workspaces

Creates, updates, deletes or gets a workspace resource or lists workspaces in a region

Overview

Name	`workspaces`
Type	Resource
Description	Definition of AWS::Grafana::Workspace Resource Type
Id	`aws.grafana.workspaces`

Fields

Name	Datatype	Description
`authentication_providers`	`array`	List of authentication providers to enable.
`sso_client_id`	`string`	The client ID of the AWS SSO Managed Application.
`saml_configuration`	`object`	SAML configuration data associated with an AMG workspace.
`network_access_control`	`object`	The configuration settings for Network Access Control.
`vpc_configuration`	`object`	The configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to.
`saml_configuration_status`	`string`	Valid SAML configuration statuses.
`client_token`	`string`	A unique, case-sensitive, user-provided identifier to ensure the idempotency of the request.
`status`	`string`	These enums represent the status of a workspace.
`creation_timestamp`	`string`	Timestamp when the workspace was created.
`modification_timestamp`	`string`	Timestamp when the workspace was last modified
`grafana_version`	`string`	The version of Grafana to support in your workspace.
`endpoint`	`string`	Endpoint for the Grafana workspace.
`account_access_type`	`string`	These enums represent valid account access types. Specifically these enums determine whether the workspace can access AWS resources in the AWS account only, or whether it can also access resources in other accounts in the same organization. If the value CURRENT_ACCOUNT is used, a workspace role ARN must be provided. If the value is ORGANIZATION, a list of organizational units must be provided.
`organization_role_name`	`string`	The name of an IAM role that already exists to use with AWS Organizations to access AWS data sources and notification channels in other accounts in an organization.
`permission_type`	`string`	These enums represent valid permission types to use when creating or configuring a Grafana workspace. The SERVICE_MANAGED permission type means the Managed Grafana service will create a workspace IAM role on your behalf. The CUSTOMER_MANAGED permission type means that the customer is expected to provide an IAM role that the Grafana workspace can use to query data sources.
`stack_set_name`	`string`	The name of the AWS CloudFormation stack set to use to generate IAM roles to be used for this workspace.
`data_sources`	`array`	List of data sources on the service managed IAM role.
`description`	`string`	Description of a workspace.
`id`	`string`	The id that uniquely identifies a Grafana workspace.
`name`	`string`	The user friendly name of a workspace.
`notification_destinations`	`array`	List of notification destinations on the customers service managed IAM role that the Grafana workspace can query.
`organizational_units`	`array`	List of Organizational Units containing AWS accounts the Grafana workspace can pull data from.
`role_arn`	`string`	IAM Role that will be used to grant the Grafana workspace access to a customers AWS resources.
`plugin_admin_enabled`	`boolean`	Allow workspace admins to install plugins
`region`	`string`	AWS region.

Methods

Name	Accessible by	Required Params
`create_resource`	`INSERT`	`AuthenticationProviders, PermissionType, AccountAccessType, region`
`delete_resource`	`DELETE`	`data__Identifier, region`
`update_resource`	`UPDATE`	`data__Identifier, data__PatchDocument, region`
`list_resources`	`SELECT`	`region`
`get_resource`	`SELECT`	`data__Identifier, region`

`SELECT` examples

Gets all workspaces in a region.

SELECT
region,
authentication_providers,
sso_client_id,
saml_configuration,
network_access_control,
vpc_configuration,
saml_configuration_status,
client_token,
status,
creation_timestamp,
modification_timestamp,
grafana_version,
endpoint,
account_access_type,
organization_role_name,
permission_type,
stack_set_name,
data_sources,
description,
id,
name,
notification_destinations,
organizational_units,
role_arn,
plugin_admin_enabled
FROM aws.grafana.workspaces
WHERE region = 'us-east-1';

Gets all properties from an individual workspace.

SELECT
region,
authentication_providers,
sso_client_id,
saml_configuration,
network_access_control,
vpc_configuration,
saml_configuration_status,
client_token,
status,
creation_timestamp,
modification_timestamp,
grafana_version,
endpoint,
account_access_type,
organization_role_name,
permission_type,
stack_set_name,
data_sources,
description,
id,
name,
notification_destinations,
organizational_units,
role_arn,
plugin_admin_enabled
FROM aws.grafana.workspaces
WHERE region = 'us-east-1' AND data__Identifier = '<Id>';

`INSERT` example

Use the following StackQL query and manifest file to create a new workspace resource, using stack-deploy.

Required Properties
All Properties
Manifest

/*+ create */
INSERT INTO aws.grafana.workspaces (
 AuthenticationProviders,
 AccountAccessType,
 PermissionType,
 region
)
SELECT 
'{{ AuthenticationProviders }}',
 '{{ AccountAccessType }}',
 '{{ PermissionType }}',
'{{ region }}';

/*+ create */
INSERT INTO aws.grafana.workspaces (
 AuthenticationProviders,
 SamlConfiguration,
 NetworkAccessControl,
 VpcConfiguration,
 ClientToken,
 GrafanaVersion,
 AccountAccessType,
 OrganizationRoleName,
 PermissionType,
 StackSetName,
 DataSources,
 Description,
 Name,
 NotificationDestinations,
 OrganizationalUnits,
 RoleArn,
 PluginAdminEnabled,
 region
)
SELECT 
 '{{ AuthenticationProviders }}',
 '{{ SamlConfiguration }}',
 '{{ NetworkAccessControl }}',
 '{{ VpcConfiguration }}',
 '{{ ClientToken }}',
 '{{ GrafanaVersion }}',
 '{{ AccountAccessType }}',
 '{{ OrganizationRoleName }}',
 '{{ PermissionType }}',
 '{{ StackSetName }}',
 '{{ DataSources }}',
 '{{ Description }}',
 '{{ Name }}',
 '{{ NotificationDestinations }}',
 '{{ OrganizationalUnits }}',
 '{{ RoleArn }}',
 '{{ PluginAdminEnabled }}',
 '{{ region }}';

version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: workspace
    props:
      - name: AuthenticationProviders
        value:
          - '{{ AuthenticationProviders[0] }}'
      - name: SamlConfiguration
        value:
          IdpMetadata:
            Url: '{{ Url }}'
            Xml: '{{ Xml }}'
          AssertionAttributes:
            Name: '{{ Name }}'
            Login: '{{ Login }}'
            Email: '{{ Email }}'
            Groups: '{{ Groups }}'
            Role: '{{ Role }}'
            Org: '{{ Org }}'
          RoleValues:
            Editor:
              - '{{ Editor[0] }}'
            Admin:
              - '{{ Admin[0] }}'
          AllowedOrganizations:
            - '{{ AllowedOrganizations[0] }}'
          LoginValidityDuration: null
      - name: NetworkAccessControl
        value:
          PrefixListIds:
            - '{{ PrefixListIds[0] }}'
          VpceIds:
            - '{{ VpceIds[0] }}'
      - name: VpcConfiguration
        value:
          SecurityGroupIds:
            - '{{ SecurityGroupIds[0] }}'
          SubnetIds:
            - '{{ SubnetIds[0] }}'
      - name: ClientToken
        value: '{{ ClientToken }}'
      - name: GrafanaVersion
        value: '{{ GrafanaVersion }}'
      - name: AccountAccessType
        value: '{{ AccountAccessType }}'
      - name: OrganizationRoleName
        value: '{{ OrganizationRoleName }}'
      - name: PermissionType
        value: '{{ PermissionType }}'
      - name: StackSetName
        value: '{{ StackSetName }}'
      - name: DataSources
        value:
          - '{{ DataSources[0] }}'
      - name: Description
        value: '{{ Description }}'
      - name: Name
        value: '{{ Name }}'
      - name: NotificationDestinations
        value:
          - '{{ NotificationDestinations[0] }}'
      - name: OrganizationalUnits
        value:
          - '{{ OrganizationalUnits[0] }}'
      - name: RoleArn
        value: '{{ RoleArn }}'
      - name: PluginAdminEnabled
        value: '{{ PluginAdminEnabled }}'

`DELETE` example

/*+ delete */
DELETE FROM aws.grafana.workspaces
WHERE data__Identifier = '<Id>'
AND region = 'us-east-1';

Permissions

To operate on the workspaces resource, the following permissions are required:

Create

grafana:CreateWorkspace,
grafana:DescribeWorkspace,
grafana:DescribeWorkspaceAuthentication,
grafana:DescribeWorkspaceConfiguration,
grafana:UpdateWorkspaceAuthentication,
sso:DescribeRegisteredRegions,
sso:CreateManagedApplicationInstance,
organizations:DescribeOrganization,
sso:GetSharedSsoConfiguration,
iam:PassRole,
ec2:GetManagedPrefixListEntries,
ec2:DescribeSecurityGroups,
ec2:DescribeSubnets,
ec2:DescribeVpcs,
iam:CreateServiceLinkedRole,
sso:ListApplicationInstances,
sso:GetApplicationInstance

Read

grafana:DescribeWorkspace,
grafana:DescribeWorkspaceAuthentication,
grafana:DescribeWorkspaceConfiguration

Update

grafana:DescribeWorkspace,
grafana:DescribeWorkspaceAuthentication,
grafana:DescribeWorkspaceConfiguration,
grafana:UpdateWorkspace,
grafana:UpdateWorkspaceAuthentication,
grafana:UpdateWorkspaceConfiguration,
sso:DescribeRegisteredRegions,
sso:CreateManagedApplicationInstance,
ec2:GetManagedPrefixListEntries,
iam:PassRole,
ec2:DescribeSecurityGroups,
ec2:DescribeSubnets,
ec2:DescribeVpcs,
iam:CreateServiceLinkedRole,
sso:ListApplicationInstances,
sso:GetApplicationInstance

Delete

grafana:DeleteWorkspace,
grafana:DescribeWorkspace,
grafana:DescribeWorkspaceAuthentication,
grafana:DescribeWorkspaceConfiguration,
sso:DeleteManagedApplicationInstance,
sso:DescribeRegisteredRegions

List

grafana:ListWorkspaces,
grafana:DescribeWorkspaceAuthentication,
grafana:DescribeWorkspaceConfiguration

Overview​

Fields​

Methods​

SELECT examples​

INSERT example​

DELETE example​

Permissions​

Create​

Read​

Update​

Delete​

List​