AWS::Grafana::Workspace
Specifies a workspace. In a workspace, you can create Grafana dashboards and visualizations to analyze your metrics, logs, and traces. You don't have to build, package, or deploy any hardware to run the Grafana server.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::Grafana::Workspace", "Properties" : { "AccountAccessType" :String, "AuthenticationProviders" :[ String, ... ], "ClientToken" :String, "DataSources" :[ String, ... ], "Description" :String, "Name" :String, "NetworkAccessControl" :NetworkAccessControl, "NotificationDestinations" :[ String, ... ], "OrganizationalUnits" :[ String, ... ], "OrganizationRoleName" :String, "PermissionType" :String, "RoleArn" :String, "SamlConfiguration" :SamlConfiguration, "StackSetName" :String, "VpcConfiguration" :VpcConfiguration} }
YAML
Type: AWS::Grafana::Workspace Properties: AccountAccessType:StringAuthenticationProviders:- StringClientToken:StringDataSources:- StringDescription:StringName:StringNetworkAccessControl:NetworkAccessControlNotificationDestinations:- StringOrganizationalUnits:- StringOrganizationRoleName:StringPermissionType:StringRoleArn:StringSamlConfiguration:SamlConfigurationStackSetName:StringVpcConfiguration:VpcConfiguration
Properties
AccountAccessType-
Specifies whether the workspace can access Amazon resources in this Amazon account only, or whether it can also access Amazon resources in other accounts in the same organization. If this is
ORGANIZATION, theOrganizationalUnitsparameter specifies which organizational units the workspace can access.Required: Yes
Type: String
Allowed values:
CURRENT_ACCOUNT | ORGANIZATIONUpdate requires: No interruption
AuthenticationProviders-
Specifies whether this workspace uses SAML 2.0, Amazon IAM Identity Center (successor to Amazon Single Sign-On), or both to authenticate users for using the Grafana console within a workspace. For more information, see User authentication in Amazon Managed Grafana.
Required: Yes
Type: List of String
Update requires: No interruption
ClientToken-
A unique, case-sensitive, user-provided identifier to ensure the idempotency of the request.
Required: No
Type: String
Pattern:
^[!-~]{1,64}$Update requires: Replacement
DataSources-
Specifies the Amazon data sources that have been configured to have IAM roles and permissions created to allow Amazon Managed Grafana to read data from these sources.
This list is only used when the workspace was created through the Amazon console, and the
permissionTypeisSERVICE_MANAGED.Required: No
Type: List of String
Update requires: No interruption
Description-
The user-defined description of the workspace.
Required: No
Type: String
Minimum:
0Maximum:
2048Update requires: No interruption
Name-
The name of the workspace.
Required: No
Type: String
Pattern:
^[a-zA-Z0-9-._~]{1,255}$Update requires: No interruption
NetworkAccessControl-
The configuration settings for network access to your workspace.
Required: No
Type: NetworkAccessControl
Update requires: No interruption
NotificationDestinations-
The Amazon notification channels that Amazon Managed Grafana can automatically create IAM roles and permissions for, to allow Amazon Managed Grafana to use these channels.
Required: No
Type: List of String
Update requires: No interruption
OrganizationalUnits-
Specifies the organizational units that this workspace is allowed to use data sources from, if this workspace is in an account that is part of an organization.
Required: No
Type: List of String
Update requires: No interruption
OrganizationRoleName-
The name of the IAM role that is used to access resources through Organizations.
Required: No
Type: String
Minimum:
1Maximum:
2048Update requires: No interruption
PermissionType-
If this is
SERVICE_MANAGED, and the workplace was created through the Amazon Managed Grafana console, then Amazon Managed Grafana automatically creates the IAM roles and provisions the permissions that the workspace needs to use Amazon data sources and notification channels.If this is
CUSTOMER_MANAGED, you must manage those roles and permissions yourself.If you are working with a workspace in a member account of an organization and that account is not a delegated administrator account, and you want the workspace to access data sources in other Amazon accounts in the organization, this parameter must be set to
CUSTOMER_MANAGED.For more information about converting between customer and service managed, see Managing permissions for data sources and notification channels. For more information about the roles and permissions that must be managed for customer managed workspaces, see Amazon Managed Grafana permissions and policies for Amazon data sources and notification channels
Required: Yes
Type: String
Allowed values:
CUSTOMER_MANAGED | SERVICE_MANAGEDUpdate requires: No interruption
RoleArn-
The IAM role that grants permissions to the Amazon resources that the workspace will view data from. This role must already exist.
Required: No
Type: String
Minimum:
1Maximum:
2048Update requires: No interruption
SamlConfiguration-
If the workspace uses SAML, use this structure to map SAML assertion attributes to workspace user information and define which groups in the assertion attribute are to have the
AdminandEditorroles in the workspace.Required: No
Type: SamlConfiguration
Update requires: No interruption
StackSetName-
The name of the Amazon CloudFormation stack set that is used to generate IAM roles to be used for this workspace.
Required: No
Type: String
Update requires: No interruption
VpcConfiguration-
The configuration for connecting to data sources in a private VPC (Amazon Virtual Private Cloud).
Required: No
Type: VpcConfiguration
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Reffunction, Refreturns the resource name. For example:
{ "Ref": "Id" }
For more information about using the Reffunction, see Ref.
Fn::GetAtt
The Fn::GetAttintrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAttintrinsic function, see Fn::GetAtt.
CreationTimestamp-
The date that the workspace was created.
Type: Timestamp
Endpoint-
The URL that users can use to access the Grafana console in the workspace.
Type: String
GrafanaVersion-
The version of Grafana supported in this workspace.
Type: String
Id-
The unique ID of this workspace.
Type: String
ModificationTimestamp-
The most recent date that the workspace was modified.
Type: Timestamp
SamlConfigurationStatus-
Specifies whether the workspace's SAML configuration is complete.
Valid values:
CONFIGURED | NOT_CONFIGUREDType: String
SsoClientId-
The ID of the IAM Identity Center-managed application that is created by Amazon Managed Grafana.
Type: String
Status-
The current status of the workspace.
Valid values:
ACTIVE | CREATING | DELETING | FAILED | UPDATING | UPGRADING | DELETION_FAILED | CREATION_FAILED | UPDATE_FAILED | UPGRADE_FAILED | LICENSE_REMOVAL_FAILEDType: String
Examples
Create a workspace
Create an Amazon Managed Grafana workspace using CloudFormation
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Amazon Grafana workspace stack", "Resources": { "AmazonGrafanaWorkspaceIAMRole": { "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonGrafanaAthenaAccess"], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": [ "grafana.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] }] } } }, "AmazonGrafanaWorkspace": { "Type": "AWS::Grafana::Workspace", "Properties": { "AccountAccessType": "CURRENT_ACCOUNT", "Name": "AmazonGrafanaWorkspace", "Description": "Amazon Grafana Workspace", "AuthenticationProviders": ["SAML"], "PermissionType": "CUSTOMER_MANAGED", "RoleArn": { "Fn::GetAtt": [ "AmazonGrafanaWorkspaceIAMRole", "Arn" ] }, "SamlConfiguration": { "IdpMetadata": { "Xml": "<md:EntityDescriptor xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' entityID='entityId'>DATA</md:EntityDescriptor>" }, "AssertionAttributes": { "Name": "displayName", "Login": "login", "Email": "email", "Groups": "group", "Role": "role", "Org": "org" }, "RoleValues": { "Editor": ["editor1"], "Admin": ["admin1"] }, "AllowedOrganizations": ["org1"], "LoginValidityDuration": 60 } } } }, "Outputs": { "WorkspaceEndpoint": { "Value": { "Fn::GetAtt": [ "AmazonGrafanaWorkspace", "Endpoint" ] } }, "WorkspaceStatus": { "Value": { "Fn::GetAtt": [ "AmazonGrafanaWorkspace", "Status" ] } }, "WorkspaceId": { "Value": { "Ref": "AmazonGrafanaWorkspace" } }, "GrafanaVersion": { "Value": { "Fn::GetAtt": [ "AmazonGrafanaWorkspace", "GrafanaVersion" ] } } } }
YAML
Description: Amazon Grafana workspace stack Resources: AmazonGrafanaWorkspaceIAMRole: Type: 'AWS::IAM::Role' Properties: ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AmazonGrafanaAthenaAccess' AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - grafana.amazonaws.com Action: - 'sts:AssumeRole' AmazonGrafanaWorkspace: Type: 'AWS::Grafana::Workspace' Properties: AccountAccessType: CURRENT_ACCOUNT Name: AmazonGrafanaWorkspace Description: Amazon Grafana Workspace AuthenticationProviders: - SAML PermissionType: CUSTOMER_MANAGED RoleArn: !GetAtt - AmazonGrafanaWorkspaceIAMRole - Arn SamlConfiguration: IdpMetadata: Xml: >- <md:EntityDescriptor xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' entityID='entityId'>DATA</md:EntityDescriptor> AssertionAttributes: Name: displayName Login: login Email: email Groups: group Role: role Org: org RoleValues: Editor: - editor1 Admin: - admin1 AllowedOrganizations: - org1 LoginValidityDuration: 60 Outputs: WorkspaceEndpoint: Value: !GetAtt - AmazonGrafanaWorkspace - Endpoint WorkspaceStatus: Value: !GetAtt - AmazonGrafanaWorkspace - Status WorkspaceId: Value: !Ref AmazonGrafanaWorkspace GrafanaVersion: Value: !GetAtt - AmazonGrafanaWorkspace - GrafanaVersion