Merge branch 'main' of github.com:grafana/terraform-provider-grafana into alexander-akhmetov/alerting-enrichment

Author: alexander-akhmetov

docs/resources/contact_point.md

@@ -523,9 +523,13 @@ Optional:
 - `basic_auth_password` (String, Sensitive) The username to use in basic auth headers attached to the request. If omitted, basic auth will not be used.
 - `basic_auth_user` (String) The username to use in basic auth headers attached to the request. If omitted, basic auth will not be used.
 - `disable_resolve_message` (Boolean) Whether to disable sending resolve messages. Defaults to `false`.
+- `headers` (Map of String) Custom headers to attach to the request.
+- `hmac_config` (Block Set, Max: 1) HMAC signature configuration options. (see [below for nested schema](#nestedblock--webhook--hmac_config))
+- `http_config` (Block Set, Max: 1) Common HTTP client options. (see [below for nested schema](#nestedblock--webhook--http_config))
 - `http_method` (String) The HTTP method to use in the request. Defaults to `POST`.
 - `max_alerts` (Number) The maximum number of alerts to send in a single request. This can be helpful in limiting the size of the request body. The default is 0, which indicates no limit.
 - `message` (String) Custom message. You can use template variables.
+- `payload` (Block Set, Max: 1) Optionally provide a templated payload. Overrides 'Message' and 'Title' field. (see [below for nested schema](#nestedblock--webhook--payload))
 - `settings` (Map of String, Sensitive) Additional custom properties to attach to the notifier. Defaults to `map[]`.
 - `title` (String) Templated title of the message.
 - `tls_config` (Map of String, Sensitive) Allows configuring TLS for the webhook notifier.
@@ -534,6 +538,78 @@ Read-Only:
 
 - `uid` (String) The UID of the contact point.
 
+<a id="nestedblock--webhook--hmac_config"></a>
+### Nested Schema for `webhook.hmac_config`
+
+Required:
+
+- `secret` (String, Sensitive) The secret key used to generate the HMAC signature.
+
+Optional:
+
+- `header` (String) The header in which the HMAC signature will be included. Defaults to `X-Grafana-Alerting-Signature`.
+- `timestamp_header` (String) If set, the timestamp will be included in the HMAC signature. The value should be the name of the header to use.
+
+
+<a id="nestedblock--webhook--http_config"></a>
+### Nested Schema for `webhook.http_config`
+
+Optional:
+
+- `oauth2` (Block Set, Max: 1) OAuth2 configuration options. (see [below for nested schema](#nestedblock--webhook--http_config--oauth2))
+
+<a id="nestedblock--webhook--http_config--oauth2"></a>
+### Nested Schema for `webhook.http_config.oauth2`
+
+Required:
+
+- `client_id` (String) Client ID to use when authenticating.
+- `client_secret` (String, Sensitive) Client secret to use when authenticating.
+- `token_url` (String) URL for the access token endpoint.
+
+Optional:
+
+- `endpoint_params` (Map of String) Optional parameters to append to the access token request.
+- `proxy_config` (Block Set, Max: 1) Optional proxy configuration for OAuth2 requests. (see [below for nested schema](#nestedblock--webhook--http_config--oauth2--proxy_config))
+- `scopes` (List of String) Optional scopes to request when obtaining an access token.
+- `tls_config` (Block Set, Max: 1) Optional TLS configuration options for OAuth2 requests. (see [below for nested schema](#nestedblock--webhook--http_config--oauth2--tls_config))
+
+<a id="nestedblock--webhook--http_config--oauth2--proxy_config"></a>
+### Nested Schema for `webhook.http_config.oauth2.proxy_config`
+
+Optional:
+
+- `no_proxy` (String) Comma-separated list of addresses that should not use a proxy.
+- `proxy_connect_header` (Map of String) Optional headers to send to proxies during CONNECT requests.
+- `proxy_from_environment` (Boolean) Use environment HTTP_PROXY, HTTPS_PROXY and NO_PROXY to determine proxies. Defaults to `false`.
+- `proxy_url` (String) HTTP proxy server to use to connect to the targets.
+
+
+<a id="nestedblock--webhook--http_config--oauth2--tls_config"></a>
+### Nested Schema for `webhook.http_config.oauth2.tls_config`
+
+Optional:
+
+- `ca_certificate` (String, Sensitive) Certificate in PEM format to use when verifying the server's certificate chain.
+- `client_certificate` (String, Sensitive) Client certificate in PEM format to use when connecting to the server.
+- `client_key` (String, Sensitive) Client key in PEM format to use when connecting to the server.
+- `insecure_skip_verify` (Boolean) Do not verify the server's certificate chain and host name. Defaults to `false`.
+
+
+
+
+<a id="nestedblock--webhook--payload"></a>
+### Nested Schema for `webhook.payload`
+
+Required:
+
+- `template` (String) Custom payload template.
+
+Optional:
+
+- `vars` (Map of String) Optionally provide a variables to be used in the payload template. They will be available in the template as `.Vars.<variable_name>`.
+
+
 
 <a id="nestedblock--wecom"></a>
 ### Nested Schema for `wecom`

examples/resources/grafana_contact_point/_acc_receiver_types_11_6.tf

@@ -0,0 +1,19 @@
+resource "grafana_contact_point" "receiver_types" {
+  name = "Receiver Types since v11.6"
+
+  webhook {
+    url = "http://hmac-minimal-webhook-url"
+    hmac_config {
+      secret = "test-hmac-minimal-secret"
+    }
+  }
+
+  webhook {
+    url = "http://hmac-webhook-url"
+    hmac_config {
+      secret           = "test-hmac-secret"
+      header           = "X-Grafana-Alerting-Signature"
+      timestamp_header = "X-Grafana-Alerting-Timestamp"
+    }
+  }
+}

examples/resources/grafana_contact_point/_acc_receiver_types_12_0.tf

@@ -0,0 +1,17 @@
+resource "grafana_contact_point" "receiver_types" {
+  name = "Receiver Types since v12.0"
+
+  webhook {
+    url = "http://my-url"
+    headers = {
+      Content-Type  = "test-content-type"
+      X-Test-Header = "test-header-value"
+    }
+    payload {
+      template = "{{ .Receiver }}: {{ .Vars.var1 }}"
+      vars = {
+        var1 = "variable value"
+      }
+    }
+  }
+}

examples/resources/grafana_contact_point/_acc_receiver_types_12_1.tf

@@ -0,0 +1,70 @@
+resource "grafana_contact_point" "receiver_types" {
+  name = "Receiver Types since v12.1"
+
+  webhook {
+    url                 = "http://my-url"
+    http_method         = "POST"
+    basic_auth_user     = "user"
+    basic_auth_password = "password"
+    max_alerts          = 100
+    message             = "Custom message"
+    title               = "Custom title"
+    tls_config = {
+      insecure_skip_verify = true
+      ca_certificate       = "ca.crt"
+      client_certificate   = "client.crt"
+      client_key           = "client.key"
+    }
+    http_config {
+      oauth2 {
+        client_id     = "client_id"
+        client_secret = "client_secret"
+        token_url     = "http://oauth2-token-url"
+        scopes        = ["scope1", "scope2"]
+        endpoint_params = {
+          "param1" = "value1"
+          "param2" = "value2"
+        }
+        proxy_config {
+          proxy_url              = "http://proxy-url"
+          proxy_from_environment = false
+          no_proxy               = "localhost"
+          proxy_connect_header = {
+            "X-Proxy-Header" = "proxy-value"
+          }
+        }
+        tls_config {
+          insecure_skip_verify = true
+          ca_certificate       = <<EOF
+-----BEGIN CERTIFICATE-----
+MIGrMF+gAwIBAgIBATAFBgMrZXAwADAeFw0yNDExMTYxMDI4MzNaFw0yNTExMTYx
+MDI4MzNaMAAwKjAFBgMrZXADIQCf30GvRnHbs9gukA3DLXDK6W5JVgYw6mERU/60
+2M8+rjAFBgMrZXADQQCGmeaRp/AcjeqmJrF5Yh4d7aqsMSqVZvfGNDc0ppXyUgS3
+WMQ1+3T+/pkhU612HR0vFd3vyFhmB4yqFoNV8RML
+-----END CERTIFICATE-----
+EOF
+          client_certificate   = <<EOF
+-----BEGIN CERTIFICATE-----
+MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
+DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
+EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
+7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
+5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
+BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
+NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
+Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
+6MF9+Yw1Yy0t
+-----END CERTIFICATE-----
+EOF
+          client_key           = <<EOF
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
+AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
+EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
+-----END EC PRIVATE KEY-----
+EOF
+        }
+      }
+    }
+  }
+}

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/grafana/authlib/claims v0.0.0-20250120084028-e3328c576437
 	github.com/grafana/fleet-management-api v1.0.0
 	github.com/grafana/grafana-app-sdk v0.40.3
-	github.com/grafana/grafana-asserts-public-clients/go/gcom v0.0.0-20250805165836-14e16b51b910
+	github.com/grafana/grafana-asserts-public-clients/go/gcom v0.0.0-20250811125322-247815da58ca
 	github.com/grafana/grafana-com-public-clients/go/gcom v0.0.0-20250526074454-7ec66e02e4bb
 	github.com/grafana/grafana-openapi-client-go v0.0.0-20250617151817-c0f8cbb88d5c
 	github.com/grafana/grafana/apps/alerting/alertenrichment v0.0.0-20250904171753-3d6d6326866f

go.sum

@@ -178,8 +178,8 @@ github.com/grafana/grafana-app-sdk v0.40.3 h1:JFo7uAfbAJUfZ9neD7/4sODKm1xgu9zhck
 github.com/grafana/grafana-app-sdk v0.40.3/go.mod h1:j0KzHo3Sa6kd+lnwSScBNoV9Vobkg/YY9HtEjxpyPrk=
 github.com/grafana/grafana-app-sdk/logging v0.40.2 h1:HQ1+y9Od92iMbWWB54QxiYpNtCvYGUVpyxvxZ7ywB1k=
 github.com/grafana/grafana-app-sdk/logging v0.40.2/go.mod h1:otUD9XpJD7A5sCLb8mcs9hIXGdeV6lnhzVwe747g4RU=
-github.com/grafana/grafana-asserts-public-clients/go/gcom v0.0.0-20250805165836-14e16b51b910 h1:2OfDIhMtXWWVQcDp9cq/VMSBOJJfDek9450rcsV+qLg=
-github.com/grafana/grafana-asserts-public-clients/go/gcom v0.0.0-20250805165836-14e16b51b910/go.mod h1:EL/5hluCvj6EDjkUfoClLKSKDoCoDowZUety28jhxQI=
+github.com/grafana/grafana-asserts-public-clients/go/gcom v0.0.0-20250811125322-247815da58ca h1:GVzyCTi3rqvjK42b++lFjabG2zsrLvyAbbR43dWP6s0=
+github.com/grafana/grafana-asserts-public-clients/go/gcom v0.0.0-20250811125322-247815da58ca/go.mod h1:EL/5hluCvj6EDjkUfoClLKSKDoCoDowZUety28jhxQI=
 github.com/grafana/grafana-com-public-clients/go/gcom v0.0.0-20250526074454-7ec66e02e4bb h1:rmYEnCXHNQbRsuzc5jCX5qkBqFF37c5RCHlyqAAPJZo=
 github.com/grafana/grafana-com-public-clients/go/gcom v0.0.0-20250526074454-7ec66e02e4bb/go.mod h1:sYWkB3NhyirQJfy3wtNQ29UYjoHbRlJlYhqN1jNsC5g=
 github.com/grafana/grafana-openapi-client-go v0.0.0-20250617151817-c0f8cbb88d5c h1:jox7J0BnJmcZJp8lp631u4gjDEoIfpi6O3yrpiXNTtg=

internal/resources/asserts/common.go

@@ -0,0 +1,86 @@
+package asserts
+
+import (
+	"context"
+	"fmt"
+	"math"
+	"math/rand"
+	"time"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
+
+	assertsapi "github.com/grafana/grafana-asserts-public-clients/go/gcom"
+	"github.com/grafana/terraform-provider-grafana/v4/internal/common"
+)
+
+// validateAssertsClient checks if the Asserts API client is properly configured
+func validateAssertsClient(meta interface{}) (*assertsapi.APIClient, int64, diag.Diagnostics) {
+	client := meta.(*common.Client).AssertsAPIClient
+	if client == nil {
+		return nil, 0, diag.Errorf("Asserts API client is not configured")
+	}
+
+	stackID := meta.(*common.Client).GrafanaStackID
+	if stackID == 0 {
+		return nil, 0, diag.Errorf("stack_id must be set in provider configuration for Asserts resources")
+	}
+
+	return client, stackID, nil
+}
+
+// retryReadFunc is a function that performs a read operation with retry logic
+type retryReadFunc func(retryCount, maxRetries int) *retry.RetryError
+
+// withRetryRead wraps a read operation with consistent retry logic and exponential backoff
+func withRetryRead(ctx context.Context, operation retryReadFunc) error {
+	retryCount := 0
+	maxRetries := 40
+
+	// Increase overall timeout to better handle eventual consistency when
+	// multiple resources are created concurrently (e.g., stress tests)
+	return retry.RetryContext(ctx, 600*time.Second, func() *retry.RetryError {
+		retryCount++
+
+		// Backoff with jitter to reduce request stampeding
+		var baseSleep time.Duration
+		if retryCount == 1 {
+			baseSleep = 1 * time.Second
+		} else {
+			// Exponential backoff: 1s, 2s, 4s, 8s, 16s (capped at 16s)
+			baseSleep = time.Duration(1<<int(math.Min(float64(retryCount-2), 4))) * time.Second
+		}
+
+		// Apply jitter: sleep in [base/2, base]
+		minSleep := baseSleep / 2
+		maxJitter := baseSleep - minSleep
+		if maxJitter > 0 {
+			//nolint:gosec // Using math/rand for jitter in retry logic, not cryptographic purposes
+			j := time.Duration(rand.Int63n(int64(maxJitter)))
+			time.Sleep(minSleep + j)
+		} else {
+			time.Sleep(baseSleep)
+		}
+
+		// Execute the operation with retry count
+		return operation(retryCount, maxRetries)
+	})
+}
+
+// createRetryableError creates a retryable error with consistent formatting
+func createRetryableError(resourceType, resourceName string, retryCount, maxRetries int) *retry.RetryError {
+	return retry.RetryableError(fmt.Errorf("%s %s not found (attempt %d/%d)", resourceType, resourceName, retryCount, maxRetries))
+}
+
+// createNonRetryableError creates a non-retryable error with consistent formatting
+func createNonRetryableError(resourceType, resourceName string, retryCount int) *retry.RetryError {
+	return retry.NonRetryableError(fmt.Errorf("%s %s not found after %d retries - may indicate a permanent issue", resourceType, resourceName, retryCount))
+}
+
+// createAPIError creates a retryable or non-retryable API error based on retry count
+func createAPIError(operation string, retryCount, maxRetries int, err error) *retry.RetryError {
+	if retryCount >= maxRetries {
+		return retry.NonRetryableError(fmt.Errorf("failed to %s after %d retries: %w", operation, retryCount, err))
+	}
+	return retry.RetryableError(fmt.Errorf("failed to %s: %w", operation, err))
+}