Terraform deployment of synthetic monitoring installation – which permissions are needed?

  • What Grafana version and what operating system are you using?

Grafana Cloud

  • What are you trying to achieve?

Initialize synthetic monitoring installation using Terraform. No human clicks should be required apart from creating the access policy token used by the Terraform Grafana provider.

  • How are you trying to achieve it?

This is the current attempt after having to fix outdated documentation of the Grafana provider, and collecting examples from some internet articles.

provider "grafana" {
  url           = "https://myslug.grafana.net/"
  auth          = var.grafana_service_account_token   // stack-level service account token
  cloud_api_key = var.grafana_cloud_api_key_token     // Cloud access policy token
}

// Stack data source; its id is passed to the synthetic monitoring installation below.
data "grafana_cloud_stack" "myslug" {
  slug = "myslug"
}

// ...

resource "grafana_cloud_access_policy" "sm_metrics_publish" {
  region       = "eu"
  name         = "terraform-managed-sm-metrics-publish"
  display_name = "terraform-managed-sm-metrics-publish"

  scopes = ["metrics:write"]

  realm {
    type       = "org"
    identifier = data.grafana_cloud_organization.myslug.id

    label_policy {
      selector = "{namespace=\"default\"}"
    }
  }
}

resource "grafana_cloud_access_policy_token" "sm_metrics_publish" {
  region           = "eu"
  access_policy_id = grafana_cloud_access_policy.sm_metrics_publish.policy_id
  name             = "terraform-managed-sm-metrics-publish-token"
  display_name     = "terraform-managed-sm-metrics-publish-token"
  expires_at       = "2024-09-28T00:00:00Z"
}

resource "grafana_synthetic_monitoring_installation" "sm_stack" {
  provider = grafana

  stack_id = data.grafana_cloud_stack.myslug.id

  metrics_publisher_key = grafana_cloud_access_policy_token.sm_metrics_publish.token
}

  • What happened?
╷
│ Error: registration install request: status="400 Bad Request", msg="cannot get information for grafana instance with ID [...snip...]", err="{"code":"Forbidden","message":"You do not have permission to perform the requested action."}"
│
│   with grafana_synthetic_monitoring_installation.sm_stack,
│   on providers.tf line 49, in resource "grafana_synthetic_monitoring_installation" "sm_stack":
│   49: resource "grafana_synthetic_monitoring_installation" "sm_stack" {
│
╵
  • What did you expect to happen?

terraform apply should succeed. I need documentation on which permissions are needed by the Terraform Grafana provider, specifically here for creating a synthetic monitoring installation. I scrolled through the scopes (permissions) of access policies but couldn’t figure out which one is missing. It would be very helpful if the error message denoted the missing permission instead of just “You do not have permission”.

Hello,
in your access policy for synthetic monitoring to publish, you need to use these scopes:
scopes = ["api-keys-metrics-publisher:write", "stacks:read"]
As indicated in the error message thrown for the token, synthetic monitoring needs read access to the stack. On the plugin page, you have
the access needed: Synthetic Monitoring plugin for Grafana | Grafana Labs

  • publisherToken is an access policy token used to communicate with your Cloud stack and publish telemetry data from the probes. The access policy needs to have the following scopes:
    • Read stacks
    • Write metrics
    • Write logs
    • Write traces

Sincerely
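As an added example (not the poster's code nor Grafana's own), here is the publisher policy from the question rewritten with only the four scopes the plugin page lists, restricted to the one stack instead of the whole org, and wired through to the installation. Resource names and the `myslug` stack data source are carried over from the question; using the numeric stack ID as the identifier of a `stack` realm is my reading of the provider docs and is marked as an assumption in the comments.

```hcl
// Publisher policy for the synthetic monitoring probes (added example).
// Least privilege: only the scopes the plugin page lists, nothing more.
resource "grafana_cloud_access_policy" "sm_metrics_publish" {
  region       = "eu"
  name         = "terraform-managed-sm-metrics-publish"
  display_name = "terraform-managed-sm-metrics-publish"

  // stacks:read is what the 400 / Forbidden error above was missing;
  // the write scopes let the probes publish metrics, logs and traces.
  scopes = ["stacks:read", "metrics:write", "logs:write", "traces:write"]

  // Scope the policy to this single stack rather than the whole org.
  // Assumption: for a realm of type "stack" the identifier is the stack ID.
  realm {
    type       = "stack"
    identifier = data.grafana_cloud_stack.myslug.id
    // No label_policy here: the {namespace="default"} selector from the
    // original attempt would limit writes to series matching it; add one
    // only if the series the probes publish are known to match.
  }
}

resource "grafana_cloud_access_policy_token" "sm_metrics_publish" {
  region           = "eu"
  access_policy_id = grafana_cloud_access_policy.sm_metrics_publish.policy_id
  name             = "terraform-managed-sm-metrics-publish-token"
  display_name     = "terraform-managed-sm-metrics-publish-token"
  // expires_at bounds the token lifetime; the token value itself is stored
  // in Terraform state, so the state backend must be protected accordingly.
  expires_at = "2024-09-28T00:00:00Z"
}

resource "grafana_synthetic_monitoring_installation" "sm_stack" {
  stack_id              = data.grafana_cloud_stack.myslug.id
  metrics_publisher_key = grafana_cloud_access_policy_token.sm_metrics_publish.token
}
```

The token passed as `cloud_api_key` to the provider is a separate concern: it must itself be allowed to manage access policies and read the stack, otherwise the apply fails before the publisher policy is even created.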