Configure serverless Azure Metrics with Terraform

Complete the following steps to configure serverless Azure metrics using Terraform.

Before you begin

Before configuring serverless Azure metrics using Terraform, ensure you have:

Terraform: Version 1.0 or later installed
Azure credentials: Configured for Terraform (with Azure CLI, environment variables, or Service Principal) For more information on authentication options, see the Azure Active Directory Terraform Provider documentation.

Configure Azure authorization

To collect metrics from Azure Monitor, create a service principal with the proper authorization to allow Grafana Cloud to pull Azure metrics on your behalf.

Create a service principal with Azure CLI

Log in to your Azure account with the following command:
shell
```
az login
```
List your available subscriptions with the following command:
shell
```
az account list --output table
```
Create a service principal for each subscription you want to monitor, and give it the appropriate role. If a service principal already exists with this name, it updates with the role and scopes you provide. Replace AZURE_SUBSCRIPTION_ID with the appropriate value and use the following command:
shell
```
az ad sp create-for-rbac --name grafana-cloud-azure-metrics --role "Monitoring Reader" --scopes "/subscriptions/@@@AZURE_SUBSCRIPTION_ID@@@"
```

When the service principal is created, save the output of the command to use as the credential information that you need for the Terraform configuration steps.

{
  "appId": "54321a67-8fd9-123d-45d6-7891234567fd",
  "displayName": "grafana-cloud-azure-metrics",
  "password": "asdf1234~4321fdsa",
  "tenant": "12345a67-8fd9-123d-45d6-7891234567fd"
}

For more information on creating service principals using Azure CLI, refer to the Azure CLI documentation.

Create a service principal with Terraform

The following snippet shows how to configure the Azure service principal using Terraform. You do not need to apply the Terraform to create the service principal before moving forward.

data "azurerm_client_config" "current" {}

resource "azuread_application" "grafana_cloud_azure_metrics" {
  display_name = var.azure_application_display_name
}

resource "azuread_application_password" "grafana_cloud_azure_metrics" {
  display_name      = "${var.azure_application_display_name}-secret"
  application_id    = azuread_application.grafana_cloud_azure_metrics.id
  end_date_relative = "8760h" # 1 year

  rotate_when_changed = {
    rotation = time_rotating.azure_monitor_exporter_time_rotation.id
  }
}

resource "time_rotating" "azure_monitor_exporter_time_rotation" {
  // Rotate every 180 days
  // This is to ensure the password is rotated before it expires
  rotation_days = 180
}

# Service Principal for the application — required so we have a client id to grant role assignments
resource "azuread_service_principal" "grafana_cloud_azure_metrics" {
  client_id = azuread_application.grafana_cloud_azure_metrics.client_id
}

# Role assignment for Monitoring Reader - use the Service Principal's client id for principal_id
resource "azurerm_role_assignment" "grafana_cloud_azure_metrics" {
  scope                = "/subscriptions/${var.azure_subscription_id}"
  role_definition_name = "Monitoring Reader"
  principal_id         = azuread_service_principal.grafana_cloud_azure_metrics.id
}

Configure Grafana Cloud

After deciding how you want to configure the Azure service principal, you can configure Grafana Cloud to use it.

Create an Access Policy for the Grafana Terraform provider

If you are already using the Grafana Terraform provider, ensure the access policy you are using has the following scopes:

orgs: Read
stacks: Read
accesspolicies: Read, Write, Delete

If you haven’t used the Grafana Terraform provider yet, you must create an access policy. Since this access policy is necessary to use the Terraform provider, you must create it through Grafana Cloud.

Follow the steps to Create access policies and tokens.

To create an access policy token:

Follow the Create an access policy for a stack instructions.
In step 6, add the following scopes:
- integration-management:read
- integration-management:write
- stacks:read
After creating the policy, click Add token and generate a token.
Give your token an appropriate name and select an Expiration date. We recommend you select a specific expiration date and do not set the Expiration date to No expiry, as this can create a security vulnerability.
Store this token securely—you’ll use it to configure the Grafana Terraform provider.

Configure the Grafana Terraform provider with your Access Policy

Include the Grafana Terraform provider as a dependency in your Terraform configuration file. The version of the provider must be 3.24.1 or later, as in the following example:

terraform {
    required_providers {
        grafana = {
        source = "grafana/grafana"
        version = ">= 3.24.1"
        }
    }
}

Choose one of the following methods to configure the Grafana Terraform provider to use the provisioned Access Policy token:

Embed the token in Terraform configuration, as in the following example:

provider "grafana" {
  cloud_access_policy_token = "@@@GRAFANA_CLOUD_ACCESS_POLICY_TOKEN@@@"
}

Use the environment variable GRAFANA_CLOUD_ACCESS_POLICY_TOKEN set to the created token when running Terraform commands with the following provider block:

provider "grafana" {}

Configure the Terraform provider to use the Cloud Provider API

Replacing values with your own, use the following snippet to configure the provider block with the Cloud Provider API:

provider "grafana" {
  cloud_access_policy_token   = var.grafana_cloud_access_policy_token
  cloud_provider_url          = format("https://cloud-provider-api-%s.grafana.net", data.grafana_cloud_stack.current.cluster_slug)
  cloud_provider_access_token = var.grafana_cloud_access_policy_token
}

The Azure Credential Terraform model

The Cloud Provider portion of the Grafana Terraform provider enables configuring Azure metric collection through the following resources and data sources:

Name	Description
`grafana_cloud_provider_azure_credential`	A resource representing an Azure Service Principal credential that is used by Grafana Cloud to pull Azure Monitor metrics from one or more subscriptions. For a full reference of this resource, refer to the Terraform resource documentation.

The following is a minimal Azure Credential resource definition:

data "grafana_cloud_stack" "current" {
  slug = var.stack_slug
}

resource "grafana_cloud_provider_azure_credential" "azurecred" {
  stack_id = data.grafana_cloud_stack.current.id
  name     = var.credential_name

  client_id     = azuread_application.grafana_cloud_azure_metrics.client_id
  client_secret = azuread_application_password.grafana_cloud_azure_metrics.value
  tenant_id     = data.azurerm_client_config.current.tenant_id

  depends_on = [azurerm_role_assignment.grafana_cloud_azure_metrics] # If the application has no role, this will fail.
}

Full Terraform Example

The following snippet shows a full Terraform example that provisions an Azure service principal and uses it to collect Azure metrics:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.1.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.46.0"
    }
    grafana = {
      source  = "grafana/grafana"
      version = ">= 3.24.1"
    }
  }
}

########################
# Variables
########################

variable "azure_application_display_name" {
  description = "Display name for the Azure application"
  type        = string
  default     = "grafana-cloud-azure-metrics"
}
variable "azure_subscription_id" {
  type        = string
  description = "Azure Subscription ID source of the Azure metrics"
}
variable "credential_name" {
  type        = string
  description = "The name of the Azure Credential resource that will be created"
  default     = "test-azure-credential"
}
// Required scopes: integration-management:read, integration-management:write, stacks:read
variable "grafana_cloud_access_policy_token" {
  type        = string
  description = "Access policy token for a token with permissions to manage Cloud Provider credentials (recommend using env var/secret manager)"
}
variable "stack_slug" {
  type        = string
  description = "Grafana Cloud Stack Slug where the Azure metrics will be collected"
}

########################
# Providers
########################

# no config required here for most setups (auth via Azure CLI or environment)
# provider "azurerm" {}
# provider "azuread" {}

provider "grafana" {
  cloud_access_policy_token   = var.grafana_cloud_access_policy_token
  cloud_provider_url          = format("https://cloud-provider-api-%s.grafana.net", data.grafana_cloud_stack.current.cluster_slug)
  cloud_provider_access_token = var.grafana_cloud_access_policy_token
}

########################
# Azure: create app / sp / secret / role assignment
########################

data "azurerm_client_config" "current" {}

resource "azuread_application" "grafana_cloud_azure_metrics" {
  display_name = var.azure_application_display_name
}

resource "azuread_application_password" "grafana_cloud_azure_metrics" {
  display_name      = "${var.azure_application_display_name}-secret"
  application_id    = azuread_application.grafana_cloud_azure_metrics.id
  end_date_relative = "8760h" # 1 year

  rotate_when_changed = {
    rotation = time_rotating.azure_monitor_exporter_time_rotation.id
  }
}

resource "time_rotating" "azure_monitor_exporter_time_rotation" {
  // Rotate every 180 days
  // This is to ensure the password is rotated before it expires
  rotation_days = 180
}

# Service Principal for the application — required so we have a client id to grant role assignments
resource "azuread_service_principal" "grafana_cloud_azure_metrics" {
  client_id = azuread_application.grafana_cloud_azure_metrics.client_id
}

# Role assignment for Monitoring Reader - use the Service Principal's client id for principal_id
resource "azurerm_role_assignment" "grafana_cloud_azure_metrics" {
  scope                = "/subscriptions/${var.azure_subscription_id}"
  role_definition_name = "Monitoring Reader"
  principal_id         = azuread_service_principal.grafana_cloud_azure_metrics.id
}


########################
# Grafana Cloud Provider Azure credential
########################

data "grafana_cloud_stack" "current" {
  slug = var.stack_slug
}

resource "grafana_cloud_provider_azure_credential" "azurecred" {
  stack_id = data.grafana_cloud_stack.current.id
  name     = var.credential_name

  client_id     = azuread_application.grafana_cloud_azure_metrics.client_id
  client_secret = azuread_application_password.grafana_cloud_azure_metrics.value
  tenant_id     = data.azurerm_client_config.current.tenant_id

  depends_on = [azurerm_role_assignment.grafana_cloud_azure_metrics] # If the application has no role, this will fail.
}