Since I spent some time today on this, I’d rather write it down. Creating a Prometheus datasource that uses Azure Authentication was not straight forward.
Here’s the end result:
---
- name: Create a datasource in Grafana
hosts: localhost
gather_facts: false
tasks:
- name: Create prometheus datasource
community.grafana.grafana_datasource:
name: prometheus_test
ds_type: prometheus
ds_url: https://example.westeurope.prometheus.monitor.azure.com
url: "https://example.com"
url_username: foo
url_password: bar
enforce_secure_data: true
additional_json_data:
azureCredentials:
authType: clientsecret
azureCloud: AzureCloud
clientId: "{{ lookup('cloud.terraform.tf_output', 'clientid', project_path=playbook_dir + '../terraform/') }}"
tenantId: "{{ lookup('cloud.terraform.tf_output', 'tenant_id', project_path=playbook_dir + '../terraform/') }}"
additional_secure_json_data:
azureClientSecret: "{{ lookup('cloud.terraform.tf_output', 'password', project_path=playbook_dir + '../terraform/') }}"
(Bonus: I lookup the client and tenant ID from Terraform state.)
How did I get to this? By creating the datasource by hand and then querying it via the Grafana API:
> curl -s 'https://example.com/api/datasources/7' | jq .
{
"id": 7,
"uid": "3E8CgP2Vk",
"orgId": 1,
"name": "Prometheus",
"type": "prometheus",
"typeLogoUrl": "",
"access": "proxy",
"url": "https://example.com.westeurope.prometheus.monitor.azure.com",
"user": "",
"database": "",
"basicAuth": false,
"withCredentials": false,
"isDefault": false,
"jsonData": {
"azureCredentials": {
"authType": "clientsecret",
"azureCloud": "AzureCloud",
"clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
},
"httpMethod": "POST"
},
"secureJsonFields": {
"azureClientSecret": true,
"basicAuthPassword": true
},
"version": 10,
"readOnly": false
}
There you get the jsonData and secureJsonFields. These are the special, required fields that you have to pass to Ansible to get exactly what you want.