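# Grafana Helm release: Traefik ingress with a cert-manager issued TLS certificate,
# data on a pre-provisioned PVC, anonymous read-only access, SMTP notifications and
# Cognito OAuth login. OAuth client credentials are injected through set_sensitive
# rather than the values list.
resource "helm_release" "this" {
  name       = "grafana"
  namespace  = kubernetes_namespace.this.metadata[0].name
  repository = "https://grafana.github.io/helm-charts"
  chart      = "grafana"
  version    = "10.1.4"

  # Each entry is a separate JSON values document; the provider merges them in order.
  values = [
    # The PVC comes from module.grafana_persistance, so the chart's chown init
    # container is not wanted here.
    jsonencode({
      initChownData = { enabled = false }
    }),
    jsonencode({
      ingress = {
        enabled          = true
        hosts            = [local.ingress_domain]
        ingressClassName = "traefik"
        annotations = {
          "cert-manager.io/cluster-issuer" = "acme-thomasklein-me"
        }
        labels = {}
        tls = [
          {
            hosts      = [local.ingress_domain]
            secretName = "grafana-thomasklein-me-tls"
          }
        ]
      }
    }),
    jsonencode({
      persistence = {
        # A boolean, not the string "true": every other `enabled` flag in this file is
        # a bool and the chart's values.yaml declares this one as a bool as well.
        enabled       = true
        type          = "pvc"
        existingClaim = module.grafana_persistance.pvc_name
      }
    }),
    jsonencode({
      "grafana.ini" = {
        server = {
          root_url = "https://${local.ingress_domain}"
        }
        # Unauthenticated visitors on the public ingress get Viewer rights, so dashboards
        # of the org anonymous users land in are presumably readable without login.
        "auth.anonymous" = {
          enabled      = true
          org_role     = "Viewer"
          hide_version = true # keep the Grafana version out of the UI for anonymous users
        }
        smtp = {
          enabled   = true
          host      = "smtp.lawndale.:25"
          from      = "noreply@grafana.thomasklein.me"
          from_name = "Grafana"
        }
      }
    }),
    # Rendered into a Kubernetes Secret by the chart. Values here are environment
    # variables and therefore stay strings ("true"), unlike the chart flags above.
    jsonencode({
      envRenderSecret = {
        GF_AUTH_GENERIC_OAUTH_NAME      = "Cognito"
        GF_AUTH_GENERIC_OAUTH_ENABLED   = "true"
        GF_AUTH_GENERIC_OAUTH_AUTH_URL  = local.cognito_authz_url
        GF_AUTH_GENERIC_OAUTH_TOKEN_URL = local.cognito_token_url
        // below, the trailing `?` is necessary to work around a bad assumption on grafana's side
        GF_AUTH_GENERIC_OAUTH_API_URL = "${local.cognito_userinfo_url}?"
        GF_AUTH_GENERIC_OAUTH_SCOPES  = "email openid profile"
        // https://github.com/grafana/grafana/issues/70203#issuecomment-1603895013
        // https://github.com/advisories/GHSA-mpv3-g8m3-3fjc
        // https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/#enable-email-lookup
        // Lets Grafana match an OAuth login to an existing account by email address.
        // Per the advisory above this is only safe when the IdP guarantees the email
        // claim is verified and unique per user; confirm the Cognito user pool enforces
        // that before relying on this setting.
        GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP = "true"
      }
    })
  ]

  # Kept out of `values` so the credentials are redacted in plan/apply output
  # (they are still recorded in Terraform state).
  set_sensitive {
    name  = "envRenderSecret.GF_AUTH_GENERIC_OAUTH_CLIENT_ID"
    value = aws_cognito_user_pool_client.this.id
  }
  set_sensitive {
    name  = "envRenderSecret.GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET"
    value = aws_cognito_user_pool_client.this.client_secret
  }
}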