AWS cli documentation change
Summary
Updated AWS CLI command reference for 'grafana create-workspace': reordered parameters, added --kms-key-id for encryption, enhanced network access control documentation, and restructured output.
Security assessment
Added --kms-key-id parameter for workspace data encryption and enhanced --network-access-control documentation for IP/VPC restrictions. These are security features but not fixes for existing vulnerabilities.
Diff
diff --git a/cli/latest/reference/grafana/create-workspace.md b/cli/latest/reference/grafana/create-workspace.md index 47231b196..ed43f8ca2 100644 --- a//cli/latest/reference/grafana/create-workspace.md +++ b//cli/latest/reference/grafana/create-workspace.md @@ -15 +15 @@ - * [AWS CLI 2.33.22 Command Reference](../../index.html) » + * [AWS CLI 2.33.25 Command Reference](../../index.html) » @@ -70 +69,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/grafan - --authentication-providers <value> @@ -72,3 +70,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/grafan - [--configuration <value>] - [--grafana-version <value>] - [--network-access-control <value>] @@ -78,2 +73,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/grafan - [--tags <value>] - [--vpc-configuration <value>] @@ -85,0 +80,7 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/grafan + --authentication-providers <value> + [--tags <value>] + [--vpc-configuration <value>] + [--configuration <value>] + [--network-access-control <value>] + [--grafana-version <value>] + [--kms-key-id <value>] @@ -121 +122 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/grafan -`--authentication-providers` (list) [required] +`--client-token` (string) @@ -123 +124 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/grafan -> Specifies whether this workspace uses SAML 2.0, IAM Identity Center, or both to authenticate users for using the Grafana console within a workspace. For more information, see [User authentication in Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html) . +> A unique, case-sensitive, user-provided identifier to ensure the idempotency of the request. @@ -125 +126,3 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/grafan -> (string) +> Constraints: +> +> * pattern: `[!-~]{1,64}` @@ -127,6 +129,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/grafan ->> Possible values: ->> ->> * `AWS_SSO` ->> * `SAML` ->> - @@ -134 +130,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/grafan -Syntax: @@ -135,0 +132 @@ Syntax: +`--organization-role-name` (string) @@ -137 +134,7 @@ Syntax: - "string" "string" ... +> The name of an IAM role that already exists to use with Organizations to access Amazon Web Services data sources and notification channels in other accounts in an organization. +> +> Constraints: +> +> * min: `1` +> * max: `2048` +> @@ -140 +143 @@ Syntax: -`--client-token` (string) +`--permission-type` (string) [required] @@ -142 +145 @@ Syntax: -> A unique, case-sensitive, user-provided identifier to ensure the idempotency of the request. +> When creating a workspace through the Amazon Web Services API, CLI or Amazon Web Services CloudFormation, you must manage IAM roles and provision the permissions that the workspace needs to use Amazon Web Services data sources and notification channels. @@ -144 +147,3 @@ Syntax: -> Constraints: +> You must also specify a `workspaceRoleArn` for a role that you will manage for the workspace to use when accessing those datasources and notification channels. +> +> The ability for Amazon Managed Grafana to create and update IAM roles on behalf of the user is supported only in the Amazon Managed Grafana console, where this value may be set to `SERVICE_MANAGED` . @@ -146 +151,10 @@ Syntax: -> * pattern: `^[!-~]{1,64}$` +> ### Note +> +> Use only the `CUSTOMER_MANAGED` permission type when creating a workspace with the API, CLI or Amazon Web Services CloudFormation. +> +> For more information, see [Amazon Managed Grafana permissions and policies for Amazon Web Services data sources and notification channels](https://docs.aws.amazon.com/grafana/latest/userguide/AMG-manage-permissions.html) . +> +> Possible values: +> +> * `CUSTOMER_MANAGED` +> * `SERVICE_MANAGED` @@ -150 +164 @@ Syntax: -`--configuration` (string) +`--stack-set-name` (string) @@ -152,3 +166,5 @@ Syntax: -> The configuration string for the workspace that you create. For more information about the format and configuration options available, see [Working in your Grafana workspace](https://docs.aws.amazon.com/grafana/latest/userguide/AMG-configure-workspace.html) . -> -> Constraints: +> The name of the CloudFormation stack set to use to generate IAM roles to be used for this workspace. + +`--workspace-data-sources` (list) + +> This parameter is for internal use only, and should not be used. @@ -156,2 +172 @@ Syntax: -> * min: `2` -> * max: `65536` +> (string) @@ -158,0 +174,12 @@ Syntax: +>> Possible values: +>> +>> * `AMAZON_OPENSEARCH_SERVICE` +>> * `CLOUDWATCH` +>> * `PROMETHEUS` +>> * `XRAY` +>> * `TIMESTREAM` +>> * `SITEWISE` +>> * `ATHENA` +>> * `REDSHIFT` +>> * `TWINMAKER` +>> @@ -161 +188 @@ Syntax: -`--grafana-version` (string) +Syntax: @@ -163 +190,7 @@ Syntax: -> Specifies the version of Grafana to support in the new workspace. If not specified, defaults to the latest version (for example, 10.4). + + "string" "string" ... + + +`--workspace-description` (string) + +> A description for the workspace. This is used only to help you identify this workspace. @@ -165 +198 @@ Syntax: -> To get a list of supported versions, use the `ListVersions` operation. +> Pattern: `^[\\p{L}\\p{Z}\\p{N}\\p{P}]{0,2048}$` @@ -169,2 +202,2 @@ Syntax: -> * min: `1` -> * max: `255` +> * min: `0` +> * max: `2048` @@ -174 +207 @@ Syntax: -`--network-access-control` (structure) +`--workspace-name` (string) @@ -176,3 +209 @@ Syntax: -> Configuration for network access to your workspace. -> -> When this is configured, only listed IP addresses and VPC endpoints will be able to access your workspace. Standard Grafana authentication and authorization will still be required. +> The name for the workspace. It does not have to be unique. @@ -180 +211 @@ Syntax: -> If this is not configured, or is removed, then all IP addresses and VPC endpoints will be allowed. Standard Grafana authentication and authorization will still be required. +> Constraints: @@ -182 +213 @@ Syntax: -> prefixListIds -> (list) [required] +> * pattern: `[a-zA-Z0-9-._~]{1,255}` @@ -184,13 +214,0 @@ Syntax: ->> An array of prefix list IDs. A prefix list is a list of CIDR ranges of IP addresses. The IP addresses specified are allowed to access your workspace. If the list is not included in the configuration (passed an empty array) then no IP addresses are allowed to access the workspace. You create a prefix list using the Amazon VPC console. ->> ->> Prefix list IDs have the format ``pl-_1a2b3c4d_ `` . ->> ->> For more information about prefix lists, see [Group CIDR blocks using managed prefix lists](https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html) in the _Amazon Virtual Private Cloud User Guide_ . ->> ->> (string) ->> ->>> Constraints: ->>> ->>> * min: `1` ->>> * max: `100` ->>> @@ -197,0 +216,4 @@ Syntax: + +`--workspace-notification-destinations` (list) + +> Specify the Amazon Web Services notification channels that you plan to use in this workspace. Specifying these data sources here enables Amazon Managed Grafana to create IAM roles and permissions that allow Amazon Managed Grafana to use these channels. @@ -199 +221 @@ Syntax: -> vpceIds -> (list) [required] +> (string) @@ -201,9 +223 @@ Syntax: ->> An array of Amazon VPC endpoint IDs for the workspace. You can create VPC endpoints to your Amazon Managed Grafana workspace for access from within a VPC. If a `NetworkAccessConfiguration` is specified then only VPC endpoints specified here are allowed to access the workspace. If you pass in an empty array of strings, then no VPCs are allowed to access the workspace. ->> ->> VPC endpoint IDs have the format ``vpce-_1a2b3c4d_ `` . ->> ->> For more information about creating an interface VPC endpoint, see [Interface VPC endpoints](https://docs.aws.amazon.com/grafana/latest/userguide/VPC-endpoints) in the _Amazon Managed Grafana User Guide_ . ->> ->> ### Note ->> ->> The only VPC endpoints that can be specified here are interface VPC endpoints for Grafana workspaces (using the `com.amazonaws.[region].grafana-workspace` service endpoint). Other VPC endpoints are ignored. +>> Possible values: @@ -211 +225 @@ Syntax: ->> (string) +>> * `SNS` @@ -213,5 +226,0 @@ Syntax: ->>> Constraints: ->>> ->>> * min: `1` ->>> * max: `100` ->>> @@ -220 +229 @@ Syntax: -Shorthand Syntax: +Syntax: @@ -223 +232 @@ Shorthand Syntax: - prefixListIds=string,string,vpceIds=string,string + "string" "string" ... @@ -226 +235 @@ Shorthand Syntax: -JSON Syntax: +`--workspace-organizational-units` (list) @@ -227,0 +237,3 @@ JSON Syntax: +> Specifies the organizational units that this workspace is allowed to use data sources from, if this workspace is in an account that is part of an organization. +> +> (string) @@ -229,4 +241 @@ JSON Syntax: - { - "prefixListIds": ["string", ...], - "vpceIds": ["string", ...]