Bicep Module Documentation
← Back to Overview
Module grafana
grafana
| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| sku (required) | sku | |
| apiKey | 'Disabled' 'Enabled' |
The API key setting of the Grafana instance. (default: Disabled) |
| zoneRedundancy | 'Disabled' 'Enabled' |
The zone redundancy setting of the Grafana instance. (default: Disabled) |
| publicNetworkAccess | 'Disabled' 'Enabled' |
Indicate the state for enable or disable traffic over the public interface. (default: Enabled) |
| deterministicOutboundIP | 'Disabled' 'Enabled' |
Whether a Grafana instance uses deterministic outbound IPs. (default: Disabled) |
| creatorCanAdmin | 'Disabled' 'Enabled' |
The creator will have admin access for the Grafana instance. (default: Disabled) |
| enterpriseConfigurations | enterpriseConfigurations | Enterprise settings of a Grafana instance |
| grafanaConfigurations | grafanaConfigurations | Server configurations of a Grafana instance |
| grafanaIntegrations | grafanaIntegrations | GrafanaIntegrations is a bundled observability experience (e.g. pre-configured data source, tailored Grafana dashboards, alerting defaults) for common monitoring scenarios. |
| grafanaMajorVersion (required) | '11' '12' |
The major Grafana software version to target. |
| grafanaPlugins | object | Installed plugin list of the Grafana instance. Key is plugin id, value is plugin definition. |
sku
| Property | Value | Description |
|---|---|---|
| name (required) | 'Standard' | |
| size (required) | 'X1' 'X2' |
Specifies the capacity tier of the Grafana instance. |
enterpriseConfigurations
| Property | Value | Description |
|---|---|---|
| marketplaceAutoRenew (required) | 'Disabled' 'Enabled' |
The AutoRenew setting of the Enterprise subscription |
| marketplacePlanId (required) | string | The Plan ID of the Azure Marketplace subscription for the Enterprise plugins |
security
| Property | Value | Description |
|---|---|---|
| csrfAlwaysCheck | bool | Set to true to execute the CSRF check even if the login cookie is not in a request. (default: false). |
smtp
| Property | Value | Description |
|---|---|---|
| enabled | bool | Enable this to allow Grafana to send email. (default: false) |
| fromAddress (required) | string | Address used when sending out emails |
| fromName | string | Name to be used when sending out emails. (default: Azure Managed Grafana Notification) |
| host (required) | string | SMTP server hostname with port, e.g. test.email.net:587 |
| password (required) | securestring | Password of SMTP auth. If the password contains # or ;, then you have to wrap it with triple quotes |
| skipVerify | bool | Verify SSL for SMTP server. (default: false) |
| startTLSPolicy (required) | string | The StartTLSPolicy setting of the SMTP configuration |
| user (required) | string | User of SMTP auth |
snapshots
| Property | Value | Description |
|---|---|---|
| externalEnabled (required) | bool | Set to false to disable external snapshot publish endpoint. (default: true) |
unifiedAlertingScreenshots
| Property | Value | Description |
|---|---|---|
| captureEnabled (required) | bool | Set to false to disable capture screenshot in Unified Alert due to performance issue. (default: false) |
users
| Property | Value | Description |
|---|---|---|
| editorsCanAdmin (required) | bool | Set to true so editors can administrate dashboards, folders and teams they create. (default: false) |
| viewersCanEdit (required) | bool | Set to true so viewers can access and use explore and perform temporary edits on panels in dashboards they have access to. They cannot save their changes. This feature is no longer available in Grafana 12. (default: false) |
grafanaConfigurations
| Property | Value | Description |
|---|---|---|
| security | security | Grafana security settings |
| smtp | smtp | Email server settings. |
| snapshots | snapshots | Grafana Snapshots settings |
| unifiedAlertingScreenshots | unifiedAlertingScreenshots | Grafana Unified Alerting Screenshots settings |
| users | users | Grafana users settings |
azureMonitorWorkspaceIntegrations
| Property | Value | Description |
|---|---|---|
| azureMonitorWorkspaceResourceId (required) | string | The resource Id of the connected Azure Monitor Workspace. |
grafanaIntegrations
| Property | Value | Description |
|---|---|---|
| azureMonitorWorkspaceIntegrations (required) | azureMonitorWorkspaceIntegrations[] |
naming
| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' |
The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |
resourceLock
| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Can't end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' |
The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |
resourceLockOwner
| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |
roleAssignment
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |
general
| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |
Changelog
1.0.1 (2026-03-26)
Bug Fixes
- incorrect array type definition of azureMonitorWorkspaceIntegrations
1.0.0 (2026-03-26)
⚠ BREAKING CHANGES
- initial version
Features
- initial version