Skip to main content

workspaces

Creates, updates, deletes or gets a workspace resource or lists workspaces in a region

Overview

Nameworkspaces
TypeResource
DescriptionDefinition of AWS::Grafana::Workspace Resource Type
Idawscc.grafana.workspaces

Fields

NameDatatypeDescription
authentication_providersarrayList of authentication providers to enable.
sso_client_idstringThe client ID of the AWS SSO Managed Application.
saml_configurationobjectSAML configuration data associated with an AMG workspace.
network_access_controlobjectThe configuration settings for Network Access Control.
vpc_configurationobjectThe configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to.
saml_configuration_statusstringValid SAML configuration statuses.
client_tokenstringA unique, case-sensitive, user-provided identifier to ensure the idempotency of the request.
statusstringThese enums represent the status of a workspace.
creation_timestampstringTimestamp when the workspace was created.
modification_timestampstringTimestamp when the workspace was last modified
grafana_versionstringThe version of Grafana to support in your workspace.
endpointstringEndpoint for the Grafana workspace.
account_access_typestringThese enums represent valid account access types. Specifically these enums determine whether the workspace can access AWS resources in the AWS account only, or whether it can also access resources in other accounts in the same organization. If the value CURRENT_ACCOUNT is used, a workspace role ARN must be provided. If the value is ORGANIZATION, a list of organizational units must be provided.
organization_role_namestringThe name of an IAM role that already exists to use with AWS Organizations to access AWS data sources and notification channels in other accounts in an organization.
permission_typestringThese enums represent valid permission types to use when creating or configuring a Grafana workspace. The SERVICE_MANAGED permission type means the Managed Grafana service will create a workspace IAM role on your behalf. The CUSTOMER_MANAGED permission type means that the customer is expected to provide an IAM role that the Grafana workspace can use to query data sources.
stack_set_namestringThe name of the AWS CloudFormation stack set to use to generate IAM roles to be used for this workspace.
data_sourcesarrayList of data sources on the service managed IAM role.
descriptionstringDescription of a workspace.
idstringThe id that uniquely identifies a Grafana workspace.
namestringThe user friendly name of a workspace.
notification_destinationsarrayList of notification destinations on the customers service managed IAM role that the Grafana workspace can query.
organizational_unitsarrayList of Organizational Units containing AWS accounts the Grafana workspace can pull data from.
role_arnstringIAM Role that will be used to grant the Grafana workspace access to a customers AWS resources.
plugin_admin_enabledbooleanAllow workspace admins to install plugins
regionstringAWS region.

For more information, see AWS::Grafana::Workspace.

Methods

NameResourceAccessible byRequired Params
create_resourceworkspacesINSERTAuthenticationProviders, PermissionType, AccountAccessType, region
delete_resourceworkspacesDELETEIdentifier, region
update_resourceworkspacesUPDATEIdentifier, PatchDocument, region
list_resourcesworkspaces_list_onlySELECTregion
get_resourceworkspacesSELECTIdentifier, region

SELECT examples

Gets all properties from an individual workspace.

SELECT
  region,
  authentication_providers,
  sso_client_id,
  saml_configuration,
  network_access_control,
  vpc_configuration,
  saml_configuration_status,
  client_token,
  status,
  creation_timestamp,
  modification_timestamp,
  grafana_version,
  endpoint,
  account_access_type,
  organization_role_name,
  permission_type,
  stack_set_name,
  data_sources,
  description,
  id,
  name,
  notification_destinations,
  organizational_units,
  role_arn,
  plugin_admin_enabled
FROM awscc.grafana.workspaces
WHERE
  region = 'us-east-1' AND
  Identifier = '{{ id }}';

INSERT example

Use the following StackQL query and manifest file to create a new workspace resource, using stack-deploy.

/*+ create */
INSERT INTO awscc.grafana.workspaces (
  AuthenticationProviders,
  AccountAccessType,
  PermissionType,
  region
)
SELECT
  '{{ authentication_providers }}',
  '{{ account_access_type }}',
  '{{ permission_type }}',
  '{{ region }}';

UPDATE example

Use the following StackQL query and manifest file to update a workspace resource, using stack-deploy.

/*+ update */
UPDATE awscc.grafana.workspaces
SET PatchDocument = string('{{ {
    "AuthenticationProviders": authentication_providers,
    "SamlConfiguration": saml_configuration,
    "NetworkAccessControl": network_access_control,
    "VpcConfiguration": vpc_configuration,
    "GrafanaVersion": grafana_version,
    "AccountAccessType": account_access_type,
    "OrganizationRoleName": organization_role_name,
    "PermissionType": permission_type,
    "StackSetName": stack_set_name,
    "DataSources": data_sources,
    "Description": description,
    "Name": name,
    "NotificationDestinations": notification_destinations,
    "OrganizationalUnits": organizational_units,
    "RoleArn": role_arn,
    "PluginAdminEnabled": plugin_admin_enabled
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ id }}';

DELETE example

/*+ delete */
DELETE FROM awscc.grafana.workspaces
WHERE
  Identifier = '{{ id }}' AND
  region = 'us-east-1';

Permissions

To operate on the workspaces resource, the following permissions are required:

grafana:CreateWorkspace,
grafana:DescribeWorkspace,
grafana:DescribeWorkspaceAuthentication,
grafana:DescribeWorkspaceConfiguration,
grafana:UpdateWorkspaceAuthentication,
sso:DescribeRegisteredRegions,
sso:CreateManagedApplicationInstance,
organizations:DescribeOrganization,
sso:GetSharedSsoConfiguration,
iam:PassRole,
ec2:GetManagedPrefixListEntries,
ec2:DescribeSecurityGroups,
ec2:DescribeSubnets,
ec2:DescribeVpcs,
iam:CreateServiceLinkedRole,
sso:ListApplicationInstances,
sso:GetApplicationInstance