Error: Missing required argument
│
│   on ..\..\modules\grafana\main.tf line 10, in resource "aws_grafana_workspace" "main":
│   10: network_access_control {
│
│ The argument "vpce_ids" is required, but no definition was found.
I am constantly hitting a: Error: creating Grafana Workspace: ValidationException: SSO is not enabled in any region. when creating a new AMG instance using the Terraform example shown below.
[x] I have searched the open/closed issues and my issue is not listed.
Is your request related to a problem? Please describe.
When trying to provision grafana using grafana provider I cannot do it in the same terraform run, the common provider issue of resource not being known at the creation time for provider to refresh state, or being deleted on a destroy which results in some resources being orphaned in the terraform state making it invalid.
Describe the solution you'd like.
Right now both prometheus workspace data type, and grafana workspace data type are being found by id. ID is not in the outputs. It would also be preferable to be able to find those by { Tag = Name } rather than just by the id which allows other terraform runs to get those without creating a file just to pass id in between or read it directly from terraform stat (sic!)
Except for being able to find a resource using data query by name it would also be preferable if grafana api keys would be in the attributes as well. Meaning other terraform run can get those statically in the provider definition.
Is your request related to a problem? Please describe.
No, it's not a problem, it's just that currently the module will always create a workspace with open public access, and I have to manually assign the vpc endpoint I have created to it.
Describe the solution you'd like.
I saw that the resource grafana_workspace can optionally accept network_access_control and I was wondering if this can be requested as a feature request to the managed_grafana_module to accept it optionally so that I can initialize the workspace with restricted access instead of manually changing it.
Describe alternatives you've considered.
I have tried only one alternative solution, and that is assigning a VPC endpoint manually to the grafana workspace after I create it with terraform with open access.
Additional context
I have been playing around with the module and I came to the use case where I want to create the workspace with a vpc endpoint so that upon creation it is in a private subnet behind a VPN.
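Added example, not part of the original issue or the module's code: one way a module could accept network_access_control optionally, so the workspace is restricted from creation instead of starting with open access. The variable names, the sample workspace name and the chosen authentication and permission settings are assumptions.

```hcl
# Hypothetical input: null keeps today's behaviour (no network restriction),
# an object restricts the workspace to the listed prefix lists / VPC endpoints.
variable "network_access_control" {
  description = "Optional network restriction for the Grafana workspace."
  type = object({
    prefix_list_ids = list(string)
    vpce_ids        = list(string)
  })
  default = null
}

# Hypothetical input: an existing IAM role for the workspace.
variable "workspace_role_arn" {
  type = string
}

resource "aws_grafana_workspace" "this" {
  name                     = "restricted-workspace" # constructed sample name
  account_access_type      = "CURRENT_ACCOUNT"
  authentication_providers = ["AWS_SSO"]
  permission_type          = "CUSTOMER_MANAGED"
  role_arn                 = var.workspace_role_arn

  # Emit the block only when the caller supplied a value. Both arguments are
  # required inside the block, which is why omitting vpce_ids fails planning.
  dynamic "network_access_control" {
    for_each = var.network_access_control == null ? [] : [var.network_access_control]
    content {
      prefix_list_ids = network_access_control.value.prefix_list_ids
      vpce_ids        = network_access_control.value.vpce_ids
    }
  }
}
```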
I ran into a few errors while trying to perform an initial standup using this module. I think there are components of the documentation that could be improved to better describe how the module should be used, especially so that users do not run into a dead-end and meaningless API response from AWS, which is another problem that should be resolved not in this repository.
Required name input
Problem Description
One of the inputs "name" or "stack_set_name" is actually required, and must match certain syntax. The code sets this as null by default, which I think is fine for distribution, but the documentation should mention that you need to create this value since not creating it will cause an error in Terraform during planning:
╷
│ Error: Error in function call
│
│   on .terraform/modules/managed-service-grafana/main.tf line 27, in resource "aws_grafana_workspace" "this":
│   27: stack_set_name = coalesce(var.stack_set_name, var.name)
│     ├────────────────
│     │ while calling coalesce(vals...)
│     │ var.name is null
│     │ var.stack_set_name is null
│
│ Call to function "coalesce" failed: no non-null, non-empty-string arguments.
When providing a value for "name", but with bad syntax (this one with spaces in the string), Terraform will plan correctly, but AWS will return a fairly useless error:
Reproduction Code [Required]
module "managed-service-grafana" {
  source            = "terraform-aws-modules/managed-service-grafana/aws"
  version           = "1.6.0"
  name              = "Company Name with spaces"
  data_sources      = ["PROMETHEUS"]
  iam_role_name     = "AMG"
  associate_license = false
}
Terminal Output
╷
│ Error: error updating Grafana Workspace (g-27f2e365af): BadRequestException:
│ status code: 400, request id: 96b32ea4-db72-4e9e-a8ad-c617d5a82a32
│
│   with module.managed-service-grafana.aws_grafana_workspace.this[0],
│   on .terraform/modules/managed-service-grafana/main.tf line 12, in resource "aws_grafana_workspace" "this":
│   12: resource "aws_grafana_workspace" "this" {
│
╵
Suggested fix
I agree with not calling these fields required, as either one or the other is required. The descriptions should instead be modified to indicate this:
README.md > Inputs > name > Description = "The Grafana workspace name. Required if stack_set_name is not provided. Valid special characters include "-", ".", "_", "~". Cannot contain non-ASCII characters or spaces. Max length of 255 characters."
variables.tf > variable "name" > description = "The Grafana workspace name. Required if stack_set_name is not provided. Valid special characters include "-", ".", "_", "~". Cannot contain non-ASCII characters or spaces. Max length of 255 characters."
README.md > Inputs > stack_set_name > Description = "The AWS CloudFormation stack set name that provisions IAM roles to be used by the workspace. Required if name is not provided. Valid special characters include "-", ".", "_", "~". Cannot contain non-ASCII characters or spaces. Max length of 255 characters."
variables.tf > variable "stack_set_name" > description = "The AWS CloudFormation stack set name that provisions IAM roles to be used by the workspace. Required if name is not provided. Valid special characters include "-", ".", "_", "~". Cannot contain non-ASCII characters or spaces. Max length of 255 characters."
I extracted the last 3 sentences from the setup process for AMG in the console, which I don't think every person who uses this module should have to visit in order to troubleshoot, so it would be ideal if it is in the descriptions for each input.
Unlicensed Grafana
Problem Description
Grafana is freely distributed, open source software, yet the configuration of this module as it's currently configured will error and fail to properly build the license_association resource. Easy enough to troubleshoot, but an unnecessary error for new users to encounter.
Reproduction Code [Required]
module "managed-service-grafana" {
  source        = "terraform-aws-modules/managed-service-grafana/aws"
  version       = "1.6.0"
  name          = "Company_Name_with_underscores"
  data_sources  = ["PROMETHEUS"]
  iam_role_name = "AMG"
}
Terminal Output
╷
│ Error: error creating Grafana License Association: ValidationException: Active marketplace agreement not found
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "a343e176-014d-4299-8cfb-ae275350eb0b"
│   },
│   Message_: "Active marketplace agreement not found"
│ }
│
│   with module.managed-service-grafana.aws_grafana_license_association.this[0],
│   on .terraform/modules/managed-service-grafana/main.tf line 293, in resource "aws_grafana_license_association" "this":
│   293: resource "aws_grafana_license_association" "this" {
│
Suggested fix
I recommend that the variable associate_license be set to false as a default so that the system will build regardless of whether the user has a license attached to the account. The user can easily add a new attribute to the module call which enables the license association if they have one.
Regardless of whether we agree on that point, I think more description should be added to this variable description to make clear how the variable should be used.
variables.tf > variable "associate_license" > description = "Determines whether a license will be associated with the workspace. Use false if you do not have an active enterprise license in the AWS Marketplace."
README.md > Inputs > associate_license > Description = "Determines whether a license will be associated with the workspace. Use false if you do not have an active enterprise license in the AWS Marketplace."
I have searched the open/closed issues and my issue is not listed.
⚠️ Note
Before you submit an issue, please perform the following first:
Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
Re-initialize the project root to pull down modules: terraform init
Re-attempt your terraform plan or apply and check if the issue still persists
N/A regarding cache, as I am suggesting documentation changes.
I describe the steps taken in each problem description above. Sorry for the strange formatting, I'd rather keep all of the details logically grouped.
Expected behavior
I describe the problem description in each problem description above. Sorry for the strange formatting, I'd rather keep all of the details logically grouped.
Actual behavior
I describe the symptom in each problem description above. Sorry for the strange formatting, I'd rather keep all of the details logically grouped.
Terminal Output Screenshot(s)
I provide the terminal output in each Terminal Output section above. Sorry for the strange formatting, I'd rather keep all of the details logically grouped.
Additional context
edit > added README entry to match var.associate_license
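Added example, not part of the original issue or the module's code: a caller-side validation that enforces the naming rules quoted in the issue above, so a bad name fails at plan time with a readable message instead of a bare BadRequestException at apply time. The wrapper variable name is hypothetical, and the pattern assumes ASCII letters and digits are allowed alongside the listed special characters.

```hcl
# Hypothetical wrapper variable that feeds the module's "name" input.
variable "grafana_workspace_name" {
  description = "Grafana workspace name passed to the module's name input."
  type        = string

  validation {
    # Assumption: ASCII letters and digits are valid, plus the special
    # characters the issue lists ("-", ".", "_", "~"). Spaces and non-ASCII
    # characters are rejected, and length is capped at 255.
    condition     = can(regex("^[A-Za-z0-9._~-]{1,255}$", var.grafana_workspace_name))
    error_message = "Name must be 1-255 ASCII characters: letters, digits, '-', '.', '_' or '~'. Spaces are not allowed."
  }
}

module "managed-service-grafana" {
  source  = "terraform-aws-modules/managed-service-grafana/aws"
  version = "1.6.0"

  name          = var.grafana_workspace_name
  data_sources  = ["PROMETHEUS"]
  iam_role_name = "AMG"

  # Set explicitly: the license association fails with
  # "Active marketplace agreement not found" on accounts without one.
  associate_license = false
}
```

With this in place, passing "Company Name with spaces" stops at terraform plan with the error_message text.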
With AWS Managed Grafana, you can choose between "Service Managed" or "Customer Managed" IAM permissions.
Either AWS creates IAM roles/policies for you or you supply your own.
Code logic improvement
Now, the code has conditional creation of IAM resources
description="The permission type of the workspace. If `SERVICE_MANAGED` is specified, the IAM roles and IAM policy attachments are generated automatically. If `CUSTOMER_MANAGED` is specified, the IAM roles and IAM policy attachments will not be created"
description="Determines whether a an IAM role is created or to use an existing IAM role"
type=bool
default=true
Defaults should either favor customer-managed or aws-managed creation. The business logic results in favoring customer-managed while the default of permission_type suggests differently.
Examples
The "complete" example is misleading, as it again has create_iam_role=true together with permission_type="SERVICE_MANAGED". While demonstrating all possible configurations, they still should make sense as some people copy blindly.
(Also the example in README has same flaw as it shows permission_type="SERVICE_MANAGED" together with create_iam_role=true from defaults.)
Yes: please list the AWS provider version which introduced this functionality
Current version
Is your request related to a problem? Please describe.
The aws_grafana_license_association defaults to ENTERPRISE. The enterprise licence has a large cost involved, I'm not sure if this will make the marketplace purchase but could inadvertently cause a cost spike.
If possible it would be great to have the option to disable the aws_grafana_license_association resource on its own.
Describe the solution you'd like.
Switch default from ENTERPRISE to ENTERPRISE_FREE_TRIAL and provide a variable to disable aws_grafana_license_association
Describe alternatives you've considered.
Will have to avoid using this module to not use the aws_grafana_license_association resource
Hi, I wonder is there a way to get an output of grafana api key or provision dashboards via json files while creating a grafana? Helm/Kubernetes created grafana has ways for it, but I cannot seem to find a way to do it via terraform with aws managed grafana. If there is no way to do it except for manual UI, then please do tell and sorry for bothering.
Error: Error attaching policy arn:aws:iam::aws:policy/AmazonGrafanaAthenaAccess to IAM Role. NoSuchEntity: Policy arn:aws:iam::aws:policy/AmazonGrafanaAthenaAccess does not exist or is not attachable. status code: 404
I have searched the open/closed issues and my issue is not listed.
The official resource docs for aws_grafana_workspace shows security_group_ids as an option:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace (VPC Configuration)
security_group_ids - (Required) - The list of Amazon EC2 security group IDs attached to the Amazon VPC for your Grafana workspace to connect.
subnet_ids - (Required) - The list of Amazon EC2 subnet IDs created in the Amazon VPC for your Grafana workspace to connect.
In the README example and the main.tf and the variables.tf there is no option or suggestion to use security_group_ids which appeared to indicate that adding existing security_group_ids to this module wasn't possible.
I've tested this by adding security_group_ids to the vpc_configuration block and it has successfully added my existing security groups to the workspace.
Feature request to add this to the README example or the inputs or main.tf to confirm this is available in the module.
This is required to upgrade workspace version: Specifies the version of Grafana to support in the new workspace. Supported values are 8.4 and 9.4. If not specified, defaults to 8.4. Upgrading the workspace version isn't supported, however it's possible to copy content from the old version to the new one using AWS official migration tool.