There are more AWS SDK examples available in the [AWS Doc SDK Examples](https://github.com/awsdocs/aws-doc-sdk-examples) GitHub repo. # Amazon Managed Grafana examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon Managed Grafana. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Creating an Amazon Managed Grafana workspace The following code example shows how to: + Create an IAM role for your workspace + Create a Grafana workspace + Configure authentication + Configure optional settings + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/044-amazon-managed-grafana-gs) repository. ``` #!/bin/bash # Amazon Managed Grafana Workspace Creation Script # This script creates an Amazon Managed Grafana workspace and configures it # Set up logging LOG_FILE="grafana-workspace-creation.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon Managed Grafana workspace creation script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 if echo "$output" | grep -i "error\|exception\|fail" > /dev/null; then echo "ERROR: Command '$cmd' failed with output:" echo "$output" cleanup_on_error exit 1 fi } # Function to clean up resources on error cleanup_on_error() { echo "Error encountered. Attempting to clean up resources..." if [ -n "$WORKSPACE_ID" ]; then echo "Deleting workspace $WORKSPACE_ID..." aws grafana delete-workspace --workspace-id "$WORKSPACE_ID" fi if [ -n "$ROLE_NAME" ]; then echo "Detaching policies from role $ROLE_NAME..." if [ -n "$POLICY_ARN" ]; then aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN" fi echo "Deleting role $ROLE_NAME..." aws iam delete-role --role-name "$ROLE_NAME" fi if [ -n "$POLICY_ARN" ]; then echo "Deleting policy..." aws iam delete-policy --policy-arn "$POLICY_ARN" fi # Clean up JSON files rm -f trust-policy.json cloudwatch-policy.json echo "Cleanup completed. See $LOG_FILE for details." } # Generate a random identifier for resource names RANDOM_ID=$(openssl rand -hex 4) WORKSPACE_NAME="GrafanaWorkspace-${RANDOM_ID}" ROLE_NAME="GrafanaWorkspaceRole-${RANDOM_ID}" echo "Using workspace name: $WORKSPACE_NAME" echo "Using role name: $ROLE_NAME" # Step 1: Get AWS account ID echo "Getting AWS account ID..." ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) check_error "$ACCOUNT_ID" "get-caller-identity" echo "AWS Account ID: $ACCOUNT_ID" # Step 2: Create IAM role for Grafana workspace echo "Creating IAM role for Grafana workspace..." # Create trust policy document cat > trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "grafana.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role ROLE_OUTPUT=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document file://trust-policy.json \ --description "Role for Amazon Managed Grafana workspace") check_error "$ROLE_OUTPUT" "create-role" echo "IAM role created successfully" # Extract role ARN ROLE_ARN=$(echo "$ROLE_OUTPUT" | grep -o '"Arn": "[^"]*' | cut -d'"' -f4) echo "Role ARN: $ROLE_ARN" # Attach policies to the role echo "Attaching policies to the role..." # CloudWatch policy cat > cloudwatch-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:DescribeAlarmHistory", "cloudwatch:DescribeAlarms", "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:GetMetricData" ], "Resource": "*" } ] } EOF POLICY_OUTPUT=$(aws iam create-policy \ --policy-name "GrafanaCloudWatchPolicy-${RANDOM_ID}" \ --policy-document file://cloudwatch-policy.json) check_error "$POLICY_OUTPUT" "create-policy" POLICY_ARN=$(echo "$POLICY_OUTPUT" | grep -o '"Arn": "[^"]*' | cut -d'"' -f4) echo "CloudWatch policy ARN: $POLICY_ARN" ATTACH_OUTPUT=$(aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$POLICY_ARN") check_error "$ATTACH_OUTPUT" "attach-role-policy" echo "CloudWatch policy attached to role" # Step 3: Create the Grafana workspace echo "Creating Amazon Managed Grafana workspace..." WORKSPACE_OUTPUT=$(aws grafana create-workspace \ --workspace-name "$WORKSPACE_NAME" \ --authentication-providers "SAML" \ --permission-type "CUSTOMER_MANAGED" \ --account-access-type "CURRENT_ACCOUNT" \ --workspace-role-arn "$ROLE_ARN" \ --workspace-data-sources "CLOUDWATCH" "PROMETHEUS" "XRAY" \ --grafana-version "10.4" \ --tags Environment=Development) check_error "$WORKSPACE_OUTPUT" "create-workspace" echo "Workspace creation initiated:" echo "$WORKSPACE_OUTPUT" # Extract workspace ID WORKSPACE_ID=$(echo "$WORKSPACE_OUTPUT" | grep -o '"id": "[^"]*' | cut -d'"' -f4) if [ -z "$WORKSPACE_ID" ]; then echo "ERROR: Failed to extract workspace ID from output" exit 1 fi echo "Workspace ID: $WORKSPACE_ID" # Step 4: Wait for workspace to become active echo "Waiting for workspace to become active. This may take several minutes..." ACTIVE=false MAX_ATTEMPTS=30 ATTEMPT=0 while [ $ACTIVE = false ] && [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do ATTEMPT=$((ATTEMPT+1)) echo "Checking workspace status (attempt $ATTEMPT of $MAX_ATTEMPTS)..." DESCRIBE_OUTPUT=$(aws grafana describe-workspace --workspace-id "$WORKSPACE_ID") check_error "$DESCRIBE_OUTPUT" "describe-workspace" STATUS=$(echo "$DESCRIBE_OUTPUT" | grep -o '"status": "[^"]*' | cut -d'"' -f4) echo "Current status: $STATUS" if [ "$STATUS" = "ACTIVE" ]; then ACTIVE=true echo "Workspace is now ACTIVE" elif [ "$STATUS" = "FAILED" ]; then echo "ERROR: Workspace creation failed" cleanup_on_error exit 1 else echo "Workspace is still being created. Waiting 30 seconds..." sleep 30 fi done if [ $ACTIVE = false ]; then echo "ERROR: Workspace did not become active within the expected time" cleanup_on_error exit 1 fi # Extract workspace endpoint URL WORKSPACE_URL=$(echo "$DESCRIBE_OUTPUT" | grep -o '"endpoint": "[^"]*' | cut -d'"' -f4) echo "Workspace URL: https://$WORKSPACE_URL" # Step 5: Display workspace information echo "" echo "===========================================" echo "WORKSPACE INFORMATION" echo "===========================================" echo "Workspace ID: $WORKSPACE_ID" echo "Workspace URL: https://$WORKSPACE_URL" echo "Workspace Name: $WORKSPACE_NAME" echo "IAM Role: $ROLE_NAME" echo "" echo "Note: Since SAML authentication is used, you need to configure SAML settings" echo "using the AWS Management Console or the update-workspace-authentication command." echo "===========================================" # Step 6: Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Resources created:" echo "- Amazon Managed Grafana workspace: $WORKSPACE_ID" echo "- IAM Role: $ROLE_NAME" echo "- IAM Policy: GrafanaCloudWatchPolicy-${RANDOM_ID}" echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then echo "Cleaning up resources..." echo "Deleting workspace $WORKSPACE_ID..." DELETE_OUTPUT=$(aws grafana delete-workspace --workspace-id "$WORKSPACE_ID") check_error "$DELETE_OUTPUT" "delete-workspace" echo "Waiting for workspace to be deleted..." DELETED=false ATTEMPT=0 while [ $DELETED = false ] && [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do ATTEMPT=$((ATTEMPT+1)) echo "Checking deletion status (attempt $ATTEMPT of $MAX_ATTEMPTS)..." if aws grafana describe-workspace --workspace-id "$WORKSPACE_ID" 2>&1 | grep -i "not found\|does not exist" > /dev/null; then DELETED=true echo "Workspace has been deleted" else echo "Workspace is still being deleted. Waiting 30 seconds..." sleep 30 fi done if [ $DELETED = false ]; then echo "WARNING: Workspace deletion is taking longer than expected. It may still be in progress." fi # Detach policy from role echo "Detaching policy from role..." aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$POLICY_ARN" # Delete policy echo "Deleting IAM policy..." aws iam delete-policy \ --policy-arn "$POLICY_ARN" # Delete role echo "Deleting IAM role..." aws iam delete-role \ --role-name "$ROLE_NAME" # Clean up JSON files rm -f trust-policy.json cloudwatch-policy.json echo "Cleanup completed" else echo "Skipping cleanup. Resources will remain in your AWS account." fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateWorkspace](https://docs.aws.amazon.com/goto/aws-cli/grafana-2020-08-18/CreateWorkspace) + [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteWorkspace](https://docs.aws.amazon.com/goto/aws-cli/grafana-2020-08-18/DeleteWorkspace) + [DescribeWorkspace](https://docs.aws.amazon.com/goto/aws-cli/grafana-2020-08-18/DescribeWorkspace) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity)