Configure serverless Azure metrics

Complete the following steps to configure serverless Azure metrics.

Configure Azure authorization

To collect metrics from Azure Monitor, create a service principal with the proper authorization to allow Grafana Cloud to pull Azure metrics on your behalf.

Create a service principal with Azure CLI

  1. Log in to your Azure account.

    shell
    az login
  2. List your available subscriptions.

    shell
    az account list --output table
  3. Create a service principal for each subscription you want to monitor, and give it the appropriate role. If a service principal already exists with this name, it will be updated with the role and scopes you provide. Make sure to replace <subscription-id> with the appropriate value.

    shell
    az ad sp create-for-rbac --name grafana-cloud-azure-metrics --role "Monitoring Reader" --scopes "/subscriptions/<subscription-id>"
  4. When the service principal is created, capture the output of the command. This output includes the credential information that you need for the Terraform configuration steps.

    json
    {
      "appId": "54321a67-8fd9-123d-45d6-7891234567fd",
      "displayName": "grafana-cloud-azure-metrics",
      "password": "asdf1234~4321fdsa",
      "tenant": "12345a67-8fd9-123d-45d6-7891234567fd"
    }
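
Because step 3 updates an existing service principal of the same name, it is worth confirming afterwards that the principal holds only the intended grant. The following Python check is an added example, not part of the Grafana documentation; it assumes the assignments were exported with `az role assignment list --assignee <appId> --all --output json` and that each entry carries `roleDefinitionName` and `scope` fields. The sample data and the helper name `audit_role_assignments` are constructed.

```python
import json

EXPECTED_ROLE = "Monitoring Reader"  # the role this page assigns


def audit_role_assignments(assignments, subscription_ids):
    """Compare a principal's role assignments with the intended grant.

    Returns findings for extra roles, Monitoring Reader at a scope other than
    the listed subscriptions, and listed subscriptions with no grant at all.
    """
    wanted = {f"/subscriptions/{s}".lower() for s in subscription_ids}
    granted, findings = set(), []
    for a in assignments:
        role = a.get("roleDefinitionName", "<unknown>")
        scope = a.get("scope", "").rstrip("/").lower()
        if role != EXPECTED_ROLE:
            findings.append(f"extra role {role!r} at {scope}")
        elif scope not in wanted:
            findings.append(f"{EXPECTED_ROLE!r} at unexpected scope {scope}")
        else:
            granted.add(scope)
    for scope in sorted(wanted - granted):
        findings.append(f"no {EXPECTED_ROLE!r} grant on {scope}")
    return findings


# Constructed sample in the assumed shape of the CLI's JSON output;
# every ID and name below is made up.
SAMPLE = json.loads("""[
  {"roleDefinitionName": "Monitoring Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-constructed"},
  {"roleDefinitionName": "Monitoring Reader",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-constructed"}
]""")
MONITORED = ["00000000-0000-0000-0000-000000000001",
             "00000000-0000-0000-0000-000000000002"]

if __name__ == "__main__":
    for finding in audit_role_assignments(SAMPLE, MONITORED):
        print(finding)
```

An empty result means the principal has exactly "Monitoring Reader" on each monitored subscription and nothing else.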

Create a service principal with Terraform

The following snippet shows how to configure the Azure service principal using Terraform. You do not need to apply the Terraform to create the service principal before moving forward.

hcl
data "azurerm_client_config" "current" {}

resource "azuread_application" "grafana_cloud_azure_metrics" {
  display_name = "grafana-cloud-azure-metrics"
}

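# The application needs a service principal before a role can be assigned to it
resource "azuread_service_principal" "grafana_cloud_azure_metrics" {
  client_id = azuread_application.grafana_cloud_azure_metrics.client_id
}

resource "azuread_application_password" "grafana_cloud_azure_metrics" {
  # application_id takes the application's resource ID, not its client ID
  application_id    = azuread_application.grafana_cloud_azure_metrics.id
  end_date_relative = "8760h" # 1 year
}

resource "azurerm_role_assignment" "grafana_cloud_azure_metrics" {
  scope                = "/subscriptions/<subscription-id>"
  role_definition_name = "Monitoring Reader"
  # Role assignments target the service principal's object ID
  principal_id         = azuread_service_principal.grafana_cloud_azure_metrics.object_id
}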

Configure Grafana Cloud

After deciding how you want to configure the Azure service principal, you can configure Grafana Cloud to use it.

Create an Access Policy for the Grafana Terraform provider

Note: If you are already using the Grafana Terraform provider, you can skip this step after you ensure the access policy you are using has the following scopes:

  • orgs: Read
  • stacks: Read
  • accesspolicies: Read, Write, Delete

Since this Access Policy is necessary to use the Terraform provider, you must create it through Grafana Cloud.

  1. Log in to Grafana Cloud.
  2. In the Cloud Portal, navigate to Security in the menu to the left and select Access Policies.
  3. Select Create Access Policy.
  4. Assign the required scopes. If you don’t see the following scopes listed, use the Add scope text box to search for and add them:
    • orgs: Read
    • stacks: Read
    • accesspolicies: Read, Write, Delete
  5. Click Create.
  6. Find your created Access Policy and click Add token.
  7. Enter a Token name and optionally configure an Expiration date.
  8. Click Create to generate the token.
  9. Click Copy to clipboard to copy the token to your clipboard, and save it for use in the next steps.

For more information on Access Policies and tokens, refer to Create access policies and tokens.

Configure the Grafana Terraform provider with your Access Policy

Include the Grafana Terraform provider as a dependency in your Terraform configuration file. The version of the provider must be 3.18.0 or later.

hcl
terraform {
  required_providers {
    grafana = {
      source  = "grafana/grafana"
      version = ">= 3.18.0"
    }
  }
}

Choose one of the following methods to configure the Grafana Terraform provider to use the provisioned Access Policy token.

  1. Embed the token in the Terraform configuration. The token is then stored in plain text in that file, so keep the file out of version control.

    hcl
    provider "grafana" {
      cloud_access_policy_token = "<cloud_access_policy_token_from_previous_step>"
    }
  2. Set the environment variable GRAFANA_CLOUD_ACCESS_POLICY_TOKEN to the created token when running Terraform commands, and use the following provider block:

    hcl
    provider "grafana" {}
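
The first method leaves a live token in Terraform source. As an added example (not part of the Grafana documentation), the following Python check flags the secret-bearing attributes used on this page when they are assigned quoted literals, and ignores placeholders, references and interpolations. The sample configuration and its values are constructed, and `find_literal_secrets` is a hypothetical helper name.

```python
import re

# Attributes on this page that carry secrets.
SECRET_ATTRS = ("cloud_access_policy_token", "cloud_provider_access_token", "client_secret")
# Matches only assignments whose value is a quoted string; commented-out lines
# and bare references (var.x, resource.attr) do not match.
LITERAL = re.compile(r'^\s*(%s)\s*=\s*"([^"]*)"' % "|".join(SECRET_ATTRS))


def find_literal_secrets(tf_source):
    """Return (line_number, attribute) for each secret written as a literal."""
    findings = []
    for lineno, line in enumerate(tf_source.splitlines(), start=1):
        m = LITERAL.match(line)
        if not m:
            continue
        attr, value = m.groups()
        is_placeholder = value.startswith("<") and value.endswith(">")
        is_interpolation = "${" in value
        if value and not is_placeholder and not is_interpolation:
            findings.append((lineno, attr))  # the value itself is never echoed
    return findings


# Constructed sample; no value here is a real credential.
SAMPLE_TF = '''\
provider "grafana" {
  cloud_access_policy_token = "constructed-token-not-real"
}
provider "grafana" {
  alias                       = "cloud_provider"
  cloud_provider_access_token = grafana_cloud_access_policy_token.cloud_provider_token.token
}
resource "grafana_cloud_provider_azure_credential" "template" {
  client_secret = "<client_secret>"
}
resource "grafana_cloud_provider_azure_credential" "from_var" {
  # client_secret = "constructed-old-secret"
  client_secret = "${var.client_secret}"
}
resource "grafana_cloud_provider_azure_credential" "hardcoded" {
  client_secret = "constructed-secret-not-real"
}
'''

if __name__ == "__main__":
    for lineno, attr in find_literal_secrets(SAMPLE_TF):
        print(f"line {lineno}: {attr} is a hard-coded literal")
```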

Configure the Terraform provider to use the Cloud Provider API

We suggest creating a dedicated Access Policy for interacting with the Cloud Provider API through the Terraform provider. The following snippet shows how to configure the Access Policy using Terraform. You do not need to apply the Terraform to create the Access Policy before moving forward.

hcl

provider "grafana" {
}

data "grafana_cloud_organization" "current" {
  slug = "<org-slug>"
}

data "grafana_cloud_stack" "current" {
  slug = "<stack-slug>"
}

resource "grafana_cloud_access_policy" "cloud_provider_policy" {
  region       = data.grafana_cloud_stack.current.region_slug
  name         = "cloud-provider-terraform"
  display_name = "Access policy used for Cloud Provider o11y setup"

  scopes = ["integration-management:read", "integration-management:write", "stacks:read"]

  realm {
    type       = "org"
    identifier = data.grafana_cloud_organization.current.id
  }
}

resource "grafana_cloud_access_policy_token" "cloud_provider_token" {
  region           = data.grafana_cloud_stack.current.region_slug
  access_policy_id = grafana_cloud_access_policy.cloud_provider_policy.policy_id
  name             = "cloud-provider-terraform"
  display_name     = "Token used for Cloud Provider o11y setup"
}

provider "grafana" {
  alias                       = "cloud_provider"
  cloud_provider_url          = format("https://cloud-provider-api-%s.grafana.net", data.grafana_cloud_stack.current.cluster_slug)
  cloud_provider_access_token = grafana_cloud_access_policy_token.cloud_provider_token.token
}

The Azure Credential Terraform model

The Cloud Provider portion of the Grafana Terraform provider enables configuring Azure metric collection through the following resources and data sources.

Name | Description
grafana_cloud_provider_azure_credential | A resource representing an Azure Service Principal credential that is used by Grafana Cloud to pull Azure Monitor metrics from one or more subscriptions. For a full reference of this resource, refer to the Terraform resource documentation.

The following is a minimal Azure Credential resource definition.

hcl
resource "grafana_cloud_provider_azure_credential" "myazurecred" {
  stack_id = "<stack_id>"
  name     = "my-credential"

  client_id     = "<client_id>"
  client_secret = "<client_secret>"
  tenant_id     = "<tenant_id>"
}

Full Terraform Example

The following snippet shows a full Terraform example that provisions an Azure service principal and uses it to collect Azure metrics.

hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
    grafana = {
      source  = "grafana/grafana"
      version = ">= 3.18.0"
    }
  }
}

variable "azure_subscription_id" {
  type        = string
  description = "Azure Subscription ID source of the Azure metrics"
}
variable "org_slug" {
  type        = string
  description = "Grafana Cloud Organization Slug where the Azure metrics will be collected"
}
variable "stack_slug" {
  type        = string
  description = "Grafana Cloud Stack Slug where the Azure metrics will be collected"
}
variable "credential_name" {
  type        = string
  description = "The name of the Azure Credential resource that will be created"
  default     = "azure-credential"
}

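# The azurerm 3.x provider requires a features block
provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azuread_application" "grafana_cloud_azure_metrics" {
  display_name = "grafana-cloud-azure-metrics"
}

# The application needs a service principal before a role can be assigned to it
resource "azuread_service_principal" "grafana_cloud_azure_metrics" {
  client_id = azuread_application.grafana_cloud_azure_metrics.client_id
}

resource "azuread_application_password" "grafana_cloud_azure_metrics" {
  # application_id takes the application's resource ID, not its client ID
  application_id    = azuread_application.grafana_cloud_azure_metrics.id
  end_date_relative = "8760h" # 1 year
}

resource "azurerm_role_assignment" "grafana_cloud_azure_metrics" {
  scope                = "/subscriptions/${var.azure_subscription_id}"
  role_definition_name = "Monitoring Reader"
  # Role assignments target the service principal's object ID
  principal_id         = azuread_service_principal.grafana_cloud_azure_metrics.object_id
}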

provider "grafana" {
}

data "grafana_cloud_organization" "current" {
  slug = var.org_slug
}

data "grafana_cloud_stack" "current" {
  slug = var.stack_slug
}

resource "grafana_cloud_access_policy" "cloud_provider_policy" {
  region       = data.grafana_cloud_stack.current.region_slug
  name         = "cloud-provider-terraform"
  display_name = "Access policy used for Cloud Provider o11y setup"

  scopes = ["integration-management:read", "integration-management:write", "stacks:read"]

  realm {
    type       = "org"
    identifier = data.grafana_cloud_organization.current.id
  }
}

resource "grafana_cloud_access_policy_token" "cloud_provider_token" {
  region           = data.grafana_cloud_stack.current.region_slug
  access_policy_id = grafana_cloud_access_policy.cloud_provider_policy.policy_id
  name             = "cloud-provider-terraform"
  display_name     = "Token used for Cloud Provider o11y setup"
}

provider "grafana" {
  alias                       = "cloud_provider"
  cloud_provider_url          = format("https://cloud-provider-api-%s.grafana.net", data.grafana_cloud_stack.current.cluster_slug)
  cloud_provider_access_token = grafana_cloud_access_policy_token.cloud_provider_token.token
}

resource "grafana_cloud_provider_azure_credential" "azurecred" {
  provider = grafana.cloud_provider
  stack_id = data.grafana_cloud_stack.current.id
  name     = var.credential_name

  client_id     = azuread_application.grafana_cloud_azure_metrics.client_id
  client_secret = azuread_application_password.grafana_cloud_azure_metrics.value
  tenant_id     = data.azurerm_client_config.current.tenant_id
}