "PROMETHEUS") ? [1] : []

    content {
      actions = [
        "aps:ListWorkspaces",
        "aps:DescribeWorkspace",
        "aps:QueryMetrics",
        "aps:GetLabels",
        "aps:GetSeries",
        "aps:GetMetricMetadata",
      ]
      resources = ["*"]
    }
  }

  # Prometheus alerts - opt-in via `enable_alerts` because it grants Alertmanager
  # write actions (silences) on top of the read-only set above
  # https://docs.aws.amazon.com/prometheus/latest/userguide/integrating-grafana.html
  dynamic "statement" {
    for_each = contains(var.data_sources, "PROMETHEUS") && var.enable_alerts ?
[1] : []

    content {
      # Put/Delete on silences are write actions - the reason this block is opt-in
      actions = [
        "aps:ListRules",
        "aps:ListAlertManagerSilences",
        "aps:ListAlertManagerAlerts",
        "aps:GetAlertManagerStatus",
        "aps:ListAlertManagerAlertGroups",
        "aps:PutAlertManagerSilences",
        "aps:DeleteAlertManagerSilence"
      ]
      resources = ["*"]
    }
  }

  # SNS Notification - gated on `notification_destinations`, not on `data_sources`
  dynamic "statement" {
    for_each = contains(var.notification_destinations, "SNS") ? [1] : []

    content {
      actions = [
        "sns:Publish",
      ]
      # Publishing is limited to topics in this account (any region) whose name starts with "grafana"
      resources = ["arn:${data.aws_partition.current.partition}:sns:*:${data.aws_caller_identity.current.account_id}:grafana*"]
    }
  }
}

resource "aws_iam_policy" "this" {
  # Only created when a contributing data source / destination is enabled, so the
  # policy document is not empty
  count = local.create_account_policy && local.create_custom_policy ? 1 : 0

  name_prefix = "${local.iam_role_name}-"
  # Reuses the role's description and path so the policy sits alongside its role
  description = var.iam_role_description
  path        = var.iam_role_path
  policy      = data.aws_iam_policy_document.this[0].json

  tags = var.tags
}

locals {
  # Candidate attachments for the workspace role: the generated policy plus the AWS
  # managed policies for data sources that have one. `attach` decides whether each is used.
  policies_to_attach = {
    this = {
      # null until/unless the generated policy exists
      arn    = try(aws_iam_policy.this[0].arn, null)
      attach = local.create_custom_policy
    }
    sitewise = {
      arn    = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSIoTSiteWiseReadOnlyAccess"
      attach = contains(var.data_sources, "SITEWISE")
    }
    redshift = {
      arn    = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonGrafanaRedshiftAccess"
      attach = contains(var.data_sources, "REDSHIFT")
    }
    athena = {
      arn    = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonGrafanaAthenaAccess"
      attach = contains(var.data_sources, "ATHENA")
    }
    timestream = {
      arn    = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonTimestreamReadOnlyAccess"
      attach = contains(var.data_sources, "TIMESTREAM")
    }
    xray = {
      arn =
"arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSXrayReadOnlyAccess" 361 | attach = contains(var.data_sources, "XRAY") 362 | } 363 | } 364 | } 365 | 366 | resource "aws_iam_role_policy_attachment" "this" { 367 | for_each = { for k, v in local.policies_to_attach : k => v if local.create_account_policy && v.attach } 368 | 369 | role = aws_iam_role.this[0].name 370 | policy_arn = each.value.arn 371 | } 372 | 373 | ################################################################################ 374 | # Workspace SAML Configuration 375 | ################################################################################ 376 | 377 | resource "aws_grafana_workspace_saml_configuration" "this" { 378 | count = var.create && var.create_saml_configuration && contains(var.authentication_providers, "SAML") ? 1 : 0 379 | 380 | admin_role_values = var.saml_admin_role_values 381 | allowed_organizations = var.saml_allowed_organizations 382 | editor_role_values = var.saml_editor_role_values 383 | email_assertion = var.saml_email_assertion 384 | groups_assertion = var.saml_groups_assertion 385 | idp_metadata_url = var.saml_idp_metadata_url 386 | idp_metadata_xml = var.saml_idp_metadata_xml 387 | login_assertion = var.saml_login_assertion 388 | login_validity_duration = var.saml_login_validity_duration 389 | name_assertion = var.saml_name_assertion 390 | org_assertion = var.saml_org_assertion 391 | role_assertion = var.saml_role_assertion 392 | workspace_id = local.workspace_id 393 | } 394 | 395 | ################################################################################ 396 | # License Association 397 | ################################################################################ 398 | 399 | resource "aws_grafana_license_association" "this" { 400 | count = var.create && var.associate_license ? 
1 : 0 401 | 402 | grafana_token = var.grafana_token 403 | license_type = var.license_type 404 | workspace_id = local.workspace_id 405 | } 406 | 407 | ################################################################################ 408 | # Role Association 409 | ################################################################################ 410 | 411 | resource "aws_grafana_role_association" "this" { 412 | for_each = { for k, v in var.role_associations : k => v if var.create } 413 | 414 | group_ids = try(each.value.group_ids, null) 415 | role = try(each.value.role, each.key) 416 | user_ids = try(each.value.user_ids, null) 417 | workspace_id = local.workspace_id 418 | } 419 | -------------------------------------------------------------------------------- /outputs.tf: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # Workspace 3 | ################################################################################ 4 | 5 | output "workspace_arn" { 6 | description = "The Amazon Resource Name (ARN) of the Grafana workspace" 7 | value = try(aws_grafana_workspace.this[0].arn, null) 8 | } 9 | 10 | output "workspace_id" { 11 | description = "The ID of the Grafana workspace" 12 | value = try(aws_grafana_workspace.this[0].id, null) 13 | } 14 | 15 | output "workspace_endpoint" { 16 | description = "The endpoint of the Grafana workspace" 17 | value = try(aws_grafana_workspace.this[0].endpoint, null) 18 | } 19 | 20 | output "workspace_grafana_version" { 21 | description = "The version of Grafana running on the workspace" 22 | value = try(aws_grafana_workspace.this[0].grafana_version, null) 23 | } 24 | 25 | ################################################################################ 26 | # Workspace API Key 27 | ################################################################################ 28 | 29 | output "workspace_api_keys" { 30 | description = "The 
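workspace API keys created including their attributes"
  value       = aws_grafana_workspace_api_key.this
  # Each API key object carries its bearer secret (`key`); mark the whole map sensitive
  # so it is redacted from plan/apply output and consuming root modules must opt in
  # explicitly, matching how the example root module treats this output
  sensitive = true
}

################################################################################
# Workspace Service Account
################################################################################

output "workspace_service_accounts" {
  description = "The workspace service accounts created including their attributes"
  value       = aws_grafana_workspace_service_account.this
}

output "workspace_service_account_tokens" {
  description = "The workspace service account tokens created including their attributes"
  value       = aws_grafana_workspace_service_account_token.this
  # Token objects carry the secret `key`; same handling as `workspace_api_keys`
  sensitive = true
}

################################################################################
# Workspace IAM Role
################################################################################

output "workspace_iam_role_name" {
  description = "IAM role name of the Grafana workspace"
  value       = try(aws_iam_role.this[0].name, null)
}

output "workspace_iam_role_arn" {
  description = "IAM role ARN of the Grafana workspace"
  value       = try(aws_iam_role.this[0].arn, null)
}

output "workspace_iam_role_unique_id" {
  description = "Stable and unique string identifying the IAM role"
  value       = try(aws_iam_role.this[0].unique_id, null)
}

################################################################################
# Workspace IAM Policy
################################################################################

output "workspace_iam_role_policy_arn" {
  description = "IAM Policy ARN of the Grafana workspace IAM role"
  value       = try(aws_iam_policy.this[0].arn, null)
}

output "workspace_iam_role_policy_name" {
  description = "IAM Policy name of the Grafana workspace IAM role"
  value       = try(aws_iam_policy.this[0].name, null)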
79 | } 80 | 81 | output "workspace_iam_role_policy_id" { 82 | description = "Stable and unique string identifying the IAM Policy" 83 | value = try(aws_iam_policy.this[0].policy_id, null) 84 | } 85 | 86 | ################################################################################ 87 | # Workspace SAML Configuration 88 | ################################################################################ 89 | 90 | output "saml_configuration_status" { 91 | description = "Status of the SAML configuration" 92 | value = try(aws_grafana_workspace_saml_configuration.this[0].status, null) 93 | } 94 | 95 | ################################################################################ 96 | # License Association 97 | ################################################################################ 98 | 99 | output "license_free_trial_expiration" { 100 | description = "If `license_type` is set to `ENTERPRISE_FREE_TRIAL`, this is the expiration date of the free trial" 101 | value = try(aws_grafana_license_association.this[0].free_trial_expiration, null) 102 | } 103 | 104 | output "license_expiration" { 105 | description = "If `license_type` is set to `ENTERPRISE`, this is the expiration date of the enterprise license" 106 | value = try(aws_grafana_license_association.this[0].license_expiration, null) 107 | } 108 | 109 | ################################################################################ 110 | # Security Group 111 | ################################################################################ 112 | 113 | output "security_group_arn" { 114 | description = "Amazon Resource Name (ARN) of the security group" 115 | value = try(aws_security_group.this[0].arn, null) 116 | } 117 | 118 | output "security_group_id" { 119 | description = "ID of the security group" 120 | value = try(aws_security_group.this[0].id, null) 121 | } 122 | -------------------------------------------------------------------------------- /variables.tf: 
-------------------------------------------------------------------------------- 1 | variable "create" { 2 | description = "Determines whether a resources will be created" 3 | type = bool 4 | default = true 5 | } 6 | 7 | variable "tags" { 8 | description = "A map of tags to add to all resources" 9 | type = map(string) 10 | default = {} 11 | } 12 | 13 | ################################################################################ 14 | # Workspace 15 | ################################################################################ 16 | 17 | variable "create_workspace" { 18 | description = "Determines whether a workspace will be created or to use an existing workspace" 19 | type = bool 20 | default = true 21 | } 22 | 23 | variable "workspace_id" { 24 | description = "The ID of an existing workspace to use when `create_workspace` is `false`" 25 | type = string 26 | default = "" 27 | } 28 | 29 | variable "account_access_type" { 30 | description = "The type of account access for the workspace. Valid values are `CURRENT_ACCOUNT` and `ORGANIZATION`" 31 | type = string 32 | default = "CURRENT_ACCOUNT" 33 | } 34 | 35 | variable "authentication_providers" { 36 | description = "The authentication providers for the workspace. Valid values are `AWS_SSO`, `SAML`, or both" 37 | type = list(string) 38 | default = ["AWS_SSO"] 39 | } 40 | 41 | variable "configuration" { 42 | description = "The configuration string for the workspace" 43 | type = string 44 | default = null 45 | } 46 | 47 | variable "data_sources" { 48 | description = "The data sources for the workspace. 
Valid values are `AMAZON_OPENSEARCH_SERVICE`, `ATHENA`, `CLOUDWATCH`, `PROMETHEUS`, `REDSHIFT`, `SITEWISE`, `TIMESTREAM`, `XRAY`" 49 | type = list(string) 50 | default = [] 51 | } 52 | 53 | variable "description" { 54 | description = "The workspace description" 55 | type = string 56 | default = null 57 | } 58 | 59 | variable "grafana_version" { 60 | description = "Specifies the version of Grafana to support in the new workspace. If not specified, the default version for the `aws_grafana_workspace` resource will be used. See `aws_grafana_workspace` documentation for available options." 61 | type = string 62 | default = null 63 | } 64 | 65 | variable "name" { 66 | description = "The Grafana workspace name" 67 | type = string 68 | default = null 69 | } 70 | 71 | variable "network_access_control" { 72 | description = "Configuration for network access to your workspace" 73 | type = any 74 | default = {} 75 | } 76 | 77 | variable "notification_destinations" { 78 | description = "The notification destinations. If a data source is specified here, Amazon Managed Grafana will create IAM roles and permissions needed to use these destinations. Must be set to `SNS`" 79 | type = list(string) 80 | default = [] 81 | } 82 | 83 | variable "organization_role_name" { 84 | description = "The role name that the workspace uses to access resources through Amazon Organizations" 85 | type = string 86 | default = null 87 | } 88 | 89 | variable "organizational_units" { 90 | description = "The Amazon Organizations organizational units that the workspace is authorized to use data sources from" 91 | type = list(string) 92 | default = [] 93 | } 94 | 95 | variable "permission_type" { 96 | description = "The permission type of the workspace. If `SERVICE_MANAGED` is specified, the IAM roles and IAM policy attachments are generated automatically. 
If `CUSTOMER_MANAGED` is specified, the IAM roles and IAM policy attachments will not be created" 97 | type = string 98 | default = "SERVICE_MANAGED" 99 | } 100 | 101 | variable "stack_set_name" { 102 | description = "The AWS CloudFormation stack set name that provisions IAM roles to be used by the workspace" 103 | type = string 104 | default = null 105 | } 106 | 107 | variable "vpc_configuration" { 108 | description = "The configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to" 109 | type = any 110 | default = {} 111 | } 112 | 113 | ################################################################################ 114 | # Workspace IAM Role 115 | ################################################################################ 116 | 117 | variable "create_iam_role" { 118 | description = "Determines whether a an IAM role is created or to use an existing IAM role" 119 | type = bool 120 | default = true 121 | } 122 | 123 | variable "iam_role_arn" { 124 | description = "Existing IAM role ARN for the workspace. 
Required if `create_iam_role` is set to `false`" 125 | type = string 126 | default = null 127 | } 128 | 129 | variable "iam_role_name" { 130 | description = "Name to use on workspace IAM role created" 131 | type = string 132 | default = null 133 | } 134 | 135 | variable "use_iam_role_name_prefix" { 136 | description = "Determines whether the IAM role name (`wokspace_iam_role_name`) is used as a prefix" 137 | type = bool 138 | default = true 139 | } 140 | 141 | variable "iam_role_description" { 142 | description = "The description of the workspace IAM role" 143 | type = string 144 | default = null 145 | } 146 | 147 | variable "iam_role_path" { 148 | description = "Workspace IAM role path" 149 | type = string 150 | default = null 151 | } 152 | 153 | variable "iam_role_force_detach_policies" { 154 | description = "Determines whether the workspace IAM role policies will be forced to detach" 155 | type = bool 156 | default = true 157 | } 158 | 159 | variable "iam_role_max_session_duration" { 160 | description = "Maximum session duration (in seconds) that you want to set for the IAM role" 161 | type = number 162 | default = null 163 | } 164 | 165 | variable "iam_role_permissions_boundary" { 166 | description = "ARN of the policy that is used to set the permissions boundary for the IAM role" 167 | type = string 168 | default = null 169 | } 170 | 171 | variable "iam_role_policy_arns" { 172 | description = "List of ARNs of IAM policies to attach to the workspace IAM role" 173 | type = list(string) 174 | default = [] 175 | } 176 | 177 | variable "iam_role_tags" { 178 | description = "A map of additional tags to add to the IAM role created" 179 | type = map(string) 180 | default = {} 181 | } 182 | 183 | variable "enable_alerts" { 184 | description = "Determines whether IAM permissions for alerting are enabled for the workspace IAM role" 185 | type = bool 186 | default = false 187 | } 188 | 189 | ################################################################################ 
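# Workspace API Key
################################################################################

variable "workspace_api_keys" {
  description = "Map of workspace API key definitions to create"
  type        = any
  default     = {}
}

################################################################################
# Workspace Service Account
################################################################################

variable "workspace_service_accounts" {
  description = "Map of workspace service account definitions to create"
  type        = any
  default     = {}
}

variable "workspace_service_account_tokens" {
  description = "Map of workspace service account tokens to create"
  type        = any
  default     = {}
}

################################################################################
# Workspace SAML Configuration
################################################################################

variable "create_saml_configuration" {
  description = "Determines whether the SAML configuration will be created"
  type        = bool
  default     = true
}

variable "saml_admin_role_values" {
  description = "SAML authentication admin role values"
  type        = list(string)
  default     = []
}

variable "saml_allowed_organizations" {
  description = "SAML authentication allowed organizations"
  type        = list(string)
  default     = []
}

variable "saml_editor_role_values" {
  description = "SAML authentication editor role values"
  type        = list(string)
  default     = []
}

variable "saml_email_assertion" {
  description = "SAML authentication email assertion"
  type        = string
  default     = null
}

variable "saml_groups_assertion" {
  description = "SAML authentication groups assertion"
  type        = string
  default     = null
}

# The IdP metadata may be supplied as a URL or inline XML, not both.
variable "saml_idp_metadata_url" {
  description = "SAML authentication IDP Metadata URL. Note that exactly one of `saml_idp_metadata_url` or `saml_idp_metadata_xml` must be provided"
  type        = string
  default     = null
}

variable "saml_idp_metadata_xml" {
  description = "SAML authentication IDP Metadata XML. Note that exactly one of `saml_idp_metadata_url` or `saml_idp_metadata_xml` must be provided"
  type        = string
  default     = null
}

variable "saml_login_assertion" {
  description = "SAML authentication login assertion"
  type        = string
  default     = null
}

variable "saml_login_validity_duration" {
  description = "SAML authentication login validity duration"
  type        = number
  default     = null
}

variable "saml_name_assertion" {
  description = "SAML authentication name assertion"
  type        = string
  default     = null
}

variable "saml_org_assertion" {
  description = "SAML authentication org assertion"
  type        = string
  default     = null
}

variable "saml_role_assertion" {
  description = "SAML authentication role assertion"
  type        = string
  default     = null
}

################################################################################
# License Association
################################################################################

variable "associate_license" {
  description = "Determines whether a license will be associated with the workspace"
  type        = bool
  default     = true
}

variable "license_type" {
  description = "The type of license for the workspace license association. Valid values are `ENTERPRISE` and `ENTERPRISE_FREE_TRIAL`"
  type        = string
  default     = "ENTERPRISE"

  # Reject values outside the documented set at plan time rather than at the API.
  validation {
    condition     = contains(["ENTERPRISE", "ENTERPRISE_FREE_TRIAL"], var.license_type)
    error_message = "license_type must be one of `ENTERPRISE` or `ENTERPRISE_FREE_TRIAL`."
  }
}

# This is a credential: marking it sensitive keeps it out of plan/apply output
# (it is still stored in state, so protect the state backend accordingly).
variable "grafana_token" {
  description = "A token from Grafana Labs that ties your AWS account with a Grafana Labs account"
  type        = string
  default     = null
  sensitive   = true
}

################################################################################
# Role Association
################################################################################

variable "role_associations" {
  description = "Map of maps to associate user/group IDs to a role. Map key can be used as the `role`"
  type        = any
  default     = {}
}

################################################################################
# Security Group
################################################################################

variable "create_security_group" {
  description = "Determines if a security group is created"
  type        = bool
  default     = true
}

variable "security_group_name" {
  description = "Name to use on security group created"
  type        = string
  default     = null
}

variable "security_group_use_name_prefix" {
  description = "Determines whether the security group name (`security_group_name`) is used as a prefix"
  type        = bool
  default     = true
}

variable "security_group_description" {
  description = "Description of the security group created"
  type        = string
  default     = null
}

variable "security_group_rules" {
  description = "Security group rules to add to the security group created"
  type        = any
  default     = {}
}

variable "security_group_tags" {
  description = "A map of additional tags to add to the security group created"
  type        = map(string)
  default     = {}
}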
--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
# Version constraints for this module. Both are lower bounds only: nothing here
# pins an upper bound on the AWS provider, so a future provider major release
# would be accepted unless the caller constrains it.
terraform {
  required_version = ">= 1.0"

  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = ">= 5.63"
    }
  }
}
--------------------------------------------------------------------------------
