Skip to content

liatrio/aws-managed-services

Repository files navigation

aws-managed-services

Contains AWS managed services.

AMG Private VPC Connectivity

To set up AMG to work with a VPC you must provide the vpc_private_subnets and vpc_security_group_ids inputs. This will set up the outbound VPC connections.

If you want to restrict traffic to AMG we need to set up Network Access Controls. You can provide a prefix list via the nac_prefix_list_ids input and you must provide the vpc endpoint via the vpc_endpoint_ids input.

If you do not provide the nac_configuration then AMG will be open to the internet and can be publicly accessed through the URL generated by the workspace.

When you set up NAC the VPC endpoint URL will not have a route to the public URL that the Grafana workspace provides, so you will need to establish that route yourself in some way. Below are some possible solutions you could implement:

  • Add the VPCE IP addresses and public url to your hosts file.

    Example:

    .grafana-workspace..amazonaws.com

    The IP address is the subnet associated with the VPCE. You can find it by navigating to the VPC dashboard, selecting Endpoints and opening your VPC endpoint. The URL is the Public URL provided by the Grafana workspace when created. You can find it by navigating to Amazon Managed Grafana, clicking on workspace, and selecting your grafana workspace.

  • Implement a reverse proxy inside the VPC that will redirect to the public url.

    NOTE: This is an assumption as we have not tested it.

  • Have DNS infrastructure resolve to the VPCE DNS instead of the public. Route 53 Resolver endpoints and forwarding rule

    NOTE: This is an assumption as we have not tested it.

Terraform Documentation

Requirements

Name Version
terraform >= 1.1.0
aws >= 5.7.0
awscc >= 0.24.0

Providers

Name Version
aws >= 5.7.0

Modules

Name Source Version
managed_grafana github.com/liatrio/terraform-aws-managed-service-grafana.git n/a
managed_prometheus terraform-aws-modules/managed-service-prometheus/aws n/a

Resources

Name Type
aws_cloudwatch_log_group.amp_log_group resource
aws_iam_role.amp_iam_role resource
aws_iam_role_policy.amp_role_policy resource
aws_iam_role_policy.grafana_xray_policy resource
aws_route53_record.s3_alias resource
aws_route53_zone.private resource
aws_s3_bucket.amg_bucket resource
aws_s3_bucket_public_access_block.amg_bucket resource
aws_s3_bucket_website_configuration.amg_bucket_website resource
aws_grafana_workspace.this data source
aws_region.current data source

Inputs

Name Description Type Default Required
account_access_type The account access type. string "CURRENT_ACCOUNT" no
alert_manager_config The contents of the alarm rules file. string `" alertmanager_config: \n route:\n receiver: 'default'\n receivers:\n - name: 'default'\n"`
amg_redirect_hostname The hostname to which the S3 bucket will redirect requests string "" no
amp_create_workspace Specifies if the AMP workspace has to be created or not bool true no
amp_workspace_id If 'amp_create_workspace' is set to 'false' then a workspace has to be supplied. string "" no
amp_ws_alias The alias of the AMP workspace string "observability-amp-workspace" no
authentication_providers List containing the methods used to authenticate. list(any) n/a yes
aws_cloudwatch_log_group_retention_in_days The retention period of the CloudWatch log group in days number 60 no
aws_region AWS Region string "us-east-1" no
aws_route53_zone_tags value of the private hosted zone tags map(string) {} no
create Determines whether a resources will be created bool true no
create_amp_iam_role Whether to create the AMP IAM role or not. 1 per account is needed. bool true no
create_dashboard_folder Boolean flag to enable Amazon Managed Grafana folder and dashboards bool true no
create_iam_role Determines whether a an IAM role is created or to use an existing IAM role bool true no
create_prometheus_data_source Boolean flag to enable Amazon Managed Grafana datasource bool true no
create_redirect Whether to create a redirect from the S3 bucket to the workspace or not bool false no
create_saml_configuration Flag to indicate whether or not to create a SAML configuratino in Grafana Workspace. string false no
create_workspace Determines whether a workspace will be created or to use an existing workspace bool true no
data_sources List of data sources to create in the workspace list(string)
[
"CLOUDWATCH",
"PROMETHEUS",
"XRAY"
]
no
enable_alertmanager Creates Amazon Managed Service for Prometheus AlertManager for all workloads bool false no
enable_managed_prometheus Creates a new Amazon Managed Service for Prometheus Workspace bool true no
environment Environment name string n/a yes
generate_metadata_url Boolean on whether or not to generate the metadata url bool false no
iam_role_arn Existing IAM role ARN for the workspace. Required if create_iam_role is set to false string null no
iam_role_name The name of the IAM Role to create or associate with string "aws-observability-workspace-iam-role" no
idp_url_with_postfix The FQDN of the IDP metadata URL with a postfix as needed to generate the metadata IDP url. Works for Ping string "" no
logging_configuration Map that contains the logging configuration for prometheus. map(string) {} no
managed_grafana_workspace_id Amazon Managed Grafana Workspace ID string "" no
managed_prometheus_workspace_id Amazon Managed Service for Prometheus Workspace ID string "" no
managed_prometheus_workspace_region Region where Amazon Managed Service for Prometheus is deployed string null no
nac_configuration The configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to any {} no
name The name of the deployment string "aws-o11y-managed-services" no
route53_hosted_zone_name value of the private hosted zone name string "" no
s3_website_endpoint_zone_ids S3 website endpoint zone IDs by region map(string)
{
"us-east-1": "Z3AQBSTGFYJSTF",
"us-west-1": "Z2F56UZL2M1ACD",
"us-west-2": "Z3BJ6K6RIION7M"
}
no
saml_admin_role_values Name of the admin role value. list(any) [] no
saml_editor_role_values Name of the editor role value. list(any) [] no
saml_email_assertion Name of the saml email used for assertion. string "" no
saml_groups_assertion Name of the saml groups used for assertion. string "" no
saml_idp_metadata_url IDP Meta data url. string "" no
saml_login_assertion Method of login used for assertion. string "" no
saml_name_assertion Display name for SAML. string "" no
saml_org_assertion Name of the org used for assertion. string "" no
saml_role_assertion Name of the role used for assertion. string "" no
tags Additional tags (e.g. map('BusinessUnit,XYZ) map(string)
{
"GithubOrg": "aws-observability",
"GithubRepo": "terraform-aws-observability-accelerator"
}
no
use_iam_role_name_prefix Whether or not to use a prefix on the IAM Role name bool true no
vpc_configuration The configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to any {} no
vpc_ids List of VPC IDs list(string) [] no

Outputs

Name Description
amg_route53_alias value for the route53 alias, which contains the bucket name, hosted zone id and amg fqdn
aws_region AWS Region
create The creatae flag that gets passed to the module.
create_workspace The create_workspace flag that gets passed to the module.
managed_grafana_workspace_endpoint Amazon Managed Grafana workspace endpoint
managed_grafana_workspace_id Amazon Managed Grafana workspace ID
managed_prometheus_workspace_endpoint Amazon Managed Prometheus workspace endpoint
managed_prometheus_workspace_id Amazon Managed Prometheus workspace ID