From 3fec5dee07db0cedfe3d991e74551fbeba69cb37 Mon Sep 17 00:00:00 2001
From: Colin Saliceti
Date: Thu, 30 Jun 2022 13:31:15 +0100
Subject: [PATCH] Grafana anonymous authentication

Add a variable to enable anonymous readonly access to the Grafana dashboards and metrics. This is useful to be able to present on logged out TV screens. Default is: not enabled
---
 README.md | 2 +-
 grafana/config/grafana.ini | 8 ++++++++
 grafana/input.tf | 7 +++++--
 prometheus_all/input.tf | 5 +++++
 prometheus_all/resources.tf | 1 +
 5 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 97bb61e..1d2e889 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Collection of [terraform](https://www.terraform.io/) modules to deploy the [prom
 - Metrics-based alerts can be created in prometheus and processed by [alertmanager](https://prometheus.io/docs/alerting/) to send to Slack, email, pagerduty, etc
 - Finally, the metrics are available in [grafana](https://grafana.com/) to build dashboards, help troubleshooting and create alerts.
 
-The [prometheus_all module](#prometheus-all) is a good starting point as it includes all the other modules.
+The [prometheus_all module](#prometheus-all) is a good starting point as it includes all the other modules. Check the variables in [prometheus_all](https://github.com/DFE-Digital/cf-monitoring/blob/master/prometheus_all/input.tf) for a description of all configuration options.
 
 ## Source
 
diff --git a/grafana/config/grafana.ini b/grafana/config/grafana.ini
index 3de3f85..33e2e1d 100644
--- a/grafana/config/grafana.ini
+++ b/grafana/config/grafana.ini
@@ -9,3 +9,11 @@ token_url = https://accounts.google.com/o/oauth2/token
 allowed_domains = digital.education.gov.uk
 allow_sign_up = true
 %{ endif }
+
+%{ if enable_anonymous_auth }
+[auth.anonymous]
+enabled = true
+org_name = Main Org.
+org_role = Viewer
+hide_version = true
+%{ endif }
diff --git a/grafana/input.tf b/grafana/input.tf
index f24163d..64c530d 100644
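Review bot: The new `[auth.anonymous]` block in grafana/config/grafana.ini gives `org_role = Viewer` on `Main Org.` to every unauthenticated request, and nothing in this hunk limits who can reach the instance. A Grafana Viewer can read every dashboard in that org and can generally also send queries to the org's data sources through Grafana, so the exposure is wider than the dashboards put on a TV screen. I would state that next to the setting, e.g. `# Anonymous Viewer access: anyone who can reach this URL can read all dashboards in this org and query its data sources; enable only where network access to Grafana is restricted.` The hard-coded `org_name` also deserves a comment such as `# must match the name of an existing Grafana org`, since the value is not configurable from the module.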
--- a/grafana/input.tf
+++ b/grafana/input.tf
@@ -10,6 +10,8 @@ variable "runtime_version" { default = "" }
 variable "google_client_id" { default = "" }
 variable "google_client_secret" { default = "" }
 variable "google_jwt" { default = "" }
+variable "enable_anonymous_auth" { default = false }
+
 variable "influxdb_credentials" { default = null }
 variable "elasticsearch_credentials" {
 type = map(any)
@@ -30,8 +32,9 @@ locals {
 dashboard_list = fileset(path.module, "dashboards/*.json")
 dashboards = [for f in local.dashboard_list : file("${path.module}/${f}")]
 grafana_ini_variables = {
- google_client_id = var.google_client_id
- google_client_secret = var.google_client_secret
+ google_client_id = var.google_client_id
+ google_client_secret = var.google_client_secret
+ enable_anonymous_auth = var.enable_anonymous_auth
 }
 grafana_datasource_variables = {
 google_jwt = var.google_jwt
diff --git a/prometheus_all/input.tf b/prometheus_all/input.tf
index 10e80ae..3e0670f 100644
--- a/prometheus_all/input.tf
+++ b/prometheus_all/input.tf
@@ -98,6 +98,11 @@ variable "grafana_elasticsearch_credentials" {
 }
 }
 
+variable "grafana_anonymous_auth" {
+ description = "Enable anonymous readonly access to Grafana"
+ default = false
+}
+
 variable "docker_credentials" {
 description = "Credentials for Dockerhub. Map of {username, password}."
 type = map(any)
diff --git a/prometheus_all/resources.tf b/prometheus_all/resources.tf
index 60b2428..3a73558 100644
--- a/prometheus_all/resources.tf
+++ b/prometheus_all/resources.tf
@@ -126,4 +126,5 @@ module "grafana" {
 influxdb_credentials = module.influxdb[0].credentials
 runtime_version = var.grafana_runtime_version
 elasticsearch_credentials = var.grafana_elasticsearch_credentials
+ enable_anonymous_auth = var.grafana_anonymous_auth
 }
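Review bot: `variable "enable_anonymous_auth" { default = false }` in the first grafana/input.tf hunk declares a security-relevant switch with neither `type` nor `description`, and `grafana_anonymous_auth` in the prometheus_all/input.tf hunk also has no `type`. The value ends up in `%{ if enable_anonymous_auth }` in the grafana.ini template, so an untyped input relies on implicit conversion there; adding `type = bool` to both blocks makes the contract explicit and rejects other values with a clear error. I would also have the description say what is exposed, e.g. `description = "Enable anonymous read-only (Viewer) access to all Grafana dashboards; leave false unless network access to Grafana is restricted"`.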