Create an Amazon Managed Grafana workspace using Terraform

In this note, I describe the steps to provision a new Amazon Managed Grafana (AMG) workspace using the AWS Terraform provider.

Grafana is an open-source observability tool for visualizing data. Once connected to supported data sources, it provides charts, graphs, and alerting through a web UI.
Per the AWS docs, AMG is a fully managed and secure data visualization service that you can use to instantly query, correlate, and visualize operational metrics, logs, and traces from multiple data sources. AMG also takes care of deploying, operating, and scaling Grafana for you.

A pre-requisite to creating an Amazon Managed Grafana workspace (with IAM Identity Center as the authentication provider, as used here) is to enable AWS Organizations in your AWS account, because IAM Identity Center itself requires an organization. You may read about that here: knowledge-center-get-started-organizations.

Note: Terraform needs AWS credentials to provision and manage resources. In this setup it reads the IAM user's access_key and secret_key from secret variables in an Azure DevOps Library variable group at pipeline run time. I have the procedure detailed in this post: manage-secure-variables-with-azure-devops-library-and-azure-pipelines. Keep in mind that these are long-lived static credentials: restrict the IAM user to the minimum permissions the stack needs (see the pre-requisite below) and rotate the keys.

If you want the code repository handy as you walk through the steps, here’s the link to my GitHub repo:  aws_managed_grafana_workspace_dashboard. You will have to navigate to the amg_workspace folder for the code on AMG workspace.

Pre-requisite:
Create an AWS IAM user who can manage the resources this Terraform stack provisions, and store that user's access_key and secret_key in the Azure DevOps Library. If you want a tight, least-privilege IAM permission policy rather than a broad one, I have that in the repository: aws-iam-policy.json. It covers only the Grafana and IAM resources this stack creates. The IAM permission policy for managing the Terraform state file in an S3 bucket is here: aws-iam-tf-statefile-policy.json. Attach both policies to the IAM user whose credentials are stored in the Azure DevOps Library.

Creating and accessing an Amazon Managed Grafana workspace has five steps.
Step 1: Create an Identity Center user
Before you create a user, you will need to enable IAM Identity Center in your AWS account. Search for the service in the console; if it is not yet enabled, you will be greeted with the prompt shown below. Click the Enable button.
[Screenshot: IAM Identity Center "Enable" prompt]
Once enabled, you may create an IAM Identity Center user by navigating to Users in the left-hand panel and clicking "Add User."
[Screenshot: IAM Identity Center Users page with the "Add User" button]
I provided the information below and proceeded with creating the user.
[Screenshot: "Add user" form with username, email and name fields]
On confirmation, I received the username, a one-time password, and a link to the AWS access portal. I saved this information, which I will need in step 5.
After successful creation I could see the user on the portal. I then clicked on the username and saved the associated User ID. Terraform needs this value in step 4 below.
[Screenshot: user details page showing the User ID]
At an enterprise level, technical architects can select a separate identity provider (for example an external SAML or SCIM-connected directory). In my case, however, I proceeded with the built-in IAM Identity Center directory. Here is a link to the AWS docs if you are new to IAM Identity Center.
Note: Can Terraform help in provisioning an IAM Identity Center user? I have yet to try that.
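As an added example (not from the post or its repository, and not something the author tried), the user from Step 1 can be created with the AWS provider's aws_identitystore_user resource, which also exposes the User ID that Step 4 needs, so it no longer has to be copied from the console. The resource and attribute names are the provider's; the user name, e-mail and display name are placeholders you would replace.

```hcl
# Added example: create the Identity Center user with Terraform instead of the console.
# Assumes IAM Identity Center is already enabled in this account (Step 1 of the post)
# and the provider is configured for the region where Identity Center lives.

# Look up the Identity Center instance to get its identity store ID.
data "aws_ssoadmin_instances" "this" {}

locals {
  # identity_store_ids is a set; there is exactly one instance per account.
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

resource "aws_identitystore_user" "grafana_admin" {
  identity_store_id = local.identity_store_id

  user_name    = "grafana-admin"              # placeholder: login name
  display_name = "Grafana Admin"              # placeholder

  name {
    given_name  = "Grafana"                   # placeholder
    family_name = "Admin"                     # placeholder
  }

  emails {
    value   = "grafana-admin@example.com"     # placeholder
    primary = true
  }
}

# This is the value the post saves manually in Step 1 and feeds to
# aws_grafana_role_association.user_ids in Step 4.
output "grafana_admin_user_id" {
  value = aws_identitystore_user.grafana_admin.user_id
}
```

Caveat: creating the user through the Identity Store API does not set a password or send the invitation e-mail that the console's "Add user" flow does, so the one-time password for Step 5 still has to be issued from the console (or the user invited via the "Reset password" / e-mail verification action) before they can log in.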

Step 2: Manage access for Amazon Managed Grafana workspace
An Amazon Managed Grafana workspace hosts one or more dashboards that display data. In my case, the data source for the dashboard was Amazon CloudWatch, so I created an IAM role that the Grafana workspace could assume to read that data, and attached a permissions policy to the role. If you have worked with IAM roles, you know that an IAM role carries two policies: the trust (assume-role) policy, which says who can assume the role, and the permissions policy, which says what can be done to which resources (in my case, reading Amazon CloudWatch logs and metrics).
[Screenshot: Terraform code for the aws_iam_role with its assume-role (trust) policy]
The above code states that only the Amazon Managed Grafana service (the grafana.amazonaws.com service principal) can assume the tf-grafana-assume IAM role. Then I created an IAM policy that allowed read access to Amazon CloudWatch logs and metrics.
[Screenshot: Terraform code for the aws_iam_policy granting CloudWatch read access]
And finally, I attached the policy with the desired permissions to the role that the Amazon Managed Grafana workspace can assume.
[Screenshot: Terraform code for the aws_iam_role_policy_attachment]
Step 3: Create an Amazon Managed Grafana workspace
You will create an Amazon Managed Grafana workspace once and rarely update it afterwards, so creating it manually via the AWS console would also be acceptable. However, having worked with Terraform and coming from a DevOps background, I automate as much as possible. I used the aws provider to provision an aws_grafana_workspace resource, where I specified the workspace name, the authentication provider, the IAM role the workspace assumes, and a few other required settings.
[Screenshot: Terraform code for the aws_grafana_workspace resource]
Step 4: Grant access to the Amazon Managed Grafana workspace
In this step, I associated the user created in step 1 with the workspace created in step 3 using an aws_grafana_role_association resource.
[Screenshot: Terraform code for the aws_grafana_role_association resource]
The user_ids value is the User ID I saved in step 1 above.
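Here, as an added example that is not the post's own code (the post shows its Terraform in screenshots), is a complete stack covering steps 2 through 4: the assumable role with its trust policy, the CloudWatch read-only permissions, the workspace, and the ADMIN association. The role name tf-grafana-assume is the one the post uses; the policy name, workspace name, variable name and region are assumptions. The trust policy additionally pins aws:SourceAccount and aws:SourceArn, which the post's screenshot does not show; without them any AMG workspace in any account could in principle be pointed at this role (the cross-service confused-deputy problem).

```hcl
# Added example: Terraform for steps 2-4 of the post. Assumes the AWS provider
# is authenticated (here via the keys held in the Azure DevOps Library).
provider "aws" {
  region = "us-east-1" # assumption: region of the workspace
}

# User ID of the Identity Center user saved in step 1 (assumed variable name;
# supply it with TF_VAR_grafana_admin_user_id or a .tfvars file).
variable "grafana_admin_user_id" {
  description = "IAM Identity Center User ID to grant ADMIN on the workspace"
  type        = string
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Step 2a: trust policy. Only the Grafana service principal may assume the role,
# and only on behalf of a workspace in this account and region.
data "aws_iam_policy_document" "grafana_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["grafana.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:grafana:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:/workspaces/*"]
    }
  }
}

resource "aws_iam_role" "grafana" {
  name               = "tf-grafana-assume" # role name used in the post
  assume_role_policy = data.aws_iam_policy_document.grafana_trust.json
}

# Step 2b: read-only CloudWatch metrics and logs permissions (no write actions).
data "aws_iam_policy_document" "grafana_cloudwatch_read" {
  statement {
    sid = "CloudWatchMetricsRead"
    actions = [
      "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:DescribeAlarmHistory",
      "cloudwatch:DescribeAlarms", "cloudwatch:ListMetrics",
      "cloudwatch:GetMetricData", "cloudwatch:GetInsightRuleReport",
    ]
    resources = ["*"] # these metric APIs do not support resource-level scoping
  }
  statement {
    sid = "CloudWatchLogsRead"
    actions = [
      "logs:DescribeLogGroups", "logs:GetLogGroupFields", "logs:StartQuery",
      "logs:StopQuery", "logs:GetQueryResults", "logs:GetLogEvents",
    ]
    resources = ["*"] # assumption: narrow to specific log-group ARNs in production
  }
  statement {
    sid       = "ResourceDiscoveryForTemplateVariables"
    actions   = ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions", "tag:GetResources"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "grafana_cloudwatch_read" {
  name   = "tf-grafana-cloudwatch-read" # assumed name
  policy = data.aws_iam_policy_document.grafana_cloudwatch_read.json
}

# Step 2c: attach the permissions policy to the assumable role.
resource "aws_iam_role_policy_attachment" "grafana_cloudwatch_read" {
  role       = aws_iam_role.grafana.name
  policy_arn = aws_iam_policy.grafana_cloudwatch_read.arn
}

# Step 3: the workspace, authenticating users through IAM Identity Center.
resource "aws_grafana_workspace" "this" {
  name                     = "tf-amg-workspace" # assumed name
  account_access_type      = "CURRENT_ACCOUNT"
  authentication_providers = ["AWS_SSO"]
  permission_type          = "CUSTOMER_MANAGED" # we manage the role's policies ourselves
  role_arn                 = aws_iam_role.grafana.arn
  data_sources             = ["CLOUDWATCH"]
}

# Step 4: grant the Identity Center user from step 1 the ADMIN role in Grafana.
resource "aws_grafana_role_association" "admin" {
  role         = "ADMIN"
  user_ids     = [var.grafana_admin_user_id]
  workspace_id = aws_grafana_workspace.this.id
}

# The URL used to log in during step 5.
output "grafana_endpoint" {
  value = aws_grafana_workspace.this.endpoint
}
```

permission_type = "CUSTOMER_MANAGED" is chosen because the post writes and attaches its own policy; with SERVICE_MANAGED, AMG would manage the role's policies for the selected data sources itself. After `terraform apply`, the ADMIN association can be checked with `aws grafana list-permissions --workspace-id <id>`.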

The Terraform stack and the pipeline that deploys the amg-grafana-stack are in the same GitHub repository linked above, under the amg_workspace folder. Note that you will have to tweak backend.tf, since the state-file configuration (S3 bucket and key) is specific to my use case.

After the CI build ran successfully, I verified on the AWS console that Terraform had created the Amazon Managed Grafana workspace and associated the correct user with the ADMIN role.
[Screenshot: AMG console showing the workspace and the user with the ADMIN role]

Step 5: Log in to the AMG workspace
I used the Grafana workspace URL shown on the Workspaces page and the credentials saved in step 1 to log in to the AMG workspace, and I was greeted with the familiar home page of an Amazon Managed Grafana workspace.
[Screenshot: Grafana home page of the AMG workspace]
The login prompt may ask you to change your password if you are still using the one-time password.

I could see the buttons on the left-hand side to create and manage dashboards, access, and data source configurations. If the gear (Configuration) icon were missing, that would mean the user does not have Admin permission in the workspace.

And that brings us to the end of this note. Let me know if you have any questions or suggestions. Creating the Identity Center user via Terraform would improve the process. If you know how to do that, please share it with me.
