Terraform module which creates a Grafana deployment in a Fargate ECS cluster on AWS.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
docker/grafana-aws-env move dockerfile into repo Sep 28, 2018
modules bump rds instance version to fix error with overlapping maintenance a… Oct 18, 2018
.gitignore fix: gitignore vscode Aug 7, 2018
CODEOWNERS Initial commit Aug 2, 2018



Build Status

Terraform module which creates a Grafana deployment in a Fargate ECS cluster on AWS.



Currently maintained by these contributors.


MIT License. See LICENSE for full details.

Quick Start


This module assumes that the AWS account this is deployed to has both a Route53 zone set up and a wildcard certificate for that zone so that this can be launched behind SSL

  1. Create a folder for the environment <your_environment>
  2. Create an init subfolder in that folder
  3. In the init folder Create a terraform script that uses the modules/init submodule and run it once (and only once) to create a key for encrypting parameters and generating random credentials
  4. Note the parameters_key_arn output from the last step
  5. Create the following SSM parameters and set them to "secure-string" and encrypt them with the key created in the previous step and replace <name_prefix> below with the value used for name_prefix used for the init and main module.
    • /*<name_prefix>*/github-auth-enabled (set to true to enable github oauth)
    • /*<name_prefix>*/github-client-id (obtained from github when you register oauth app)
    • /*<name_prefix>*/github-client-secret (obtained from github when you register oauth app)
    • /*<name_prefix>*/github-allowed-organisations (members from this list of github organisations can login)
    • /*<name_prefix>*/admin-user-password (a name for the initial admin user)
    • /*<name_prefix>*/admin-user-name (a password for the initial admin user)
  6. In the <your_envirnoment> folder create a terraform script that uses the main module and use the value recorded in step 4 for the parameters_key_arn parameter
  7. Remember to set the correct Route53 zone and web certificate ARN
  8. Run terraform to deploy Grafana

Granting Grafana Access To Cloudwatch In Other Accounts

To allow Grafana to report on metrics in a different AWS account you will need to create a role in that additional account with the CloudWatchReadyOnlyAccess policy attached and allow the task in the account with Grafana installed to assume that role. The terraform script below (replace <grafana_aws_account> and <name-prefix>) when run in the additional account will grant the necessary access.

resource "aws_iam_role" "grafana-machine-user" {
  name               = "machine-user-grafana"
  assume_role_policy = "${data.aws_iam_policy_document.grafana-machine-user.json}"

data "aws_iam_policy_document" "grafana-machine-user" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      identifiers = [

      type = "AWS"

resource "aws_iam_role_policy_attachment" "grafana-machine-user" {
  role       = "${aws_iam_role.grafana-machine-user.name}"
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess"