
Grafana behind Google IAP

Open ruimoreira opened this issue 5 years ago • 2 comments

Hi there, we are running Grafana behind an identity-aware proxy and we were trying to use Terraform to manage the folders and dashboards; however, it seems like it's not supported.

Terraform Version

Terraform v0.12.29

Affected Resource(s)

grafana_folder grafana_dashboard

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "grafana_folder" "folder_name" {
  title      = "folder_name"
}

Expected Behavior

Folders and dashboards get created

Actual Behavior

Error: status: 401 Unauthorized body: Invalid IAP credentials: empty token

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Run grafana behind an identity-aware proxy
  2. terraform apply

Important Factoids

We are running grafana in GKE and it's currently protected by their Identity aware proxy. Grafana was provisioned using the helm chart at https://kubernetes-charts.storage.googleapis.com/

ruimoreira avatar Aug 12 '20 13:08 ruimoreira

Try setting the GRAFANA_AUTH env variable to the identity token. For example, using a service account:

export GRAFANA_AUTH="$(gcloud auth print-identity-token --impersonate-service-account=<service_account> --audiences=<iap_client_id> --include-email)"

parthmishra avatar Aug 23 '20 18:08 parthmishra

Thanks @parthmishra. This works if you have Grafana auth proxy enabled so that Grafana can share the same login account as IAP, but not when Grafana has its own auth.

AkarshSatija avatar Oct 07 '20 09:10 AkarshSatija

You can set the proxy authentication this way:

provider "grafana" {
  url  = "https://my-grafana.domain.com"
  auth = "admin:admin"
  http_headers = {
    "Proxy-Authorization": "<token>"
  }
}

You can use the external datasource to inject the token: https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source

But you can also pass the http headers as an envvar in json format: GRAFANA_HTTP_HEADERS

ref: https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_proxy-authorization_header

julienduchesne avatar Aug 28 '22 22:08 julienduchesne
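The two suggestions above (an identity token minted with gcloud, passed to the provider through GRAFANA_HTTP_HEADERS) combined into one wrapper, as an added example that is not part of any comment in this thread or of the provider's own code. IAP_CLIENT_ID, IAP_SERVICE_ACCOUNT and the function names are assumptions; GRAFANA_AUTH is expected to already hold Grafana's own credential.

```shell
#!/bin/sh
# Added example. IAP_CLIENT_ID / IAP_SERVICE_ACCOUNT are placeholder variable
# names; GRAFANA_AUTH must already carry Grafana's own credential.

# Accept only a three-segment base64url JWT. This rejects an empty token (the
# "empty token" 401 in this issue) and any gcloud error text, and guarantees
# the value needs no JSON escaping.
is_jwt() {
  case "$1" in
    ""|*[!A-Za-z0-9_.-]*) return 1 ;;   # empty, or a character outside base64url and "."
  esac
  case "$1" in
    .*|*.|*..*) return 1 ;;             # an empty segment
    *.*.*.*)    return 1 ;;             # more than three segments
    *.*.*)      return 0 ;;
  esac
  return 1
}

# Build the JSON object the provider reads from GRAFANA_HTTP_HEADERS.
# IAP expects "Bearer <id_token>" in Proxy-Authorization (see the ref above).
iap_headers_json() {
  is_jwt "$1" || { echo "refusing to use malformed IAP token" >&2; return 1; }
  printf '{"Proxy-Authorization":"Bearer %s"}' "$1"
}

# Mint a short-lived identity token whose audience is the IAP OAuth client.
mint_iap_token() {
  gcloud auth print-identity-token \
    --impersonate-service-account="$IAP_SERVICE_ACCOUNT" \
    --audiences="$IAP_CLIENT_ID" --include-email
}

# Run terraform with the header set only in the child process environment, so
# the token is never written to .tf files, tfvars or shell history.
tf_behind_iap() {
  iap_token=$(mint_iap_token) || return 1
  iap_headers=$(iap_headers_json "$iap_token") || return 1
  GRAFANA_HTTP_HEADERS="$iap_headers" terraform "$@"
}

# Usage, after sourcing this file:  tf_behind_iap plan
```

The token is short-lived, so the wrapper mints a fresh one on every run instead of caching it.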

Hate to comment on a closed issue but since this is the only result that shows up on Google....

Were you ever able to figure out how to do this? My Grafana sits behind IAP as well and I cannot figure out how to make terraform navigate that successfully so I can manage everything that way. Tried reading the comments here but I still don't quite understand what I'd need to do to make this work.

cloudmatt avatar Dec 24 '22 12:12 cloudmatt