feat: Add workspace resource policy support

README.md

@@ -76,9 +76,15 @@ No modules.
 |------|------|
 | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_prometheus_alert_manager_definition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_alert_manager_definition) | resource |
+| [aws_prometheus_resource_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_resource_policy) | resource |
 | [aws_prometheus_rule_group_namespace.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_rule_group_namespace) | resource |
 | [aws_prometheus_workspace.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_workspace) | resource |
 | [aws_prometheus_workspace_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/prometheus_workspace_configuration) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.resource_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_service_principal.grafana](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |
 
 ## Inputs
 
@@ -92,11 +98,13 @@ No modules.
 | <a name="input_cloudwatch_log_group_use_name_prefix"></a> [cloudwatch\_log\_group\_use\_name\_prefix](#input\_cloudwatch\_log\_group\_use\_name\_prefix) | Determines whether the log group name should be used as a prefix | `bool` | `false` | no |
 | <a name="input_create"></a> [create](#input\_create) | Determines whether a resources will be created | `bool` | `true` | no |
 | <a name="input_create_alert_manager"></a> [create\_alert\_manager](#input\_create\_alert\_manager) | Controls whether an Alert Manager definition is created along with the AMP workspace | `bool` | `true` | no |
+| <a name="input_create_resource_policy"></a> [create\_resource\_policy](#input\_create\_resource\_policy) | Controls whether a resource policy is created along with the AMP workspace | `bool` | `true` | no |
 | <a name="input_create_workspace"></a> [create\_workspace](#input\_create\_workspace) | Determines whether a workspace will be created or to use an existing workspace | `bool` | `true` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the KMS Key to for encryption at rest | `string` | `null` | no |
 | <a name="input_limits_per_label_set"></a> [limits\_per\_label\_set](#input\_limits\_per\_label\_set) | Configuration block for setting limits on metrics with specific label sets | <pre>list(object({<br/>    label_set = map(string)<br/>    limits = object({<br/>      max_series = number<br/>    })<br/>  }))</pre> | `null` | no |
 | <a name="input_logging_configuration"></a> [logging\_configuration](#input\_logging\_configuration) | The logging configuration of the prometheus workspace. | <pre>object({<br/>    create_log_group      = optional(bool, true)<br/>    logging_configuration = optional(string)<br/>  })</pre> | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
+| <a name="input_resource_policy_statements"></a> [resource\_policy\_statements](#input\_resource\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | <pre>map(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string, "Allow")<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      variable = string<br/>      values   = list(string)<br/>    })))<br/>  }))</pre> | `null` | no |
 | <a name="input_retention_period_in_days"></a> [retention\_period\_in\_days](#input\_retention\_period\_in\_days) | Number of days to retain metric data in the workspace | `number` | `null` | no |
 | <a name="input_rule_group_namespaces"></a> [rule\_group\_namespaces](#input\_rule\_group\_namespaces) | A map of one or more rule group namespace definitions | <pre>map(object({<br/>    name = string<br/>    data = string<br/>  }))</pre> | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |

examples/complete/README.md

@@ -28,7 +28,9 @@ Note that this example may create resources which will incur monetary charges on
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.22 |
 
 ## Modules
 
@@ -40,7 +42,9 @@ No providers.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 
 ## Inputs
 

examples/complete/main.tf

@@ -2,6 +2,8 @@ provider "aws" {
   region = local.region
 }
 
+data "aws_caller_identity" "current" {}
+
 locals {
   region = "us-east-1"
   name   = "amp-ex-${basename(path.cwd)}"
@@ -42,6 +44,23 @@ module "prometheus" {
     }
   ]
 
+  create_resource_policy = true
+  resource_policy_statements = {
+    something = {
+      sid = "OtherAccountRead"
+      principals = [{
+        type        = "AWS"
+        identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+      }]
+      actions = [
+        "aps:QueryMetrics",
+        "aps:GetSeries",
+        "aps:GetLabels",
+        "aps:GetMetricMetadata",
+      ]
+    }
+  }
+
   create_alert_manager     = true
   alert_manager_definition = <<-EOT
   alertmanager_config: |

main.tf

@@ -1,5 +1,26 @@
+data "aws_caller_identity" "current" {
+  count = local.create_resource_policy ? 1 : 0
+}
+
+data "aws_partition" "current" {
+  count = local.create_resource_policy ? 1 : 0
+}
+
+data "aws_region" "current" {
+  count = local.create_resource_policy ? 1 : 0
+
+  region = var.region
+}
+
 locals {
+  partition  = try(data.aws_partition.current[0].partition, "aws")
+  account_id = try(data.aws_caller_identity.current[0].account_id, "")
+  region     = try(data.aws_region.current[0].region, "")
+
   workspace_id = var.create && var.create_workspace ? aws_prometheus_workspace.this[0].id : var.workspace_id
+
+  # Since we are accepting externally created workspaces, we need to re-construct the ARN for the policy
+  workspace_arn = var.create && var.create_workspace ? aws_prometheus_workspace.this[0].arn : "arn:${local.partition}:aps:${local.region}:${local.account_id}:workspace/${var.workspace_id}"
 }
 
 ################################################################################
@@ -30,7 +51,7 @@ resource "aws_prometheus_workspace" "this" {
 ################################################################################
 
 resource "aws_prometheus_workspace_configuration" "this" {
-  count = var.create && var.create_workspace ? 1 : 0
+  count = var.create && var.create_workspace && var.limits_per_label_set != null ? 1 : 0
 
   region = var.region
 
@@ -44,7 +65,7 @@ resource "aws_prometheus_workspace_configuration" "this" {
       label_set = limits_per_label_set.value.label_set
 
       dynamic "limits" {
-        for_each = limits_per_label_set.value.limits
+        for_each = [limits_per_label_set.value.limits]
 
         content {
           max_series = limits.value.max_series
@@ -54,6 +75,116 @@ resource "aws_prometheus_workspace_configuration" "this" {
   }
 }
 
+################################################################################
+# Resource Policy
+################################################################################
+
+data "aws_service_principal" "grafana" {
+  count = local.create_resource_policy ? 1 : 0
+
+  region       = var.region
+  service_name = "grafana"
+}
+
+locals {
+  create_resource_policy = var.create && var.create_workspace && var.create_resource_policy
+}
+
+data "aws_iam_policy_document" "resource_policy" {
+  count = local.create_resource_policy ? 1 : 0
+
+  dynamic "statement" {
+    # Default permissions if custom permissions are not provided
+    for_each = var.resource_policy_statements == null ? [1] : []
+
+    content {
+      sid = "DefaultAccountReadWrite"
+      principals {
+        type        = "AWS"
+        identifiers = [data.aws_caller_identity.current[0].account_id]
+      }
+      actions = [
+        "aps:RemoteWrite",
+        "aps:QueryMetrics",
+        "aps:GetSeries",
+        "aps:GetLabels",
+        "aps:GetMetricMetadata",
+      ]
+      resources = [local.workspace_arn]
+    }
+  }
+
+  dynamic "statement" {
+    # Default permissions if custom permissions are not provided
+    for_each = var.resource_policy_statements == null ? [1] : []
+
+    content {
+      sid = "DefaultGrafanaRead"
+      principals {
+        type        = "Service"
+        identifiers = [data.aws_service_principal.grafana[0].name]
+      }
+      actions = [
+        "aps:QueryMetrics",
+        "aps:GetSeries",
+        "aps:GetLabels",
+        "aps:GetMetricMetadata",
+      ]
+      resources = [local.workspace_arn]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.resource_policy_statements != null ? var.resource_policy_statements : {}
+
+    content {
+      sid           = try(coalesce(statement.value.sid, statement.key))
+      actions       = statement.value.actions
+      not_actions   = statement.value.not_actions
+      effect        = statement.value.effect
+      resources     = coalescelist(statement.value.resources, [local.workspace_arn])
+      not_resources = statement.value.not_resources
+
+      dynamic "principals" {
+        for_each = statement.value.principals != null ? statement.value.principals : []
+
+        content {
+          type        = principals.value.type
+          identifiers = principals.value.identifiers
+        }
+      }
+
+      dynamic "not_principals" {
+        for_each = statement.value.not_principals != null ? statement.value.not_principals : []
+
+        content {
+          type        = not_principals.value.type
+          identifiers = not_principals.value.identifiers
+        }
+      }
+
+      dynamic "condition" {
+        for_each = statement.value.condition != null ? statement.value.condition : []
+
+        content {
+          test     = condition.value.test
+          values   = condition.value.values
+          variable = condition.value.variable
+        }
+      }
+    }
+  }
+}
+
+resource "aws_prometheus_resource_policy" "this" {
+  count = local.create_resource_policy ? 1 : 0
+
+  region = var.region
+
+  workspace_id    = local.workspace_id
+  policy_document = data.aws_iam_policy_document.resource_policy[0].json
+}
+
 ################################################################################
 # Cloudwatch Log Group
 ################################################################################

variables.tf

@@ -74,6 +74,42 @@ variable "limits_per_label_set" {
   default = null
 }
 
+################################################################################
+# Resource Policy
+################################################################################
+
+variable "create_resource_policy" {
+  description = "Controls whether a resource policy is created along with the AMP workspace"
+  type        = bool
+  default     = true
+}
+
+variable "resource_policy_statements" {
+  description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage"
+  type = map(object({
+    sid           = optional(string)
+    actions       = optional(list(string))
+    not_actions   = optional(list(string))
+    effect        = optional(string, "Allow")
+    resources     = optional(list(string))
+    not_resources = optional(list(string))
+    principals = optional(list(object({
+      type        = string
+      identifiers = list(string)
+    })))
+    not_principals = optional(list(object({
+      type        = string
+      identifiers = list(string)
+    })))
+    condition = optional(list(object({
+      test     = string
+      variable = string
+      values   = list(string)
+    })))
+  }))
+  default = null
+}
+
 ################################################################################
 # CloudWatch Log Group
 ################################################################################