Contains AWS managed services.
To set up AMG to work with a VPC you must provide the vpc_private_subnets and vpc_security_group_ids inputs. This will set up the outbound VPC connections.
If you want to restrict traffic to AMG we need to set up Network Access Controls. You can provide a prefix list via the nac_prefix_list_ids input and you must provide the vpc endpoint via the vpc_endpoint_ids input.
If you do not provide the nac_configuration then AMG will be open to the internet and can be publicly accessed through the URL generated by the workspace.
When you set up NAC the VPC endpoint URL will not have a route to the public URL that the Grafana workspace provides, so you will need to establish that route yourself in some way. Below are some possible solutions you could implement:
-
Add the VPCE IP addresses and public url to your hosts file.
Example:
.grafana-workspace..amazonaws.com
The IP address is the subnet associated with the VPCE. You can find it by navigating to the VPC dashboard, selecting Endpoints and opening your VPC endpoint.
The URL is the Public URL provided by the Grafana workspace when created. You can find it by navigating to Amazon Managed Grafana, clicking on workspace, and selecting your grafana workspace.
-
Implement a reverse proxy inside the VPC that will redirect to the public url.
NOTE: This is an assumption as we have not tested it.
-
Have DNS infrastructure resolve to the VPCE DNS instead of the public. Route 53 Resolver endpoints and forwarding rule
NOTE: This is an assumption as we have not tested it.
| Name | Version |
|---|---|
| terraform | >= 1.1.0 |
| aws | >= 5.7.0 |
| awscc | >= 0.24.0 |
| Name | Version |
|---|---|
| aws | >= 5.7.0 |
| Name | Source | Version |
|---|---|---|
| managed_grafana | github.com/liatrio/terraform-aws-managed-service-grafana.git | n/a |
| managed_prometheus | terraform-aws-modules/managed-service-prometheus/aws | n/a |
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.amp_log_group | resource |
| aws_iam_role.amp_iam_role | resource |
| aws_iam_role_policy.amp_role_policy | resource |
| aws_iam_role_policy.grafana_xray_policy | resource |
| aws_route53_record.s3_alias | resource |
| aws_route53_zone.private | resource |
| aws_s3_bucket.amg_bucket | resource |
| aws_s3_bucket_public_access_block.amg_bucket | resource |
| aws_s3_bucket_website_configuration.amg_bucket_website | resource |
| aws_grafana_workspace.this | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_access_type | The account access type. | string |
"CURRENT_ACCOUNT" |
no |
| alert_manager_config | The contents of the alarm rules file. | string |
`" alertmanager_config: | \n route:\n receiver: 'default'\n receivers:\n - name: 'default'\n"` |
| amg_redirect_hostname | The hostname to which the S3 bucket will redirect requests | string |
"" |
no |
| amp_create_workspace | Specifies if the AMP workspace has to be created or not | bool |
true |
no |
| amp_workspace_id | If 'amp_create_workspace' is set to 'false' then a workspace has to be supplied. | string |
"" |
no |
| amp_ws_alias | The alias of the AMP workspace | string |
"observability-amp-workspace" |
no |
| authentication_providers | List containing the methods used to authenticate. | list(any) |
n/a | yes |
| aws_cloudwatch_log_group_retention_in_days | The retention period of the CloudWatch log group in days | number |
60 |
no |
| aws_region | AWS Region | string |
"us-east-1" |
no |
| aws_route53_zone_tags | value of the private hosted zone tags | map(string) |
{} |
no |
| create | Determines whether a resources will be created | bool |
true |
no |
| create_amp_iam_role | Whether to create the AMP IAM role or not. 1 per account is needed. | bool |
true |
no |
| create_dashboard_folder | Boolean flag to enable Amazon Managed Grafana folder and dashboards | bool |
true |
no |
| create_iam_role | Determines whether a an IAM role is created or to use an existing IAM role | bool |
true |
no |
| create_prometheus_data_source | Boolean flag to enable Amazon Managed Grafana datasource | bool |
true |
no |
| create_redirect | Whether to create a redirect from the S3 bucket to the workspace or not | bool |
false |
no |
| create_saml_configuration | Flag to indicate whether or not to create a SAML configuratino in Grafana Workspace. | string |
false |
no |
| create_workspace | Determines whether a workspace will be created or to use an existing workspace | bool |
true |
no |
| data_sources | List of data sources to create in the workspace | list(string) |
[ |
no |
| enable_alertmanager | Creates Amazon Managed Service for Prometheus AlertManager for all workloads | bool |
false |
no |
| enable_managed_prometheus | Creates a new Amazon Managed Service for Prometheus Workspace | bool |
true |
no |
| environment | Environment name | string |
n/a | yes |
| generate_metadata_url | Boolean on whether or not to generate the metadata url | bool |
false |
no |
| iam_role_arn | Existing IAM role ARN for the workspace. Required if create_iam_role is set to false |
string |
null |
no |
| iam_role_name | The name of the IAM Role to create or associate with | string |
"aws-observability-workspace-iam-role" |
no |
| idp_url_with_postfix | The FQDN of the IDP metadata URL with a postfix as needed to generate the metadata IDP url. Works for Ping | string |
"" |
no |
| logging_configuration | Map that contains the logging configuration for prometheus. | map(string) |
{} |
no |
| managed_grafana_workspace_id | Amazon Managed Grafana Workspace ID | string |
"" |
no |
| managed_prometheus_workspace_id | Amazon Managed Service for Prometheus Workspace ID | string |
"" |
no |
| managed_prometheus_workspace_region | Region where Amazon Managed Service for Prometheus is deployed | string |
null |
no |
| nac_configuration | The configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to | any |
{} |
no |
| name | The name of the deployment | string |
"aws-o11y-managed-services" |
no |
| route53_hosted_zone_name | value of the private hosted zone name | string |
"" |
no |
| s3_website_endpoint_zone_ids | S3 website endpoint zone IDs by region | map(string) |
{ |
no |
| saml_admin_role_values | Name of the admin role value. | list(any) |
[] |
no |
| saml_editor_role_values | Name of the editor role value. | list(any) |
[] |
no |
| saml_email_assertion | Name of the saml email used for assertion. | string |
"" |
no |
| saml_groups_assertion | Name of the saml groups used for assertion. | string |
"" |
no |
| saml_idp_metadata_url | IDP Meta data url. | string |
"" |
no |
| saml_login_assertion | Method of login used for assertion. | string |
"" |
no |
| saml_name_assertion | Display name for SAML. | string |
"" |
no |
| saml_org_assertion | Name of the org used for assertion. | string |
"" |
no |
| saml_role_assertion | Name of the role used for assertion. | string |
"" |
no |
| tags | Additional tags (e.g. map('BusinessUnit,XYZ) |
map(string) |
{ |
no |
| use_iam_role_name_prefix | Whether or not to use a prefix on the IAM Role name | bool |
true |
no |
| vpc_configuration | The configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to | any |
{} |
no |
| vpc_ids | List of VPC IDs | list(string) |
[] |
no |
| Name | Description |
|---|---|
| amg_route53_alias | value for the route53 alias, which contains the bucket name, hosted zone id and amg fqdn |
| aws_region | AWS Region |
| create | The creatae flag that gets passed to the module. |
| create_workspace | The create_workspace flag that gets passed to the module. |
| managed_grafana_workspace_endpoint | Amazon Managed Grafana workspace endpoint |
| managed_grafana_workspace_id | Amazon Managed Grafana workspace ID |
| managed_prometheus_workspace_endpoint | Amazon Managed Prometheus workspace endpoint |
| managed_prometheus_workspace_id | Amazon Managed Prometheus workspace ID |