checksum

* Provisioning: Add Connection resource

* adding some more integration tests

* updating openapi snapshot, linting

* generating FE code, fixing issue in unit tests

* addressing comments

* addressing comments

* adding more integration tests

* fixing rebase issues

* removing linting exception

* addressing comments: improving validation and tests

* adding Connection URL at mutation time, updating tests accordingly

* linting

.github/CODEOWNERS

@@ -208,7 +208,7 @@
 /pkg/tests/apis/shorturl @grafana/sharing-squad
 /pkg/tests/api/correlations/ @grafana/datapro
 /pkg/tsdb/grafanads/ @grafana/grafana-backend-group
-/pkg/tsdb/opentsdb/ @grafana/partner-datasources
+/pkg/tsdb/opentsdb/ @grafana/oss-big-tent
 /pkg/util/ @grafana/grafana-backend-group
 /pkg/web/ @grafana/grafana-backend-group
 
@@ -260,7 +260,7 @@
 /devenv/dev-dashboards/dashboards.go @grafana/dataviz-squad
 /devenv/dev-dashboards/home.json @grafana/dataviz-squad
 /devenv/dev-dashboards/datasource-elasticsearch/ @grafana/partner-datasources
-/devenv/dev-dashboards/datasource-opentsdb/ @grafana/partner-datasources
+/devenv/dev-dashboards/datasource-opentsdb/ @grafana/oss-big-tent
 /devenv/dev-dashboards/datasource-influxdb/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-mssql/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-loki/ @grafana/plugins-platform-frontend
@@ -307,7 +307,7 @@
 /devenv/docker/blocks/mysql_exporter/ @grafana/oss-big-tent
 /devenv/docker/blocks/mysql_opendata/ @grafana/oss-big-tent
 /devenv/docker/blocks/mysql_tests/ @grafana/oss-big-tent
-/devenv/docker/blocks/opentsdb/ @grafana/partner-datasources
+/devenv/docker/blocks/opentsdb/ @grafana/oss-big-tent
 /devenv/docker/blocks/postgres/ @grafana/oss-big-tent
 /devenv/docker/blocks/postgres_tests/ @grafana/oss-big-tent
 /devenv/docker/blocks/prometheus/ @grafana/oss-big-tent
@@ -520,7 +520,7 @@ i18next.config.ts @grafana/grafana-frontend-platform
 /e2e-playwright/various-suite/solo-route.spec.ts @grafana/dashboards-squad
 /e2e-playwright/various-suite/trace-view-scrolling.spec.ts @grafana/observability-traces-and-profiling
 /e2e-playwright/various-suite/verify-i18n.spec.ts @grafana/grafana-frontend-platform
-/e2e-playwright/various-suite/visualization-suggestions.spec.ts @grafana/dashboards-squad
+/e2e-playwright/various-suite/visualization-suggestions.spec.ts @grafana/dataviz-squad
 /e2e-playwright/various-suite/perf-test.spec.ts @grafana/grafana-frontend-platform
 
 # Packages
@@ -956,6 +956,7 @@ playwright.storybook.config.ts @grafana/grafana-frontend-platform
 /public/app/features/notifications/ @grafana/grafana-search-navigate-organise
 /public/app/features/org/ @grafana/grafana-search-navigate-organise
 /public/app/features/panel/ @grafana/dashboards-squad
+/public/app/features/panel/components/VizTypePicker/VisualizationSuggestions.tsx @grafana/dataviz-squad
 /public/app/features/panel/suggestions/ @grafana/dataviz-squad
 /public/app/features/playlist/ @grafana/dashboards-squad
 /public/app/features/plugins/ @grafana/plugins-platform-frontend
@@ -1100,7 +1101,7 @@ eslint-suppressions.json @grafanabot
 /public/app/plugins/datasource/mixed/ @grafana/dashboards-squad
 /public/app/plugins/datasource/mssql/ @grafana/partner-datasources
 /public/app/plugins/datasource/mysql/ @grafana/oss-big-tent
-/public/app/plugins/datasource/opentsdb/ @grafana/partner-datasources
+/public/app/plugins/datasource/opentsdb/ @grafana/oss-big-tent
 /public/app/plugins/datasource/grafana-postgresql-datasource/ @grafana/oss-big-tent
 /public/app/plugins/datasource/prometheus/ @grafana/oss-big-tent
 /public/app/plugins/datasource/cloud-monitoring/ @grafana/partner-datasources

.github/workflows/pr-patch-check-event.yml

@@ -12,6 +12,7 @@ on:
 permissions:
   id-token: write
   contents: read
+  statuses: write
 
 # Since this is run on a pull request, we want to apply the patches intended for the
 # target branch onto the source branch, to verify compatibility before merging.

.github/workflows/pr-patch-check.yml

@@ -29,6 +29,10 @@ permissions:
 # target branch onto the source branch, to verify compatibility before merging.
 jobs:
   dispatch-job:
+    # If the source is not from a fork then dispatch the job to the workflow.
+    # This will fail on forks when trying to broker a token, so instead, forks will create the required status and mark
+    # it as a success
+    if: ${{ ! github.event.pull_request.head.repo.fork }}
     env:
       HEAD_REF: ${{ inputs.head_ref }}
       BASE_REF: ${{ github.base_ref }}
@@ -76,3 +80,20 @@ jobs:
                   triggering_github_handle: SENDER
                 }
             })
+  dispatch-job-fork:
+    # If the source is from a fork then use the built-in workflow token to create the same status and unconditionally
+    # mark it as a success.
+    if: ${{ github.event.pull_request.head.repo.fork }}
+    permissions:
+      statuses: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create status
+        uses: myrotvorets/set-commit-status-action@6d6905c99cd24a4a2cbccc720b62dc6ca5587141
+        with:
+          token: ${{ github.token }}
+          sha: ${{ inputs.pr_commit_sha }}
+          repo: ${{ inputs.repo }}
+          status: success
+          context: "Test Patches (event)"
+          description: "Test Patches (event) on a fork"

.github/workflows/release-comms.yml

@@ -111,12 +111,13 @@ jobs:
       ownerRepo: 'grafana/grafana-enterprise'
       from: ${{ needs.setup.outputs.release_branch }}
       to: ${{ needs.create_next_release_branch_enterprise.outputs.branch }}
-  post_changelog_on_forum:
-    needs: setup
-    uses: grafana/grafana/.github/workflows/community-release.yml@main
-    with:
-      version: ${{ needs.setup.outputs.version }}
-      dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
+  # Removed this for now since it doesn't work
+  # post_changelog_on_forum:
+  #   needs: setup
+  #   uses: grafana/grafana/.github/workflows/community-release.yml@main
+  #   with:
+  #     version: ${{ needs.setup.outputs.version }}
+  #     dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
   create_github_release:
     # a github release requires a git tag
     # The github-release action retrieves the changelog using the /repos/grafana/grafana/contents/CHANGELOG.md API

.golangci.yml

@@ -3,7 +3,7 @@
 # Others can set up the YAML LSP manually, which supports schemas: https://github.com/redhat-developer/yaml-language-server
 
 # $schema: https://golangci-lint.run/jsonschema/golangci.jsonschema.json
-version: "2"
+version: '2'
 run:
   timeout: 15m
   concurrency: 10
@@ -83,6 +83,16 @@ linters:
           deny:
             - pkg: github.com/grafana/grafana/pkg
               desc: apps/playlist is not allowed to import grafana core
+        apps-dashboard:
+          list-mode: lax
+          files:
+            - ./apps/dashboard/*
+            - ./apps/dashboard/**/*
+          allow:
+            - github.com/grafana/grafana/pkg/apimachinery
+          deny:
+            - pkg: github.com/grafana/grafana/pkg
+              desc: apps/dashboard is not allowed to import grafana core
         apps-secret:
           list-mode: lax
           files:
@@ -281,16 +291,16 @@ linters:
         text: G306
       - linters:
           - gosec
-        text: "401"
+        text: '401'
       - linters:
           - gosec
-        text: "402"
+        text: '402'
       - linters:
           - gosec
-        text: "501"
+        text: '501'
       - linters:
           - gosec
-        text: "404"
+        text: '404'
       - linters:
           - errorlint
         text: non-wrapping format verb for fmt.Errorf

apps/advisor/go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	k8s.io/apimachinery v0.34.2
 	k8s.io/apiserver v0.34.2
+	k8s.io/client-go v0.34.2
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
 )
 
@@ -43,6 +44,7 @@ replace github.com/grafana/grafana/apps/plugins => ../plugins
 replace github.com/prometheus/alertmanager => github.com/grafana/prometheus-alertmanager v0.25.1-0.20250911094103-5456b6e45604
 
 require (
+	cel.dev/expr v0.24.0 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
@@ -55,6 +57,7 @@ require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/ProtonMail/go-crypto v1.1.6 // indirect
 	github.com/VividCortex/mysqlerr v0.0.0-20170204212430-6c6b55f8796f // indirect
 	github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b // indirect
@@ -85,6 +88,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cheekybits/genny v1.0.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
@@ -101,6 +105,7 @@ require (
 	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/gchaincl/sqlhooks v1.3.0 // indirect
 	github.com/getkin/kin-openapi v0.133.0 // indirect
@@ -144,12 +149,13 @@ require (
 	github.com/golang-migrate/migrate/v4 v4.7.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
+	github.com/google/cel-go v0.26.1 // indirect
 	github.com/google/flatbuffers v25.2.10+incompatible // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/google/wire v0.7.0 // indirect
-	github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba // indirect
+	github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 // indirect
 	github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f // indirect
 	github.com/grafana/dataplane/sdata v0.0.9 // indirect
 	github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4 // indirect
@@ -162,6 +168,7 @@ require (
 	github.com/grafana/sqlds/v4 v4.2.7 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect
+	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20191002090509-6af20e3a5340 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-hclog v1.6.3 // indirect
@@ -176,6 +183,7 @@ require (
 	github.com/hashicorp/memberlist v0.5.2 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jaegertracing/jaeger-idl v0.5.0 // indirect
 	github.com/jessevdk/go-flags v1.6.1 // indirect
 	github.com/jmespath-community/go-jmespath v1.1.1 // indirect
@@ -248,7 +256,9 @@ require (
 	github.com/shurcooL/vfsgen v0.0.0-20230704071429-0000e147ea92 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
+	github.com/spf13/cobra v1.10.1 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tetratelabs/wazero v1.8.2 // indirect
 	github.com/thomaspoignant/go-feature-flag v1.42.0 // indirect
@@ -256,6 +266,9 @@ require (
 	github.com/woodsbury/decimal128 v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.4 // indirect
 	go.mongodb.org/mongo-driver v1.17.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect
@@ -274,6 +287,8 @@ require (
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/mock v0.6.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.1 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/crypto v0.45.0 // indirect
@@ -297,23 +312,26 @@ require (
 	google.golang.org/grpc v1.77.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/mail.v2 v2.3.1 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/src-d/go-errors.v1 v1.0.0 // indirect
 	gopkg.in/telebot.v3 v3.3.8 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.34.2 // indirect
 	k8s.io/apiextensions-apiserver v0.34.2 // indirect
-	k8s.io/client-go v0.34.2 // indirect
 	k8s.io/component-base v0.34.2 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kms v0.34.2 // indirect
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
 	modernc.org/libc v1.66.10 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	modernc.org/sqlite v1.40.1 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.1 // indirect

apps/advisor/go.sum

@@ -282,6 +282,7 @@ github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03V
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cznic/b v0.0.0-20180115125044-35e9bbe41f07/go.mod h1:URriBxXwVq5ijiJ12C7iIZqlA69nTlI+LgI6/pwftG8=
 github.com/cznic/fileutil v0.0.0-20180108211300-6a051e75936f/go.mod h1:8S58EK26zhXSxzv7NQFpnliaOQsmDUxvoQO3rt154Vg=
@@ -406,6 +407,8 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
+github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/analysis v0.24.0 h1:vE/VFFkICKyYuTWYnplQ+aVr45vlG6NcZKC7BdIXhsA=
 github.com/go-openapi/analysis v0.24.0/go.mod h1:GLyoJA+bvmGGaHgpfeDh8ldpGo69fAJg7eeMDMRCIrw=
 github.com/go-openapi/errors v0.22.3 h1:k6Hxa5Jg1TUyZnOwV2Lh81j8ayNw5VVYLvKrp4zFKFs=
@@ -606,8 +609,10 @@ github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z
 github.com/gorilla/mux v1.7.1/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba h1:psKWNETD5nGxmFAlqnWsXoRyUwSa2GHNEMSEDKGKfQ4=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 h1:ZzG/gCclEit9w0QUfQt9GURcOycAIGcsQAhY1u0AEX0=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f h1:Cbm6OKkOcJ+7CSZsGsEJzktC/SIa5bxVeYKQLuYK86o=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f/go.mod h1:axY0cdOg3q0TZHwpHnIz5x16xZ8ZBxJHShsSHHXcHQg=
 github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 h1:Muoy+FMGrHj3GdFbvsMzUT7eusgii9PKf9L1ZaXDDbY=
@@ -749,6 +754,8 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
 github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
@@ -979,6 +986,7 @@ github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSg
 github.com/pressly/goose/v3 v3.26.0 h1:KJakav68jdH0WDvoAcj8+n61WqOIaPGgH0bJWS6jpmM=
 github.com/pressly/goose/v3 v3.26.0/go.mod h1:4hC1KrritdCxtuFsqgs1R4AU5bWtTAf+cnWvfhf2DNY=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og=
@@ -996,6 +1004,7 @@ github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6T
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
@@ -1010,6 +1019,7 @@ github.com/prometheus/common/sigv4 v0.1.0/go.mod h1:2Jkxxk9yYvCkE5G1sQT7GuEXm57J
 github.com/prometheus/exporter-toolkit v0.14.0 h1:NMlswfibpcZZ+H0sZBiTjrA3/aBFHkNZqE+iCj5EmRg=
 github.com/prometheus/exporter-toolkit v0.14.0/go.mod h1:Gu5LnVvt7Nr/oqTBUC23WILZepW0nffNo10XdhQcwWA=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
@@ -1036,6 +1046,7 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
 github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sagikazarmark/crypt v0.6.0/go.mod h1:U8+INwJo3nBv1m6A/8OBXAq7Jnpspk5AxSgDyEQcea8=
 github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=
@@ -1058,6 +1069,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
+github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
@@ -1071,6 +1084,7 @@ github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
 github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.13.0/go.mod h1:Icm2xNL3/8uyh/wFuB1jI7TiTNKp8632Nwegu+zgdYw=
@@ -1096,6 +1110,7 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
@@ -1112,6 +1127,8 @@ github.com/thomaspoignant/go-feature-flag v1.42.0/go.mod h1:y0QiWH7chHWhGATb/+Xq
 github.com/tidwall/pretty v0.0.0-20180105212114-65a9db5fad51/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tjhop/slog-gokit v0.1.5 h1:ayloIUi5EK2QYB8eY4DOPO95/mRtMW42lUkp3quJohc=
 github.com/tjhop/slog-gokit v0.1.5/go.mod h1:yA48zAHvV+Sg4z4VRyeFyFUNNXd3JY5Zg84u3USICq0=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaOOb6ThwMmTEbhRwtKR97o=
 github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
@@ -1129,6 +1146,8 @@ github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcY
 github.com/xanzy/go-gitlab v0.15.0/go.mod h1:8zdQa/ri1dfn8eS3Ir1SyfvOKlw7WBJ8DVThkpGiXrs=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
 github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
+github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 h1:S2dVYn90KE98chqDkyE9Z4N61UnQd+KOfgp5Iu53llk=
+github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -1139,6 +1158,8 @@ github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 gitlab.com/nyarla/go-crypt v0.0.0-20160106005555-d9a5dc2b789b/go.mod h1:T3BPAOm2cqquPa0MKWeNkmOM5RQsRhkrwMWonFMN7fE=
+go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
+go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
 go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A=
 go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
 go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
@@ -1149,6 +1170,12 @@ go.etcd.io/etcd/client/v2 v2.305.4/go.mod h1:Ud+VUwIi9/uQHOMA+4ekToJ12lTxlv0zB/+
 go.etcd.io/etcd/client/v3 v3.5.4/go.mod h1:ZaRkVgBZC+L+dLCjTcF1hRXpgZXQPOvnA/Ak/gq3kiY=
 go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
 go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
+go.etcd.io/etcd/pkg/v3 v3.6.4 h1:fy8bmXIec1Q35/jRZ0KOes8vuFxbvdN0aAFqmEfJZWA=
+go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE=
+go.etcd.io/etcd/server/v3 v3.6.4 h1:LsCA7CzjVt+8WGrdsnh6RhC0XqCsLkBly3ve5rTxMAU=
+go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
+go.etcd.io/raft/v3 v3.6.0 h1:5NtvbDVYpnfZWcIHgGRk9DyzkBIXOi8j+DDp1IcnUWQ=
+go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
 go.mongodb.org/mongo-driver v1.1.0/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw=
 go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
@@ -1301,6 +1328,7 @@ golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181108082009-03003ca0c849/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1712,6 +1740,7 @@ google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba/go.
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba h1:UKgtfRM7Yh93Sya0Fo8ZzhDP4qBckrrxEr2oF5UIVb8=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
+google.golang.org/grpc v1.18.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=

apps/advisor/pkg/app/app.go

@@ -8,18 +8,24 @@ import (
 
 	"github.com/grafana/grafana-app-sdk/app"
 	"github.com/grafana/grafana-app-sdk/k8s"
+	appsdkapiserver "github.com/grafana/grafana-app-sdk/k8s/apiserver"
 	"github.com/grafana/grafana-app-sdk/logging"
 	"github.com/grafana/grafana-app-sdk/operator"
 	"github.com/grafana/grafana-app-sdk/resource"
 	"github.com/grafana/grafana-app-sdk/simple"
+	advisorapi "github.com/grafana/grafana/apps/advisor/pkg/apis"
 	advisorv0alpha1 "github.com/grafana/grafana/apps/advisor/pkg/apis/advisor/v0alpha1"
 	"github.com/grafana/grafana/apps/advisor/pkg/app/checkregistry"
 	"github.com/grafana/grafana/apps/advisor/pkg/app/checks"
 	"github.com/grafana/grafana/apps/advisor/pkg/app/checkscheduler"
 	"github.com/grafana/grafana/apps/advisor/pkg/app/checktyperegisterer"
 	"github.com/grafana/grafana/pkg/apimachinery/identity"
+	"github.com/grafana/grafana/pkg/services/org"
+	"github.com/grafana/grafana/pkg/setting"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/client-go/rest"
 )
 
 func New(cfg app.Config) (app.App, error) {
@@ -188,3 +194,45 @@ func GetKinds() map[schema.GroupVersion][]resource.Kind {
 		},
 	}
 }
+
+func ProvideAppInstaller(
+	authorizer authorizer.Authorizer,
+	checkRegistry checkregistry.CheckService,
+	cfg *setting.Cfg,
+	orgService org.Service,
+) (*AdvisorAppInstaller, error) {
+	provider := simple.NewAppProvider(advisorapi.LocalManifest(), nil, New)
+	pluginConfig := cfg.PluginSettings["grafana-advisor-app"]
+	specificConfig := checkregistry.AdvisorAppConfig{
+		CheckRegistry: checkRegistry,
+		PluginConfig:  pluginConfig,
+		StackID:       cfg.StackID,
+		OrgService:    orgService,
+	}
+	appCfg := app.Config{
+		KubeConfig:     rest.Config{},
+		ManifestData:   *advisorapi.LocalManifest().ManifestData,
+		SpecificConfig: specificConfig,
+	}
+
+	defaultInstaller, err := appsdkapiserver.NewDefaultAppInstaller(provider, appCfg, advisorapi.NewGoTypeAssociator())
+	if err != nil {
+		return nil, err
+	}
+
+	installer := &AdvisorAppInstaller{
+		AppInstaller: defaultInstaller,
+		authorizer:   authorizer,
+	}
+
+	return installer, nil
+}
+
+type AdvisorAppInstaller struct {
+	appsdkapiserver.AppInstaller
+	authorizer authorizer.Authorizer
+}
+
+func (a *AdvisorAppInstaller) GetAuthorizer() authorizer.Authorizer {
+	return a.authorizer
+}

apps/advisor/pkg/app/authorizer.go

@@ -1,47 +0,0 @@
-package app
-
-import (
-	"context"
-
-	claims "github.com/grafana/authlib/types"
-	"github.com/grafana/grafana/pkg/apimachinery/identity"
-	"k8s.io/apiserver/pkg/authorization/authorizer"
-)
-
-func GetAuthorizer() authorizer.Authorizer {
-	return authorizer.AuthorizerFunc(func(
-		ctx context.Context, attr authorizer.Attributes,
-	) (authorized authorizer.Decision, reason string, err error) {
-		if !attr.IsResourceRequest() {
-			return authorizer.DecisionNoOpinion, "", nil
-		}
-
-		// Check for service identity
-		if identity.IsServiceIdentity(ctx) {
-			return authorizer.DecisionAllow, "", nil
-		}
-
-		// Check for access policy identity
-		info, ok := claims.AuthInfoFrom(ctx)
-		if ok && claims.IsIdentityType(info.GetIdentityType(), claims.TypeAccessPolicy) {
-			// For access policy identities, we need to use ResourceAuthorizer
-			// This requires an AccessClient, which should be provided by the API server
-			// For now, we'll use the default ResourceAuthorizer from the API server
-			// This will be set up by the API server's authorization chain
-			return authorizer.DecisionNoOpinion, "", nil
-		}
-
-		// For regular Grafana users, check if they are admin
-		u, err := identity.GetRequester(ctx)
-		if err != nil {
-			return authorizer.DecisionDeny, "valid user is required", err
-		}
-
-		// check if is admin
-		if u.HasRole(identity.RoleAdmin) {
-			return authorizer.DecisionAllow, "", nil
-		}
-
-		return authorizer.DecisionDeny, "forbidden", nil
-	})
-}

apps/advisor/pkg/app/authorizer_test.go

@@ -1,91 +0,0 @@
-package app
-
-import (
-	"context"
-	"testing"
-
-	claims "github.com/grafana/authlib/types"
-	"github.com/grafana/grafana/pkg/apimachinery/identity"
-	"github.com/stretchr/testify/assert"
-	"k8s.io/apiserver/pkg/authorization/authorizer"
-)
-
-func TestGetAuthorizer(t *testing.T) {
-	tests := []struct {
-		name             string
-		ctx              context.Context
-		attr             authorizer.Attributes
-		expectedDecision authorizer.Decision
-		expectedReason   string
-		expectedErr      error
-	}{
-		{
-			name:             "non-resource request",
-			ctx:              context.TODO(),
-			attr:             &mockAttributes{resourceRequest: false},
-			expectedDecision: authorizer.DecisionNoOpinion,
-			expectedReason:   "",
-			expectedErr:      nil,
-		},
-		{
-			name:             "user is admin",
-			ctx:              identity.WithRequester(context.TODO(), &mockUser{isGrafanaAdmin: true}),
-			attr:             &mockAttributes{resourceRequest: true},
-			expectedDecision: authorizer.DecisionAllow,
-			expectedReason:   "",
-			expectedErr:      nil,
-		},
-		{
-			name:             "user is not admin",
-			ctx:              identity.WithRequester(context.TODO(), &mockUser{isGrafanaAdmin: false}),
-			attr:             &mockAttributes{resourceRequest: true},
-			expectedDecision: authorizer.DecisionDeny,
-			expectedReason:   "forbidden",
-			expectedErr:      nil,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			auth := GetAuthorizer()
-			decision, reason, err := auth.Authorize(tt.ctx, tt.attr)
-			assert.Equal(t, tt.expectedDecision, decision)
-			assert.Equal(t, tt.expectedReason, reason)
-			assert.Equal(t, tt.expectedErr, err)
-		})
-	}
-}
-
-type mockAttributes struct {
-	authorizer.Attributes
-	resourceRequest bool
-}
-
-func (m *mockAttributes) IsResourceRequest() bool {
-	return m.resourceRequest
-}
-
-// Implement other methods of authorizer.Attributes as needed
-
-type mockUser struct {
-	identity.Requester
-	isGrafanaAdmin bool
-}
-
-func (m *mockUser) GetIsGrafanaAdmin() bool {
-	return m.isGrafanaAdmin
-}
-
-func (m *mockUser) HasRole(role identity.RoleType) bool {
-	return role == identity.RoleAdmin && m.isGrafanaAdmin
-}
-
-func (m *mockUser) GetUID() string {
-	return "test-uid"
-}
-
-func (m *mockUser) GetIdentityType() claims.IdentityType {
-	return claims.TypeUser
-}
-
-// Implement other methods of identity.Requester as needed

apps/alerting/historian/go.mod

@@ -4,7 +4,7 @@ go 1.25.5
 
 require (
 	github.com/go-kit/log v0.2.1
-	github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba
+	github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7
 	github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4
 	github.com/grafana/grafana-app-sdk v0.48.5
 	github.com/grafana/grafana-app-sdk/logging v0.48.3

apps/alerting/historian/go.sum

@@ -216,12 +216,10 @@ github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/grafana/grafana-app-sdk v0.48.5 h1:MS8l9fTZz+VbTfgApn09jw27GxhQ6fNOWGhC4ydvZmM=
-github.com/grafana/grafana-app-sdk v0.48.5/go.mod h1:HJsMOSBmt/D/Ihs1SvagOwmXKi0coBMVHlfvdd+qe9Y=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba h1:psKWNETD5nGxmFAlqnWsXoRyUwSa2GHNEMSEDKGKfQ4=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 h1:ZzG/gCclEit9w0QUfQt9GURcOycAIGcsQAhY1u0AEX0=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4 h1:jSojuc7njleS3UOz223WDlXOinmuLAIPI0z2vtq8EgI=
 github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4/go.mod h1:VahT+GtfQIM+o8ht2StR6J9g+Ef+C2Vokh5uuSmOD/4=
 github.com/grafana/grafana-app-sdk v0.48.5 h1:MS8l9fTZz+VbTfgApn09jw27GxhQ6fNOWGhC4ydvZmM=

apps/dashboard/go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/grafana/grafana-app-sdk/logging v0.48.3
 	github.com/grafana/grafana-plugin-sdk-go v0.284.0
 	github.com/grafana/grafana/pkg/apimachinery v0.0.0-20250514132646-acbc7b54ed9e
+	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/prometheus/client_golang v1.23.2
 	github.com/stretchr/testify v1.11.1
 	k8s.io/apimachinery v0.34.2
@@ -57,7 +58,6 @@ require (
 	github.com/hashicorp/go-hclog v1.6.3 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-plugin v1.7.0 // indirect
-	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/jaegertracing/jaeger-idl v0.5.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect

apps/dashboard/pkg/migration/conversion/testdata/input/v1beta1.value-mapping-and-overrides.json

@@ -0,0 +1,603 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v1beta1",
+  "metadata": {
+    "name": "value-mapping-test",
+    "namespace": "default",
+    "uid": "value-mapping-test",
+    "resourceVersion": "1765384157199094",
+    "generation": 2,
+    "creationTimestamp": "2025-11-19T20:09:28Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "646372978987008"
+    },
+    "annotations": {},
+    "managedFields": []
+  },
+  "spec": {
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": {
+            "type": "grafana",
+            "uid": "-- Grafana --"
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations & Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "description": "Test dashboard for all value mapping types and override matcher types",
+    "editable": true,
+    "fiscalYearStartMonth": 0,
+    "graphTooltip": 0,
+    "links": [],
+    "panels": [
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with ValueMap mapping type - maps specific text values to colors and display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "critical": {
+                    "color": "red",
+                    "index": 0,
+                    "text": "Critical!"
+                  },
+                  "warning": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Warning"
+                  },
+                  "ok": {
+                    "color": "green",
+                    "index": 2,
+                    "text": "OK"
+                  }
+                },
+                "type": "value"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byName",
+                "options": "status"
+              },
+              "properties": [
+                {
+                  "id": "custom.width",
+                  "value": 100
+                },
+                {
+                  "id": "custom.align",
+                  "value": "center"
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 0
+        },
+        "id": 1,
+        "targets": [
+          {
+            "expr": "up",
+            "refId": "A"
+          }
+        ],
+        "title": "ValueMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with RangeMap mapping type - maps numerical ranges to colors and display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "from": 0,
+                  "to": 50,
+                  "result": {
+                    "color": "green",
+                    "index": 0,
+                    "text": "Low"
+                  }
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "from": 50,
+                  "to": 80,
+                  "result": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Medium"
+                  }
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "from": 80,
+                  "to": 100,
+                  "result": {
+                    "color": "red",
+                    "index": 2,
+                    "text": "High"
+                  }
+                },
+                "type": "range"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byRegexp",
+                "options": "/^cpu_/"
+              },
+              "properties": [
+                {
+                  "id": "unit",
+                  "value": "percent"
+                },
+                {
+                  "id": "decimals",
+                  "value": 2
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 0
+        },
+        "id": 2,
+        "targets": [
+          {
+            "expr": "cpu_usage_percent",
+            "refId": "A"
+          }
+        ],
+        "title": "RangeMap Example",
+        "type": "gauge"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with RegexMap mapping type - maps values matching regex patterns to colors",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "pattern": "/^error.*/",
+                  "result": {
+                    "color": "red",
+                    "index": 0,
+                    "text": "Error"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "pattern": "/^warn.*/",
+                  "result": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Warning"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "pattern": "/^info.*/",
+                  "result": {
+                    "color": "blue",
+                    "index": 2,
+                    "text": "Info"
+                  }
+                },
+                "type": "regex"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byType",
+                "options": "string"
+              },
+              "properties": [
+                {
+                  "id": "custom.cellOptions",
+                  "value": {
+                    "type": "color-text"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 8
+        },
+        "id": 3,
+        "targets": [
+          {
+            "expr": "log_level",
+            "refId": "A"
+          }
+        ],
+        "title": "RegexMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with SpecialValueMap mapping type - maps special values like null, NaN, true, false to display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "match": "null",
+                  "result": {
+                    "color": "gray",
+                    "index": 0,
+                    "text": "No Data"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "nan",
+                  "result": {
+                    "color": "gray",
+                    "index": 1,
+                    "text": "Not a Number"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "null+nan",
+                  "result": {
+                    "color": "gray",
+                    "index": 2,
+                    "text": "N/A"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "true",
+                  "result": {
+                    "color": "green",
+                    "index": 3,
+                    "text": "Yes"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "false",
+                  "result": {
+                    "color": "red",
+                    "index": 4,
+                    "text": "No"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "empty",
+                  "result": {
+                    "color": "gray",
+                    "index": 5,
+                    "text": "Empty"
+                  }
+                },
+                "type": "special"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byFrameRefID",
+                "options": "A"
+              },
+              "properties": [
+                {
+                  "id": "color",
+                  "value": {
+                    "mode": "fixed",
+                    "fixedColor": "blue"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 8
+        },
+        "id": 4,
+        "targets": [
+          {
+            "expr": "some_metric",
+            "refId": "A"
+          }
+        ],
+        "title": "SpecialValueMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with all mapping types combined - demonstrates mixing different mapping types and multiple override matchers",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "success": {
+                    "color": "green",
+                    "index": 0,
+                    "text": "Success"
+                  },
+                  "failure": {
+                    "color": "red",
+                    "index": 1,
+                    "text": "Failure"
+                  }
+                },
+                "type": "value"
+              },
+              {
+                "options": {
+                  "from": 0,
+                  "to": 100,
+                  "result": {
+                    "color": "blue",
+                    "index": 2,
+                    "text": "In Range"
+                  }
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "pattern": "/^[A-Z]{3}-\\d+$/",
+                  "result": {
+                    "color": "purple",
+                    "index": 3,
+                    "text": "ID Format"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "match": "null",
+                  "result": {
+                    "color": "gray",
+                    "index": 4,
+                    "text": "Missing"
+                  }
+                },
+                "type": "special"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byName",
+                "options": "status"
+              },
+              "properties": [
+                {
+                  "id": "custom.width",
+                  "value": 120
+                },
+                {
+                  "id": "custom.cellOptions",
+                  "value": {
+                    "type": "color-background"
+                  }
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byRegexp",
+                "options": "/^value_/"
+              },
+              "properties": [
+                {
+                  "id": "unit",
+                  "value": "short"
+                },
+                {
+                  "id": "min",
+                  "value": 0
+                },
+                {
+                  "id": "max",
+                  "value": 100
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byType",
+                "options": "number"
+              },
+              "properties": [
+                {
+                  "id": "decimals",
+                  "value": 2
+                },
+                {
+                  "id": "thresholds",
+                  "value": {
+                    "mode": "absolute",
+                    "steps": [
+                      {
+                        "color": "green",
+                        "value": null
+                      },
+                      {
+                        "color": "yellow",
+                        "value": 50
+                      },
+                      {
+                        "color": "red",
+                        "value": 80
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byFrameRefID",
+                "options": "B"
+              },
+              "properties": [
+                {
+                  "id": "displayName",
+                  "value": "Secondary Query"
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byValue",
+                "options": {
+                  "reducer": "allIsNull",
+                  "op": "gte",
+                  "value": 0
+                }
+              },
+              "properties": [
+                {
+                  "id": "custom.hidden",
+                  "value": true
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 24,
+          "x": 0,
+          "y": 16
+        },
+        "id": 5,
+        "targets": [
+          {
+            "expr": "combined_metric",
+            "refId": "A"
+          },
+          {
+            "expr": "secondary_metric",
+            "refId": "B"
+          }
+        ],
+        "title": "Combined Mappings and Overrides Example",
+        "type": "table"
+      }
+    ],
+    "schemaVersion": 42,
+    "tags": [
+      "value-mapping",
+      "overrides",
+      "test"
+    ],
+    "templating": {
+      "list": []
+    },
+    "time": {
+      "from": "now-6h",
+      "to": "now"
+    },
+    "timepicker": {},
+    "timezone": "browser",
+    "title": "Value Mapping and Overrides Test",
+    "weekStart": ""
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v0alpha1"
+    }
+  },
+  "access": {
+    "slug": "value-mapping-test",
+    "url": "/d/value-mapping-test/value-mapping-and-overrides-test",
+    "canSave": true,
+    "canEdit": true,
+    "canAdmin": true,
+    "canStar": true,
+    "canDelete": true,
+    "annotationsPermissions": {
+      "dashboard": {
+        "canAdd": true,
+        "canEdit": true,
+        "canDelete": true
+      },
+      "organization": {
+        "canAdd": true,
+        "canEdit": true,
+        "canDelete": true
+      }
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/testdata/input/v2beta1.tab-with-multiple-panels.json

@@ -0,0 +1,715 @@
+{
+"kind": "DashboardWithAccessInfo",
+"apiVersion": "dashboard.grafana.app/v2beta1",
+"metadata": {
+    "name": "adt885j",
+    "namespace": "default",
+    "uid": "yTWet6JgBjlRIWnqRE9ZOmUycfT0tEkr2mljaln1GWIX",
+    "resourceVersion": "2",
+    "generation": 2,
+    "creationTimestamp": "2025-12-16T10:44:31Z",
+    "labels": {
+    "grafana.app/deprecatedInternalID": "2409"
+    },
+    "annotations": {
+    "grafana.app/createdBy": "user:u000000001",
+    "grafana.app/updatedBy": "user:u000000001",
+    "grafana.app/updatedTimestamp": "2025-12-16T10:51:14Z"
+    }
+},
+"spec": {
+    "annotations": [
+    {
+        "kind": "AnnotationQuery",
+        "spec": {
+        "query": {
+            "kind": "DataQuery",
+            "group": "grafana",
+            "version": "v0",
+            "datasource": {
+            "name": "-- Grafana --"
+            },
+            "spec": {}
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations \u0026 Alerts",
+        "builtIn": true
+        }
+    }
+    ],
+    "cursorSync": "Off",
+    "description": "",
+    "editable": true,
+    "elements": {
+    "panel-1": {
+        "kind": "Panel",
+        "spec": {
+        "id": 1,
+        "title": "Panel1",
+        "description": "",
+        "links": [],
+        "data": {
+            "kind": "QueryGroup",
+            "spec": {
+            "queries": [
+                {
+                "kind": "PanelQuery",
+                "spec": {
+                    "query": {
+                    "kind": "DataQuery",
+                    "group": "grafana-testdata-datasource",
+                    "version": "v0",
+                    "datasource": {
+                        "name": "PD8C576611E62080A"
+                    },
+                    "spec": {}
+                    },
+                    "refId": "A",
+                    "hidden": false
+                }
+                }
+            ],
+            "transformations": [],
+            "queryOptions": {}
+            }
+        },
+        "vizConfig": {
+            "kind": "VizConfig",
+            "group": "timeseries",
+            "version": "12.4.0-pre",
+            "spec": {
+            "options": {
+                "legend": {
+                "calcs": [],
+                "displayMode": "list",
+                "placement": "bottom",
+                "showLegend": true
+                },
+                "tooltip": {
+                "hideZeros": false,
+                "mode": "single",
+                "sort": "none"
+                }
+            },
+            "fieldConfig": {
+                "defaults": {
+                "thresholds": {
+                    "mode": "absolute",
+                    "steps": [
+                    {
+                        "value": 0,
+                        "color": "green"
+                    },
+                    {
+                        "value": 80,
+                        "color": "red"
+                    }
+                    ]
+                },
+                "color": {
+                    "mode": "palette-classic"
+                },
+                "custom": {
+                    "axisBorderShow": false,
+                    "axisCenteredZero": false,
+                    "axisColorMode": "text",
+                    "axisLabel": "",
+                    "axisPlacement": "auto",
+                    "barAlignment": 0,
+                    "barWidthFactor": 0.6,
+                    "drawStyle": "line",
+                    "fillOpacity": 0,
+                    "gradientMode": "none",
+                    "hideFrom": {
+                    "legend": false,
+                    "tooltip": false,
+                    "viz": false
+                    },
+                    "insertNulls": false,
+                    "lineInterpolation": "linear",
+                    "lineWidth": 1,
+                    "pointSize": 5,
+                    "scaleDistribution": {
+                    "type": "linear"
+                    },
+                    "showPoints": "auto",
+                    "showValues": false,
+                    "spanNulls": false,
+                    "stacking": {
+                    "group": "A",
+                    "mode": "none"
+                    },
+                    "thresholdsStyle": {
+                    "mode": "off"
+                    }
+                }
+                },
+                "overrides": []
+            }
+            }
+        }
+        }
+    },
+    "panel-2": {
+        "kind": "Panel",
+        "spec": {
+        "id": 2,
+        "title": "Panel2",
+        "description": "",
+        "links": [],
+        "data": {
+            "kind": "QueryGroup",
+            "spec": {
+            "queries": [
+                {
+                "kind": "PanelQuery",
+                "spec": {
+                    "query": {
+                    "kind": "DataQuery",
+                    "group": "",
+                    "version": "v0",
+                    "spec": {}
+                    },
+                    "refId": "A",
+                    "hidden": false
+                }
+                }
+            ],
+            "transformations": [],
+            "queryOptions": {}
+            }
+        },
+        "vizConfig": {
+            "kind": "VizConfig",
+            "group": "timeseries",
+            "version": "12.4.0-pre",
+            "spec": {
+            "options": {
+                "legend": {
+                "calcs": [],
+                "displayMode": "list",
+                "placement": "bottom",
+                "showLegend": true
+                },
+                "tooltip": {
+                "hideZeros": false,
+                "mode": "single",
+                "sort": "none"
+                }
+            },
+            "fieldConfig": {
+                "defaults": {
+                "thresholds": {
+                    "mode": "absolute",
+                    "steps": [
+                    {
+                        "value": 0,
+                        "color": "green"
+                    },
+                    {
+                        "value": 80,
+                        "color": "red"
+                    }
+                    ]
+                },
+                "color": {
+                    "mode": "palette-classic"
+                },
+                "custom": {
+                    "axisBorderShow": false,
+                    "axisCenteredZero": false,
+                    "axisColorMode": "text",
+                    "axisLabel": "",
+                    "axisPlacement": "auto",
+                    "barAlignment": 0,
+                    "barWidthFactor": 0.6,
+                    "drawStyle": "line",
+                    "fillOpacity": 0,
+                    "gradientMode": "none",
+                    "hideFrom": {
+                    "legend": false,
+                    "tooltip": false,
+                    "viz": false
+                    },
+                    "insertNulls": false,
+                    "lineInterpolation": "linear",
+                    "lineWidth": 1,
+                    "pointSize": 5,
+                    "scaleDistribution": {
+                    "type": "linear"
+                    },
+                    "showPoints": "auto",
+                    "showValues": false,
+                    "spanNulls": false,
+                    "stacking": {
+                    "group": "A",
+                    "mode": "none"
+                    },
+                    "thresholdsStyle": {
+                    "mode": "off"
+                    }
+                }
+                },
+                "overrides": []
+            }
+            }
+        }
+        }
+    },
+    "panel-3": {
+        "kind": "Panel",
+        "spec": {
+        "id": 3,
+        "title": "Panel3",
+        "description": "",
+        "links": [],
+        "data": {
+            "kind": "QueryGroup",
+            "spec": {
+            "queries": [
+                {
+                "kind": "PanelQuery",
+                "spec": {
+                    "query": {
+                    "kind": "DataQuery",
+                    "group": "",
+                    "version": "v0",
+                    "spec": {}
+                    },
+                    "refId": "A",
+                    "hidden": false
+                }
+                }
+            ],
+            "transformations": [],
+            "queryOptions": {}
+            }
+        },
+        "vizConfig": {
+            "kind": "VizConfig",
+            "group": "timeseries",
+            "version": "12.4.0-pre",
+            "spec": {
+            "options": {
+                "legend": {
+                "calcs": [],
+                "displayMode": "list",
+                "placement": "bottom",
+                "showLegend": true
+                },
+                "tooltip": {
+                "hideZeros": false,
+                "mode": "single",
+                "sort": "none"
+                }
+            },
+            "fieldConfig": {
+                "defaults": {
+                "thresholds": {
+                    "mode": "absolute",
+                    "steps": [
+                    {
+                        "value": 0,
+                        "color": "green"
+                    },
+                    {
+                        "value": 80,
+                        "color": "red"
+                    }
+                    ]
+                },
+                "color": {
+                    "mode": "palette-classic"
+                },
+                "custom": {
+                    "axisBorderShow": false,
+                    "axisCenteredZero": false,
+                    "axisColorMode": "text",
+                    "axisLabel": "",
+                    "axisPlacement": "auto",
+                    "barAlignment": 0,
+                    "barWidthFactor": 0.6,
+                    "drawStyle": "line",
+                    "fillOpacity": 0,
+                    "gradientMode": "none",
+                    "hideFrom": {
+                    "legend": false,
+                    "tooltip": false,
+                    "viz": false
+                    },
+                    "insertNulls": false,
+                    "lineInterpolation": "linear",
+                    "lineWidth": 1,
+                    "pointSize": 5,
+                    "scaleDistribution": {
+                    "type": "linear"
+                    },
+                    "showPoints": "auto",
+                    "showValues": false,
+                    "spanNulls": false,
+                    "stacking": {
+                    "group": "A",
+                    "mode": "none"
+                    },
+                    "thresholdsStyle": {
+                    "mode": "off"
+                    }
+                }
+                },
+                "overrides": []
+            }
+            }
+        }
+        }
+    },
+    "panel-4": {
+        "kind": "Panel",
+        "spec": {
+        "id": 4,
+        "title": "Panel4",
+        "description": "",
+        "links": [],
+        "data": {
+            "kind": "QueryGroup",
+            "spec": {
+            "queries": [
+                {
+                "kind": "PanelQuery",
+                "spec": {
+                    "query": {
+                    "kind": "DataQuery",
+                    "group": "",
+                    "version": "v0",
+                    "spec": {}
+                    },
+                    "refId": "A",
+                    "hidden": false
+                }
+                }
+            ],
+            "transformations": [],
+            "queryOptions": {}
+            }
+        },
+        "vizConfig": {
+            "kind": "VizConfig",
+            "group": "timeseries",
+            "version": "12.4.0-pre",
+            "spec": {
+            "options": {
+                "legend": {
+                "calcs": [],
+                "displayMode": "list",
+                "placement": "bottom",
+                "showLegend": true
+                },
+                "tooltip": {
+                "hideZeros": false,
+                "mode": "single",
+                "sort": "none"
+                }
+            },
+            "fieldConfig": {
+                "defaults": {
+                "thresholds": {
+                    "mode": "absolute",
+                    "steps": [
+                    {
+                        "value": 0,
+                        "color": "green"
+                    },
+                    {
+                        "value": 80,
+                        "color": "red"
+                    }
+                    ]
+                },
+                "color": {
+                    "mode": "palette-classic"
+                },
+                "custom": {
+                    "axisBorderShow": false,
+                    "axisCenteredZero": false,
+                    "axisColorMode": "text",
+                    "axisLabel": "",
+                    "axisPlacement": "auto",
+                    "barAlignment": 0,
+                    "barWidthFactor": 0.6,
+                    "drawStyle": "line",
+                    "fillOpacity": 0,
+                    "gradientMode": "none",
+                    "hideFrom": {
+                    "legend": false,
+                    "tooltip": false,
+                    "viz": false
+                    },
+                    "insertNulls": false,
+                    "lineInterpolation": "linear",
+                    "lineWidth": 1,
+                    "pointSize": 5,
+                    "scaleDistribution": {
+                    "type": "linear"
+                    },
+                    "showPoints": "auto",
+                    "showValues": false,
+                    "spanNulls": false,
+                    "stacking": {
+                    "group": "A",
+                    "mode": "none"
+                    },
+                    "thresholdsStyle": {
+                    "mode": "off"
+                    }
+                }
+                },
+                "overrides": []
+            }
+            }
+        }
+        }
+    },
+    "panel-5": {
+        "kind": "Panel",
+        "spec": {
+        "id": 5,
+        "title": "Panel5",
+        "description": "",
+        "links": [],
+        "data": {
+            "kind": "QueryGroup",
+            "spec": {
+            "queries": [
+                {
+                "kind": "PanelQuery",
+                "spec": {
+                    "query": {
+                    "kind": "DataQuery",
+                    "group": "",
+                    "version": "v0",
+                    "spec": {}
+                    },
+                    "refId": "A",
+                    "hidden": false
+                }
+                }
+            ],
+            "transformations": [],
+            "queryOptions": {}
+            }
+        },
+        "vizConfig": {
+            "kind": "VizConfig",
+            "group": "timeseries",
+            "version": "12.4.0-pre",
+            "spec": {
+            "options": {
+                "legend": {
+                "calcs": [],
+                "displayMode": "list",
+                "placement": "bottom",
+                "showLegend": true
+                },
+                "tooltip": {
+                "hideZeros": false,
+                "mode": "single",
+                "sort": "none"
+                }
+            },
+            "fieldConfig": {
+                "defaults": {
+                "thresholds": {
+                    "mode": "absolute",
+                    "steps": [
+                    {
+                        "value": 0,
+                        "color": "green"
+                    },
+                    {
+                        "value": 80,
+                        "color": "red"
+                    }
+                    ]
+                },
+                "color": {
+                    "mode": "palette-classic"
+                },
+                "custom": {
+                    "axisBorderShow": false,
+                    "axisCenteredZero": false,
+                    "axisColorMode": "text",
+                    "axisLabel": "",
+                    "axisPlacement": "auto",
+                    "barAlignment": 0,
+                    "barWidthFactor": 0.6,
+                    "drawStyle": "line",
+                    "fillOpacity": 0,
+                    "gradientMode": "none",
+                    "hideFrom": {
+                    "legend": false,
+                    "tooltip": false,
+                    "viz": false
+                    },
+                    "insertNulls": false,
+                    "lineInterpolation": "linear",
+                    "lineWidth": 1,
+                    "pointSize": 5,
+                    "scaleDistribution": {
+                    "type": "linear"
+                    },
+                    "showPoints": "auto",
+                    "showValues": false,
+                    "spanNulls": false,
+                    "stacking": {
+                    "group": "A",
+                    "mode": "none"
+                    },
+                    "thresholdsStyle": {
+                    "mode": "off"
+                    }
+                }
+                },
+                "overrides": []
+            }
+            }
+        }
+        }
+    }
+    },
+    "layout": {
+    "kind": "TabsLayout",
+    "spec": {
+        "tabs": [
+        {
+            "kind": "TabsLayoutTab",
+            "spec": {
+            "title": "Tab1",
+            "layout": {
+                "kind": "GridLayout",
+                "spec": {
+                "items": [
+                    {
+                    "kind": "GridLayoutItem",
+                    "spec": {
+                        "x": 0,
+                        "y": 0,
+                        "width": 7,
+                        "height": 8,
+                        "element": {
+                        "kind": "ElementReference",
+                        "name": "panel-1"
+                        }
+                    }
+                    },
+                    {
+                    "kind": "GridLayoutItem",
+                    "spec": {
+                        "x": 7,
+                        "y": 0,
+                        "width": 8,
+                        "height": 8,
+                        "element": {
+                        "kind": "ElementReference",
+                        "name": "panel-2"
+                        }
+                    }
+                    },
+                    {
+                    "kind": "GridLayoutItem",
+                    "spec": {
+                        "x": 15,
+                        "y": 0,
+                        "width": 9,
+                        "height": 8,
+                        "element": {
+                        "kind": "ElementReference",
+                        "name": "panel-3"
+                        }
+                    }
+                    },
+                    {
+                    "kind": "GridLayoutItem",
+                    "spec": {
+                        "x": 0,
+                        "y": 8,
+                        "width": 12,
+                        "height": 8,
+                        "element": {
+                        "kind": "ElementReference",
+                        "name": "panel-4"
+                        }
+                    }
+                    },
+                    {
+                    "kind": "GridLayoutItem",
+                    "spec": {
+                        "x": 12,
+                        "y": 8,
+                        "width": 12,
+                        "height": 8,
+                        "element": {
+                        "kind": "ElementReference",
+                        "name": "panel-5"
+                        }
+                    }
+                    }
+                ]
+                }
+            }
+            }
+        }
+        ]
+    }
+    },
+    "links": [],
+    "liveNow": false,
+    "preload": false,
+    "tags": [],
+    "timeSettings": {
+    "timezone": "browser",
+    "from": "now-6h",
+    "to": "now",
+    "autoRefresh": "",
+    "autoRefreshIntervals": [
+        "5s",
+        "10s",
+        "30s",
+        "1m",
+        "5m",
+        "15m",
+        "30m",
+        "1h",
+        "2h",
+        "1d"
+    ],
+    "hideTimepicker": false,
+    "fiscalYearStartMonth": 0
+    },
+    "title": "Dashboard with tabs",
+    "variables": []
+},
+"status": {},
+"access": {
+    "slug": "dashboard-with-tabs",
+    "url": "/d/adt885j/dashboard-with-tabs",
+    "isPublic": false,
+    "canSave": true,
+    "canEdit": true,
+    "canAdmin": true,
+    "canStar": true,
+    "canDelete": true,
+    "annotationsPermissions": {
+    "dashboard": {
+        "canAdd": true,
+        "canEdit": true,
+        "canDelete": true
+    },
+    "organization": {
+        "canAdd": true,
+        "canEdit": true,
+        "canDelete": true
+    }
+    }
+}
+} 

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v30.value_mappings_and_tooltip_options.v42.v2alpha1.json

@@ -530,7 +530,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v30.value_mappings_and_tooltip_options.v42.v2beta1.json

@@ -546,7 +546,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v33.panel_ds_name_to_ref.v42.v2alpha1.json

@@ -548,7 +548,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v33.panel_ds_name_to_ref.v42.v2beta1.json

@@ -574,7 +574,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v34.multiple_stats_cloudwatch.v42.v2alpha1.json

@@ -1663,7 +1663,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v34.multiple_stats_cloudwatch.v42.v2beta1.json

@@ -1727,7 +1727,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v42.hidefrom_tooltip.v42.v2alpha1.json

@@ -328,7 +328,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/migrated_dashboards_output/v1beta1-mig-v42.hidefrom_tooltip.v42.v2beta1.json

@@ -335,7 +335,7 @@
             "kind": "RowsLayoutRow",
             "spec": {
               "title": "",
-              "collapse": true,
+              "collapse": false,
               "hideHeader": true,
               "layout": {
                 "kind": "GridLayout",

apps/dashboard/pkg/migration/conversion/testdata/output/v1beta1.value-mapping-and-overrides.v0alpha1.json

@@ -0,0 +1,580 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v0alpha1",
+  "metadata": {
+    "name": "value-mapping-test",
+    "namespace": "default",
+    "uid": "value-mapping-test",
+    "resourceVersion": "1765384157199094",
+    "generation": 2,
+    "creationTimestamp": "2025-11-19T20:09:28Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "646372978987008"
+    }
+  },
+  "spec": {
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": {
+            "type": "grafana",
+            "uid": "-- Grafana --"
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations \u0026 Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "description": "Test dashboard for all value mapping types and override matcher types",
+    "editable": true,
+    "fiscalYearStartMonth": 0,
+    "graphTooltip": 0,
+    "links": [],
+    "panels": [
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with ValueMap mapping type - maps specific text values to colors and display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "critical": {
+                    "color": "red",
+                    "index": 0,
+                    "text": "Critical!"
+                  },
+                  "ok": {
+                    "color": "green",
+                    "index": 2,
+                    "text": "OK"
+                  },
+                  "warning": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Warning"
+                  }
+                },
+                "type": "value"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byName",
+                "options": "status"
+              },
+              "properties": [
+                {
+                  "id": "custom.width",
+                  "value": 100
+                },
+                {
+                  "id": "custom.align",
+                  "value": "center"
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 0
+        },
+        "id": 1,
+        "targets": [
+          {
+            "expr": "up",
+            "refId": "A"
+          }
+        ],
+        "title": "ValueMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with RangeMap mapping type - maps numerical ranges to colors and display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "from": 0,
+                  "result": {
+                    "color": "green",
+                    "index": 0,
+                    "text": "Low"
+                  },
+                  "to": 50
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "from": 50,
+                  "result": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Medium"
+                  },
+                  "to": 80
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "from": 80,
+                  "result": {
+                    "color": "red",
+                    "index": 2,
+                    "text": "High"
+                  },
+                  "to": 100
+                },
+                "type": "range"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byRegexp",
+                "options": "/^cpu_/"
+              },
+              "properties": [
+                {
+                  "id": "unit",
+                  "value": "percent"
+                },
+                {
+                  "id": "decimals",
+                  "value": 2
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 0
+        },
+        "id": 2,
+        "targets": [
+          {
+            "expr": "cpu_usage_percent",
+            "refId": "A"
+          }
+        ],
+        "title": "RangeMap Example",
+        "type": "gauge"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with RegexMap mapping type - maps values matching regex patterns to colors",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "pattern": "/^error.*/",
+                  "result": {
+                    "color": "red",
+                    "index": 0,
+                    "text": "Error"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "pattern": "/^warn.*/",
+                  "result": {
+                    "color": "orange",
+                    "index": 1,
+                    "text": "Warning"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "pattern": "/^info.*/",
+                  "result": {
+                    "color": "blue",
+                    "index": 2,
+                    "text": "Info"
+                  }
+                },
+                "type": "regex"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byType",
+                "options": "string"
+              },
+              "properties": [
+                {
+                  "id": "custom.cellOptions",
+                  "value": {
+                    "type": "color-text"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 8
+        },
+        "id": 3,
+        "targets": [
+          {
+            "expr": "log_level",
+            "refId": "A"
+          }
+        ],
+        "title": "RegexMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with SpecialValueMap mapping type - maps special values like null, NaN, true, false to display text",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "match": "null",
+                  "result": {
+                    "color": "gray",
+                    "index": 0,
+                    "text": "No Data"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "nan",
+                  "result": {
+                    "color": "gray",
+                    "index": 1,
+                    "text": "Not a Number"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "null+nan",
+                  "result": {
+                    "color": "gray",
+                    "index": 2,
+                    "text": "N/A"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "true",
+                  "result": {
+                    "color": "green",
+                    "index": 3,
+                    "text": "Yes"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "false",
+                  "result": {
+                    "color": "red",
+                    "index": 4,
+                    "text": "No"
+                  }
+                },
+                "type": "special"
+              },
+              {
+                "options": {
+                  "match": "empty",
+                  "result": {
+                    "color": "gray",
+                    "index": 5,
+                    "text": "Empty"
+                  }
+                },
+                "type": "special"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byFrameRefID",
+                "options": "A"
+              },
+              "properties": [
+                {
+                  "id": "color",
+                  "value": {
+                    "fixedColor": "blue",
+                    "mode": "fixed"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 8
+        },
+        "id": 4,
+        "targets": [
+          {
+            "expr": "some_metric",
+            "refId": "A"
+          }
+        ],
+        "title": "SpecialValueMap Example",
+        "type": "stat"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "prometheus-uid"
+        },
+        "description": "Panel with all mapping types combined - demonstrates mixing different mapping types and multiple override matchers",
+        "fieldConfig": {
+          "defaults": {
+            "mappings": [
+              {
+                "options": {
+                  "failure": {
+                    "color": "red",
+                    "index": 1,
+                    "text": "Failure"
+                  },
+                  "success": {
+                    "color": "green",
+                    "index": 0,
+                    "text": "Success"
+                  }
+                },
+                "type": "value"
+              },
+              {
+                "options": {
+                  "from": 0,
+                  "result": {
+                    "color": "blue",
+                    "index": 2,
+                    "text": "In Range"
+                  },
+                  "to": 100
+                },
+                "type": "range"
+              },
+              {
+                "options": {
+                  "pattern": "/^[A-Z]{3}-\\d+$/",
+                  "result": {
+                    "color": "purple",
+                    "index": 3,
+                    "text": "ID Format"
+                  }
+                },
+                "type": "regex"
+              },
+              {
+                "options": {
+                  "match": "null",
+                  "result": {
+                    "color": "gray",
+                    "index": 4,
+                    "text": "Missing"
+                  }
+                },
+                "type": "special"
+              }
+            ]
+          },
+          "overrides": [
+            {
+              "matcher": {
+                "id": "byName",
+                "options": "status"
+              },
+              "properties": [
+                {
+                  "id": "custom.width",
+                  "value": 120
+                },
+                {
+                  "id": "custom.cellOptions",
+                  "value": {
+                    "type": "color-background"
+                  }
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byRegexp",
+                "options": "/^value_/"
+              },
+              "properties": [
+                {
+                  "id": "unit",
+                  "value": "short"
+                },
+                {
+                  "id": "min",
+                  "value": 0
+                },
+                {
+                  "id": "max",
+                  "value": 100
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byType",
+                "options": "number"
+              },
+              "properties": [
+                {
+                  "id": "decimals",
+                  "value": 2
+                },
+                {
+                  "id": "thresholds",
+                  "value": {
+                    "mode": "absolute",
+                    "steps": [
+                      {
+                        "color": "green",
+                        "value": null
+                      },
+                      {
+                        "color": "yellow",
+                        "value": 50
+                      },
+                      {
+                        "color": "red",
+                        "value": 80
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byFrameRefID",
+                "options": "B"
+              },
+              "properties": [
+                {
+                  "id": "displayName",
+                  "value": "Secondary Query"
+                }
+              ]
+            },
+            {
+              "matcher": {
+                "id": "byValue",
+                "options": {
+                  "op": "gte",
+                  "reducer": "allIsNull",
+                  "value": 0
+                }
+              },
+              "properties": [
+                {
+                  "id": "custom.hidden",
+                  "value": true
+                }
+              ]
+            }
+          ]
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 24,
+          "x": 0,
+          "y": 16
+        },
+        "id": 5,
+        "targets": [
+          {
+            "expr": "combined_metric",
+            "refId": "A"
+          },
+          {
+            "expr": "secondary_metric",
+            "refId": "B"
+          }
+        ],
+        "title": "Combined Mappings and Overrides Example",
+        "type": "table"
+      }
+    ],
+    "schemaVersion": 42,
+    "tags": [
+      "value-mapping",
+      "overrides",
+      "test"
+    ],
+    "templating": {
+      "list": []
+    },
+    "time": {
+      "from": "now-6h",
+      "to": "now"
+    },
+    "timepicker": {},
+    "timezone": "browser",
+    "title": "Value Mapping and Overrides Test",
+    "weekStart": ""
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v1beta1"
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/testdata/output/v1beta1.value-mapping-and-overrides.v2alpha1.json

@@ -0,0 +1,783 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v2alpha1",
+  "metadata": {
+    "name": "value-mapping-test",
+    "namespace": "default",
+    "uid": "value-mapping-test",
+    "resourceVersion": "1765384157199094",
+    "generation": 2,
+    "creationTimestamp": "2025-11-19T20:09:28Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "646372978987008"
+    }
+  },
+  "spec": {
+    "annotations": [
+      {
+        "kind": "AnnotationQuery",
+        "spec": {
+          "datasource": {
+            "type": "grafana",
+            "uid": "-- Grafana --"
+          },
+          "query": {
+            "kind": "grafana",
+            "spec": {}
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations \u0026 Alerts",
+          "builtIn": true,
+          "legacyOptions": {
+            "type": "dashboard"
+          }
+        }
+      }
+    ],
+    "cursorSync": "Off",
+    "description": "Test dashboard for all value mapping types and override matcher types",
+    "editable": true,
+    "elements": {
+      "panel-1": {
+        "kind": "Panel",
+        "spec": {
+          "id": 1,
+          "title": "ValueMap Example",
+          "description": "Panel with ValueMap mapping type - maps specific text values to colors and display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "up"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "stat",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "value",
+                      "options": {
+                        "critical": {
+                          "text": "Critical!",
+                          "color": "red",
+                          "index": 0
+                        },
+                        "ok": {
+                          "text": "OK",
+                          "color": "green",
+                          "index": 2
+                        },
+                        "warning": {
+                          "text": "Warning",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byName",
+                      "options": "status"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.width",
+                        "value": 100
+                      },
+                      {
+                        "id": "custom.align",
+                        "value": "center"
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-2": {
+        "kind": "Panel",
+        "spec": {
+          "id": 2,
+          "title": "RangeMap Example",
+          "description": "Panel with RangeMap mapping type - maps numerical ranges to colors and display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "cpu_usage_percent"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "gauge",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 0,
+                        "to": 50,
+                        "result": {
+                          "text": "Low",
+                          "color": "green",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 50,
+                        "to": 80,
+                        "result": {
+                          "text": "Medium",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 80,
+                        "to": 100,
+                        "result": {
+                          "text": "High",
+                          "color": "red",
+                          "index": 2
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byRegexp",
+                      "options": "/^cpu_/"
+                    },
+                    "properties": [
+                      {
+                        "id": "unit",
+                        "value": "percent"
+                      },
+                      {
+                        "id": "decimals",
+                        "value": 2
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-3": {
+        "kind": "Panel",
+        "spec": {
+          "id": 3,
+          "title": "RegexMap Example",
+          "description": "Panel with RegexMap mapping type - maps values matching regex patterns to colors",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "log_level"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "stat",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^error.*/",
+                        "result": {
+                          "text": "Error",
+                          "color": "red",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^warn.*/",
+                        "result": {
+                          "text": "Warning",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^info.*/",
+                        "result": {
+                          "text": "Info",
+                          "color": "blue",
+                          "index": 2
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byType",
+                      "options": "string"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.cellOptions",
+                        "value": {
+                          "type": "color-text"
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-4": {
+        "kind": "Panel",
+        "spec": {
+          "id": 4,
+          "title": "SpecialValueMap Example",
+          "description": "Panel with SpecialValueMap mapping type - maps special values like null, NaN, true, false to display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "some_metric"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "stat",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null",
+                        "result": {
+                          "text": "No Data",
+                          "color": "gray",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "nan",
+                        "result": {
+                          "text": "Not a Number",
+                          "color": "gray",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null+nan",
+                        "result": {
+                          "text": "N/A",
+                          "color": "gray",
+                          "index": 2
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "true",
+                        "result": {
+                          "text": "Yes",
+                          "color": "green",
+                          "index": 3
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "false",
+                        "result": {
+                          "text": "No",
+                          "color": "red",
+                          "index": 4
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "empty",
+                        "result": {
+                          "text": "Empty",
+                          "color": "gray",
+                          "index": 5
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byFrameRefID",
+                      "options": "A"
+                    },
+                    "properties": [
+                      {
+                        "id": "color",
+                        "value": {
+                          "fixedColor": "blue",
+                          "mode": "fixed"
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-5": {
+        "kind": "Panel",
+        "spec": {
+          "id": 5,
+          "title": "Combined Mappings and Overrides Example",
+          "description": "Panel with all mapping types combined - demonstrates mixing different mapping types and multiple override matchers",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "combined_metric"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                },
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "prometheus",
+                      "spec": {
+                        "expr": "secondary_metric"
+                      }
+                    },
+                    "datasource": {
+                      "type": "prometheus",
+                      "uid": "prometheus-uid"
+                    },
+                    "refId": "B",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "table",
+            "spec": {
+              "pluginVersion": "",
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "value",
+                      "options": {
+                        "failure": {
+                          "text": "Failure",
+                          "color": "red",
+                          "index": 1
+                        },
+                        "success": {
+                          "text": "Success",
+                          "color": "green",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 0,
+                        "to": 100,
+                        "result": {
+                          "text": "In Range",
+                          "color": "blue",
+                          "index": 2
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^[A-Z]{3}-\\d+$/",
+                        "result": {
+                          "text": "ID Format",
+                          "color": "purple",
+                          "index": 3
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null",
+                        "result": {
+                          "text": "Missing",
+                          "color": "gray",
+                          "index": 4
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byName",
+                      "options": "status"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.width",
+                        "value": 120
+                      },
+                      {
+                        "id": "custom.cellOptions",
+                        "value": {
+                          "type": "color-background"
+                        }
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byRegexp",
+                      "options": "/^value_/"
+                    },
+                    "properties": [
+                      {
+                        "id": "unit",
+                        "value": "short"
+                      },
+                      {
+                        "id": "min",
+                        "value": 0
+                      },
+                      {
+                        "id": "max",
+                        "value": 100
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byType",
+                      "options": "number"
+                    },
+                    "properties": [
+                      {
+                        "id": "decimals",
+                        "value": 2
+                      },
+                      {
+                        "id": "thresholds",
+                        "value": {
+                          "mode": "absolute",
+                          "steps": [
+                            {
+                              "color": "green",
+                              "value": null
+                            },
+                            {
+                              "color": "yellow",
+                              "value": 50
+                            },
+                            {
+                              "color": "red",
+                              "value": 80
+                            }
+                          ]
+                        }
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byFrameRefID",
+                      "options": "B"
+                    },
+                    "properties": [
+                      {
+                        "id": "displayName",
+                        "value": "Secondary Query"
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byValue",
+                      "options": {
+                        "op": "gte",
+                        "reducer": "allIsNull",
+                        "value": 0
+                      }
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.hidden",
+                        "value": true
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      }
+    },
+    "layout": {
+      "kind": "GridLayout",
+      "spec": {
+        "items": [
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 0,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-1"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 12,
+              "y": 0,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-2"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 8,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-3"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 12,
+              "y": 8,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-4"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 16,
+              "width": 24,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-5"
+              }
+            }
+          }
+        ]
+      }
+    },
+    "links": [],
+    "liveNow": false,
+    "preload": false,
+    "tags": [
+      "value-mapping",
+      "overrides",
+      "test"
+    ],
+    "timeSettings": {
+      "timezone": "browser",
+      "from": "now-6h",
+      "to": "now",
+      "autoRefresh": "",
+      "autoRefreshIntervals": [
+        "5s",
+        "10s",
+        "30s",
+        "1m",
+        "5m",
+        "15m",
+        "30m",
+        "1h",
+        "2h",
+        "1d"
+      ],
+      "hideTimepicker": false,
+      "fiscalYearStartMonth": 0
+    },
+    "title": "Value Mapping and Overrides Test",
+    "variables": []
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v1beta1"
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/testdata/output/v1beta1.value-mapping-and-overrides.v2beta1.json

@@ -0,0 +1,795 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v2beta1",
+  "metadata": {
+    "name": "value-mapping-test",
+    "namespace": "default",
+    "uid": "value-mapping-test",
+    "resourceVersion": "1765384157199094",
+    "generation": 2,
+    "creationTimestamp": "2025-11-19T20:09:28Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "646372978987008"
+    }
+  },
+  "spec": {
+    "annotations": [
+      {
+        "kind": "AnnotationQuery",
+        "spec": {
+          "query": {
+            "kind": "DataQuery",
+            "group": "grafana",
+            "version": "v0",
+            "datasource": {
+              "name": "-- Grafana --"
+            },
+            "spec": {}
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations \u0026 Alerts",
+          "builtIn": true,
+          "legacyOptions": {
+            "type": "dashboard"
+          }
+        }
+      }
+    ],
+    "cursorSync": "Off",
+    "description": "Test dashboard for all value mapping types and override matcher types",
+    "editable": true,
+    "elements": {
+      "panel-1": {
+        "kind": "Panel",
+        "spec": {
+          "id": 1,
+          "title": "ValueMap Example",
+          "description": "Panel with ValueMap mapping type - maps specific text values to colors and display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "up"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "stat",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "value",
+                      "options": {
+                        "critical": {
+                          "text": "Critical!",
+                          "color": "red",
+                          "index": 0
+                        },
+                        "ok": {
+                          "text": "OK",
+                          "color": "green",
+                          "index": 2
+                        },
+                        "warning": {
+                          "text": "Warning",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byName",
+                      "options": "status"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.width",
+                        "value": 100
+                      },
+                      {
+                        "id": "custom.align",
+                        "value": "center"
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-2": {
+        "kind": "Panel",
+        "spec": {
+          "id": 2,
+          "title": "RangeMap Example",
+          "description": "Panel with RangeMap mapping type - maps numerical ranges to colors and display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "cpu_usage_percent"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "gauge",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 0,
+                        "to": 50,
+                        "result": {
+                          "text": "Low",
+                          "color": "green",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 50,
+                        "to": 80,
+                        "result": {
+                          "text": "Medium",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 80,
+                        "to": 100,
+                        "result": {
+                          "text": "High",
+                          "color": "red",
+                          "index": 2
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byRegexp",
+                      "options": "/^cpu_/"
+                    },
+                    "properties": [
+                      {
+                        "id": "unit",
+                        "value": "percent"
+                      },
+                      {
+                        "id": "decimals",
+                        "value": 2
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-3": {
+        "kind": "Panel",
+        "spec": {
+          "id": 3,
+          "title": "RegexMap Example",
+          "description": "Panel with RegexMap mapping type - maps values matching regex patterns to colors",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "log_level"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "stat",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^error.*/",
+                        "result": {
+                          "text": "Error",
+                          "color": "red",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^warn.*/",
+                        "result": {
+                          "text": "Warning",
+                          "color": "orange",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^info.*/",
+                        "result": {
+                          "text": "Info",
+                          "color": "blue",
+                          "index": 2
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byType",
+                      "options": "string"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.cellOptions",
+                        "value": {
+                          "type": "color-text"
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-4": {
+        "kind": "Panel",
+        "spec": {
+          "id": 4,
+          "title": "SpecialValueMap Example",
+          "description": "Panel with SpecialValueMap mapping type - maps special values like null, NaN, true, false to display text",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "some_metric"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "stat",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null",
+                        "result": {
+                          "text": "No Data",
+                          "color": "gray",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "nan",
+                        "result": {
+                          "text": "Not a Number",
+                          "color": "gray",
+                          "index": 1
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null+nan",
+                        "result": {
+                          "text": "N/A",
+                          "color": "gray",
+                          "index": 2
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "true",
+                        "result": {
+                          "text": "Yes",
+                          "color": "green",
+                          "index": 3
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "false",
+                        "result": {
+                          "text": "No",
+                          "color": "red",
+                          "index": 4
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "empty",
+                        "result": {
+                          "text": "Empty",
+                          "color": "gray",
+                          "index": 5
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byFrameRefID",
+                      "options": "A"
+                    },
+                    "properties": [
+                      {
+                        "id": "color",
+                        "value": {
+                          "fixedColor": "blue",
+                          "mode": "fixed"
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      },
+      "panel-5": {
+        "kind": "Panel",
+        "spec": {
+          "id": 5,
+          "title": "Combined Mappings and Overrides Example",
+          "description": "Panel with all mapping types combined - demonstrates mixing different mapping types and multiple override matchers",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "combined_metric"
+                      }
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                },
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "DataQuery",
+                      "group": "prometheus",
+                      "version": "v0",
+                      "datasource": {
+                        "name": "prometheus-uid"
+                      },
+                      "spec": {
+                        "expr": "secondary_metric"
+                      }
+                    },
+                    "refId": "B",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "VizConfig",
+            "group": "table",
+            "version": "",
+            "spec": {
+              "options": {},
+              "fieldConfig": {
+                "defaults": {
+                  "mappings": [
+                    {
+                      "type": "value",
+                      "options": {
+                        "failure": {
+                          "text": "Failure",
+                          "color": "red",
+                          "index": 1
+                        },
+                        "success": {
+                          "text": "Success",
+                          "color": "green",
+                          "index": 0
+                        }
+                      }
+                    },
+                    {
+                      "type": "range",
+                      "options": {
+                        "from": 0,
+                        "to": 100,
+                        "result": {
+                          "text": "In Range",
+                          "color": "blue",
+                          "index": 2
+                        }
+                      }
+                    },
+                    {
+                      "type": "regex",
+                      "options": {
+                        "pattern": "/^[A-Z]{3}-\\d+$/",
+                        "result": {
+                          "text": "ID Format",
+                          "color": "purple",
+                          "index": 3
+                        }
+                      }
+                    },
+                    {
+                      "type": "special",
+                      "options": {
+                        "match": "null",
+                        "result": {
+                          "text": "Missing",
+                          "color": "gray",
+                          "index": 4
+                        }
+                      }
+                    }
+                  ]
+                },
+                "overrides": [
+                  {
+                    "matcher": {
+                      "id": "byName",
+                      "options": "status"
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.width",
+                        "value": 120
+                      },
+                      {
+                        "id": "custom.cellOptions",
+                        "value": {
+                          "type": "color-background"
+                        }
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byRegexp",
+                      "options": "/^value_/"
+                    },
+                    "properties": [
+                      {
+                        "id": "unit",
+                        "value": "short"
+                      },
+                      {
+                        "id": "min",
+                        "value": 0
+                      },
+                      {
+                        "id": "max",
+                        "value": 100
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byType",
+                      "options": "number"
+                    },
+                    "properties": [
+                      {
+                        "id": "decimals",
+                        "value": 2
+                      },
+                      {
+                        "id": "thresholds",
+                        "value": {
+                          "mode": "absolute",
+                          "steps": [
+                            {
+                              "color": "green",
+                              "value": null
+                            },
+                            {
+                              "color": "yellow",
+                              "value": 50
+                            },
+                            {
+                              "color": "red",
+                              "value": 80
+                            }
+                          ]
+                        }
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byFrameRefID",
+                      "options": "B"
+                    },
+                    "properties": [
+                      {
+                        "id": "displayName",
+                        "value": "Secondary Query"
+                      }
+                    ]
+                  },
+                  {
+                    "matcher": {
+                      "id": "byValue",
+                      "options": {
+                        "op": "gte",
+                        "reducer": "allIsNull",
+                        "value": 0
+                      }
+                    },
+                    "properties": [
+                      {
+                        "id": "custom.hidden",
+                        "value": true
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          }
+        }
+      }
+    },
+    "layout": {
+      "kind": "GridLayout",
+      "spec": {
+        "items": [
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 0,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-1"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 12,
+              "y": 0,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-2"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 8,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-3"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 12,
+              "y": 8,
+              "width": 12,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-4"
+              }
+            }
+          },
+          {
+            "kind": "GridLayoutItem",
+            "spec": {
+              "x": 0,
+              "y": 16,
+              "width": 24,
+              "height": 8,
+              "element": {
+                "kind": "ElementReference",
+                "name": "panel-5"
+              }
+            }
+          }
+        ]
+      }
+    },
+    "links": [],
+    "liveNow": false,
+    "preload": false,
+    "tags": [
+      "value-mapping",
+      "overrides",
+      "test"
+    ],
+    "timeSettings": {
+      "timezone": "browser",
+      "from": "now-6h",
+      "to": "now",
+      "autoRefresh": "",
+      "autoRefreshIntervals": [
+        "5s",
+        "10s",
+        "30s",
+        "1m",
+        "5m",
+        "15m",
+        "30m",
+        "1h",
+        "2h",
+        "1d"
+      ],
+      "hideTimepicker": false,
+      "fiscalYearStartMonth": 0
+    },
+    "title": "Value Mapping and Overrides Test",
+    "variables": []
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v1beta1"
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/testdata/output/v2beta1.tab-with-multiple-panels.v0alpha1.json

@@ -0,0 +1,511 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v0alpha1",
+  "metadata": {
+    "name": "adt885j",
+    "namespace": "default",
+    "uid": "yTWet6JgBjlRIWnqRE9ZOmUycfT0tEkr2mljaln1GWIX",
+    "resourceVersion": "2",
+    "generation": 2,
+    "creationTimestamp": "2025-12-16T10:44:31Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "2409"
+    },
+    "annotations": {
+      "grafana.app/createdBy": "user:u000000001",
+      "grafana.app/updatedBy": "user:u000000001",
+      "grafana.app/updatedTimestamp": "2025-12-16T10:51:14Z"
+    }
+  },
+  "spec": {
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": {
+            "type": "grafana",
+            "uid": "-- Grafana --"
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations \u0026 Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "description": "",
+    "editable": true,
+    "fiscalYearStartMonth": 0,
+    "graphTooltip": 0,
+    "liveNow": false,
+    "panels": [
+      {
+        "collapsed": false,
+        "gridPos": {
+          "h": 1,
+          "w": 24,
+          "x": 0,
+          "y": 0
+        },
+        "id": -1,
+        "panels": [],
+        "title": "Tab1",
+        "type": "row"
+      },
+      {
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisBorderShow": false,
+              "axisCenteredZero": false,
+              "axisColorMode": "text",
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "barWidthFactor": 0.6,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "insertNulls": false,
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "showValues": false,
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": 0
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          }
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 7,
+          "x": 0,
+          "y": 1
+        },
+        "id": 1,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom",
+            "showLegend": true
+          },
+          "tooltip": {
+            "hideZeros": false,
+            "mode": "single",
+            "sort": "none"
+          }
+        },
+        "pluginVersion": "12.4.0-pre",
+        "targets": [
+          {
+            "datasource": {
+              "type": "grafana-testdata-datasource",
+              "uid": "PD8C576611E62080A"
+            },
+            "refId": "A"
+          }
+        ],
+        "title": "Panel1",
+        "type": "timeseries"
+      },
+      {
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisBorderShow": false,
+              "axisCenteredZero": false,
+              "axisColorMode": "text",
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "barWidthFactor": 0.6,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "insertNulls": false,
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "showValues": false,
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": 0
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          }
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 8,
+          "x": 7,
+          "y": 1
+        },
+        "id": 2,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom",
+            "showLegend": true
+          },
+          "tooltip": {
+            "hideZeros": false,
+            "mode": "single",
+            "sort": "none"
+          }
+        },
+        "pluginVersion": "12.4.0-pre",
+        "targets": [
+          {
+            "refId": "A"
+          }
+        ],
+        "title": "Panel2",
+        "type": "timeseries"
+      },
+      {
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisBorderShow": false,
+              "axisCenteredZero": false,
+              "axisColorMode": "text",
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "barWidthFactor": 0.6,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "insertNulls": false,
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "showValues": false,
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": 0
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          }
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 9,
+          "x": 15,
+          "y": 1
+        },
+        "id": 3,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom",
+            "showLegend": true
+          },
+          "tooltip": {
+            "hideZeros": false,
+            "mode": "single",
+            "sort": "none"
+          }
+        },
+        "pluginVersion": "12.4.0-pre",
+        "targets": [
+          {
+            "refId": "A"
+          }
+        ],
+        "title": "Panel3",
+        "type": "timeseries"
+      },
+      {
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisBorderShow": false,
+              "axisCenteredZero": false,
+              "axisColorMode": "text",
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "barWidthFactor": 0.6,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "insertNulls": false,
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "showValues": false,
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": 0
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          }
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 9
+        },
+        "id": 4,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom",
+            "showLegend": true
+          },
+          "tooltip": {
+            "hideZeros": false,
+            "mode": "single",
+            "sort": "none"
+          }
+        },
+        "pluginVersion": "12.4.0-pre",
+        "targets": [
+          {
+            "refId": "A"
+          }
+        ],
+        "title": "Panel4",
+        "type": "timeseries"
+      },
+      {
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisBorderShow": false,
+              "axisCenteredZero": false,
+              "axisColorMode": "text",
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "barWidthFactor": 0.6,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "insertNulls": false,
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "showValues": false,
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": 0
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          }
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 9
+        },
+        "id": 5,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom",
+            "showLegend": true
+          },
+          "tooltip": {
+            "hideZeros": false,
+            "mode": "single",
+            "sort": "none"
+          }
+        },
+        "pluginVersion": "12.4.0-pre",
+        "targets": [
+          {
+            "refId": "A"
+          }
+        ],
+        "title": "Panel5",
+        "type": "timeseries"
+      }
+    ],
+    "preload": false,
+    "refresh": "",
+    "schemaVersion": 42,
+    "time": {
+      "from": "now-6h",
+      "to": "now"
+    },
+    "timepicker": {
+      "refresh_intervals": [
+        "5s",
+        "10s",
+        "30s",
+        "1m",
+        "5m",
+        "15m",
+        "30m",
+        "1h",
+        "2h",
+        "1d"
+      ]
+    },
+    "timezone": "browser",
+    "title": "Dashboard with tabs"
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v2beta1"
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/testdata/output/v2beta1.tab-with-multiple-panels.v1beta1.json

@@ -0,0 +1,511 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v1beta1",
+  "metadata": {
+    "name": "adt885j",
+    "namespace": "default",
+    "uid": "yTWet6JgBjlRIWnqRE9ZOmUycfT0tEkr2mljaln1GWIX",
+    "resourceVersion": "2",
+    "generation": 2,
+    "creationTimestamp": "2025-12-16T10:44:31Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "2409"
+    },
+    "annotations": {
+      "grafana.app/createdBy": "user:u000000001",
+      "grafana.app/updatedBy": "user:u000000001",
+      "grafana.app/updatedTimestamp": "2025-12-16T10:51:14Z"
+    }
+  },
+  "spec": {
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": {
+            "type": "grafana",
+            "uid": "-- Grafana --"
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations \u0026 Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "description": "",
+    "editable": true,
+    "fiscalYearStartMonth": 0,
+    "graphTooltip": 0,
+    "liveNow": false,
+    "panels": [
+      {
+        "collapsed": false,
+        "gridPos": {
+          "h": 1,
+          "w": 24,
+          "x": 0,
+          "y": 0
+        },
+        "id": -1,
+        "panels": [],
+        "title": "Tab1",
+        "type": "row"
+      },
+      {
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisBorderShow": false,
+              "axisCenteredZero": false,
+              "axisColorMode": "text",
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "barWidthFactor": 0.6,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "insertNulls": false,
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "showValues": false,
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": 0
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          }
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 7,
+          "x": 0,
+          "y": 1
+        },
+        "id": 1,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom",
+            "showLegend": true
+          },
+          "tooltip": {
+            "hideZeros": false,
+            "mode": "single",
+            "sort": "none"
+          }
+        },
+        "pluginVersion": "12.4.0-pre",
+        "targets": [
+          {
+            "datasource": {
+              "type": "grafana-testdata-datasource",
+              "uid": "PD8C576611E62080A"
+            },
+            "refId": "A"
+          }
+        ],
+        "title": "Panel1",
+        "type": "timeseries"
+      },
+      {
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisBorderShow": false,
+              "axisCenteredZero": false,
+              "axisColorMode": "text",
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "barWidthFactor": 0.6,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "insertNulls": false,
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "showValues": false,
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": 0
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          }
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 8,
+          "x": 7,
+          "y": 1
+        },
+        "id": 2,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom",
+            "showLegend": true
+          },
+          "tooltip": {
+            "hideZeros": false,
+            "mode": "single",
+            "sort": "none"
+          }
+        },
+        "pluginVersion": "12.4.0-pre",
+        "targets": [
+          {
+            "refId": "A"
+          }
+        ],
+        "title": "Panel2",
+        "type": "timeseries"
+      },
+      {
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisBorderShow": false,
+              "axisCenteredZero": false,
+              "axisColorMode": "text",
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "barWidthFactor": 0.6,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "insertNulls": false,
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "showValues": false,
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": 0
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          }
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 9,
+          "x": 15,
+          "y": 1
+        },
+        "id": 3,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom",
+            "showLegend": true
+          },
+          "tooltip": {
+            "hideZeros": false,
+            "mode": "single",
+            "sort": "none"
+          }
+        },
+        "pluginVersion": "12.4.0-pre",
+        "targets": [
+          {
+            "refId": "A"
+          }
+        ],
+        "title": "Panel3",
+        "type": "timeseries"
+      },
+      {
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisBorderShow": false,
+              "axisCenteredZero": false,
+              "axisColorMode": "text",
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "barWidthFactor": 0.6,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "insertNulls": false,
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "showValues": false,
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": 0
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          }
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 9
+        },
+        "id": 4,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom",
+            "showLegend": true
+          },
+          "tooltip": {
+            "hideZeros": false,
+            "mode": "single",
+            "sort": "none"
+          }
+        },
+        "pluginVersion": "12.4.0-pre",
+        "targets": [
+          {
+            "refId": "A"
+          }
+        ],
+        "title": "Panel4",
+        "type": "timeseries"
+      },
+      {
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisBorderShow": false,
+              "axisCenteredZero": false,
+              "axisColorMode": "text",
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "barWidthFactor": 0.6,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "insertNulls": false,
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "showValues": false,
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": 0
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          }
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 12,
+          "y": 9
+        },
+        "id": 5,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom",
+            "showLegend": true
+          },
+          "tooltip": {
+            "hideZeros": false,
+            "mode": "single",
+            "sort": "none"
+          }
+        },
+        "pluginVersion": "12.4.0-pre",
+        "targets": [
+          {
+            "refId": "A"
+          }
+        ],
+        "title": "Panel5",
+        "type": "timeseries"
+      }
+    ],
+    "preload": false,
+    "refresh": "",
+    "schemaVersion": 42,
+    "time": {
+      "from": "now-6h",
+      "to": "now"
+    },
+    "timepicker": {
+      "refresh_intervals": [
+        "5s",
+        "10s",
+        "30s",
+        "1m",
+        "5m",
+        "15m",
+        "30m",
+        "1h",
+        "2h",
+        "1d"
+      ]
+    },
+    "timezone": "browser",
+    "title": "Dashboard with tabs"
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v2beta1"
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/testdata/output/v2beta1.tab-with-multiple-panels.v2alpha1.json

@@ -0,0 +1,683 @@
+{
+  "kind": "DashboardWithAccessInfo",
+  "apiVersion": "dashboard.grafana.app/v2alpha1",
+  "metadata": {
+    "name": "adt885j",
+    "namespace": "default",
+    "uid": "yTWet6JgBjlRIWnqRE9ZOmUycfT0tEkr2mljaln1GWIX",
+    "resourceVersion": "2",
+    "generation": 2,
+    "creationTimestamp": "2025-12-16T10:44:31Z",
+    "labels": {
+      "grafana.app/deprecatedInternalID": "2409"
+    },
+    "annotations": {
+      "grafana.app/createdBy": "user:u000000001",
+      "grafana.app/updatedBy": "user:u000000001",
+      "grafana.app/updatedTimestamp": "2025-12-16T10:51:14Z"
+    }
+  },
+  "spec": {
+    "annotations": [
+      {
+        "kind": "AnnotationQuery",
+        "spec": {
+          "datasource": {
+            "type": "grafana",
+            "uid": "-- Grafana --"
+          },
+          "query": {
+            "kind": "grafana",
+            "spec": {}
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations \u0026 Alerts",
+          "builtIn": true
+        }
+      }
+    ],
+    "cursorSync": "Off",
+    "description": "",
+    "editable": true,
+    "elements": {
+      "panel-1": {
+        "kind": "Panel",
+        "spec": {
+          "id": 1,
+          "title": "Panel1",
+          "description": "",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "grafana-testdata-datasource",
+                      "spec": {}
+                    },
+                    "datasource": {
+                      "type": "grafana-testdata-datasource",
+                      "uid": "PD8C576611E62080A"
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "timeseries",
+            "spec": {
+              "pluginVersion": "12.4.0-pre",
+              "options": {
+                "legend": {
+                  "calcs": [],
+                  "displayMode": "list",
+                  "placement": "bottom",
+                  "showLegend": true
+                },
+                "tooltip": {
+                  "hideZeros": false,
+                  "mode": "single",
+                  "sort": "none"
+                }
+              },
+              "fieldConfig": {
+                "defaults": {
+                  "thresholds": {
+                    "mode": "absolute",
+                    "steps": [
+                      {
+                        "value": 0,
+                        "color": "green"
+                      },
+                      {
+                        "value": 80,
+                        "color": "red"
+                      }
+                    ]
+                  },
+                  "color": {
+                    "mode": "palette-classic"
+                  },
+                  "custom": {
+                    "axisBorderShow": false,
+                    "axisCenteredZero": false,
+                    "axisColorMode": "text",
+                    "axisLabel": "",
+                    "axisPlacement": "auto",
+                    "barAlignment": 0,
+                    "barWidthFactor": 0.6,
+                    "drawStyle": "line",
+                    "fillOpacity": 0,
+                    "gradientMode": "none",
+                    "hideFrom": {
+                      "legend": false,
+                      "tooltip": false,
+                      "viz": false
+                    },
+                    "insertNulls": false,
+                    "lineInterpolation": "linear",
+                    "lineWidth": 1,
+                    "pointSize": 5,
+                    "scaleDistribution": {
+                      "type": "linear"
+                    },
+                    "showPoints": "auto",
+                    "showValues": false,
+                    "spanNulls": false,
+                    "stacking": {
+                      "group": "A",
+                      "mode": "none"
+                    },
+                    "thresholdsStyle": {
+                      "mode": "off"
+                    }
+                  }
+                },
+                "overrides": []
+              }
+            }
+          }
+        }
+      },
+      "panel-2": {
+        "kind": "Panel",
+        "spec": {
+          "id": 2,
+          "title": "Panel2",
+          "description": "",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "",
+                      "spec": {}
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "timeseries",
+            "spec": {
+              "pluginVersion": "12.4.0-pre",
+              "options": {
+                "legend": {
+                  "calcs": [],
+                  "displayMode": "list",
+                  "placement": "bottom",
+                  "showLegend": true
+                },
+                "tooltip": {
+                  "hideZeros": false,
+                  "mode": "single",
+                  "sort": "none"
+                }
+              },
+              "fieldConfig": {
+                "defaults": {
+                  "thresholds": {
+                    "mode": "absolute",
+                    "steps": [
+                      {
+                        "value": 0,
+                        "color": "green"
+                      },
+                      {
+                        "value": 80,
+                        "color": "red"
+                      }
+                    ]
+                  },
+                  "color": {
+                    "mode": "palette-classic"
+                  },
+                  "custom": {
+                    "axisBorderShow": false,
+                    "axisCenteredZero": false,
+                    "axisColorMode": "text",
+                    "axisLabel": "",
+                    "axisPlacement": "auto",
+                    "barAlignment": 0,
+                    "barWidthFactor": 0.6,
+                    "drawStyle": "line",
+                    "fillOpacity": 0,
+                    "gradientMode": "none",
+                    "hideFrom": {
+                      "legend": false,
+                      "tooltip": false,
+                      "viz": false
+                    },
+                    "insertNulls": false,
+                    "lineInterpolation": "linear",
+                    "lineWidth": 1,
+                    "pointSize": 5,
+                    "scaleDistribution": {
+                      "type": "linear"
+                    },
+                    "showPoints": "auto",
+                    "showValues": false,
+                    "spanNulls": false,
+                    "stacking": {
+                      "group": "A",
+                      "mode": "none"
+                    },
+                    "thresholdsStyle": {
+                      "mode": "off"
+                    }
+                  }
+                },
+                "overrides": []
+              }
+            }
+          }
+        }
+      },
+      "panel-3": {
+        "kind": "Panel",
+        "spec": {
+          "id": 3,
+          "title": "Panel3",
+          "description": "",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "",
+                      "spec": {}
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "timeseries",
+            "spec": {
+              "pluginVersion": "12.4.0-pre",
+              "options": {
+                "legend": {
+                  "calcs": [],
+                  "displayMode": "list",
+                  "placement": "bottom",
+                  "showLegend": true
+                },
+                "tooltip": {
+                  "hideZeros": false,
+                  "mode": "single",
+                  "sort": "none"
+                }
+              },
+              "fieldConfig": {
+                "defaults": {
+                  "thresholds": {
+                    "mode": "absolute",
+                    "steps": [
+                      {
+                        "value": 0,
+                        "color": "green"
+                      },
+                      {
+                        "value": 80,
+                        "color": "red"
+                      }
+                    ]
+                  },
+                  "color": {
+                    "mode": "palette-classic"
+                  },
+                  "custom": {
+                    "axisBorderShow": false,
+                    "axisCenteredZero": false,
+                    "axisColorMode": "text",
+                    "axisLabel": "",
+                    "axisPlacement": "auto",
+                    "barAlignment": 0,
+                    "barWidthFactor": 0.6,
+                    "drawStyle": "line",
+                    "fillOpacity": 0,
+                    "gradientMode": "none",
+                    "hideFrom": {
+                      "legend": false,
+                      "tooltip": false,
+                      "viz": false
+                    },
+                    "insertNulls": false,
+                    "lineInterpolation": "linear",
+                    "lineWidth": 1,
+                    "pointSize": 5,
+                    "scaleDistribution": {
+                      "type": "linear"
+                    },
+                    "showPoints": "auto",
+                    "showValues": false,
+                    "spanNulls": false,
+                    "stacking": {
+                      "group": "A",
+                      "mode": "none"
+                    },
+                    "thresholdsStyle": {
+                      "mode": "off"
+                    }
+                  }
+                },
+                "overrides": []
+              }
+            }
+          }
+        }
+      },
+      "panel-4": {
+        "kind": "Panel",
+        "spec": {
+          "id": 4,
+          "title": "Panel4",
+          "description": "",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "",
+                      "spec": {}
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "timeseries",
+            "spec": {
+              "pluginVersion": "12.4.0-pre",
+              "options": {
+                "legend": {
+                  "calcs": [],
+                  "displayMode": "list",
+                  "placement": "bottom",
+                  "showLegend": true
+                },
+                "tooltip": {
+                  "hideZeros": false,
+                  "mode": "single",
+                  "sort": "none"
+                }
+              },
+              "fieldConfig": {
+                "defaults": {
+                  "thresholds": {
+                    "mode": "absolute",
+                    "steps": [
+                      {
+                        "value": 0,
+                        "color": "green"
+                      },
+                      {
+                        "value": 80,
+                        "color": "red"
+                      }
+                    ]
+                  },
+                  "color": {
+                    "mode": "palette-classic"
+                  },
+                  "custom": {
+                    "axisBorderShow": false,
+                    "axisCenteredZero": false,
+                    "axisColorMode": "text",
+                    "axisLabel": "",
+                    "axisPlacement": "auto",
+                    "barAlignment": 0,
+                    "barWidthFactor": 0.6,
+                    "drawStyle": "line",
+                    "fillOpacity": 0,
+                    "gradientMode": "none",
+                    "hideFrom": {
+                      "legend": false,
+                      "tooltip": false,
+                      "viz": false
+                    },
+                    "insertNulls": false,
+                    "lineInterpolation": "linear",
+                    "lineWidth": 1,
+                    "pointSize": 5,
+                    "scaleDistribution": {
+                      "type": "linear"
+                    },
+                    "showPoints": "auto",
+                    "showValues": false,
+                    "spanNulls": false,
+                    "stacking": {
+                      "group": "A",
+                      "mode": "none"
+                    },
+                    "thresholdsStyle": {
+                      "mode": "off"
+                    }
+                  }
+                },
+                "overrides": []
+              }
+            }
+          }
+        }
+      },
+      "panel-5": {
+        "kind": "Panel",
+        "spec": {
+          "id": 5,
+          "title": "Panel5",
+          "description": "",
+          "links": [],
+          "data": {
+            "kind": "QueryGroup",
+            "spec": {
+              "queries": [
+                {
+                  "kind": "PanelQuery",
+                  "spec": {
+                    "query": {
+                      "kind": "",
+                      "spec": {}
+                    },
+                    "refId": "A",
+                    "hidden": false
+                  }
+                }
+              ],
+              "transformations": [],
+              "queryOptions": {}
+            }
+          },
+          "vizConfig": {
+            "kind": "timeseries",
+            "spec": {
+              "pluginVersion": "12.4.0-pre",
+              "options": {
+                "legend": {
+                  "calcs": [],
+                  "displayMode": "list",
+                  "placement": "bottom",
+                  "showLegend": true
+                },
+                "tooltip": {
+                  "hideZeros": false,
+                  "mode": "single",
+                  "sort": "none"
+                }
+              },
+              "fieldConfig": {
+                "defaults": {
+                  "thresholds": {
+                    "mode": "absolute",
+                    "steps": [
+                      {
+                        "value": 0,
+                        "color": "green"
+                      },
+                      {
+                        "value": 80,
+                        "color": "red"
+                      }
+                    ]
+                  },
+                  "color": {
+                    "mode": "palette-classic"
+                  },
+                  "custom": {
+                    "axisBorderShow": false,
+                    "axisCenteredZero": false,
+                    "axisColorMode": "text",
+                    "axisLabel": "",
+                    "axisPlacement": "auto",
+                    "barAlignment": 0,
+                    "barWidthFactor": 0.6,
+                    "drawStyle": "line",
+                    "fillOpacity": 0,
+                    "gradientMode": "none",
+                    "hideFrom": {
+                      "legend": false,
+                      "tooltip": false,
+                      "viz": false
+                    },
+                    "insertNulls": false,
+                    "lineInterpolation": "linear",
+                    "lineWidth": 1,
+                    "pointSize": 5,
+                    "scaleDistribution": {
+                      "type": "linear"
+                    },
+                    "showPoints": "auto",
+                    "showValues": false,
+                    "spanNulls": false,
+                    "stacking": {
+                      "group": "A",
+                      "mode": "none"
+                    },
+                    "thresholdsStyle": {
+                      "mode": "off"
+                    }
+                  }
+                },
+                "overrides": []
+              }
+            }
+          }
+        }
+      }
+    },
+    "layout": {
+      "kind": "TabsLayout",
+      "spec": {
+        "tabs": [
+          {
+            "kind": "TabsLayoutTab",
+            "spec": {
+              "title": "Tab1",
+              "layout": {
+                "kind": "GridLayout",
+                "spec": {
+                  "items": [
+                    {
+                      "kind": "GridLayoutItem",
+                      "spec": {
+                        "x": 0,
+                        "y": 0,
+                        "width": 7,
+                        "height": 8,
+                        "element": {
+                          "kind": "ElementReference",
+                          "name": "panel-1"
+                        }
+                      }
+                    },
+                    {
+                      "kind": "GridLayoutItem",
+                      "spec": {
+                        "x": 7,
+                        "y": 0,
+                        "width": 8,
+                        "height": 8,
+                        "element": {
+                          "kind": "ElementReference",
+                          "name": "panel-2"
+                        }
+                      }
+                    },
+                    {
+                      "kind": "GridLayoutItem",
+                      "spec": {
+                        "x": 15,
+                        "y": 0,
+                        "width": 9,
+                        "height": 8,
+                        "element": {
+                          "kind": "ElementReference",
+                          "name": "panel-3"
+                        }
+                      }
+                    },
+                    {
+                      "kind": "GridLayoutItem",
+                      "spec": {
+                        "x": 0,
+                        "y": 8,
+                        "width": 12,
+                        "height": 8,
+                        "element": {
+                          "kind": "ElementReference",
+                          "name": "panel-4"
+                        }
+                      }
+                    },
+                    {
+                      "kind": "GridLayoutItem",
+                      "spec": {
+                        "x": 12,
+                        "y": 8,
+                        "width": 12,
+                        "height": 8,
+                        "element": {
+                          "kind": "ElementReference",
+                          "name": "panel-5"
+                        }
+                      }
+                    }
+                  ]
+                }
+              }
+            }
+          }
+        ]
+      }
+    },
+    "links": [],
+    "liveNow": false,
+    "preload": false,
+    "tags": [],
+    "timeSettings": {
+      "timezone": "browser",
+      "from": "now-6h",
+      "to": "now",
+      "autoRefresh": "",
+      "autoRefreshIntervals": [
+        "5s",
+        "10s",
+        "30s",
+        "1m",
+        "5m",
+        "15m",
+        "30m",
+        "1h",
+        "2h",
+        "1d"
+      ],
+      "hideTimepicker": false,
+      "fiscalYearStartMonth": 0
+    },
+    "title": "Dashboard with tabs",
+    "variables": []
+  },
+  "status": {
+    "conversion": {
+      "failed": false,
+      "storedVersion": "v2beta1"
+    }
+  }
+}

apps/dashboard/pkg/migration/conversion/v1beta1_to_v2alpha1.go

@@ -501,11 +501,9 @@ func convertToRowsLayout(ctx context.Context, panels []interface{}, dsIndexProvi
 
 			if currentRow != nil {
 				// If currentRow is a hidden-header row (panels before first explicit row),
-				// set its collapse to match the first explicit row's collapsed value
-				// This matches frontend behavior: collapse: panel.collapsed
+				// it should not be collapsed because it will disappear and be visible only in edit mode
 				if currentRow.Spec.HideHeader != nil && *currentRow.Spec.HideHeader {
-					rowCollapsed := getBoolField(panelMap, "collapsed", false)
-					currentRow.Spec.Collapse = &rowCollapsed
+					currentRow.Spec.Collapse = &[]bool{false}[0]
 				}
 				// Flush current row to layout
 				rows = append(rows, *currentRow)
@@ -2022,6 +2020,9 @@ func transformPanelQueries(ctx context.Context, panelMap map[string]interface{},
 
 func transformSingleQuery(ctx context.Context, targetMap map[string]interface{}, panelDatasource *dashv2alpha1.DashboardDataSourceRef, dsIndexProvider schemaversion.DataSourceIndexProvider) dashv2alpha1.DashboardPanelQueryKind {
 	refId := schemaversion.GetStringValue(targetMap, "refId", "A")
+	if refId == "" {
+		refId = "A"
+	}
 	hidden := getBoolField(targetMap, "hide", false)
 
 	// Extract datasource from query or use panel datasource
@@ -2518,22 +2519,15 @@ func buildRegexMap(mappingMap map[string]interface{}) *dashv2alpha1.DashboardReg
 	regexMap := &dashv2alpha1.DashboardRegexMap{}
 	regexMap.Type = dashv2alpha1.DashboardMappingTypeRegex
 
-	opts, ok := mappingMap["options"].([]interface{})
-	if !ok || len(opts) == 0 {
-		return nil
-	}
-
-	optMap, ok := opts[0].(map[string]interface{})
+	optMap, ok := mappingMap["options"].(map[string]interface{})
 	if !ok {
 		return nil
 	}
 
 	r := dashv2alpha1.DashboardV2alpha1RegexMapOptions{}
-	if pattern, ok := optMap["regex"].(string); ok {
+	if pattern, ok := optMap["pattern"].(string); ok {
 		r.Pattern = pattern
 	}
-
-	// Result is a DashboardValueMappingResult
 	if resMap, ok := optMap["result"].(map[string]interface{}); ok {
 		r.Result = buildValueMappingResult(resMap)
 	}

apps/dashboard/pkg/migration/conversion/v2alpha1_to_v1beta1.go

@@ -495,6 +495,9 @@ func processTabItem(elements map[string]dashv2alpha1.DashboardElement, tab *dash
 		currentY = getMaxYFromPanels(nestedPanels, currentY)
 	} else if tab.Spec.Layout.GridLayoutKind != nil {
 		// GridLayout inside tab
+		baseY := currentY
+		maxY := currentY
+
 		for _, item := range tab.Spec.Layout.GridLayoutKind.Spec.Items {
 			element, ok := elements[item.Spec.Element.Name]
 			if !ok {
@@ -502,7 +505,7 @@ func processTabItem(elements map[string]dashv2alpha1.DashboardElement, tab *dash
 			}
 
 			adjustedItem := item
-			adjustedItem.Spec.Y = item.Spec.Y + currentY
+			adjustedItem.Spec.Y = item.Spec.Y + baseY
 
 			panel, err := convertPanelFromElement(&element, &adjustedItem)
 			if err != nil {
@@ -511,10 +514,12 @@ func processTabItem(elements map[string]dashv2alpha1.DashboardElement, tab *dash
 			panels = append(panels, panel)
 
 			panelEndY := adjustedItem.Spec.Y + item.Spec.Height
-			if panelEndY > currentY {
-				currentY = panelEndY
+			if panelEndY > maxY {
+				maxY = panelEndY
 			}
 		}
+
+		currentY = maxY
 	} else if tab.Spec.Layout.AutoGridLayoutKind != nil {
 		// AutoGridLayout inside tab - convert with Y offset
 		autoGridPanels, err := convertAutoGridLayoutToPanelsWithOffset(elements, tab.Spec.Layout.AutoGridLayoutKind, currentY)

apps/dashboard/pkg/migration/schemaversion/cache.go

@@ -5,12 +5,11 @@ import (
 	"sync"
 	"time"
 
-	"github.com/grafana/authlib/types"
-	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/hashicorp/golang-lru/v2/expirable"
-	k8srequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/endpoints/request"
 
-	"github.com/grafana/grafana/pkg/services/apiserver/endpoints/request"
+	"github.com/grafana/authlib/types"
+	"github.com/grafana/grafana-app-sdk/logging"
 )
 
 const defaultCacheSize = 1000
@@ -32,17 +31,15 @@ type cachedProvider[T any] struct {
 	fetch    func(context.Context) T
 	cache    *expirable.LRU[string, T] // LRU cache: namespace to cache entry
 	inFlight sync.Map                  // map[string]*sync.Mutex - per-namespace fetch locks
-	logger   log.Logger
 }
 
 // newCachedProvider creates a new cachedProvider.
 // The fetch function should be able to handle context with different namespaces.
 // A non-positive size turns LRU mechanism off (cache of unlimited size).
 // A non-positive cacheTTL disables TTL expiration.
-func newCachedProvider[T any](fetch func(context.Context) T, size int, cacheTTL time.Duration, logger log.Logger) *cachedProvider[T] {
+func newCachedProvider[T any](fetch func(context.Context) T, size int, cacheTTL time.Duration) *cachedProvider[T] {
 	cacheProvider := &cachedProvider[T]{
-		fetch:  fetch,
-		logger: logger,
+		fetch: fetch,
 	}
 	cacheProvider.cache = expirable.NewLRU(size, func(key string, value T) {
 		cacheProvider.inFlight.Delete(key)
@@ -53,14 +50,13 @@ func newCachedProvider[T any](fetch func(context.Context) T, size int, cacheTTL
 // Get returns the cached value if it's still valid, otherwise calls fetch and caches the result.
 func (p *cachedProvider[T]) Get(ctx context.Context) T {
 	// Get namespace info from ctx
-	nsInfo, err := request.NamespaceInfoFrom(ctx, true)
-	if err != nil {
+	namespace, ok := request.NamespaceFrom(ctx)
+	if !ok {
 		// No namespace, fall back to direct fetch call without caching
-		p.logger.Warn("Unable to get namespace info from context, skipping cache", "error", err)
+		logging.FromContext(ctx).Warn("Unable to get namespace info from context, skipping cache")
 		return p.fetch(ctx)
 	}
 
-	namespace := nsInfo.Value
 	// Fast path: check if cache is still valid
 	if entry, ok := p.cache.Get(namespace); ok {
 		return entry
@@ -81,7 +77,7 @@ func (p *cachedProvider[T]) Get(ctx context.Context) T {
 	}
 
 	// Fetch outside the main lock - only this namespace is blocked
-	p.logger.Debug("cache miss or expired, fetching new value", "namespace", namespace)
+	logging.FromContext(ctx).Debug("cache miss or expired, fetching new value", "namespace", namespace)
 	value := p.fetch(ctx)
 
 	// Update the cache for this namespace
@@ -93,12 +89,12 @@ func (p *cachedProvider[T]) Get(ctx context.Context) T {
 // Preload loads data into the cache for the given namespaces.
 func (p *cachedProvider[T]) Preload(ctx context.Context, nsInfos []types.NamespaceInfo) {
 	// Build the cache using a context with the namespace
-	p.logger.Info("preloading cache", "nsInfos", len(nsInfos))
+	logging.FromContext(ctx).Info("preloading cache", "nsInfos", len(nsInfos))
 	startedAt := time.Now()
 	defer func() {
-		p.logger.Info("finished preloading cache", "nsInfos", len(nsInfos), "elapsed", time.Since(startedAt))
+		logging.FromContext(ctx).Info("finished preloading cache", "nsInfos", len(nsInfos), "elapsed", time.Since(startedAt))
 	}()
 	for _, nsInfo := range nsInfos {
-		p.cache.Add(nsInfo.Value, p.fetch(k8srequest.WithNamespace(ctx, nsInfo.Value)))
+		p.cache.Add(nsInfo.Value, p.fetch(request.WithNamespace(ctx, nsInfo.Value)))
 	}
 }

apps/dashboard/pkg/migration/schemaversion/cache_test.go

@@ -8,11 +8,11 @@ import (
 	"testing"
 	"time"
 
-	authlib "github.com/grafana/authlib/types"
-	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apiserver/pkg/endpoints/request"
+
+	authlib "github.com/grafana/authlib/types"
 )
 
 // testProvider tracks how many times get() is called
@@ -44,7 +44,7 @@ func TestCachedProvider_CacheHit(t *testing.T) {
 
 	underlying := newTestProvider(datasources)
 	// Test newCachedProvider directly instead of the wrapper
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	// Use "default" namespace (org 1) - this is the standard Grafana namespace format
 	ctx := request.WithNamespace(context.Background(), "default")
@@ -69,7 +69,7 @@ func TestCachedProvider_NamespaceIsolation(t *testing.T) {
 	}
 
 	underlying := newTestProvider(datasources)
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	// Use "default" (org 1) and "org-2" (org 2) - standard Grafana namespace formats
 	ctx1 := request.WithNamespace(context.Background(), "default")
@@ -102,7 +102,7 @@ func TestCachedProvider_NoNamespaceFallback(t *testing.T) {
 	}
 
 	underlying := newTestProvider(datasources)
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	// Context without namespace - should fall back to direct provider call
 	ctx := context.Background()
@@ -123,7 +123,7 @@ func TestCachedProvider_ConcurrentAccess(t *testing.T) {
 	}
 
 	underlying := newTestProvider(datasources)
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	// Use "default" namespace (org 1)
 	ctx := request.WithNamespace(context.Background(), "default")
@@ -155,7 +155,7 @@ func TestCachedProvider_ConcurrentNamespaces(t *testing.T) {
 	}
 
 	underlying := newTestProvider(datasources)
-	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, time.Minute)
 
 	var wg sync.WaitGroup
 	numOrgs := 10
@@ -198,7 +198,7 @@ func TestCachedProvider_CorrectDataPerNamespace(t *testing.T) {
 			"org-2":   {{UID: "org2-ds", Type: "loki", Name: "Org2 DS", Default: true}},
 		},
 	}
-	cached := newCachedProvider(underlying.Index, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.Index, defaultCacheSize, time.Minute)
 
 	// Use valid namespace formats
 	ctx1 := request.WithNamespace(context.Background(), "default")
@@ -228,7 +228,7 @@ func TestCachedProvider_PreloadMultipleNamespaces(t *testing.T) {
 			"org-3":   {{UID: "org3-ds", Type: "tempo", Name: "Org3 DS", Default: true}},
 		},
 	}
-	cached := newCachedProvider(underlying.Index, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(underlying.Index, defaultCacheSize, time.Minute)
 
 	// Preload multiple namespaces
 	nsInfos := []authlib.NamespaceInfo{
@@ -346,7 +346,7 @@ func TestCachedProvider_TTLExpiration(t *testing.T) {
 	underlying := newTestProvider(datasources)
 	// Use a very short TTL for testing
 	shortTTL := 50 * time.Millisecond
-	cached := newCachedProvider(underlying.get, defaultCacheSize, shortTTL, log.New("test"))
+	cached := newCachedProvider(underlying.get, defaultCacheSize, shortTTL)
 
 	ctx := request.WithNamespace(context.Background(), "default")
 
@@ -379,7 +379,7 @@ func TestCachedProvider_ParallelNamespacesFetch(t *testing.T) {
 			{UID: "ds1", Type: "prometheus", Name: "Prometheus", Default: true},
 		},
 	}
-	cached := newCachedProvider(provider.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(provider.get, defaultCacheSize, time.Minute)
 
 	numNamespaces := 5
 	var wg sync.WaitGroup
@@ -421,7 +421,7 @@ func TestCachedProvider_SameNamespaceSerialFetch(t *testing.T) {
 			{UID: "ds1", Type: "prometheus", Name: "Prometheus", Default: true},
 		},
 	}
-	cached := newCachedProvider(provider.get, defaultCacheSize, time.Minute, log.New("test"))
+	cached := newCachedProvider(provider.get, defaultCacheSize, time.Minute)
 
 	numGoroutines := 10
 	var wg sync.WaitGroup

apps/dashboard/pkg/migration/schemaversion/datasource_utils.go

@@ -3,8 +3,6 @@ package schemaversion
 import (
 	"context"
 	"time"
-
-	"github.com/grafana/grafana/pkg/infra/log"
 )
 
 // Shared utility functions for datasource migrations across different schema versions.
@@ -36,7 +34,7 @@ func WrapIndexProviderWithCache(provider DataSourceIndexProvider, cacheTTL time.
 		return provider
 	}
 	return &cachedIndexProvider{
-		newCachedProvider[*DatasourceIndex](provider.Index, defaultCacheSize, cacheTTL, log.New("schemaversion.dsindexprovider")),
+		newCachedProvider[*DatasourceIndex](provider.Index, defaultCacheSize, cacheTTL),
 	}
 }
 
@@ -46,7 +44,7 @@ func WrapLibraryElementProviderWithCache(provider LibraryElementIndexProvider, c
 		return provider
 	}
 	return &cachedLibraryElementProvider{
-		newCachedProvider[[]LibraryElementInfo](provider.GetLibraryElementInfo, defaultCacheSize, cacheTTL, log.New("schemaversion.leindexprovider")),
+		newCachedProvider[[]LibraryElementInfo](provider.GetLibraryElementInfo, defaultCacheSize, cacheTTL),
 	}
 }
 

apps/dashboard/pkg/migration/testdata/dev-dashboards-output/panel-gauge/gauge_tests_new.v42.json

@@ -75,9 +75,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": true,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -154,9 +154,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -233,9 +233,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -312,9 +312,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -391,9 +391,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -470,9 +470,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": false,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -549,9 +549,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": false,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -641,9 +641,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -720,9 +720,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -799,9 +799,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -878,9 +878,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": false,
           "rounded": true,
-          "spotlight": true,
-          "gradient": false
+          "spotlight": true
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -974,9 +974,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1053,9 +1053,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1132,9 +1132,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1211,9 +1211,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1290,9 +1290,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1386,9 +1386,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1469,9 +1469,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1552,9 +1552,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": true,
           "rounded": false,
-          "spotlight": false,
-          "gradient": true
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1643,9 +1643,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1727,9 +1727,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1825,9 +1825,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1910,9 +1910,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -1994,9 +1994,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -2078,9 +2078,9 @@
         "effects": {
           "barGlow": true,
           "centerGlow": true,
+          "gradient": true,
           "rounded": true,
-          "spotlight": true,
-          "gradient": true
+          "spotlight": true
         },
         "glow": "both",
         "orientation": "auto",
@@ -2172,7 +2172,9 @@
         },
         "orientation": "auto",
         "reduceOptions": {
-          "calcs": ["lastNotNull"],
+          "calcs": [
+            "lastNotNull"
+          ],
           "fields": "",
           "values": false
         },
@@ -2238,7 +2240,9 @@
         },
         "orientation": "auto",
         "reduceOptions": {
-          "calcs": ["lastNotNull"],
+          "calcs": [
+            "lastNotNull"
+          ],
           "fields": "",
           "values": false
         },
@@ -2275,4 +2279,4 @@
   "title": "Panel tests - Gauge (new)",
   "uid": "panel-tests-gauge-new",
   "weekStart": ""
-}
+}

apps/dashboard/pkg/migration/testdata/dev-dashboards-output/panel-gauge/gauge_tests_old_to_new.v42.json

@@ -955,9 +955,9 @@
         "effects": {
           "barGlow": false,
           "centerGlow": false,
+          "gradient": false,
           "rounded": false,
-          "spotlight": false,
-          "gradient": false
+          "spotlight": false
         },
         "orientation": "auto",
         "reduceOptions": {
@@ -1162,4 +1162,4 @@
   "title": "Panel tests - Old gauge to new",
   "uid": "panel-tests-old-gauge-to-new",
   "weekStart": ""
-}
+}

apps/iam/go.mod

@@ -221,7 +221,7 @@ require (
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba // indirect
+	github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 // indirect
 	github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f // indirect
 	github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 // indirect
 	github.com/grafana/dataplane/sdata v0.0.9 // indirect

apps/iam/go.sum

@@ -817,8 +817,8 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba h1:psKWNETD5nGxmFAlqnWsXoRyUwSa2GHNEMSEDKGKfQ4=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 h1:ZzG/gCclEit9w0QUfQt9GURcOycAIGcsQAhY1u0AEX0=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f h1:Cbm6OKkOcJ+7CSZsGsEJzktC/SIa5bxVeYKQLuYK86o=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f/go.mod h1:axY0cdOg3q0TZHwpHnIz5x16xZ8ZBxJHShsSHHXcHQg=
 github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 h1:Muoy+FMGrHj3GdFbvsMzUT7eusgii9PKf9L1ZaXDDbY=

apps/plugins/go.mod

@@ -74,7 +74,7 @@ require (
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba // indirect
+	github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 // indirect
 	github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f // indirect
 	github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 // indirect
 	github.com/grafana/dataplane/sdata v0.0.9 // indirect

apps/plugins/go.sum

@@ -174,8 +174,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba h1:psKWNETD5nGxmFAlqnWsXoRyUwSa2GHNEMSEDKGKfQ4=
-github.com/grafana/alerting v0.0.0-20251204145817-de8c2bbf9eba/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7 h1:ZzG/gCclEit9w0QUfQt9GURcOycAIGcsQAhY1u0AEX0=
+github.com/grafana/alerting v0.0.0-20251212143239-491433b332b7/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f h1:Cbm6OKkOcJ+7CSZsGsEJzktC/SIa5bxVeYKQLuYK86o=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f/go.mod h1:axY0cdOg3q0TZHwpHnIz5x16xZ8ZBxJHShsSHHXcHQg=
 github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 h1:Muoy+FMGrHj3GdFbvsMzUT7eusgii9PKf9L1ZaXDDbY=

apps/provisioning/kinds/connection.cue

@@ -0,0 +1,73 @@
+package repository
+
+connection: {
+	kind:       "Connection"
+	pluralName: "Connections"
+	current:    "v0alpha1"
+	validation: {
+		operations: [
+			"CREATE",
+			"UPDATE",
+		]
+	}
+	versions: {
+		"v0alpha1": {
+			codegen: {
+				ts: {enabled: false}
+				go: {enabled: true}
+			}
+			schema: {
+				#GitHubConnectionConfig: {
+					// App-level information
+					// GitHub App ID
+					appID: int
+
+					// Installation-level information
+					// GitHub App installation ID
+					installationID: int
+				}
+				#BitbucketConnectionConfig: {
+					// The app clientID
+					clientID: string
+				}
+				#GitlabConnectionConfig: {
+					// The app clientID
+					clientID: string
+				}
+        #HealthStatus: {
+					// When not healthy, requests will not be executed
+					healthy: bool
+					// When the health was checked last time
+					checked?: int
+					// Summary messages (can be shown to users)
+					// Will only be populated when not healthy
+					message?: [...string]
+				}
+				spec: {
+					// The connection provider type
+					type: "github" | "bitbucket" | "gitlab"
+					// The connection URL
+					url: *"" | string
+					// GitHub connection configuration
+					// Only applicable when provider is "github"
+					github?: #GitHubConnectionConfig
+					// Bitbucket connection configuration
+					// Only applicable when provider is "bitbucket"
+					bitbucket?: #BitbucketConnectionConfig
+					// Gitlab connection configuration
+					// Only applicable when provider is "gitlab"
+					gitlab?: #GitlabConnectionConfig
+				}
+				status: {
+					// The generation of the spec last time reconciliation ran
+					observedGeneration?: int
+					// Connection state
+					state: "connected" | "disconnected"
+					// The connection health status
+					health: #HealthStatus
+				}
+			}
+		}
+	}
+}
+

apps/provisioning/kinds/manifest.cue

@@ -5,5 +5,6 @@ manifest: {
 	groupOverride:	"provisioning.grafana.app"
 	kinds:			[
 		repository,
+		connection
 	]
-} 
+}

apps/provisioning/pkg/apis/provisioning/v0alpha1/connections.go

@@ -0,0 +1,118 @@
+package v0alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+)
+
+// When this code is changed, make sure to update the code generation.
+// As of writing, this can be done via the hack dir in the root of the repo: ./hack/update-codegen.sh provisioning
+// If you've opened the generated files in this dir at some point in VSCode, you may also have to re-open them to clear errors.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type Connection struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ConnectionSpec   `json:"spec,omitempty"`
+	Secure ConnectionSecure `json:"secure,omitzero,omitempty"`
+	Status ConnectionStatus `json:"status,omitempty"`
+}
+
+type ConnectionSecure struct {
+	// PrivateKey is the reference to the private key used for GitHub App authentication.
+	// This value is stored securely and cannot be read back
+	PrivateKey common.InlineSecureValue `json:"privateKey,omitzero,omitempty"`
+
+	// ClientSecret is the reference to the secret used for other providers authentication,
+	// and Github on-behalf-of authentication.
+	// This value is stored securely and cannot be read back
+	ClientSecret common.InlineSecureValue `json:"clientSecret,omitzero,omitempty"`
+
+	// Token is the reference of the token used to act as the Connection.
+	// This value is stored securely and cannot be read back
+	Token common.InlineSecureValue `json:"webhook,omitzero,omitempty"`
+}
+
+func (v ConnectionSecure) IsZero() bool {
+	return v.PrivateKey.IsZero() && v.Token.IsZero()
+}
+
+type GitHubConnectionConfig struct {
+	// GitHub App ID
+	AppID string `json:"appID"`
+
+	// GitHub App installation ID
+	InstallationID string `json:"installationID"`
+}
+
+type BitbucketConnectionConfig struct {
+	// App client ID
+	ClientID string `json:"clientID"`
+}
+
+type GitlabConnectionConfig struct {
+	// App client ID
+	ClientID string `json:"clientID"`
+}
+
+// ConnectionType defines the types of Connection providers
+// +enum
+type ConnectionType string
+
+// ConnectionType values.
+const (
+	GithubConnectionType    ConnectionType = "github"
+	GitlabConnectionType    ConnectionType = "gitlab"
+	BitbucketConnectionType ConnectionType = "bitbucket"
+)
+
+type ConnectionSpec struct {
+	// The connection provider type
+	Type ConnectionType `json:"type"`
+	// The connection URL
+	URL string `json:"url,omitempty"`
+
+	// GitHub connection configuration
+	// Only applicable when provider is "github"
+	GitHub *GitHubConnectionConfig `json:"github,omitempty"`
+	// Bitbucket connection configuration
+	// Only applicable when provider is "bitbucket"
+	Bitbucket *BitbucketConnectionConfig `json:"bitbucket,omitempty"`
+	// Gitlab connection configuration
+	// Only applicable when provider is "gitlab"
+	Gitlab *GitlabConnectionConfig `json:"gitlab,omitempty"`
+}
+
+// ConnectionState defines the state of a Connection
+// +enum
+type ConnectionState string
+
+// ConnectionState values
+const (
+	ConnectionStateConnected    ConnectionState = "connected"
+	ConnectionStateDisconnected ConnectionState = "disconnected"
+)
+
+// The status of a Connection.
+// This is expected never to be created by a kubectl call or similar, and is expected to rarely (if ever) be edited manually.
+type ConnectionStatus struct {
+	// The generation of the spec last time reconciliation ran
+	ObservedGeneration int64 `json:"observedGeneration"`
+
+	// Connection state
+	State ConnectionState `json:"state"`
+
+	// The connection health status
+	Health HealthStatus `json:"health"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ConnectionList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	// +listType=atomic
+	Items []Connection `json:"items"`
+}

apps/provisioning/pkg/apis/provisioning/v0alpha1/health.go

@@ -0,0 +1,26 @@
+package v0alpha1
+
+// HealthFailureType represents different types of healthcheck failures
+// +enum
+type HealthFailureType string
+
+const (
+	HealthFailureHook   HealthFailureType = "hook"
+	HealthFailureHealth HealthFailureType = "health"
+)
+
+type HealthStatus struct {
+	// When not healthy, requests will not be executed
+	Healthy bool `json:"healthy"`
+
+	// The type of the error
+	Error HealthFailureType `json:"error,omitempty"`
+
+	// When the health was checked last time
+	Checked int64 `json:"checked,omitempty"`
+
+	// Summary messages (can be shown to users)
+	// Will only be populated when not healthy
+	// +listType=atomic
+	Message []string `json:"message,omitempty"`
+}

apps/provisioning/pkg/apis/provisioning/v0alpha1/register.go

@@ -115,6 +115,47 @@ var HistoricJobResourceInfo = utils.NewResourceInfo(GROUP, VERSION,
 		},
 	})
 
+var ConnectionResourceInfo = utils.NewResourceInfo(GROUP, VERSION,
+	"connections", "connection", "Connection",
+	func() runtime.Object { return &Connection{} },     // newObj
+	func() runtime.Object { return &ConnectionList{} }, // newList
+	utils.TableColumns{ // Returned by `kubectl get`. Doesn't affect disk storage.
+		Definition: []metav1.TableColumnDefinition{
+			{Name: "Name", Type: "string", Format: "name"},
+			{Name: "Created At", Type: "date"},
+			{Name: "Type", Type: "string"},
+			{Name: "AppID", Type: "string"},
+			{Name: "InstallationID", Type: "string"},
+			{Name: "ClientID", Type: "string"},
+		},
+		Reader: func(obj any) ([]interface{}, error) {
+			m, ok := obj.(*Connection)
+			if !ok {
+				return nil, errors.New("expected Repository")
+			}
+
+			var appID, installationID, clientID string
+			switch m.Spec.Type {
+			case GithubConnectionType:
+				appID = m.Spec.GitHub.AppID
+				installationID = m.Spec.GitHub.InstallationID
+			case BitbucketConnectionType:
+				clientID = m.Spec.Bitbucket.ClientID
+			case GitlabConnectionType:
+				clientID = m.Spec.Gitlab.ClientID
+			}
+
+			return []interface{}{
+				m.Name,
+				m.CreationTimestamp.UTC().Format(time.RFC3339),
+				m.Spec.Type,
+				appID,
+				installationID,
+				clientID,
+			}, nil
+		},
+	})
+
 var (
 	// SchemeGroupVersion is group version used to register these objects
 	SchemeGroupVersion   = schema.GroupVersion{Group: GROUP, Version: VERSION}
@@ -154,6 +195,8 @@ func AddKnownTypes(gv schema.GroupVersion, scheme *runtime.Scheme) error {
 		&RefList{},
 		&HistoricJob{},
 		&HistoricJobList{},
+		&Connection{},
+		&ConnectionList{},
 	)
 	return nil
 }

apps/provisioning/pkg/apis/provisioning/v0alpha1/types.go

@@ -315,31 +315,6 @@ type RepositoryStatus struct {
 	DeleteError string `json:"deleteError,omitempty"`
 }
 
-// HealthFailureType represents different types of repository failures
-// +enum
-type HealthFailureType string
-
-const (
-	HealthFailureHook   HealthFailureType = "hook"
-	HealthFailureHealth HealthFailureType = "health"
-)
-
-type HealthStatus struct {
-	// When not healthy, requests will not be executed
-	Healthy bool `json:"healthy"`
-
-	// The type of the error
-	Error HealthFailureType `json:"error,omitempty"`
-
-	// When the health was checked last time
-	Checked int64 `json:"checked,omitempty"`
-
-	// Summary messages (can be shown to users)
-	// Will only be populated when not healthy
-	// +listType=atomic
-	Message []string `json:"message,omitempty"`
-}
-
 type SyncStatus struct {
 	// pending, running, success, error
 	State JobState `json:"state"`

apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.deepcopy.go

@@ -27,6 +27,22 @@ func (in *Author) DeepCopy() *Author {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BitbucketConnectionConfig) DeepCopyInto(out *BitbucketConnectionConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BitbucketConnectionConfig.
+func (in *BitbucketConnectionConfig) DeepCopy() *BitbucketConnectionConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(BitbucketConnectionConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BitbucketRepositoryConfig) DeepCopyInto(out *BitbucketRepositoryConfig) {
 	*out = *in
@@ -43,6 +59,135 @@ func (in *BitbucketRepositoryConfig) DeepCopy() *BitbucketRepositoryConfig {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Connection) DeepCopyInto(out *Connection) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Secure = in.Secure
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Connection.
+func (in *Connection) DeepCopy() *Connection {
+	if in == nil {
+		return nil
+	}
+	out := new(Connection)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Connection) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConnectionList) DeepCopyInto(out *ConnectionList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Connection, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionList.
+func (in *ConnectionList) DeepCopy() *ConnectionList {
+	if in == nil {
+		return nil
+	}
+	out := new(ConnectionList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ConnectionList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConnectionSecure) DeepCopyInto(out *ConnectionSecure) {
+	*out = *in
+	out.PrivateKey = in.PrivateKey
+	out.ClientSecret = in.ClientSecret
+	out.Token = in.Token
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionSecure.
+func (in *ConnectionSecure) DeepCopy() *ConnectionSecure {
+	if in == nil {
+		return nil
+	}
+	out := new(ConnectionSecure)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConnectionSpec) DeepCopyInto(out *ConnectionSpec) {
+	*out = *in
+	if in.GitHub != nil {
+		in, out := &in.GitHub, &out.GitHub
+		*out = new(GitHubConnectionConfig)
+		**out = **in
+	}
+	if in.Bitbucket != nil {
+		in, out := &in.Bitbucket, &out.Bitbucket
+		*out = new(BitbucketConnectionConfig)
+		**out = **in
+	}
+	if in.Gitlab != nil {
+		in, out := &in.Gitlab, &out.Gitlab
+		*out = new(GitlabConnectionConfig)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionSpec.
+func (in *ConnectionSpec) DeepCopy() *ConnectionSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ConnectionSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConnectionStatus) DeepCopyInto(out *ConnectionStatus) {
+	*out = *in
+	in.Health.DeepCopyInto(&out.Health)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionStatus.
+func (in *ConnectionStatus) DeepCopy() *ConnectionStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ConnectionStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeleteJobOptions) DeepCopyInto(out *DeleteJobOptions) {
 	*out = *in
@@ -148,6 +293,22 @@ func (in *FileList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitHubConnectionConfig) DeepCopyInto(out *GitHubConnectionConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubConnectionConfig.
+func (in *GitHubConnectionConfig) DeepCopy() *GitHubConnectionConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(GitHubConnectionConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitHubRepositoryConfig) DeepCopyInto(out *GitHubRepositoryConfig) {
 	*out = *in
@@ -196,6 +357,22 @@ func (in *GitRepositoryConfig) DeepCopy() *GitRepositoryConfig {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitlabConnectionConfig) DeepCopyInto(out *GitlabConnectionConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabConnectionConfig.
+func (in *GitlabConnectionConfig) DeepCopy() *GitlabConnectionConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(GitlabConnectionConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HealthStatus) DeepCopyInto(out *HealthStatus) {
 	*out = *in

apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi.go

@@ -15,15 +15,23 @@ import (
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
 		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.Author":                    schema_pkg_apis_provisioning_v0alpha1_Author(ref),
+		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.BitbucketConnectionConfig": schema_pkg_apis_provisioning_v0alpha1_BitbucketConnectionConfig(ref),
 		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.BitbucketRepositoryConfig": schema_pkg_apis_provisioning_v0alpha1_BitbucketRepositoryConfig(ref),
+		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.Connection":                schema_pkg_apis_provisioning_v0alpha1_Connection(ref),
+		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.ConnectionList":            schema_pkg_apis_provisioning_v0alpha1_ConnectionList(ref),
+		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.ConnectionSecure":          schema_pkg_apis_provisioning_v0alpha1_ConnectionSecure(ref),
+		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.ConnectionSpec":            schema_pkg_apis_provisioning_v0alpha1_ConnectionSpec(ref),
+		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.ConnectionStatus":          schema_pkg_apis_provisioning_v0alpha1_ConnectionStatus(ref),
 		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.DeleteJobOptions":          schema_pkg_apis_provisioning_v0alpha1_DeleteJobOptions(ref),
 		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.ErrorDetails":              schema_pkg_apis_provisioning_v0alpha1_ErrorDetails(ref),
 		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.ExportJobOptions":          schema_pkg_apis_provisioning_v0alpha1_ExportJobOptions(ref),
 		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.FileItem":                  schema_pkg_apis_provisioning_v0alpha1_FileItem(ref),
 		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.FileList":                  schema_pkg_apis_provisioning_v0alpha1_FileList(ref),
+		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.GitHubConnectionConfig":    schema_pkg_apis_provisioning_v0alpha1_GitHubConnectionConfig(ref),
 		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.GitHubRepositoryConfig":    schema_pkg_apis_provisioning_v0alpha1_GitHubRepositoryConfig(ref),
 		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.GitLabRepositoryConfig":    schema_pkg_apis_provisioning_v0alpha1_GitLabRepositoryConfig(ref),
 		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.GitRepositoryConfig":       schema_pkg_apis_provisioning_v0alpha1_GitRepositoryConfig(ref),
+		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.GitlabConnectionConfig":    schema_pkg_apis_provisioning_v0alpha1_GitlabConnectionConfig(ref),
 		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.HealthStatus":              schema_pkg_apis_provisioning_v0alpha1_HealthStatus(ref),
 		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.HistoricJob":               schema_pkg_apis_provisioning_v0alpha1_HistoricJob(ref),
 		"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.HistoricJobList":           schema_pkg_apis_provisioning_v0alpha1_HistoricJobList(ref),
@@ -100,6 +108,27 @@ func schema_pkg_apis_provisioning_v0alpha1_Author(ref common.ReferenceCallback)
 	}
 }
 
+func schema_pkg_apis_provisioning_v0alpha1_BitbucketConnectionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"clientID": {
+						SchemaProps: spec.SchemaProps{
+							Description: "App client ID",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"clientID"},
+			},
+		},
+	}
+}
+
 func schema_pkg_apis_provisioning_v0alpha1_BitbucketRepositoryConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -142,6 +171,236 @@ func schema_pkg_apis_provisioning_v0alpha1_BitbucketRepositoryConfig(ref common.
 	}
 }
 
+func schema_pkg_apis_provisioning_v0alpha1_Connection(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "When this code is changed, make sure to update the code generation. As of writing, this can be done via the hack dir in the root of the repo: ./hack/update-codegen.sh provisioning If you've opened the generated files in this dir at some point in VSCode, you may also have to re-open them to clear errors.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Default: map[string]interface{}{},
+							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Default: map[string]interface{}{},
+							Ref:     ref("github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.ConnectionSpec"),
+						},
+					},
+					"secure": {
+						SchemaProps: spec.SchemaProps{
+							Default: map[string]interface{}{},
+							Ref:     ref("github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.ConnectionSecure"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Default: map[string]interface{}{},
+							Ref:     ref("github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.ConnectionStatus"),
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.ConnectionSecure", "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.ConnectionSpec", "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.ConnectionStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_pkg_apis_provisioning_v0alpha1_ConnectionList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Default: map[string]interface{}{},
+							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.Connection"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.Connection", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_pkg_apis_provisioning_v0alpha1_ConnectionSecure(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"privateKey": {
+						SchemaProps: spec.SchemaProps{
+							Description: "PrivateKey is the reference to the private key used for GitHub App authentication. This value is stored securely and cannot be read back",
+							Default:     map[string]interface{}{},
+							Ref:         ref("github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1.InlineSecureValue"),
+						},
+					},
+					"clientSecret": {
+						SchemaProps: spec.SchemaProps{
+							Description: "ClientSecret is the reference to the secret used for other providers authentication, and Github on-behalf-of authentication. This value is stored securely and cannot be read back",
+							Default:     map[string]interface{}{},
+							Ref:         ref("github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1.InlineSecureValue"),
+						},
+					},
+					"webhook": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Token is the reference of the token used to act as the Connection. This value is stored securely and cannot be read back",
+							Default:     map[string]interface{}{},
+							Ref:         ref("github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1.InlineSecureValue"),
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1.InlineSecureValue"},
+	}
+}
+
+func schema_pkg_apis_provisioning_v0alpha1_ConnectionSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"type": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The connection provider type\n\nPossible enum values:\n - `\"bitbucket\"`\n - `\"github\"`\n - `\"gitlab\"`",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+							Enum:        []interface{}{"bitbucket", "github", "gitlab"},
+						},
+					},
+					"url": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The connection URL",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"github": {
+						SchemaProps: spec.SchemaProps{
+							Description: "GitHub connection configuration Only applicable when provider is \"github\"",
+							Ref:         ref("github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.GitHubConnectionConfig"),
+						},
+					},
+					"bitbucket": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Bitbucket connection configuration Only applicable when provider is \"bitbucket\"",
+							Ref:         ref("github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.BitbucketConnectionConfig"),
+						},
+					},
+					"gitlab": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Gitlab connection configuration Only applicable when provider is \"gitlab\"",
+							Ref:         ref("github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.GitlabConnectionConfig"),
+						},
+					},
+				},
+				Required: []string{"type"},
+			},
+		},
+		Dependencies: []string{
+			"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.BitbucketConnectionConfig", "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.GitHubConnectionConfig", "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.GitlabConnectionConfig"},
+	}
+}
+
+func schema_pkg_apis_provisioning_v0alpha1_ConnectionStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "The status of a Connection. This is expected never to be created by a kubectl call or similar, and is expected to rarely (if ever) be edited manually.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"observedGeneration": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The generation of the spec last time reconciliation ran",
+							Default:     0,
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
+					"state": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Connection state\n\nPossible enum values:\n - `\"connected\"`\n - `\"disconnected\"`",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+							Enum:        []interface{}{"connected", "disconnected"},
+						},
+					},
+					"health": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The connection health status",
+							Default:     map[string]interface{}{},
+							Ref:         ref("github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.HealthStatus"),
+						},
+					},
+				},
+				Required: []string{"observedGeneration", "state", "health"},
+			},
+		},
+		Dependencies: []string{
+			"github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1.HealthStatus"},
+	}
+}
+
 func schema_pkg_apis_provisioning_v0alpha1_DeleteJobOptions(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -362,6 +621,35 @@ func schema_pkg_apis_provisioning_v0alpha1_FileList(ref common.ReferenceCallback
 	}
 }
 
+func schema_pkg_apis_provisioning_v0alpha1_GitHubConnectionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"appID": {
+						SchemaProps: spec.SchemaProps{
+							Description: "GitHub App ID",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"installationID": {
+						SchemaProps: spec.SchemaProps{
+							Description: "GitHub App installation ID",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"appID", "installationID"},
+			},
+		},
+	}
+}
+
 func schema_pkg_apis_provisioning_v0alpha1_GitHubRepositoryConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -481,6 +769,27 @@ func schema_pkg_apis_provisioning_v0alpha1_GitRepositoryConfig(ref common.Refere
 	}
 }
 
+func schema_pkg_apis_provisioning_v0alpha1_GitlabConnectionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"clientID": {
+						SchemaProps: spec.SchemaProps{
+							Description: "App client ID",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"clientID"},
+			},
+		},
+	}
+}
+
 func schema_pkg_apis_provisioning_v0alpha1_HealthStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{

apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi_violation_exceptions.list

@@ -1,3 +1,4 @@
+API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ConnectionList,Items
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,DeleteJobOptions,Paths
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,DeleteJobOptions,Resources
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,FileList,Items
@@ -20,6 +21,8 @@ API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioni
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ResourceList,Items
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,TestResults,Errors
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,WebhookStatus,SubscribedEvents
+API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ConnectionSecure,Token
+API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ConnectionSpec,GitHub
 API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,JobSpec,PullRequest
 API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,JobStatus,URLs
 API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ManagerStats,Identity

apps/provisioning/pkg/connection/mutator.go

@@ -0,0 +1,28 @@
+package connection
+
+import (
+	"fmt"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+)
+
+const (
+	githubInstallationURL = "https://github.com/settings/installations"
+)
+
+func MutateConnection(connection *provisioning.Connection) error {
+	switch connection.Spec.Type {
+	case provisioning.GithubConnectionType:
+		// Do nothing in case spec.Github is nil.
+		// If this field is required, we should fail at validation time.
+		if connection.Spec.GitHub == nil {
+			return nil
+		}
+
+		connection.Spec.URL = fmt.Sprintf("%s/%s", githubInstallationURL, connection.Spec.GitHub.InstallationID)
+		return nil
+	default:
+		// TODO: we need to setup the URL for bitbucket and gitlab.
+		return nil
+	}
+}

apps/provisioning/pkg/connection/mutator_test.go

@@ -0,0 +1,35 @@
+package connection_test
+
+import (
+	"testing"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
+	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestMutateConnection(t *testing.T) {
+	t.Run("should add URL to Github connection", func(t *testing.T) {
+		c := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Name: "test-private-key",
+				},
+			},
+		}
+
+		require.NoError(t, connection.MutateConnection(c))
+		assert.Equal(t, "https://github.com/settings/installations/456", c.Spec.URL)
+	})
+}

apps/provisioning/pkg/connection/validator.go

@@ -0,0 +1,104 @@
+package connection
+
+import (
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func ValidateConnection(connection *provisioning.Connection) error {
+	list := field.ErrorList{}
+
+	if connection.Spec.Type == "" {
+		list = append(list, field.Required(field.NewPath("spec", "type"), "type must be specified"))
+	}
+
+	switch connection.Spec.Type {
+	case provisioning.GithubConnectionType:
+		list = append(list, validateGithubConnection(connection)...)
+	case provisioning.BitbucketConnectionType:
+		list = append(list, validateBitbucketConnection(connection)...)
+	case provisioning.GitlabConnectionType:
+		list = append(list, validateGitlabConnection(connection)...)
+	default:
+		list = append(
+			list, field.NotSupported(
+				field.NewPath("spec", "type"),
+				connection.Spec.Type,
+				[]provisioning.ConnectionType{
+					provisioning.GithubConnectionType,
+					provisioning.BitbucketConnectionType,
+					provisioning.GitlabConnectionType,
+				}),
+		)
+	}
+
+	return toError(connection.GetName(), list)
+}
+
+func validateGithubConnection(connection *provisioning.Connection) field.ErrorList {
+	list := field.ErrorList{}
+
+	if connection.Spec.GitHub == nil {
+		list = append(
+			list, field.Required(field.NewPath("spec", "github"), "github info must be specified for GitHub connection"),
+		)
+	}
+
+	if connection.Secure.PrivateKey.IsZero() {
+		list = append(list, field.Required(field.NewPath("secure", "privateKey"), "privateKey must be specified for GitHub connection"))
+	}
+	if !connection.Secure.ClientSecret.IsZero() {
+		list = append(list, field.Forbidden(field.NewPath("secure", "clientSecret"), "clientSecret is forbidden in GitHub connection"))
+	}
+
+	return list
+}
+
+func validateBitbucketConnection(connection *provisioning.Connection) field.ErrorList {
+	list := field.ErrorList{}
+
+	if connection.Spec.Bitbucket == nil {
+		list = append(
+			list, field.Required(field.NewPath("spec", "bitbucket"), "bitbucket info must be specified in Bitbucket connection"),
+		)
+	}
+	if connection.Secure.ClientSecret.IsZero() {
+		list = append(list, field.Required(field.NewPath("secure", "clientSecret"), "clientSecret must be specified for Bitbucket connection"))
+	}
+	if !connection.Secure.PrivateKey.IsZero() {
+		list = append(list, field.Forbidden(field.NewPath("secure", "privateKey"), "privateKey is forbidden in Bitbucket connection"))
+	}
+
+	return list
+}
+
+func validateGitlabConnection(connection *provisioning.Connection) field.ErrorList {
+	list := field.ErrorList{}
+
+	if connection.Spec.Gitlab == nil {
+		list = append(
+			list, field.Required(field.NewPath("spec", "gitlab"), "gitlab info must be specified in Gitlab connection"),
+		)
+	}
+	if connection.Secure.ClientSecret.IsZero() {
+		list = append(list, field.Required(field.NewPath("secure", "clientSecret"), "clientSecret must be specified for Gitlab connection"))
+	}
+	if !connection.Secure.PrivateKey.IsZero() {
+		list = append(list, field.Forbidden(field.NewPath("secure", "privateKey"), "privateKey is forbidden in Gitlab connection"))
+	}
+
+	return list
+}
+
+// toError converts a field.ErrorList to an error, returning nil if the list is empty
+func toError(name string, list field.ErrorList) error {
+	if len(list) == 0 {
+		return nil
+	}
+	return apierrors.NewInvalid(
+		provisioning.ConnectionResourceInfo.GroupVersionKind().GroupKind(),
+		name,
+		list,
+	)
+}

apps/provisioning/pkg/connection/validator_test.go

@@ -0,0 +1,253 @@
+package connection_test
+
+import (
+	"testing"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
+	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestValidateConnection(t *testing.T) {
+	tests := []struct {
+		name       string
+		connection *provisioning.Connection
+		wantErr    bool
+		errMsg     string
+	}{
+		{
+			name: "empty type returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec:       provisioning.ConnectionSpec{},
+			},
+			wantErr: true,
+			errMsg:  "spec.type",
+		},
+		{
+			name: "invalid type returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: "invalid",
+				},
+			},
+			wantErr: true,
+			errMsg:  "spec.type",
+		},
+		{
+			name: "github type without github config returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+				},
+			},
+			wantErr: true,
+			errMsg:  "spec.github",
+		},
+		{
+			name: "github type without private key returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "secure.privateKey",
+		},
+		{
+			name: "github type with client secret returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Name: "test-private-key",
+					},
+					ClientSecret: common.InlineSecureValue{
+						Name: "test-client-secret",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "secure.clientSecret",
+		},
+		{
+			name: "github type with github config is valid",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Name: "test-private-key",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "bitbucket type without bitbucket config returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.BitbucketConnectionType,
+				},
+			},
+			wantErr: true,
+			errMsg:  "spec.bitbucket",
+		},
+		{
+			name: "bitbucket type without client secret returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.BitbucketConnectionType,
+					Bitbucket: &provisioning.BitbucketConnectionConfig{
+						ClientID: "client-123",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "secure.clientSecret",
+		},
+		{
+			name: "bitbucket type with private key returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.BitbucketConnectionType,
+					Bitbucket: &provisioning.BitbucketConnectionConfig{
+						ClientID: "client-123",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Name: "test-private-key",
+					},
+					ClientSecret: common.InlineSecureValue{
+						Name: "test-client-secret",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "secure.privateKey",
+		},
+		{
+			name: "bitbucket type with bitbucket config is valid",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.BitbucketConnectionType,
+					Bitbucket: &provisioning.BitbucketConnectionConfig{
+						ClientID: "client-123",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					ClientSecret: common.InlineSecureValue{
+						Name: "test-client-secret",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "gitlab type without gitlab config returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GitlabConnectionType,
+				},
+			},
+			wantErr: true,
+			errMsg:  "spec.gitlab",
+		},
+		{
+			name: "gitlab type without client secret returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GitlabConnectionType,
+					Gitlab: &provisioning.GitlabConnectionConfig{
+						ClientID: "client-456",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "secure.clientSecret",
+		},
+		{
+			name: "gitlab type with private key returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GitlabConnectionType,
+					Gitlab: &provisioning.GitlabConnectionConfig{
+						ClientID: "client-456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Name: "test-private-key",
+					},
+					ClientSecret: common.InlineSecureValue{
+						Name: "test-client-secret",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "secure.privateKey",
+		},
+		{
+			name: "gitlab type with gitlab config is valid",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GitlabConnectionType,
+					Gitlab: &provisioning.GitlabConnectionConfig{
+						ClientID: "client-456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					ClientSecret: common.InlineSecureValue{
+						Name: "test-client-secret",
+					},
+				},
+			},
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := connection.ValidateConnection(tt.connection)
+			if tt.wantErr {
+				assert.Error(t, err)
+				if tt.errMsg != "" {
+					assert.Contains(t, err.Error(), tt.errMsg)
+				}
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/bitbucketconnectionconfig.go

@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v0alpha1
+
+// BitbucketConnectionConfigApplyConfiguration represents a declarative configuration of the BitbucketConnectionConfig type for use
+// with apply.
+type BitbucketConnectionConfigApplyConfiguration struct {
+	ClientID *string `json:"clientID,omitempty"`
+}
+
+// BitbucketConnectionConfigApplyConfiguration constructs a declarative configuration of the BitbucketConnectionConfig type for use with
+// apply.
+func BitbucketConnectionConfig() *BitbucketConnectionConfigApplyConfiguration {
+	return &BitbucketConnectionConfigApplyConfiguration{}
+}
+
+// WithClientID sets the ClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ClientID field is set to the value of the last call.
+func (b *BitbucketConnectionConfigApplyConfiguration) WithClientID(value string) *BitbucketConnectionConfigApplyConfiguration {
+	b.ClientID = &value
+	return b
+}

apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/connection.go

@@ -0,0 +1,237 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// ConnectionApplyConfiguration represents a declarative configuration of the Connection type for use
+// with apply.
+type ConnectionApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	Spec                             *ConnectionSpecApplyConfiguration   `json:"spec,omitempty"`
+	Secure                           *ConnectionSecureApplyConfiguration `json:"secure,omitempty"`
+	Status                           *ConnectionStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// Connection constructs a declarative configuration of the Connection type for use with
+// apply.
+func Connection(name, namespace string) *ConnectionApplyConfiguration {
+	b := &ConnectionApplyConfiguration{}
+	b.WithName(name)
+	b.WithNamespace(namespace)
+	b.WithKind("Connection")
+	b.WithAPIVersion("provisioning.grafana.app/v0alpha1")
+	return b
+}
+func (b ConnectionApplyConfiguration) IsApplyConfiguration() {}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithKind(value string) *ConnectionApplyConfiguration {
+	b.TypeMetaApplyConfiguration.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithAPIVersion(value string) *ConnectionApplyConfiguration {
+	b.TypeMetaApplyConfiguration.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithName(value string) *ConnectionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithGenerateName(value string) *ConnectionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithNamespace(value string) *ConnectionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithUID(value types.UID) *ConnectionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithResourceVersion(value string) *ConnectionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithGeneration(value int64) *ConnectionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithCreationTimestamp(value metav1.Time) *ConnectionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *ConnectionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ConnectionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *ConnectionApplyConfiguration) WithLabels(entries map[string]string) *ConnectionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *ConnectionApplyConfiguration) WithAnnotations(entries map[string]string) *ConnectionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *ConnectionApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *ConnectionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *ConnectionApplyConfiguration) WithFinalizers(values ...string) *ConnectionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *ConnectionApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithSpec(value *ConnectionSpecApplyConfiguration) *ConnectionApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// WithSecure sets the Secure field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Secure field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithSecure(value *ConnectionSecureApplyConfiguration) *ConnectionApplyConfiguration {
+	b.Secure = value
+	return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *ConnectionApplyConfiguration) WithStatus(value *ConnectionStatusApplyConfiguration) *ConnectionApplyConfiguration {
+	b.Status = value
+	return b
+}
+
+// GetKind retrieves the value of the Kind field in the declarative configuration.
+func (b *ConnectionApplyConfiguration) GetKind() *string {
+	return b.TypeMetaApplyConfiguration.Kind
+}
+
+// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
+func (b *ConnectionApplyConfiguration) GetAPIVersion() *string {
+	return b.TypeMetaApplyConfiguration.APIVersion
+}
+
+// GetName retrieves the value of the Name field in the declarative configuration.
+func (b *ConnectionApplyConfiguration) GetName() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Name
+}
+
+// GetNamespace retrieves the value of the Namespace field in the declarative configuration.
+func (b *ConnectionApplyConfiguration) GetNamespace() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Namespace
+}

apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/connectionsecure.go

@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	commonv0alpha1 "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+)
+
+// ConnectionSecureApplyConfiguration represents a declarative configuration of the ConnectionSecure type for use
+// with apply.
+type ConnectionSecureApplyConfiguration struct {
+	PrivateKey   *commonv0alpha1.InlineSecureValue `json:"privateKey,omitempty"`
+	ClientSecret *commonv0alpha1.InlineSecureValue `json:"clientSecret,omitempty"`
+	Token        *commonv0alpha1.InlineSecureValue `json:"webhook,omitempty"`
+}
+
+// ConnectionSecureApplyConfiguration constructs a declarative configuration of the ConnectionSecure type for use with
+// apply.
+func ConnectionSecure() *ConnectionSecureApplyConfiguration {
+	return &ConnectionSecureApplyConfiguration{}
+}
+
+// WithPrivateKey sets the PrivateKey field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PrivateKey field is set to the value of the last call.
+func (b *ConnectionSecureApplyConfiguration) WithPrivateKey(value commonv0alpha1.InlineSecureValue) *ConnectionSecureApplyConfiguration {
+	b.PrivateKey = &value
+	return b
+}
+
+// WithClientSecret sets the ClientSecret field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ClientSecret field is set to the value of the last call.
+func (b *ConnectionSecureApplyConfiguration) WithClientSecret(value commonv0alpha1.InlineSecureValue) *ConnectionSecureApplyConfiguration {
+	b.ClientSecret = &value
+	return b
+}
+
+// WithToken sets the Token field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Token field is set to the value of the last call.
+func (b *ConnectionSecureApplyConfiguration) WithToken(value commonv0alpha1.InlineSecureValue) *ConnectionSecureApplyConfiguration {
+	b.Token = &value
+	return b
+}

apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/connectionspec.go

@@ -0,0 +1,65 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	provisioningv0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+)
+
+// ConnectionSpecApplyConfiguration represents a declarative configuration of the ConnectionSpec type for use
+// with apply.
+type ConnectionSpecApplyConfiguration struct {
+	Type      *provisioningv0alpha1.ConnectionType         `json:"type,omitempty"`
+	URL       *string                                      `json:"url,omitempty"`
+	GitHub    *GitHubConnectionConfigApplyConfiguration    `json:"github,omitempty"`
+	Bitbucket *BitbucketConnectionConfigApplyConfiguration `json:"bitbucket,omitempty"`
+	Gitlab    *GitlabConnectionConfigApplyConfiguration    `json:"gitlab,omitempty"`
+}
+
+// ConnectionSpecApplyConfiguration constructs a declarative configuration of the ConnectionSpec type for use with
+// apply.
+func ConnectionSpec() *ConnectionSpecApplyConfiguration {
+	return &ConnectionSpecApplyConfiguration{}
+}
+
+// WithType sets the Type field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Type field is set to the value of the last call.
+func (b *ConnectionSpecApplyConfiguration) WithType(value provisioningv0alpha1.ConnectionType) *ConnectionSpecApplyConfiguration {
+	b.Type = &value
+	return b
+}
+
+// WithURL sets the URL field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the URL field is set to the value of the last call.
+func (b *ConnectionSpecApplyConfiguration) WithURL(value string) *ConnectionSpecApplyConfiguration {
+	b.URL = &value
+	return b
+}
+
+// WithGitHub sets the GitHub field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GitHub field is set to the value of the last call.
+func (b *ConnectionSpecApplyConfiguration) WithGitHub(value *GitHubConnectionConfigApplyConfiguration) *ConnectionSpecApplyConfiguration {
+	b.GitHub = value
+	return b
+}
+
+// WithBitbucket sets the Bitbucket field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Bitbucket field is set to the value of the last call.
+func (b *ConnectionSpecApplyConfiguration) WithBitbucket(value *BitbucketConnectionConfigApplyConfiguration) *ConnectionSpecApplyConfiguration {
+	b.Bitbucket = value
+	return b
+}
+
+// WithGitlab sets the Gitlab field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Gitlab field is set to the value of the last call.
+func (b *ConnectionSpecApplyConfiguration) WithGitlab(value *GitlabConnectionConfigApplyConfiguration) *ConnectionSpecApplyConfiguration {
+	b.Gitlab = value
+	return b
+}

apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/connectionstatus.go

@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	provisioningv0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+)
+
+// ConnectionStatusApplyConfiguration represents a declarative configuration of the ConnectionStatus type for use
+// with apply.
+type ConnectionStatusApplyConfiguration struct {
+	ObservedGeneration *int64                                `json:"observedGeneration,omitempty"`
+	State              *provisioningv0alpha1.ConnectionState `json:"state,omitempty"`
+	Health             *HealthStatusApplyConfiguration       `json:"health,omitempty"`
+}
+
+// ConnectionStatusApplyConfiguration constructs a declarative configuration of the ConnectionStatus type for use with
+// apply.
+func ConnectionStatus() *ConnectionStatusApplyConfiguration {
+	return &ConnectionStatusApplyConfiguration{}
+}
+
+// WithObservedGeneration sets the ObservedGeneration field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ObservedGeneration field is set to the value of the last call.
+func (b *ConnectionStatusApplyConfiguration) WithObservedGeneration(value int64) *ConnectionStatusApplyConfiguration {
+	b.ObservedGeneration = &value
+	return b
+}
+
+// WithState sets the State field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the State field is set to the value of the last call.
+func (b *ConnectionStatusApplyConfiguration) WithState(value provisioningv0alpha1.ConnectionState) *ConnectionStatusApplyConfiguration {
+	b.State = &value
+	return b
+}
+
+// WithHealth sets the Health field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Health field is set to the value of the last call.
+func (b *ConnectionStatusApplyConfiguration) WithHealth(value *HealthStatusApplyConfiguration) *ConnectionStatusApplyConfiguration {
+	b.Health = value
+	return b
+}

apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/githubconnectionconfig.go

@@ -0,0 +1,34 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v0alpha1
+
+// GitHubConnectionConfigApplyConfiguration represents a declarative configuration of the GitHubConnectionConfig type for use
+// with apply.
+type GitHubConnectionConfigApplyConfiguration struct {
+	AppID          *string `json:"appID,omitempty"`
+	InstallationID *string `json:"installationID,omitempty"`
+}
+
+// GitHubConnectionConfigApplyConfiguration constructs a declarative configuration of the GitHubConnectionConfig type for use with
+// apply.
+func GitHubConnectionConfig() *GitHubConnectionConfigApplyConfiguration {
+	return &GitHubConnectionConfigApplyConfiguration{}
+}
+
+// WithAppID sets the AppID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the AppID field is set to the value of the last call.
+func (b *GitHubConnectionConfigApplyConfiguration) WithAppID(value string) *GitHubConnectionConfigApplyConfiguration {
+	b.AppID = &value
+	return b
+}
+
+// WithInstallationID sets the InstallationID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the InstallationID field is set to the value of the last call.
+func (b *GitHubConnectionConfigApplyConfiguration) WithInstallationID(value string) *GitHubConnectionConfigApplyConfiguration {
+	b.InstallationID = &value
+	return b
+}

apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/gitlabconnectionconfig.go

@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v0alpha1
+
+// GitlabConnectionConfigApplyConfiguration represents a declarative configuration of the GitlabConnectionConfig type for use
+// with apply.
+type GitlabConnectionConfigApplyConfiguration struct {
+	ClientID *string `json:"clientID,omitempty"`
+}
+
+// GitlabConnectionConfigApplyConfiguration constructs a declarative configuration of the GitlabConnectionConfig type for use with
+// apply.
+func GitlabConnectionConfig() *GitlabConnectionConfigApplyConfiguration {
+	return &GitlabConnectionConfigApplyConfiguration{}
+}
+
+// WithClientID sets the ClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ClientID field is set to the value of the last call.
+func (b *GitlabConnectionConfigApplyConfiguration) WithClientID(value string) *GitlabConnectionConfigApplyConfiguration {
+	b.ClientID = &value
+	return b
+}

apps/provisioning/pkg/generated/applyconfiguration/utils.go

@@ -18,14 +18,28 @@ import (
 func ForKind(kind schema.GroupVersionKind) interface{} {
 	switch kind {
 	// Group=provisioning.grafana.app, Version=v0alpha1
+	case v0alpha1.SchemeGroupVersion.WithKind("BitbucketConnectionConfig"):
+		return &provisioningv0alpha1.BitbucketConnectionConfigApplyConfiguration{}
 	case v0alpha1.SchemeGroupVersion.WithKind("BitbucketRepositoryConfig"):
 		return &provisioningv0alpha1.BitbucketRepositoryConfigApplyConfiguration{}
+	case v0alpha1.SchemeGroupVersion.WithKind("Connection"):
+		return &provisioningv0alpha1.ConnectionApplyConfiguration{}
+	case v0alpha1.SchemeGroupVersion.WithKind("ConnectionSecure"):
+		return &provisioningv0alpha1.ConnectionSecureApplyConfiguration{}
+	case v0alpha1.SchemeGroupVersion.WithKind("ConnectionSpec"):
+		return &provisioningv0alpha1.ConnectionSpecApplyConfiguration{}
+	case v0alpha1.SchemeGroupVersion.WithKind("ConnectionStatus"):
+		return &provisioningv0alpha1.ConnectionStatusApplyConfiguration{}
 	case v0alpha1.SchemeGroupVersion.WithKind("DeleteJobOptions"):
 		return &provisioningv0alpha1.DeleteJobOptionsApplyConfiguration{}
 	case v0alpha1.SchemeGroupVersion.WithKind("ExportJobOptions"):
 		return &provisioningv0alpha1.ExportJobOptionsApplyConfiguration{}
+	case v0alpha1.SchemeGroupVersion.WithKind("GitHubConnectionConfig"):
+		return &provisioningv0alpha1.GitHubConnectionConfigApplyConfiguration{}
 	case v0alpha1.SchemeGroupVersion.WithKind("GitHubRepositoryConfig"):
 		return &provisioningv0alpha1.GitHubRepositoryConfigApplyConfiguration{}
+	case v0alpha1.SchemeGroupVersion.WithKind("GitlabConnectionConfig"):
+		return &provisioningv0alpha1.GitlabConnectionConfigApplyConfiguration{}
 	case v0alpha1.SchemeGroupVersion.WithKind("GitLabRepositoryConfig"):
 		return &provisioningv0alpha1.GitLabRepositoryConfigApplyConfiguration{}
 	case v0alpha1.SchemeGroupVersion.WithKind("GitRepositoryConfig"):

apps/provisioning/pkg/generated/clientset/versioned/typed/provisioning/v0alpha1/connection.go

@@ -0,0 +1,60 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	context "context"
+
+	provisioningv0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	applyconfigurationprovisioningv0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1"
+	scheme "github.com/grafana/grafana/apps/provisioning/pkg/generated/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	gentype "k8s.io/client-go/gentype"
+)
+
+// ConnectionsGetter has a method to return a ConnectionInterface.
+// A group's client should implement this interface.
+type ConnectionsGetter interface {
+	Connections(namespace string) ConnectionInterface
+}
+
+// ConnectionInterface has methods to work with Connection resources.
+type ConnectionInterface interface {
+	Create(ctx context.Context, connection *provisioningv0alpha1.Connection, opts v1.CreateOptions) (*provisioningv0alpha1.Connection, error)
+	Update(ctx context.Context, connection *provisioningv0alpha1.Connection, opts v1.UpdateOptions) (*provisioningv0alpha1.Connection, error)
+	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+	UpdateStatus(ctx context.Context, connection *provisioningv0alpha1.Connection, opts v1.UpdateOptions) (*provisioningv0alpha1.Connection, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*provisioningv0alpha1.Connection, error)
+	List(ctx context.Context, opts v1.ListOptions) (*provisioningv0alpha1.ConnectionList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *provisioningv0alpha1.Connection, err error)
+	Apply(ctx context.Context, connection *applyconfigurationprovisioningv0alpha1.ConnectionApplyConfiguration, opts v1.ApplyOptions) (result *provisioningv0alpha1.Connection, err error)
+	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+	ApplyStatus(ctx context.Context, connection *applyconfigurationprovisioningv0alpha1.ConnectionApplyConfiguration, opts v1.ApplyOptions) (result *provisioningv0alpha1.Connection, err error)
+	ConnectionExpansion
+}
+
+// connections implements ConnectionInterface
+type connections struct {
+	*gentype.ClientWithListAndApply[*provisioningv0alpha1.Connection, *provisioningv0alpha1.ConnectionList, *applyconfigurationprovisioningv0alpha1.ConnectionApplyConfiguration]
+}
+
+// newConnections returns a Connections
+func newConnections(c *ProvisioningV0alpha1Client, namespace string) *connections {
+	return &connections{
+		gentype.NewClientWithListAndApply[*provisioningv0alpha1.Connection, *provisioningv0alpha1.ConnectionList, *applyconfigurationprovisioningv0alpha1.ConnectionApplyConfiguration](
+			"connections",
+			c.RESTClient(),
+			scheme.ParameterCodec,
+			namespace,
+			func() *provisioningv0alpha1.Connection { return &provisioningv0alpha1.Connection{} },
+			func() *provisioningv0alpha1.ConnectionList { return &provisioningv0alpha1.ConnectionList{} },
+		),
+	}
+}

apps/provisioning/pkg/generated/clientset/versioned/typed/provisioning/v0alpha1/fake/fake_connection.go

@@ -0,0 +1,37 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	provisioningv0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1"
+	typedprovisioningv0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/generated/clientset/versioned/typed/provisioning/v0alpha1"
+	gentype "k8s.io/client-go/gentype"
+)
+
+// fakeConnections implements ConnectionInterface
+type fakeConnections struct {
+	*gentype.FakeClientWithListAndApply[*v0alpha1.Connection, *v0alpha1.ConnectionList, *provisioningv0alpha1.ConnectionApplyConfiguration]
+	Fake *FakeProvisioningV0alpha1
+}
+
+func newFakeConnections(fake *FakeProvisioningV0alpha1, namespace string) typedprovisioningv0alpha1.ConnectionInterface {
+	return &fakeConnections{
+		gentype.NewFakeClientWithListAndApply[*v0alpha1.Connection, *v0alpha1.ConnectionList, *provisioningv0alpha1.ConnectionApplyConfiguration](
+			fake.Fake,
+			namespace,
+			v0alpha1.SchemeGroupVersion.WithResource("connections"),
+			v0alpha1.SchemeGroupVersion.WithKind("Connection"),
+			func() *v0alpha1.Connection { return &v0alpha1.Connection{} },
+			func() *v0alpha1.ConnectionList { return &v0alpha1.ConnectionList{} },
+			func(dst, src *v0alpha1.ConnectionList) { dst.ListMeta = src.ListMeta },
+			func(list *v0alpha1.ConnectionList) []*v0alpha1.Connection { return gentype.ToPointerSlice(list.Items) },
+			func(list *v0alpha1.ConnectionList, items []*v0alpha1.Connection) {
+				list.Items = gentype.FromPointerSlice(items)
+			},
+		),
+		fake,
+	}
+}

apps/provisioning/pkg/generated/clientset/versioned/typed/provisioning/v0alpha1/fake/fake_provisioning_client.go

@@ -14,6 +14,10 @@ type FakeProvisioningV0alpha1 struct {
 	*testing.Fake
 }
 
+func (c *FakeProvisioningV0alpha1) Connections(namespace string) v0alpha1.ConnectionInterface {
+	return newFakeConnections(c, namespace)
+}
+
 func (c *FakeProvisioningV0alpha1) HistoricJobs(namespace string) v0alpha1.HistoricJobInterface {
 	return newFakeHistoricJobs(c, namespace)
 }

apps/provisioning/pkg/generated/clientset/versioned/typed/provisioning/v0alpha1/generated_expansion.go

@@ -4,6 +4,8 @@
 
 package v0alpha1
 
+type ConnectionExpansion interface{}
+
 type HistoricJobExpansion interface{}
 
 type JobExpansion interface{}

apps/provisioning/pkg/generated/clientset/versioned/typed/provisioning/v0alpha1/provisioning_client.go

@@ -14,6 +14,7 @@ import (
 
 type ProvisioningV0alpha1Interface interface {
 	RESTClient() rest.Interface
+	ConnectionsGetter
 	HistoricJobsGetter
 	JobsGetter
 	RepositoriesGetter
@@ -24,6 +25,10 @@ type ProvisioningV0alpha1Client struct {
 	restClient rest.Interface
 }
 
+func (c *ProvisioningV0alpha1Client) Connections(namespace string) ConnectionInterface {
+	return newConnections(c, namespace)
+}
+
 func (c *ProvisioningV0alpha1Client) HistoricJobs(namespace string) HistoricJobInterface {
 	return newHistoricJobs(c, namespace)
 }

apps/provisioning/pkg/generated/informers/externalversions/generic.go

@@ -39,6 +39,8 @@ func (f *genericInformer) Lister() cache.GenericLister {
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
 	// Group=provisioning.grafana.app, Version=v0alpha1
+	case v0alpha1.SchemeGroupVersion.WithResource("connections"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Provisioning().V0alpha1().Connections().Informer()}, nil
 	case v0alpha1.SchemeGroupVersion.WithResource("historicjobs"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Provisioning().V0alpha1().HistoricJobs().Informer()}, nil
 	case v0alpha1.SchemeGroupVersion.WithResource("jobs"):

apps/provisioning/pkg/generated/informers/externalversions/provisioning/v0alpha1/connection.go

@@ -0,0 +1,88 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	context "context"
+	time "time"
+
+	apisprovisioningv0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	versioned "github.com/grafana/grafana/apps/provisioning/pkg/generated/clientset/versioned"
+	internalinterfaces "github.com/grafana/grafana/apps/provisioning/pkg/generated/informers/externalversions/internalinterfaces"
+	provisioningv0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/generated/listers/provisioning/v0alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// ConnectionInformer provides access to a shared informer and lister for
+// Connections.
+type ConnectionInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() provisioningv0alpha1.ConnectionLister
+}
+
+type connectionInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewConnectionInformer constructs a new informer for Connection type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewConnectionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredConnectionInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredConnectionInformer constructs a new informer for Connection type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredConnectionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ProvisioningV0alpha1().Connections(namespace).List(context.Background(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ProvisioningV0alpha1().Connections(namespace).Watch(context.Background(), options)
+			},
+			ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ProvisioningV0alpha1().Connections(namespace).List(ctx, options)
+			},
+			WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ProvisioningV0alpha1().Connections(namespace).Watch(ctx, options)
+			},
+		},
+		&apisprovisioningv0alpha1.Connection{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *connectionInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredConnectionInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *connectionInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&apisprovisioningv0alpha1.Connection{}, f.defaultInformer)
+}
+
+func (f *connectionInformer) Lister() provisioningv0alpha1.ConnectionLister {
+	return provisioningv0alpha1.NewConnectionLister(f.Informer().GetIndexer())
+}

apps/provisioning/pkg/generated/informers/externalversions/provisioning/v0alpha1/interface.go

@@ -10,6 +10,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
+	// Connections returns a ConnectionInformer.
+	Connections() ConnectionInformer
 	// HistoricJobs returns a HistoricJobInformer.
 	HistoricJobs() HistoricJobInformer
 	// Jobs returns a JobInformer.
@@ -29,6 +31,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
+// Connections returns a ConnectionInformer.
+func (v *version) Connections() ConnectionInformer {
+	return &connectionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
 // HistoricJobs returns a HistoricJobInformer.
 func (v *version) HistoricJobs() HistoricJobInformer {
 	return &historicJobInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

apps/provisioning/pkg/generated/listers/provisioning/v0alpha1/connection.go

@@ -0,0 +1,56 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v0alpha1
+
+import (
+	provisioningv0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	listers "k8s.io/client-go/listers"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// ConnectionLister helps list Connections.
+// All objects returned here must be treated as read-only.
+type ConnectionLister interface {
+	// List lists all Connections in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*provisioningv0alpha1.Connection, err error)
+	// Connections returns an object that can list and get Connections.
+	Connections(namespace string) ConnectionNamespaceLister
+	ConnectionListerExpansion
+}
+
+// connectionLister implements the ConnectionLister interface.
+type connectionLister struct {
+	listers.ResourceIndexer[*provisioningv0alpha1.Connection]
+}
+
+// NewConnectionLister returns a new ConnectionLister.
+func NewConnectionLister(indexer cache.Indexer) ConnectionLister {
+	return &connectionLister{listers.New[*provisioningv0alpha1.Connection](indexer, provisioningv0alpha1.Resource("connection"))}
+}
+
+// Connections returns an object that can list and get Connections.
+func (s *connectionLister) Connections(namespace string) ConnectionNamespaceLister {
+	return connectionNamespaceLister{listers.NewNamespaced[*provisioningv0alpha1.Connection](s.ResourceIndexer, namespace)}
+}
+
+// ConnectionNamespaceLister helps list and get Connections.
+// All objects returned here must be treated as read-only.
+type ConnectionNamespaceLister interface {
+	// List lists all Connections in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*provisioningv0alpha1.Connection, err error)
+	// Get retrieves the Connection from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*provisioningv0alpha1.Connection, error)
+	ConnectionNamespaceListerExpansion
+}
+
+// connectionNamespaceLister implements the ConnectionNamespaceLister
+// interface.
+type connectionNamespaceLister struct {
+	listers.ResourceIndexer[*provisioningv0alpha1.Connection]
+}

apps/provisioning/pkg/generated/listers/provisioning/v0alpha1/expansion_generated.go

@@ -4,6 +4,14 @@
 
 package v0alpha1
 
+// ConnectionListerExpansion allows custom methods to be added to
+// ConnectionLister.
+type ConnectionListerExpansion interface{}
+
+// ConnectionNamespaceListerExpansion allows custom methods to be added to
+// ConnectionNamespaceLister.
+type ConnectionNamespaceListerExpansion interface{}
+
 // HistoricJobListerExpansion allows custom methods to be added to
 // HistoricJobLister.
 type HistoricJobListerExpansion interface{}

apps/provisioning/pkg/repository/git/git_repository_mock.go

@@ -179,21 +179,8 @@ func (_c *MockGitRepository_Config_Call) RunAndReturn(run func() *v0alpha1.Repos
 }
 
 // Create provides a mock function with given fields: ctx, path, ref, data, message
-func (_m *MockGitRepository) Create(ctx context.Context, path string, ref string, data []byte, message string) error {
-	ret := _m.Called(ctx, path, ref, data, message)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Create")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, []byte, string) error); ok {
-		r0 = rf(ctx, path, ref, data, message)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
+func (_m *MockGitRepository) Create(ctx context.Context, path string, ref string, data []byte, message string) (*repository.FileInfo, error) {
+	return nil, nil
 }
 
 // MockGitRepository_Create_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Create'
@@ -945,21 +932,8 @@ func (_c *MockGitRepository_URL_Call) RunAndReturn(run func() string) *MockGitRe
 }
 
 // Update provides a mock function with given fields: ctx, path, ref, data, message
-func (_m *MockGitRepository) Update(ctx context.Context, path string, ref string, data []byte, message string) error {
-	ret := _m.Called(ctx, path, ref, data, message)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Update")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, []byte, string) error); ok {
-		r0 = rf(ctx, path, ref, data, message)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
+func (_m *MockGitRepository) Update(ctx context.Context, path string, ref string, data []byte, message string) (*repository.FileInfo, error) {
+	return nil, nil
 }
 
 // MockGitRepository_Update_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Update'
@@ -1042,21 +1016,8 @@ func (_c *MockGitRepository_Validate_Call) RunAndReturn(run func() field.ErrorLi
 }
 
 // Write provides a mock function with given fields: ctx, path, ref, data, message
-func (_m *MockGitRepository) Write(ctx context.Context, path string, ref string, data []byte, message string) error {
-	ret := _m.Called(ctx, path, ref, data, message)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Write")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, []byte, string) error); ok {
-		r0 = rf(ctx, path, ref, data, message)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
+func (_m *MockGitRepository) Write(ctx context.Context, path string, ref string, data []byte, message string) (*repository.FileInfo, error) {
+	return nil, nil
 }
 
 // MockGitRepository_Write_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Write'

apps/provisioning/pkg/repository/git/repository.go

@@ -316,26 +316,27 @@ func (r *gitRepository) ReadTree(ctx context.Context, ref string) ([]repository.
 	return entries, nil
 }
 
-func (r *gitRepository) Create(ctx context.Context, path, ref string, data []byte, comment string) error {
+func (r *gitRepository) Create(ctx context.Context, path, ref string, data []byte, comment string) (*repository.FileInfo, error) {
 	if ref == "" {
 		ref = r.gitConfig.Branch
 	}
 	ctx, _ = r.withGitContext(ctx, ref)
 	branchRef, err := r.ensureBranchExists(ctx, ref)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	writer, err := r.client.NewStagedWriter(ctx, branchRef)
 	if err != nil {
-		return fmt.Errorf("create staged writer: %w", err)
+		return nil, fmt.Errorf("create staged writer: %w", err)
 	}
 
 	if err := r.create(ctx, path, data, writer); err != nil {
-		return err
+		return nil, err
 	}
 
-	return r.commitAndPush(ctx, writer, comment)
+	// ???? or can we hash directly?
+	return r.Read(ctx, path, ref)
 }
 
 func (r *gitRepository) create(ctx context.Context, path string, data []byte, writer nanogit.StagedWriter) error {
@@ -361,7 +362,7 @@ func (r *gitRepository) create(ctx context.Context, path string, data []byte, wr
 	return nil
 }
 
-func (r *gitRepository) Update(ctx context.Context, path, ref string, data []byte, comment string) error {
+func (r *gitRepository) Update(ctx context.Context, path, ref string, data []byte, comment string) (*repository.FileInfo, error) {
 	if ref == "" {
 		ref = r.gitConfig.Branch
 	}
@@ -369,24 +370,29 @@ func (r *gitRepository) Update(ctx context.Context, path, ref string, data []byt
 
 	// Check if trying to update a directory
 	if safepath.IsDir(path) {
-		return apierrors.NewBadRequest("cannot update a directory")
+		return nil, apierrors.NewBadRequest("cannot update a directory")
 	}
 
 	branchRef, err := r.ensureBranchExists(ctx, ref)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	// Create a staged writer
 	writer, err := r.client.NewStagedWriter(ctx, branchRef)
 	if err != nil {
-		return fmt.Errorf("create staged writer: %w", err)
+		return nil, fmt.Errorf("create staged writer: %w", err)
 	}
 
 	if err := r.update(ctx, path, data, writer); err != nil {
-		return err
+		return nil, err
 	}
 
-	return r.commitAndPush(ctx, writer, comment)
+	if err := r.commitAndPush(ctx, writer, comment); err != nil {
+		return nil, err
+	}
+
+	// ???? or can we hash directly?
+	return r.Read(ctx, path, ref)
 }
 
 func (r *gitRepository) update(ctx context.Context, path string, data []byte, writer nanogit.StagedWriter) error {
@@ -407,7 +413,7 @@ func (r *gitRepository) update(ctx context.Context, path string, data []byte, wr
 	return nil
 }
 
-func (r *gitRepository) Write(ctx context.Context, path string, ref string, data []byte, message string) error {
+func (r *gitRepository) Write(ctx context.Context, path string, ref string, data []byte, message string) (*repository.FileInfo, error) {
 	if ref == "" {
 		ref = r.gitConfig.Branch
 	}
@@ -415,12 +421,12 @@ func (r *gitRepository) Write(ctx context.Context, path string, ref string, data
 	ctx, _ = r.withGitContext(ctx, ref)
 	info, err := r.Read(ctx, path, ref)
 	if err != nil && !(errors.Is(err, repository.ErrFileNotFound)) {
-		return fmt.Errorf("check if file exists before writing: %w", err)
+		return nil, fmt.Errorf("check if file exists before writing: %w", err)
 	}
 	if err == nil {
 		// If the value already exists and is the same, we don't need to do anything
 		if bytes.Equal(info.Data, data) {
-			return nil
+			return info, nil
 		}
 		return r.Update(ctx, path, ref, data, message)
 	}

apps/provisioning/pkg/repository/git/repository_test.go

@@ -939,7 +939,7 @@ func TestGitRepository_Create(t *testing.T) {
 				},
 			}
 
-			err := gitRepo.Create(context.Background(), tt.path, tt.ref, tt.data, tt.comment)
+			_, err := gitRepo.Create(context.Background(), tt.path, tt.ref, tt.data, tt.comment)
 
 			if tt.wantError {
 				require.Error(t, err)
@@ -1042,7 +1042,7 @@ func TestGitRepository_Update(t *testing.T) {
 				},
 			}
 
-			err := gitRepo.Update(context.Background(), tt.path, tt.ref, tt.data, tt.comment)
+			_, err := gitRepo.Update(context.Background(), tt.path, tt.ref, tt.data, tt.comment)
 
 			if tt.wantError {
 				require.Error(t, err)
@@ -1461,7 +1461,7 @@ func TestGitRepository_Write(t *testing.T) {
 				},
 			}
 
-			err := gitRepo.Write(context.Background(), tt.path, tt.ref, tt.data, tt.message)
+			_, err := gitRepo.Write(context.Background(), tt.path, tt.ref, tt.data, tt.message)
 
 			if tt.wantError {
 				require.Error(t, err)
@@ -2273,7 +2273,7 @@ func TestGitRepository_EdgeCases(t *testing.T) {
 			},
 		}
 
-		err := gitRepo.Create(context.Background(), "newdir/", "main", []byte("data"), "comment")
+		_, err := gitRepo.Create(context.Background(), "newdir/", "main", []byte("data"), "comment")
 
 		// This should fail because we're providing data for a directory
 		require.Error(t, err)
@@ -2288,7 +2288,7 @@ func TestGitRepository_EdgeCases(t *testing.T) {
 			},
 		}
 
-		err := gitRepo.Update(context.Background(), "directory/", "main", []byte("data"), "comment")
+		_, err := gitRepo.Update(context.Background(), "directory/", "main", []byte("data"), "comment")
 
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "cannot update a directory")
@@ -2311,7 +2311,7 @@ func TestGitRepository_EdgeCases(t *testing.T) {
 			},
 		}
 
-		err := gitRepo.Write(context.Background(), "test.yaml", "main", []byte("data"), "message")
+		_, err := gitRepo.Write(context.Background(), "test.yaml", "main", []byte("data"), "message")
 
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "check if file exists before writing")
@@ -3008,7 +3008,7 @@ func TestGitRepository_Create_ErrorConditions(t *testing.T) {
 				},
 			}
 
-			err := gitRepo.Create(context.Background(), "test.yaml", "main", []byte("content"), "comment")
+			_, err := gitRepo.Create(context.Background(), "test.yaml", "main", []byte("content"), "comment")
 
 			if tt.wantError {
 				require.Error(t, err)
@@ -3073,7 +3073,7 @@ func TestGitRepository_Update_ErrorConditions(t *testing.T) {
 				},
 			}
 
-			err := gitRepo.Update(context.Background(), "test.yaml", "main", []byte("content"), "comment")
+			_, err := gitRepo.Update(context.Background(), "test.yaml", "main", []byte("content"), "comment")
 
 			if tt.wantError {
 				require.Error(t, err)
@@ -3266,9 +3266,9 @@ func TestGitRepository_EmptyRefHandling(t *testing.T) {
 			var err error
 			switch tt.method {
 			case "Create":
-				err = gitRepo.Create(context.Background(), "test.yaml", "", []byte("content"), "comment")
+				_, err = gitRepo.Create(context.Background(), "test.yaml", "", []byte("content"), "comment")
 			case "Update":
-				err = gitRepo.Update(context.Background(), "test.yaml", "", []byte("content"), "comment")
+				_, err = gitRepo.Update(context.Background(), "test.yaml", "", []byte("content"), "comment")
 			case "Delete":
 				err = gitRepo.Delete(context.Background(), "test.yaml", "", "comment")
 			}
@@ -3428,7 +3428,7 @@ func TestGitRepository_Update_EnsureBranchExistsError(t *testing.T) {
 		},
 	}
 
-	err := gitRepo.Update(context.Background(), "test.yaml", "feature", []byte("content"), "comment")
+	_, err := gitRepo.Update(context.Background(), "test.yaml", "feature", []byte("content"), "comment")
 
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "branch error")
@@ -3451,7 +3451,7 @@ func TestGitRepository_Create_EnsureBranchExistsError(t *testing.T) {
 		},
 	}
 
-	err := gitRepo.Create(context.Background(), "test.yaml", "feature", []byte("content"), "comment")
+	_, err := gitRepo.Create(context.Background(), "test.yaml", "feature", []byte("content"), "comment")
 
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "branch error")
@@ -3538,7 +3538,7 @@ func TestGitRepository_Write_DefaultRef(t *testing.T) {
 	}
 
 	// Test Write with empty ref to trigger default branch usage
-	err := gitRepo.Write(context.Background(), "test.yaml", "", []byte("content"), "message")
+	_, err := gitRepo.Write(context.Background(), "test.yaml", "", []byte("content"), "message")
 
 	require.NoError(t, err)
 }

apps/provisioning/pkg/repository/git/staged.go

@@ -121,16 +121,20 @@ func (r *stagedGitRepository) handleCommitAndPush(ctx context.Context, message s
 	}
 }
 
-func (r *stagedGitRepository) Create(ctx context.Context, path, ref string, data []byte, message string) error {
+func (r *stagedGitRepository) Create(ctx context.Context, path, ref string, data []byte, message string) (*repository.FileInfo, error) {
 	if !r.isRefSupported(ref) {
-		return errors.New("ref is not supported for staged repository")
+		return nil, errors.New("ref is not supported for staged repository")
 	}
 
 	if err := r.create(ctx, path, data, r.writer); err != nil {
-		return err
+		return nil, err
 	}
 
-	return r.handleCommitAndPush(ctx, message)
+	if err := r.handleCommitAndPush(ctx, message); err != nil {
+		return nil, err
+	}
+
+	return r.Read(ctx, path, ref) // ??? or
 }
 
 func (r *stagedGitRepository) blobExists(ctx context.Context, path string) (bool, error) {
@@ -140,43 +144,51 @@ func (r *stagedGitRepository) blobExists(ctx context.Context, path string) (bool
 	return r.writer.BlobExists(ctx, path)
 }
 
-func (r *stagedGitRepository) Write(ctx context.Context, path, ref string, data []byte, message string) error {
+func (r *stagedGitRepository) Write(ctx context.Context, path, ref string, data []byte, message string) (*repository.FileInfo, error) {
 	if !r.isRefSupported(ref) {
-		return errors.New("ref is not supported for staged repository")
+		return nil, errors.New("ref is not supported for staged repository")
 	}
 
 	exists, err := r.blobExists(ctx, path)
 	if err != nil {
-		return fmt.Errorf("check if file exists: %w", err)
+		return nil, fmt.Errorf("check if file exists: %w", err)
 	}
 
 	if exists {
 		if err := r.update(ctx, path, data, r.writer); err != nil {
-			return err
+			return nil, err
 		}
 	} else {
 		if err := r.create(ctx, path, data, r.writer); err != nil {
-			return err
+			return nil, err
 		}
 	}
 
-	return r.handleCommitAndPush(ctx, message)
+	if err := r.handleCommitAndPush(ctx, message); err != nil {
+		return nil, err
+	}
+
+	return r.Read(ctx, path, ref) // ??? or
 }
 
-func (r *stagedGitRepository) Update(ctx context.Context, path, ref string, data []byte, message string) error {
+func (r *stagedGitRepository) Update(ctx context.Context, path, ref string, data []byte, message string) (*repository.FileInfo, error) {
 	if !r.isRefSupported(ref) {
-		return errors.New("ref is not supported for staged repository")
+		return nil, errors.New("ref is not supported for staged repository")
 	}
 
 	if safepath.IsDir(path) {
-		return errors.New("cannot update a directory in a staged repository")
+		return nil, errors.New("cannot update a directory in a staged repository")
 	}
 
 	if err := r.update(ctx, path, data, r.writer); err != nil {
-		return err
+		return nil, err
 	}
 
-	return r.handleCommitAndPush(ctx, message)
+	if err := r.handleCommitAndPush(ctx, message); err != nil {
+		return nil, err
+	}
+
+	return r.Read(ctx, path, ref) // ??? or
 }
 
 func (r *stagedGitRepository) Delete(ctx context.Context, path, ref, message string) error {

apps/provisioning/pkg/repository/git/staged_test.go

@@ -8,12 +8,13 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/require"
+
 	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository"
 	"github.com/grafana/nanogit"
 	"github.com/grafana/nanogit/mocks"
 	"github.com/grafana/nanogit/protocol/hash"
-	"github.com/stretchr/testify/require"
 )
 
 func TestNewStagedGitRepository(t *testing.T) {
@@ -515,7 +516,7 @@ func TestStagedGitRepository_Create(t *testing.T) {
 
 			stagedRepo := createTestStagedRepositoryWithWriter(mockWriter, tt.opts)
 
-			err := stagedRepo.Create(context.Background(), tt.path, tt.ref, tt.data, tt.message)
+			_, err := stagedRepo.Create(context.Background(), tt.path, tt.ref, tt.data, tt.message)
 
 			if tt.wantError != nil {
 				require.EqualError(t, err, tt.wantError.Error())
@@ -688,7 +689,7 @@ func TestStagedGitRepository_Write(t *testing.T) {
 
 			stagedRepo := createTestStagedRepositoryWithWriter(mockWriter, tt.opts)
 
-			err := stagedRepo.Write(context.Background(), tt.path, tt.ref, tt.data, tt.message)
+			_, err := stagedRepo.Write(context.Background(), tt.path, tt.ref, tt.data, tt.message)
 
 			if tt.wantError != nil {
 				require.EqualError(t, err, tt.wantError.Error())
@@ -817,7 +818,7 @@ func TestStagedGitRepository_Update(t *testing.T) {
 
 			stagedRepo := createTestStagedRepositoryWithWriter(mockWriter, tt.opts)
 
-			err := stagedRepo.Update(context.Background(), tt.path, tt.ref, tt.data, tt.message)
+			_, err := stagedRepo.Update(context.Background(), tt.path, tt.ref, tt.data, tt.message)
 
 			if tt.wantError != nil {
 				require.EqualError(t, err, tt.wantError.Error())

apps/provisioning/pkg/repository/github/github_repository_mock.go

@@ -181,21 +181,8 @@ func (_c *MockGithubRepository_Config_Call) RunAndReturn(run func() *v0alpha1.Re
 }
 
 // Create provides a mock function with given fields: ctx, path, ref, data, message
-func (_m *MockGithubRepository) Create(ctx context.Context, path string, ref string, data []byte, message string) error {
-	ret := _m.Called(ctx, path, ref, data, message)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Create")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, []byte, string) error); ok {
-		r0 = rf(ctx, path, ref, data, message)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
+func (_m *MockGithubRepository) Create(ctx context.Context, path string, ref string, data []byte, message string) (*repository.FileInfo, error) {
+	return nil, nil
 }
 
 // MockGithubRepository_Create_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Create'
@@ -948,21 +935,8 @@ func (_c *MockGithubRepository_Test_Call) RunAndReturn(run func(context.Context)
 }
 
 // Update provides a mock function with given fields: ctx, path, ref, data, message
-func (_m *MockGithubRepository) Update(ctx context.Context, path string, ref string, data []byte, message string) error {
-	ret := _m.Called(ctx, path, ref, data, message)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Update")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, []byte, string) error); ok {
-		r0 = rf(ctx, path, ref, data, message)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
+func (_m *MockGithubRepository) Update(ctx context.Context, path string, ref string, data []byte, message string) (*repository.FileInfo, error) {
+	return nil, nil
 }
 
 // MockGithubRepository_Update_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Update'
@@ -1045,21 +1019,8 @@ func (_c *MockGithubRepository_Validate_Call) RunAndReturn(run func() field.Erro
 }
 
 // Write provides a mock function with given fields: ctx, path, ref, data, message
-func (_m *MockGithubRepository) Write(ctx context.Context, path string, ref string, data []byte, message string) error {
-	ret := _m.Called(ctx, path, ref, data, message)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Write")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, []byte, string) error); ok {
-		r0 = rf(ctx, path, ref, data, message)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
+func (_m *MockGithubRepository) Write(ctx context.Context, path string, ref string, data []byte, message string) (*repository.FileInfo, error) {
+	return nil, nil
 }
 
 // MockGithubRepository_Write_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Write'

apps/provisioning/pkg/repository/github/repository_test.go

@@ -987,7 +987,7 @@ func TestGitHubRepositoryDelegation(t *testing.T) {
 			GitRepository: mockGitRepo,
 		}
 
-		err := repo.Create(ctx, "new-file.yaml", "main", data, "Create new file")
+		_, err := repo.Create(ctx, "new-file.yaml", "main", data, "Create new file")
 		require.NoError(t, err)
 		mockGitRepo.AssertExpectations(t)
 	})
@@ -1002,7 +1002,7 @@ func TestGitHubRepositoryDelegation(t *testing.T) {
 			GitRepository: mockGitRepo,
 		}
 
-		err := repo.Update(ctx, "existing-file.yaml", "main", data, "Update file")
+		_, err := repo.Update(ctx, "existing-file.yaml", "main", data, "Update file")
 		require.NoError(t, err)
 		mockGitRepo.AssertExpectations(t)
 	})
@@ -1017,7 +1017,7 @@ func TestGitHubRepositoryDelegation(t *testing.T) {
 			GitRepository: mockGitRepo,
 		}
 
-		err := repo.Write(ctx, "file.yaml", "main", data, "Write file")
+		_, err := repo.Write(ctx, "file.yaml", "main", data, "Write file")
 		require.NoError(t, err)
 		mockGitRepo.AssertExpectations(t)
 	})

apps/provisioning/pkg/repository/local/local.go

@@ -288,75 +288,87 @@ func (r *localRepository) calculateFileHash(path string) (string, int64, error)
 	return hex.EncodeToString(hasher.Sum(nil)), size, nil
 }
 
-func (r *localRepository) Create(ctx context.Context, filepath string, ref string, data []byte, comment string) error {
+func (r *localRepository) Create(ctx context.Context, filepath string, ref string, data []byte, comment string) (*repository.FileInfo, error) {
 	if err := r.validateRequest(ref); err != nil {
-		return err
+		return nil, err
 	}
 
 	fpath := safepath.Join(r.path, filepath)
 	_, err := os.Stat(fpath)
 	if !errors.Is(err, os.ErrNotExist) {
 		if err != nil {
-			return apierrors.NewInternalError(fmt.Errorf("failed to check if file exists: %w", err))
+			return nil, apierrors.NewInternalError(fmt.Errorf("failed to check if file exists: %w", err))
 		}
-		return apierrors.NewAlreadyExists(schema.GroupResource{}, filepath)
+		return nil, apierrors.NewAlreadyExists(schema.GroupResource{}, filepath)
 	}
 
 	if safepath.IsDir(fpath) {
 		if data != nil {
-			return apierrors.NewBadRequest("data cannot be provided for a directory")
+			return nil, apierrors.NewBadRequest("data cannot be provided for a directory")
 		}
 
 		if err := os.MkdirAll(fpath, 0700); err != nil {
-			return apierrors.NewInternalError(fmt.Errorf("failed to create path: %w", err))
+			return nil, apierrors.NewInternalError(fmt.Errorf("failed to create path: %w", err))
 		}
 
-		return nil
+		return nil, nil
 	}
 
 	if err := os.MkdirAll(path.Dir(fpath), 0700); err != nil {
-		return apierrors.NewInternalError(fmt.Errorf("failed to create path: %w", err))
+		return nil, apierrors.NewInternalError(fmt.Errorf("failed to create path: %w", err))
 	}
 
-	return os.WriteFile(fpath, data, 0600)
+	if err := os.WriteFile(fpath, data, 0600); err != nil {
+		return nil, err
+	}
+
+	return r.Read(ctx, filepath, ref)
 }
 
-func (r *localRepository) Update(ctx context.Context, path string, ref string, data []byte, comment string) error {
+func (r *localRepository) Update(ctx context.Context, path string, ref string, data []byte, comment string) (*repository.FileInfo, error) {
 	if err := r.validateRequest(ref); err != nil {
-		return err
+		return nil, err
 	}
 
 	path = safepath.Join(r.path, path)
 	if safepath.IsDir(path) {
-		return apierrors.NewBadRequest("cannot update a directory")
+		return nil, apierrors.NewBadRequest("cannot update a directory")
 	}
 
 	f, err := os.Stat(path)
 	if err != nil && errors.Is(err, os.ErrNotExist) {
-		return repository.ErrFileNotFound
+		return nil, repository.ErrFileNotFound
 	}
 	if f.IsDir() {
-		return apierrors.NewBadRequest("path exists but it is a directory")
+		return nil, apierrors.NewBadRequest("path exists but it is a directory")
 	}
 
-	return os.WriteFile(path, data, 0600)
+	if err := os.WriteFile(path, data, 0600); err != nil {
+		return nil, err
+	}
+
+	return r.Read(ctx, path, ref)
 }
 
-func (r *localRepository) Write(ctx context.Context, fpath, ref string, data []byte, comment string) error {
+func (r *localRepository) Write(ctx context.Context, fpath, ref string, data []byte, comment string) (*repository.FileInfo, error) {
 	if err := r.validateRequest(ref); err != nil {
-		return err
+		return nil, err
 	}
 
 	fpath = safepath.Join(r.path, fpath)
 	if safepath.IsDir(fpath) {
-		return os.MkdirAll(fpath, 0700)
+		return nil, os.MkdirAll(fpath, 0700)
 	}
 
 	if err := os.MkdirAll(path.Dir(fpath), 0700); err != nil {
-		return apierrors.NewInternalError(fmt.Errorf("failed to create path: %w", err))
+		return nil, apierrors.NewInternalError(fmt.Errorf("failed to create path: %w", err))
 	}
 
-	return os.WriteFile(fpath, data, 0600)
+	if err := os.WriteFile(fpath, data, 0600); err != nil {
+		return nil, err
+	}
+
+	return r.Read(ctx, fpath, ref)
 }
 
 func (r *localRepository) Delete(ctx context.Context, path string, ref string, comment string) error {

apps/provisioning/pkg/repository/local/local_test.go

@@ -776,7 +776,7 @@ func TestLocalRepository_Update(t *testing.T) {
 			_, repo := tc.setup(t)
 
 			// Execute the update operation
-			err := repo.Update(context.Background(), tc.path, tc.ref, tc.data, tc.comment)
+			_, err := repo.Update(context.Background(), tc.path, tc.ref, tc.data, tc.comment)
 
 			// Verify results
 			if tc.expectedErr != nil {
@@ -939,7 +939,7 @@ func TestLocalRepository_Write(t *testing.T) {
 			_, repo := tc.setup(t)
 
 			// Execute the write operation
-			err := repo.Write(context.Background(), tc.path, tc.ref, tc.data, tc.comment)
+			_, err := repo.Write(context.Background(), tc.path, tc.ref, tc.data, tc.comment)
 
 			// Verify results
 			if tc.expectedErr != nil {
@@ -1139,7 +1139,7 @@ func TestLocalRepository_Create(t *testing.T) {
 			_, repo := tc.setup(t)
 
 			// Execute the create operation
-			err := repo.Create(context.Background(), tc.path, tc.ref, tc.data, tc.comment)
+			_, err := repo.Create(context.Background(), tc.path, tc.ref, tc.data, tc.comment)
 
 			// Verify results
 			if tc.expectedErr != nil {

apps/provisioning/pkg/repository/repository.go

@@ -102,15 +102,15 @@ type Writer interface {
 
 	// Write a file to the repository.
 	// The data has already been validated and is ready for save
-	Create(ctx context.Context, path, ref string, data []byte, message string) error
+	Create(ctx context.Context, path, ref string, data []byte, message string) (*FileInfo, error)
 
 	// Update a file in the remote repository
 	// The data has already been validated and is ready for save
-	Update(ctx context.Context, path, ref string, data []byte, message string) error
+	Update(ctx context.Context, path, ref string, data []byte, message string) (*FileInfo, error)
 
 	// Write a file to the repository.
 	// Functionally the same as Read then Create or Update, but more efficient depending on the backend
-	Write(ctx context.Context, path, ref string, data []byte, message string) error
+	Write(ctx context.Context, path, ref string, data []byte, message string) (*FileInfo, error)
 
 	// Delete a file in the remote repository
 	Delete(ctx context.Context, path, ref, message string) error

apps/provisioning/pkg/repository/repository_mock.go

@@ -39,21 +39,8 @@ func (_m *MockRepository) Config() *v0alpha1.Repository {
 }
 
 // Create provides a mock function with given fields: ctx, path, ref, data, message
-func (_m *MockRepository) Create(ctx context.Context, path string, ref string, data []byte, message string) error {
-	ret := _m.Called(ctx, path, ref, data, message)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Create")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, []byte, string) error); ok {
-		r0 = rf(ctx, path, ref, data, message)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
+func (_m *MockRepository) Create(ctx context.Context, path string, ref string, data []byte, message string) (*FileInfo, error) {
+	return nil, nil
 }
 
 // Delete provides a mock function with given fields: ctx, path, ref, message
@@ -195,21 +182,8 @@ func (_m *MockRepository) Test(ctx context.Context) (*v0alpha1.TestResults, erro
 }
 
 // Update provides a mock function with given fields: ctx, path, ref, data, message
-func (_m *MockRepository) Update(ctx context.Context, path string, ref string, data []byte, message string) error {
-	ret := _m.Called(ctx, path, ref, data, message)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Update")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, []byte, string) error); ok {
-		r0 = rf(ctx, path, ref, data, message)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
+func (_m *MockRepository) Update(ctx context.Context, path string, ref string, data []byte, message string) (*FileInfo, error) {
+	return nil, nil
 }
 
 // Validate provides a mock function with no fields
@@ -263,21 +237,8 @@ func (_m *MockRepository) Webhook(ctx context.Context, req *http.Request) (*v0al
 }
 
 // Write provides a mock function with given fields: ctx, path, ref, data, message
-func (_m *MockRepository) Write(ctx context.Context, path string, ref string, data []byte, message string) error {
-	ret := _m.Called(ctx, path, ref, data, message)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Write")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, []byte, string) error); ok {
-		r0 = rf(ctx, path, ref, data, message)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
+func (_m *MockRepository) Write(ctx context.Context, path string, ref string, data []byte, message string) (*FileInfo, error) {
+	return nil, nil
 }
 
 // Move provides a mock function with given fields: ctx, oldPath, newPath, ref, message

apps/provisioning/pkg/repository/staged_repository_mock.go

@@ -72,21 +72,8 @@ func (_c *MockStagedRepository_Config_Call) RunAndReturn(run func() *v0alpha1.Re
 }
 
 // Create provides a mock function with given fields: ctx, path, ref, data, message
-func (_m *MockStagedRepository) Create(ctx context.Context, path string, ref string, data []byte, message string) error {
-	ret := _m.Called(ctx, path, ref, data, message)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Create")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, []byte, string) error); ok {
-		r0 = rf(ctx, path, ref, data, message)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
+func (_m *MockStagedRepository) Create(ctx context.Context, path string, ref string, data []byte, message string) (*FileInfo, error) {
+	return nil, nil
 }
 
 // MockStagedRepository_Create_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Create'
@@ -490,21 +477,8 @@ func (_c *MockStagedRepository_Test_Call) RunAndReturn(run func(context.Context)
 }
 
 // Update provides a mock function with given fields: ctx, path, ref, data, message
-func (_m *MockStagedRepository) Update(ctx context.Context, path string, ref string, data []byte, message string) error {
-	ret := _m.Called(ctx, path, ref, data, message)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Update")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, []byte, string) error); ok {
-		r0 = rf(ctx, path, ref, data, message)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
+func (_m *MockStagedRepository) Update(ctx context.Context, path string, ref string, data []byte, message string) (*FileInfo, error) {
+	return nil, nil
 }
 
 // MockStagedRepository_Update_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Update'
@@ -587,21 +561,8 @@ func (_c *MockStagedRepository_Validate_Call) RunAndReturn(run func() field.Erro
 }
 
 // Write provides a mock function with given fields: ctx, path, ref, data, message
-func (_m *MockStagedRepository) Write(ctx context.Context, path string, ref string, data []byte, message string) error {
-	ret := _m.Called(ctx, path, ref, data, message)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Write")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, []byte, string) error); ok {
-		r0 = rf(ctx, path, ref, data, message)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
+func (_m *MockStagedRepository) Write(ctx context.Context, path string, ref string, data []byte, message string) (*FileInfo, error) {
+	return nil, nil
 }
 
 // MockStagedRepository_Write_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Write'

apps/scope/pkg/apis/scope/v0alpha1/types.go

@@ -211,6 +211,12 @@ type ScopeNavigationSpec struct {
 	Scope string `json:"scope"`
 	// Used to navigate to a sub-scope of the main scope. URL will not be used if this is set.
 	SubScope string `json:"subScope,omitempty"`
+	// Preload the subscope children, as soon as the ScopeNavigation is loaded.
+	PreLoadSubScopeChildren bool `json:"preLoadSubScopeChildren,omitempty"`
+	// Expands to display the subscope children when the ScopeNavigation is loaded.
+	ExpandOnLoad bool `json:"expandOnLoad,omitempty"`
+	// Makes the subscope not selectable, only serving as a way to build the tree.
+	DisableSubScopeSelection bool `json:"disableSubScopeSelection,omitempty"`
 }
 
 // Type of the item.

apps/scope/pkg/apis/scope/v0alpha1/zz_generated.openapi.go

@@ -642,6 +642,27 @@ func schema_pkg_apis_scope_v0alpha1_ScopeNavigationSpec(ref common.ReferenceCall
 							Format:      "",
 						},
 					},
+					"preLoadSubScopeChildren": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Preload the subscope children, as soon as the ScopeNavigation is loaded.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
+					"expandOnLoad": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Expands to display the subscope children when the ScopeNavigation is loaded.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
+					"disableSubScopeSelection": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Makes the subscope not selectable, only serving as a way to build the tree.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
 				},
 				Required: []string{"url", "scope"},
 			},

conf/defaults.ini

@@ -1327,6 +1327,10 @@ alertmanager_max_silences_count =
 # Maximum silence size in bytes. Default: 0 (no limit).
 alertmanager_max_silence_size_bytes =
 
+# Maximum size of the expanded template output in bytes. Default: 10485760 (0 - no limit).
+# The result of template expansion will be truncated to the limit.
+alertmanager_max_template_output_bytes =
+
 # Redis server address or addresses. It can be a single Redis address if using Redis standalone,
 # or a list of comma-separated addresses if using Redis Cluster/Sentinel.
 ha_redis_address =

devenv/scopes/scopes-config.yaml

@@ -125,6 +125,7 @@ navigationTree:
     url: /d/_5rDmaQiz
     scope: shoe-org
     subScope: shoes
+    preLoadSubScopeChildren: true
     children:
       - name: shoes-overview
         title: Overview
@@ -141,6 +142,7 @@ navigationTree:
         url: /d/edediimbjhdz4b
         scope: shoes
         subScope: frontend
+        preLoadSubScopeChildren: true
         children:
           - name: frontend-api
             title: API Metrics
@@ -210,6 +212,7 @@ navigationTree:
     url: /d/UTv--wqMk
     scope: shoe-org
     subScope: apparel
+    disableSubScopeSelection: true
     children:
       - name: apparel-product-overview
         title: Product Overview

devenv/scopes/scopes.go

@@ -77,22 +77,26 @@ type TreeNode struct {
 }
 
 type NavigationConfig struct {
-	URL      string   `yaml:"url"`      // URL path (e.g., /d/abc123 or /explore)
-	Scope    string   `yaml:"scope"`    // Required scope
-	SubScope string   `yaml:"subScope"` // Optional subScope for hierarchical navigation
-	Title    string   `yaml:"title"`    // Display title
-	Groups   []string `yaml:"groups"`   // Optional groups for categorization
+	URL                      string   `yaml:"url"`                      // URL path (e.g., /d/abc123 or /explore)
+	Scope                    string   `yaml:"scope"`                    // Required scope
+	SubScope                 string   `yaml:"subScope"`                 // Optional subScope for hierarchical navigation
+	Title                    string   `yaml:"title"`                    // Display title
+	Groups                   []string `yaml:"groups"`                   // Optional groups for categorization
+	DisableSubScopeSelection bool     `yaml:"disableSubScopeSelection"` // Makes the subscope not selectable
+	PreLoadSubScopeChildren  bool     `yaml:"preLoadSubScopeChildren"`  // Preload children of subScope without updating UI
 }
 
 // NavigationTreeNode represents a node in the navigation tree structure
 type NavigationTreeNode struct {
-	Name     string               `yaml:"name"`
-	Title    string               `yaml:"title"`
-	URL      string               `yaml:"url"`
-	Scope    string               `yaml:"scope"`
-	SubScope string               `yaml:"subScope,omitempty"`
-	Groups   []string             `yaml:"groups,omitempty"`
-	Children []NavigationTreeNode `yaml:"children,omitempty"`
+	Name                     string               `yaml:"name"`
+	Title                    string               `yaml:"title"`
+	URL                      string               `yaml:"url"`
+	Scope                    string               `yaml:"scope"`
+	SubScope                 string               `yaml:"subScope,omitempty"`
+	Groups                   []string             `yaml:"groups,omitempty"`
+	DisableSubScopeSelection bool                 `yaml:"disableSubScopeSelection,omitempty"`
+	PreLoadSubScopeChildren  bool                 `yaml:"preLoadSubScopeChildren,omitempty"` // Preload children of subScope without updating UI
+	Children                 []NavigationTreeNode `yaml:"children,omitempty"`
 }
 
 // Helper function to convert ScopeFilterConfig to v0alpha1.ScopeFilter
@@ -313,8 +317,10 @@ func (c *Client) createScopeNavigation(name string, nav NavigationConfig) error
 	prefixedScope := prefix + "-" + nav.Scope
 
 	spec := v0alpha1.ScopeNavigationSpec{
-		URL:   nav.URL,
-		Scope: prefixedScope,
+		URL:                      nav.URL,
+		Scope:                    prefixedScope,
+		DisableSubScopeSelection: nav.DisableSubScopeSelection,
+		PreLoadSubScopeChildren:  nav.PreLoadSubScopeChildren,
 	}
 
 	if nav.SubScope != "" {
@@ -350,14 +356,14 @@ func (c *Client) createScopeNavigation(name string, nav NavigationConfig) error
 		return err
 	}
 
+	// Get the created resource to retrieve its resourceVersion for status update
+	createdNav, err := c.getScopeNavigation(prefixedName)
+	if err != nil {
+		return fmt.Errorf("failed to get created navigation: %w", err)
+	}
+
 	// Update status in a second request (status is a subresource)
 	if nav.Title != "" || len(nav.Groups) > 0 {
-		// Get the created resource to retrieve its resourceVersion and existing spec
-		createdNav, err := c.getScopeNavigation(prefixedName)
-		if err != nil {
-			return fmt.Errorf("failed to get created navigation: %w", err)
-		}
-
 		statusResource := v0alpha1.ScopeNavigation{
 			TypeMeta: metav1.TypeMeta{
 				APIVersion: apiVersion,
@@ -404,9 +410,11 @@ func treeToNavigations(node NavigationTreeNode, parentPath []string, dashboardCo
 
 	// Create navigation for this node
 	nav := NavigationConfig{
-		URL:   url,
-		Scope: node.Scope,
-		Title: node.Title,
+		URL:                      url,
+		Scope:                    node.Scope,
+		Title:                    node.Title,
+		DisableSubScopeSelection: node.DisableSubScopeSelection,
+		PreLoadSubScopeChildren:  node.PreLoadSubScopeChildren,
 	}
 	if node.SubScope != "" {
 		nav.SubScope = node.SubScope

docs/sources/administration/plugin-management/plugin-install.md

@@ -21,11 +21,28 @@ weight: 120
 
 # Install a plugin
 
-Besides the UI, you can use alternative methods to install a plugin depending on your environment or set-up.
+{{< admonition type="note" >}}
+
+Installing plugins from the Grafana website into a Grafana Cloud instance will be removed in February 2026.
+
+If you're a Grafana Cloud user, follow [Install a plugin through the Grafana UI](#install-a-plugin-through-the-grafana-uiinstall-a-plugin-through-the-grafana-ui) instead.
+
+{{< /admonition >}}
+
+## Install a plugin through the Grafana UI
+
+The most common way to install a plugin is through the Grafana UI.
+
+1. In Grafana, click **Administration > Plugins and data > Plugins** in the side navigation menu to view all plugins.
+1. Browse and find a plugin.
+1. Click the plugin's logo.
+1. Click **Install**.
+
+You can use use the following alternative methods to install a plugin depending on your environment or setup.
 
 ## Install a plugin using Grafana CLI
 
-The Grafana CLI allows you to install, upgrade, and manage your Grafana plugins using a command line tool. For more information about Grafana CLI plugin commands, refer to [Plugin commands](/docs/grafana/<GRAFANA_VERSION>/cli/#plugins-commands).
+The Grafana CLI allows you to install, upgrade, and manage your Grafana plugins using a command line tool. For more information about Grafana CLI plugin commands, refer to [Plugin commands](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/cli/#plugins-commands).
 
 ## Install a plugin from a ZIP file
 

docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md

@@ -44,7 +44,7 @@ refs:
       destination: /docs/grafana-cloud/alerting-and-irm/oncall/user-and-team-management/#available-grafana-oncall-rbac-roles--granted-actions
 ---
 
-# RBAC role definitions
+# Grafana RBAC role definitions
 
 {{< admonition type="note" >}}
 Available in [Grafana Enterprise](/docs/grafana/<GRAFANA_VERSION>/introduction/grafana-enterprise/) and [Grafana Cloud](/docs/grafana-cloud).
@@ -59,7 +59,7 @@ The following tables list permissions associated with basic and fixed roles. Thi
 | Grafana Admin                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | `basic_grafana_admin`                                                                                                                                    |
 | `fixed:authentication.config:writer`<br>`fixed:general.auth.config:writer`<br>`fixed:ldap:writer`<br>`fixed:licensing:writer`<br>`fixed:migrationassistant:migrator`<br>`fixed:org.users:writer`<br>`fixed:organization:maintainer`<br>`fixed:plugins:maintainer`<br>`fixed:provisioning:writer`<br>`fixed:roles:writer`<br>`fixed:settings:reader`<br>`fixed:settings:writer`<br>`fixed:stats:reader`<br>`fixed:support.bundles:writer`<br>`fixed:usagestats:reader`<br>`fixed:users:writer` | Default [Grafana server administrator](/docs/grafana/<GRAFANA_VERSION>/administration/roles-and-permissions/#grafana-server-administrators) assignments. |
 | Admin                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | `basic_admin`                                                                                                                                            | All roles assigned to Editor and `fixed:reports:writer` <br>`fixed:datasources:writer`<br>`fixed:organization:writer`<br>`fixed:datasources.permissions:writer`<br>`fixed:teams:writer`<br>`fixed:dashboards:writer`<br>`fixed:dashboards.permissions:writer`<br>`fixed:dashboards.public:writer`<br>`fixed:folders:writer`<br>`fixed:folders.permissions:writer`<br>`fixed:alerting:writer`<br>`fixed:alerting.provisioning.secrets:reader`<br>`fixed:alerting.provisioning:writer`<br>`fixed:datasources.caching:writer`<br>`fixed:plugins:writer`<br>`fixed:library.panels:writer` | Default [Grafana organization administrator](ref:rbac-basic-roles) assignments. |
-| Editor                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | `basic_editor`                                                                                                                                           | All roles assigned to Viewer and `fixed:datasources:explorer` <br>`fixed:dashboards:creator`<br>`fixed:folders:creator`<br>`fixed:annotations:writer`<br>`fixed:alerting:writer`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:general.writer`<br>`fixed:alerting.provisioning.status:writer`                                                                                                                                                                                                                                                                            | Default [Editor](ref:rbac-basic-roles) assignments.                             |
+| Editor                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | `basic_editor`                                                                                                                                           | All roles assigned to Viewer and `fixed:datasources:explorer` <br>`fixed:dashboards:creator`<br>`fixed:folders:creator`<br>`fixed:annotations:writer`<br>`fixed:alerting:writer`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:general.writer`<br>`fixed:alerting.provisioning.provenance:writer`                                                                                                                                                                                                                                                                        | Default [Editor](ref:rbac-basic-roles) assignments.                             |
 | Viewer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | `basic_viewer`                                                                                                                                           | `fixed:datasources.id:reader`<br>`fixed:organization:reader`<br>`fixed:annotations:reader`<br>`fixed:annotations.dashboard:writer`<br>`fixed:alerting:reader`<br>`fixed:plugins.app:reader`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:library.panels:general.reader`<br>`fixed:folders.general:reader`<br>`fixed:datasources.builtin:reader`                                                                                                                                                                                             | Default [Viewer](ref:rbac-basic-roles) assignments.                             |
 | No Basic Role                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | n/a                                                                                                                                                      |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Default [No Basic Role](ref:rbac-basic-roles)                                   |
 
@@ -74,86 +74,86 @@ These UUIDs won't be available if your instance was created before Grafana v10.2
 To learn how to use the roles API to determine the role UUIDs, refer to [Manage RBAC roles](ref:rbac-manage-rbac-roles).
 {{< /admonition >}}
 
-| Fixed role                                   | UUID                                | Permissions                                                                                                                                                                                                                                                                 | Description                                                                                                                                                                                                                                                                           |
-| -------------------------------------------- | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `fixed:alerting:reader`                      | `fixed_O2oP1_uBFozI2i93klAkcvEWR30` | All permissions from `fixed:alerting.rules:reader` <br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader`                                                                                                                                           | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules\*, alerts, contact points, and notification policies.[\*](#alerting-roles)                                                                                                                            |
-| `fixed:alerting:writer`                      | `fixed_-PAZgSJsDlRD8NUg-PFSeH_BkJY` | All permissions from `fixed:alerting.rules:writer` <br>`fixed:alerting.instances:writer`<br>`fixed:alerting.notifications:writer`                                                                                                                                           | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules\*, silences, contact points, templates, mute timings, and notification policies.[\*](#alerting-roles)                                                                                                    |
-| `fixed:alerting.instances:reader`            | `fixed_ut5fVS-Ulh_ejFoskFhJT_rYg0Y` | `alert.instances:read` for organization scope <br> `alert.instances.external:read` for scope `datasources:*`                                                                                                                                                                | Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.[\*](#alerting-roles)                                                                                                                                              |
-| `fixed:alerting.instances:writer`            | `fixed_pKOBJE346uyqMLdgWbk1NsQfEl0` | All permissions from `fixed:alerting.instances:reader` and<br> `alert.instances:create`<br>`alert.instances:write` for organization scope <br> `alert.instances.external:write` for scope `datasources:*`                                                                   | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.[\*](#alerting-roles)                                                                                                                                                                 |
-| `fixed:alerting.notifications:reader`        | `fixed_hmBn0lX5h1RZXB9Vaot420EEdA0` | `alert.notifications:read` for organization scope<br>`alert.notifications.external:read` for scope `datasources:*`                                                                                                                                                          | Read all Grafana and Alertmanager contact points, templates, and notification policies.[\*](#alerting-roles)                                                                                                                                                                          |
-| `fixed:alerting.notifications:writer`        | `fixed_XplK6HPNxf9AP5IGTdB5Iun4tJc` | All permissions from `fixed:alerting.notifications:reader` and<br>`alert.notifications:write`for organization scope<br>`alert.notifications.external:read` for scope `datasources:*`                                                                                        | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.[\*](#alerting-roles)                                                                                                                              |
-| `fixed:alerting.provisioning:writer`         | `fixed_y7pFjdEkxpx5ETdcxPvp0AgRuUo` | `alert.provisioning:read` and `alert.provisioning:write`                                                                                                                                                                                                                    | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. [\*](#alerting-roles)                                                                                                                                      |
-| `fixed:alerting.provisioning.secrets:reader` | `fixed_9fmzXXZZG-Od0Amy2ofEG8Uk--c` | `alert.provisioning:read` and `alert.provisioning.secrets:read`                                                                                                                                                                                                             | Read-only permissions for Provisioning API and let export resources with decrypted secrets [\*](#alerting-roles)                                                                                                                                                                      |
-| `fixed:alerting.provisioning.status:writer`  | `fixed_eAxlzfkTuobvKEgXHveFMBZrOj8` | `alert.provisioning.provenance:write`                                                                                                                                                                                                                                       | Set provenance status to alert rules, notification policies, contact points, etc. Should be used together with regular writer roles. [\*](#alerting-roles)                                                                                                                            |
-| `fixed:alerting.rules:reader`                | `fixed_fRGKL_vAqUsmUWq5EYKnOha9DcA` | `alert.rule:read`, `alert.silences:read` for scope `folders:*` <br> `alert.rules.external:read` for scope `datasources:*` <br> `alert.notifications.time-intervals:read` <br> `alert.notifications.receivers:list`                                                          | Read all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and read rule-specific silences                                                                                                                                                                                 |
-| `fixed:alerting.rules:writer`                | `fixed_YJJGwAalUwDZPrXSyFH8GfYBXAc` | All permissions from `fixed:alerting.rules:reader` and <br> `alert.rule:create` <br> `alert.rule:write` <br> `alert.rule:delete` <br> `alert.silences:create` <br> `alert.silences:write` for scope `folders:*` <br> `alert.rules.external:write` for scope `datasources:*` | Create, update, and delete all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and manage rule-specific silences                                                                                                                                                         |
-| `fixed:annotations:reader`                   | `fixed_hpZnoizrfAJsrceNcNQqWYV-xNU` | `annotations:read` for scopes `annotations:type:*`                                                                                                                                                                                                                          | Read all annotations and annotation tags.                                                                                                                                                                                                                                             |
-| `fixed:annotations:writer`                   | `fixed_ZVW-Aa9Tzle6J4s2aUFcq1StKWE` | All permissions from `fixed:annotations:reader` <br>`annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:*`                                                                                                                    | Read, create, update and delete all annotations and annotation tags.                                                                                                                                                                                                                  |
-| `fixed:annotations.dashboard:writer`         | `fixed_8A775xenXeKaJk4Cr7bchP9yXOA` | `annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:dashboard`                                                                                                                                                                | Create, update and delete dashboard annotations and annotation tags.                                                                                                                                                                                                                  |
-| `fixed:authentication.config:writer`         | `fixed_0rYhZ2Qnzs8AdB1nX7gexk3fHDw` | `settings:read` for scope `settings:auth.saml:*` <br> `settings:write` for scope `settings:auth.saml:*`                                                                                                                                                                     | Read and update authentication and SAML settings.                                                                                                                                                                                                                                     |
-| `fixed:general.auth.config:writer`           | `fixed_QFxIT_FGtBqbIVJIwx1bLgI5z6c` | `settings:read` for scope `settings:auth:oauth_allow_insecure_email_lookup` <br> `settings:write` for scope `settings:auth:oauth_allow_insecure_email_lookup`                                                                                                               | Read and update the Grafana instance's general authentication configuration settings.                                                                                                                                                                                                 |
-| `fixed:dashboards:creator`                   | `fixed_ZorKUcEPCM01A1fPakEzGBUyU64` | `dashboards:create`<br>`folders:read`                                                                                                                                                                                                                                       | Create dashboards.                                                                                                                                                                                                                                                                    |
-| `fixed:dashboards:reader`                    | `fixed_Sgr67JTOhjQGFlzYRahOe45TdWM` | `dashboards:read`                                                                                                                                                                                                                                                           | Read all dashboards.                                                                                                                                                                                                                                                                  |
-| `fixed:dashboards:writer`                    | `fixed_OK2YOQGIoI1G031hVzJB6rAJQAs` | All permissions from `fixed:dashboards:reader` and <br>`dashboards:write`<br>`dashboards:delete`<br>`dashboards:create`<br>`dashboards.permissions:read`<br>`dashboards.permissions:write`                                                                                  | Read, create, update, and delete all dashboards.                                                                                                                                                                                                                                      |
-| `fixed:dashboards.insights:reader`           | `fixed_JlBJ2_gizP8zhgaeGE2rjyZe2Rs` | `dashboards.insights:read`                                                                                                                                                                                                                                                  | Read dashboard insights data and see presence indicators.                                                                                                                                                                                                                             |
-| `fixed:dashboards.permissions:reader`        | `fixed_f17oxuXW_58LL8mYJsm4T_mCeIw` | `dashboards.permissions:read`                                                                                                                                                                                                                                               | Read all dashboard permissions.                                                                                                                                                                                                                                                       |
-| `fixed:dashboards.permissions:writer`        | `fixed_CcznxhWX_Yqn8uWMXMQ-b5iFW9k` | All permissions from `fixed:dashboards.permissions:reader` and <br>`dashboards.permissions:write`                                                                                                                                                                           | Read and update all dashboard permissions.                                                                                                                                                                                                                                            |
-| `fixed:dashboards.public:writer`             | `fixed_f_GHHRBciaqESXfGz2oCcooqHxs` | `dashboards.public:write`                                                                                                                                                                                                                                                   | Create, update, delete or pause a shared dashboard.                                                                                                                                                                                                                                   |
-| `fixed:datasources:creator`                  | `fixed_XX8jHREgUt-wo1A-rPXIiFlX6Zw` | `datasources:create`                                                                                                                                                                                                                                                        | Create data sources.                                                                                                                                                                                                                                                                  |
-| `fixed:datasources:explorer`                 | `fixed_qDzW9mzx9yM91T5Bi8dHUM2muTw` | `datasources:explore`                                                                                                                                                                                                                                                       | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.                                                                                                                                                |
-| `fixed:datasources:reader`                   | `fixed_C2x8IxkiBc1KZVjyYH775T9jNMQ` | `datasources:read`<br>`datasources:query`                                                                                                                                                                                                                                   | Read and query data sources.                                                                                                                                                                                                                                                          |
-| `fixed:datasources:writer`                   | `fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik` | All permissions from `fixed:datasources:reader` and <br>`datasources:create`<br>`datasources:write`<br>`datasources:delete`                                                                                                                                                 | Read, query, create, delete, or update a data source.                                                                                                                                                                                                                                 |
-| `fixed:datasources.builtin:reader`           | `fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik` | `datasources:read` and `datasources:query` scoped to `datasources:uid:grafana`                                                                                                                                                                                              | An internal role used to grant Viewers access to the builtin example data source in Grafana.                                                                                                                                                                                          |
-| `fixed:datasources.caching:reader`           | `fixed_D2ddpGxJYlw0mbsTS1ek9fj0kj4` | `datasources.caching:read`                                                                                                                                                                                                                                                  | Read data source query caching settings.                                                                                                                                                                                                                                              |
-| `fixed:datasources.caching:writer`           | `fixed_JtFjHr7jd7hSqUYcktKvRvIOGRE` | `datasources.caching:read`<br>`datasources.caching:write`                                                                                                                                                                                                                   | Enable, disable, or update query caching settings.                                                                                                                                                                                                                                    |
-| `fixed:datasources.id:reader`                | `fixed_entg--fHmDqWY2-69N0ocawK0Os` | `datasources.id:read`                                                                                                                                                                                                                                                       | Read the ID of a data source based on its name.                                                                                                                                                                                                                                       |
-| `fixed:datasources.insights:reader`          | `fixed_EBZ3NwlfecNPp2p0XcZRC1nfEYk` | `datasources.insights:read`                                                                                                                                                                                                                                                 | Read data source insights data.                                                                                                                                                                                                                                                       |
-| `fixed:datasources.permissions:reader`       | `fixed_ErYA-cTN3yn4h4GxaVPcawRhiOY` | `datasources.permissions:read`                                                                                                                                                                                                                                              | Read data source permissions.                                                                                                                                                                                                                                                         |
-| `fixed:datasources.permissions:writer`       | `fixed_aiQh9YDfLOKjQhYasF9_SFUjQiw` | All permissions from `fixed:datasources.permissions:reader` and <br>`datasources.permissions:write`                                                                                                                                                                         | Create, read, or delete permissions of a data source.                                                                                                                                                                                                                                 |
-| `fixed:folders:creator`                      | `fixed_gGLRbZGAGB6n9uECqSh_W382RlQ` | `folders:create`                                                                                                                                                                                                                                                            | Create folders in the root level.                                                                                                                                                                                                                                                     |
-| `fixed:folders:reader`                       | `fixed_yeW-5QPeo-i5PZUIUXMlAA97GnQ` | `folders:read`<br>`dashboards:read`                                                                                                                                                                                                                                         | Read all folders and dashboards.                                                                                                                                                                                                                                                      |
-| `fixed:folders:writer`                       | `fixed_wJXLoTzgE7jVuz90dryYoiogL0o` | All permissions from `fixed:dashboards:writer` and <br>`folders:read`<br>`folders:write`<br>`folders:create`<br>`folders:delete`<br>`folders.permissions:read`<br>`folders.permissions:write`                                                                               | Read, update, and delete all folders and dashboards. Create folders and subfolders.                                                                                                                                                                                                   |
-| `fixed:folders.general:reader`               | `fixed_rSASbkg8DvpG_gTX5s41d7uxRvI` | `folders:read` scoped to `folders:uid:general`                                                                                                                                                                                                                              | An internal role used to correctly display access to the folder tree for Viewer role.                                                                                                                                                                                                 |
-| `fixed:folders.permissions:reader`           | `fixed_E06l4cx0JFm47EeLBE4nmv3pnSo` | `folders.permissions:read`                                                                                                                                                                                                                                                  | Read all folder permissions.                                                                                                                                                                                                                                                          |
-| `fixed:folders.permissions:writer`           | `fixed_3GAgpQ_hWG8o7-lwNb86_VB37eI` | All permissions from `fixed:folders.permissions:reader` and <br>`folders.permissions:write`                                                                                                                                                                                 | Read and update all folder permissions.                                                                                                                                                                                                                                               |
-| `fixed:ldap:reader`                          | `fixed_lMcOPwSkxKY-qCK8NMJc5k6izLE` | `ldap.user:read`<br>`ldap.status:read`                                                                                                                                                                                                                                      | Read the LDAP configuration and LDAP status information.                                                                                                                                                                                                                              |
-| `fixed:ldap:writer`                          | `fixed_p6AvnU4GCQyIh7-hbwI-bk3GYnU` | All permissions from `fixed:ldap:reader` and <br>`ldap.user:sync`<br>`ldap.config:reload`                                                                                                                                                                                   | Read and update the LDAP configuration, and read LDAP status information.                                                                                                                                                                                                             |
-| `fixed:library.panels:creator`               | `fixed_6eX6ItfegCIY5zLmPqTDW8ZV7KY` | `library.panels:create`<br>`folders:read`                                                                                                                                                                                                                                   | Create library panel at the root level.                                                                                                                                                                                                                                               |
-| `fixed:library.panels:general.reader`        | `fixed_ct0DghiBWR_2BiQm3EvNPDVmpio` | `library.panels:read`                                                                                                                                                                                                                                                       | Read all library panels at the root level.                                                                                                                                                                                                                                            |
-| `fixed:library.panels:general.writer`        | `fixed_DgprkmqfN_1EhZ2v1_d1fYG8LzI` | All permissions from `fixed:library.panels:general.reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write`                                                                                                                             | Create, read, write or delete all library panels and their permissions at the root level.                                                                                                                                                                                             |
-| `fixed:library.panels:reader`                | `fixed_tvTr9CnZ6La5vvUO_U_X1LPnhUs` | `library.panels:read`                                                                                                                                                                                                                                                       | Read all library panels.                                                                                                                                                                                                                                                              |
-| `fixed:library.panels:writer`                | `fixed_JTljAr21LWLTXCkgfBC4H0lhBC8` | All permissions from `fixed:library.panels:reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write`                                                                                                                                     | Create, read, write or delete all library panels and their permissions.                                                                                                                                                                                                               |
-| `fixed:licensing:reader`                     | `fixed_OADpuXvNEylO2Kelu3GIuBXEAYE` | `licensing:read`<br>`licensing.reports:read`                                                                                                                                                                                                                                | Read licensing information and licensing reports.                                                                                                                                                                                                                                     |
-| `fixed:licensing:writer`                     | `fixed_gzbz3rJpQMdaKHt-E4q0PVaKMoE` | All permissions from `fixed:licensing:reader` and <br>`licensing:write`<br>`licensing:delete`                                                                                                                                                                               | Read licensing information and licensing reports, update and delete the license token.                                                                                                                                                                                                |
-| `fixed:migrationassistant:migrator`          | `fixed_LLk2p7TRuBztOAksTQb1Klc8YTk` | `migrationassistant:migrate`                                                                                                                                                                                                                                                | Execute on-prem to cloud migrations through the Migration Assistant.                                                                                                                                                                                                                  |
-| `fixed:org.users:reader`                     | `fixed_oCqNwlVHLOpw7-jAlwp4HzYqwGY` | `org.users:read`                                                                                                                                                                                                                                                            | Read users within a single organization.                                                                                                                                                                                                                                              |
-| `fixed:org.users:writer`                     | `fixed_VERj5nayasjgf_Yh0sWqqCkxWlw` | All permissions from `fixed:org.users:reader` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users:write`                                                                                                                                                            | Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user.                                                                                                        |
-| `fixed:organization:maintainer`              | `fixed_CMm-uuBaPUBf4r8XG3jIvxo55bg` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs:create`<br>`orgs:delete`<br>`orgs.quotas:write`                                                                                                                                             | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.                                                                                                                                                                    |
-| `fixed:organization:reader`                  | `fixed_0SZPJlTHdNEe8zO91zv7Zwiwa2w` | `orgs:read`<br>`orgs.quotas:read`                                                                                                                                                                                                                                           | Read an organization and its quotas.                                                                                                                                                                                                                                                  |
-| `fixed:organization:writer`                  | `fixed_Y4jGqDd8w1yCrPwlik8z5Iu8-3M` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs.preferences:read`<br>`orgs.preferences:write`                                                                                                                                               | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.                                                                                                                                                                             |
-| `fixed:plugins:maintainer`                   | `fixed_yEOKidBcWgbm74x-nTa3lW5lOyY` | `plugins:install`                                                                                                                                                                                                                                                           | Install and uninstall plugins. Needs to be assigned globally.                                                                                                                                                                                                                         |
-| `fixed:plugins:writer`                       | `fixed_MRYpGk7kpNNwt2VoVOXFiPnQziE` | `plugins:write`                                                                                                                                                                                                                                                             | Enable and disable plugins and edit plugins' settings.                                                                                                                                                                                                                                |
-| `fixed:plugins.app:reader`                   | `fixed_AcZRiNYx7NueYkUqzw1o2OGGUAA` | `plugins.app:access`                                                                                                                                                                                                                                                        | Access application plugins (still enforcing the organization role).                                                                                                                                                                                                                   |
-| `fixed:provisioning:writer`                  | `fixed_bgk1FCyR6OEDwhgirZlQgu5LlCA` | `provisioning:reload`                                                                                                                                                                                                                                                       | Reload provisioning.                                                                                                                                                                                                                                                                  |
-| `fixed:reports:reader`                       | `fixed_72_8LU_0ukfm6BdblOw8Z9q-GQ8` | `reports:read`<br>`reports:send`<br>`reports.settings:read`                                                                                                                                                                                                                 | Read all reports and shared report settings.                                                                                                                                                                                                                                          |
-| `fixed:reports:writer`                       | `fixed_jBW3_7g1EWOjGVBYeVRwtFxhUNw` | All permissions from `fixed:reports:reader` and <br>`reports:create`<br>`reports:write`<br>`reports:delete`<br>`reports.settings:write`                                                                                                                                     | Create, read, update, or delete all reports and shared report settings.                                                                                                                                                                                                               |
-| `fixed:roles:reader`                         | `fixed_GkfG-1NSwEGb4hpK3-E3qHyNltc` | `roles:read`<br>`teams.roles:read`<br>`users.roles:read`<br>`users.permissions:read`                                                                                                                                                                                        | Read all access control roles, roles and permissions assigned to users, teams.                                                                                                                                                                                                        |
-| `fixed:roles:resetter`                       | `fixed_WgPpC3qJRmVpVTJavFNwfS5RuzQ` | `roles:write` with scope `permissions:type:escalate`                                                                                                                                                                                                                        | Reset basic roles to their default.                                                                                                                                                                                                                                                   |
-| `fixed:roles:writer`                         | `fixed_W5aFaw8isAM27x_eWfElBhZ0iOc` | All permissions from `fixed:roles:reader` and <br>`roles:write`<br>`roles:delete`<br>`teams.roles:add`<br>`teams.roles:remove`<br>`users.roles:add`<br>`users.roles:remove`                                                                                                 | Create, read, update, or delete all roles, assign or unassign roles to users, teams.                                                                                                                                                                                                  |
-| `fixed:serviceaccounts:creator`              | `fixed_Ikw60fckA0MyiiZ73BawSfOULy4` | `serviceaccounts:create`                                                                                                                                                                                                                                                    | Create Grafana service accounts.                                                                                                                                                                                                                                                      |
-| `fixed:serviceaccounts:reader`               | `fixed_QFjJAZ88iawMLInYOxPA1DB1w6I` | `serviceaccounts:read`                                                                                                                                                                                                                                                      | Read Grafana service accounts.                                                                                                                                                                                                                                                        |
-| `fixed:serviceaccounts:writer`               | `fixed_iBvUNUEZBZ7PUW0vdkN5iojc2sk` | `serviceaccounts:read`<br>`serviceaccounts:create`<br>`serviceaccounts:write`<br>`serviceaccounts:delete`<br>`serviceaccounts.permissions:read`<br>`serviceaccounts.permissions:write`                                                                                      | Create, update, read and delete all Grafana service accounts and manage service account permissions.                                                                                                                                                                                  |
-| `fixed:settings:reader`                      | `fixed_0LaUt1x6PP8hsZzEBhqPQZFUd8Q` | `settings:read`                                                                                                                                                                                                                                                             | Read Grafana instance settings.                                                                                                                                                                                                                                                       |
-| `fixed:settings:writer`                      | `fixed_joIHDgMrGg790hMhUufVzcU4j44` | All permissions from `fixed:settings:reader` and<br>`settings:write`                                                                                                                                                                                                        | Read and update Grafana instance settings.                                                                                                                                                                                                                                            |
-| `fixed:stats:reader`                         | `fixed_OnRCXxZVINWpcKvTF5A1gecJ7pA` | `server.stats:read`                                                                                                                                                                                                                                                         | Read Grafana instance statistics.                                                                                                                                                                                                                                                     |
-| `fixed:support.bundles:reader`               | `fixed_gcPjI3PTUJwRx-GJZwDhNa7zbos` | `support.bundles:read`                                                                                                                                                                                                                                                      | List and download support bundles.                                                                                                                                                                                                                                                    |
-| `fixed:support.bundles:writer`               | `fixed_dTgCv9Wxrp_WHAhwHYIgeboxKpE` | `support.bundles:read`<br>`support.bundles:create`<br>`support.bundles:delete`                                                                                                                                                                                              | Create, delete, list and download support bundles.                                                                                                                                                                                                                                    |
-| `fixed:teams:creator`                        | `fixed_nzVQoNSDSn0fg1MDgO6XnZX2RZI` | `teams:create`<br>`org.users:read`                                                                                                                                                                                                                                          | Create a team and list organization users (required to manage the created team).                                                                                                                                                                                                      |
-| `fixed:teams:read`                           | `fixed_Z8pB0GQlrqRt8IZBCJQxPWvJPgQ` | `teams:read`                                                                                                                                                                                                                                                                | List all teams.                                                                                                                                                                                                                                                                       |
-| `fixed:teams:writer`                         | `fixed_xw1T0579h620MOYi4L96GUs7fZY` | `teams:create`<br>`teams:delete`<br>`teams:read`<br>`teams:write`<br>`teams.permissions:read`<br>`teams.permissions:write`                                                                                                                                                  | Create, read, update and delete teams and manage team memberships.                                                                                                                                                                                                                    |
-| `fixed:usagestats:reader`                    | `fixed_eAM0azEvnWFCJAjNkUKnGL_1-bU` | `server.usagestats.report:read`                                                                                                                                                                                                                                             | View usage statistics report.                                                                                                                                                                                                                                                         |
-| `fixed:users:reader`                         | `fixed_buZastUG3reWyQpPemcWjGqPAd0` | `users:read`<br>`users.quotas:read`<br>`users.authtoken:read`                                                                                                                                                                                                               | Read all users and their information, such as team memberships, authentication tokens, and quotas.                                                                                                                                                                                    |
-| `fixed:users:writer`                         | `fixed_wjzgHHo_Ux25DJuELn_oiAdB_yM` | All permissions from `fixed:users:reader` and <br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.password:write`<br>`users.permissions:write`<br>`users:logout`<br>`users.authtoken:write`<br>`users.quotas:write`        | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |
+| Fixed role                                      | UUID                                | Permissions                                                                                                                                                                                                                                                                 | Description                                                                                                                                                                                                                                                                           |
+| ----------------------------------------------- | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `fixed:alerting:reader`                         | `fixed_O2oP1_uBFozI2i93klAkcvEWR30` | All permissions from `fixed:alerting.rules:reader` <br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader`                                                                                                                                           | Read-only permissions for all Grafana, Mimir, Loki and Alertmanager alert rules\*, alerts, contact points, and notification policies.[\*](#alerting-roles)                                                                                                                            |
+| `fixed:alerting:writer`                         | `fixed_-PAZgSJsDlRD8NUg-PFSeH_BkJY` | All permissions from `fixed:alerting.rules:writer` <br>`fixed:alerting.instances:writer`<br>`fixed:alerting.notifications:writer`                                                                                                                                           | Create, update, and delete Grafana, Mimir, Loki and Alertmanager alert rules\*, silences, contact points, templates, mute timings, and notification policies.[\*](#alerting-roles)                                                                                                    |
+| `fixed:alerting.instances:reader`               | `fixed_ut5fVS-Ulh_ejFoskFhJT_rYg0Y` | `alert.instances:read` for organization scope <br> `alert.instances.external:read` for scope `datasources:*`                                                                                                                                                                | Read all alerts and silences in the organization produced by Grafana Alerts and Mimir and Loki alerts and silences.[\*](#alerting-roles)                                                                                                                                              |
+| `fixed:alerting.instances:writer`               | `fixed_pKOBJE346uyqMLdgWbk1NsQfEl0` | All permissions from `fixed:alerting.instances:reader` and<br> `alert.instances:create`<br>`alert.instances:write` for organization scope <br> `alert.instances.external:write` for scope `datasources:*`                                                                   | Create, update and expire all silences in the organization produced by Grafana, Mimir, and Loki.[\*](#alerting-roles)                                                                                                                                                                 |
+| `fixed:alerting.notifications:reader`           | `fixed_hmBn0lX5h1RZXB9Vaot420EEdA0` | `alert.notifications:read` for organization scope<br>`alert.notifications.external:read` for scope `datasources:*`                                                                                                                                                          | Read all Grafana and Alertmanager contact points, templates, and notification policies.[\*](#alerting-roles)                                                                                                                                                                          |
+| `fixed:alerting.notifications:writer`           | `fixed_XplK6HPNxf9AP5IGTdB5Iun4tJc` | All permissions from `fixed:alerting.notifications:reader` and<br>`alert.notifications:write`for organization scope<br>`alert.notifications.external:read` for scope `datasources:*`                                                                                        | Create, update, and delete contact points, templates, mute timings and notification policies for Grafana and external Alertmanager.[\*](#alerting-roles)                                                                                                                              |
+| `fixed:alerting.provisioning:writer`            | `fixed_y7pFjdEkxpx5ETdcxPvp0AgRuUo` | `alert.provisioning:read` and `alert.provisioning:write`                                                                                                                                                                                                                    | Create, update and delete Grafana alert rules, notification policies, contact points, templates, etc via provisioning API. [\*](#alerting-roles)                                                                                                                                      |
+| `fixed:alerting.provisioning.secrets:reader`    | `fixed_9fmzXXZZG-Od0Amy2ofEG8Uk--c` | `alert.provisioning:read` and `alert.provisioning.secrets:read`                                                                                                                                                                                                             | Read-only permissions for Provisioning API and let export resources with decrypted secrets [\*](#alerting-roles)                                                                                                                                                                      |
+| `fixed:alerting.provisioning.provenance:writer` | `fixed_eAxlzfkTuobvKEgXHveFMBZrOj8` | `alert.provisioning.provenance:write`                                                                                                                                                                                                                                       | Set provenance status to alert rules, notification policies, contact points, etc. Should be used together with regular writer roles. [\*](#alerting-roles)                                                                                                                            |
+| `fixed:alerting.rules:reader`                   | `fixed_fRGKL_vAqUsmUWq5EYKnOha9DcA` | `alert.rule:read`, `alert.silences:read` for scope `folders:*` <br> `alert.rules.external:read` for scope `datasources:*` <br> `alert.notifications.time-intervals:read` <br> `alert.notifications.receivers:list`                                                          | Read all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and read rule-specific silences                                                                                                                                                                                 |
+| `fixed:alerting.rules:writer`                   | `fixed_YJJGwAalUwDZPrXSyFH8GfYBXAc` | All permissions from `fixed:alerting.rules:reader` and <br> `alert.rule:create` <br> `alert.rule:write` <br> `alert.rule:delete` <br> `alert.silences:create` <br> `alert.silences:write` for scope `folders:*` <br> `alert.rules.external:write` for scope `datasources:*` | Create, update, and delete all\* Grafana, Mimir, and Loki alert rules.[\*](#alerting-roles) and manage rule-specific silences                                                                                                                                                         |
+| `fixed:annotations:reader`                      | `fixed_hpZnoizrfAJsrceNcNQqWYV-xNU` | `annotations:read` for scopes `annotations:type:*`                                                                                                                                                                                                                          | Read all annotations and annotation tags.                                                                                                                                                                                                                                             |
+| `fixed:annotations:writer`                      | `fixed_ZVW-Aa9Tzle6J4s2aUFcq1StKWE` | All permissions from `fixed:annotations:reader` <br>`annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:*`                                                                                                                    | Read, create, update and delete all annotations and annotation tags.                                                                                                                                                                                                                  |
+| `fixed:annotations.dashboard:writer`            | `fixed_8A775xenXeKaJk4Cr7bchP9yXOA` | `annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:dashboard`                                                                                                                                                                | Create, update and delete dashboard annotations and annotation tags.                                                                                                                                                                                                                  |
+| `fixed:authentication.config:writer`            | `fixed_0rYhZ2Qnzs8AdB1nX7gexk3fHDw` | `settings:read` for scope `settings:auth.saml:*` <br> `settings:write` for scope `settings:auth.saml:*`                                                                                                                                                                     | Read and update authentication and SAML settings.                                                                                                                                                                                                                                     |
+| `fixed:general.auth.config:writer`              | `fixed_QFxIT_FGtBqbIVJIwx1bLgI5z6c` | `settings:read` for scope `settings:auth:oauth_allow_insecure_email_lookup` <br> `settings:write` for scope `settings:auth:oauth_allow_insecure_email_lookup`                                                                                                               | Read and update the Grafana instance's general authentication configuration settings.                                                                                                                                                                                                 |
+| `fixed:dashboards:creator`                      | `fixed_ZorKUcEPCM01A1fPakEzGBUyU64` | `dashboards:create`<br>`folders:read`                                                                                                                                                                                                                                       | Create dashboards.                                                                                                                                                                                                                                                                    |
+| `fixed:dashboards:reader`                       | `fixed_Sgr67JTOhjQGFlzYRahOe45TdWM` | `dashboards:read`                                                                                                                                                                                                                                                           | Read all dashboards.                                                                                                                                                                                                                                                                  |
+| `fixed:dashboards:writer`                       | `fixed_OK2YOQGIoI1G031hVzJB6rAJQAs` | All permissions from `fixed:dashboards:reader` and <br>`dashboards:write`<br>`dashboards:delete`<br>`dashboards:create`<br>`dashboards.permissions:read`<br>`dashboards.permissions:write`                                                                                  | Read, create, update, and delete all dashboards.                                                                                                                                                                                                                                      |
+| `fixed:dashboards.insights:reader`              | `fixed_JlBJ2_gizP8zhgaeGE2rjyZe2Rs` | `dashboards.insights:read`                                                                                                                                                                                                                                                  | Read dashboard insights data and see presence indicators.                                                                                                                                                                                                                             |
+| `fixed:dashboards.permissions:reader`           | `fixed_f17oxuXW_58LL8mYJsm4T_mCeIw` | `dashboards.permissions:read`                                                                                                                                                                                                                                               | Read all dashboard permissions.                                                                                                                                                                                                                                                       |
+| `fixed:dashboards.permissions:writer`           | `fixed_CcznxhWX_Yqn8uWMXMQ-b5iFW9k` | All permissions from `fixed:dashboards.permissions:reader` and <br>`dashboards.permissions:write`                                                                                                                                                                           | Read and update all dashboard permissions.                                                                                                                                                                                                                                            |
+| `fixed:dashboards.public:writer`                | `fixed_f_GHHRBciaqESXfGz2oCcooqHxs` | `dashboards.public:write`                                                                                                                                                                                                                                                   | Create, update, delete or pause a shared dashboard.                                                                                                                                                                                                                                   |
+| `fixed:datasources:creator`                     | `fixed_XX8jHREgUt-wo1A-rPXIiFlX6Zw` | `datasources:create`                                                                                                                                                                                                                                                        | Create data sources.                                                                                                                                                                                                                                                                  |
+| `fixed:datasources:explorer`                    | `fixed_qDzW9mzx9yM91T5Bi8dHUM2muTw` | `datasources:explore`                                                                                                                                                                                                                                                       | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions.                                                                                                                                                |
+| `fixed:datasources:reader`                      | `fixed_C2x8IxkiBc1KZVjyYH775T9jNMQ` | `datasources:read`<br>`datasources:query`                                                                                                                                                                                                                                   | Read and query data sources.                                                                                                                                                                                                                                                          |
+| `fixed:datasources:writer`                      | `fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik` | All permissions from `fixed:datasources:reader` and <br>`datasources:create`<br>`datasources:write`<br>`datasources:delete`                                                                                                                                                 | Read, query, create, delete, or update a data source.                                                                                                                                                                                                                                 |
+| `fixed:datasources.builtin:reader`              | `fixed_q8HXq8kjjA5IlHHgBJlKlUyaNik` | `datasources:read` and `datasources:query` scoped to `datasources:uid:grafana`                                                                                                                                                                                              | An internal role used to grant Viewers access to the builtin example data source in Grafana.                                                                                                                                                                                          |
+| `fixed:datasources.caching:reader`              | `fixed_D2ddpGxJYlw0mbsTS1ek9fj0kj4` | `datasources.caching:read`                                                                                                                                                                                                                                                  | Read data source query caching settings.                                                                                                                                                                                                                                              |
+| `fixed:datasources.caching:writer`              | `fixed_JtFjHr7jd7hSqUYcktKvRvIOGRE` | `datasources.caching:read`<br>`datasources.caching:write`                                                                                                                                                                                                                   | Enable, disable, or update query caching settings.                                                                                                                                                                                                                                    |
+| `fixed:datasources.id:reader`                   | `fixed_entg--fHmDqWY2-69N0ocawK0Os` | `datasources.id:read`                                                                                                                                                                                                                                                       | Read the ID of a data source based on its name.                                                                                                                                                                                                                                       |
+| `fixed:datasources.insights:reader`             | `fixed_EBZ3NwlfecNPp2p0XcZRC1nfEYk` | `datasources.insights:read`                                                                                                                                                                                                                                                 | Read data source insights data.                                                                                                                                                                                                                                                       |
+| `fixed:datasources.permissions:reader`          | `fixed_ErYA-cTN3yn4h4GxaVPcawRhiOY` | `datasources.permissions:read`                                                                                                                                                                                                                                              | Read data source permissions.                                                                                                                                                                                                                                                         |
+| `fixed:datasources.permissions:writer`          | `fixed_aiQh9YDfLOKjQhYasF9_SFUjQiw` | All permissions from `fixed:datasources.permissions:reader` and <br>`datasources.permissions:write`                                                                                                                                                                         | Create, read, or delete permissions of a data source.                                                                                                                                                                                                                                 |
+| `fixed:folders:creator`                         | `fixed_gGLRbZGAGB6n9uECqSh_W382RlQ` | `folders:create`                                                                                                                                                                                                                                                            | Create folders in the root level.                                                                                                                                                                                                                                                     |
+| `fixed:folders:reader`                          | `fixed_yeW-5QPeo-i5PZUIUXMlAA97GnQ` | `folders:read`<br>`dashboards:read`                                                                                                                                                                                                                                         | Read all folders and dashboards.                                                                                                                                                                                                                                                      |
+| `fixed:folders:writer`                          | `fixed_wJXLoTzgE7jVuz90dryYoiogL0o` | All permissions from `fixed:dashboards:writer` and <br>`folders:read`<br>`folders:write`<br>`folders:create`<br>`folders:delete`<br>`folders.permissions:read`<br>`folders.permissions:write`                                                                               | Read, update, and delete all folders and dashboards. Create folders and subfolders.                                                                                                                                                                                                   |
+| `fixed:folders.general:reader`                  | `fixed_rSASbkg8DvpG_gTX5s41d7uxRvI` | `folders:read` scoped to `folders:uid:general`                                                                                                                                                                                                                              | An internal role used to correctly display access to the folder tree for Viewer role.                                                                                                                                                                                                 |
+| `fixed:folders.permissions:reader`              | `fixed_E06l4cx0JFm47EeLBE4nmv3pnSo` | `folders.permissions:read`                                                                                                                                                                                                                                                  | Read all folder permissions.                                                                                                                                                                                                                                                          |
+| `fixed:folders.permissions:writer`              | `fixed_3GAgpQ_hWG8o7-lwNb86_VB37eI` | All permissions from `fixed:folders.permissions:reader` and <br>`folders.permissions:write`                                                                                                                                                                                 | Read and update all folder permissions.                                                                                                                                                                                                                                               |
+| `fixed:ldap:reader`                             | `fixed_lMcOPwSkxKY-qCK8NMJc5k6izLE` | `ldap.user:read`<br>`ldap.status:read`                                                                                                                                                                                                                                      | Read the LDAP configuration and LDAP status information.                                                                                                                                                                                                                              |
+| `fixed:ldap:writer`                             | `fixed_p6AvnU4GCQyIh7-hbwI-bk3GYnU` | All permissions from `fixed:ldap:reader` and <br>`ldap.user:sync`<br>`ldap.config:reload`                                                                                                                                                                                   | Read and update the LDAP configuration, and read LDAP status information.                                                                                                                                                                                                             |
+| `fixed:library.panels:creator`                  | `fixed_6eX6ItfegCIY5zLmPqTDW8ZV7KY` | `library.panels:create`<br>`folders:read`                                                                                                                                                                                                                                   | Create library panel at the root level.                                                                                                                                                                                                                                               |
+| `fixed:library.panels:general.reader`           | `fixed_ct0DghiBWR_2BiQm3EvNPDVmpio` | `library.panels:read`                                                                                                                                                                                                                                                       | Read all library panels at the root level.                                                                                                                                                                                                                                            |
+| `fixed:library.panels:general.writer`           | `fixed_DgprkmqfN_1EhZ2v1_d1fYG8LzI` | All permissions from `fixed:library.panels:general.reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write`                                                                                                                             | Create, read, write or delete all library panels and their permissions at the root level.                                                                                                                                                                                             |
+| `fixed:library.panels:reader`                   | `fixed_tvTr9CnZ6La5vvUO_U_X1LPnhUs` | `library.panels:read`                                                                                                                                                                                                                                                       | Read all library panels.                                                                                                                                                                                                                                                              |
+| `fixed:library.panels:writer`                   | `fixed_JTljAr21LWLTXCkgfBC4H0lhBC8` | All permissions from `fixed:library.panels:reader` plus<br>`library.panels:create`<br>`library.panels:delete`<br>`library.panels:write`                                                                                                                                     | Create, read, write or delete all library panels and their permissions.                                                                                                                                                                                                               |
+| `fixed:licensing:reader`                        | `fixed_OADpuXvNEylO2Kelu3GIuBXEAYE` | `licensing:read`<br>`licensing.reports:read`                                                                                                                                                                                                                                | Read licensing information and licensing reports.                                                                                                                                                                                                                                     |
+| `fixed:licensing:writer`                        | `fixed_gzbz3rJpQMdaKHt-E4q0PVaKMoE` | All permissions from `fixed:licensing:reader` and <br>`licensing:write`<br>`licensing:delete`                                                                                                                                                                               | Read licensing information and licensing reports, update and delete the license token.                                                                                                                                                                                                |
+| `fixed:migrationassistant:migrator`             | `fixed_LLk2p7TRuBztOAksTQb1Klc8YTk` | `migrationassistant:migrate`                                                                                                                                                                                                                                                | Execute on-prem to cloud migrations through the Migration Assistant.                                                                                                                                                                                                                  |
+| `fixed:org.users:reader`                        | `fixed_oCqNwlVHLOpw7-jAlwp4HzYqwGY` | `org.users:read`                                                                                                                                                                                                                                                            | Read users within a single organization.                                                                                                                                                                                                                                              |
+| `fixed:org.users:writer`                        | `fixed_VERj5nayasjgf_Yh0sWqqCkxWlw` | All permissions from `fixed:org.users:reader` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users:write`                                                                                                                                                            | Within a single organization, add a user, invite a new user, read information about a user and their role, remove a user from that organization, or change the role of a user.                                                                                                        |
+| `fixed:organization:maintainer`                 | `fixed_CMm-uuBaPUBf4r8XG3jIvxo55bg` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs:create`<br>`orgs:delete`<br>`orgs.quotas:write`                                                                                                                                             | Create, read, write, or delete an organization. Read or write its quotas. This role needs to be assigned globally.                                                                                                                                                                    |
+| `fixed:organization:reader`                     | `fixed_0SZPJlTHdNEe8zO91zv7Zwiwa2w` | `orgs:read`<br>`orgs.quotas:read`                                                                                                                                                                                                                                           | Read an organization and its quotas.                                                                                                                                                                                                                                                  |
+| `fixed:organization:writer`                     | `fixed_Y4jGqDd8w1yCrPwlik8z5Iu8-3M` | All permissions from `fixed:organization:reader` and <br> `orgs:write`<br>`orgs.preferences:read`<br>`orgs.preferences:write`                                                                                                                                               | Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.                                                                                                                                                                             |
+| `fixed:plugins:maintainer`                      | `fixed_yEOKidBcWgbm74x-nTa3lW5lOyY` | `plugins:install`                                                                                                                                                                                                                                                           | Install and uninstall plugins. Needs to be assigned globally.                                                                                                                                                                                                                         |
+| `fixed:plugins:writer`                          | `fixed_MRYpGk7kpNNwt2VoVOXFiPnQziE` | `plugins:write`                                                                                                                                                                                                                                                             | Enable and disable plugins and edit plugins' settings.                                                                                                                                                                                                                                |
+| `fixed:plugins.app:reader`                      | `fixed_AcZRiNYx7NueYkUqzw1o2OGGUAA` | `plugins.app:access`                                                                                                                                                                                                                                                        | Access application plugins (still enforcing the organization role).                                                                                                                                                                                                                   |
+| `fixed:provisioning:writer`                     | `fixed_bgk1FCyR6OEDwhgirZlQgu5LlCA` | `provisioning:reload`                                                                                                                                                                                                                                                       | Reload provisioning.                                                                                                                                                                                                                                                                  |
+| `fixed:reports:reader`                          | `fixed_72_8LU_0ukfm6BdblOw8Z9q-GQ8` | `reports:read`<br>`reports:send`<br>`reports.settings:read`                                                                                                                                                                                                                 | Read all reports and shared report settings.                                                                                                                                                                                                                                          |
+| `fixed:reports:writer`                          | `fixed_jBW3_7g1EWOjGVBYeVRwtFxhUNw` | All permissions from `fixed:reports:reader` and <br>`reports:create`<br>`reports:write`<br>`reports:delete`<br>`reports.settings:write`                                                                                                                                     | Create, read, update, or delete all reports and shared report settings.                                                                                                                                                                                                               |
+| `fixed:roles:reader`                            | `fixed_GkfG-1NSwEGb4hpK3-E3qHyNltc` | `roles:read`<br>`teams.roles:read`<br>`users.roles:read`<br>`users.permissions:read`                                                                                                                                                                                        | Read all access control roles, roles and permissions assigned to users, teams.                                                                                                                                                                                                        |
+| `fixed:roles:resetter`                          | `fixed_WgPpC3qJRmVpVTJavFNwfS5RuzQ` | `roles:write` with scope `permissions:type:escalate`                                                                                                                                                                                                                        | Reset basic roles to their default.                                                                                                                                                                                                                                                   |
+| `fixed:roles:writer`                            | `fixed_W5aFaw8isAM27x_eWfElBhZ0iOc` | All permissions from `fixed:roles:reader` and <br>`roles:write`<br>`roles:delete`<br>`teams.roles:add`<br>`teams.roles:remove`<br>`users.roles:add`<br>`users.roles:remove`                                                                                                 | Create, read, update, or delete all roles, assign or unassign roles to users, teams.                                                                                                                                                                                                  |
+| `fixed:serviceaccounts:creator`                 | `fixed_Ikw60fckA0MyiiZ73BawSfOULy4` | `serviceaccounts:create`                                                                                                                                                                                                                                                    | Create Grafana service accounts.                                                                                                                                                                                                                                                      |
+| `fixed:serviceaccounts:reader`                  | `fixed_QFjJAZ88iawMLInYOxPA1DB1w6I` | `serviceaccounts:read`                                                                                                                                                                                                                                                      | Read Grafana service accounts.                                                                                                                                                                                                                                                        |
+| `fixed:serviceaccounts:writer`                  | `fixed_iBvUNUEZBZ7PUW0vdkN5iojc2sk` | `serviceaccounts:read`<br>`serviceaccounts:create`<br>`serviceaccounts:write`<br>`serviceaccounts:delete`<br>`serviceaccounts.permissions:read`<br>`serviceaccounts.permissions:write`                                                                                      | Create, update, read and delete all Grafana service accounts and manage service account permissions.                                                                                                                                                                                  |
+| `fixed:settings:reader`                         | `fixed_0LaUt1x6PP8hsZzEBhqPQZFUd8Q` | `settings:read`                                                                                                                                                                                                                                                             | Read Grafana instance settings.                                                                                                                                                                                                                                                       |
+| `fixed:settings:writer`                         | `fixed_joIHDgMrGg790hMhUufVzcU4j44` | All permissions from `fixed:settings:reader` and<br>`settings:write`                                                                                                                                                                                                        | Read and update Grafana instance settings.                                                                                                                                                                                                                                            |
+| `fixed:stats:reader`                            | `fixed_OnRCXxZVINWpcKvTF5A1gecJ7pA` | `server.stats:read`                                                                                                                                                                                                                                                         | Read Grafana instance statistics.                                                                                                                                                                                                                                                     |
+| `fixed:support.bundles:reader`                  | `fixed_gcPjI3PTUJwRx-GJZwDhNa7zbos` | `support.bundles:read`                                                                                                                                                                                                                                                      | List and download support bundles.                                                                                                                                                                                                                                                    |
+| `fixed:support.bundles:writer`                  | `fixed_dTgCv9Wxrp_WHAhwHYIgeboxKpE` | `support.bundles:read`<br>`support.bundles:create`<br>`support.bundles:delete`                                                                                                                                                                                              | Create, delete, list and download support bundles.                                                                                                                                                                                                                                    |
+| `fixed:teams:creator`                           | `fixed_nzVQoNSDSn0fg1MDgO6XnZX2RZI` | `teams:create`<br>`org.users:read`                                                                                                                                                                                                                                          | Create a team and list organization users (required to manage the created team).                                                                                                                                                                                                      |
+| `fixed:teams:read`                              | `fixed_Z8pB0GQlrqRt8IZBCJQxPWvJPgQ` | `teams:read`                                                                                                                                                                                                                                                                | List all teams.                                                                                                                                                                                                                                                                       |
+| `fixed:teams:writer`                            | `fixed_xw1T0579h620MOYi4L96GUs7fZY` | `teams:create`<br>`teams:delete`<br>`teams:read`<br>`teams:write`<br>`teams.permissions:read`<br>`teams.permissions:write`                                                                                                                                                  | Create, read, update and delete teams and manage team memberships.                                                                                                                                                                                                                    |
+| `fixed:usagestats:reader`                       | `fixed_eAM0azEvnWFCJAjNkUKnGL_1-bU` | `server.usagestats.report:read`                                                                                                                                                                                                                                             | View usage statistics report.                                                                                                                                                                                                                                                         |
+| `fixed:users:reader`                            | `fixed_buZastUG3reWyQpPemcWjGqPAd0` | `users:read`<br>`users.quotas:read`<br>`users.authtoken:read`                                                                                                                                                                                                               | Read all users and their information, such as team memberships, authentication tokens, and quotas.                                                                                                                                                                                    |
+| `fixed:users:writer`                            | `fixed_wjzgHHo_Ux25DJuELn_oiAdB_yM` | All permissions from `fixed:users:reader` and <br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.password:write`<br>`users.permissions:write`<br>`users:logout`<br>`users.authtoken:write`<br>`users.quotas:write`        | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |
 
 ### Alerting roles
 
@@ -164,10 +164,20 @@ Access to Grafana alert rules is an intersection of many permissions:
 - Permission to read a folder. For example, the fixed role `fixed:folders:reader` includes the action `folders:read` and a folder scope `folders:id:`.
 - Permission to query **all** data sources that a given alert rule uses. If a user cannot query a given data source, they cannot see any alert rules that query that data source.
 
-There is only one exclusion at this moment. Role `fixed:alerting.provisioning:writer` does not require user to have any additional permissions and provides access to all aspects of the alerting configuration via special provisioning API.
+There is only one exclusion. Role `fixed:alerting.provisioning:writer` does not require user to have any additional permissions and provides access to all aspects of the alerting configuration via special provisioning API.
 
 For more information about the permissions required to access alert rules, refer to [Create a custom role to access alerts in a folder](ref:plan-rbac-rollout-strategy-create-a-custom-role-to-access-alerts-in-a-folder).
 
+#### Alerting basic roles
+
+The following table lists the default RBAC alerting role assignments to the basic roles:
+
+| Basic role | Associated fixed roles                                                                                          | Description                                                                     |
+| ---------- | --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- |
+| Admin      | `fixed:alerting:writer`<br>`fixed:alerting.provisioning.secrets:reader`<br>`fixed:alerting.provisioning:writer` | Default [Grafana organization administrator](ref:rbac-basic-roles) assignments. |
+| Editor     | `fixed:alerting:writer`<br>`fixed:alerting.provisioning.provenance:writer`                                      | Default [Editor](ref:rbac-basic-roles) assignments.                             |
+| Viewer     | `fixed:alerting:reader`                                                                                         | Default [Viewer](ref:rbac-basic-roles) assignments.                             |
+
 ### Grafana OnCall roles
 
 If you are using [Grafana OnCall](ref:oncall), you can try out the integration between Grafana OnCall and RBAC.

docs/sources/alerting/set-up/configure-alert-state-history/index.md

@@ -62,6 +62,9 @@ The following steps describe a basic configuration:
 
    # The URL of the Loki server
    loki_remote_url = http://localhost:3100
+
+   [feature_toggles]
+   enable = alertingCentralAlertHistory
    ```
 
 1. **Configure the Loki data source in Grafana**

docs/sources/alerting/set-up/configure-rbac/_index.md

@@ -17,55 +17,166 @@ weight: 155
 
 # Configure RBAC
 
-Role-based access control (RBAC) for Grafana Enterprise and Grafana Cloud provides a standardized way of granting, changing, and revoking access, so that users can view and modify Grafana resources.
+[Role-based access control (RBAC)](/docs/grafana/latest/administration/roles-and-permissions/access-control/plan-rbac-rollout-strategy/) for Grafana Enterprise and Grafana Cloud provides a standardized way of granting, changing, and revoking access, so that users can view and modify Grafana resources.
 
-A user is any individual who can log in to Grafana. Each user is associated with a role that includes permissions. Permissions determine the tasks a user can perform in the system.
+A user is any individual who can log in to Grafana. Each user has a role that includes permissions. Permissions determine the tasks a user can perform in the system.
 
 Each permission contains one or more actions and a scope.
 
+## Role types
+
+Grafana has three types of roles for managing access:
+
+- **Basic roles**: Admin, Editor, Viewer, and No basic role. These are assigned to users and provide default access levels.
+- **Fixed roles**: Predefined groups of permissions for specific use cases. Basic roles automatically include certain fixed roles.
+- **Custom roles**: User-defined roles that combine specific permissions for granular access control.
+
+## Basic role permissions
+
+The following table summarizes the default alerting permissions for each basic role.
+
+| Capability                                | Admin | Editor | Viewer |
+| ----------------------------------------- | :---: | :----: | :----: |
+| View alert rules                          |   ✓   |   ✓    |   ✓    |
+| Create, edit, and delete alert rules      |   ✓   |   ✓    |        |
+| View silences                             |   ✓   |   ✓    |   ✓    |
+| Create, edit, and expire silences         |   ✓   |   ✓    |        |
+| View contact points and templates         |   ✓   |   ✓    |   ✓    |
+| Create, edit, and delete contact points   |   ✓   |   ✓    |        |
+| View notification policies                |   ✓   |   ✓    |   ✓    |
+| Create, edit, and delete policies         |   ✓   |   ✓    |        |
+| View mute timings                         |   ✓   |   ✓    |   ✓    |
+| Create, edit, and delete timing intervals |   ✓   |   ✓    |        |
+| Access provisioning API                   |   ✓   |   ✓    |        |
+| Export with decrypted secrets             |   ✓   |        |        |
+
+{{< admonition type="note" >}}
+Access to alert rules also requires permission to read the folder containing the rules and permission to query the data sources used in the rules.
+{{< /admonition >}}
+
 ## Permissions
 
-Grafana Alerting has the following permissions.
+Grafana Alerting has the following permissions organized by resource type.
 
-| Action                                       | Applicable scope                       | Description                                                                                                                                                                                                                                       |
-| -------------------------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `alert.instances.external:read`              | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting.                                                                                                                                                                                   |
-| `alert.instances.external:write`             | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting.                                                                                                                                                                                 |
-| `alert.instances:create`                     | n/a                                    | Create silences in the current organization.                                                                                                                                                                                                      |
-| `alert.instances:read`                       | n/a                                    | Read alerts and silences in the current organization.                                                                                                                                                                                             |
-| `alert.instances:write`                      | n/a                                    | Update and expire silences in the current organization.                                                                                                                                                                                           |
-| `alert.notifications.external:read`          | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting.                                                                                                                                    |
-| `alert.notifications.external:write`         | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting.                                                                                                                                  |
-| `alert.notifications:write`                  | n/a                                    | Manage templates, contact points, notification policies, and mute timings in the current organization.                                                                                                                                            |
-| `alert.notifications:read`                   | n/a                                    | Read all templates, contact points, notification policies, and mute timings in the current organization.                                                                                                                                          |
-| `alert.rules.external:read`                  | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki)                                                                                                                                                              |
-| `alert.rules.external:write`                 | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki).                                                                                                                                                    |
-| `alert.rules:create`                         | `folders:*`<br>`folders:uid:*`         | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query.                               |
-| `alert.rules:delete`                         | `folders:*`<br>`folders:uid:*`         | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.                                                                                                       |
-| `alert.rules:read`                           | `folders:*`<br>`folders:uid:*`         | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.                                                                                                         |
-| `alert.rules:write`                          | `folders:*`<br>`folders:uid:*`         | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. To allow query modifications add `datasources:query` in the scope of data sources the user can query. |
-| `alert.silences:create`                      | `folders:*`<br>`folders:uid:*`         | Create rule-specific silences in a folder and its subfolders.                                                                                                                                                                                     |
-| `alert.silences:read`                        | `folders:*`<br>`folders:uid:*`         | Read all general silences and rule-specific silences in a folder and its subfolders.                                                                                                                                                              |
-| `alert.silences:write`                       | `folders:*`<br>`folders:uid:*`         | Update and expire rule-specific silences in a folder and its subfolders.                                                                                                                                                                          |
-| `alert.provisioning:read`                    | n/a                                    | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.                                                                                                           |
-| `alert.provisioning.secrets:read`            | n/a                                    | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets.                                                                                                                                                        |
-| `alert.provisioning:write`                   | n/a                                    | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.                                                                                                         |
-| `alert.provisioning.provenance:write`        | n/a                                    | Set provisioning status for alerting resources. Cannot be used alone. Requires user to have permissions to access resources                                                                                                                       |
-| `alert.notifications.receivers:read`         | `receivers:*`<br>`receivers:uid:*`     | Read contact points.                                                                                                                                                                                                                              |
-| `alert.notifications.receivers.secrets:read` | `receivers:*`<br>`receivers:uid:*`     | Export contact points with decrypted secrets.                                                                                                                                                                                                     |
-| `alert.notifications.receivers:create`       | n/a                                    | Create a new contact points. The creator is automatically granted full access to the created contact point.                                                                                                                                       |
-| `alert.notifications.receivers:write`        | `receivers:*`<br>`receivers:uid:*`     | Update existing contact points.                                                                                                                                                                                                                   |
-| `alert.notifications.receivers:delete`       | `receivers:*`<br>`receivers:uid:*`     | Update and delete existing contact points.                                                                                                                                                                                                        |
-| `receivers.permissions:read`                 | `receivers:*`<br>`receivers:uid:*`     | Read permissions for contact points.                                                                                                                                                                                                              |
-| `receivers.permissions:write`                | `receivers:*`<br>`receivers:uid:*`     | Manage permissions for contact points.                                                                                                                                                                                                            |
-| `alert.notifications.time-intervals:read`    | n/a                                    | Read mute time intervals.                                                                                                                                                                                                                         |
-| `alert.notifications.time-intervals:write`   | n/a                                    | Create new or update existing mute time intervals.                                                                                                                                                                                                |
-| `alert.notifications.time-intervals:delete`  | n/a                                    | Delete existing time intervals.                                                                                                                                                                                                                   |
-| `alert.notifications.templates:read`         | n/a                                    | Read templates.                                                                                                                                                                                                                                   |
-| `alert.notifications.templates:write`        | n/a                                    | Create new or update existing templates.                                                                                                                                                                                                          |
-| `alert.notifications.templates:delete`       | n/a                                    | Delete existing templates.                                                                                                                                                                                                                        |
-| `alert.notifications.templates.test:write`   | n/a                                    | Test templates with custom payloads (preview and payload editor functionality).                                                                                                                                                                   |
-| `alert.notifications.routes:read`            | n/a                                    | Read notification policies.                                                                                                                                                                                                                       |
-| `alert.notifications.routes:write`           | n/a                                    | Create new, update and update notification policies.                                                                                                                                                                                              |
+### Alert rules
+
+Permissions for managing Grafana-managed alert rules.
+
+| Action               | Applicable scope               | Description                                                                                                                                                                                                                                       |
+| -------------------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `alert.rules:create` | `folders:*`<br>`folders:uid:*` | Create Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query.                               |
+| `alert.rules:read`   | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.                                                                                                         |
+| `alert.rules:write`  | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder. To allow query modifications add `datasources:query` in the scope of data sources the user can query. |
+| `alert.rules:delete` | `folders:*`<br>`folders:uid:*` | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with `folders:read` in a scope that includes the folder.                                                                                                       |
+
+### External alert rules
+
+Permissions for managing alert rules in external data sources that support alerting.
+
+| Action                       | Applicable scope                       | Description                                                                                    |
+| ---------------------------- | -------------------------------------- | ---------------------------------------------------------------------------------------------- |
+| `alert.rules.external:read`  | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki).          |
+| `alert.rules.external:write` | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
+
+### Alert instances and silences
+
+Permissions for managing alert instances and silences in Grafana.
+
+| Action                   | Applicable scope               | Description                                                                          |
+| ------------------------ | ------------------------------ | ------------------------------------------------------------------------------------ |
+| `alert.instances:read`   | n/a                            | Read alerts and silences in the current organization.                                |
+| `alert.instances:create` | n/a                            | Create silences in the current organization.                                         |
+| `alert.instances:write`  | n/a                            | Update and expire silences in the current organization.                              |
+| `alert.silences:read`    | `folders:*`<br>`folders:uid:*` | Read all general silences and rule-specific silences in a folder and its subfolders. |
+| `alert.silences:create`  | `folders:*`<br>`folders:uid:*` | Create rule-specific silences in a folder and its subfolders.                        |
+| `alert.silences:write`   | `folders:*`<br>`folders:uid:*` | Update and expire rule-specific silences in a folder and its subfolders.             |
+
+### External alert instances
+
+Permissions for managing alert instances in external data sources.
+
+| Action                           | Applicable scope                       | Description                                                       |
+| -------------------------------- | -------------------------------------- | ----------------------------------------------------------------- |
+| `alert.instances.external:read`  | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting.   |
+| `alert.instances.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
+
+### Contact points
+
+Permissions for managing contact points (notification receivers).
+
+| Action                                       | Applicable scope                   | Description                                                                                                 |
+| -------------------------------------------- | ---------------------------------- | ----------------------------------------------------------------------------------------------------------- |
+| `alert.notifications.receivers:list`         | n/a                                | List contact points in the current organization.                                                            |
+| `alert.notifications.receivers:read`         | `receivers:*`<br>`receivers:uid:*` | Read contact points.                                                                                        |
+| `alert.notifications.receivers.secrets:read` | `receivers:*`<br>`receivers:uid:*` | Export contact points with decrypted secrets.                                                               |
+| `alert.notifications.receivers:create`       | n/a                                | Create a new contact points. The creator is automatically granted full access to the created contact point. |
+| `alert.notifications.receivers:write`        | `receivers:*`<br>`receivers:uid:*` | Update existing contact points.                                                                             |
+| `alert.notifications.receivers:delete`       | `receivers:*`<br>`receivers:uid:*` | Update and delete existing contact points.                                                                  |
+| `alert.notifications.receivers:test`         | `receivers:*`<br>`receivers:uid:*` | Test contact points to verify their configuration.                                                          |
+| `receivers.permissions:read`                 | `receivers:*`<br>`receivers:uid:*` | Read permissions for contact points.                                                                        |
+| `receivers.permissions:write`                | `receivers:*`<br>`receivers:uid:*` | Manage permissions for contact points.                                                                      |
+
+### Notification policies
+
+Permissions for managing notification policies (routing rules).
+
+| Action                             | Applicable scope | Description                                           |
+| ---------------------------------- | ---------------- | ----------------------------------------------------- |
+| `alert.notifications.routes:read`  | n/a              | Read notification policies.                           |
+| `alert.notifications.routes:write` | n/a              | Create new, update, and delete notification policies. |
+
+### Time intervals
+
+Permissions for managing mute time intervals.
+
+| Action                                      | Applicable scope | Description                                        |
+| ------------------------------------------- | ---------------- | -------------------------------------------------- |
+| `alert.notifications.time-intervals:read`   | n/a              | Read mute time intervals.                          |
+| `alert.notifications.time-intervals:write`  | n/a              | Create new or update existing mute time intervals. |
+| `alert.notifications.time-intervals:delete` | n/a              | Delete existing time intervals.                    |
+
+### Templates
+
+Permissions for managing notification templates.
+
+| Action                                     | Applicable scope | Description                                                                     |
+| ------------------------------------------ | ---------------- | ------------------------------------------------------------------------------- |
+| `alert.notifications.templates:read`       | n/a              | Read templates.                                                                 |
+| `alert.notifications.templates:write`      | n/a              | Create new or update existing templates.                                        |
+| `alert.notifications.templates:delete`     | n/a              | Delete existing templates.                                                      |
+| `alert.notifications.templates.test:write` | n/a              | Test templates with custom payloads (preview and payload editor functionality). |
+
+### General notifications
+
+Legacy permissions for managing all notification resources.
+
+| Action                      | Applicable scope | Description                                                                                              |
+| --------------------------- | ---------------- | -------------------------------------------------------------------------------------------------------- |
+| `alert.notifications:read`  | n/a              | Read all templates, contact points, notification policies, and mute timings in the current organization. |
+| `alert.notifications:write` | n/a              | Manage templates, contact points, notification policies, and mute timings in the current organization.   |
+
+### External notifications
+
+Permissions for managing notification resources in external data sources.
+
+| Action                               | Applicable scope                       | Description                                                                                                      |
+| ------------------------------------ | -------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
+| `alert.notifications.external:read`  | `datasources:*`<br>`datasources:uid:*` | Read templates, contact points, notification policies, and mute timings in data sources that support alerting.   |
+| `alert.notifications.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
+
+### Provisioning
+
+Permissions for managing alerting resources via the provisioning API.
+
+| Action                                   | Applicable scope | Description                                                                                                                                                        |
+| ---------------------------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `alert.provisioning:read`                | n/a              | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.                            |
+| `alert.provisioning.secrets:read`        | n/a              | Same as `alert.provisioning:read` plus ability to export resources with decrypted secrets.                                                                         |
+| `alert.provisioning:write`               | n/a              | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and data source are not required.                          |
+| `alert.rules.provisioning:read`          | n/a              | Read Grafana alert rules via provisioning API. More specific than `alert.provisioning:read`.                                                                       |
+| `alert.rules.provisioning:write`         | n/a              | Create, update, and delete Grafana alert rules via provisioning API. More specific than `alert.provisioning:write`.                                                |
+| `alert.notifications.provisioning:read`  | n/a              | Read notification resources (contact points, notification policies, templates, time intervals) via provisioning API. More specific than `alert.provisioning:read`. |
+| `alert.notifications.provisioning:write` | n/a              | Create, update, and delete notification resources via provisioning API. More specific than `alert.provisioning:write`.                                             |
+| `alert.provisioning.provenance:write`    | n/a              | Set provisioning status for alerting resources. Cannot be used alone. Requires user to have permissions to access resources.                                       |
 
 To help plan your RBAC rollout strategy, refer to [Plan your RBAC rollout strategy](https://grafana.com/docs/grafana/next/administration/roles-and-permissions/access-control/plan-rbac-rollout-strategy/).

docs/sources/alerting/set-up/configure-rbac/access-folders/index.md

@@ -16,7 +16,7 @@ title: Manage access using folders or data sources
 weight: 200
 ---
 
-## Manage access using folders or data sources
+# Manage access using folders or data sources
 
 You can extend the access provided by a role to alert rules and rule-specific silences by assigning permissions to individual folders or data sources.
 

docs/sources/alerting/set-up/configure-rbac/access-roles/index.md

@@ -55,7 +55,7 @@ Details of the fixed roles and the access they provide for Grafana Alerting are
 | Full read-only access: `fixed:alerting:reader`                                           | All permissions from `fixed:alerting.rules:reader` <br>`fixed:alerting.instances:reader`<br>`fixed:alerting.notifications:reader`                                                                                                                                                                                                               | Read alert rules, alert instances, silences, contact points, and notification policies in Grafana and external providers.                                |
 | Read via Provisioning API + Export Secrets: `fixed:alerting.provisioning.secrets:reader` | `alert.provisioning:read` and `alert.provisioning.secrets:read`                                                                                                                                                                                                                                                                                 | Read alert rules, alert instances, silences, contact points, and notification policies using the provisioning API and use export with decrypted secrets. |
 | Access to alert rules provisioning API: `fixed:alerting.provisioning:writer`             | `alert.provisioning:read` and `alert.provisioning:write`                                                                                                                                                                                                                                                                                        | Manage all alert rules, notification policies, contact points, templates, in the organization using the provisioning API.                                |
-| Set provisioning status: `fixed:alerting.provisioning.status:writer`                     | `alert.provisioning.provenance:write`                                                                                                                                                                                                                                                                                                           | Set provisioning rules for Alerting resources. Should be used together with other regular roles (Notifications Writer and/or Rules Writer.)              |
+| Set provisioning status: `fixed:alerting.provisioning.provenance:writer`                 | `alert.provisioning.provenance:write`                                                                                                                                                                                                                                                                                                           | Set provisioning rules for Alerting resources. Should be used together with other regular roles (Notifications Writer and/or Rules Writer.)              |
 | Contact Point Reader: `fixed:alerting.receivers:reader`                                  | `alert.notifications.receivers:read` for scope `receivers:*`                                                                                                                                                                                                                                                                                    | Read all contact points.                                                                                                                                 |
 | Contact Point Creator: `fixed:alerting.receivers:creator`                                | `alert.notifications.receivers:create`                                                                                                                                                                                                                                                                                                          | Create a new contact point. The user is automatically granted full access to the created contact point.                                                  |
 | Contact Point Writer: `fixed:alerting.receivers:writer`                                  | `alert.notifications.receivers:read`, `alert.notifications.receivers:write`, `alert.notifications.receivers:delete` for scope `receivers:*` and <br> `alert.notifications.receivers:create`                                                                                                                                                     | Create a new contact point and manage all existing contact points.                                                                                       |
@@ -63,8 +63,8 @@ Details of the fixed roles and the access they provide for Grafana Alerting are
 | Templates Writer: `fixed:alerting.templates:writer`                                      | `alert.notifications.templates:read`, `alert.notifications.templates:write`, `alert.notifications.templates:delete`, `alert.notifications.templates.test:write`                                                                                                                                                                                 | Create new and manage existing notification templates. Test templates with custom payloads.                                                              |
 | Time Intervals Reader: `fixed:alerting.time-intervals:reader`                            | `alert.notifications.time-intervals:read`                                                                                                                                                                                                                                                                                                       | Read all time intervals.                                                                                                                                 |
 | Time Intervals Writer: `fixed:alerting.time-intervals:writer`                            | `alert.notifications.time-intervals:read`, `alert.notifications.time-intervals:write`, `alert.notifications.time-intervals:delete`                                                                                                                                                                                                              | Create new and manage existing time intervals.                                                                                                           |
-| Notification Policies Reader: `fixed:alerting.routes:reader`                             | `alert.notifications.routes:read`                                                                                                                                                                                                                                                                                                               | Read all time intervals.                                                                                                                                 |
-| Notification Policies Writer: `fixed:alerting.routes:writer`                             | `alert.notifications.routes:read` `alert.notifications.routes:write`                                                                                                                                                                                                                                                                            | Create new and manage existing time intervals.                                                                                                           |
+| Notification Policies Reader: `fixed:alerting.routes:reader`                             | `alert.notifications.routes:read`                                                                                                                                                                                                                                                                                                               | Read all notification policies.                                                                                                                          |
+| Notification Policies Writer: `fixed:alerting.routes:writer`                             | `alert.notifications.routes:read`<br>`alert.notifications.routes:write`                                                                                                                                                                                                                                                                         | Create new and manage existing notification policies.                                                                                                    |
 
 ## Create custom roles
 

docs/sources/alerting/set-up/configure-roles/index.md

@@ -16,25 +16,27 @@ weight: 150
 
 # Configure roles and permissions
 
+This guide explains how to configure roles and permissions for Grafana Alerting for Grafana OSS users. You'll learn how to manage access using roles, folder permissions, and contact point permissions.
+
 A user is any individual who can log in to Grafana. Each user is associated with a role that includes permissions. Permissions determine the tasks a user can perform in the system. For example, the Admin role includes permissions for an administrator to create and delete users.
 
 For more information, refer to [Organization roles](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/roles-and-permissions/#organization-roles).
 
 ## Manage access using roles
 
-For Grafana OSS, there are three roles: Admin, Editor, and Viewer.
+Grafana OSS has three roles: Admin, Editor, and Viewer.
 
-Details of the roles and the access they provide for Grafana Alerting are below.
+The following table describes the access each role provides for Grafana Alerting.
 
-| Role   | Access                                                                                                                                                                    |
-| ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Admin  | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning. |
-| Editor | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning. |
-| Viewer | Read access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences).                    |
+| Role   | Access                                                                                                                                                                                             |
+| ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Viewer | Read access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences).                                             |
+| Editor | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning.                          |
+| Admin  | Write access to alert rules, notification resources (notification API, contact points, templates, time intervals, notification policies, and silences), and provisioning, as well as assign roles. |
 
 ## Assign roles
 
-To assign roles, admins need to complete the following steps.
+To assign roles, an admin needs to complete the following steps.
 
 1. Navigate to **Administration** > **Users and access** > **Users, Teams, or Service Accounts**.
 1. Search for the user, team or service account you want to add a role for.
@@ -58,32 +60,30 @@ Refer to the following table for details on the additional access provided by fo
 You can't use folders to customize access to notification resources.
 {{< /admonition >}}
 
-To manage folder permissions, complete the following steps.
+To manage folder permissions, complete the following steps:
 
 1. In the left-side menu, click **Dashboards**.
 1. Hover your mouse cursor over a folder and click **Go to folder**.
 1. Click **Manage permissions** from the Folder actions menu.
 1. Update or add permissions as required.
 
-## Manage access using contact point permissions
+## Manage access to contact points
 
-### Before you begin
-
-Extend or limit the access provided by a role to contact points by assigning permissions to individual contact point.
+Extend or limit the access provided by a role to contact points by assigning permissions to individual contact points.
 
 This allows different users, teams, or service accounts to have customized access to read or modify specific contact points.
 
 Refer to the following table for details on the additional access provided by contact point permissions.
 
-| Folder permission | Additional Access                                                                                                                             |
-| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| View              | View and export contact point as well as select it on the Alert rule edit page                                                                |
-| Edit              | Update or delete the contact point                                                                                                            |
-| Admin             | Same additional access as Edit and manage permissions for the contact point. User should have additional permissions to read users and teams. |
+| Contact point permission | Additional Access                                                                                                                             |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| View                     | View and export contact point as well as select it on the Alert rule edit page                                                                |
+| Edit                     | Update or delete the contact point                                                                                                            |
+| Admin                    | Same additional access as Edit and manage permissions for the contact point. User should have additional permissions to read users and teams. |
 
-### Steps
+### Assign contact point permissions
 
-To contact point permissions, complete the following steps.
+To manage contact point permissions, complete the following steps:
 
 1. In the left-side menu, click **Contact points**.
 1. Hover your mouse cursor over a contact point and click **More**.

docs/sources/as-code/infrastructure-as-code/terraform/terraform-plugins.md

@@ -24,7 +24,7 @@ Before you begin, you should have the following available:
 - Administrator permissions in your Grafana instance; for more information on assigning Grafana RBAC roles, refer to [Assign RBAC roles](/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-control/assign-rbac-roles/).
 
 {{< admonition type="note" >}}
-All of the following Terraform configuration files should be saved in the same directory.
+Save all of the following Terraform configuration files in the same directory.
 {{< /admonition >}}
 
 ## Configure the Grafana provider

docs/sources/datasources/azure-monitor/_index.md

@@ -3,7 +3,6 @@ aliases:
   - ../data-sources/azure-monitor/
   - ../features/datasources/azuremonitor/
   - azuremonitor/
-  - azuremonitor/deprecated-application-insights/
 description: Guide for using Azure Monitor in Grafana
 keywords:
   - grafana
@@ -23,6 +22,7 @@ labels:
 menuTitle: Azure Monitor
 title: Azure Monitor data source
 weight: 300
+last_reviewed: 2025-12-04
 refs:
   configure-grafana-feature-toggles:
     - pattern: /docs/grafana/
@@ -49,6 +49,11 @@ refs:
       destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/
     - pattern: /docs/grafana-cloud/
       destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/
+  transform-data:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/query-transform-data/transform-data/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/query-transform-data/transform-data/
   configure-grafana-azure:
     - pattern: /docs/grafana/
       destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#azure
@@ -63,295 +68,98 @@ refs:
     - pattern: /docs/grafana/
       destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
     - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
+  configure-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
+  query-editor-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+  template-variables-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/template-variables/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/template-variables/
+  alerting-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/alerting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/alerting/
+  troubleshooting-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/troubleshooting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/troubleshooting/
+  annotations-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/annotations/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/annotations/
 ---
 
 # Azure Monitor data source
 
-Grafana ships with built-in support for Azure Monitor, the Azure service to maximize the availability and performance of applications and services in the Azure Cloud.
-This topic explains configuring and querying specific to the Azure Monitor data source.
+The Azure Monitor data source plugin allows you to query and visualize data from Azure Monitor, the Azure service to maximize the availability and performance of applications and services in the Azure Cloud.
 
-For instructions on how to add a data source to Grafana, refer to the [administration documentation](ref:data-source-management).
-Only users with the organization administrator role can add data sources.
+## Supported Azure clouds
 
-Once you've added the Azure Monitor data source, you can [configure it](#configure-the-data-source) so that your Grafana instance's users can create queries in its [query editor](query-editor/) when they [build dashboards](ref:build-dashboards) and use [Explore](ref:explore).
+The Azure Monitor data source supports the following Azure cloud environments:
 
-The Azure Monitor data source supports visualizing data from four Azure services:
+- **Azure** - Azure public cloud (default)
+- **Azure US Government** - Azure Government cloud
+- **Azure China** - Azure China cloud operated by 21Vianet
 
-- **Azure Monitor Metrics:** Collect numeric data from resources in your Azure account.
-- **Azure Monitor Logs:** Collect log and performance data from your Azure account, and query using the Kusto Query Language (KQL).
-- **Azure Resource Graph:** Query your Azure resources across subscriptions.
-- **Azure Monitor Application Insights:** Collect trace logging data and other application performance metrics.
+## Supported Azure services
 
-## Configure the data source
+The Azure Monitor data source supports the following Azure services:
 
-**To access the data source configuration page:**
+| Service                         | Description                                                                                                                 |
+| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
+| **Azure Monitor Metrics**       | Collect numeric data from resources in your Azure account. Supports dimensions, aggregations, and time grain configuration. |
+| **Azure Monitor Logs**          | Collect log and performance data from your Azure account using the Kusto Query Language (KQL).                              |
+| **Azure Resource Graph**        | Query your Azure resources across subscriptions using KQL. Useful for inventory, compliance, and resource management.       |
+| **Application Insights Traces** | Collect distributed trace data and correlate requests across your application components.                                   |
 
-1. Click **Connections** in the left-side menu.
-1. Under Your connections, click **Data sources**.
-1. Enter `Azure Monitor` in the search bar.
-1. Click **Azure Monitor**.
+## Get started
 
-   The **Settings** tab of the data source is displayed.
+The following documents will help you get started with the Azure Monitor data source:
 
-### Configure Azure Active Directory (AD) authentication
+- [Configure the Azure Monitor data source](ref:configure-azure-monitor) - Set up authentication and connect to Azure
+- [Azure Monitor query editor](ref:query-editor-azure-monitor) - Create and edit queries for Metrics, Logs, Traces, and Resource Graph
+- [Template variables](ref:template-variables-azure-monitor) - Create dynamic dashboards with Azure Monitor variables
+- [Alerting](ref:alerting-azure-monitor) - Create alert rules using Azure Monitor data
+- [Troubleshooting](ref:troubleshooting-azure-monitor) - Solve common configuration and query errors
 
-You must create an app registration and service principal in Azure AD to authenticate the data source.
-For configuration details, refer to the [Azure documentation for service principals](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in).
+## Additional features
 
-The app registration you create must have the `Reader` role assigned on the subscription.
-For more information, refer to [Azure documentation for role assignments](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current).
+After you have configured the Azure Monitor data source, you can:
 
-If you host Grafana in Azure, such as in App Service or Azure Virtual Machines, you can configure the Azure Monitor data source to use Managed Identity for secure authentication without entering credentials into Grafana.
-For details, refer to [Configuring using Managed Identity](#configuring-using-managed-identity).
+- Add [Annotations](ref:annotations-azure-monitor) to overlay Azure log events on your graphs.
+- Configure and use [Template variables](ref:template-variables-azure-monitor) for dynamic dashboards.
+- Add [Transformations](ref:transform-data) to manipulate query results.
+- Set up [Alerting](ref:alerting-azure-monitor) and recording rules using Metrics, Logs, Traces, and Resource Graph queries.
+- Use [Explore](ref:explore) to investigate your Azure data without building a dashboard.
 
-You can configure the Azure Monitor data source to use Workload Identity for secure authentication without entering credentials into Grafana if you host Grafana in a Kubernetes environment, such as AKS, and require access to Azure resources.
-For details, refer to [Configuring using Workload Identity](#configuring-using-workload-identity).
+## Pre-built dashboards
 
-| Name                        | Description                                                                                                                                                                                                                                                                                           |
-| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Authentication**          | Enables Managed Identity. Selecting Managed Identity hides many of the other fields. For details, see [Configuring using Managed Identity](#configuring-using-managed-identity).                                                                                                                      |
-| **Azure Cloud**             | Sets the national cloud for your Azure account. For most users, this is the default "Azure". For details, see the [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud).                                                               |
-| **Directory (tenant) ID**   | Sets the directory/tenant ID for the Azure AD app registration to use for authentication. For details, see the [Azure tenant and app ID docs](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in).     |
-| **Application (client) ID** | Sets the application/client ID for the Azure AD app registration to use for authentication.                                                                                                                                                                                                           |
-| **Client secret**           | Sets the application client secret for the Azure AD app registration to use for authentication. For details, see the [Azure application secret docs](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret). |
-| **Default subscription**    | _(Optional)_ Sets a default subscription for template variables to use.                                                                                                                                                                                                                               |
-| **Enable Basic Logs**       | Allows this data source to execute queries against [Basic Logs tables](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/basic-logs-query?tabs=portal-1) in supported Log Analytics Workspaces. These queries may incur additional costs.                                                    |
+The Azure Monitor plugin includes the following pre-built dashboards:
 
-### Provision the data source
+- **Azure Monitor Overview** - Displays key metrics across your Azure subscriptions and resources.
+- **Azure Storage Account** - Shows storage account metrics including availability, latency, and transactions.
 
-You can define and configure the data source in YAML files as part of Grafana's provisioning system.
-For more information about provisioning, and for available configuration options, refer to [Provisioning Grafana](ref:provisioning-data-sources).
+To import a pre-built dashboard:
 
-#### Provisioning examples
+1. Go to **Connections** > **Data sources**.
+1. Select your Azure Monitor data source.
+1. Click the **Dashboards** tab.
+1. Click **Import** next to the dashboard you want to use.
 
-**Azure AD App Registration (client secret):**
+## Related resources
 
-```yaml
-apiVersion: 1 # config file version
-
-datasources:
-  - name: Azure Monitor
-    type: grafana-azure-monitor-datasource
-    access: proxy
-    jsonData:
-      azureAuthType: clientsecret
-      cloudName: azuremonitor # See table below
-      tenantId: <tenant-id>
-      clientId: <client-id>
-      subscriptionId: <subscription-id> # Optional, default subscription
-    secureJsonData:
-      clientSecret: <client-secret>
-    version: 1
-```
-
-**Managed Identity:**
-
-```yaml
-apiVersion: 1 # config file version
-
-datasources:
-  - name: Azure Monitor
-    type: grafana-azure-monitor-datasource
-    access: proxy
-    jsonData:
-      azureAuthType: msi
-      subscriptionId: <subscription-id> # Optional, default subscription
-    version: 1
-```
-
-**Workload Identity:**
-
-```yaml
-apiVersion: 1 # config file version
-
-datasources:
-  - name: Azure Monitor
-    type: grafana-azure-monitor-datasource
-    access: proxy
-    jsonData:
-      azureAuthType: workloadidentity
-      subscriptionId: <subscription-id> # Optional, default subscription
-    version: 1
-```
-
-**Current User:**
-
-{{< admonition type="note" >}}
-The `oauthPassThru` property is required for current user authentication to function.
-Additionally, `disableGrafanaCache` is necessary to prevent the data source returning cached responses for resources users don't have access to.
-{{< /admonition >}}
-
-```yaml
-apiVersion: 1 # config file version
-
-datasources:
-  - name: Azure Monitor
-    type: grafana-azure-monitor-datasource
-    access: proxy
-    jsonData:
-      azureAuthType: currentuser
-      oauthPassThru: true
-      disableGrafanaCache: true
-      subscriptionId: <subscription-id> # Optional, default subscription
-    version: 1
-```
-
-#### Supported cloud names
-
-| Azure Cloud                          | `cloudName` Value          |
-| ------------------------------------ | -------------------------- |
-| **Microsoft Azure public cloud**     | `azuremonitor` (_Default_) |
-| **Microsoft Chinese national cloud** | `chinaazuremonitor`        |
-| **US Government cloud**              | `govazuremonitor`          |
-
-{{< admonition type="note" >}}
-Cloud names for current user authentication differ to the `cloudName` values in the preceding table.
-The public cloud name is `AzureCloud`, the Chinese national cloud name is `AzureChinaCloud`, and the US Government cloud name is `AzureUSGovernment`.
-{{< /admonition >}}
-
-### Configure Managed Identity
-
-{{< admonition type="note" >}}
-Managed Identity is available only in [Azure Managed Grafana](https://azure.microsoft.com/en-us/products/managed-grafana) or Grafana OSS/Enterprise when deployed in Azure. It is not available in Grafana Cloud.
-{{< /admonition >}}
-
-You can use managed identity to configure Azure Monitor in Grafana if you host Grafana in Azure (such as an App Service or with Azure Virtual Machines) and have managed identity enabled on your VM.
-This lets you securely authenticate data sources without manually configuring credentials via Azure AD App Registrations.
-For details on Azure managed identities, refer to the [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview).
-
-**To enable managed identity for Grafana:**
-
-1. Set the `managed_identity_enabled` flag in the `[azure]` section of the [Grafana server configuration](ref:configure-grafana-azure).
-
-   ```ini
-   [azure]
-   managed_identity_enabled = true
-   ```
-
-2. In the Azure Monitor data source configuration, set **Authentication** to **Managed Identity**.
-
-   This hides the directory ID, application ID, and client secret fields, and the data source uses managed identity to authenticate to Azure Monitor Metrics and Logs, and Azure Resource Graph.
-
-   {{< figure src="/media/docs/grafana/data-sources/screenshot-managed-identity-2.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor screenshot showing Managed Identity authentication" >}}
-
-3. You can set the `managed_identity_client_id` field in the `[azure]` section of the [Grafana server configuration](ref:configure-grafana-azure) to allow a user-assigned managed identity to be used instead of the default system-assigned identity.
-
-```ini
-[azure]
-managed_identity_enabled = true
-managed_identity_client_id = USER_ASSIGNED_IDENTITY_CLIENT_ID
-```
-
-### Configure Workload Identity
-
-You can use workload identity to configure Azure Monitor in Grafana if you host Grafana in a Kubernetes environment, such as AKS, in conjunction with managed identities.
-This lets you securely authenticate data sources without manually configuring credentials via Azure AD App Registrations.
-For details on workload identity, refer to the [Azure workload identity documentation](https://azure.github.io/azure-workload-identity/docs/).
-
-**To enable workload identity for Grafana:**
-
-1. Set the `workload_identity_enabled` flag in the `[azure]` section of the [Grafana server configuration](ref:configure-grafana-azure).
-
-   ```ini
-   [azure]
-   workload_identity_enabled = true
-   ```
-
-2. In the Azure Monitor data source configuration, set **Authentication** to **Workload Identity**.
-
-   This hides the directory ID, application ID, and client secret fields, and the data source uses workload identity to authenticate to Azure Monitor Metrics and Logs, and Azure Resource Graph.
-
-   {{< figure src="/media/docs/grafana/data-sources/screenshot-workload-identity.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor screenshot showing Workload Identity authentication" >}}
-
-3. There are additional configuration variables that can control the authentication method.`workload_identity_tenant_id` represents the Azure AD tenant that contains the managed identity, `workload_identity_client_id` represents the client ID of the managed identity if it differs from the default client ID, `workload_identity_token_file` represents the path to the token file. Refer to the [documentation](https://azure.github.io/azure-workload-identity/docs/) for more information on what values these variables should use, if any.
-
-   ```ini
-   [azure]
-   workload_identity_enabled = true
-   workload_identity_tenant_id = IDENTITY_TENANT_ID
-   workload_identity_client_id = IDENTITY_CLIENT_ID
-   workload_identity_token_file = TOKEN_FILE_PATH
-   ```
-
-### Configure Current User authentication
-
-{{< admonition type="note" >}}
-Current user authentication is an [experimental feature](/docs/release-life-cycle). Engineering and on-call support is not available. Documentation is either limited or not provided outside of code comments. No SLA is provided. Contact Grafana Support to enable this feature in Grafana Cloud. Aspects of Grafana may not work as expected when using this authentication method.
-{{< /admonition >}}
-
-If your Grafana instance is configured with Azure Entra (formerly Active Directory) authentication for login, this authentication method can be used to forward the currently logged in user's credentials to the data source. The users credentials will then be used when requesting data from the data source. For details on how to configure your Grafana instance using Azure Entra refer to the [documentation](ref:configure-grafana-azure-auth).
-
-{{< admonition type="note" >}}
-Additional configuration is required to ensure that the App Registration used to login a user via Azure provides an access token with the permissions required by the data source.
-
-The App Registration must be configured to issue both **Access Tokens** and **ID Tokens**.
-
-1. In the Azure Portal, open the App Registration that requires configuration.
-2. Select **Authentication** in the side menu.
-3. Under **Implicit grant and hybrid flows** check both the **Access tokens** and **ID tokens** boxes.
-4. Save the changes to ensure the App Registration is updated.
-
-The App Registration must also be configured with additional **API Permissions** to provide authenticated users with access to the APIs utilised by the data source.
-
-1. In the Azure Portal, open the App Registration that requires configuration.
-1. Select **API Permissions** in the side menu.
-1. Ensure the `openid`, `profile`, `email`, and `offline_access` permissions are present under the **Microsoft Graph** section. If not, they must be added.
-1. Select **Add a permission** and choose the following permissions. They must be added individually. Refer to the [Azure documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis) for more information.
-   - Select **Azure Service Management** > **Delegated permissions** > `user_impersonation` > **Add permissions**
-   - Select **APIs my organization uses** > Search for **Log Analytics API** and select it > **Delegated permissions** > `Date.Read` > **Add permissions**
-
-Once all permissions have been added, the Azure authentication section in Grafana must be updated. The `scopes` section must be updated to include the `.default` scope to ensure that a token with access to all APIs declared on the App Registration is requested by Grafana. Once updated the scopes value should equal: `.default openid email profile`.
-{{< /admonition >}}
-
-This method of authentication doesn't inherently support all backend functionality as a user's credentials won't be in scope.
-Affected functionality includes alerting, reporting, and recorded queries.
-In order to support backend queries when using a data source configured with current user authentication, you can configure service credentials.
-Also, note that query and resource caching is disabled by default for data sources using current user authentication.
-
-{{< admonition type="note" >}}
-To configure fallback service credentials the [feature toggle](ref:configure-grafana-feature-toggles) `idForwarding` must be set to `true` and `user_identity_fallback_credentials_enabled` must be enabled in the [Azure configuration section](ref:configure-grafana-azure) (enabled by default when `user_identity_enabled` is set to `true`).
-{{< /admonition >}}
-
-Permissions for fallback credentials may need to be broad to appropriately support backend functionality.
-For example, an alerting query created by a user is dependent on their permissions.
-If a user tries to create an alert for a resource that the fallback credentials can't access, the alert will fail.
-
-**To enable current user authentication for Grafana:**
-
-1. Set the `user_identity_enabled` flag in the `[azure]` section of the [Grafana server configuration](ref:configure-grafana-azure).
-   By default this will also enable fallback service credentials.
-   If you want to disable service credentials at the instance level set `user_identity_fallback_credentials_enabled` to false.
-
-   ```ini
-   [azure]
-   user_identity_enabled = true
-   ```
-
-1. In the Azure Monitor data source configuration, set **Authentication** to **Current User**.
-   If fallback service credentials are enabled at the instance level, an additional configuration section is visible that you can use to enable or disable using service credentials for this data source.
-   {{< figure src="/media/docs/grafana/data-sources/screenshot-current-user.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor screenshot showing Current User authentication" >}}
-
-1. If you want backend functionality to work with this data source, enable service credentials and configure the data source using the most applicable credentials for your circumstances.
-
-## Query the data source
-
-The Azure Monitor data source can query data from Azure Monitor Metrics and Logs, the Azure Resource Graph, and Application Insights Traces. Each source has its own specialized query editor.
-
-For details, see the [query editor documentation](query-editor/).
-
-## Use template variables
-
-Instead of hard-coding details such as server, application, and sensor names in metric queries, you can use variables.
-Grafana lists these variables in dropdown select boxes at the top of the dashboard to help you change the data displayed in your dashboard.
-Grafana refers to such variables as template variables.
-
-For details, see the [template variables documentation](template-variables/).
-
-## Application Insights and Insights Analytics (removed)
-
-Until Grafana v8.0, you could query the same Azure Application Insights data using Application Insights and Insights Analytics.
-
-These queries were deprecated in Grafana v7.5. In Grafana v8.0, Application Insights and Insights Analytics were made read-only in favor of querying this data through Metrics and Logs. These query methods were completely removed in Grafana v9.0.
-
-If you're upgrading from a Grafana version prior to v9.0 and relied on Application Insights and Analytics queries, refer to the [Grafana v9.0 documentation](/docs/grafana/v9.0/datasources/azuremonitor/deprecated-application-insights/) for help migrating these queries to Metrics and Logs queries.
+- [Azure Monitor documentation](https://docs.microsoft.com/en-us/azure/azure-monitor/)
+- [Kusto Query Language (KQL) reference](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/)
+- [Grafana community forum](https://community.grafana.com/)

docs/sources/datasources/azure-monitor/alerting/index.md

@@ -0,0 +1,262 @@
+---
+aliases:
+  - ../../data-sources/azure-monitor/alerting/
+description: Set up alerts using Azure Monitor data in Grafana
+keywords:
+  - grafana
+  - azure
+  - monitor
+  - alerting
+  - alerts
+  - metrics
+  - logs
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Alerting
+title: Azure Monitor alerting
+weight: 500
+refs:
+  alerting:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/
+  alerting-fundamentals:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/
+  create-alert-rule:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/alerting-rules/create-grafana-managed-rule/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/alerting-rules/create-grafana-managed-rule/
+  grafana-managed-recording-rules:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/alerting-rules/create-recording-rules/create-grafana-managed-recording-rules/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/alerting-rules/create-recording-rules/create-grafana-managed-recording-rules/
+  configure-azure-monitor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/configure/
+  query-editor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+  troubleshoot:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/troubleshooting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/troubleshooting/
+---
+
+# Azure Monitor alerting
+
+The Azure Monitor data source supports [Grafana Alerting](ref:alerting) and [Grafana-managed recording rules](ref:grafana-managed-recording-rules), allowing you to create alert rules based on Azure metrics, logs, traces, and resource data. You can monitor your Azure environment and receive notifications when specific conditions are met.
+
+## Before you begin
+
+- Ensure you have the appropriate permissions to create alert rules in Grafana.
+- Verify your Azure Monitor data source is configured and working correctly.
+- Familiarize yourself with [Grafana Alerting concepts](ref:alerting-fundamentals).
+- **Important**: Verify your data source uses a supported authentication method. Refer to [Authentication requirements](#authentication-requirements).
+
+## Supported query types for alerting
+
+All Azure Monitor query types support alerting and recording rules:
+
+| Query type           | Use case                                           | Notes                                                    |
+| -------------------- | -------------------------------------------------- | -------------------------------------------------------- |
+| Metrics              | Threshold-based alerts on Azure resource metrics   | Best suited for alerting; returns time-series data       |
+| Logs                 | Alert on log patterns, error counts, or thresholds | Use KQL to aggregate data into numeric values            |
+| Azure Resource Graph | Alert on resource state or configuration changes   | Use count aggregations to return numeric data            |
+| Traces               | Alert on trace data and application performance    | Use aggregations to return numeric values for evaluation |
+
+{{< admonition type="note" >}}
+Alert queries must return numeric data that Grafana can evaluate against a threshold. Queries that return only text or non-numeric data cannot be used directly for alerting.
+{{< /admonition >}}
+
+## Authentication requirements
+
+Alerting and recording rules run as background processes without a user context. This means they require service-level authentication and don't work with all authentication methods.
+
+| Authentication method            | Supported                             |
+| -------------------------------- | ------------------------------------- |
+| App Registration (client secret) | ✓                                     |
+| Managed Identity                 | ✓                                     |
+| Workload Identity                | ✓                                     |
+| Current User                     | ✓ (with fallback service credentials) |
+
+{{< admonition type="note" >}}
+If you use **Current User** authentication, you must configure **fallback service credentials** for alerting and recording rules to function. User credentials aren't available for background operations, so Grafana uses the fallback credentials instead. Refer to [configure the data source](ref:configure-azure-monitor) for details on setting up fallback credentials.
+{{< /admonition >}}
+
+## Create an alert rule
+
+To create an alert rule using Azure Monitor data:
+
+1. Go to **Alerting** > **Alert rules**.
+1. Click **New alert rule**.
+1. Enter a name for your alert rule.
+1. In the **Define query and alert condition** section:
+   - Select your Azure Monitor data source.
+   - Configure your query (for example, a Metrics query for CPU usage or a Logs query using KQL).
+   - Add a **Reduce** expression if your query returns multiple series.
+   - Add a **Threshold** expression to define the alert condition.
+1. Configure the **Set evaluation behavior**:
+   - Select or create a folder and evaluation group.
+   - Set the evaluation interval (how often the alert is checked).
+   - Set the pending period (how long the condition must be true before firing).
+1. Add labels and annotations to provide context for notifications.
+1. Click **Save rule**.
+
+For detailed instructions, refer to [Create a Grafana-managed alert rule](ref:create-alert-rule).
+
+## Example: VM CPU usage alert
+
+This example creates an alert that fires when virtual machine CPU usage exceeds 80%:
+
+1. Create a new alert rule.
+1. Configure the query:
+   - **Service**: Metrics
+   - **Resource**: Select your virtual machine
+   - **Metric namespace**: `Microsoft.Compute/virtualMachines`
+   - **Metric**: `Percentage CPU`
+   - **Aggregation**: `Average`
+1. Add expressions:
+   - **Reduce**: Last (to get the most recent data point)
+   - **Threshold**: Is above 80
+1. Set evaluation to run every 1 minute with a 5-minute pending period.
+1. Save the rule.
+
+## Example: Error log count alert
+
+This example alerts when error logs exceed a threshold using a KQL query:
+
+1. Create a new alert rule.
+1. Configure the query:
+   - **Service**: Logs
+   - **Resource**: Select your Log Analytics workspace
+   - **Query**:
+     ```kusto
+     AppExceptions
+     | where TimeGenerated > ago(5m)
+     | summarize ErrorCount = count() by bin(TimeGenerated, 1m)
+     ```
+1. Add expressions:
+   - **Reduce**: Max (to get the highest count in the period)
+   - **Threshold**: Is above 10
+1. Set evaluation to run every 5 minutes.
+1. Save the rule.
+
+## Example: Resource count alert
+
+This example alerts when the number of running virtual machines drops below a threshold using Azure Resource Graph:
+
+1. Create a new alert rule.
+1. Configure the query:
+   - **Service**: Azure Resource Graph
+   - **Subscriptions**: Select your subscriptions
+   - **Query**:
+
+     ```kusto
+     resources
+     | where type == "microsoft.compute/virtualmachines"
+     | where properties.extended.instanceView.powerState.displayStatus == "VM running"
+     | summarize RunningVMs = count()
+     ```
+
+1. Add expressions:
+   - **Reduce**: Last
+   - **Threshold**: Is below 3
+1. Set evaluation to run every 5 minutes.
+1. Save the rule.
+
+## Best practices
+
+Follow these recommendations to create reliable and efficient alerts with Azure Monitor data.
+
+### Use appropriate query intervals
+
+- Set the alert evaluation interval to be greater than or equal to the minimum data resolution from Azure Monitor.
+- Azure Monitor Metrics typically have 1-minute granularity at minimum.
+- Avoid very short intervals (less than 1 minute) as they may cause evaluation timeouts or miss data points.
+
+### Reduce multiple series
+
+When your Azure Monitor query returns multiple time series (for example, CPU usage across multiple VMs), use the **Reduce** expression to aggregate them:
+
+- **Last**: Use the most recent value
+- **Mean**: Average across all series
+- **Max/Min**: Use the highest or lowest value
+- **Sum**: Total across all series
+
+### Optimize Log Analytics queries
+
+For Logs queries used in alerting:
+
+- Use `summarize` to aggregate data into numeric values.
+- Include appropriate time filters using `ago()` or `TimeGenerated`.
+- Avoid returning large result sets; aggregate data in the query.
+- Test queries in Explore before using them in alert rules.
+
+### Handle no data conditions
+
+Configure what happens when no data is returned:
+
+1. In the alert rule, find **Configure no data and error handling**.
+1. Choose an appropriate action:
+   - **No Data**: Keep the alert in its current state
+   - **Alerting**: Treat no data as an alert condition
+   - **OK**: Treat no data as a healthy state
+
+### Test queries before alerting
+
+Always verify your query returns expected data before creating an alert:
+
+1. Go to **Explore**.
+1. Select your Azure Monitor data source.
+1. Run the query you plan to use for alerting.
+1. Confirm the data format and values are correct.
+1. Verify the query returns numeric data suitable for threshold evaluation.
+
+## Troubleshooting
+
+If your Azure Monitor alerts aren't working as expected, use the following sections to diagnose and resolve common issues.
+
+### Alerts not firing
+
+- Verify the data source uses a supported authentication method. If using Current User authentication, ensure fallback service credentials are configured.
+- Check that the query returns numeric data in Explore.
+- Ensure the evaluation interval allows enough time for data to be available.
+- Review the alert rule's health and any error messages in the Alerting UI.
+
+### Authentication errors in alert evaluation
+
+If you see authentication errors when alerts evaluate:
+
+- Confirm the data source is configured with App Registration, Managed Identity, Workload Identity, or Current User with fallback service credentials.
+- If using App Registration, verify the client secret hasn't expired.
+- If using Current User, verify that fallback service credentials are configured and valid.
+- Check that the service principal has appropriate permissions on Azure resources.
+
+### Query timeout errors
+
+- Simplify complex KQL queries.
+- Reduce the time range in Log Analytics queries.
+- Add more specific filters to narrow result sets.
+
+For additional troubleshooting help, refer to [Troubleshoot Azure Monitor](ref:troubleshoot).
+
+## Additional resources
+
+- [Grafana Alerting documentation](ref:alerting)
+- [Create alert rules](ref:create-alert-rule)
+- [Azure Monitor query editor](ref:query-editor)
+- [Grafana-managed recording rules](ref:grafana-managed-recording-rules)

docs/sources/datasources/azure-monitor/annotations/index.md

@@ -0,0 +1,218 @@
+---
+aliases:
+  - ../../data-sources/azure-monitor/annotations/
+description: Use annotations with the Azure Monitor data source in Grafana
+keywords:
+  - grafana
+  - azure
+  - monitor
+  - annotations
+  - events
+  - logs
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Annotations
+title: Azure Monitor annotations
+weight: 450
+refs:
+  annotate-visualizations:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/annotate-visualizations/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/annotate-visualizations/
+  query-editor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/azure-monitor/query-editor/
+---
+
+# Azure Monitor annotations
+
+[Annotations](ref:annotate-visualizations) overlay rich event information on top of graphs. You can use Azure Monitor Log Analytics queries to create annotations that mark important events, deployments, alerts, or other significant occurrences on your dashboards.
+
+## Before you begin
+
+- Ensure you have configured the Azure Monitor data source.
+- You need access to a Log Analytics workspace containing the data you want to use for annotations.
+- Annotations use Log Analytics (KQL) queries only. Metrics, Traces, and Azure Resource Graph queries are not supported for annotations.
+
+## Create an annotation query
+
+To add an Azure Monitor annotation to a dashboard:
+
+1. Open the dashboard where you want to add annotations.
+1. Click **Dashboard settings** (gear icon) in the top navigation.
+1. Select **Annotations** in the left menu.
+1. Click **Add annotation query**.
+1. Enter a **Name** for the annotation (e.g., "Azure Activity", "Deployments").
+1. Select your **Azure Monitor** data source.
+1. Choose the **Logs** service.
+1. Select a **Resource** (Log Analytics workspace or Application Insights resource).
+1. Write a KQL query that returns the annotation data.
+1. Click **Apply** to save.
+
+## Query requirements
+
+Your KQL query should return columns that Grafana can use to create annotations:
+
+| Column             | Required    | Description                                                                                      |
+| ------------------ | ----------- | ------------------------------------------------------------------------------------------------ |
+| `TimeGenerated`    | Yes         | The timestamp for the annotation. Grafana uses this to position the annotation on the time axis. |
+| `Text`             | Recommended | The annotation text displayed when you hover over or click the annotation.                       |
+| Additional columns | Optional    | Any other columns returned become annotation tags.                                               |
+
+{{< admonition type="note" >}}
+Always include a time filter in your query to limit results to the dashboard's time range. Use the `$__timeFilter()` macro.
+{{< /admonition >}}
+
+## Annotation query examples
+
+The following examples demonstrate common annotation use cases.
+
+### Azure Activity Log events
+
+Display Azure Activity Log events such as resource modifications, deployments, and administrative actions:
+
+```kusto
+AzureActivity
+| where $__timeFilter(TimeGenerated)
+| where Level == "Error" or Level == "Warning" or CategoryValue == "Administrative"
+| project TimeGenerated, Text=OperationNameValue, Level, ResourceGroup, Caller
+| order by TimeGenerated desc
+| take 100
+```
+
+### Deployment events
+
+Show deployment-related activity:
+
+```kusto
+AzureActivity
+| where $__timeFilter(TimeGenerated)
+| where OperationNameValue contains "deployments"
+| project TimeGenerated, Text=strcat("Deployment: ", OperationNameValue), Status=ActivityStatusValue, ResourceGroup
+| order by TimeGenerated desc
+```
+
+### Application Insights exceptions
+
+Mark application exceptions as annotations:
+
+```kusto
+AppExceptions
+| where $__timeFilter(TimeGenerated)
+| project TimeGenerated, Text=strcat(ProblemId, ": ", OuterMessage), SeverityLevel, AppRoleName
+| order by TimeGenerated desc
+| take 50
+```
+
+### Custom events from Application Insights
+
+Display custom events logged by your application:
+
+```kusto
+AppEvents
+| where $__timeFilter(TimeGenerated)
+| where Name == "DeploymentStarted" or Name == "DeploymentCompleted"
+| project TimeGenerated, Text=Name, AppRoleName
+| order by TimeGenerated desc
+```
+
+### Security alerts
+
+Show security-related alerts:
+
+```kusto
+SecurityAlert
+| where $__timeFilter(TimeGenerated)
+| project TimeGenerated, Text=AlertName, Severity=AlertSeverity, Description
+| order by TimeGenerated desc
+| take 50
+```
+
+### Resource health events
+
+Display resource health status changes:
+
+```kusto
+AzureActivity
+| where $__timeFilter(TimeGenerated)
+| where CategoryValue == "ResourceHealth"
+| project TimeGenerated, Text=OperationNameValue, Status=ActivityStatusValue, ResourceId
+| order by TimeGenerated desc
+```
+
+### VM start and stop events
+
+Mark virtual machine state changes:
+
+```kusto
+AzureActivity
+| where $__timeFilter(TimeGenerated)
+| where OperationNameValue has_any ("start", "deallocate", "restart")
+| where ResourceProviderValue == "MICROSOFT.COMPUTE"
+| project TimeGenerated, Text=OperationNameValue, VM=Resource, Status=ActivityStatusValue
+| order by TimeGenerated desc
+```
+
+### Autoscale events
+
+Show autoscale operations:
+
+```kusto
+AzureActivity
+| where $__timeFilter(TimeGenerated)
+| where OperationNameValue contains "autoscale"
+| project TimeGenerated, Text=strcat("Autoscale: ", OperationNameValue), Status=ActivityStatusValue, ResourceGroup
+| order by TimeGenerated desc
+```
+
+## Customize annotation appearance
+
+After creating an annotation query, you can customize its appearance:
+
+| Setting       | Description                                                                                              |
+| ------------- | -------------------------------------------------------------------------------------------------------- |
+| **Color**     | Choose a color for the annotation markers. Use different colors to distinguish between annotation types. |
+| **Show in**   | Select which panels display the annotations.                                                             |
+| **Filter by** | Add filters to limit when annotations appear.                                                            |
+
+## Best practices
+
+Follow these recommendations when creating annotations:
+
+1. **Limit results**: Always use `take` or `limit` to restrict the number of annotations. Too many annotations can clutter your dashboard and impact performance.
+
+2. **Use time filters**: Include `$__timeFilter()` to ensure queries only return data within the dashboard's time range.
+
+3. **Create meaningful text**: Use `strcat()` or `project` to create descriptive annotation text that provides context at a glance.
+
+4. **Add relevant tags**: Include columns like `ResourceGroup`, `Severity`, or `Status` that become clickable tags for filtering.
+
+5. **Use descriptive names**: Name your annotations clearly (e.g., "Production Deployments", "Critical Alerts") so dashboard users understand what they represent.
+
+## Troubleshoot annotations
+
+If annotations aren't appearing as expected, try the following solutions.
+
+### Annotations don't appear
+
+- Verify the query returns data in the selected time range.
+- Check that the query includes a `TimeGenerated` column.
+- Test the query in the Azure Portal Log Analytics query editor.
+- Ensure the annotation is enabled (toggle is on).
+
+### Too many annotations
+
+- Add more specific filters to your query.
+- Use `take` to limit results.
+- Narrow the time range.
+
+### Annotations appear at wrong times
+
+- Verify the `TimeGenerated` column contains the correct timestamp.
+- Check your dashboard's timezone settings.

docs/sources/datasources/azure-monitor/configure/index.md

@@ -0,0 +1,605 @@
+---
+aliases:
+  - ../../data-sources/azure-monitor/configure/
+description: Guide for configuring the Azure Monitor data source in Grafana.
+keywords:
+  - grafana
+  - microsoft
+  - azure
+  - monitor
+  - application
+  - insights
+  - log
+  - analytics
+  - guide
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Configure
+title: Configure the Azure Monitor data source
+weight: 200
+last_reviewed: 2025-12-04
+refs:
+  configure-grafana-feature-toggles:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#feature_toggles
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#feature_toggles
+  provisioning-data-sources:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/administration/provisioning/#data-sources
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/administration/provisioning/#data-sources
+  explore:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/explore/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/explore/
+  configure-grafana-azure-auth:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/
+  build-dashboards:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/
+  configure-grafana-azure:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#azure
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#azure
+  data-source-management:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/
+  configure-grafana-azure-auth-scopes:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
+  data-sources:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/
+  private-data-source-connect:
+    - pattern: /docs/grafana/
+      destination: docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/
+    - pattern: /docs/grafana-cloud/
+      destination: docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/
+  configure-pdc:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/configure-pdc/#configure-grafana-private-data-source-connect-pdc
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/configure-pdc/#configure-grafana-private-data-source-connect-pdc
+---
+
+# Configure the Azure Monitor data source
+
+This document explains how to configure the Azure Monitor data source and the available configuration options.
+For general information about data sources, refer to [Grafana data sources](ref:data-sources) and [Data source management](ref:data-source-management).
+
+## Before you begin
+
+Before configuring the Azure Monitor data source, ensure you have the following:
+
+- **Grafana permissions:** You must have the `Organization administrator` role to configure data sources.
+  Organization administrators can also [configure the data source via YAML](#provision-the-data-source) with the Grafana provisioning system or [using Terraform](#configure-with-terraform).
+
+- **Azure prerequisites:** Depending on your chosen authentication method, you may need:
+  - A Microsoft Entra ID (formerly Azure AD) app registration with a service principal (for App Registration authentication)
+  - A Managed Identity enabled on your Azure VM or App Service (for Managed Identity authentication)
+  - Workload identity configured in your Kubernetes cluster (for Workload Identity authentication)
+  - Microsoft Entra ID authentication configured for Grafana login (for Current User authentication)
+
+{{< admonition type="note" >}}
+**Grafana Cloud users:** Managed Identity and Workload Identity authentication methods are not available in Grafana Cloud because they require Grafana to run on your Azure infrastructure. Use **App Registration** authentication instead.
+{{< /admonition >}}
+
+- **Azure RBAC permissions:** The identity used to authenticate must have the `Reader` role on the Azure subscription containing the resources you want to monitor.
+  For Log Analytics queries, the identity also needs appropriate permissions on the Log Analytics workspaces to be queried.
+  Refer to the [Azure documentation for role assignments](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current).
+
+{{< admonition type="note" >}}
+The Azure Monitor data source plugin is built into Grafana. No additional installation is required.
+{{< /admonition >}}
+
+## Add the data source
+
+To add the Azure Monitor data source:
+
+1. Click **Connections** in the left-side menu.
+1. Click **Add new connection**.
+1. Type `Azure Monitor` in the search bar.
+1. Select **Azure Monitor**.
+1. Click **Add new data source** in the upper right.
+
+You're taken to the **Settings** tab where you can configure the data source.
+
+## Choose an authentication method
+
+The Azure Monitor data source supports four authentication methods. Choose based on where Grafana is hosted and your security requirements:
+
+| Authentication method | Best for                                   | Requirements                                                   |
+| --------------------- | ------------------------------------------ | -------------------------------------------------------------- |
+| **App Registration**  | Any Grafana deployment                     | Microsoft Entra ID app registration with client secret         |
+| **Managed Identity**  | Grafana hosted in Azure (VMs, App Service) | Managed identity enabled on the Azure resource                 |
+| **Workload Identity** | Grafana in Kubernetes (AKS)                | Workload identity federation configured                        |
+| **Current User**      | User-level access control                  | Microsoft Entra ID authentication configured for Grafana login |
+
+## Configure authentication
+
+Select one of the following authentication methods and complete the configuration.
+
+### App Registration
+
+Use a Microsoft Entra ID app registration (service principal) to authenticate. This method works with any Grafana deployment.
+
+#### App Registration prerequisites
+
+1. Create an app registration in Microsoft Entra ID.
+   Refer to the [Azure documentation for creating a service principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in).
+
+1. Create a client secret for the app registration.
+   Refer to the [Azure documentation for creating a client secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).
+
+1. Assign the `Reader` role to the app registration on the subscription or resources you want to monitor.
+   Refer to the [Azure documentation for role assignments](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current).
+
+#### App Registration UI configuration
+
+| Setting                     | Description                                                                                                                                |
+| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
+| **Authentication**          | Select **App Registration**.                                                                                                               |
+| **Azure Cloud**             | The Azure environment to connect to. Select **Azure** for the public cloud, or choose Azure Government or Azure China for national clouds. |
+| **Directory (tenant) ID**   | The GUID that identifies your Microsoft Entra ID tenant.                                                                                   |
+| **Application (client) ID** | The GUID for the app registration you created.                                                                                             |
+| **Client secret**           | The secret key for the app registration. Keep this secure and rotate periodically.                                                         |
+| **Default Subscription**    | Click **Load Subscriptions** to populate available subscriptions, then select your default.                                                |
+
+#### Provision App Registration with YAML
+
+```yaml
+apiVersion: 1
+
+datasources:
+  - name: Azure Monitor
+    type: grafana-azure-monitor-datasource
+    access: proxy
+    jsonData:
+      azureAuthType: clientsecret
+      cloudName: azuremonitor # See supported cloud names below
+      tenantId: <tenant-id>
+      clientId: <client-id>
+      subscriptionId: <subscription-id> # Optional, default subscription
+    secureJsonData:
+      clientSecret: <client-secret>
+    version: 1
+```
+
+### Managed Identity
+
+Use Azure Managed Identity for secure, credential-free authentication when Grafana is hosted in Azure.
+
+{{< admonition type="note" >}}
+Managed Identity is available in [Azure Managed Grafana](https://azure.microsoft.com/en-us/products/managed-grafana) or self-hosted Grafana deployed in Azure. It is not available in Grafana Cloud.
+{{< /admonition >}}
+
+#### Managed Identity prerequisites
+
+- Grafana must be hosted in Azure (App Service, Azure VMs, or Azure Managed Grafana).
+- Managed identity must be enabled on the Azure resource hosting Grafana.
+- The managed identity must have the `Reader` role on the subscription or resources you want to monitor.
+
+For details on Azure managed identities, refer to the [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview).
+
+#### Managed Identity Grafana server configuration
+
+Enable managed identity in the Grafana server configuration:
+
+```ini
+[azure]
+managed_identity_enabled = true
+```
+
+To use a user-assigned managed identity instead of the system-assigned identity, also set:
+
+```ini
+[azure]
+managed_identity_enabled = true
+managed_identity_client_id = <USER_ASSIGNED_IDENTITY_CLIENT_ID>
+```
+
+Refer to [Grafana Azure configuration](ref:configure-grafana-azure) for more details.
+
+#### Managed Identity UI configuration
+
+| Setting                  | Description                                                                                         |
+| ------------------------ | --------------------------------------------------------------------------------------------------- |
+| **Authentication**       | Select **Managed Identity**. The directory ID, application ID, and client secret fields are hidden. |
+| **Default Subscription** | Click **Load Subscriptions** to populate available subscriptions, then select your default.         |
+
+{{< figure src="/media/docs/grafana/data-sources/screenshot-managed-identity-2.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor data source configured with Managed Identity" >}}
+
+#### Provision Managed Identity with YAML
+
+```yaml
+apiVersion: 1
+
+datasources:
+  - name: Azure Monitor
+    type: grafana-azure-monitor-datasource
+    access: proxy
+    jsonData:
+      azureAuthType: msi
+      subscriptionId: <subscription-id> # Optional, default subscription
+    version: 1
+```
+
+### Workload Identity
+
+Use Azure Workload Identity for secure authentication in Kubernetes environments like AKS.
+
+#### Workload Identity prerequisites
+
+- Grafana must be running in a Kubernetes environment with workload identity federation configured.
+- The workload identity must have the `Reader` role on the subscription or resources you want to monitor.
+
+For details, refer to the [Azure workload identity documentation](https://azure.github.io/azure-workload-identity/docs/).
+
+#### Workload Identity Grafana server configuration
+
+Enable workload identity in the Grafana server configuration:
+
+```ini
+[azure]
+workload_identity_enabled = true
+```
+
+Optional configuration variables:
+
+```ini
+[azure]
+workload_identity_enabled = true
+workload_identity_tenant_id = <IDENTITY_TENANT_ID>    # Microsoft Entra ID tenant containing the managed identity
+workload_identity_client_id = <IDENTITY_CLIENT_ID>    # Client ID if different from default
+workload_identity_token_file = <TOKEN_FILE_PATH>      # Path to the token file
+```
+
+Refer to [Grafana Azure configuration](ref:configure-grafana-azure) and the [Azure workload identity documentation](https://azure.github.io/azure-workload-identity/docs/) for more details.
+
+#### Workload Identity UI configuration
+
+| Setting                  | Description                                                                                          |
+| ------------------------ | ---------------------------------------------------------------------------------------------------- |
+| **Authentication**       | Select **Workload Identity**. The directory ID, application ID, and client secret fields are hidden. |
+| **Default Subscription** | Click **Load Subscriptions** to populate available subscriptions, then select your default.          |
+
+{{< figure src="/media/docs/grafana/data-sources/screenshot-workload-identity.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor data source configured with Workload Identity" >}}
+
+#### Provision Workload Identity with YAML
+
+```yaml
+apiVersion: 1
+
+datasources:
+  - name: Azure Monitor
+    type: grafana-azure-monitor-datasource
+    access: proxy
+    jsonData:
+      azureAuthType: workloadidentity
+      subscriptionId: <subscription-id> # Optional, default subscription
+    version: 1
+```
+
+### Current User
+
+Forward the logged-in Grafana user's Azure credentials to the data source for user-level access control.
+
+{{< admonition type="warning" >}}
+Current User authentication is an [experimental feature](/docs/release-life-cycle/). Engineering and on-call support is not available. Documentation is limited. No SLA is provided. Contact Grafana Support to enable this feature in Grafana Cloud.
+{{< /admonition >}}
+
+#### Current User prerequisites
+
+Your Grafana instance must be configured with Microsoft Entra ID authentication. Refer to the [Microsoft Entra ID authentication documentation](ref:configure-grafana-azure-auth).
+
+#### Configure your Azure App Registration
+
+The App Registration used for Grafana login requires additional configuration:
+
+**Enable token issuance:**
+
+1. In the Azure Portal, open your App Registration.
+1. Select **Authentication** in the side menu.
+1. Under **Implicit grant and hybrid flows**, check both **Access tokens** and **ID tokens**.
+1. Save your changes.
+
+**Add API permissions:**
+
+1. In the Azure Portal, open your App Registration.
+1. Select **API Permissions** in the side menu.
+1. Ensure these permissions are present under **Microsoft Graph**: `openid`, `profile`, `email`, and `offline_access`.
+1. Add the following permissions:
+   - **Azure Service Management** > **Delegated permissions** > `user_impersonation`
+   - **APIs my organization uses** > Search for **Log Analytics API** > **Delegated permissions** > `Data.Read`
+
+Refer to the [Azure documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis) for more information.
+
+**Update Grafana scopes:**
+
+Update the `scopes` section in your Grafana Azure authentication configuration to include the `.default` scope:
+
+```
+.default openid email profile
+```
+
+#### Current User Grafana server configuration
+
+Enable current user authentication in the Grafana server configuration:
+
+```ini
+[azure]
+user_identity_enabled = true
+```
+
+By default, this also enables fallback service credentials. To disable fallback credentials at the instance level:
+
+```ini
+[azure]
+user_identity_enabled = true
+user_identity_fallback_credentials_enabled = false
+```
+
+{{< admonition type="note" >}}
+To use fallback service credentials, the [feature toggle](ref:configure-grafana-feature-toggles) `idForwarding` must be set to `true`.
+{{< /admonition >}}
+
+#### Limitations and fallback credentials
+
+Current User authentication doesn't support backend functionality like alerting, reporting, and recorded queries because user credentials aren't available for background operations.
+
+To support these features, configure **fallback service credentials**. When enabled, Grafana uses the fallback credentials for backend operations. Note that operations using fallback credentials are limited to the permissions of those credentials, not the user's permissions.
+
+{{< admonition type="note" >}}
+Query and resource caching is disabled by default for data sources using Current User authentication.
+{{< /admonition >}}
+
+#### Current User UI configuration
+
+| Setting                          | Description                                                                                 |
+| -------------------------------- | ------------------------------------------------------------------------------------------- |
+| **Authentication**               | Select **Current User**.                                                                    |
+| **Default Subscription**         | Click **Load Subscriptions** to populate available subscriptions, then select your default. |
+| **Fallback Service Credentials** | Enable and configure credentials for backend features like alerting.                        |
+
+{{< figure src="/media/docs/grafana/data-sources/screenshot-current-user.png" max-width="800px" class="docs-image--no-shadow" caption="Azure Monitor data source configured with Current User authentication" >}}
+
+#### Provision Current User with YAML
+
+{{< admonition type="note" >}}
+The `oauthPassThru` property is required for Current User authentication. The `disableGrafanaCache` property prevents returning cached responses for resources users don't have access to.
+{{< /admonition >}}
+
+```yaml
+apiVersion: 1
+
+datasources:
+  - name: Azure Monitor
+    type: grafana-azure-monitor-datasource
+    access: proxy
+    jsonData:
+      azureAuthType: currentuser
+      oauthPassThru: true
+      disableGrafanaCache: true
+      subscriptionId: <subscription-id> # Optional, default subscription
+    version: 1
+```
+
+## Additional configuration options
+
+These settings apply to all authentication methods.
+
+### General settings
+
+| Setting     | Description                                                                     |
+| ----------- | ------------------------------------------------------------------------------- |
+| **Name**    | The data source name used in panels and queries. Example: `azure-monitor-prod`. |
+| **Default** | Toggle to make this the default data source for new panels.                     |
+
+### Enable Basic Logs
+
+Toggle **Enable Basic Logs** to allow queries against [Basic Logs tables](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/basic-logs-query?tabs=portal-1) in supported Log Analytics Workspaces.
+
+{{< admonition type="note" >}}
+Querying Basic Logs tables incurs additional costs on a per-query basis.
+{{< /admonition >}}
+
+### Private data source connect (Grafana Cloud only)
+
+If you're using Grafana Cloud and need to connect to Azure resources in a private network, use Private Data Source Connect (PDC).
+
+1. Click the **Private data source connect** dropdown to select your PDC configuration.
+1. Click **Manage private data source connect** to view your PDC connection details.
+
+For more information, refer to [Private data source connect](ref:private-data-source-connect) and [Configure PDC](ref:configure-pdc).
+
+## Supported cloud names
+
+When provisioning the data source, use the following `cloudName` values:
+
+| Azure Cloud                      | `cloudName` value        |
+| -------------------------------- | ------------------------ |
+| Microsoft Azure public cloud     | `azuremonitor` (default) |
+| Microsoft Chinese national cloud | `chinaazuremonitor`      |
+| US Government cloud              | `govazuremonitor`        |
+
+{{< admonition type="note" >}}
+For Current User authentication, the cloud names differ: use `AzureCloud` for public cloud, `AzureChinaCloud` for the Chinese national cloud, and `AzureUSGovernment` for the US Government cloud.
+{{< /admonition >}}
+
+## Verify the connection
+
+After configuring the data source, click **Save & test**. A successful connection displays a message confirming that the credentials are valid and have access to the configured default subscription.
+
+If the test fails, verify:
+
+- Your credentials are correct (tenant ID, client ID, client secret)
+- The identity has the required Azure RBAC permissions
+- For Managed Identity or Workload Identity, that the Grafana server configuration is correct
+- Network connectivity to Azure endpoints
+
+## Provision the data source
+
+You can define and configure the Azure Monitor data source in YAML files as part of the Grafana provisioning system.
+For more information about provisioning, refer to [Provisioning Grafana](ref:provisioning-data-sources).
+
+### Provision quick reference
+
+| Authentication method | `azureAuthType` value | Required fields                                    |
+| --------------------- | --------------------- | -------------------------------------------------- |
+| App Registration      | `clientsecret`        | `tenantId`, `clientId`, `clientSecret`             |
+| Managed Identity      | `msi`                 | None (uses VM identity)                            |
+| Workload Identity     | `workloadidentity`    | None (uses pod identity)                           |
+| Current User          | `currentuser`         | `oauthPassThru: true`, `disableGrafanaCache: true` |
+
+All methods support the optional `subscriptionId` field to set a default subscription.
+
+For complete YAML examples, see the [authentication method sections](#configure-authentication) above.
+
+## Configure with Terraform
+
+You can configure the Azure Monitor data source using the [Grafana Terraform provider](https://registry.terraform.io/providers/grafana/grafana/latest/docs). This approach enables infrastructure-as-code workflows and version control for your Grafana configuration.
+
+### Terraform prerequisites
+
+- [Terraform](https://www.terraform.io/downloads) installed
+- Grafana Terraform provider configured with appropriate credentials
+- For Grafana Cloud: A [Cloud Access Policy token](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/) with data source permissions
+
+### Provider configuration
+
+Configure the Grafana provider to connect to your Grafana instance:
+
+```hcl
+terraform {
+  required_providers {
+    grafana = {
+      source  = "grafana/grafana"
+      version = ">= 2.0.0"
+    }
+  }
+}
+
+# For Grafana Cloud
+provider "grafana" {
+  url  = "<YOUR_GRAFANA_CLOUD_STACK_URL>"
+  auth = "<YOUR_SERVICE_ACCOUNT_TOKEN>"
+}
+
+# For self-hosted Grafana
+# provider "grafana" {
+#   url  = "http://localhost:3000"
+#   auth = "<API_KEY_OR_SERVICE_ACCOUNT_TOKEN>"
+# }
+```
+
+### Terraform examples
+
+The following examples show how to configure the Azure Monitor data source for each authentication method.
+
+**App Registration (client secret):**
+
+```hcl
+resource "grafana_data_source" "azure_monitor" {
+  type = "grafana-azure-monitor-datasource"
+  name = "Azure Monitor"
+
+  json_data_encoded = jsonencode({
+    azureAuthType  = "clientsecret"
+    cloudName      = "azuremonitor"
+    tenantId       = "<TENANT_ID>"
+    clientId       = "<CLIENT_ID>"
+    subscriptionId = "<SUBSCRIPTION_ID>"
+  })
+
+  secure_json_data_encoded = jsonencode({
+    clientSecret = "<CLIENT_SECRET>"
+  })
+}
+```
+
+**Managed Identity:**
+
+```hcl
+resource "grafana_data_source" "azure_monitor" {
+  type = "grafana-azure-monitor-datasource"
+  name = "Azure Monitor"
+
+  json_data_encoded = jsonencode({
+    azureAuthType  = "msi"
+    subscriptionId = "<SUBSCRIPTION_ID>"
+  })
+}
+```
+
+**Workload Identity:**
+
+```hcl
+resource "grafana_data_source" "azure_monitor" {
+  type = "grafana-azure-monitor-datasource"
+  name = "Azure Monitor"
+
+  json_data_encoded = jsonencode({
+    azureAuthType  = "workloadidentity"
+    subscriptionId = "<SUBSCRIPTION_ID>"
+  })
+}
+```
+
+**Current User:**
+
+```hcl
+resource "grafana_data_source" "azure_monitor" {
+  type = "grafana-azure-monitor-datasource"
+  name = "Azure Monitor"
+
+  json_data_encoded = jsonencode({
+    azureAuthType       = "currentuser"
+    oauthPassThru       = true
+    disableGrafanaCache = true
+    subscriptionId      = "<SUBSCRIPTION_ID>"
+  })
+}
+```
+
+**With Basic Logs enabled:**
+
+Add `enableBasicLogs = true` to any of the above configurations:
+
+```hcl
+resource "grafana_data_source" "azure_monitor" {
+  type = "grafana-azure-monitor-datasource"
+  name = "Azure Monitor"
+
+  json_data_encoded = jsonencode({
+    azureAuthType   = "clientsecret"
+    cloudName       = "azuremonitor"
+    tenantId        = "<TENANT_ID>"
+    clientId        = "<CLIENT_ID>"
+    subscriptionId  = "<SUBSCRIPTION_ID>"
+    enableBasicLogs = true
+  })
+
+  secure_json_data_encoded = jsonencode({
+    clientSecret = "<CLIENT_SECRET>"
+  })
+}
+```
+
+For more information about the Grafana Terraform provider, refer to the [provider documentation](https://registry.terraform.io/providers/grafana/grafana/latest/docs) and the [grafana_data_source resource](https://registry.terraform.io/providers/grafana/grafana/latest/docs/resources/data_source).