
[Enhancement]: aws_grafana_workspace_api_key recreation after expire #27043

Open
tanshihaj opened this issue Sep 30, 2022 · 11 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/grafana Issues and PRs that pertain to the grafana service.

Comments

@tanshihaj

Description

In #25286 a new aws_grafana_workspace_api_key resource was created to automate API key retrieval. But I have a question about module usage. After seconds_to_live the API key expires, but the resource aws_grafana_workspace_api_key will not be recreated automatically. So you have to manually recreate this resource to keep this API key valid, right?

Is there any mechanism to recreate the resource automatically? The current behavior makes any automation really hard.

Affected Resource(s) and/or Data Source(s)

aws_grafana_workspace_api_key

Potential Terraform Configuration

No response

References

No response

Would you like to implement a fix?

No response

@tanshihaj tanshihaj added enhancement Requests to existing resources that expand the functionality or scope. needs-triage Waiting for first response or review from a maintainer. labels Sep 30, 2022
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@justinretzolk justinretzolk added service/grafana Issues and PRs that pertain to the grafana service. and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 31, 2022
@chriselion

Has anyone found a workaround for this? I had hoped that appending floor(time_static.current_time.unix / seconds_to_live) to the key_name would automatically change the name and generate a new key pair, but it appears that doesn't work that way.

@chriselion

Using time_rotating + replace_triggered_by + this workaround seems promising - ask me in 30 days!

@dnaprawa-capgemini

dnaprawa-capgemini commented May 16, 2023

+1 – really needed feature

@chriselion do you have any working sample code? :)

@chriselion

@dnaprawa-capgemini Sorry, I missed the notification for this. Here's what worked for me

locals {
  expiration_days    = 30
  expiration_seconds = 60 * 60 * 24 * local.expiration_days
}

# Its timestamps move forward once rotation_days have elapsed since creation.
resource "time_rotating" "rotate" {
  rotation_days = local.expiration_days
}

# Pins the rotating timestamp; a new rfc3339 value forces this resource to be replaced.
resource "time_static" "rotate" {
  rfc3339 = time_rotating.rotate.rfc3339
}

resource "aws_grafana_workspace_api_key" "admin_key" {
  key_name        = # ...
  key_role        = # ...
  seconds_to_live = local.expiration_seconds
  workspace_id    = # ...

  lifecycle {
    # Replacing time_static.rotate forces a fresh API key to be issued.
    replace_triggered_by = [
      time_static.rotate
    ]
  }
}

@chriselion

I can confirm that applying after the keys have expired correctly rotated them.
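
The rotation above only happens when an apply runs after time_rotating has rotated, and Amazon Managed Grafana caps seconds_to_live at 30 days, so with rotation_days equal to the key lifetime there is a window between expiry and the next apply where the key is dead. The following Python model (an added example, not code from this issue or from the AWS or time providers; the apply schedule and timestamps are constructed) simulates the pattern and reports those outage windows so a rotation period and apply cadence can be checked before rollout:

```python
"""Model of the time_rotating + replace_triggered_by pattern from this thread (added example,
not code from the issue or the providers). Simplified semantics: on each `terraform apply`,
time_rotating rotates once rotation_days have elapsed since the previous rotation, which
replaces the API key with a fresh seconds_to_live lifetime. All timestamps are constructed."""
from dataclasses import dataclass

DAY = 86400
AMG_MAX_SECONDS_TO_LIVE = 30 * DAY  # Amazon Managed Grafana caps API key lifetime at 30 days

@dataclass
class KeyState:
    rotated_at: int  # epoch seconds of the last rotation (time_rotating base timestamp)
    expires_at: int  # epoch seconds at which the current key stops working

def simulate_apply(state, now, rotation_days, seconds_to_live):
    """One `terraform apply` at epoch time `now`; returns the resulting key state."""
    if not 1 <= seconds_to_live <= AMG_MAX_SECONDS_TO_LIVE:
        raise ValueError("seconds_to_live must be between 1 second and 30 days")
    if now >= state.rotated_at + rotation_days * DAY:
        # time_rotating rotated -> time_static replaced -> key replaced
        return KeyState(rotated_at=now, expires_at=now + seconds_to_live)
    return state  # nothing to rotate yet; the existing key keeps its expiry

def outage_windows(applies, rotation_days, seconds_to_live):
    """Return (start, end) epoch intervals during which the key was expired.
    `applies` is a sorted list of epoch seconds at which `terraform apply` ran;
    the first entry is the apply that created the key."""
    windows = []
    prev = applies[0]
    state = KeyState(rotated_at=prev, expires_at=prev + seconds_to_live)
    for t in applies[1:]:
        if t > state.expires_at:
            # Key was dead from its expiry (or from the previous apply, if it was
            # already dead then) until this apply had a chance to rotate it.
            windows.append((max(state.expires_at, prev), t))
        state = simulate_apply(state, t, rotation_days, seconds_to_live)
        prev = t
    return windows

if __name__ == "__main__":
    weekly = [d * DAY for d in range(0, 36, 7)]  # constructed: applies on days 0,7,...,35
    # The config in the thread: rotation_days == key lifetime == 30 days
    print(outage_windows(weekly, 30, 30 * DAY))  # key dead between day 30 and day 35
    # Leave headroom: rotate at 21 days while the key stays valid for 30
    print(outage_windows(weekly, 21, 30 * DAY))  # []
```

Keeping rotation_days shorter than seconds_to_live by at least the longest gap between applies removes the window entirely.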

@ff-pjha

ff-pjha commented Feb 25, 2024

Is the functionality supported by the official resource? The keys still expire and it doesn't regenerate.
I will try the solution provided by @chriselion

@IDUN-BogdanPi

I used the key rotation mechanism suggested above; the problem is that the provider depends on the key:

provider "grafana" {
  url  = "https://${aws_grafana_workspace.grafana_ep.endpoint}"
  auth = aws_grafana_workspace_api_key.key.key
}

So, when I apply, the workspace is replaced:

  # aws_grafana_workspace_api_key.key will be replaced due to changes in replace_triggered_by
-/+ resource "aws_grafana_workspace_api_key" "key" {
      ~ id              = "g-xxxxxxxxx/api-key" -> (known after apply)
      ~ key             = "eyJrIjoiM...." -> (known after apply)
        # (4 unchanged attributes hidden)
    }
    

But the provider somehow is not replaced, because then I get this error from the other resources that depend on the provider:

Plan: 6 to add, 3 to change, 2 to destroy.
╷
│ Error: the Grafana client is required for `grafana_data_source`. Set the auth and url provider attributes
│ 
│   with grafana_data_source.postgres_DB,
│   on grafana.tf line 83, in resource "grafana_data_source" "postgres_DB":
│   83: resource "grafana_data_source" "postgres_DB" {
│ 
╵
╷
│ Error: the Grafana client is required for `grafana_folder`. Set the auth and url provider attributes
│ 
│   with grafana_folder.data,
│   on grafana.tf line 108, in resource "grafana_folder" "data":
│  108: resource "grafana_folder" "data" {
│ 
╵

Is this happening to anyone else or am I missing something?

@Sadarex

Sadarex commented Mar 11, 2024

You have a syntax error.

auth = aws_grafana_workspace_api_key.key.key
should be
auth = aws_grafana_workspace_api_key.key

@IDUN-BogdanPi

Thanks for the quick response. The name of the resource is key. I know, it's confusing:

resource "aws_grafana_workspace_api_key" "key" {

so it's key.key because I need the key value from the key resource :D

@IDUN-BogdanPi

IDUN-BogdanPi commented Mar 11, 2024

It seems someone else also has this issue (in the comments section): https://devopstar.com/2023/02/25/automatic-api-key-rotation-for-amazon-managed-grafana/

The author suggests as a possible solution to move the key generation into a separate terraform module and pass that to the provider:

module "managed-grafana" {
  source  = "../modules/managed-grafana" # put the workspace/api-key terraform in a module like this
  account = data.aws_caller_identity.current.account_id
  region  = data.aws_region.current.name
}

resource "grafana_data_source" "athena" {
  type = "grafana-athena-datasource"
  name = "Amazon Athena"
}

I'll give this a try.
