Created April 20, 2022 07:05
HCL sample for Azure Managed Grafana (at the beginning of the preview)
set -eo pipefail
eval "$(jq -r '@sh "CLIENT_ID=\(.client_id) CLIENT_SECRET=\(.client_secret) TENANT_ID=\(.tenant_id)"')"
RESP=$(curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
-d "grant_type=client_credentials&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}&resource=ce34e7e5-485f-4d76-964f-b3d2b16d1e4f" \${TENANT_ID}/oauth2/token)
TOKEN=$(echo $RESP | jq -r '.access_token')
jq -n --arg token "${TOKEN}" '{"token":$token}'
locals {
rg = {
name = "rg-az-managed-grafana-sample"
location = "southcentralus"
data "azurerm_client_config" "current" {}
terraform {
required_version = "~> 1.1.8"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.2.0"
azapi = {
source = "azure/azapi"
version = "~> 0.1.0"
grafana = {
source = "grafana/grafana"
version = "~> 1.21.0"
provider "azurerm" {
features {
resource_group {
prevent_deletion_if_contains_resources = false
provider "azapi" {}
resource "azurerm_resource_group" "grafana_sample" {
name =
location = local.rg.location
resource "azurerm_storage_account" "sample_target" {
name = "${var.prefix}azgrfsample"
resource_group_name =
location = azurerm_resource_group.grafana_sample.location
account_tier = "Standard"
account_replication_type = "LRS"
// TODO: This will be replaced with AzureRM provider once it is available
resource "azapi_resource" "grafana" {
type = "Microsoft.Dashboard/grafana@2021-09-01-preview"
name = "grafana-sample"
parent_id =
body = jsonencode({
location = azurerm_resource_group.grafana_sample.location
properties = {}
sku = {
name = "Standard"
identity = {
type = "SystemAssigned"
response_export_values = ["properties.endpoint", "identity.principalId"]
// The document says
// "By default, when a Grafana workspace is created, Azure Managed Grafana grants it the Monitoring Reader role for all Azure Monitor data and Log Analytics resources within a subscription."
// but it seems not set so far, so it'll assign it.
resource "azurerm_role_assignment" "grafana_rg" {
scope = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
// Moniroting Reader
role_definition_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05"
principal_id = jsondecode(azapi_resource.grafana.output).identity.principalId
data "external" "grafana_token" {
program = ["/bin/bash", "-c", "${path.module}/"]
query = {
client_id = var.service_principal.client_id
client_secret = var.service_principal.client_secret
tenant_id = data.azurerm_client_config.current.tenant_id
data "http" "dashboard_azure_monitor_storage_insights" {
url = ""
request_headers = {
Accept = "application/json"
data "template_file" "dashboard_azure_monitor_storage_insights" {
template = data.http.dashboard_azure_monitor_storage_insights.body
vars = {
DS_AZURE_MONITOR = "azure-monitor-oob"
VAR_NS = "Microsoft.Storage/storageAccounts"
provider "grafana" {
alias = "base"
url = jsondecode(azapi_resource.grafana.output).properties.endpoint
auth = data.external.grafana_token.result["token"]
org_id = 1
resource "grafana_dashboard" "azure_monitor_storage_insights" {
provider = grafana.base
config_json = data.template_file.dashboard_azure_monitor_storage_insights.rendered
// Use environment variables if you like
variable "prefix" {
type = string
variable "service_principal" {
type = object({
client_id = string
client_secret = string
sensitive = true
Gallagher-Polyn-DCO commented Sep 8, 2023

I was researching "ce34e7e5-485f-4d76-964f-b3d2b16d1e4f" in the script.

It appears to stand in for the "grafana" resource type here.

