diff --git a/main.tf b/main.tf
index 0d8ba9c..c73708a 100644
--- a/main.tf
+++ b/main.tf
@@ -258,6 +258,86 @@ resource "helm_release" "influxdb" {
 ]
 }
+resource "keycloak_openid_client" "grafana_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "grafana"
+ enabled = true
+ access_type = "CONFIDENTIAL"
+ standard_flow_enabled = true
+ implicit_flow_enabled = false
+ use_refresh_tokens = false
+ client_secret = var.keycloak_grafana_secret
+ valid_redirect_uris = [
+ "https://grafana.${var.domain_suffix}/login/generic_oauth"
+ ]
+}
+
+resource "kubernetes_config_map" "grafana_ini" {
+ metadata {
+ name = "grafana-ini"
+ namespace = var.grafana_namespace
+ }
+ data = {
+ "grafana.ini" = <<-EOT
+ [server]
+ root_url = https://grafana.${var.domain_suffix}/
+ [auth.generic_oauth]
+ enabled = true
+ name = md1clv.im
+ allow_sign_up = true
+ client_id = ${keycloak_openid_client.grafana_client.client_id}
+ client_secret = ${keycloak_openid_client.grafana_client.client_secret}
+ scopes = openid email profile offline_access roles
+ email_attribute_path = email
+ login_attribute_path = username
+ name_attribute_path = full_name
+ auth_url = https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/protocol/openid-connect/auth
+ token_url = https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/protocol/openid-connect/token
+ api_url = https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/protocol/openid-connect/userinfo
+ signout_redirect_url = https://keycloak.${var.domain_suffix}/realms/${keycloak_realm.realm.realm}/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fgrafana.${var.domain_suffix}%2Flogin
+ role_attribute_path = contains(roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
+ allow_assign_grafana_admin = true
+ groups_attribute_path = groups
+ EOT
+ }
+}
+
+resource "helm_release" "grafana" {
+ name = "grafana"
+ namespace = var.grafana_namespace
+ repository = "https://charts.bitnami.com/bitnami/"
+ chart = "grafana"
+ create_namespace = true
+ values = [
+ <<-EOT
+ admin:
+ password: ${var.default_password}
+ config:
+ grafanaIniConfigMap: grafana-ini
+ useGrafanaIniFile: true
+ datasources:
+ secretDefinition:
+ apiVersion: 1
+ datasources:
+ - isDefault: true
+ name: InfluxDB
+ type: influxdb
+ url: http://influxdb.${var.influxdb_namespace}.svc.cluster.local:8006
+ - name: Prometheus
+ type: prometheus
+ url: http://prometheus.${var.prometheus_namespace}.svc.cluster.local
+ global:
+ storageClass: ${var.storageclass}
+ ingress:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ enabled: true
+ hostname: grafana.${var.domain_suffix}
+ tls: true
+ EOT
+ ]
+}
+
 resource "helm_release" "freeipa" {
 name = "freeipa"
 namespace = var.freeipa_namespace
diff --git a/vars.tf b/vars.tf
index 3d34efd..f8acfbb 100644
--- a/vars.tf
+++ b/vars.tf
@@ -37,3 +37,7 @@ variable "freeipa_namespace" {
 variable "influxdb_namespace" {
 default = "influxdb"
 }
+
+variable "grafana_namespace" {
+ default = "grafana"
+}