Data source permissions API endpoint clarification #1198

Closed
jacobwoffenden opened this issue Dec 5, 2023 · 4 comments

jacobwoffenden commented Dec 5, 2023

Terraform Version

  • Terraform: v1.5.7
  • Terraform Grafana Provider: v2.7.0
  • Grafana: v9.4.7 (Amazon Managed Grafana Enterprise)

Affected Resource(s)

grafana_data_source_permission

Terraform Configuration Files

resource "grafana_data_source_permission" "this" {
  for_each = toset(var.cloudwatch_accounts)

  datasource_id = data.grafana_data_source.this[each.key].id

  permissions {
    team_id    = grafana_team.this.id
    permission = "Query"
  }
}

Pull request ministryofjustice/modernisation-platform-environments#4229

Debug Output

We are working on obtaining this

Panic Output

n/a

Expected Behavior

data source permissions are reconciled as defined in code

Is there a specific version of Grafana's Terraform provider to use against Grafana v9.4.7?

Actual Behavior

Error: error getting datasources resource permissions at /api/access-control/datasources/${DATA_SOURCE_UID}: status: 404, body:

Steps to Reproduce

  1. Terraform apply

Important Factoids

I would expect to see Grafana provider calling this API https://grafana.com/docs/grafana/v10.1/developers/http_api/datasource_permissions/ which matches AMG's documented API https://docs.aws.amazon.com/grafana/latest/userguide/Grafana-API-DatasourcePermissions.html#Grafana-API-DatasourcePermissions-add, however it is calling the newer API https://grafana.com/docs/grafana/v10.2/developers/http_api/datasource_permissions/

For example, when breaking this down into raw API calls, it works using the older API endpoints

getId=$(curl \
  --silent \
  --request GET \
  --header "Authorization: Bearer ${GRAFANA_BEARER_TOKEN}" \
  --url "${GRAFANA_SERVER}/api/datasources" \
  | jq -r  '.[] | select(.name=="<insert name of data source>") | .id')
export getId
echo "ID: ${getId}"

curl \
  --silent \
  --request GET \
  --header "Authorization: Bearer ${GRAFANA_BEARER_TOKEN}" \
  --url "${GRAFANA_SERVER}/api/datasources/${getId}/permissions" | jq

EDIT:

I dropped the provider to 2.4.0 (which was the release before this was added #1106) and it applied. I will try 2.5.0 and 2.6.0 and try and figure out the diffs between them if a particular version stops working

EDIT 2:

My testing shows that 2.5.0 is the last version this works with.

2.6.0 output

Terraform will perform the following actions:

  # module.tenant_rbac["<team name>"].grafana_data_source_permission.this["<insert name of data source>"] will be created
  + resource "grafana_data_source_permission" "this" {
      + datasource_id = "1:11"
      + id            = (known after apply)

      + permissions {
          + permission = "Query"
          + team_id    = "1:8"
          + user_id    = "0"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
╷
│ Warning: datasource permissions with ID "0:11" is in Terraform state, but no longer exists in Grafana
│ 
│   with module.tenant_rbac["<team name>"].grafana_data_source_permission.this["<insert name of data source>"],
│   on modules/grafana/tenant-rbac/main.tf line 26, in resource "grafana_data_source_permission" "this":
│   26: resource "grafana_data_source_permission" "this" {
│ 
│ "0:11" will be recreated when you apply
╵

References

n/a

@julienduchesne
Member

julienduchesne commented Dec 19, 2023

Yes, this is the PR that causes the issue: #1133 which was released in v2.6.0. So that's why v2.5.0 works. I will check if we can't test enterprise features on the last major version (v9) as well

So for now, you'll have to use v2.5.0 unfortunately

@jacobwoffenden
Author

Thanks, @julienduchesne!

Using 2.5.0 is OK for now, hopefully Amazon Managed Grafana will release a v10 soon 🤞

@julienduchesne
Member

Leave this issue open anyways. I don't think it makes sense to support v9 for OSS but not for enterprise

@julienduchesne
Member

I will close this. This is essentially just an Amazon issue (RBAC is disabled: aws/amazon-managed-grafana-roadmap#69).
We now run enterprise tests on the same versions as we do for OSS and I have found that datasource permissions actually are supported in v9.

julienduchesne closed this as not planned on Apr 16, 2024
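Added example, not part of the original thread or the provider's code: a probe that tells an absent endpoint (404, as on the Amazon Managed Grafana v9.4.7 workspace in this issue) apart from a refused token (401/403) before a provider version is chosen. It reuses the `GRAFANA_SERVER` and `GRAFANA_BEARER_TOKEN` variables from the issue; the function names and result labels are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: function names and result labels are illustrative only.

# Print only the HTTP status code for a GET on the given URL.
http_status() {
  curl --silent --output /dev/null --write-out '%{http_code}' \
    --header "Authorization: Bearer ${GRAFANA_BEARER_TOKEN}" \
    --url "$1"
}

# Usage: probe_ds_permission_api <numeric data source id> <data source uid>
# Probes both endpoints quoted in the issue and prints one label.
probe_ds_permission_api() {
  local id="$1" uid="$2" rbac legacy
  rbac=$(http_status "${GRAFANA_SERVER}/api/access-control/datasources/${uid}")
  legacy=$(http_status "${GRAFANA_SERVER}/api/datasources/${id}/permissions")
  case "${rbac}:${legacy}" in
    # An auth failure on either call says nothing about endpoint support.
    401:*|403:*|*:401|*:403) echo "denied" ;;
    200:*)   echo "rbac" ;;         # newer access-control endpoint is served
    404:200) echo "legacy-only" ;;  # the situation reported in this issue
    *)       echo "unknown" ;;      # e.g. 000 (no connection) or a wrong id/uid
  esac
}

# Map a probe result to the action discussed in the thread.
provider_hint() {
  case "$1" in
    rbac)        echo "provider 2.6.0 and later call this endpoint" ;;
    legacy-only) echo "pin provider to 2.5.0, the last version reported working here" ;;
    denied)      echo "fix the token's role before drawing conclusions" ;;
    *)           echo "inconclusive: check server URL and data source id/uid" ;;
  esac
}
```

Typical use is `provider_hint "$(probe_ds_permission_api "$getId" "$uid")"`, with the uid taken from the `.uid` field of the same `/api/datasources` listing the issue queries for `.id`.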