Grafana Task Definition - AWS ECS Configuration

Configure your Grafana Task Definition for AWS ECS. This guide provides a detailed JSON example for setting up Grafana with EFS volumes, environment variables, and secrets.

Grafana Task Definition for AWS ECS

Understanding the Grafana ECS Task Definition

This document outlines a comprehensive Amazon Elastic Container Service (ECS) Task Definition for deploying Grafana. The provided JSON configuration is designed for robustness and flexibility, enabling persistent storage for Grafana data, provisioning configurations, and dashboards using Amazon Elastic File System (EFS). It also details essential environment variables for regional settings, AWS integration, plugin installation, and server configuration, along with secure handling of AWS credentials via AWS Systems Manager Parameter Store.

Key Configuration Components

The Grafana Task Definition is structured to manage the Grafana container effectively within an AWS ECS environment. It specifies the Docker image to use, resource allocations, port mappings, and critical environment variables. The configuration includes:

  • Container Name and Image: Identifies the Grafana container and its version (e.g., grafana/grafana:7.3.4).
  • Resource Allocation: Sets memory reservation (e.g., 512MB).
  • Port Mapping: Exposes container port 3000 over TCP with hostPort set to 0, so ECS assigns a dynamic host port that a load balancer target group can register.
  • Environment Variables: Crucial for setting up Grafana's behavior, including AWS region, profile, provisioning paths, and plugin installations.
  • Secrets Management: Securely injects AWS access keys and secret access keys from AWS Systems Manager Parameter Store.
  • Volume Mounts: Connects EFS volumes to specific paths within the container for persistent data storage.

EFS Volume Configuration for Grafana

Persistent storage is vital for Grafana to retain its data, configurations, and dashboards across container restarts or updates. This Task Definition utilizes EFS volumes for:

  • Grafana Data: Mounted at /var/lib/grafana for storing databases, sessions, and other runtime data.
  • Grafana Provisioning: Mounted at /etc/grafana/provisioning for custom configuration files, data sources, and dashboards.
  • Grafana Dashboards: Mounted at /etc/grafana/dashboards for loading pre-defined dashboard JSON files.

Each EFS volume is configured with a specific fileSystemId and rootDirectory, ensuring data is correctly mapped.

Security and Best Practices

This Task Definition incorporates security best practices by using separate IAM roles for the ECS task execution (pulling the image and resolving secrets) and for the task itself (what Grafana may call at runtime), granting the necessary permissions without hardcoding credentials into the container image. Sensitive information such as AWS access keys and secret access keys is managed through AWS Systems Manager Parameter Store and injected at container start via the secrets block, so it never appears in the plain environment list or in the task definition itself. The use of privileged: true should be reviewed against your specific security requirements, as it grants the container extended privileges on the host; Grafana does not require it to run.
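As an added example (not code from this page, Grafana, or AWS), the following Python script applies the checks discussed in the EFS volume and security sections above to a task definition in the shape shown on this page: it flags a privileged container, credential-like names placed in plain environment instead of secrets, secrets whose valueFrom is not an SSM Parameter Store or Secrets Manager ARN, mount points that reference an undefined volume, and writable mounts of the provisioning and dashboards directories that Grafana only reads. The embedded sample task definition, its account id, role names and filesystem id are constructed placeholders; the credential-name pattern and the list of read-only paths are this example's own assumptions.

```python
"""Static checks for an ECS task definition before it is registered.

Added example, not the page's or Grafana's own code: it loads a task
definition in the shape shown on this page and reports findings a
reviewer would raise before deployment.
"""
import json
import re

# Constructed sample, trimmed from the task definition on this page;
# account id, role names and filesystem id are placeholders.
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "grafana",
  "executionRoleArn": "arn:aws:iam::000000000000:role/ecs-exec-role",
  "taskRoleArn": "arn:aws:iam::000000000000:role/ecs-task-role",
  "containerDefinitions": [
    {
      "name": "grafana",
      "image": "grafana/grafana:7.3.4",
      "privileged": true,
      "environment": [
        {"name": "GF_AWS_PROFILES", "value": "default"},
        {"name": "GF_AWS_default_REGION", "value": "eu-west-1"}
      ],
      "secrets": [
        {"name": "GF_AWS_default_ACCESS_KEY_ID",
         "valueFrom": "arn:aws:ssm:eu-west-1:000000000000:parameter/grafana/prod/AWS_ACCESS_KEY_ID"},
        {"name": "GF_AWS_default_SECRET_ACCESS_KEY",
         "valueFrom": "arn:aws:ssm:eu-west-1:000000000000:parameter/grafana/prod/AWS_SECRET_ACCESS_KEY"}
      ],
      "mountPoints": [
        {"containerPath": "/var/lib/grafana", "sourceVolume": "grafana-data", "readOnly": false},
        {"containerPath": "/etc/grafana/provisioning", "sourceVolume": "grafana-provisioning", "readOnly": false},
        {"containerPath": "/etc/grafana/dashboards", "sourceVolume": "grafana-dashboards", "readOnly": false}
      ]
    }
  ],
  "volumes": [
    {"name": "grafana-data", "efsVolumeConfiguration": {"fileSystemId": "fs-00000000", "rootDirectory": "/grafana/data"}},
    {"name": "grafana-provisioning", "efsVolumeConfiguration": {"fileSystemId": "fs-00000000", "rootDirectory": "/grafana/provisioning"}},
    {"name": "grafana-dashboards", "efsVolumeConfiguration": {"fileSystemId": "fs-00000000", "rootDirectory": "/grafana/dashboards"}}
  ]
}
""")

# Assumed naming pattern for values that carry credentials and belong in `secrets`, never in `environment`.
SECRET_NAME_RE = re.compile(r"(ACCESS_KEY_ID|SECRET_ACCESS_KEY|PASSWORD|TOKEN)$", re.I)
# ECS resolves `secrets` only from SSM Parameter Store or Secrets Manager.
SECRET_SOURCE_RE = re.compile(r"^arn:aws:(ssm|secretsmanager):[a-z0-9-]+:\d{12}:")
# Assumed read-only set: Grafana loads these directories but does not write to them,
# so a writable mount only widens what a compromised container could alter.
READ_ONLY_PATHS = {"/etc/grafana/provisioning", "/etc/grafana/dashboards"}


def lint_task_definition(task_def):
    """Return a sorted list of finding strings; an empty list means no issues."""
    findings = []
    volumes = {v["name"] for v in task_def.get("volumes", [])}
    for c in task_def.get("containerDefinitions", []):
        name = c["name"]
        env = {e["name"]: e["value"] for e in c.get("environment", [])}
        secrets = {s["name"]: s["valueFrom"] for s in c.get("secrets", [])}

        if c.get("privileged"):
            findings.append(f"{name}: privileged=true grants host-level capabilities; drop it unless a documented need exists")

        for key in env:
            if SECRET_NAME_RE.search(key):
                findings.append(f"{name}: {key} is a credential in plain environment; move it to secrets")

        for key, src in secrets.items():
            if not SECRET_SOURCE_RE.match(src):
                findings.append(f"{name}: secret {key} must come from SSM Parameter Store or Secrets Manager, got {src!r}")

        # Grafana reads per-profile credentials from GF_AWS_<profile>_ACCESS_KEY_ID / _SECRET_ACCESS_KEY.
        for profile in filter(None, env.get("GF_AWS_PROFILES", "").split(",")):
            for suffix in ("ACCESS_KEY_ID", "SECRET_ACCESS_KEY"):
                var = f"GF_AWS_{profile}_{suffix}"
                if var not in secrets and var not in env:
                    findings.append(f"{name}: profile {profile!r} is listed but {var} is not provided")

        for m in c.get("mountPoints", []):
            if m["sourceVolume"] not in volumes:
                findings.append(f"{name}: mount {m['containerPath']} references undefined volume {m['sourceVolume']!r}")
            if m["containerPath"] in READ_ONLY_PATHS and not m.get("readOnly", False):
                findings.append(f"{name}: {m['containerPath']} is writable; Grafana only reads it, set readOnly=true")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_task_definition(SAMPLE_TASK_DEF):
        print("FINDING:", finding)
```

Run against the sample above, the script reports three findings: the privileged flag and the two writable read-only directories. Point it at your own definition with `json.load(open("task-def.json"))` before `aws ecs register-task-definition`; the checks are intentionally conservative and will not reject a definition, they only list what to review.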

For more information on configuring Grafana with AWS ECS, refer to the official Grafana documentation and AWS ECS documentation.


{
  "family": "grafana",
  "executionRoleArn": "arn:aws:iam::000000000000:role/ecs-exec-role",
  "taskRoleArn": "arn:aws:iam::000000000000:role/ecs-task-role",
  "containerDefinitions": [
    {
      "name": "grafana",
      "image": "grafana/grafana:7.3.4",
      "memoryReservation": 512,
      "portMappings": [
        {
          "protocol": "tcp",
          "containerPort": 3000,
          "hostPort": 0
        }
      ],
      "environment": [
        {
          "name": "AWS_DEFAULT_REGION",
          "value": "eu-west-1"
        },
        {
          "name": "GF_AWS_PROFILES",
          "value": "default"
        },
        {
          "name": "GF_AWS_default_REGION",
          "value": "eu-west-1"
        },
        {
          "name": "GF_PATHS_PROVISIONING",
          "value": "/etc/grafana/provisioning"
        },
        {
          "name": "GF_INSTALL_PLUGINS",
          "value": "grafana-clock-panel,grafana-simple-json-datasource,grafana-piechart-panel,camptocamp-prometheus-alertmanager-datasource"
        },
        {
          "name": "GF_SERVER_ROOT_URL",
          "value": "https://grafana.domain.com"
        },
        {
          "name": "GF_SERVER_DOMAIN",
          "value": "domain.com"
        }
      ],
      "secrets": [
        {
          "valueFrom": "arn:aws:ssm:eu-west-1:000000000000:parameter/grafana/prod/AWS_ACCESS_KEY_ID",
          "name": "GF_AWS_default_ACCESS_KEY_ID"
        },
        {
          "valueFrom": "arn:aws:ssm:eu-west-1:000000000000:parameter/grafana/prod/AWS_SECRET_ACCESS_KEY",
          "name": "GF_AWS_default_SECRET_ACCESS_KEY"
        }
      ],
      "essential": true,
      "privileged": true,
      "mountPoints": [
        {
          "containerPath": "/var/lib/grafana",
          "sourceVolume": "grafana-data",
          "readOnly": false
        },
        {
          "containerPath": "/etc/grafana/provisioning",
          "sourceVolume": "grafana-provisioning",
          "readOnly": false
        },
        {
          "containerPath": "/etc/grafana/dashboards",
          "sourceVolume": "grafana-dashboards",
          "readOnly": false
        }
      ]
    }
  ],
  "volumes": [
    {
      "name": "grafana-data",
      "efsVolumeConfiguration": {
        "fileSystemId": "fs-00000000",
        "rootDirectory": "/grafana/data"
      }
    },
    {
      "name": "grafana-provisioning",
      "efsVolumeConfiguration": {
        "fileSystemId": "fs-00000000",
        "rootDirectory": "/grafana/provisioning"
      }
    },
    {
      "name": "grafana-dashboards",
      "efsVolumeConfiguration": {
        "fileSystemId": "fs-00000000",
        "rootDirectory": "/grafana/dashboards"
      }
    }
  ]
}