puppet-prod/site/profiles/manifests/metrics/grafana.pp
Ben Vincent 308d97d783 feat: enable plugins for grafana (#378)
- add method to install plugins for grafana
- ensure victoriametrics-logs-datasource is installed

Reviewed-on: #378
2025-08-09 17:57:49 +10:00


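# @summary Deploys Grafana with LDAP authentication and an optional SQL backend.
#
# Builds the Grafana config hash and the LDAP config hash, passes both to the
# `grafana` class, replaces the packaged systemd unit and declares a
# profiles::haproxy::balancemember for port 443.
#
# @param ldap_bind_pass
#   Password for the LDAP bind DN; placed in the Sensitive-wrapped LDAP hash.
# @param http_port
#   Value of `server.http_port` in the Grafana config.
# @param app_mode
#   Value of `app_mode` in the Grafana config.
# @param allow_sign_up
#   Value of `users.allow_sign_up` in the Grafana config.
# @param mysql_backend
#   Export a mysql_user/mysql_grant for this node and use a MySQL database
#   section. Mutually exclusive with `pgsql_backend`.
# @param pgsql_backend
#   Include profiles::sql::postgresdb and use a PostgreSQL database section.
#   Mutually exclusive with `mysql_backend`.
# @param db_user
#   Database user name.
# @param db_name
#   Database name.
# @param db_pass
#   Database password. The default comes from fqdn_rand_string(), which derives
#   its output from the node's FQDN, so it is reproducible rather than secret;
#   supply a real value from an encrypted data source.
# @param db_host
#   Database host.
# @param db_port
#   Database port. The default (5432) is also used when `mysql_backend` is
#   selected, so override it in that case.
# @param plugins
#   Passed unchanged to the `plugins` parameter of the `grafana` class.
class profiles::metrics::grafana (
  String       $ldap_bind_pass,
  Stdlib::Port $http_port     = 8080,
  String       $app_mode      = 'production',
  Boolean      $allow_sign_up = false,
  Boolean      $mysql_backend = false,
  Boolean      $pgsql_backend = false,
  String       $db_user       = 'grafana',
  String       $db_name       = 'grafana',
  String       $db_pass       = fqdn_rand_string(16),
  Stdlib::Host $db_host       = '127.0.0.1',
  Stdlib::Port $db_port       = 5432,
  Hash         $plugins       = {}
) {
  # node fqdn, used for the exported mysql resources and the haproxy member
  $fqdn = $facts['networking']['fqdn']

  # Assigning $database_config in both branches would abort compilation with a
  # reassignment error; fail early with a message that names the cause.
  if $mysql_backend and $pgsql_backend {
    fail('profiles::metrics::grafana: mysql_backend and pgsql_backend are mutually exclusive')
  }

  # NOTE(review): $db_pass is declared as String, so .unwrap has nothing to
  # unwrap and the password is carried in $cfg in clear text (only $ldap_cfg is
  # wrapped in Sensitive). Consider typing it Sensitive[String] end to end.
  if $mysql_backend {
    # when using mysql backend: export the account and grant for collection
    # on the database server
    @@mysql_user { "${db_user}@${fqdn}":
      ensure        => present,
      password_hash => mysql::password($db_pass),
      tag           => $facts['region'],
    }

    @@mysql_grant { "${db_user}@${fqdn}/${db_name}.*":
      ensure     => present,
      table      => "${db_name}.*",
      user       => "${db_user}@${fqdn}",
      privileges => ['ALL'],
      tag        => $facts['region'],
    }

    $database_config = {
      type     => 'mysql',
      host     => "${db_host}:${db_port}",
      name     => $db_name,
      user     => $db_user,
      password => $db_pass.unwrap,
    }
  } elsif $pgsql_backend {
    # when using postgres backend
    include profiles::sql::postgresdb

    $database_config = {
      type     => 'postgres',
      host     => "${db_host}:${db_port}",
      name     => $db_name,
      user     => $db_user,
      password => $db_pass.unwrap,
    }
  } else {
    # No backend selected: define the variable explicitly so the reference
    # below does not hit an unknown variable under strict variable checking.
    # NOTE(review): confirm how the grafana module renders an undef
    # 'database' section.
    $database_config = undef
  }

  # build the grafana config hash
  $cfg = {
    app_mode    => $app_mode,
    server      => {
      http_port => $http_port,
    },
    database    => $database_config,
    users       => {
      allow_sign_up => $allow_sign_up,
    },
    'auth.ldap' => {
      enabled     => 'true',
      config_file => '/etc/grafana/ldap.toml',
    },
  }

  # build the ldap config hash (Sensitive, because it carries the bind password)
  # NOTE(review): port 389 with use_ssl => false and no start_tls key means the
  # bind password and user logins are sent to the directory without TLS as
  # configured here. Enable use_ssl or start_tls once the LDAP service offers it.
  $ldap_cfg = Sensitive({
    servers                  => [
      {
        host            => 'ldap.service.consul',
        port            => 389,
        use_ssl         => false,
        search_filter   => '(uid=%s)',
        search_base_dns => ['dc=main,dc=unkin,dc=net'],
        bind_dn         => 'cn=svc_grafana,ou=services,ou=users,dc=main,dc=unkin,dc=net',
        bind_password   => $ldap_bind_pass,
      },
    ],
    'servers.attributes'     => {
      name      => 'givenName',
      surname   => 'sn',
      username  => 'uid',
      member_of => 'memberOf',
      email     => 'mail',
    },
    'servers.group_mappings' => [
      {
        # members of this group become organisation Admin and server admin
        group_dn      => 'ou=grafana_admin,ou=groups,dc=main,dc=unkin,dc=net',
        org_role      => 'Admin',
        grafana_admin => true,
      },
      {
        group_dn => 'ou=grafana_user,ou=groups,dc=main,dc=unkin,dc=net',
        org_role => 'Viewer',
      },
    ],
  })

  # deploy grafana
  # NOTE(review): plugins execute inside Grafana; keep the $plugins hash in
  # reviewed data and list only plugins that are actually needed.
  class { 'grafana':
    cfg      => $cfg,
    ldap_cfg => $ldap_cfg,
    plugins  => $plugins,
  }

  # fix the package provided systemd service
  systemd::unit_file { 'grafana-server.service':
    content => template('profiles/metrics/grafana.service.erb'),
    require => Package['grafana'],
    before  => Service['grafana'],
  }

  # export haproxy balancemember
  # NOTE(review): 'ssl' with 'verify none' encrypts the hop to this backend but
  # does not validate its certificate, so the proxy cannot tell this node from
  # an impostor. Prefer 'verify required' with a ca-file where an internal CA
  # is available.
  profiles::haproxy::balancemember { "${fqdn}_443":
    service => 'be_grafana',
    ports   => [443],
    options => [
      "cookie ${facts['networking']['hostname']}",
      'ssl',
      'verify none',
      'check',
      'inter 2s',
      'rise 3',
      'fall 2',
    ],
  }
}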