terraform-app-grafana/helm.tf
Tamas Kiss 4c057f44ba
dep: bump version to grafana v10.1.5
2023-11-28 11:53:16 +01:00


// Installs the upstream Grafana Helm chart into the namespace managed by
// kubernetes_namespace.this. Chart values are passed as several JSON documents
// (ingress, persistence, grafana.ini, OAuth environment); the OAuth client
// credentials are injected separately through set_sensitive.
resource "helm_release" "this" {
  name       = "grafana"
  namespace  = kubernetes_namespace.this.metadata.0.name
  repository = "https://grafana.github.io/helm-charts"
  chart      = "grafana"
  // Chart version is pinned, so upgrades only happen through an explicit change here.
  version = "7.0.8"
  values = [
    // Ingress: served through the "traefik" ingress class, with a certificate
    // requested from the named cert-manager ClusterIssuer and stored in the
    // TLS secret below.
    jsonencode({
      ingress = {
        enabled          = true
        hosts            = [local.ingress_domain]
        ingressClassName = "traefik"
        annotations = {
          "cert-manager.io/cluster-issuer" = "acme-thomasklein-me"
        }
        labels = {}
        tls = [
          {
            hosts      = [local.ingress_domain]
            secretName = "grafana-thomasklein-me-tls"
          }
        ]
      }
    }),
    // Persistence: reuse the PVC provided by module.grafana_persistance
    // instead of letting the chart create one.
    jsonencode({
      persistence = {
        // NOTE(review): this is the string "true", not a boolean. Presumably the
        // chart only tests it for truthiness, in which case the string "false"
        // would also enable persistence - confirm before ever toggling it.
        enabled       = "true"
        type          = "pvc"
        existingClaim = module.grafana_persistance.pvc_name
      }
    }),
    // grafana.ini sections rendered by the chart.
    jsonencode({
      "grafana.ini" = {
        server = {
          // Must match the public ingress URL; OAuth redirects are built from it.
          root_url = "https://${local.ingress_domain}"
        }
        // Anonymous access is on: anyone who can reach the ingress host gets the
        // Viewer role without logging in. hide_version keeps the Grafana version
        // from being shown to those unauthenticated visitors.
        // NOTE(review): confirm this exposure is intended and that no dashboard
        // or data source readable by a Viewer contains sensitive data.
        "auth.anonymous" = {
          enabled      = true
          org_role     = "Viewer"
          hide_version = true
        }
        // Outbound mail goes to the relay on port 25. No SMTP credentials or TLS
        // policy are set here, so Grafana's defaults apply.
        // NOTE(review): presumably an internal relay - confirm it is only
        // reachable over a trusted network.
        "smtp" = {
          enabled   = true
          host      = "smtp.lawndale.:25"
          from      = "noreply@grafana.thomasklein.me"
          from_name = "Grafana"
        }
      }
    }),
    // Generic OAuth login against the Cognito endpoints defined in locals. These
    // entries are passed under the chart's envRenderSecret key; the client id
    // and secret are added to the same key by the set_sensitive blocks below.
    jsonencode({
      envRenderSecret = {
        GF_AUTH_GENERIC_OAUTH_NAME      = "Cognito"
        GF_AUTH_GENERIC_OAUTH_ENABLED   = "true"
        GF_AUTH_GENERIC_OAUTH_AUTH_URL  = local.cognito_authz_url
        GF_AUTH_GENERIC_OAUTH_TOKEN_URL = local.cognito_token_url
        // below, the `?` is necessary to fix a bad assumption on grafana's side
        GF_AUTH_GENERIC_OAUTH_API_URL = "${local.cognito_userinfo_url}?"
        GF_AUTH_GENERIC_OAUTH_SCOPES  = "email openid profile"
        // https://github.com/grafana/grafana/issues/70203#issuecomment-1603895013
        // https://github.com/advisories/GHSA-mpv3-g8m3-3fjc
        // https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/#enable-email-lookup
        //
        // SECURITY: this turns the email-based user lookup back on, which Grafana
        // disabled by default in response to the advisory linked above. With it
        // enabled, an OAuth login is matched to an existing Grafana user by the
        // email claim alone, so the identity provider becomes the only thing
        // preventing one person from signing in as another.
        // NOTE(review): confirm the Cognito user pool only issues verified email
        // addresses, that users cannot change their own email to an arbitrary
        // value, and that no second OAuth provider is added while this is "true".
        GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP = "true"
      }
    })
  ]
  // set_sensitive keeps these values out of plan/apply output. They are still
  // written to the Terraform state, so the state backend needs to be
  // access-controlled and encrypted.
  set_sensitive {
    name  = "envRenderSecret.GF_AUTH_GENERIC_OAUTH_CLIENT_ID"
    value = aws_cognito_user_pool_client.this.id
  }
  set_sensitive {
    name  = "envRenderSecret.GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET"
    value = aws_cognito_user_pool_client.this.client_secret
  }
}