Support for azurerm_dashboard_grafana_api_key

[sebastianlolv]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Add support for creating Azure Managed Grafana API keys. This is already possible in Azure CLI.

New or Affected Resource(s)/Data Source(s)

azurerm_dashboard_grafana_api_key

Potential Terraform Configuration

resource "azurerm_dashboard_grafana" "example" {
  name                              = "example-dg"
  resource_group_name               = azurerm_resource_group.example.name
  location                          = "West Europe"
  api_key_enabled                   = true
  deterministic_outbound_ip_enabled = true
  public_network_access_enabled     = false

  identity {
    type = "SystemAssigned"
  }

  tags = {
    key = "value"
  }
}

resource "azurerm_dashboard_grafana_api_key" "example" {
  name           = "example-key"
  dashboard_name = azurerm_dashboard_grafana.name
}

References

https://learn.microsoft.com/en-us/cli/azure/grafana/api-key?view=azure-cli-latest#az-grafana-api-key-create

[jiaweitao001]

Hi @sebastianlolv , thanks for bringing this up. In my understanding this is not what a TF resource should do. A grafana API key is something generated by the grafana dashboard instead of an independent azurerm API. A TF resource should not be used to manipulate an existing resource. You can always use the portal or CLI to obtain the API key. Thanks.

[pszypowicz]

This is something which absolutely should be possible to do with TF.

https://learn.microsoft.com/en-us/azure/managed-grafana/how-to-api-calls?tabs=azure-cli

azurerm provider creates a grafana, we need to obtain the key to be able to initialise grafana provider.

[rdvansloten]

Hi @sebastianlolv , thanks for bringing this up. In my understanding this is not what a TF resource should do. A grafana API key is something generated by the grafana dashboard instead of an independent azurerm API. A TF resource should not be used to manipulate an existing resource. You can always use the portal or CLI to obtain the API key. Thanks.

The Grafana OSS provider for Terraform does literally that, though. https://registry.terraform.io/providers/grafana/grafana/latest/docs/resources/api_key

After a week of bumbling with the dashboard_grafana resource, I was actually considering posting this request also. (so thanks for that Sebastian)

Furthermore, there is no API key in the Portal for as far as I can see, and if it does exists, it is definitely not able to be queried from the dashboard_grafana resource:

---

the following Attributes are exported: id - The ID of the Dashboard Grafana. endpoint - The endpoint of the Grafana instance. grafana_version - The Grafana software version. identity - An identity block as defined below. outbound_ip - List of outbound IPs if deterministicOutboundIP is enabled.

---

Managed Grafana only allows Azure AD login. Right now, the way to integrate the Managed Grafana Instance into an automation where you also make dashboards is to use an SPN, run an .sh script to get an oauth token and pass that to the Grafana OSS provider. This is super undesirable and creates inconsistent results at random times (error 407 on some occasions)

So we have 2 options right now:

• Use sh scripts to get oauth tokens and hack an interactive login via the data.external resource
• Manually login to the newly created Grafana instance, create a key in the GUI, store it somewhere, then run separate pipelines that interact with Grafana.

It would help immensely if we had the resource @sebastianlolv describes, or alternatively if during creation the [api_key_enabled] setting is True, an API key would be generated as an output for use in automation.

[pszypowicz]

Small remark from my side: please do not provide api key as tag, but make it just as an argument, or output via attribute reference like @rdvansloten suggested.

[rdvansloten]

@jiaweitao001 Any progress on this issue or reconsideration on your side regarding the API key generation?

[jiaweitao001]

Hi @rdvansloten , thank you for the detailed follow up. I understand the need for Grafana API key for ops. We are a team which develops TF providers based on the APIs given by the real service providers. If the proper API was given, we will onboard it to TF and it can be used to obtain the key. However, the corresponding API is not provided by the service team, we are limited by the API specs. I'll try to pass this feature request to the service provider and see if they can help on it. Thanks!

[jiaweitao001]

Hi guys, I've come up with a work around that may help getting the API key. We can leverage hashicorp's offical http provider to make a POST request like this in the official doc. Here's my TF code snippet.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "3.46.0"
    }
    http = {
      source = "hashicorp/http"
      version = "3.4.0"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "http" {}

variable "tenant_id" {
  type = string
}

variable "client_secret" {
  type = string
}

variable "client_id" {
  type = string
}

resource "azurerm_resource_group" "test" {
  name = "example-rg"
  location = "West Europe"
}

resource "azurerm_dashboard_grafana" "test" {
  name = "exampledashboard"
  resource_group_name = azurerm_resource_group.test.name
  location = azurerm_resource_group.test.location
  api_key_enabled = true
  deterministic_outbound_ip_enabled = true
  public_network_access_enabled = false

  identity {
    type = "SystemAssigned"
  }

  tags = {
    key = "value"
  }
}

data "http" "api_key" {
  url = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/token"

  method = "POST"
  request_headers = {
    Content-Type = "application/x-www-form-urlencoded"
  }
  request_body = "grant_type=client_credentials&client_id=${var.client_id}&client_secret=${var.client_secret}" 
}

output "key" {
  value = data.http.api_key.response_body
}

Hope it helps. Thanks!

[Ardemium]

Is there any progress on this issue?

[AiRev-SebastianBienert]

Hi guys, was there any progress on this topic?