AWS::Grafana::Workspace

Specifies a workspace. In a workspace, you can create Grafana dashboards and visualizations to analyze your metrics, logs, and traces. You don't have to build, package, or deploy any hardware to run the Grafana server.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::Grafana::Workspace", "Properties" : { "AccountAccessType" : String, "AuthenticationProviders" : [ String, ... ], "ClientToken" : String, "DataSources" : [ String, ... ], "Description" : String, "Name" : String, "NotificationDestinations" : [ String, ... ], "OrganizationalUnits" : [ String, ... ], "OrganizationRoleName" : String, "PermissionType" : String, "RoleArn" : String, "SamlConfiguration" : SamlConfiguration, "StackSetName" : String, "VpcConfiguration" : VpcConfiguration } }

YAML

Type: AWS::Grafana::Workspace Properties: AccountAccessType: String AuthenticationProviders: - String ClientToken: String DataSources: - String Description: String Name: String NotificationDestinations: - String OrganizationalUnits: - String OrganizationRoleName: String PermissionType: String RoleArn: String SamlConfiguration: SamlConfiguration StackSetName: String VpcConfiguration: VpcConfiguration

Properties

AccountAccessType

Specifies whether the workspace can access AWS resources in this AWS account only, or whether it can also access AWS resources in other accounts in the same organization. If this is ORGANIZATION, the workspaceOrganizationalUnits parameter specifies which organizational units the workspace can access.

Required: No

Type: String

Allowed values: CURRENT_ACCOUNT | ORGANIZATION

Update requires: No interruption

AuthenticationProviders

Specifies whether this workspace uses SAML 2.0, AWS IAM Identity Center (successor to AWS Single Sign-On), or both to authenticate users for using the Grafana console within a workspace. For more information, see User authentication in Amazon Managed Grafana.

Required: No

Type: List of String

Update requires: No interruption

ClientToken

A unique, case-sensitive, user-provided identifier to ensure the idempotency of the request.

Required: No

Type: String

Pattern: ^[!-~]{1,64}$

Update requires: Replacement

DataSources

Specifies the AWS data sources that have been configured to have IAM roles and permissions created to allow Amazon Managed Grafana to read data from these sources.

This list is only used when the workspace was created through the AWS console, and the permissionType is SERVICE_MANAGED.

Required: No

Type: List of String

Update requires: No interruption

Description

The user-defined description of the workspace.

Required: No

Type: String

Minimum: 0

Maximum: 2048

Update requires: No interruption

Name

The name of the workspace.

Required: No

Type: String

Pattern: ^[a-zA-Z0-9-._~]{1,255}$

Update requires: No interruption

NotificationDestinations

The AWS notification channels that Amazon Managed Grafana can automatically create IAM roles and permissions for, to allow Amazon Managed Grafana to use these channels.

Required: No

Type: List of String

Update requires: No interruption

OrganizationalUnits

Specifies the organizational units that this workspace is allowed to use data sources from, if this workspace is in an account that is part of an organization.

Required: No

Type: List of String

Update requires: No interruption

OrganizationRoleName

The name of the IAM role that is used to access resources through Organizations.

Required: No

Type: String

Minimum: 1

Maximum: 2048

Update requires: No interruption

PermissionType

If this is SERVICE_MANAGED, and the workplace was created through the Amazon Managed Grafana console, then Amazon Managed Grafana automatically creates the IAM roles and provisions the permissions that the workspace needs to use AWS data sources and notification channels.

If this is CUSTOMER_MANAGED, you must manage those roles and permissions yourself.

If you are working with a workspace in a member account of an organization and that account is not a delegated administrator account, and you want the workspace to access data sources in other AWS accounts in the organization, this parameter must be set to CUSTOMER_MANAGED.

For more information about converting between customer and service managed, see Managing permissions for data sources and notification channels. For more information about the roles and permissions that must be managed for customer managed workspaces, see Amazon Managed Grafana permissions and policies for AWS data sources and notification channels

Required: No

Type: String

Allowed values: CUSTOMER_MANAGED | SERVICE_MANAGED

Update requires: No interruption

RoleArn

The IAM role that grants permissions to the AWS resources that the workspace will view data from. This role must already exist.

Required: No

Type: String

Minimum: 1

Maximum: 2048

Update requires: No interruption

SamlConfiguration

If the workspace uses SAML, use this structure to map SAML assertion attributes to workspace user information and define which groups in the assertion attribute are to have the Admin and Editor roles in the workspace.

Required: No

Type: SamlConfiguration

Update requires: No interruption

StackSetName

The name of the AWS CloudFormation stack set that is used to generate IAM roles to be used for this workspace.

Required: No

Type: String

Update requires: No interruption

VpcConfiguration

The configuration for connecting to data sources in a private VPC (Amazon Virtual Private Cloud).

Required: No

Type: VpcConfiguration

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name. For example:

{ "Ref": "Id" }

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

CreationTimestamp

The date that the workspace was created.

Type: Timestamp

Endpoint

The URL that users can use to access the Grafana console in the workspace.

Type: String

GrafanaVersion

The version of Grafana supported in this workspace.

Type: String

Id

The unique ID of this workspace.

Type: String

ModificationTimestamp

The most recent date that the workspace was modified.

Type: Timestamp

SamlConfigurationStatus

Specifies whether the workspace's SAML configuration is complete.

Valid values: CONFIGURED | NOT_CONFIGURED

Type: String

SsoClientId

The ID of the IAM Identity Center-managed application that is created by Amazon Managed Grafana.

Type: String

Status

The current status of the workspace.

Valid values: ACTIVE | CREATING | DELETING | FAILED | UPDATING | UPGRADING | DELETION_FAILED | CREATION_FAILED | UPDATE_FAILED | UPGRADE_FAILED | LICENSE_REMOVAL_FAILED

Type: String

Examples

Create a workspace

Create an Amazon Managed Grafana workspace using CloudFormation

JSON

{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Amazon Grafana workspace stack", "Resources": { "AmazonGrafanaWorkspaceIAMRole": { "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonGrafanaAthenaAccess"], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": [ "grafana.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] }] } } }, "AmazonGrafanaWorkspace": { "Type": "AWS::Grafana::Workspace", "Properties": { "AccountAccessType": "CURRENT_ACCOUNT", "Name": "AmazonGrafanaWorkspace", "Description": "Amazon Grafana Workspace", "AuthenticationProviders": ["SAML"], "PermissionType": "CUSTOMER_MANAGED", "RoleArn": { "Fn::GetAtt": [ "AmazonGrafanaWorkspaceIAMRole", "Arn" ] }, "SamlConfiguration": { "IdpMetadata": { "Xml": "<md:EntityDescriptor xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' entityID='entityId'>DATA</md:EntityDescriptor>" }, "AssertionAttributes": { "Name": "displayName", "Login": "login", "Email": "email", "Groups": "group", "Role": "role", "Org": "org" }, "RoleValues": { "Editor": ["editor1"], "Admin": ["admin1"] }, "AllowedOrganizations": ["org1"], "LoginValidityDuration": 60 } } } }, "Outputs": { "WorkspaceEndpoint": { "Value": { "Fn::GetAtt": [ "AmazonGrafanaWorkspace", "Endpoint" ] } }, "WorkspaceStatus": { "Value": { "Fn::GetAtt": [ "AmazonGrafanaWorkspace", "Status" ] } }, "WorkspaceId": { "Value": { "Ref": "AmazonGrafanaWorkspace" } }, "GrafanaVersion": { "Value": { "Fn::GetAtt": [ "AmazonGrafanaWorkspace", "GrafanaVersion" ] } } } }

YAML

Description: Amazon Grafana workspace stack Resources: AmazonGrafanaWorkspaceIAMRole: Type: 'AWS::IAM::Role' Properties: ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AmazonGrafanaAthenaAccess' AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - grafana.amazonaws.com Action: - 'sts:AssumeRole' AmazonGrafanaWorkspace: Type: 'AWS::Grafana::Workspace' Properties: AccountAccessType: CURRENT_ACCOUNT Name: AmazonGrafanaWorkspace Description: Amazon Grafana Workspace AuthenticationProviders: - SAML PermissionType: CUSTOMER_MANAGED RoleArn: !GetAtt - AmazonGrafanaWorkspaceIAMRole - Arn SamlConfiguration: IdpMetadata: Xml: >- <md:EntityDescriptor xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' entityID='entityId'>DATA</md:EntityDescriptor> AssertionAttributes: Name: displayName Login: login Email: email Groups: group Role: role Org: org RoleValues: Editor: - editor1 Admin: - admin1 AllowedOrganizations: - org1 LoginValidityDuration: 60 Outputs: WorkspaceEndpoint: Value: !GetAtt - AmazonGrafanaWorkspace - Endpoint WorkspaceStatus: Value: !GetAtt - AmazonGrafanaWorkspace - Status WorkspaceId: Value: !Ref AmazonGrafanaWorkspace GrafanaVersion: Value: !GetAtt - AmazonGrafanaWorkspace - GrafanaVersion