Update docs for Service accounts and Grafana v10 #273

Merged
merged 3 commits into from
May 17, 2024
51 changes: 39 additions & 12 deletions docs/eks/index.md
Expand Up @@ -83,23 +83,50 @@ To create a new workspace, visit [our supporting example for Grafana](https://aw
export TF_VAR_managed_grafana_workspace_id=g-xxx
```

#### 6. Grafana API Key
#### 6. Grafana authentication

Amazon Managed Grafana provides a control plane API for generating Grafana API keys.
As a security best practice, we will provide to Terraform a short lived API key to
Grafana Service Accounts and Service Account Tokens have been introduced in
Amazon Managed Grafana v9.4, which replaces Grafana API Keys in v10.4.
Amazon Managed Grafana provides new control plane APIs to automate their creation.
If you are still using a workspace in Grafana v8.4, you can use a Grafana API Key.

As a security best practice, we will provide Terraform a short lived token to
run the `apply` or `destroy` command.

Ensure you have necessary IAM permissions (`CreateWorkspaceApiKey, DeleteWorkspaceApiKey`)
Ensure you have necessary IAM permissions
(`CreateWorkspaceServiceAccount, CreateWorkspaceServiceAccountToken, DeleteWorkspaceServiceAccounts, DeleteWorkspaceServiceAccountToken`)
for Service Accounts and (`CreateWorkspaceApiKey, DeleteWorkspaceApiKey`) for Grafana API key.

=== "v10.4 & v9.4 workspaces"

```console
# skip this command if you already have a service token
GRAFANA_SA_ID=$(aws grafana create-workspace-service-account \
--workspace-id $TF_VAR_managed_grafana_workspace_id \
--grafana-role ADMIN \
--name terraform-accelerator-eks \
--query 'id' \
--output text)

# creates a new token for running Terraform
export TF_VAR_grafana_api_key=$(aws grafana create-workspace-service-account-token \
--workspace-id $TF_VAR_managed_grafana_workspace_id \
--name "observability-accelerator-$(date +%s)" \
--seconds-to-live 7200 \
--service-account-id $GRAFANA_SA_ID \
--query 'serviceAccountToken.key' \
--output text)
```

=== "v8.4 workspaces"

```bash
export TF_VAR_grafana_api_key=`aws grafana create-workspace-api-key --key-name "observability-accelerator-$(date +%s)" --key-role ADMIN --seconds-to-live 7200 --workspace-id $TF_VAR_managed_grafana_workspace_id --query key --output text`
```

!!! note
Starting version v2.5.x and above, we use Grafana Operator and External Secrets to
manage Grafana contents. Your API Key will be stored securely on AWS SSM Parameter Store
and the Grafana Operator will use it to sync dashboards, folders and data sources.
Read more [here](https://aws-observability.github.io/terraform-aws-observability-accelerator/concepts/).

```bash
export TF_VAR_grafana_api_key=`aws grafana create-workspace-api-key --key-name "observability-accelerator-$(date +%s)" --key-role ADMIN --seconds-to-live 7200 --workspace-id $TF_VAR_managed_grafana_workspace_id --query key --output text`
```
The `grafana_api_key` variable accepts both Grafana API key or a service
account token

## Deploy

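Review bot: The comment `# skip this command if you already have a service token` in the v10.4/v9.4 tab is misleading, because the command it annotates creates a service account, not a token, and the following `create-workspace-service-account-token` call depends on `GRAFANA_SA_ID`; a reader who skips the first command ends up with an unset variable and a failing token request. Reword it to say "skip this command if you already have a service account" and state that `GRAFANA_SA_ID` must then be set to the existing account's id. While here: the sentence "Service Accounts and Service Account Tokens have been introduced in Amazon Managed Grafana v9.4, which replaces Grafana API Keys in v10.4" reads as though v9.4 does the replacing; something like "introduced in v9.4 and replace API keys from v10.4 onward" is clearer. In the IAM list, `DeleteWorkspaceServiceAccounts` is pluralized while the other three actions are singular, so please verify that name against the actual IAM action. The ADMIN-role service account outlives the 7200-second token, and the docs grant the delete permissions but never show a cleanup step; a short "remove the service account when you are done" step would keep the least-privilege intent of the short-lived token. The `!!! note` block still says "Your API Key will be stored securely", although the closing sentence says `grafana_api_key` accepts a service account token as well, so the note should mention tokens too. Finally, the v8.4 tab uses a `bash` fence with backtick command substitution while the v10.4 tab uses `console` and `$(...)`; using one fence language and `$(...)` in both keeps the tabs consistent.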