A comprehensive demonstration of Role-Based Access Control (RBAC) implementation in Grafana Cloud using Terraform. This project showcases enterprise-grade team management, SSO integration, and granular permission controls across development and production environments.

This demo illustrates how to implement:

• Multi-environment Grafana Cloud infrastructure (dev/prod)
• Team-based access controls with granular permissions
• SSO integration with Okta for enterprise authentication
• Label-Based Access Control (LBAC) for data source security

grafana-rbac-demo/
├── dev/                    # Development environment
│   ├── provider.tf         # Grafana Cloud provider configuration
│   ├── variables.tf        # Input variables definition
│   ├── terraform.tfvars    # Development-specific values
│   ├── stack.tf           # Grafana Cloud stack creation
│   ├── auth.tf            # Okta SSO configuration
│   ├── teams.tf           # Team creation and sync
│   ├── roles.tf           # RBAC role assignments
│   ├── folders.tf         # Dashboard folders and permissions
│   └── datasource.tf      # Data source configuration and LBAC
├── prod/                  # Production environment
│   └── [similar structure with prod-specific configs]
├── .gitignore            # Terraform-specific ignore patterns
└── README.md             # This file

• Grafana Cloud account with appropriate permissions
• Okta developer account for SSO integration

git clone <repository-url>
cd grafana-rbac-demo

Create or update terraform.tfvars files for each environment with your specific values:

cd dev/

Update terraform.tfvars with your configuration:

grafana_cloud_access_policy_token = "your_grafana_cloud_token"
okta_auth_url                    = "https://your-org.okta.com/oauth2/v1/authorize"
okta_token_url                   = "https://your-org.okta.com/oauth2/v1/token"
okta_api_url                     = "https://your-org.okta.com/oauth2/v1/userinfo"
okta_client_id                   = "your_okta_client_id"
okta_client_secret               = "your_okta_client_secret"
loki_datasource_name             = "your_loki_datasource_name"
stack_name                       = "your_dev_stack_name"
stack_description                = "Development Stack"

Update providers.tf to the URL of your stack

provider "grafana" {
  alias = "dev"
  url   = "https://<your_stack>.grafana.net"
  auth  = grafana_cloud_stack_service_account_token.cloud_sa_token.key
}

cd dev/
terraform init
terraform plan
terraform apply

cd ../prod/
terraform init
terraform plan
terraform apply

• Admins Team: Full administrative access across all resources
• Dev Team A: Scoped access to Team A resources and data
• Dev Team B: Scoped access to Team B resources and data

• Dashboard creation and editing within assigned folders
• Data source exploration and querying
• Alerting rule management
• Library panel creation and sharing
• Folder-specific administrative access

• All development team permissions
• Organization and user management
• Team management capabilities
• Data source administration
• System-wide configuration access

• Team A: Access restricted to logs matching { app = "a" }
• Team B: Access restricted to logs matching { app = "b" }
• Automatic data filtering based on team membership
• Prevents cross-team data access

• Okta OAuth2 authentication
• Automatic team synchronization based on Okta groups
• Role mapping from Okta to Grafana teams
• Just-in-time provisioning of users

All sensitive and environment-specific values are externalized into variables:

• Authentication tokens and secrets
• Okta configuration parameters
• Stack naming and descriptions
• Data source configurations
• URL endpoints for different environments

• Local state for demo purposes
• Separate state per environment
• Gitignored state files for security

• ✅ Secrets externalization via variables
• ✅ Least privilege access using specific roles
• ✅ Data isolation through LBAC rules
• ✅ SSO integration for centralized authentication
• ✅ Team-based segregation of resources

• 🔐 Use secret management (HashiCorp Vault, AWS Secrets Manager)
• 🔐 Enable remote state with encryption
• 🔐 Implement CI/CD with proper approval workflows
• 🔐 Regular access reviews and permission audits
• 🔐 Monitor and alert on configuration changes

• Grafana RBAC Documentation
• Grafana Terraform Provider
• Okta OAuth2 Integration
• Terraform Best Practices

1. Fork the repository
2. Create a feature branch
3. Test changes in development environment
4. Update documentation as needed
5. Submit a pull request with detailed description

This project is licensed under the terms specified in the LICENSE file.

⚠️ Security Notice: This demo contains example credentials and tokens. Never use these values in production environments. Always generate your own secure credentials and follow proper secret management practices.