aws / amazon-managed-grafana-roadmap

Amazon Managed Grafana Roadmap

automated api keys #11

Open AndyMoore opened 2 years ago

AndyMoore commented 2 years ago

Hi Team,

I'd really like to get a one-stop configuration of Grafana with the ability to set up dashboards and datasources as part of the provisioning. Looking at https://aws-observability.github.io/aws-o11y-recipes/recipes/amg-automation-tf/ I can see there's an intermediate step of adding an API key before I can set things up. This key would have a maximum life of 30 days, so any changes (manual or via a pipeline) would need intervention. The key would also need to be stored somewhere for its lifespan.

It'd be great if a key could be created/returned via the AWS API, which would enable further provisioning. The key would preferably be long-lived, but in theory, if it was stored and rotated, it would be fine as long as any tools retrieve the latest key before running.

Thanks in advance

Andy

mhausenblas commented 2 years ago

@AndyMoore thanks a lot, understood and certainly something we're planning to support.

mhausenblas commented 2 years ago

@AndyMoore did you see https://docs.aws.amazon.com/grafana/latest/APIReference/API_CreateWorkspaceApiKey.html already?

AndyMoore commented 2 years ago

I did. I haven't had a chance to test it yet, but will do soon.

Thanks

devalibvr commented 1 year ago

Hi - any update on this?

jacobwoffenden commented 5 months ago

FWIW I'd originally tried to force rotation of aws_grafana_workspace_api_key using:

```hcl
locals {
  expiration_days    = 30
  expiration_seconds = 60 * 60 * 24 * local.expiration_days
}

# Yields a new timestamp every expiration_days; the time_static copy pins that
# value so it can be used as the replacement trigger below.
resource "time_rotating" "rotate" {
  rotation_days = local.expiration_days
}

resource "time_static" "rotate" {
  rfc3339 = time_rotating.rotate.rfc3339
}

resource "aws_grafana_workspace_api_key" "automation_key" {
  workspace_id = module.managed_grafana.workspace_id

  key_name        = "automation"
  key_role        = "ADMIN"
  seconds_to_live = local.expiration_seconds # 30 days, the maximum lifetime

  # Force a brand-new key whenever the rotation timestamp changes
  lifecycle {
    replace_triggered_by = [
      time_static.rotate
    ]
  }
}
```

But we ran into an issue when the key expired: the plan was blocked, because we had used the output key to instantiate the Grafana provider (https://github.com/ministryofjustice/observability-platform/issues/16).

As a result, we've just written a small Lambda function to rotate the API key once a week, upload it to Secrets Manager, and then read it back to instantiate the Grafana provider: https://github.com/ministryofjustice/modernisation-platform-environments/pull/4512
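The rotate-then-publish pattern described in the comment above, written out as an added example. This is not the MoJ Lambda linked in that comment and not code from this repository: a scheduled Lambda creates a replacement key with CreateWorkspaceApiKey, writes it to Secrets Manager, and only then deletes the previous key, so anything that reads the secret before running (a pipeline, a Terraform grafana provider) never holds an expired or revoked key. The boto3 operations named are real; the environment variable names, the secret's JSON layout, the workspace id, the `automation-<timestamp>` naming scheme and the in-memory fake clients used by `demo()` are assumptions made for the example.

```python
# Added example for this thread (not the MoJ Lambda linked above, nor code from this repo).
# Real boto3 operations used: CreateWorkspaceApiKey, DeleteWorkspaceApiKey, GetSecretValue,
# PutSecretValue. Env var names, secret layout, ids and the fake clients are assumptions.
import json
import os
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 7
# The API caps secondsToLive at 30 days. Give each key twice the rotation period so a
# late or failed run does not leave consumers holding an expired key.
KEY_TTL_SECONDS = 2 * ROTATION_DAYS * 24 * 60 * 60


def rotate_key(grafana, secretsmanager, workspace_id, secret_id, key_role="ADMIN", now=None):
    """Create a fresh key, publish it, then retire the previous one. Returns the secret payload."""
    now = now or datetime.now(timezone.utc)
    previous_name = _current_key_name(secretsmanager, secret_id)
    # Stamp each key with its creation time so the new name never collides with the old one.
    new_name = f"automation-{now:%Y%m%dT%H%M%SZ}"
    created = grafana.create_workspace_api_key(
        keyName=new_name, keyRole=key_role, secondsToLive=KEY_TTL_SECONDS, workspaceId=workspace_id
    )
    payload = {
        "key_name": created["keyName"],
        "key": created["key"],
        "expires_at": (now + timedelta(seconds=KEY_TTL_SECONDS)).isoformat(),
    }
    # Publish first: from here on, anyone reading the secret gets a working key.
    secretsmanager.put_secret_value(SecretId=secret_id, SecretString=json.dumps(payload))
    # Only then revoke the old key, so there is never a window with no valid key.
    if previous_name and previous_name != new_name:
        grafana.delete_workspace_api_key(keyName=previous_name, workspaceId=workspace_id)
    return payload


def _current_key_name(secretsmanager, secret_id):
    try:
        current = secretsmanager.get_secret_value(SecretId=secret_id)
    except secretsmanager.exceptions.ResourceNotFoundException:
        return None  # first rotation: nothing to retire
    return json.loads(current["SecretString"]).get("key_name")


def lambda_handler(event, context):
    """Scheduled (EventBridge) entry point; clients are built here so rotate_key stays testable."""
    import boto3  # assumption: present in the Lambda runtime

    new = rotate_key(
        boto3.client("grafana"),
        boto3.client("secretsmanager"),
        workspace_id=os.environ["GRAFANA_WORKSPACE_ID"],
        secret_id=os.environ["GRAFANA_KEY_SECRET_ID"],
    )
    return {"key_name": new["key_name"]}  # never return or log the key material itself


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client (just enough for rotate_key)."""
    class exceptions:
        ResourceNotFoundException = type("ResourceNotFoundException", (Exception,), {})

    def __init__(self):
        self.values = {}

    def get_secret_value(self, SecretId):
        if SecretId not in self.values:
            raise self.exceptions.ResourceNotFoundException(SecretId)
        return {"SecretString": self.values[SecretId]}

    def put_secret_value(self, SecretId, SecretString):
        self.values[SecretId] = SecretString


class FakeGrafana:
    """Constructed stand-in for boto3's grafana client; models the 30-day TTL cap and unique names."""
    def __init__(self):
        self.keys = {}

    def create_workspace_api_key(self, keyName, keyRole, secondsToLive, workspaceId):
        if not 0 < secondsToLive <= 30 * 86400 or keyName in self.keys:
            raise ValueError("invalid secondsToLive or duplicate keyName")
        self.keys[keyName] = f"fake-token-{keyName}"  # constructed, not a real Grafana token
        return {"key": self.keys[keyName], "keyName": keyName, "workspaceId": workspaceId}

    def delete_workspace_api_key(self, keyName, workspaceId):
        del self.keys[keyName]


def demo():
    """Two weekly rotations against the fakes; returns the new key name and live keys after each."""
    grafana, secrets = FakeGrafana(), FakeSecretsManager()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    first = rotate_key(grafana, secrets, "g-0123456789", "grafana/automation-key", now=t0)
    live_after_first = sorted(grafana.keys)
    second = rotate_key(grafana, secrets, "g-0123456789", "grafana/automation-key",
                        now=t0 + timedelta(days=ROTATION_DAYS))
    return first["key_name"], live_after_first, second["key_name"], sorted(grafana.keys)
```

Two points worth checking before deploying something like this. The Lambda's role needs `grafana:CreateWorkspaceApiKey`, `grafana:DeleteWorkspaceApiKey`, `secretsmanager:GetSecretValue` and `secretsmanager:PutSecretValue`, and because the stored key is ADMIN-role, the secret's resource policy should be limited to the pipeline role that consumes it. On the Terraform side, configuring the grafana provider from an `aws_secretsmanager_secret_version` data source rather than from the `aws_grafana_workspace_api_key` resource is what removes the expired-key deadlock described above: the provider's credential no longer depends on a resource in the same state that may itself need replacing.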