#!/usr/bin/env bash
# Amazon Managed Grafana — create a Grafana 12.4 workspace (mid-2026)
#
# Prerequisites:
#   - AWS CLI v2 with grafana:CreateWorkspace permission
#     (AWSGrafanaAccountAdministrator or equivalent)
#   - For IAM Identity Center auth on first workspace: also
#     AWSSSOMemberAccountAdministrator + AWSSSODirectoryAdministrator
#   - An IAM role AMG can assume for AWS data sources (CloudWatch, AMP, X-Ray)
#
# Confirm current grafana-version strings and flags against:
#   https://docs.aws.amazon.com/grafana/latest/userguide/AMG-create-workspace.html
#   https://aws.amazon.com/about-aws/whats-new/2026/04/amazon-managed-grafana-v12-create/
#
# Usage:
#   export GRAFANA_WORKSPACE_ROLE_ARN=arn:aws:iam::ACCOUNT:role/AmgWorkspaceRole
#   ./workspace-create.sh
#
set -euo pipefail

: "${GRAFANA_WORKSPACE_ROLE_ARN:?Set GRAFANA_WORKSPACE_ROLE_ARN to the workspace IAM role ARN}"

# Grafana 12.4 — prefer for new workspaces (Drilldown, Scenes, CloudWatch PPL/SQL).
# Dual-stack requires Grafana version 10+. CMK encryption is set at create time.
aws grafana create-workspace \
  --account-access-type CURRENT_ACCOUNT \
  --workspace-role-arn "${GRAFANA_WORKSPACE_ROLE_ARN}" \
  --authentication-providers AWS_SSO \
  --permission-type SERVICE_MANAGED \
  --grafana-version "12.4" \
  --workspace-name "platform-observability" \
  --configuration '{"plugins": {"pluginAdminEnabled": true}}'

echo "Next:"
echo "  1. Assign IAM Identity Center users/groups; default most to Viewer."
echo "  2. Enable Network Access Control if the workspace is internet-reachable."
echo "  3. Connect data sources (CloudWatch, AMP, X-Ray) in the Grafana console."
echo "  4. Disable unused service accounts / API users — they bill like seats."
echo "See amg-best-practices-checklist.md for the full ops checklist."
