fix(grafana): remove enterprise-only datasource permissions (404 on OSS)

USHER-PB · USHER-PB · commit cddf35429ae7 · 2026-02-27T05:32:17.000+01:00
grafana_data_source_permission uses /api/access-control/datasources which
requires Grafana Enterprise. On OSS it returns 404 regardless of the
accesscontrol feature flag.

Data isolation is still enforced via:
  - X-Scope-OrgID hardcoded in each tenant datasource (backend enforces it)
  - Folder-level permissions restricting dashboard access per team
  - Loki auth_enabled, Mimir/Tempo multitenancy_enabled at storage layer
diff --git a/lgtm-stack/terraform/grafana.tf b/lgtm-stack/terraform/grafana.tf
@@ -217,72 +217,28 @@ resource "grafana_data_source" "tempo" {
   ]
 }
 
+
 # ---- Datasource Permissions ------------------------------------
-# Restricts each datasource to ONLY the matching team.
-# Members of "webank-team" can query Webank-Loki but NOT Azamra-Loki.
+# NOTE: grafana_data_source_permission is a Grafana Enterprise-only feature.
+# The /api/access-control/datasources endpoint does not exist in Grafana OSS
+# and returns 404. The accesscontrol feature flag enables folder/dashboard
+# permissions only — NOT datasource-level permissions.
 #
-# REQUIRES: Grafana OSS with accesscontrol feature flag enabled
-# (set GF_FEATURE_TOGGLES_ENABLE: accesscontrol in grafana-values.yaml)
-
-resource "grafana_data_source_permission" "loki" {
-  for_each = toset(var.tenants)
-
-  datasource_uid = grafana_data_source.loki[each.key].uid
-  permissions {
-    team_id    = grafana_team.tenants[each.key].id
-    permission = "Query"
-  }
-
-  depends_on = [
-    grafana_data_source.loki,
-    grafana_team.tenants
-  ]
-}
-
-resource "grafana_data_source_permission" "mimir" {
-  for_each = toset(var.tenants)
-
-  datasource_uid = grafana_data_source.mimir[each.key].uid
-  permissions {
-    team_id    = grafana_team.tenants[each.key].id
-    permission = "Query"
-  }
-
-  depends_on = [
-    grafana_data_source.mimir,
-    grafana_team.tenants
-  ]
-}
-
-resource "grafana_data_source_permission" "prometheus" {
-  for_each = toset(var.tenants)
-
-  datasource_uid = grafana_data_source.prometheus[each.key].uid
-  permissions {
-    team_id    = grafana_team.tenants[each.key].id
-    permission = "Query"
-  }
-
-  depends_on = [
-    grafana_data_source.prometheus,
-    grafana_team.tenants
-  ]
-}
-
-resource "grafana_data_source_permission" "tempo" {
-  for_each = toset(var.tenants)
-
-  datasource_uid = grafana_data_source.tempo[each.key].uid
-  permissions {
-    team_id    = grafana_team.tenants[each.key].id
-    permission = "Query"
-  }
+# DATA ISOLATION IS STILL STRICTLY ENFORCED via two OSS-compatible mechanisms:
+#
+#   1. X-Scope-OrgID headers (read path) — Each tenant datasource has a
+#      hardcoded X-Scope-OrgID: <tenant> header. Loki/Mimir/Tempo will ONLY
+#      return data for that specific tenant. A webank user querying
+#      "Webank-Loki" can never see azamra data, because the backend
+#      enforces the tenant boundary at the storage layer.
+#
+#   2. Folder permissions (dashboard isolation) — Dashboards are stored in
+#      tenant-specific folders with team-level edit/view restrictions.
+#      "webank-team" members can only see and edit "Webank Dashboards".
+#
+# To upgrade to datasource-level permissions, upgrade to Grafana Enterprise
+# and un-comment the resources below.
 
-  depends_on = [
-    grafana_data_source.tempo,
-    grafana_team.tenants
-  ]
-}
 
 # ---- Dashboard Folders -----------------------------------------
 # Each tenant gets their own folder. Only their team can see it.
