Merge branch 'main' into feat_resource_access_policy_allowed_subnets
lrsmith-dev committed Feb 24, 2025
2 parents 15cac85 + 6589613 commit 516ef65
Showing 33 changed files with 1,885 additions and 54 deletions.
1 change: 1 addition & 0 deletions .github/CODEOWNERS
Expand Up @@ -5,6 +5,7 @@
/internal/resources/cloudprovider/* @grafana/platform-monitoring @grafana/middleware-apps
/internal/resources/connections/* @grafana/platform-monitoring @grafana/middleware-apps
/internal/resources/fleetmanagement/* @grafana/platform-monitoring @grafana/fleet-management-backend
/internal/resources/frontendo11y/* @grafana/platform-monitoring @grafana/frontend-o11y
/internal/resources/machinelearning/* @grafana/platform-monitoring @grafana/machine-learning
/internal/resources/oncall/* @grafana/platform-monitoring @grafana/grafana-irm-backend
/internal/resources/slo/* @grafana/platform-monitoring @grafana/slo-squad
25 changes: 23 additions & 2 deletions .github/workflows/acc-tests.yml
Expand Up @@ -55,7 +55,7 @@ jobs:
resource: ${{ env.GRAFANA_URL }}
interval: 2000 # 2s
timeout: 30000 # 30s
- uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
- uses: nick-fields/retry@c97818ca39074beaea45180dba704f92496a0082 # v3.0.1
with:
timeout_minutes: 30
max_attempts: 3 # Try 3 times to make sure we don't report failures on flaky tests
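Review bot: the `nick-fields/retry` pin moves to a new full-length commit SHA with a `# v3.0.1` comment, which is the right pattern for third-party actions; confirm the new SHA is the commit the `v3.0.1` tag actually resolves to, because the runner never checks the comment and a stale comment hides what really executes. The same applies to the identical bump in the second hunk of this file.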
Expand Down Expand Up @@ -104,6 +104,27 @@ jobs:
name: ${{ matrix.version }} - ${{ matrix.type }} - ${{ matrix.subset }}
runs-on: ubuntu-latest
steps:
- name: Check if fork
if: github.event_name == 'pull_request'
run: |
if [[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" && "${{ matrix.type }}" == "enterprise" ]]; then
echo "IS_FORK=true" >> $GITHUB_ENV
else
echo "IS_FORK=false" >> $GITHUB_ENV
fi
- name: Comment PR in forks
if: github.event_name == 'pull_request' && env.IS_FORK == 'true'
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
issue-number: ${{ github.event.pull_request.number }}
body: |
⚠️ Enterprise tests skipped for fork PRs.
- name: Skip job if fork
if: github.event_name == 'pull_request' && env.IS_FORK == 'true'
run: |
echo "Skipping job because PR is from a fork"
exit 0
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
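Review bot: the `Skip job if fork` step does not skip the job. `exit 0` ends only that step's shell, so `actions/checkout`, `actions/setup-go` and every step after them still run for fork PRs with `matrix.type == 'enterprise'`, while the comment posted by `Comment PR in forks` tells the contributor the tests were skipped. Either add `if: env.IS_FORK != 'true'` to the remaining steps or move the fork test into the job-level `if:` (comparing `github.event.pull_request.head.repo.full_name` with `github.repository` there) and drop the `Skip job if fork` step entirely. Separately, `${{ github.event.pull_request.head.repo.full_name }}` is expanded straight into the `run:` script; pass it in through an `env:` entry and read the shell variable instead, which is the standard guard against expression injection in `run` steps even where the value's character set is restricted.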
Expand All @@ -119,7 +140,7 @@ jobs:
uses: ScribeMD/docker-cache@fb28c93772363301b8d0a6072ce850224b73f74e # v0.5.0
with:
key: docker-${{ runner.os }}-${{ matrix.type == 'enterprise' && 'enterprise' || 'oss' }}-${{ matrix.version }}
- uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
- uses: nick-fields/retry@c97818ca39074beaea45180dba704f92496a0082 # v3.0.1
with:
timeout_minutes: 30
max_attempts: 3 # Try 3 times to make sure we don't report failures on flaky tests
23 changes: 23 additions & 0 deletions docs/data-sources/cloud_stack.md
Expand Up @@ -35,6 +35,7 @@ available at “https://<stack_slug>.grafana.net".

### Read-Only

- `alertmanager_ip_allow_list_cname` (String) Comma-separated list of CNAMEs that can be whitelisted to access the Alertmanager instances (Optional)
- `alertmanager_name` (String) Name of the Alertmanager instance configured for this stack.
- `alertmanager_status` (String) Status of the Alertmanager instance configured for this stack.
- `alertmanager_url` (String) Base URL of the Alertmanager instance configured for this stack.
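Review bot: `(Optional)` at the end of the new `alertmanager_ip_allow_list_cname` description contradicts the `### Read-Only` section it sits in; readers will wonder whether they can set it. Since this file is generated by tfplugindocs, the fix belongs in the attribute's `Description` in the schema: drop `(Optional)` and say the attribute is empty when no allow list CNAME is provisioned. Consider also wording it as "added to the allow list" rather than "whitelisted" so the text matches the attribute name.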
Expand All @@ -45,35 +46,57 @@ available at “https://<stack_slug>.grafana.net".
- `fleet_management_status` (String) Status of the Fleet Management instance configured for this stack.
- `fleet_management_url` (String) Base URL of the Fleet Management instance configured for this stack.
- `fleet_management_user_id` (Number) User ID of the Fleet Management instance configured for this stack.
- `grafanas_ip_allow_list_cname` (String) Comma-separated list of CNAMEs that can be whitelisted to access the grafana instance (Optional)
- `graphite_ip_allow_list_cname` (String) Comma-separated list of CNAMEs that can be whitelisted to access the Graphite instance (Optional)
- `graphite_name` (String)
- `graphite_private_connectivity_info_private_dns` (String) Private DNS for Graphite when using AWS PrivateLink (only for AWS stacks)
- `graphite_private_connectivity_info_service_name` (String) Service Name for Graphite when using AWS PrivateLink (only for AWS stacks)
- `graphite_status` (String)
- `graphite_url` (String)
- `graphite_user_id` (Number)
- `id` (String) The stack id assigned to this stack by Grafana.
- `influx_url` (String) Base URL of the InfluxDB instance configured for this stack. The username is the same as the metrics' (`prometheus_user_id` attribute of this resource). See https://grafana.com/docs/grafana-cloud/send-data/metrics/metrics-influxdb/push-from-telegraf/ for docs on how to use this.
- `labels` (Map of String) A map of labels to assign to the stack. Label keys and values must match the following regexp: "^[a-zA-Z0-9/\\-.]+$" and stacks cannot have more than 10 labels.
- `logs_ip_allow_list_cname` (String) Comma-separated list of CNAMEs that can be whitelisted to access the Logs instance (Optional)
- `logs_name` (String)
- `logs_private_connectivity_info_private_dns` (String) Private DNS for Logs when using AWS PrivateLink (only for AWS stacks)
- `logs_private_connectivity_info_service_name` (String) Service Name for Logs when using AWS PrivateLink (only for AWS stacks)
- `logs_status` (String)
- `logs_url` (String)
- `logs_user_id` (Number)
- `name` (String) Name of stack. Conventionally matches the url of the instance (e.g. `<stack_slug>.grafana.net`).
- `org_id` (Number) Organization id to assign to this stack.
- `org_name` (String) Organization name to assign to this stack.
- `org_slug` (String) Organization slug to assign to this stack.
- `otlp_private_connectivity_info_private_dns` (String) Private DNS for OTLP when using AWS PrivateLink (only for AWS stacks)
- `otlp_private_connectivity_info_service_name` (String) Service Name for OTLP when using AWS PrivateLink (only for AWS stacks)
- `otlp_url` (String) Base URL of the OTLP instance configured for this stack. The username is the stack's ID (`id` attribute of this resource). See https://grafana.com/docs/grafana-cloud/send-data/otlp/send-data-otlp/ for docs on how to use this.
- `pdc_api_private_connectivity_info_private_dns` (String) Private DNS for PDC's API when using AWS PrivateLink (only for AWS stacks)
- `pdc_api_private_connectivity_info_service_name` (String) Service Name for PDC's API when using AWS PrivateLink (only for AWS stacks)
- `pdc_gateway_private_connectivity_info_private_dns` (String) Private DNS for PDC's Gateway when using AWS PrivateLink (only for AWS stacks)
- `pdc_gateway_private_connectivity_info_service_name` (String) Service Name for PDC's Gateway when using AWS PrivateLink (only for AWS stacks)
- `profiles_ip_allow_list_cname` (String) Comma-separated list of CNAMEs that can be whitelisted to access the Profiles instance (Optional)
- `profiles_name` (String)
- `profiles_private_connectivity_info_private_dns` (String) Private DNS for Profiles when using AWS PrivateLink (only for AWS stacks)
- `profiles_private_connectivity_info_service_name` (String) Service Name for Profiles when using AWS PrivateLink (only for AWS stacks)
- `profiles_status` (String)
- `profiles_url` (String)
- `profiles_user_id` (Number)
- `prometheus_ip_allow_list_cname` (String) Comma-separated list of CNAMEs that can be whitelisted to access the Prometheus instance (Optional)
- `prometheus_name` (String) Prometheus name for this instance.
- `prometheus_private_connectivity_info_private_dns` (String) Private DNS for Prometheus when using AWS PrivateLink (only for AWS stacks)
- `prometheus_private_connectivity_info_service_name` (String) Service Name for Prometheus when using AWS PrivateLink (only for AWS stacks)
- `prometheus_remote_endpoint` (String) Use this URL to query hosted metrics data e.g. Prometheus data source in Grafana
- `prometheus_remote_write_endpoint` (String) Use this URL to send prometheus metrics to Grafana cloud
- `prometheus_status` (String) Prometheus status for this instance.
- `prometheus_url` (String) Prometheus url for this instance.
- `prometheus_user_id` (Number) Prometheus user ID. Used for e.g. remote_write.
- `region_slug` (String) The region this stack is deployed to.
- `status` (String) Status of the stack.
- `traces_ip_allow_list_cname` (String) Comma-separated list of CNAMEs that can be whitelisted to access the Traces instance (Optional)
- `traces_name` (String)
- `traces_private_connectivity_info_private_dns` (String) Private DNS for Traces when using AWS PrivateLink (only for AWS stacks)
- `traces_private_connectivity_info_service_name` (String) Service Name for Traces when using AWS PrivateLink (only for AWS stacks)
- `traces_status` (String)
- `traces_url` (String) Base URL of the Traces instance configured for this stack. To use this in the Tempo data source in Grafana, append `/tempo` to the URL.
- `traces_user_id` (Number)
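Review bot: `grafanas_ip_allow_list_cname` breaks the `<service>_ip_allow_list_cname` naming used by every other new attribute in this hunk (`graphite_`, `logs_`, `profiles_`, `prometheus_`, `traces_`) and its description says "the grafana instance" in lowercase; if the API field is really `grafanas`, keep it but say so in the description, otherwise rename to `grafana_ip_allow_list_cname` before it ships, since attribute names are hard to change once users depend on them. All six descriptions also carry the same `(Optional)` suffix inside `### Read-Only` noted above; fix once in the shared schema description.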
41 changes: 41 additions & 0 deletions docs/data-sources/frontend_o11y_app.md
@@ -0,0 +1,41 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "grafana_frontend_o11y_app Data Source - terraform-provider-grafana"
subcategory: "Frontend Observability"
description: |-
---

# grafana_frontend_o11y_app (Data Source)



## Example Usage

```terraform
data "grafana_cloud_stack" "teststack" {
provider = grafana.cloud
name = "gcloudstacktest"
}
data "grafana_frontend_o11y_app" "test-app" {
provider = grafana.cloud
stack_id = data.grafana_cloud_stack.teststack.id
name = "test-app"
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `name` (String) The name of the Frontend Observability App. Part of the Terraform Resource ID.
- `stack_id` (Number) The Stack ID of the Grafana Cloud instance. Part of the Terraform Resource ID.

### Read-Only

- `allowed_origins` (List of String) A list of allowed origins for CORS.
- `extra_log_attributes` (Map of String) The extra attributes to append in each signal.
- `id` (Number) The Terraform Resource ID. This auto-generated from Frontend Observability API.
- `settings` (Map of String) The settings of the Frontend Observability App.
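Review bot: the front matter `description: |-` is empty and the body has three blank lines under `# grafana_frontend_o11y_app (Data Source)` where the summary would go, so the generated page has no description at all; set the data source's `Description` in the schema so tfplugindocs fills both. Two schema texts also need attention: `id` reads "This auto-generated from Frontend Observability API" (missing "is"), and calling the numeric `id` "The Terraform Resource ID" while `name` and `stack_id` are each "Part of the Terraform Resource ID" is confusing; state which value Terraform uses for import and which is the API's own app ID.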
26 changes: 26 additions & 0 deletions docs/index.md
Expand Up @@ -242,6 +242,26 @@ resource "grafana_oncall_escalation" "example_notify_step" {
}
```

### Managing Frontend Observability

#### Obtaining Frontend Observability Access Token

Before using the Terraform Provider to manage Grafana Frontend Observability resources, such as your apps, you need to create an access policy token on the Grafana Cloud Portal. This token is used to authenticate the provider to the Grafana Frontend Observability API.
[These docs](https://grafana.com/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-policies/using-an-access-policy-token/#create-an-access-policy-for-a-stack) will guide you on how to create
an access policy. The required permissions, or scopes, are `frontend-observability:read`, `frontend-observability:write`, `frontend-observability:delete` and `stacks:read`.

You can also use the `cloud_access_policy_token` provided it has the aforementioned scopes included.

#### Configuring the Provider to use the Frontend Observability API

Once you have the token you can configure the provider as follows:

```hcl
provider "grafana" {
frontend_o11y_api_access_token = "<Access Token from previous step>"
}
```

<!-- schema generated by tfplugindocs -->
## Schema

Expand All @@ -257,6 +277,7 @@ resource "grafana_oncall_escalation" "example_notify_step" {
- `connections_api_url` (String) A Grafana Connections API address. May alternatively be set via the `GRAFANA_CONNECTIONS_API_URL` environment variable.
- `fleet_management_auth` (String, Sensitive) A Grafana Fleet Management basic auth in the `username:password` format. May alternatively be set via the `GRAFANA_FLEET_MANAGEMENT_AUTH` environment variable.
- `fleet_management_url` (String) A Grafana Fleet Management API address. May alternatively be set via the `GRAFANA_FLEET_MANAGEMENT_URL` environment variable.
- `frontend_o11y_api_access_token` (String, Sensitive) A Grafana Frontend Observability API access token. May alternatively be set via the `GRAFANA_FRONTEND_O11Y_API_ACCESS_TOKEN` environment variable.
- `http_headers` (Map of String, Sensitive) Optional. HTTP headers mapping keys to values used for accessing the Grafana and Grafana Cloud APIs. May alternatively be set via the `GRAFANA_HTTP_HEADERS` environment variable in JSON format.
- `insecure_skip_verify` (Boolean) Skip TLS certificate verification. May alternatively be set via the `GRAFANA_INSECURE_SKIP_VERIFY` environment variable.
- `oncall_access_token` (String, Sensitive) A Grafana OnCall access token. May alternatively be set via the `GRAFANA_ONCALL_ACCESS_TOKEN` environment variable.
Expand Down Expand Up @@ -577,3 +598,8 @@ For guidance on creating one, see section [obtaining connections access token](#
uses basic auth to allow access to the API, where the username is the Fleet Management instance ID and the
password is the API token. You can access the instance ID and request a new Fleet Management API token on the
Connections -> Collector -> Fleet Management page, in the API tab.

### `frontend_o11y_access_token`

An access policy token created on the [Grafana Cloud Portal](https://grafana.com/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-policies/) to manage Frontend Observability apps.
For guidance on creating one, see section [obtaining Frontend Observability access token](#obtaining-frontend-observability-access-token).
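Review bot: the new heading `### \`frontend_o11y_access_token\`` does not match the provider attribute documented above as `frontend_o11y_api_access_token`; rename the heading so the attribute name and any anchor link to it agree, following the `fleet_management_auth` section just above which uses the exact attribute name.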
18 changes: 10 additions & 8 deletions docs/resources/cloud_access_policy.md
Expand Up @@ -64,7 +64,7 @@ resource "grafana_cloud_access_policy_token" "test" {

### Optional

- `conditions` (Block Set ) (see [below for nested schema](#nestedblock--conditions))
- `conditions` (Block Set) Conditions for the access policy. (see [below for nested schema](#nestedblock--conditions))
- `display_name` (String) Display name of the access policy. Defaults to the name.

### Read-Only
Expand All @@ -74,13 +74,6 @@ resource "grafana_cloud_access_policy_token" "test" {
- `policy_id` (String) ID of the access policy.
- `updated_at` (String) Last update date of the access policy.

<a id="nestedblock--conditions"></a>
### Nested Schema for `conditions`

Required:

- `allowed_subnets` (Set of String) IP range based access control for the access policy. Connections initiated from IP addresses outside of the specified ranges will be denied.

<a id="nestedblock--realm"></a>
### Nested Schema for `realm`

Expand All @@ -100,6 +93,15 @@ Required:

- `selector` (String) The label selector to match in metrics or logs query. Should be in PromQL or LogQL format.



<a id="nestedblock--conditions"></a>
### Nested Schema for `conditions`

Required:

- `allowed_subnets` (Set of String) IP range based access control for the access policy. Connections initiated from IP addresses outside of the specified ranges will be denied. Ensure you review the [Caveats of IP range based access control](https://grafana.com/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-policies/ip-ranges-access-policies/#caveats) before using this parameter.

## Import

Import is supported using the following syntax:
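Review bot: the only substantive change here is the added sentence pointing at the caveats page for IP range based access control; the rest is the `conditions` nested schema moving from above `realm` to below it (the removal is the previous hunk), which is just generator ordering. Two things to tidy in the schema source: the two consecutive blank lines before `<a id="nestedblock--conditions">` are generator output from an empty description slot, and `allowed_subnets` is listed under "Required:" while `conditions` itself is Optional, so say explicitly that a `conditions` block, once present, must carry at least one subnet, otherwise users may read it as a policy-wide requirement.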