Jack Baldry 2004463405 [v10.0.x] Explicitly set all front matter labels in the source files (#71817)
Explicitly set all front matter labels in the source files (#71548)

* Set every page to have defaults of 'Enterprise' and 'Open source' labels
* Set administration pages to have 'Cloud', 'Enterprise', and 'Open source' labels
* Set administration/enterprise-licensing pages to have 'Enterprise' labels
* Set administration/organization-management pages to have 'Enterprise' and 'Open source' labels
* Set administration/provisioning pages to have 'Enterprise' and 'Open source' labels
* Set administration/recorded-queries pages to have labels cloud,enterprise
* Set administration/roles-and-permissions/access-control pages to have labels cloud,enterprise
* Set administration/stats-and-license pages to have labels cloud,enterprise
* Set alerting pages to have labels cloud,enterprise,oss
* Set breaking-changes pages to have labels cloud,enterprise,oss
* Set dashboards pages to have labels cloud,enterprise,oss
* Set datasources pages to have labels cloud,enterprise,oss
* Set explore pages to have labels cloud,enterprise,oss
* Set fundamentals pages to have labels cloud,enterprise,oss
* Set introduction/grafana-cloud pages to have labels cloud
* Fix introduction pages products
* Set panels-visualizations pages to have labels cloud,enterprise,oss
* Set release-notes pages to have labels cloud,enterprise,oss
* Set search pages to have labels cloud,enterprise,oss
* Set setup-grafana/configure-security/audit-grafana pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/configure-authentication pages to have labels cloud,enterprise,oss
* Set setup-grafana/configure-security/configure-authentication/enhanced-ldap pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/configure-authentication/saml pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/configure-database-encryption/encrypt-secrets-using-hashicorp-key-vault pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/configure-request-security pages to have labels cloud,enterprise,oss
* Set setup-grafana/configure-security/configure-team-sync pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/export-logs pages to have labels cloud,enterprise
* Set troubleshooting pages to have labels cloud,enterprise,oss
* Set whatsnew pages to have labels cloud,enterprise,oss
* Apply updated labels from review

---------

(cherry picked from commit 7eb17bccca)

Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
Co-authored-by: brendamuir <100768211+brendamuir@users.noreply.github.com>
Co-authored-by: Isabel <76437239+imatwawana@users.noreply.github.com>
2023-07-18 11:29:58 +01:00

---
aliases:
  - ../../../enterprise/access-control/rbac-provisioning/rbac-terraform-provisioning/
description: Learn about RBAC Terraform provisioning and view an example of provisioning configuration for Grafana roles and role assignments.
labels:
  products:
    - cloud
    - enterprise
menuTitle: Provisioning RBAC with Terraform
title: Provisioning RBAC with Terraform
weight: 60
---

Provisioning RBAC with Terraform

{{% admonition type="note" %}} Available in [Grafana Enterprise]({{< relref "../../../../introduction/grafana-enterprise/" >}}) and Grafana Cloud. {{% /admonition %}}

You can create, change, or remove custom roles, and create or remove basic and custom role assignments, by using Terraform's Grafana provider.

Before you begin

  • Ensure you have the grafana/grafana Terraform provider 1.29.0 or higher.

  • Ensure you are using Grafana 9.2 or higher.

Create a Service Account Token for provisioning

We recommend using service account tokens for provisioning. [Service accounts]({{< relref "../../../service-accounts/" >}}) support fine-grained permissions, which allow you to authenticate with only the minimum set of permissions needed to provision your RBAC infrastructure.

To create a service account token for provisioning, complete the following steps.

  1. [Create a new service account]({{< relref "../../../service-accounts/#create-a-service-account-in-grafana" >}}) for your CI pipeline.
  2. [Assign permissions to service account]({{< relref "../../../service-accounts/#assign-roles-to-a-service-account-in-grafana" >}}):
    • You will need the roles "Role reader" and "Role writer", plus roles that include any permissions that will be provisioned. For example, to create or assign a role that allows creating users, a service account needs permissions to create users.
    • Alternatively, you can assign the "Admin" basic role to the service account.
  3. [Create a new service account token]({{< relref "../../../service-accounts/#to-add-a-token-to-a-service-account" >}}) for use in Terraform.

Alternatively, you can use basic authentication. To view all the supported authentication formats, see here.

Configure the Terraform provider

RBAC support is included as part of the Grafana Terraform provider.

The following is an example you can use to configure the Terraform provider.

```terraform
terraform {
  required_providers {
    grafana = {
      source  = "grafana/grafana"
      version = ">= 1.29.0"
    }
  }
}

provider "grafana" {
  # Replace both placeholders with your own values.
  url  = "<YOUR_GRAFANA_URL>"
  auth = "<YOUR_GRAFANA_SERVICE_ACCOUNT_TOKEN>"
}
```

Provision custom roles

The following example shows how to provision a custom role with some permissions.

  1. Copy this code block into a .tf file on your local machine.

```terraform
resource "grafana_role" "my_new_role" {
  name        = "my_new_role"
  description = "My test role"
  version     = 1
  uid         = "newroleuid"
  global      = true

  # User management permissions, scoped to all users.
  permissions {
    action = "org.users:add"
    scope  = "users:*"
  }
  permissions {
    action = "org.users:write"
    scope  = "users:*"
  }
  permissions {
    action = "org.users:read"
    scope  = "users:*"
  }

  # Team management permissions. No scope is set for teams:create.
  permissions {
    action = "teams:create"
  }
  permissions {
    action = "teams:read"
    scope  = "teams:*"
  }
  permissions {
    action = "teams:write"
    scope  = "teams:*"
  }
}
```

  2. Run the command terraform apply.
  3. Go to Grafana's UI and check that the new role appears in the role picker.

Provision role assignments

The following example shows how to provision role assignments. In this example a team, user and service account are provisioned, and the custom role from the previous example is assigned to them.

  1. Extend the configuration file from the previous example with the following:

```terraform
resource "grafana_team" "test_team" {
  name = "terraform_test_team"
}

resource "grafana_user" "test_user" {
  email    = "terraform_user@test.com"
  login    = "terraform_test_user"
  password = "<TEST_PASSWORD>"
}

resource "grafana_service_account" "test_sa" {
  name = "terraform_test_sa"
  role = "Viewer"
}

# Assign the custom role from the previous example to the user, team and service account.
resource "grafana_role_assignment" "my_new_role_assignment" {
  role_uid         = grafana_role.my_new_role.uid
  users            = [grafana_user.test_user.id]
  teams            = [grafana_team.test_team.id]
  service_accounts = [grafana_service_account.test_sa.id]
}
```

  2. Substitute <TEST_PASSWORD> with a test password for your test user.

  3. Run the command terraform apply.

  4. Go to Grafana's UI and check that a user, team and service account have been created, and that the role has been assigned to them.

Note that instead of using a provisioned role, you can also look up the uid of an already existing fixed or custom role and use that instead. You can use the API endpoint for listing roles to look up role uids. Similarly, you can look up and use ids of users, teams and service accounts that have not been provisioned to assign roles to them.
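
The provider block and the grafana_user resource shown earlier take the service account token and the test password as literals. As an added example (not part of the Grafana documentation), the same two blocks can read them from input variables marked sensitive, so the secrets stay out of the .tf file and out of plan output. The variable names are assumptions made for this example, and these blocks replace the earlier provider and grafana_user blocks.

```terraform
# Added example: the variable names below are assumptions, not provider
# or Grafana identifiers.

variable "grafana_url" {
  type        = string
  description = "Base URL of the Grafana instance"

  validation {
    # Refuse plain HTTP so the token is never sent in cleartext.
    condition     = can(regex("^https://", var.grafana_url))
    error_message = "The grafana_url value must start with https://."
  }
}

variable "grafana_sa_token" {
  type        = string
  sensitive   = true # redacted in plan and apply output
  description = "Service account token used for provisioning"
}

variable "test_user_password" {
  type        = string
  sensitive   = true
  description = "Password for the provisioned test user"
}

provider "grafana" {
  url  = var.grafana_url
  auth = var.grafana_sa_token
}

resource "grafana_user" "test_user" {
  email    = "terraform_user@test.com"
  login    = "terraform_test_user"
  password = var.test_user_password
}
```

In CI, pass the values through the TF_VAR_grafana_sa_token and TF_VAR_test_user_password environment variables. The user password is still written to the Terraform state, so restrict access to the state backend accordingly.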

[RBAC setup with Grafana provisioning]({{< relref "./rbac-grafana-provisioning">}})

Grafana Cloud Terraform provisioning