Terraform module for Amazon Managed Service for Prometheus (AMP) workspaces and related control-plane resources.
This module follows tfstack conventions and groups tightly coupled AMP resources into two submodules:
| Submodule | Responsibility |
|---|---|
| `workspace-core` | Workspace lifecycle, optional KMS encryption, retention configuration |
| `workspace-content` | Alertmanager definition, rule group namespaces, workspace resource policy |
```hcl
module "managed_prometheus" {
  source  = "tfstack/managed-prometheus/aws"
  version = "~> 0.1"

  workspace_alias          = "eks-21-metrics"
  retention_period_in_days = 30

  create_alert_manager     = true
  alert_manager_definition = <<-EOT
    alertmanager_config: |
      route:
        receiver: 'default'
      receivers:
        - name: 'default'
  EOT

  rule_group_namespaces = {
    basic = {
      name = "basic-rules"
      data = <<-EORULES
        groups:
          - name: basic
            rules:
              - record: demo:http_requests_total:sum
                expr: sum(http_requests_total)
      EORULES
    }
  }

  create_resource_policy = true

  tags = {
    Environment = "dev"
    ManagedBy   = "terraform"
  }
}
```

See `examples/basic` for a working end-to-end example.
- Set `create = false` to disable all module resources (useful for conditional stacks).
- Set `create_workspace = false` and provide `workspace_id` to attach alertmanager, rules, and resource policy to an existing AMP workspace.
- Set `retention_period_in_days = null` to skip `aws_prometheus_workspace_configuration` (workspace default retention applies).
- When `create_resource_policy = true`, the module creates a baseline policy statement allowing Amazon Managed Grafana query APIs (`aps:QueryMetrics`, etc.). Add further principals or conditions via `resource_policy_statements`.
- `prometheus_endpoint` is populated when the module creates a new workspace; it is `null` when attaching to an existing workspace by ID.
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 4.0 |
No providers.
| Name | Source | Version |
|---|---|---|
| workspace_content | ./modules/workspace-content | n/a |
| workspace_core | ./modules/workspace-core | n/a |
No resources.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alert_manager_definition | Alert manager definition YAML payload. | `string` | `"alertmanager_config: \| \n route:\n receiver: 'default'\n receivers:\n - name: 'default'\n"` | no |
| create | Determines whether resources will be created. | `bool` | `true` | no |
| create_alert_manager | Controls whether an Alert Manager definition is created. | `bool` | `false` | no |
| create_resource_policy | Controls whether an AMP resource policy is created. | `bool` | `false` | no |
| create_workspace | Determines whether an AMP workspace will be created or an existing workspace_id will be used. | `bool` | `true` | no |
| kms_key_arn | ARN of the KMS key used for workspace encryption at rest. | `string` | `""` | no |
| resource_policy_statements | A map of IAM policy statements that will be merged into the AMP resource policy document. | `map(object({` | `{}` | no |
| retention_period_in_days | Number of days to retain metric data in the workspace. When null, no workspace configuration is applied. | `number` | `null` | no |
| rule_group_namespaces | Map of AMP rule group namespaces to create. | `map(object({` | `{}` | no |
| tags | A map of tags to apply to resources. | `map(string)` | `{}` | no |
| workspace_alias | Alias for the AMP workspace. Required when create and create_workspace are true. | `string` | `null` | no |
| workspace_id | ID of an existing AMP workspace to use when create_workspace is false. | `string` | `""` | no |
| Name | Description |
|---|---|
| prometheus_endpoint | Prometheus endpoint available for this workspace. |
| resource_policy_json | Rendered JSON AMP resource policy document. |
| rule_group_namespace_names | List of rule group namespace names created in AMP. |
| workspace_arn | Amazon Resource Name (ARN) of the workspace. |
| workspace_configuration_applied | Whether workspace configuration (retention period) was applied. |
| workspace_id | Identifier of the workspace. |