Configure serverless Azure metrics

Complete the following steps to configure serverless Azure metrics with Terraform.

Configure Azure authorization

To collect metrics from Azure Monitor, create a service principal with the proper authorization to allow Grafana Cloud to pull Azure metrics on your behalf.

  1. Log in to your Azure account.

    shell
    az login
  2. List your available subscriptions.

    shell
    az account list --output table
  3. Create a service principal for each subscription you want to monitor, and give it the appropriate role. If a service principal already exists with this name, it will be updated with the role and scopes you provide. Make sure to replace {subscriptionId} with the appropriate value.

    shell
    az ad sp create-for-rbac --name grafana-cloud-azure-metrics --role "Monitoring Reader" --scopes "/subscriptions/{subscriptionId}"
  4. When the service principal is created, capture the output of the command. This output includes the credential information that you need for the Terraform configuration steps.

    shell
    {
      "appId": "54321a67-8fd9-123d-45d6-7891234567fd",
      "displayName": "grafana-cloud-azure-metrics",
      "password": "asdf1234~4321fdsa",
      "tenant": "12345a67-8fd9-123d-45d6-7891234567fd"
    }

Configure Grafana Cloud authentication

You need Grafana Cloud authentication to manage Grafana Cloud observability resources, such as Azure credentials. It’s important to configure Grafana Cloud authentication before you configure the Terraform provider.

Create an Access Policy token

After you create an Access Policy, you can generate a token to authenticate the Terraform provider with the Cloud Provider API.

Complete the following steps to create an Access Policy token:

  1. Log in to Grafana Cloud.
  2. In the Cloud Portal, navigate to Security in the menu to the left and select Access Policies.
  3. Select Create Access Policy.
  4. Assign the required scopes. If you don’t see the following scopes listed, use the Add scope text box to search for and add them:
    • integration-management: Read
    • integration-management: Write
    • stacks: Read
  5. Click Create and follow the prompts to generate an access token. For more information on creating an Access Policy token, refer to the following: Create one or more access policy tokens.

If you need more information on creating an Access Policy, refer to Create an access policy for an organization.

Update the Cloud Provider API URL

Update the Cloud Provider API URL so that the Cloud Provider can communicate with Grafana Cloud.

  1. Retrieve the URL by running the following script:

    shell
    curl -sH "Authorization: Bearer <Access Token from previous step>" \
      "https://grafana.com/api/instances" | \
      jq '[.items[] | {stackName: .slug, clusterName: .clusterSlug, cloudProviderAPIURL: "https://cloud-provider-api-\(.clusterSlug).grafana.net"}]'
  2. Select the hostname for the stack you want to manage. The script above returns a list of all the Grafana stacks you manage, as well as their respective Cloud Provider hostnames.

    For example, in the response below, the correct hostname for the herokublogpost stack is https://cloud-provider-api-prod-us-central-0.grafana.net.

    shell
    [
      {
        "stackName": "herokublogpost",
        "clusterName": "prod-us-central-0",
        "cloudProviderAPIURL": "https://cloud-provider-api-prod-us-central-0.grafana.net"
      }
    ]

Configure the Terraform provider

Create a provider block in your Terraform configuration file. The provider block specifies the Grafana Cloud provider and the required authentication details.

  1. Include the Grafana Terraform provider as a dependency in your Terraform configuration file. The version of the provider must be 3.18.0 or later.

    hcl
    terraform {
      required_providers {
        grafana = {
          source  = "grafana/grafana"
          version = ">= 3.18.0"
        }
      }
    }
  2. Choose one of the following methods to configure Azure support for the Grafana Terraform provider.

    • Use the following snippet to configure Azure support for the Grafana Terraform provider. This snippet uses the access token and Cloud Provider API URL obtained in the previous steps.

      hcl
      provider "grafana" {
        cloud_access_policy_token   = "<cloud_access_policy_token_from_previous_step>"
        cloud_provider_access_token = "<cloud_provider_access_token_from_previous_step>"
        cloud_provider_url          = "<cloud_provider_url_from_previous_step>"
      }
    • Use an empty Grafana provider block, and set the Cloud Provider URL, Cloud Provider Access Token, and Cloud Access Policy Token via environment variables (GRAFANA_CLOUD_PROVIDER_ACCESS_TOKEN, GRAFANA_CLOUD_PROVIDER_URL, and GRAFANA_CLOUD_ACCESS_POLICY_TOKEN) when running Terraform commands.

      hcl
      provider "grafana" {}

The Grafana Terraform provider model

The Grafana Terraform provider enables interaction with Grafana Azure Monitor Metrics through the following resources and data sources.

| Name | Description |
| --- | --- |
| grafana_cloud_provider_azure_credential | A resource representing an Azure Service Principal credential that is used by Grafana Cloud to pull Azure Monitor metrics from one or more subscriptions. There should be one of these resources for each configured Azure Subscription. For more information, refer to the Terraform resource documentation. |
| resource_discovery_tag_filter | A block list of tag filters to apply to credential resources. For more information, refer to the Terraform resource documentation. |

The following is a sample Terraform snippet for pulling Azure metrics. Resource discovery tags are optional.

hcl
terraform {
  required_providers {
    grafana = {
      source  = "grafana/grafana"
      version = ">= 3.18.0"
    }
  }
}

provider "grafana" {
  cloud_access_policy_token = "<cloud_access_policy_token>"
  cloud_provider_access_token = "<cloud_provider_access_token>"
  cloud_provider_url = "<cloud_provider_url>"
}

data "grafana_cloud_stack" "your_stack" {
  slug = "name of your stack"
}

resource "grafana_cloud_provider_azure_credential" "myazurecred" {
  stack_id = data.grafana_cloud_stack.your_stack.id
  name = "my-credential"

  client_id = "<client_id>"
  client_secret = "<client_secret>"
  tenant_id = "<tenant_id>"

  resource_discovery_tag_filter {
    key = "key-1"
    value = "value-1"
  }

  resource_discovery_tag_filter {
    key = "key-2"
    value = "value-2"
  }
}
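
The following variant is an added example, not part of the original Grafana documentation. It combines the empty provider block with input variables so that neither the Grafana tokens nor the service principal password appear in the configuration files. The variable names (stack_slug, azure_client_id, azure_tenant_id, azure_client_secret) are assumptions chosen for illustration; the resource arguments are the ones shown in the sample above.

```hcl
# Added example. Variable names (stack_slug, azure_*) are assumptions.
terraform {
  required_providers {
    grafana = {
      source  = "grafana/grafana"
      version = ">= 3.18.0"
    }
  }
}

# Empty provider block: tokens and URL are read from
# GRAFANA_CLOUD_ACCESS_POLICY_TOKEN, GRAFANA_CLOUD_PROVIDER_ACCESS_TOKEN
# and GRAFANA_CLOUD_PROVIDER_URL, so none of them is committed with the code.
provider "grafana" {}

variable "stack_slug" {
  type = string
}

variable "azure_client_id" {
  type        = string
  description = "appId from the az ad sp create-for-rbac output"
}

variable "azure_tenant_id" {
  type        = string
  description = "tenant from the az ad sp create-for-rbac output"
}

variable "azure_client_secret" {
  type        = string
  description = "password from the az ad sp create-for-rbac output"
  sensitive   = true # redacted in plan and apply output
}

data "grafana_cloud_stack" "your_stack" {
  slug = var.stack_slug
}

resource "grafana_cloud_provider_azure_credential" "myazurecred" {
  stack_id = data.grafana_cloud_stack.your_stack.id
  name     = "my-credential"

  client_id     = var.azure_client_id
  client_secret = var.azure_client_secret
  tenant_id     = var.azure_tenant_id
}
```

Supply the values through the TF_VAR_azure_client_id, TF_VAR_azure_tenant_id, TF_VAR_azure_client_secret and TF_VAR_stack_slug environment variables or a secrets manager. Terraform still records client_secret in its state file, so the state backend needs the same access controls as the secret itself.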