From 198df066040c6c2c0f51cbcc07d274624e8dd692 Mon Sep 17 00:00:00 2001
From: Rodrigue Koffi
Date: Thu, 9 May 2024 12:21:26 +0200
Subject: [PATCH 1/3] Update documentation for v10
---
docs/eks/index.md | 40 ++++++++++++++++++++++++++++------------
1 file changed, 28 insertions(+), 12 deletions(-)
diff --git a/docs/eks/index.md b/docs/eks/index.md
index f1f03079..60741ffd 100644
--- a/docs/eks/index.md
+++ b/docs/eks/index.md
@@ -83,23 +83,39 @@ To create a new workspace, visit [our supporting example for Grafana](https://aw
 export TF_VAR_managed_grafana_workspace_id=g-xxx
 ```
-#### 6. Grafana API Key
+#### 6. Grafana authentication
-Amazon Managed Grafana provides a control plane API for generating Grafana API keys.
-As a security best practice, we will provide to Terraform a short lived API key to
+Grafana Service Accounts and Service Account Tokens have been introduced in
+Amazon Managed Grafana v9.4, which definitely replaces Grafana API Keys in v10.4.
+Amazon Managed Grafana provides two control plane APIs to automate their creation.
+If you are still using a workspace in Grafana v8.4, you can use a Grafana API Key.
+
+As a security best practice, we will provide to Terraform a short lived token to
 run the `apply` or `destroy` command.
-Ensure you have necessary IAM permissions (`CreateWorkspaceApiKey, DeleteWorkspaceApiKey`)
+Ensure you have necessary IAM permissions
+(`CreateWorkspaceServiceAccount, CreateWorkspaceServiceAccountToken, DeleteWorkspaceServiceAccounts, DeleteWorkspaceServiceAccountToken`)
+for Service Accounts and (`CreateWorkspaceApiKey, DeleteWorkspaceApiKey`) for Grafana API key.
-!!! note
- Starting version v2.5.x and above, we use Grafana Operator and External Secrets to
- manage Grafana contents. Your API Key will be stored securely on AWS SSM Parameter Store
- and the Grafana Operator will use it to sync dashboards, folders and data sources.
- Read more [here](https://aws-observability.github.io/terraform-aws-observability-accelerator/concepts/).
+=== "v10.4 & v9.4 workspaces"
-```bash
-export TF_VAR_grafana_api_key=`aws grafana create-workspace-api-key --key-name "observability-accelerator-$(date +%s)" --key-role ADMIN --seconds-to-live 7200 --workspace-id $TF_VAR_managed_grafana_workspace_id --query key --output text`
-```
+ ```console
+ # skip this command if you already have a service token
+ GRAFANA_SA_ID=$(aws grafana create-workspace-service-account --workspace-id $TF_VAR_managed_grafana_workspace_id --grafana-role ADMIN --name terraform-accelerator-eks --query 'id' --output text)
+
+ # creates a new token for running Terraform
+ export TF_VAR_grafana_api_key=`aws grafana create-workspace-service-account-token --workspace-id $TF_VAR_managed_grafana_workspace_id --name --key-name "observability-accelerator-$(date +%s)" --seconds-to-live 7200 --service-account-id $GRAFANA_SA_ID --query 'serviceAccountToken.key' --output text`
+ ```
+
+=== "v8.4 workspaces"
+
+ ```bash
+ export TF_VAR_grafana_api_key=`aws grafana create-workspace-api-key --key-name "observability-accelerator-$(date +%s)" --key-role ADMIN --seconds-to-live 7200 --workspace-id $TF_VAR_managed_grafana_workspace_id --query key --output text`
+ ```
+
+!!! note
+ The `grafana_api_key` variable accepts both Grafana API key or a service
+ account token
 ## Deploy
From 3f26a9e6d0fbb34cfe64ca2886fae3600793052a Mon Sep 17 00:00:00 2001
From: Rodrigue Koffi
Date: Thu, 16 May 2024 13:10:00 +0200
Subject: [PATCH 2/3] Update SA command
---
docs/eks/index.md | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/docs/eks/index.md b/docs/eks/index.md
index 60741ffd..73a0c842 100644
--- a/docs/eks/index.md
+++ b/docs/eks/index.md
@@ -101,10 +101,21 @@ for Service Accounts and (`CreateWorkspaceApiKey, DeleteWorkspaceApiKey`) for Gr
 ```console
 # skip this command if you already have a service token
- GRAFANA_SA_ID=$(aws grafana create-workspace-service-account --workspace-id $TF_VAR_managed_grafana_workspace_id --grafana-role ADMIN --name terraform-accelerator-eks --query 'id' --output text)
+ GRAFANA_SA_ID=$(aws grafana create-workspace-service-account \
+ --workspace-id $TF_VAR_managed_grafana_workspace_id \
+ --grafana-role ADMIN \
+ --name terraform-accelerator-eks \
+ --query 'id' \
+ --output text)
 # creates a new token for running Terraform
- export TF_VAR_grafana_api_key=`aws grafana create-workspace-service-account-token --workspace-id $TF_VAR_managed_grafana_workspace_id --name --key-name "observability-accelerator-$(date +%s)" --seconds-to-live 7200 --service-account-id $GRAFANA_SA_ID --query 'serviceAccountToken.key' --output text`
+ export TF_VAR_grafana_api_key=$(aws grafana create-workspace-service-account-token \
+ --workspace-id $TF_VAR_managed_grafana_workspace_id \
+ --name "observability-accelerator-$(date +%s)" \
+ --seconds-to-live 7200 \
+ --service-account-id $GRAFANA_SA_ID \
+ --query 'serviceAccountToken.key' \
+ --output text)
 ```
 === "v8.4 workspaces"
From 95efbd91a51a9fa7a4d62de25c6b9a7d89530b71 Mon Sep 17 00:00:00 2001
From: Rodrigue Koffi
Date: Thu, 16 May 2024 23:13:55 +0200
Subject: [PATCH 3/3] Update doc
---
docs/eks/index.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/eks/index.md b/docs/eks/index.md
index 73a0c842..6d8ec20a 100644
--- a/docs/eks/index.md
+++ b/docs/eks/index.md
@@ -86,11 +86,11 @@ export TF_VAR_managed_grafana_workspace_id=g-xxx
 #### 6. Grafana authentication
 Grafana Service Accounts and Service Account Tokens have been introduced in
-Amazon Managed Grafana v9.4, which definitely replaces Grafana API Keys in v10.4.
-Amazon Managed Grafana provides two control plane APIs to automate their creation.
+Amazon Managed Grafana v9.4, which replaces Grafana API Keys in v10.4.
+Amazon Managed Grafana provides new control plane APIs to automate their creation.
 If you are still using a workspace in Grafana v8.4, you can use a Grafana API Key.
-As a security best practice, we will provide to Terraform a short lived token to
+As a security best practice, we will provide Terraform a short lived token to
 run the `apply` or `destroy` command.
 Ensure you have necessary IAM permissions