Terraform deployment of synthetic monitoring installation – which permissions are needed?

  • What Grafana version and what operating system are you using?

Grafana Cloud

  • What are you trying to achieve?

Initialize synthetic monitoring installation using Terraform. No human clicks should be required apart from creating the access policy token used by the Terraform Grafana provider.

  • How are you trying to achieve it?

This is the current attempt after having to fix outdated documentation of the Grafana provider, and collecting examples from some internet articles.

provider "grafana" {
  url           = "https://myslug.grafana.net/"
  auth          = var.grafana_service_account_token
  cloud_api_key = var.grafana_cloud_api_key_token
}

data "grafana_cloud_stack" "andidog" {
  slug = "myslug"
}

// ...

resource "grafana_cloud_access_policy" "sm_metrics_publish" {
  region       = "eu"
  name         = "terraform-managed-sm-metrics-publish"
  display_name = "terraform-managed-sm-metrics-publish"

  scopes = ["metrics:write"]

  realm {
    type       = "org"
    identifier = data.grafana_cloud_organization.myslug.id

    label_policy {
      selector = "{namespace=\"default\"}"
    }
  }
}

resource "grafana_cloud_access_policy_token" "sm_metrics_publish" {
  region           = "eu"
  access_policy_id = grafana_cloud_access_policy.sm_metrics_publish.policy_id
  name             = "terraform-managed-sm-metrics-publish-token"
  display_name     = "terraform-managed-sm-metrics-publish-token"
  expires_at       = "2024-09-28T00:00:00Z"
}

resource "grafana_synthetic_monitoring_installation" "sm_stack" {
  provider = grafana

  stack_id = data.grafana_cloud_stack.myslug.id

  metrics_publisher_key = grafana_cloud_access_policy_token.sm_metrics_publish.token
}
  • What happened?
╷
│ Error: registration install request: status="400 Bad Request", msg="cannot get information for grafana instance with ID [...snip...]", err="{"code":"Forbidden","message":"You do not have permission to perform the requested action."}"
│
│   with grafana_synthetic_monitoring_installation.sm_stack,
│   on providers.tf line 49, in resource "grafana_synthetic_monitoring_installation" "sm_stack":
│   49: resource "grafana_synthetic_monitoring_installation" "sm_stack" {
│
╵
  • What did you expect to happen?

terraform apply should succeed. I need documentation on which permissions are needed by the Terraform Grafana provider, specifically here for creating a synthetic monitoring installation. I scrolled through the scopes (permissions) of access policies but couldn’t figure out which one is missing. It would be very helpful if the error message denoted the missing permission instead of just “You do not have permission”.