From 8de25345cc7c413576032b23ce71364f5000db02 Mon Sep 17 00:00:00 2001 From: Illia Pshonkin Date: Mon, 24 Nov 2025 11:59:03 +0100 Subject: [PATCH 1/4] feat: Add workspace resource policy support --- README.md | 10 ++++++++++ examples/complete/main.tf | 23 +++++++++++++++++++++++ main.tf | 33 +++++++++++++++++++++++++++++++++ variables.tf | 12 ++++++++++++ 4 files changed, 78 insertions(+) diff --git a/README.md b/README.md index d44e096..ee55e76 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,11 @@ module "prometheus" { } ``` +### Prometheus workspace with a custom policy attached + +When you need to attach a custom policy to the bucket, you can use the `policy` argument. To keep policy with correct Prometheus Workspace ARN and AWS account properties, you can use the placeholders `_PROMETHEUS_ARN_` and `_AWS_ACCOUNT_ID_` in the policy document. Those values will be replaced with the actual values during the policy attachment. + + ## Examples Examples codified under the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-managed-service-prometheus/tree/master/examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you! 
@@ -76,15 +81,19 @@ No modules. |------|------| | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_prometheus_alert_manager_definition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_alert_manager_definition) | resource | +| [aws_prometheus_resource_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_resource_policy) | resource | | [aws_prometheus_rule_group_namespace.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_rule_group_namespace) | resource | | [aws_prometheus_workspace.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_workspace) | resource | | [aws_prometheus_workspace_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_workspace_configuration) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [alert\_manager\_definition](#input\_alert\_manager\_definition) | The alert manager definition that you want to be applied. 
See more in the [AWS Docs](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-alert-manager.html) | `string` | `"alertmanager_config: |\n route:\n receiver: 'default'\n receivers:\n - name: 'default'\n"` | no | +| [attach\_policy](#input\_attach\_policy) | Controls if Prometheus Workspace should have policy attached (set to `true` to use value of `policy` as Prometheus Workspace policy) | `bool` | `false` | no | | [cloudwatch\_log\_group\_class](#input\_cloudwatch\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no | | [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | `string` | `null` | no | | [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | Custom name of CloudWatch log group for a service associated with the container definition | `string` | `null` | no | @@ -96,6 +105,7 @@ No modules. | [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the KMS Key to for encryption at rest | `string` | `null` | no | | [limits\_per\_label\_set](#input\_limits\_per\_label\_set) | Configuration block for setting limits on metrics with specific label sets |
list(object({
label_set = map(string)
limits = object({
max_series = number
})
}))
| `null` | no | | [logging\_configuration](#input\_logging\_configuration) | The logging configuration of the prometheus workspace. |
object({
create_log_group = optional(bool, true)
logging_configuration = optional(string)
})
| `null` | no | +| [policy](#input\_policy) | (Optional) A valid policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. | `string` | `null` | no | | [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no | | [retention\_period\_in\_days](#input\_retention\_period\_in\_days) | Number of days to retain metric data in the workspace | `number` | `null` | no | | [rule\_group\_namespaces](#input\_rule\_group\_namespaces) | A map of one or more rule group namespace definitions |
map(object({
name = string
data = string
}))
| `null` | no | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index b5c38ed..503be99 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -42,6 +42,29 @@ module "prometheus" { } ] + attach_policy = true + policy = <<-EOT + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "_AWS_ACCOUNT_ID_" + }, + "Action": [ + "aps:RemoteWrite", + "aps:QueryMetrics", + "aps:GetSeries", + "aps:GetLabels", + "aps:GetMetricMetadata" + ], + "Resource": "_PROMETHEUS_ARN_" + } + ] + } + EOT + create_alert_manager = true alert_manager_definition = <<-EOT alertmanager_config: | diff --git a/main.tf b/main.tf index 4616bcd..42ec384 100644 --- a/main.tf +++ b/main.tf @@ -1,5 +1,21 @@ +data "aws_caller_identity" "current" {} + locals { workspace_id = var.create && var.create_workspace ? aws_prometheus_workspace.this[0].id : var.workspace_id + + # Placeholders in the policy document to be replaced with the actual values + policy_placeholders = { + "_PROMETHEUS_ARN_" = try(aws_prometheus_workspace.this[0].arn, null), + "_AWS_ACCOUNT_ID_" = try(data.aws_caller_identity.current.account_id, null) + } + + policy = var.create && var.create_workspace && var.attach_policy ? replace( + replace( + data.aws_iam_policy_document.combined[0].json, + "_PROMETHEUS_ARN_", local.policy_placeholders["_PROMETHEUS_ARN_"] + ), + "_AWS_ACCOUNT_ID_", local.policy_placeholders["_AWS_ACCOUNT_ID_"] + ) : "" } ################################################################################ 
@@ -54,6 +70,23 @@ resource "aws_prometheus_workspace_configuration" "this" { } } +data "aws_iam_policy_document" "combined" { + count = var.create && var.create_workspace && var.attach_policy ? 1 : 0 + + source_policy_documents = compact([ + var.attach_policy ? var.policy : "" + ]) +} + +resource "aws_prometheus_resource_policy" "this" { + count = var.create && var.create_workspace && var.attach_policy ? 1 : 0 + + region = var.region + + workspace_id = local.workspace_id + policy_document = local.policy +} + ################################################################################ # Cloudwatch Log Group ################################################################################ diff --git a/variables.tf b/variables.tf index d4e79c4..2274c65 100644 --- a/variables.tf +++ b/variables.tf @@ -74,6 +74,18 @@ variable "limits_per_label_set" { default = null } +variable "attach_policy" { + description = "Controls if Prometheus Workspace should have policy attached (set to `true` to use value of `policy` as Prometheus Workspace policy)" + type = bool + default = false +} + +variable "policy" { + description = "(Optional) A valid policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide." + type = string + default = null +} + ################################################################################ # CloudWatch Log Group ################################################################################ From 7f2c968c6a3aa067f041eb853aa4aa6f8add194d Mon Sep 17 00:00:00 2001 
From: Bryant Biggs Date: Sat, 29 Nov 2025 09:15:01 -0600 Subject: [PATCH 2/4] fix: Correct logic to use resources directly instead of templating --- README.md | 12 ++-- examples/complete/main.tf | 36 +++++------ main.tf | 125 +++++++++++++++++++++++++++++++------- variables.tf | 38 +++++++++--- 4 files changed, 153 insertions(+), 58 deletions(-) diff --git a/README.md b/README.md index ee55e76..33a27c1 100644 --- a/README.md +++ b/README.md @@ -46,11 +46,6 @@ module "prometheus" { } ``` -### Prometheus workspace with a custom policy attached - -When you need to attach a custom policy to the bucket, you can use the `policy` argument. To keep policy with correct Prometheus Workspace ARN and AWS account properties, you can use the placeholders `_PROMETHEUS_ARN_` and `_AWS_ACCOUNT_ID_` in the policy document. Those values will be replaced with the actual values during the policy attachment. - - ## Examples Examples codified under the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-managed-service-prometheus/tree/master/examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you! 
@@ -86,14 +81,14 @@ No modules. | [aws_prometheus_workspace.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_workspace) | resource | | [aws_prometheus_workspace_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_workspace_configuration) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.resource_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_service_principal.grafana](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [alert\_manager\_definition](#input\_alert\_manager\_definition) | The alert manager definition that you want to be applied. See more in the [AWS Docs](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-alert-manager.html) | `string` | `"alertmanager_config: |\n route:\n receiver: 'default'\n receivers:\n - name: 'default'\n"` | no | -| [attach\_policy](#input\_attach\_policy) | Controls if Prometheus Workspace should have policy attached (set to `true` to use value of `policy` as Prometheus Workspace policy) | `bool` | `false` | no | | [cloudwatch\_log\_group\_class](#input\_cloudwatch\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no | | [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. 
Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | `string` | `null` | no | | [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | Custom name of CloudWatch log group for a service associated with the container definition | `string` | `null` | no | @@ -101,12 +96,13 @@ No modules. | [cloudwatch\_log\_group\_use\_name\_prefix](#input\_cloudwatch\_log\_group\_use\_name\_prefix) | Determines whether the log group name should be used as a prefix | `bool` | `false` | no | | [create](#input\_create) | Determines whether a resources will be created | `bool` | `true` | no | | [create\_alert\_manager](#input\_create\_alert\_manager) | Controls whether an Alert Manager definition is created along with the AMP workspace | `bool` | `true` | no | +| [create\_resource\_policy](#input\_create\_resource\_policy) | Controls whether a resource policy is created along with the AMP workspace | `bool` | `true` | no | | [create\_workspace](#input\_create\_workspace) | Determines whether a workspace will be created or to use an existing workspace | `bool` | `true` | no | | [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the KMS Key to for encryption at rest | `string` | `null` | no | | [limits\_per\_label\_set](#input\_limits\_per\_label\_set) | Configuration block for setting limits on metrics with specific label sets |
list(object({
label_set = map(string)
limits = object({
max_series = number
})
}))
| `null` | no | | [logging\_configuration](#input\_logging\_configuration) | The logging configuration of the prometheus workspace. |
object({
create_log_group = optional(bool, true)
logging_configuration = optional(string)
})
| `null` | no | -| [policy](#input\_policy) | (Optional) A valid policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. | `string` | `null` | no | | [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no | +| [resource\_policy\_statements](#input\_resource\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage |
map(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string, "Allow")
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
variable = string
values = list(string)
})))
}))
| `null` | no | | [retention\_period\_in\_days](#input\_retention\_period\_in\_days) | Number of days to retain metric data in the workspace | `number` | `null` | no | | [rule\_group\_namespaces](#input\_rule\_group\_namespaces) | A map of one or more rule group namespace definitions |
map(object({
name = string
data = string
}))
| `null` | no | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 503be99..41be2d8 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -42,28 +42,22 @@ module "prometheus" { } ] - attach_policy = true - policy = <<-EOT - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "_AWS_ACCOUNT_ID_" - }, - "Action": [ - "aps:RemoteWrite", - "aps:QueryMetrics", - "aps:GetSeries", - "aps:GetLabels", - "aps:GetMetricMetadata" - ], - "Resource": "_PROMETHEUS_ARN_" - } - ] + create_resource_policy = true + resource_policy_statements = { + something = { + sid = "OtherAccountRead" + principals = [{ + type = "AWS" + identifiers = ["arn:aws:iam::123456789012:root"] + }] + actions = [ + "aps:QueryMetrics", + "aps:GetSeries", + "aps:GetLabels", + "aps:GetMetricMetadata", + ] + } } - EOT create_alert_manager = true alert_manager_definition = <<-EOT diff --git a/main.tf b/main.tf index 42ec384..3912d52 100644 --- a/main.tf +++ b/main.tf 
@@ -1,21 +1,9 @@ -data "aws_caller_identity" "current" {} +data "aws_caller_identity" "current" { + count = local.create_resource_policy ? 1 : 0 +} locals { workspace_id = var.create && var.create_workspace ? aws_prometheus_workspace.this[0].id : var.workspace_id - - # Placeholders in the policy document to be replaced with the actual values - policy_placeholders = { - "_PROMETHEUS_ARN_" = try(aws_prometheus_workspace.this[0].arn, null), - "_AWS_ACCOUNT_ID_" = try(data.aws_caller_identity.current.account_id, null) - } - - policy = var.create && var.create_workspace && var.attach_policy ? replace( - replace( - data.aws_iam_policy_document.combined[0].json, - "_PROMETHEUS_ARN_", local.policy_placeholders["_PROMETHEUS_ARN_"] - ), - "_AWS_ACCOUNT_ID_", local.policy_placeholders["_AWS_ACCOUNT_ID_"] - ) : "" } ################################################################################ 
@@ -70,21 +58,114 @@ resource "aws_prometheus_workspace_configuration" "this" { } } -data "aws_iam_policy_document" "combined" { - count = var.create && var.create_workspace && var.attach_policy ? 1 : 0 +################################################################################ +# Resource Policy +################################################################################ + +data "aws_service_principal" "grafana" { + count = local.create_resource_policy ? 1 : 0 + + region = var.region + service_name = "grafana" +} + +locals { + create_resource_policy = var.create && var.create_workspace && var.create_resource_policy +} + +data "aws_iam_policy_document" "resource_policy" { + count = local.create_resource_policy ? 1 : 0 + + dynamic "statement" { + # Default permissions if custom permissions are not provided + for_each = var.resource_policy_statements == null ? [1] : [] + + content { + sid = "DefaultAccountReadWrite" + principals { + type = "AWS" + identifiers = [data.aws_caller_identity.current[0].account_id] + } + actions = [ + "aps:RemoteWrite", + "aps:QueryMetrics", + "aps:GetSeries", + "aps:GetLabels", + "aps:GetMetricMetadata", + ] + resources = [local.workspace_id] + } + } + + dynamic "statement" { + # Default permissions if custom permissions are not provided + for_each = var.resource_policy_statements == null ? [1] : [] + + content { + sid = "DefaultGrafanaRead" + principals { + type = "Service" + identifiers = [data.aws_service_principal.grafana[0].name] + } + actions = [ + "aps:QueryMetrics", + "aps:GetSeries", + "aps:GetLabels", + "aps:GetMetricMetadata", + ] + resources = [local.workspace_id] + } + } + + dynamic "statement" { + for_each = var.resource_policy_statements != null ? 
var.resource_policy_statements : {} + + content { + sid = try(coalesce(statement.value.sid, statement.key)) + actions = statement.value.actions + not_actions = statement.value.not_actions + effect = statement.value.effect + resources = coalescelist(statement.value.resources, [local.workspace_id]) + not_resources = statement.value.not_resources + + dynamic "principals" { + for_each = statement.value.principals != null ? statement.value.principals : [] + + content { + type = principals.value.type + identifiers = principals.value.identifiers + } + } + + dynamic "not_principals" { + for_each = statement.value.not_principals != null ? statement.value.not_principals : [] + + content { + type = not_principals.value.type + identifiers = not_principals.value.identifiers + } + } + + dynamic "condition" { + for_each = statement.value.condition != null ? statement.value.condition : [] - source_policy_documents = compact([ - var.attach_policy ? var.policy : "" - ]) + content { + test = condition.value.test + values = condition.value.values + variable = condition.value.variable + } + } + } + } } resource "aws_prometheus_resource_policy" "this" { - count = var.create && var.create_workspace && var.attach_policy ? 1 : 0 + count = local.create_resource_policy ? 1 : 0 region = var.region workspace_id = local.workspace_id - policy_document = local.policy + policy_document = data.aws_iam_policy_document.resource_policy[0].json } ################################################################################ diff --git a/variables.tf b/variables.tf index 2274c65..4ac4289 100644 --- a/variables.tf +++ b/variables.tf 
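Review bot: The `DefaultGrafanaRead` statement grants the `grafana` service principal read actions on the workspace with no `condition` block, so nothing in the policy ties that grant to this account; the usual guard against a service principal being used as a confused deputy is an `aws:SourceAccount` condition (and `aws:SourceArn` where the calling resource's ARN is known). The hunk already has the account id on hand in `data.aws_caller_identity.current[0].account_id`, so the default statement can be scoped as below; whether AMP honours these condition keys for the Grafana principal should be confirmed against the AMP resource-policy documentation before merging. The custom-statement path already supports `condition`, so only the default statement is affected.
```hcl
    content {
      sid = "DefaultGrafanaRead"
      # … unchanged: principals, actions, resources …
      condition {
        test     = "StringEquals"
        variable = "aws:SourceAccount"
        values   = [data.aws_caller_identity.current[0].account_id]
      }
    }
# … unchanged: custom statement block, resource policy …
```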
@@ -74,16 +74,40 @@ variable "limits_per_label_set" { default = null } -variable "attach_policy" { - description = "Controls if Prometheus Workspace should have policy attached (set to `true` to use value of `policy` as Prometheus Workspace policy)" +################################################################################ +# Resource Policy +################################################################################ + +variable "create_resource_policy" { + description = "Controls whether a resource policy is created along with the AMP workspace" type = bool - default = false + default = true } -variable "policy" { - description = "(Optional) A valid policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide." - type = string - default = null +variable "resource_policy_statements" { + description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage" + type = map(object({ + sid = optional(string) + actions = optional(list(string)) + not_actions = optional(list(string)) + effect = optional(string, "Allow") + resources = optional(list(string)) + not_resources = optional(list(string)) + principals = optional(list(object({ + type = string + identifiers = list(string) + }))) + not_principals = optional(list(object({ + type = string + identifiers = list(string) + }))) + condition = optional(list(object({ + test = string + variable = string + values = list(string) + }))) + })) + default = null } ################################################################################ 
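Review bot: `create_resource_policy` now defaults to `true`, but neither description says what the default policy contains or that `resource_policy_statements` replaces the defaults rather than extending them, which is what the `== null ? [1] : []` guards in main.tf imply; a user upgrading the module gets a workspace policy granting the account root read/write and the Grafana service principal read access without opting in. Suggested wording for `create_resource_policy`: `Controls whether a resource policy is created along with the AMP workspace. When no custom statements are supplied, a default policy granting the current account read/write and the Grafana service principal read access is attached`. For `resource_policy_statements`, append `Supplying any statements replaces the default statements entirely`.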
From 85696fce51341bbcc44db83cff6da7a2bc32db89 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Sat, 29 Nov 2025 09:30:51 -0600 Subject: [PATCH 3/4] fix: Correct workspace configuration empty logic --- examples/complete/main.tf | 4 +++- main.tf | 27 ++++++++++++++++++++++----- 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 41be2d8..0c6627f 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -2,6 +2,8 @@ provider "aws" { region = local.region } +data "aws_caller_identity" "current" {} + locals { region = "us-east-1" name = "amp-ex-${basename(path.cwd)}" @@ -48,7 +50,7 @@ module "prometheus" { sid = "OtherAccountRead" principals = [{ type = "AWS" - identifiers = ["arn:aws:iam::123456789012:root"] + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] }] actions = [ "aps:QueryMetrics", diff --git a/main.tf b/main.tf index 3912d52..6f631a7 100644 --- a/main.tf +++ b/main.tf @@ -2,8 +2,25 @@ data "aws_caller_identity" "current" { count = local.create_resource_policy ? 1 : 0 } +data "aws_partition" "current" { + count = local.create_resource_policy ? 1 : 0 +} + +data "aws_region" "current" { + count = local.create_resource_policy ? 1 : 0 + + region = var.region +} + locals { + partition = try(data.aws_partition.current[0].partition, "aws") + account_id = try(data.aws_caller_identity.current[0].account_id, "") + region = try(data.aws_region.current[0].region, "") + workspace_id = var.create && var.create_workspace ? aws_prometheus_workspace.this[0].id : var.workspace_id + + # Since we are accepting externally created workspaces, we need to re-construct the ARN for the policy + workspace_arn = var.create && var.create_workspace ? aws_prometheus_workspace.this[0].arn : "arn:${local.partition}:aps:${local.region}:${local.account_id}:workspace/${var.workspace_id}" } ################################################################################ 
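Review bot: After this change the `OtherAccountRead` statement's principal is the deploying account's own root, so the sid no longer describes the grant; either rename it, `sid = "SameAccountRead"`, or add a comment saying the caller's account id is a stand-in for a real remote account. It is also worth a comment in the example that supplying `resource_policy_statements` drops the module's default statements, including the Grafana service-principal read, since the example now exercises only the custom path.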
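Review bot: The `workspace_arn` fallback that rebuilds an ARN for an externally supplied `workspace_id` is only reached when `var.create_workspace` is false, but `local.create_resource_policy` (introduced in the previous commit) requires `var.create_workspace`, so the three new data sources have `count = 0` in exactly that case and the `try` defaults would produce an ARN of the form `arn:aws:aps:::workspace/<id>`; nothing consumes it then, because the policy document is gated off by the same local. Either relax the gate so a policy can be attached to an existing workspace, which is what the comment describes, e.g. `create_resource_policy = var.create && var.create_resource_policy`, or treat the fallback and the `try` defaults as dead code and remove them. If the gate is relaxed, `local.workspace_id` already resolves to `var.workspace_id` on that path, so the resource policy needs no further change.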
@@ -34,7 +51,7 @@ resource "aws_prometheus_workspace" "this" { ################################################################################ resource "aws_prometheus_workspace_configuration" "this" { - count = var.create && var.create_workspace ? 1 : 0 + count = var.create && var.create_workspace && var.limits_per_label_set != null ? 1 : 0 region = var.region @@ -48,7 +65,7 @@ resource "aws_prometheus_workspace_configuration" "this" { label_set = limits_per_label_set.value.label_set dynamic "limits" { - for_each = limits_per_label_set.value.limits + for_each = [limits_per_label_set.value.limits] content { max_series = limits.value.max_series @@ -93,7 +110,7 @@ data "aws_iam_policy_document" "resource_policy" { "aps:GetLabels", "aps:GetMetricMetadata", ] - resources = [local.workspace_id] + resources = [local.workspace_arn] } } @@ -113,7 +130,7 @@ data "aws_iam_policy_document" "resource_policy" { "aps:GetLabels", "aps:GetMetricMetadata", ] - resources = [local.workspace_id] + resources = [local.workspace_arn] } } @@ -125,7 +142,7 @@ data "aws_iam_policy_document" "resource_policy" { actions = statement.value.actions not_actions = statement.value.not_actions effect = statement.value.effect - resources = coalescelist(statement.value.resources, [local.workspace_id]) + resources = coalescelist(statement.value.resources, [local.workspace_arn]) not_resources = statement.value.not_resources dynamic "principals" { From 198a163e36db21b2824f5c21b5b0ec575c70c7d5 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Sat, 29 Nov 2025 09:38:09 -0600 Subject: [PATCH 4/4] fix: Run `pre-commit run -a` --- README.md | 2 ++ examples/complete/README.md | 8 ++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 33a27c1..38325bd 100644 --- a/README.md +++ b/README.md 
@@ -82,6 +82,8 @@ No modules. | [aws_prometheus_workspace_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_workspace_configuration) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.resource_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_service_principal.grafana](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source | ## Inputs diff --git a/examples/complete/README.md b/examples/complete/README.md index b49dbf5..c41857d 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -28,7 +28,9 @@ Note that this example may create resources which will incur monetary charges on ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 6.22 | ## Modules @@ -40,7 +42,9 @@ No providers. ## Resources -No resources. +| Name | Type | +|------|------| +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | ## Inputs