Merge branch 'main' into feat_resource_access_policy_allowed_subnets

.github/CODEOWNERS

@@ -4,6 +4,7 @@
 /internal/resources/cloud/*                 @grafana/platform-monitoring @grafana/grafana-com-maintainers
 /internal/resources/cloudprovider/*         @grafana/platform-monitoring @grafana/middleware-apps
 /internal/resources/connections/*           @grafana/platform-monitoring @grafana/middleware-apps
+/internal/resources/fleetmanagement/*       @grafana/platform-monitoring @grafana/fleet-management-backend
 /internal/resources/machinelearning/*       @grafana/platform-monitoring @grafana/machine-learning
 /internal/resources/oncall/*                @grafana/platform-monitoring @grafana/grafana-irm-backend
 /internal/resources/slo/*                   @grafana/platform-monitoring @grafana/slo-squad

.github/workflows/acc-tests.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with: 
           go-version-file: go.mod
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with: 
           go-version-file: go.mod
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
@@ -48,6 +48,8 @@ jobs:
             GRAFANA_CLOUD_PROVIDER_ACCESS_TOKEN=cloudprovider-tests:access-token
             GRAFANA_CLOUD_PROVIDER_AWS_ROLE_ARN=cloudprovider-tests:aws-role-arn
             GRAFANA_CLOUD_PROVIDER_TEST_STACK_ID=cloudprovider-tests:test-stack-id
+            GRAFANA_FLEET_MANAGEMENT_AUTH=cloud-instance-tests:fleet-management-auth
+            GRAFANA_FLEET_MANAGEMENT_URL=cloud-instance-tests:fleet-management-url
       - uses: iFaxity/wait-on-action@a7d13170ec542bdca4ef8ac4b15e9c6aa00a6866 # v1.2.1
         with:
           resource: ${{ env.GRAFANA_URL }}
@@ -103,7 +105,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with: 
           go-version-file: go.mod
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2

.github/workflows/cloud-acc-tests.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with: 
           go-version-file: go.mod
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2

.github/workflows/release.yml

@@ -29,7 +29,7 @@ jobs:
     - name: Unshallow
       run: git fetch --prune --unshallow
     - name: Set up Go
-      uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
       with:
         go-version-file: go.mod
     - name: Import GPG key
@@ -39,7 +39,7 @@ jobs:
         gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
         passphrase: ${{ secrets.PASSPHRASE }}
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
+      uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
       with:
         version: latest
         args: release --clean

.github/workflows/unit-tests.yml

@@ -27,7 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with: 
           go-version-file: go.mod
       - name: generate docs
@@ -46,7 +46,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with: 
           go-version-file: go.mod
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2

.linkcheckerrc

@@ -3,6 +3,7 @@ checkextern=1
 ignore=
   # https://regex101.com/r/Pl0jCn/1
   \/\*\!sc\*\/
+ignorewarnings=http-redirected
 
 [MarkdownCheck]
 filename_re=.*\.md

docs/data-sources/cloud_provider_aws_cloudwatch_scrape_job.md

@@ -64,6 +64,11 @@ resource "grafana_cloud_provider_aws_cloudwatch_scrape_job" "test" {
     }
     scrape_interval_seconds = 300
   }
+
+  static_labels = {
+    "label1" = "value1"
+    "label2" = "value2"
+  }
 }
 
 
@@ -93,6 +98,7 @@ data "grafana_cloud_provider_aws_cloudwatch_scrape_job" "test" {
 - `regions_subset_override_used` (Boolean) When true, the `regions` attribute will be the set of regions configured in the override. When false, the `regions` attribute will be the set of regions belonging to the AWS Account resource that is associated with this CloudWatch Scrape Job.
 - `role_arn` (String) The AWS ARN of the IAM role associated with the AWS Account resource that is being used by this CloudWatch Scrape Job.
 - `service` (Block List) One or more configuration blocks to dictate what this CloudWatch Scrape Job should scrape. Each block must have a distinct `name` attribute. When accessing this as an attribute reference, it is a list of objects. (see [below for nested schema](#nestedblock--service))
+- `static_labels` (Map of String) A set of static labels to add to all metrics exported by this scrape job.
 
 <a id="nestedblock--custom_namespace"></a>
 ### Nested Schema for `custom_namespace`

docs/data-sources/cloud_provider_aws_cloudwatch_scrape_jobs.md

@@ -51,6 +51,7 @@ Read-Only:
 - `role_arn` (String) The AWS ARN of the IAM role associated with the AWS Account resource that is being used by this CloudWatch Scrape Job.
 - `service` (Block List) One or more configuration blocks to dictate what this CloudWatch Scrape Job should scrape. Each block must have a distinct `name` attribute. When accessing this as an attribute reference, it is a list of objects. (see [below for nested schema](#nestedblock--scrape_job--service))
 - `stack_id` (String) The Stack ID of the Grafana Cloud instance. Part of the Terraform Resource ID.
+- `static_labels` (Map of String) A set of static labels to add to all metrics exported by this scrape job.
 
 <a id="nestedblock--scrape_job--custom_namespace"></a>
 ### Nested Schema for `scrape_job.custom_namespace`

docs/data-sources/cloud_provider_azure_credential.md

@@ -20,6 +20,8 @@ resource "grafana_cloud_provider_azure_credential" "test" {
   client_secret = "my-client-secret"
   tenant_id     = "my-tenant-id"
 
+  resource_tags_to_add_to_metrics = ["tag1", "tag2"]
+
   resource_discovery_tag_filter {
     key   = "key-1"
     value = "value-1"
@@ -76,6 +78,7 @@ data "grafana_cloud_provider_azure_credential" "test" {
 - `id` (String) The Terraform Resource ID. This has the format "{{ stack_id }}:{{ resource_id }}".
 - `name` (String) The name of the Azure Credential.
 - `resource_discovery_tag_filter` (Block List) The list of tag filters to apply to resources. (see [below for nested schema](#nestedblock--resource_discovery_tag_filter))
+- `resource_tags_to_add_to_metrics` (Set of String) A set of regions that this AWS Account resource applies to.
 - `tenant_id` (String) The tenant ID of the Azure Credential.
 
 <a id="nestedblock--auto_discovery_configuration"></a>

docs/data-sources/cloud_stack.md

@@ -41,6 +41,10 @@ available at “https://<stack_slug>.grafana.net".
 - `alertmanager_user_id` (Number) User ID of the Alertmanager instance configured for this stack.
 - `cluster_slug` (String) Slug of the cluster where this stack resides.
 - `description` (String) Description of stack.
+- `fleet_management_name` (String) Name of the Fleet Management instance configured for this stack.
+- `fleet_management_status` (String) Status of the Fleet Management instance configured for this stack.
+- `fleet_management_url` (String) Base URL of the Fleet Management instance configured for this stack.
+- `fleet_management_user_id` (Number) User ID of the Fleet Management instance configured for this stack.
 - `graphite_name` (String)
 - `graphite_status` (String)
 - `graphite_url` (String)

docs/index.md

@@ -58,7 +58,7 @@ resource "grafana_cloud_stack" "my_stack" {
 
   name        = "myteststack"
   slug        = "myteststack"
-  region_slug = "us"
+  region_slug = "prod-us-east-0"
 }
 
 // Step 2: Create a service account and key for the stack
@@ -102,7 +102,7 @@ variable "cloud_access_policy_token" {
 }
 variable "stack_slug" {}
 variable "cloud_region" {
-  default = "us"
+  default = "prod-us-east-0"
 }
 
 // Step 1: Create a stack
@@ -255,6 +255,8 @@ resource "grafana_oncall_escalation" "example_notify_step" {
 - `cloud_provider_url` (String) A Grafana Cloud Provider backend address. May alternatively be set via the `GRAFANA_CLOUD_PROVIDER_URL` environment variable.
 - `connections_api_access_token` (String, Sensitive) A Grafana Connections API access token. May alternatively be set via the `GRAFANA_CONNECTIONS_API_ACCESS_TOKEN` environment variable.
 - `connections_api_url` (String) A Grafana Connections API address. May alternatively be set via the `GRAFANA_CONNECTIONS_API_URL` environment variable.
+- `fleet_management_auth` (String, Sensitive) A Grafana Fleet Management basic auth in the `username:password` format. May alternatively be set via the `GRAFANA_FLEET_MANAGEMENT_AUTH` environment variable.
+- `fleet_management_url` (String) A Grafana Fleet Management API address. May alternatively be set via the `GRAFANA_FLEET_MANAGEMENT_URL` environment variable.
 - `http_headers` (Map of String, Sensitive) Optional. HTTP headers mapping keys to values used for accessing the Grafana and Grafana Cloud APIs. May alternatively be set via the `GRAFANA_HTTP_HEADERS` environment variable in JSON format.
 - `insecure_skip_verify` (Boolean) Skip TLS certificate verification. May alternatively be set via the `GRAFANA_INSECURE_SKIP_VERIFY` environment variable.
 - `oncall_access_token` (String, Sensitive) A Grafana OnCall access token. May alternatively be set via the `GRAFANA_ONCALL_ACCESS_TOKEN` environment variable.
@@ -286,7 +288,7 @@ the in-screen instructions, of following [this guide](https://grafana.com/docs/g
 
 #### Obtaining Cloud Provider API hostname
 
-Having created the token, we can find the correct Cloud Provider API hostname by running the following script, that requires `curl` and [`jq`](https://jqlang.github.io/jq/) installed:
+Having created the token, we can find the correct Cloud Provider API hostname by running the following script, that requires `curl` and [`jq`](https://jqlang.org/) installed:
 
 ```bash
 curl -sH "Authorization: Bearer <Access Token from previous step>" "https://grafana.com/api/instances" | \
@@ -391,6 +393,11 @@ resource "grafana_cloud_provider_aws_cloudwatch_scrape_job" "test" {
     }
     scrape_interval_seconds = 300
   }
+
+  static_labels = {
+    "label1" = "value1"
+    "label2" = "value2"
+  }
 }
 ```
 
@@ -414,7 +421,7 @@ the in-screen instructions, of following [this guide](https://grafana.com/docs/g
 
 #### Obtaining Connections API hostname
 
-Having created the token, we can find the correct Connections API hostname by running the following script, that requires `curl` and [`jq`](https://jqlang.github.io/jq/) installed:
+Having created the token, we can find the correct Connections API hostname by running the following script, that requires `curl` and [`jq`](https://jqlang.org/) installed:
 
 ```bash
 curl -sH "Authorization: Bearer <Access Token from previous step>" "https://grafana.com/api/instances" | \
@@ -445,6 +452,91 @@ provider "grafana" {
 }
 ```
 
+### Managing Grafana Fleet Management
+
+```terraform
+// Variables
+variable "cloud_access_policy_token" {
+  type        = string
+  description = "Cloud access policy token with scopes: accesspolicies:read|write|delete, stacks:read"
+}
+
+variable "stack_slug" {
+  type        = string
+  description = "Subdomain that the Grafana Cloud instance is available at: https://<stack_slug>.grafana.net"
+}
+
+// Step 1: Retrieve stack details
+provider "grafana" {
+  alias = "cloud"
+
+  cloud_access_policy_token = var.cloud_access_policy_token
+}
+
+data "grafana_cloud_stack" "stack" {
+  provider = grafana.cloud
+
+  slug = var.stack_slug
+}
+
+// Step 2: Create an access policy and token for Fleet Management
+resource "grafana_cloud_access_policy" "policy" {
+  provider = grafana.cloud
+
+  name   = "fleet-management-policy"
+  region = data.grafana_cloud_stack.stack.region_slug
+
+  scopes = [
+    "fleet-management:read",
+    "fleet-management:write"
+  ]
+
+  realm {
+    type       = "stack"
+    identifier = data.grafana_cloud_stack.stack.id
+  }
+}
+
+resource "grafana_cloud_access_policy_token" "token" {
+  provider = grafana.cloud
+
+  name             = "fleet-management-token"
+  region           = grafana_cloud_access_policy.policy.region
+  access_policy_id = grafana_cloud_access_policy.policy.policy_id
+}
+
+// Step 3: Interact with Fleet Management
+provider "grafana" {
+  alias = "fm"
+
+  fleet_management_auth = "${data.grafana_cloud_stack.stack.fleet_management_user_id}:${grafana_cloud_access_policy_token.token.token}"
+  fleet_management_url  = data.grafana_cloud_stack.stack.fleet_management_url
+}
+
+resource "grafana_fleet_management_collector" "collector" {
+  provider = grafana.fm
+
+  id = "my_collector"
+  remote_attributes = {
+    "env"   = "PROD",
+    "owner" = "TEAM-A"
+  }
+  enabled = true
+}
+
+resource "grafana_fleet_management_pipeline" "pipeline" {
+  provider = grafana.fm
+
+  name     = "my_pipeline"
+  contents = file("config.alloy")
+  matchers = [
+    "collector.os=\"linux\"",
+    "env=\"PROD\""
+  ]
+  enabled = true
+}
+```
+
 ## Authentication
 
 One, or many, of the following authentication settings must be set. Each authentication setting allows a subset of resources to be used
@@ -478,3 +570,10 @@ To create one, follow the instructions in the [obtaining cloud provider access t
 An access policy token created on the [Grafana Cloud Portal](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/using-an-access-policy-token/) to manage
 connections resources, such as Metrics Endpoint jobs.
 For guidance on creating one, see section [obtaining connections access token](#obtaining-connections-access-token).
+
+### `fleet_management_auth`
+
+[Grafana Fleet Management](https://grafana.com/docs/grafana-cloud/send-data/fleet-management/api-reference/)
+uses basic auth to allow access to the API, where the username is the Fleet Management instance ID and the
+password is the API token. You can access the instance ID and request a new Fleet Management API token on the
+Connections -> Collector -> Fleet Management page, in the API tab.

docs/resources/cloud_access_policy.md

@@ -27,7 +27,7 @@ data "grafana_cloud_organization" "current" {
 }
 
 resource "grafana_cloud_access_policy" "test" {
-  region       = "us"
+  region       = "prod-us-east-0"
   name         = "my-policy"
   display_name = "My Policy"
 
@@ -44,7 +44,7 @@ resource "grafana_cloud_access_policy" "test" {
 }
 
 resource "grafana_cloud_access_policy_token" "test" {
-  region           = "us"
+  region           = "prod-us-east-0"
   access_policy_id = grafana_cloud_access_policy.test.policy_id
   name             = "my-policy-token"
   display_name     = "My Policy Token"

docs/resources/cloud_access_policy_token.md

@@ -27,7 +27,7 @@ data "grafana_cloud_organization" "current" {
 }
 
 resource "grafana_cloud_access_policy" "test" {
-  region       = "us"
+  region       = "prod-us-east-0"
   name         = "my-policy"
   display_name = "My Policy"
 
@@ -44,7 +44,7 @@ resource "grafana_cloud_access_policy" "test" {
 }
 
 resource "grafana_cloud_access_policy_token" "test" {
-  region           = "us"
+  region           = "prod-us-east-0"
   access_policy_id = grafana_cloud_access_policy.test.policy_id
   name             = "my-policy-token"
   display_name     = "My Policy Token"

docs/resources/cloud_private_data_source_connect_network.md

@@ -27,7 +27,7 @@ data "grafana_cloud_stack" "current" {
 }
 
 resource "grafana_cloud_private_data_source_connect_network" "test" {
-  region           = "us"
+  region           = "prod-us-east-0"
   name             = "my-pdc"
   display_name     = "My PDC"
   stack_identifier = data.grafana_cloud_stack.current.id

docs/resources/cloud_private_data_source_connect_network_token.md

@@ -27,7 +27,7 @@ data "grafana_cloud_stack" "current" {
 }
 
 resource "grafana_cloud_private_data_source_connect_network" "test" {
-  region           = "us"
+  region           = "prod-us-east-0"
   name             = "my-pdc"
   display_name     = "My PDC"
   stack_identifier = data.grafana_cloud_stack.current.id

docs/resources/cloud_provider_aws_cloudwatch_scrape_job.md

@@ -63,6 +63,11 @@ resource "grafana_cloud_provider_aws_cloudwatch_scrape_job" "test" {
     }
     scrape_interval_seconds = 300
   }
+
+  static_labels = {
+    "label1" = "value1"
+    "label2" = "value2"
+  }
 }
 ```
 
@@ -82,6 +87,7 @@ resource "grafana_cloud_provider_aws_cloudwatch_scrape_job" "test" {
 - `export_tags` (Boolean) When enabled, AWS resource tags are exported as Prometheus labels to metrics formatted as `aws_<service_name>_info`.
 - `regions_subset_override` (Set of String) A subset of the regions that are configured in the associated AWS Account resource to apply to this scrape job. If not set or empty, all of the Account resource's regions are scraped.
 - `service` (Block List) One or more configuration blocks to configure AWS services for the CloudWatch Scrape Job to scrape. Each block must have a distinct `name` attribute. When accessing this as an attribute reference, it is a list of objects. (see [below for nested schema](#nestedblock--service))
+- `static_labels` (Map of String) A set of static labels to add to all metrics exported by this scrape job.
 
 ### Read-Only