dep: upgrade grafana to 10.1.4

Reviewed-on: #1

.drone.yml

@@ -15,7 +15,7 @@ trigger:
 
 steps:
 - name: terraform init
-  image: hashicorp/terraform:1.1.8
+  image: hashicorp/terraform:1.3.5
   commands:
     - echo "$${CI_SSH_KEY}" | base64 -d > id_rsa
     - chmod 600 id_rsa
@@ -29,9 +29,9 @@ steps:
       from_secret: terraform-aws-secret-access-key
 
 - name: terraform plan
-  image: hashicorp/terraform:1.1.8
+  image: hashicorp/terraform:1.3.5
   commands:
-  - terraform plan $([[ $${DRONE_BUILD_EVENT} = cron ]] && echo "-detailed-exit-code") -out .tfplan
+  - terraform plan $([[ $${DRONE_BUILD_EVENT} = cron ]] && echo "-detailed-exitcode") -out .tfplan
   environment:
     AWS_ACCESS_KEY_ID:
       from_secret: terraform-aws-key-id
@@ -46,7 +46,7 @@ steps:
     - main
     event:
     - push
-  image: hashicorp/terraform:1.1.8
+  image: hashicorp/terraform:1.3.5
   commands:
     - terraform apply .tfplan
   environment:
@@ -71,7 +71,7 @@ trigger:
 
 steps:
 - name: format and generate docs
-  image: hashicorp/terraform:1.1.8
+  image: hashicorp/terraform:1.3.5
   commands:
     - apk add bash wget 
     - wget -q https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz -O - | tar -xz terraform-docs -C /usr/local/bin
@@ -81,6 +81,6 @@ steps:
 
 ---
 kind: signature
-hmac: d6d804b969ccdaebcbfa8e0a1917989763915bea57b0e68cf5be1aabe37d17cf
+hmac: 31fe03c2cd0cd528698da1da29eba5be6fe33d8d32cafc4f2986156c6dc845ea
 
 ...

README.md

@@ -27,7 +27,13 @@ The following providers are used by this module:
 
 ## Modules
 
-No modules.
+The following Modules are called:
+
+### <a name="module_grafana_persistance"></a> [grafana\_persistance](#module\_grafana\_persistance)
+
+Source: git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume
+
+Version:
 
 ## Resources
 
@@ -36,8 +42,6 @@ The following resources are used by this module:
 - [aws_cognito_user_pool_client.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_client) (resource)
 - [helm_release.this](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) (resource)
 - [kubernetes_namespace.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) (resource)
-- [kubernetes_persistent_volume.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/persistent_volume) (resource)
-- [kubernetes_persistent_volume_claim.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/persistent_volume_claim) (resource)
 - [aws_cognito_user_pools.thomasklein_infra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cognito_user_pools) (data source)
 - [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) (data source)
 

helm.tf

@@ -4,21 +4,29 @@ resource "helm_release" "this" {
 
   repository = "https://grafana.github.io/helm-charts"
   chart      = "grafana"
+  version    = "10.1.4"
 
   values = [
+    jsonencode({
+      initChownData = {
+        enabled = false
+      }
+    }),
     jsonencode({
       ingress = {
-        enabled = true
+        enabled          = true
-        hosts   = [local.ingress_domain]
+        hosts            = [local.ingress_domain]
+        ingressClassName = "traefik"
         annotations = {
-          "kubernetes.io/ingress.class"                             = "traefik"
+          "cert-manager.io/cluster-issuer" = "acme-thomasklein-me"
-          "traefik.ingress.kubernetes.io/router.entrypoints"        = "websecure"
-          "traefik.ingress.kubernetes.io/router.tls"                = "true"
-          "traefik.ingress.kubernetes.io/router.tls.certresolver"   = "acme-thomasklein-me"
-          "traefik.ingress.kubernetes.io/router.tls.domains.0.main" = local.ingress_domain
-          "traefik.ingress.kubernetes.io/router.middlewares"        = "redirect-metrics@file" # hide /metrics from the internet
         }
         labels = {}
+        tls = [
+          {
+            hosts      = [local.ingress_domain]
+            secretName = "grafana-thomasklein-me-tls"
+          }
+        ]
       }
     }),
 
@@ -26,7 +34,7 @@ resource "helm_release" "this" {
       persistence = {
         enabled       = "true"
         type          = "pvc"
-        existingClaim = kubernetes_persistent_volume_claim.this.metadata.0.name
+        existingClaim = module.grafana_persistance.pvc_name
       }
     }),
 
@@ -35,6 +43,17 @@ resource "helm_release" "this" {
         server = {
           root_url = "https://${local.ingress_domain}"
         }
+        "auth.anonymous" = {
+          enabled      = true
+          org_role     = "Viewer"
+          hide_version = true
+        }
+        "smtp" = {
+          enabled   = true
+          host      = "smtp.lawndale.:25"
+          from      = "noreply@grafana.thomasklein.me"
+          from_name = "Grafana"
+        }
       }
     }),
 
@@ -47,6 +66,10 @@ resource "helm_release" "this" {
         // below, the `?` is necessary to fix a bad assumtion on grafana's side
         GF_AUTH_GENERIC_OAUTH_API_URL = "${local.cognito_userinfo_url}?"
         GF_AUTH_GENERIC_OAUTH_SCOPES  = "email openid profile"
+        // https://github.com/grafana/grafana/issues/70203#issuecomment-1603895013
+        // https://github.com/advisories/GHSA-mpv3-g8m3-3fjc
+        // https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/#enable-email-lookup
+        GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP = "true"
       }
     })
   ]

volume.tf

@@ -1,36 +1,8 @@
-locals {
+module "grafana_persistance" {
+  source = "git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume"
+
+  namespace               = kubernetes_namespace.this.metadata.0.name
+  name                    = "grafana"
   volume_storage_capacity = "1Gi"
 }
 
-resource "kubernetes_persistent_volume" "this" {
-  metadata {
-    name = "pv-p9hostpath-grafana"
-  }
-  spec {
-    capacity = {
-      storage = local.volume_storage_capacity
-    }
-    access_modes = ["ReadWriteMany"]
-    persistent_volume_source {
-      host_path {
-        path = "/mnt/datastore/grafana"
-      }
-    }
-  }
-}
-
-resource "kubernetes_persistent_volume_claim" "this" {
-  metadata {
-    name      = "grafana"
-    namespace = kubernetes_namespace.this.metadata.0.name
-  }
-  spec {
-    access_modes = ["ReadWriteMany"]
-    resources {
-      requests = {
-        storage = local.volume_storage_capacity
-      }
-    }
-    volume_name = kubernetes_persistent_volume.this.metadata.0.name
-  }
-}