fix: make Grafana Cloud Run admin credentials configurable#61
Open
lokeshmuvva wants to merge 3 commits into
Conversation
The Grafana Cloud Run module set no admin env vars, so the admin password came solely from the value baked into the container image, leaving no way to override it at deploy time. Add grafana_admin_user / grafana_admin_password variables (defaulting to admin to preserve current behavior; password marked sensitive) and wire them to GF_SECURITY_ADMIN_USER / GF_SECURITY_ADMIN_PASSWORD. A Cloud Run container env var overrides the image's baked-in ENV, which sets up removing the hardcoded credentials from the Dockerfile.
…odule The Cloud Run main templates invoked the Grafana module without forwarding any admin credentials, so the module inputs added in the previous commit were unreachable from a user's stack config. Forward grafana_admin_user / grafana_admin_password from the grafana tool's params (defaulting to admin) in both main.tf.j2 and mlflow_main.tf.j2. Verified by rendering the documented MLflow+Grafana stack: it emits a single Grafana module with the credentials applied, and a custom password in config passes through.
The Grafana image set GF_SECURITY_ADMIN_USER / GF_SECURITY_ADMIN_PASSWORD to admin via ENV, embedding a credential in a readable image layer (visible through docker history). With the Cloud Run module and templates now supplying these at deploy time, the baked values are redundant. Remove them. Behavior is unchanged: deployed services get their credentials from Terraform, and a standalone container falls back to Grafana's own admin default, so the documented login still holds. GF_SERVER_HTTP_PORT is kept as it is non-secret port configuration.
What

The Grafana admin credentials on the Cloud Run path were hardcoded to `admin`/`admin` and baked into the container image (Dockerfile `ENV`), with no way to override them at deploy time. This makes them configurable through the stack config and removes the secret from the image:

- `grafana_admin_user` / `grafana_admin_password` inputs to the Grafana Cloud Run module, wired to `GF_SECURITY_ADMIN_USER` / `GF_SECURITY_ADMIN_PASSWORD` (password marked `sensitive`). Defaults to `admin` to preserve current behavior.
- `params` in both Cloud Run main templates (`main.tf.j2`, `mlflow_main.tf.j2`).
- `GF_SECURITY_ADMIN_*` `ENV` from the Grafana image.

Why

Baking credentials into an image stores them in a readable layer (`docker history`) and leaves operators no way to set a real password. On stateless Cloud Run, an admin password changed via the UI does not survive a cold start (Grafana's SQLite config DB sits on ephemeral disk unless a metrics Postgres DB is configured), so supplying the password as deploy-time env is the correct pattern — this change makes that possible.

Behavior

Unchanged by default: deployed services get `admin`/`admin` from Terraform, and a standalone image falls back to Grafana's own admin default, so documented logins still hold. Operators can now override by setting `grafana_admin_password` (and `grafana_admin_user`) in their stack config.

Verification

Rendered the documented MLflow + Grafana stack through `mlflow_main.tf.j2`: it emits a single Grafana module with the credentials applied, and a custom password set in config passes through to the rendered Terraform. `terraform fmt` clean on the new module lines.

Out of scope (follow-up)

While verifying, found a pre-existing bug: `main.tf.j2` emits the Grafana module twice (generic tool loop + dedicated block) and passes arguments the module doesn't declare, so Grafana via that path (a stack with no MLflow/W&B) cannot deploy today. It's independent of credentials and will be addressed separately.

Test plan

- `terraform fmt` clean on the new module lines
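The deploy-time env pattern the PR describes, written out as an added Terraform example (not the project's own module code, which is not shown on this page): the two admin variables with `sensitive` on the password, wired into a `google_cloud_run_v2_service` container env so they override whatever `ENV` the image layer carries. The `region` and `grafana_image` variables and the resource name are assumptions; only `grafana_admin_user` / `grafana_admin_password` and the `GF_SECURITY_ADMIN_*` names come from the PR.

```hcl
# Added example: minimal Grafana Cloud Run module illustrating the PR's change.
# Variables other than grafana_admin_user/grafana_admin_password are assumed.

variable "region" {
  type = string # assumed: deployment region for the service
}

variable "grafana_image" {
  type = string # assumed: Grafana image built from the project's Dockerfile
}

variable "grafana_admin_user" {
  type    = string
  default = "admin" # preserves current behavior, as the PR states
}

variable "grafana_admin_password" {
  type      = string
  default   = "admin" # override via grafana_admin_password in the stack config
  sensitive = true    # masks the value in plan/apply output; see note below
}

resource "google_cloud_run_v2_service" "grafana" {
  name     = "grafana" # assumed service name
  location = var.region

  template {
    containers {
      image = var.grafana_image

      # A container env var set here takes precedence over an ENV baked into
      # the image, which is what lets the Dockerfile drop its hardcoded pair.
      env {
        name  = "GF_SECURITY_ADMIN_USER"
        value = var.grafana_admin_user
      }
      env {
        name  = "GF_SECURITY_ADMIN_PASSWORD"
        value = var.grafana_admin_password
      }

      # Grafana listens on 3000 (the image keeps GF_SERVER_HTTP_PORT, which is
      # non-secret); Cloud Run must be told the container port explicitly.
      ports {
        container_port = 3000
      }
    }
  }
}
```

`sensitive = true` only redacts CLI output: the password still lands in plaintext in Terraform state, so the state backend needs the same access restrictions as the secret itself. If that is not acceptable, the same `env` block can take a `value_source { secret_key_ref { ... } }` reference to a Secret Manager secret instead of a literal `value`.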