feat: Add support for service account and service account token resources (#36)

Co-authored-by: Bryant Biggs <[email protected]>

Author: tyler180

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.92.1
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
@@ -24,7 +24,7 @@ repos:
           - '--args=--only=terraform_unused_required_providers'
       - id: terraform_validate
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer

README.md

@@ -80,13 +80,13 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.59 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.59 |
 
 ## Modules
 
@@ -101,6 +101,8 @@ No modules.
 | [aws_grafana_workspace.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace) | resource |
 | [aws_grafana_workspace_api_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace_api_key) | resource |
 | [aws_grafana_workspace_saml_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace_saml_configuration) | resource |
+| [aws_grafana_workspace_service_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace_service_account) | resource |
+| [aws_grafana_workspace_service_account_token.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace_service_account_token) | resource |
 | [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -170,6 +172,8 @@ No modules.
 | <a name="input_vpc_configuration"></a> [vpc\_configuration](#input\_vpc\_configuration) | The configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to | `any` | `{}` | no |
 | <a name="input_workspace_api_keys"></a> [workspace\_api\_keys](#input\_workspace\_api\_keys) | Map of workspace API key definitions to create | `any` | `{}` | no |
 | <a name="input_workspace_id"></a> [workspace\_id](#input\_workspace\_id) | The ID of an existing workspace to use when `create_workspace` is `false` | `string` | `""` | no |
+| <a name="input_workspace_service_account_tokens"></a> [workspace\_service\_account\_tokens](#input\_workspace\_service\_account\_tokens) | Map of workspace service account tokens to create | `any` | `{}` | no |
+| <a name="input_workspace_service_accounts"></a> [workspace\_service\_accounts](#input\_workspace\_service\_accounts) | Map of workspace service account definitions to create | `any` | `{}` | no |
 
 ## Outputs
 
@@ -191,6 +195,8 @@ No modules.
 | <a name="output_workspace_iam_role_policy_name"></a> [workspace\_iam\_role\_policy\_name](#output\_workspace\_iam\_role\_policy\_name) | IAM Policy name of the Grafana workspace IAM role |
 | <a name="output_workspace_iam_role_unique_id"></a> [workspace\_iam\_role\_unique\_id](#output\_workspace\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
 | <a name="output_workspace_id"></a> [workspace\_id](#output\_workspace\_id) | The ID of the Grafana workspace |
+| <a name="output_workspace_service_account_tokens"></a> [workspace\_service\_account\_tokens](#output\_workspace\_service\_account\_tokens) | The workspace service account tokens created including their attributes |
+| <a name="output_workspace_service_accounts"></a> [workspace\_service\_accounts](#output\_workspace\_service\_accounts) | The workspace service accounts created including their attributes |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## License

examples/complete/README.md

@@ -24,13 +24,13 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.59 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.59 |
 
 ## Modules
 
@@ -69,6 +69,8 @@ No inputs.
 | <a name="output_workspace_iam_role_policy_name"></a> [workspace\_iam\_role\_policy\_name](#output\_workspace\_iam\_role\_policy\_name) | IAM Policy name of the Grafana workspace IAM role |
 | <a name="output_workspace_iam_role_unique_id"></a> [workspace\_iam\_role\_unique\_id](#output\_workspace\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
 | <a name="output_workspace_id"></a> [workspace\_id](#output\_workspace\_id) | The ID of the Grafana workspace |
+| <a name="output_workspace_service_account_tokens"></a> [workspace\_service\_account\_tokens](#output\_workspace\_service\_account\_tokens) | The workspace service account tokens created including their attributes |
+| <a name="output_workspace_service_accounts"></a> [workspace\_service\_accounts](#output\_workspace\_service\_accounts) | The workspace service accounts created including their attributes |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-managed-service-grafana/blob/main/LICENSE).

examples/complete/main.tf

@@ -36,7 +36,7 @@ module "managed_grafana" {
   data_sources              = ["CLOUDWATCH", "PROMETHEUS", "XRAY"]
   notification_destinations = ["SNS"]
   stack_set_name            = local.name
-  grafana_version           = "9.4"
+  grafana_version           = "10.4"
 
   configuration = jsonencode({
     unifiedAlerting = {
@@ -80,6 +80,36 @@ module "managed_grafana" {
     }
   }
 
+  # Workspace service accounts
+  workspace_service_accounts = {
+    viewer = {
+      grafana_role = "VIEWER"
+    }
+    editor = {
+      name         = "editor-example"
+      grafana_role = "EDITOR"
+    }
+    admin = {
+      grafana_role = "ADMIN"
+    }
+  }
+
+  workspace_service_account_tokens = {
+    viewer = {
+      service_account_key = "viewer"
+      seconds_to_live     = 3600
+    }
+    editor = {
+      name                = "editor-example"
+      service_account_key = "editor"
+      seconds_to_live     = 3600
+    }
+    admin = {
+      service_account_key = "admin"
+      seconds_to_live     = 3600
+    }
+  }
+
   # Workspace IAM role
   create_iam_role                = true
   iam_role_name                  = local.name

examples/complete/outputs.tf

@@ -29,6 +29,23 @@ output "workspace_grafana_version" {
 output "workspace_api_keys" {
   description = "The workspace API keys created including their attributes"
   value       = module.managed_grafana.workspace_api_keys
+  sensitive   = true
+}
+
+################################################################################
+# Workspace Service Account
+################################################################################
+
+output "workspace_service_accounts" {
+  description = "The workspace service accounts created including their attributes"
+  value       = module.managed_grafana.workspace_service_accounts
+  sensitive   = true
+}
+
+output "workspace_service_account_tokens" {
+  description = "The workspace service account tokens created including their attributes"
+  value       = module.managed_grafana.workspace_service_account_tokens
+  sensitive   = true
 }
 
 ################################################################################

examples/complete/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 5.59"
     }
   }
 }

main.tf

@@ -110,6 +110,27 @@ resource "aws_grafana_workspace_api_key" "this" {
   workspace_id    = local.workspace_id
 }
 
+################################################################################
+# Workspace Service Account
+################################################################################
+
+resource "aws_grafana_workspace_service_account" "this" {
+  for_each = { for k, v in var.workspace_service_accounts : k => v if var.create }
+
+  name         = try(each.value.name, each.key)
+  grafana_role = each.value.grafana_role
+  workspace_id = local.workspace_id
+}
+
+resource "aws_grafana_workspace_service_account_token" "this" {
+  for_each = { for k, v in var.workspace_service_account_tokens : k => v if var.create }
+
+  name               = try(each.value.name, each.key)
+  service_account_id = try(aws_grafana_workspace_service_account.this[each.value.service_account_key].service_account_id, each.value.service_account_id)
+  seconds_to_live    = each.value.seconds_to_live
+  workspace_id       = local.workspace_id
+}
+
 ################################################################################
 # Workspace IAM Role
 ################################################################################

outputs.tf

@@ -31,6 +31,20 @@ output "workspace_api_keys" {
   value       = aws_grafana_workspace_api_key.this
 }
 
+################################################################################
+# Workspace Service Account
+################################################################################
+
+output "workspace_service_accounts" {
+  description = "The workspace service accounts created including their attributes"
+  value       = aws_grafana_workspace_service_account_token.this
+}
+
+output "workspace_service_account_tokens" {
+  description = "The workspace service account tokens created including their attributes"
+  value       = aws_grafana_workspace_service_account_token.this
+}
+
 ################################################################################
 # Workspace IAM Role
 ################################################################################

variables.tf

@@ -196,6 +196,22 @@ variable "workspace_api_keys" {
   default     = {}
 }
 
+################################################################################
+# Workspace Service Account
+################################################################################
+
+variable "workspace_service_accounts" {
+  description = "Map of workspace service account definitions to create"
+  type        = any
+  default     = {}
+}
+
+variable "workspace_service_account_tokens" {
+  description = "Map of workspace service account tokens to create"
+  type        = any
+  default     = {}
+}
+
 ################################################################################
 # Workspace SAML Configuration
 ################################################################################

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 5.59"
     }
   }
 }